1.  

    Whaaaa…

    Why are you setting up a meeting with a stranger? Article is totally lacking motivation.

    1. 1

      For people wanting this sleek-look kind of system I’ve been recommending the Purism systems. My Mom just got one and is pretty happy so far. It’s a nice machine and nice to know my money is going to further good projects and not just going to Dell.

      1. 13

        Also avoid “flexible holidays”. That’s just another way of saying there’s a baseline of no holidays, and for the few you’ll want, you’ll have to get approval from management. Similar story with “flexible hours”, which means you’ll be expected to leave late rather than early. Often when there’s “flexibility”, it’s flexibility for the company, not for you.

        Much better to go for jobs with clear business hours and a clear number of holidays per year, at least you know exactly what you’ll get and can make an informed decision.

        1. 13

          As I understand it “unlimited vacation” is a hack on human psychology to trick workers into taking less vacation. If they don’t let you book it when you try, though (barring normal reasons like a pending release you’re super important for or whatever – which apply even with “standard” vacation policies) it’s not really flexible or unlimited.

          My old employer gave me 4 weeks of vacation, and I usually didn’t use it all, or forced myself to use it at year end and got long Christmases. Since moving to a new job with “unlimited vacation” and knowing the risks of such a policy, I make very sure to book at least 4 weeks a year. This year it’ll be 5.5 weeks.

          1. 5

            Not always. At my last job, it was exactly as you described it: a hack to get you to take less vacation. At my current job, it really is unlimited. “Standard practice” at my current company is 3-4 weeks off per year, with 5-6 not being unheard of as well. I, personally, take less but also have an understanding with my manager that I can take off on short notice as I tend to have periods where I get very sick of work.

            1. 3

              I’ll echo this; at my current company, the unlimited vacation policy exists pretty much in earnest. I calculated that over the past 3.5 years I have averaged 4.5 weeks/year of vacation. I’ve never had a vacation request denied, though I obviously don’t do things like request every single Friday off, or take a month in the middle of a release rollout, etc.

              1. 1

                At my last job, it was exactly as you described it: a hack to get you to take less vacation. At my current job, it really is unlimited.

                These do not have to be mutually exclusive. As I said in my post, as long as you make sure to take ownership of the situation and force yourself to remember and ask for vacations, you can get them (often). Just don’t let your mind fall into the trap of not counting the vacation days, because then you’ll (likely) end up taking less.

              2. 3

                Alternatively, employers have to pay out unused vacation days when you leave a company. This can be pretty expensive, especially if you accrue a lot of vacation.

                1. 2

                  Around here (Ontario, Canada) they have to have a baseline of some vacation in the contract, so that still has to get counted and paid out in theory.

                  1. 1

                    Yeah, probably varies by location. I’m in California and my old manager admitted it after I put two and two together.

                2. 2

                  Unlimited vacation makes no sense to me. You can just take as many paid days off per year as you like? Why don’t people just take the whole year off?

                  If you mean unpaid holidays then… who the hell cares how many unpaid days off you can take per year? What kind of employer is going to tell you that you can’t take unpaid leave? The number that matters is the number of paid days holiday above the legal minimum.

                  1. 2

                    You can - but your coworkers will judge you for it. Social forces are pretty powerful.

                    The theory is that you avoid having employees show up un-motivated - the practice is nobody gets any time off.

                    1. 2

                      My coworkers will judge me? Who cares if they judge me? I can take unlimited paid time off..

                    2. 1

                      Why don’t people just take the whole year off?

                      Three reasons – because employees are more trustworthy than that – because an employee who did that would have zero productivity and likely get fired – because vacations require manager approval and no one would approve the whole year.

                      At my company in particular, you need “extra special” approval to get more than two weeks in a row, even. But taking almost 6 weeks in drips and drabs is easy to do.

                      1. 1

                        because employees are more trustworthy than that

                        If you trust someone to not take advantage of an incredibly poorly thought out policy that allows them to get as much free money as they like without doing five minutes of work, then you’re a naive fool.

                        because an employee who did that would have zero productivity and likely get fired

                        You can’t fire someone for taking leave. If it’s ‘unlimited leave’ then it’s unlimited leave. They aren’t expected to be productive when they’re on leave when they take a month of leave, so why would they be expected to be productive on leave when they take 6 months or 12 months of leave in a year?

                        because vacations require manager approval and no one would approve the whole year.

                        Okay, so the actual answer is ‘it’s not actually unlimited leave’?

                        At my company in particular, you need “extra special” approval to get more than two weeks in a row, even. But taking almost 6 weeks in drips and drabs is easy to do.

                        That’s not unlimited leave, that’s 6 weeks of leave, but where if you take fewer than 6 weeks of leave you don’t accrue more that you can take the next year or be paid out for when you leave. In other words, it’s really shitty leave.

                        1. 1

                          no one would approve the whole year.

                          So it’s not unlimited. That’s the issue I have with this - there’s obviously an upper limit to how many days one can take, and I don’t see why the company would keep that information a secret. I prefer things to be clear from day one and the same for everybody. Otherwise it’s just those who remember to take days off, or those who get along well with the manager who get more vacation days, it’s basically a policy that’s not fair to all employees.

                    3. 2

                      That might be true in some places, but it’s certainly not true everywhere. The last place I worked, ‘flexible holidays’ meant that while they expected you to take holidays they were pretty much fine with you taking them whenever you wanted.

                      ‘Flexible hours’ meant you were expected to be there 10:00-15:00 on Monday-Friday and when you did the rest of your 40 hours per week was up to you. Want to work 6:30-15:00? Cool! Want to work 8:00-17:15 four days a week and 10:00-15:00 on Fridays? Do it. Most people finished around 16:00 on Fridays, for example, and many came in at 9:30 or 10:00 every day or 7:00 or even earlier every day.

                      Maybe you should fix your labour laws so that ‘baseline of no holidays’ doesn’t exist.

                    1. 2

                      I feel like ActivityPub and OStatus will be the new Atom/RSS .. on steroids.

                      1. 5

                        OStatus is built on Atom, because that’s the obvious thing to do and they weren’t suffering from NiH at the time :)

                      1. 1

                        One year ago I would agree about the bool/false/true case. But, nowadays I sin and use uint8_t, 0 and 1 for every boolean, since I use a lot of fwrite() and fread() in my codebase and I want a 100% guarantee that I’m writing and reading an unsigned byte to/from file, on any platform, and I don’t want to create an intermediate variable every time. I’d rather write a good variable name to convey the meaning, and know it’s a boolean without looking.

                        1. 1

                          Using 0 and 1 is a sensible and idiomatic way to represent C boolean constants, nothing wrong with that.

                          Just don’t #define True 1 ;)

                        1. 3

                          acct:singpolyma@singpolyma.net

                          Not followable on Mastodon yet, but most other fediverse and indieweb implementations work. Mastodon compatibility is hopefully coming in my 2019 rewrite.

                          1. 1

                            That’s awesome to see someone implemented ActivityPub for their own site/blog. Does yours work with Pleroma? What specific challenges are there with Mastodon’s API?

                            1. 2

                              It’s not ActivityPub, it’s OStatus, but yeah. I haven’t tested with Pleroma specifically, but I know it works with GNU Social and Friendica for sure. Mastodon has some little quirks, but in this case the biggest one is that they only support Atom feeds and my site intentionally used alternate formats to make sure that worked in implementations at the time. But at this point Mastodon is not planning to ever be fully compatible with protocol specs, and having my site work there is probably more valuable than continuing to be weird on purpose.

                          1. 6

                            I think the only thing that authors/maintainers owe the community is an honest statement about the quality of their software. If you market your open source project as an industrial grade masterpiece and the code is unreliable garbage that doesn’t scale, then people have a right to be upset.

                            1. 4

                              Why? Users should bear the responsibility of at least skimming the code in order to determine whether it is fit for use.

                              1. 1

                                So you think that authors are blameless if they oversell/hype their open source software way past the point of its proven capabilities?

                                1. 1

                                  No. There’s no way to really fix that, though. It happens in any marketplace.

                                  If you release something labeled a prototype that somehow ends up on HN, then you will get breathlessly-written issues along the lines of “I want to use this for my startup why doesn’t it work?”

                              2. 5

                                I find most projects contain a statement about the quality of the software. Usually looks like this:

                                THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE

                                1. 2

                                  They don’t even owe that unless required by law. What they’re doing is throwing an object, from blessed to cursed, out there into the world. The responsibility is on the user to determine if that object is a working piece of software that meets their needs. Anything more is charity nobody should demand. Feel free to ask nicely, though.

                                1. 6

                                  This is interesting, in relation to another current thread here.

                                  A comment on an issue where a maintainer has passed control to another party, who then allegedly inserted malware into the release:

                                  You put at risk millions of people, and making something for free, but public, means you are responsible for the package.

                                  (source: https://github.com/dominictarr/event-stream/issues/116#issuecomment-441161123)

                                  So… maintainers who burn out should hand over their project to someone else, but they are somehow indefinitely responsible for the code after all? And there is zero blame laid on the party that uses the code? That does seem to encapsulate the entitlement issue.

                                  1. 3

                                    Thanks for posting this here - if you didn’t, I was going to, as it’s the main thing that has been bugging me about the whole episode.

                                    This is a hard problem to solve! How far can you trust your contributors or fellow maintainers? What constitutes a reasonable effort to ensure that your software is in good hands, and frankly how much of a reasonable effort do you owe people when you’re providing something on your own time, for free?

                                    I hope we can build better tools and practices to protect against this sort of thing in future but, in line with your post and the main article, I can’t blame the author for handing over a project he didn’t want to someone who offered to maintain it.

                                    1. 4

                                      The offer to maintain an “abandoned” project could be seen as a form of social engineering. Presumably the new maintainer (or a team they were a part of) identified the vulnerability of the NPM infrastructure and tried to find a way to exploit it.

                                      They then acted as a “good citizen” of the open source community (affinity fraud) to get access to the source and the NPM uploader rights.

                                      (It would be interesting to see if other packages that have been used in the targeted applications have a similar vulnerability. Presumably the team has other aliases or identities in this case.)

                                      Dealing with this is tough as heck. A maintainer who wishes to remain a good security citizen would have to set the repo readonly, and require extensive vetting to open it again… but that can have a massive chilling effect, and is pretty trivially defeated through straight-up fraud. Or people will look at this and see that a successful open source project simply doesn’t give enough ROI financially or emotionally to invest time in. If you “mess up” at any time in the future you will suffer the consequences.

                                      As usual, bad actors make life worse for honest people. But it’s the way of the world. I guess it’s surprising that NPM hasn’t already been hit with something like this (or maybe it has but it’s not shown up yet).

                                      1. 4

                                        how much of a reasonable effort do you owe people

                                        You owe no one anything. It is polite to inform users of the new maintainership, but that is all.

                                        If people choose to blindly source from an upstream with no vetting or even knowledge when it changes hands, that’s on them, not you.

                                    1. 8

                                      Whether it’s due to some collective memory of the technical difficulty of doing it pre-internet, or because ESR once wrote that it should be a last resort, the open source community seems unwilling to reach for the fork at times like this.

                                      TFA doesn’t even mention the possibility, but it’s always there. If you want some change to Clojure but Rich Hickey isn’t ready to accept it, you can avoid your own frustration and his by forking the repo and making the change. If you don’t like the fact that I haven’t made any changes to event-stream in a while, you don’t have to give control over to some random, you can fork it.

                                      Linux has even taken the idea of forking in decentralised version control to heart, and everybody’s repository is a fork. If Linus won’t take your commits, they’re still in git in your version(s), and maybe Greg or someone else will take them.

                                      1. 3

                                        So much this. Freedom is the freedom to fork. That’s at least 2/4 of the point ;)

                                        1. 1

                                          That’s overstating it. There are ways to allow forks under proprietary models. You just say they can make any change they want, distribute it to other paying customers, and the licensor isn’t responsible for the changes. It doesn’t become free without acquisition, changes, and redistribution all free. At a minimum.

                                      1. 36

                                        Such irony in the title here–“open source” is not about you; it’s a movement to hijack the free software movement and turn it into something a company can profit from, riding on free software goodwill and stripping the political aspects that are hard to reconcile with shameless capitalism.

                                        I don’t think it’s what Rich meant here, but it does nicely serve to underscore the vast gulf between the oss and free software camps; if you are in software because you want to make the world a better place, move right along.

                                        1. 26

                                          it’s a movement to hijack the free software movement

                                          There’s a problem with this statement, it doesn’t apply to me.

                                          When I was open-sourcing my project I wasn’t joining any movement. I didn’t sign any contract. I use the words “open source” in a plain sense: this is source code that someone can get and use according to the posted license. I’m totally fine with any company making profit off of this code. No company ever indoctrinated me into thinking this, and I deliberately chose the BSD license over the GPL exactly to not have to be associated with the Free Software movement (I don’t hate it, I just didn’t want to). Yes, for real. People like me exist.

                                          What I’m saying is, we already have a term meaning “open source + a particular ideology”. It’s Free Software. Please don’t try to appropriate “open source” to mean anything more than “available source code”. And no, I don’t really care what OSI thinks about this “term”. It’s their idea, not mine. I need some words to describe what I’m doing, too.

                                          1. 9

                                            When I was open-sourcing my project I wasn’t joining any movement

                                            That’s exactly the difference between the “free software” movement and Open Source. You made @technomancy’s point for him.

                                            1. 1

                                              It’s contradicting the framing that he’s somehow been duped out of believing in the fsf’s ideology by an open source movement.

                                            2. 9

                                              P.S. In fact, there was a time when “Free Software” also wasn’t associated with not letting companies profit from it. Here’s a classic Mark Pilgrim on this: https://web.archive.org/web/20091102023737/http://diveintomark.org/archives/2009/10/19/the-point

                                              Part of choosing a Free license for your own work is accepting that people may use it in ways you disapprove of.

                                              1. 5

                                                Check Selling Free Software from 1996.

                                                1. 6

                                                  I came here to share this link. The GPL, and free software, was never about gratis, was never about not paying for software. It has always been about liberty and the freedom to control one’s own software.

                                                2. 3

                                                  2009 is classic? Am I old?

                                                  1. 1

                                                    “Classic” in a sense “explains well”, has nothing to do with being old :-)

                                                3. 5

                                                  Just because you use a term doesn’t mean you get to define it. Saying “I don’t care what OSI thinks or why the term was invented” seems pretty strange to me… it’s their term and has a history, like it or not.

                                                  1. 8

                                                    What word should I use if I publish source code so people can use it but don’t care about furthering the cultural revolution?

                                                    1. 5

                                                      “Open source”.

                                                      1. 1

                                                        Billionaire. In a historical interview, that’s what the CEO of Apple believed he’d become if a lot of things lined up, one being getting a whole networking stack for free from BSD developers. The other thing he envisions is them begging for money at some point so their projects don’t close down. He bragged his main competition would be contributing their fixes back since they got themselves stuck with la licence de la révolution. Attendees were skeptical about such a one-sided deal going down.

                                                      2. 4

                                                        No :-) The only way a natural language is defined is through use, and the most common usage becomes a definition. OSI didn’t make this term theirs by simply publishing their definition, they just joined the game and have as much weight in it as every single user of the word.

                                                        1. 4

                                                          True, but also like it or not language evolves over time (always to the chagrin of many). This is not unique to technology or English. At the end of the day it doesn’t matter what either OSI or /u/isagalaev thinks, society at large makes the definitions.

                                                          Having said that, if you step outside of the FOSS filter bubble, it seems pretty clear to me that society leans towards /u/isagalaev’s definition.

                                                          1. 3

                                                            Also, as a sensible dictionary would, Merriam-Webster defines both current interpretations of it: https://www.merriam-webster.com/dictionary/open-source

                                                        2. 4

                                                          we already have a term meaning “open source + a particular ideology”. It’s Free Software.

                                                          You can’t remove politics from this question; the act of pretending you can is in itself a political choice to support the status quo.

                                                          1. 2

                                                            You can remove “politics” from open source, and that is precisely what open source has done.

                                                            The term open source can be operationally defined (i.e., descriptive, constructed, and demonstrable). From Wikipedia, citing the book “Understanding Open Source & Free Software Licensing.” (Though feel free to use Merriam Webster or the OED as a substitute): “source code is released under a license in which the copyright holder grants users the rights to study, change, and distribute the software to anyone and for any purpose.”

                                                            The license terms are selected that most parsimoniously accomplish the stated definition. (i.e., make it possible for the stated definition to become externally correspondent and existentially possible). The fewest number of rules (formula, statements, decisions) possible to accomplish the work–producing a limited number of legal operations (rights, grants, privileges) that can be fully accounted for.

                                                            It is the deflationary nature of the process that removes “politics.” Making the license commensurable and testable while removing suggestion, loading, framing, or overloading. BSD/MIT are small and shrinking, whereas GPL 2/3 are large and growing. That’s the difference.

                                                            1. 2

                                                              “source code is released under a license in which the copyright holder grants users the rights to study, change, and distribute the software to anyone and for any purpose.”

                                                              You can still get patent sued for that due to laws paid for by lobbyists. The effects of politicians on what we can and can’t do with open-source mean it’s inherently political. The people who say they want its benefits with no interest in politics or whose licenses don’t address it are still involved in a political game: they’re just not players in it.

                                                              1. 1

                                                                I’m not sure why you think I’m trying to “remove politics”. Of course I do have some political view on this, however vague it might be. This is totally beside the point. The point is that I don’t want to proclaim/discuss my political views every time I want to say that the code is available. It’s a completely valid desire.

                                                              2. 1

                                                                Why BSD license over public domain? The latter makes the source code more “available”, does it not?

                                                                (If you wonder how I feel about the GPL, check my repos.)

                                                                1. 11

                                                                  The latter makes the source code more “available”, does it not?

                                                                  No. In jurisdictions that don’t recognise public domain (e.g. France) and in which authors cannot give up their copyright, giving it to the public domain is meaningless and it’s as if the code has no free license at all. It’s the same as “all rights reserved”.

                                                                  1. 2

                                                                    That’s very interesting. Would folks in such jurisdictions be interested in working together with others to reform copyright law? Perhaps among .. other things?

                                                                    1. 2

                                                                      Why? It’s a different branch of copyright law and the idea of authorship being something you cannot give up is fundamental to those. You can only perpetually license.

                                                                      CC0 is a great license to use in those cases, btw.

                                                                      1. 2

                                                                        Why?

                                                                        One reason being that some people think copyright, or perhaps even more generally, intellectual property, is unethical. Another reason could be a desire for a single simple concept of “public domain,” perhaps similar to what we have in the US.

                                                                  2. 1

                                                                    I like the idea of retaining an exclusive right to the project’s name, BSD is explicit about it.

                                                                2. 10

                                                                  Companies are profiting massively from both. The License Zero author figured out the reason is the FOSS authors focused on distribution methods instead of results. That’s why Prosperity straight up says commercial use like many non-free licenses mention. The other one says any change has to be submitted back.

                                                                  The license needs to explicitly mention them making money or sharing all changes to achieve what you’re describing. That plus some patent stuff. The “free” licenses trying to block commercial exploitation are neither believably free nor stopping commercial exploitation after companies like IBM (massive capitalist) bet the farm on them. I mean, the results should prove they don’t work for such goals but people keep pushing old ways to achieve them.

                                                                  Nope. Just reinforcing existing systems of exploitation by likes of IBM. We need new licenses that send more money and/or code improvements back.

                                                                  1. 3

                                                                    It should not be the job of a license enforced by copyright to extract rents. That’s the playbook we are fleeing.

                                                                    1. 2

                                                                      ““open source” is not about you; it’s a movement to hijack the free software movement and turn it into something a company can profit from”

                                                                      The commenter wrote as if they expected whatever license or philosophy was in use to prevent companies from using the software for profit or with exploitation central focus. Several companies are making billions leveraging FOSS software. One even lobbies against software freedom using patent law since suits won’t affect it. So, if the goal is stopping that and spreading software freedom, then the so-called “free” licenses aren’t working. Quite the opposite effect moving billions into the hands of the worst, lobbying companies imaginable.

                                                                  2. 2

                                                                    I just don’t see “open-source” being a hijack of “free software” for corporate purposes. Why would corporate care, they can exploit the free labor of free software just as much, the politics are not visible in the final software product. If anything, it seems like the social goals of free software have been diluted by other programmers who like the technical side of it, but neither care nor agree about the politics.

                                                                    1. 3

                                                                      Why would corporate care, they can exploit the free labor of free software just as much

                                                                      Depends on the market. If it’s software they sell directly, the copyleft requirement means they have to give up their changes. Those changes might be generating the customers. They might also be causing lock-in. Better for them to keep their changes secret.

                                                                      Your point remains if it’s anything that lets them dodge the part about returning changes, esp SaaS.

                                                                      1. 3

                                                                        I just don’t see “open-source” being an hijack of “free software” for corporate purposes.

                                                                        It’s not really a matter of opinion. That hijacking is exactly what happened in 1998. The fact that today you forgot that this is what happened means that it worked: you stopped thinking about free software, as the OSI intended to happen in 1998.

                                                                        OSI was created to say “open source, open source, open source” until everyone thought it was a natural term, with the goal of attracting corporate interests. They even called it an advertising campaign for free software. Their words, not mine.

                                                                    1. 1

                                                                      100% this. Also, mark up your AbstractImplementationOfBorrowCheckerFactoryPatternMatcher with my favorite obscure HTML tag, <wbr>:

                                                                      Abstract<wbr>Implementation<wbr>Of<wbr>Borrow<wbr>Checker<wbr>Factory<wbr>Pattern<wbr>Matcher
                                                                      

                                                                      You could also use a zero-width space to similar effect, but the ZWSP will copy/paste into an editor. This can be very confusing.

                                                                      1. 1

                                                                        Adding HTML to alter the formatting of some text just feels super icky. Will this really improve things vs break-all? You may still have to break mid”word” anyway depending on actual width to be occupied.

                                                                        1. 1

                                                                          What’s the nature of your objection? That <wbr> is like using <i> instead of <em>? Would you rather use the zero-width space to annotate break opportunities because it is text rather than markup?

                                                                          I’ve actually mostly used <wbr> in anger in headings rather than body text. Manually injecting break opportunities produced much more pleasant results than the arbitrary breaks the browser could provide. That’s subjective, of course. If overflow-wrap: break-word gives good enough results I didn’t mean to suggest adding <wbr> is necessary — I just wanted to share a related tool I’ve found useful.

                                                                          There is also &shy;, the “soft hyphen”. This character can be used to mark a break opportunity in regular text. This was particularly useful before hyphens: auto existed, though some browsers would render it as a regular hyphen. But again, for programmatic identifiers, it will copy/paste which users may find confusing.
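The trade-off discussed in this sub-thread, as an added example that is not part of the original comments: `<wbr>` is markup, so it never reaches the clipboard, while a zero-width space or soft hyphen is text and travels with the identifier when it is pasted. All function names here are hypothetical, and the invisible-character table goes slightly beyond the two characters the thread mentions.

```javascript
// Added example; names are hypothetical and not taken from the thread.

// Escape text before any markup is added, so the only tags in the
// output are the <wbr> elements inserted below.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Split at camelCase/PascalCase boundaries:
//   fooBar     -> foo | Bar      (lowercase or digit, then uppercase)
//   HTMLParser -> HTML | Parser  (end of an acronym)
//   snake_case -> snake_ | case  (after an underscore)
function splitIdentifier(identifier) {
  return identifier.split(
    /(?<=[a-z0-9])(?=[A-Z])|(?<=[A-Z])(?=[A-Z][a-z])|(?<=_)(?=[^_])/
  );
}

// Produce HTML with a break opportunity between the parts.
function withWbr(identifier) {
  return splitIdentifier(identifier).map(escapeHtml).join("<wbr>");
}

// Characters that render as nothing but survive copy/paste.
const INVISIBLE = new Map([
  ["\u200B", "ZERO WIDTH SPACE"],
  ["\u00AD", "SOFT HYPHEN"],
  ["\u2060", "WORD JOINER"],
  ["\uFEFF", "ZERO WIDTH NO-BREAK SPACE"],
]);

// Report where invisible characters sit in pasted text.
function findInvisible(text) {
  const hits = [];
  for (let i = 0; i < text.length; i++) {
    const name = INVISIBLE.get(text[i]);
    if (name) hits.push({ index: i, name });
  }
  return hits;
}

// Remove them, e.g. before comparing or searching for an identifier.
function stripInvisible(text) {
  return Array.from(text).filter((ch) => !INVISIBLE.has(ch)).join("");
}

// Constructed sample: an identifier copied from a page that used
// ZWSP and a soft hyphen as break hints.
const pasted = "Borrow\u200BChecker\u00ADFactory";

console.log(withWbr("AbstractImplementationOfBorrowCheckerFactoryPatternMatcher"));
console.log(pasted === "BorrowCheckerFactory"); // looks identical, compares unequal
console.log(findInvisible(pasted));
console.log(stripInvisible(pasted) === "BorrowCheckerFactory");
```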

                                                                      1. 3

                                                                        Do you really need to have root privileges on your Google-free phones?

                                                                        I would like to keep my phone as secure as possible, and having root privileges enabled doesn’t seem like a smart choice if you have security in mind too.

                                                                        1. 7

                                                                          Yes. I’m the owner of the hardware, I want to be able to do whatever I want with it, including the things that not having root would prevent me from doing.

                                                                          1. 3

                                                                            The problem with this idea is that you are also allowing the possibility for any applications you install to also use root. Some ‘root access management’ apps will prompt you, etc, but then you’re just depending on them to not have any issues that would allow an app to circumvent their checks.

                                                                            I am the owner of my hardware, and I choose to not allow applications to assume more permissions than the OS was designed to allow them to have.

                                                                            1. 7

                                                                              That just sounds like an argument for improving those components instead of giving up control altogether.

                                                                              1. 8

                                                                                Not at all what I intended. I’m merely pointing out the downfall in enabling root access on current mobile operating systems. I would use root in an OS which I could control, sadly there’s no longer any mobile device supporting one (RIP N900), but hopefully there will be a new one soon (Librem 5 cannot come fast enough).

                                                                                1. 2

                                                                                  That makes sense.

                                                                                  1. 2

                                                                                    My N900 is still kicking, but yeah it’s not my daily driver because browser reasons :P

                                                                                    Besides Librem5, we’re also waiting on the Pyra. The Gemini is here today running Debian as an alternate. Also running ubports on a Nexus 5 can get you close.

                                                                                    1. 1

                                                                                      Of course! There’s also postmarketOS.

                                                                                2. 3

                                                                                  There used to be a lot of good use cases for rooting an Android phone, because there were a lot of reasonable things you needed root to do (run VPNs, block ads, change DNS settings, put background apps to sleep) and a lot of the culture of that time has persisted in the Android modding community. But over time, most of the things you really needed root for have been either added to the base system (doze, night mode) or made available to a user-space API (VPNs) or developer settings. With Android 7 or later, the only thing you really would need root for is micro-tweaking kernel settings, and that’s really only useful when you’re trying to get the most out of older hardware. Now it’s worth the little bit of extra security to leave your phone/tablet unrooted.

                                                                                  1. 4

                                                                                    There used to be a lot of good use cases for rooting an Android phone

                                                                                    If you’re using a carrier-branded phone there are still reasons:

                                                                                    • Debloating/disabling undesirable preinstalled apps.
                                                                                    • Fine-grained app permissioning (xposed framework).
                                                                                    • App hibernation and background running control.
                                                                                    • DNS choice and filtering.
                                                                                    • Ad Blocking.
                                                                                    • Enabling hotspot support (varies with carrier).
                                                                                    1. 4

                                                                                      Some of those (DNS and ad blocking) no longer require root.

                                                                                      If you are able to unlock the bootloader and run something like LineageOS, then you effectively resolve the remaining issues without rooting the device.

                                                                                      1. 1

                                                                                        Oof. Yeah, though to be totally pedantic, you could install an unrooted LineageOS on that phone (if it, or similar, is available), and get most of those. Blokada gives you DNS choice and filtering and ad blocking, and it doesn’t require root (it uses the VPN framework).

                                                                                        1. 1

                                                                                          Blokada

                                                                                          I’ll give that try. I found DNS66 to cause long hangs and random lookup failures and, of course, AdAway requires root.

                                                                                3. 4

                                                                                  The ‘root access’ moniker is a bit of a misnomer as it makes many people seem to think disabling it disables the root account. This is of course not what happens, Android being *nix underneath it by definition has a root account which is used to boot the device and run a host of services. Any bugs which would give rise to local root access still apply no matter whether a working su is installed or not. If the installed su app is working as it should the attack surface is only raised by so much as the user remains vigilant over granting root to specific apps. Any app which does get root can abuse it so this privilege should only be bestowed upon those bits which are ‘known to be trustworthy’. In other words, the security of a ‘rooted’ device depends for a large part on the judiciousness by which the user grants or denies root access, just like the security of a firearm depends on the hand wielding it.

                                                                                  1. 1

                                                                                    depends for a large part on the judiciousness by which the user grants or denies root access

                                                                                    Not entirely. It also depends extremely heavily on the mechanism used to manage root access (e.g. SuperSu). If that application has issues that can be exploited to go around the user intervention, then all bets are off. Suddenly your firearm is capable of firing without you touching it.

                                                                                    1. 1

                                                                                      If the installed su app is working as it should the attack surface is only raised by so much as the user remains vigilant over granting root to specific apps.

                                                                                      1. 1

                                                                                        Ok, but my point is that’s a mighty big assumption to make.

                                                                                  2. 3

                                                                                    Like any decent system, every root request is accepted (or rejected) by the user.

                                                                                    It’s not like you installed an app from the store and it uses root without you knowing.

                                                                                    1. 3

                                                                                      You’re assuming the root manager software (like Magisk, or SuperSU back in the days) has no security issues whatsoever.

                                                                                      Mind you, I’m not saying that commonly used root managers are compromised, but I believe that the current status of Android rooting management is inherently insecure because we rely on software not always audited. I prefer having a custom ROM (maybe even with a custom boot chain of trust!) without root rather than leaving such a wide attack surface available for a hypothetical rogue party.

                                                                                    2. 1

                                                                                      because if someone stole your phone and guessed your root password they could install whatever they want on it?

                                                                                      1. 1

                                                                                        Is this an argument against my thought? If yes could you please elaborate more? I’m curious about your point of view, and I’m afraid my (lacking) knowledge of English didn’t help me understand your reply.

                                                                                        1. 2

                                                                                          i’m confirming how having root access hurts security. which attacks can be carried out when your phone is rooted, which couldn’t be carried out if it weren’t rooted?

                                                                                          1. 3

                                                                                            An app with root access can read the private data of other apps, and can generally disregard the permissions system, so that’s two major classes of things there.

                                                                                            1. 1

                                                                                              but the user would be able to decide whether to run a program as root, wouldn’t they?

                                                                                            2. 3

                                                                                              One could trick the user into installing an app that bypasses root managers and gets root permissions directly. From there, the same rogue app could steal basically everything from the user’s phone without even noticing anything.

                                                                                              1. 1

                                                                                                why would the app be run as root? on linux i can build and run programs as my user account without giving the programs root permissions. i install programs with sudo, but then i’m running the package manager which is code i trust, not the programs i’m installing which i trust less. after installing a program, i still have to explicitly run it as root. does android work differently?

                                                                                      1. 11

                                                                                        Ugh, what Mongo and others are doing isn’t free software. It’s not open source. Trying to broadly expand the scope of copyleft far beyond the GNU licenses “derivative work”, which solely relies on copyright law, not contract law (or wasn’t intended to), is not in the interest of promoting free software.

                                                                                        Copyleft GNU licenses are pretty clear: no discrimination against fields of endeavour (actually, this is what the open source definition says, but it’s the same spirit of the GNU licenses). Saying “if you make money, we treat you differently” is discriminating against commercial interests. The new Mongo license is discriminating solely on your income. Not whether you release source or not, but whether you’re making money. This is not free software! This is not open source!

                                                                                        GNU copyleft licenses are trying to level the playing field. Author gave you the source code and in exchange you must pay it forward. You cannot deny someone else the freedom that you were granted. Conditionally granting someone else freedom on whether they’re making money or not is not at all the same thing.

                                                                                        1. 3

                                                                                          “Copyleft GNU licenses are pretty clear: no discrimination against fields of endeavour (actually, this is what the open source definition says, but it’s the same spirit of the GNU licenses). Saying “if you make money, we treat you differently” is discriminating against commercial interests.”

                                                                                          My first question is “Why?” In a market where money talks and they’re mostly selfish, why structure your licenses to give selfish, freeloading, for-profit companies a bunch of free labor and software at others’ expense? Those commercial users are also themselves usually discriminatory by paying proprietary developers but not OSS. OSS-like for non-commercial with paid for commercial is more fair.

                                                                                          Next, there’s the issue that it’s a capitalist market where money defines the very laws that govern software freedom. In this system, big companies in software are actively removing software freedoms and increasing lockin with their money. OSS/FOSS proponents need lots of money to counter it. Telling them not to do models that generate revenue to protect user’s and developer’s freedoms aids those taking them away. Today, I see most free licenses as unethical and damaging to freedom as proprietary sector for that reason.

                                                                                          The author of post is trying to address this with License Zero. He, imho correctly, focuses on use and modification as triggers of software freedom and/or payment instead of distribution conditions. His Parity license also forces all changes to be shared. That counters the cloud folks quite a bit since a new player can leverage their changes. So, mixing commercial licensing to capture developer and lawyer funds plus strongest, reciprocal copyleft seems most freedom- and developer-protecting compromise.

                                                                                          1. 5

                                                                                            why structure your licenses to give selfish, freeloading, for-profit companies a bunch of free labor and software at others’ expense?

                                                                                            Because there’s no inherent connection between “for-profit” and “abuses the trust of their users”. The FSF doesn’t want to prevent companies who respect user freedom from making a profit; that would be the opposite of what they’re trying to achieve.

                                                                                            1. 2

                                                                                              I said force them to share some profit they derive via software with those whose work produces the software. That’s opposite of what you’re saying where FSF wants OSS people to make no profit or little profit while companies can freeload and profit massively. That’s not hypothetical: it’s what’s occurring in the current environment with current licenses.

                                                                                              1. 5

                                                                                                I don’t think that’s what the FSF wants at all.

                                                                                                1. 1

                                                                                                  It’s what their strategies are doing and have since they started. If they continue, then it’s what they want in practice if not in theory. I care about practical results more than good intentions.

                                                                                                  1. 2

                                                                                                    The FSF doesn’t want companies to freeload. It wants users to be free.

                                                                                                    The practical result is that users are free.

                                                                                                    If we are concerned with the investors in corporations that aren’t able to rent-seek because of this then that’s a different conversation.

                                                                                                    1. 1

                                                                                                      Users can’t be free if politicians are paid to reduce their protections. Money is needed to defend them. My point is models that don’t generate revenue needed to protect software freedom… a large amount on just patent side alone… don’t protect software freedom. Esp if other side is rewriting or reinterpreting the law while free side is relying on same law.

                                                                                                      Models that maximize revenue from business use plus allow free, non-commercial use (or even free commercial under certain revenue) can fund a defense against those removing software freedom. That’s on top of funding tons of paid work on such software and/or FSF-style software. If looking at outcomes, it achieves overall goals better even if limiting distribution goal a bit.

                                                                                                2. 4

                                                                                                  The problem is not wanting to get paid – the problem is wanting to use a copyright monopoly to restrict legitimate use in order to get paid.

                                                                                                  1. 1

                                                                                                    Why is that a problem if the alternative is massive, evil companies getting paid while mostly freeloading on ethical people and paying to reduce/remove their software freedoms? What is your alternative that doesn’t keep most FOSS developers working for pennies to lower-middle-class income? And captures more of the value FOSS is creating to sustain it? (Hell, secure it, too.)

                                                                                                    1. 2

                                                                                                      Write software that does something useful and charge for that.

                                                                                                      Simple.

                                                                                                      Trying to treat software development like the search for an old fashioned pop music hit, something you write once then live off the residuals if you get lucky, isn’t a good model.

                                                                                                      1. 1

                                                                                                        There are multiple business models in the wild that don’t abuse users. This is one of them. I call this one “libre non gratis” and it is used, to my knowledge, by at least Conversations, Synergy, Jason Rohrer’s indie games (and some other video games too by other people. similar setup), to name a few.

                                                                                            2. 2

                                                                                              What the GPL means to me is to give the end user the freedom to fix abusive software. It isn’t really about money or even paying it forward (it doesn’t require you to contribute back to the author at all, only to make the source available to your users so they can modify it same as you have).

                                                                                              Ever use a smartphone app that sends spammy notifications? Wouldn’t happen with GPL - you can just fix the crap yourself.

                                                                                              1. 2

                                                                                                Right, paying it forward to your users, not paying back to the original author.

                                                                                                1. 1

                                                                                                  Yes the latter is the “but what about the project?” antipattern.

                                                                                              2. 1

                                                                                                While I would generally agree that there should be no discrimination for fields of endeavor. I am however sometimes thinking about the possibility that my software might be used for controlling weaponry. And I don’t like that thought.

                                                                                                Probably a non-binding preamble might be the better solution than a pacifist license though, given the complications that a pacifist license would have.

                                                                                                1. 5

                                                                                                  That sort of thing comes up often. It doesn’t seem like software licenses are the right place to make a stand against that.

                                                                                                  We had a discussion about this not long ago,

                                                                                                  https://lobste.rs/s/gpzhu8/is_freedom_zero_such_hot_idea

                                                                                              1. 15

                                                                                                It’s becoming more and more obvious that the old “open source and free software are basically the same thing” line is just wrong. There’s incidental overlap, but the underlying logic of “help the end user” and “make companies more effective at Doing Cloud Capitalism” are inherently at odds in the long run.

                                                                                                1. 7

                                                                                                  I think the OSD and Four Freedoms having 100% overlap is hardly “incidental”.

                                                                                                  Open Source and Free Software as movements differ greatly in focus, but the software and licenses are 99.9% overlapped.

                                                                                                  1. 9

                                                                                                    Yes, that’s a good clarification on what I meant. The fact that the output (the software) technically happens to qualify as open source and free software at the same time is incidental to the fact that the intent of the underlying movements are in very different directions.

                                                                                                  2. 1

                                                                                                    Which one would be more appropriate for “just throwing code out there, I don’t care what happens”? :)

                                                                                                    (I use the Unlicense and identify more with “open source” – so it’s kinda weird to see “open source” being associated with “cloud capitalism”…)

                                                                                                    1. 2

                                                                                                      The reason for the “cloud capitalism” is because in practise if you “don’t care what happens” and your code is useful, it will be used by a cloud corporation to profit. Some people believe these corporations encourage developers and users to “not care what happens” because it directly benefits the corporations.

                                                                                                      Which is not to say that not caring is bad by itself, but only that some bad actors are very happy about it in some cases.

                                                                                                  1. 4

                                                                                                    At this stage both Android and iOS are pretty much the same. They both serve pretty much same features, notifications look pretty much the same and my feeling is that with every version they are both copying things from each other.

                                                                                                    I’ve had a few Android devices and I’ve had problems with some and had amazing experience with others. It’s very much vendor specific (like in everything else).

                                                                                                    Also - I don’t think that with any smartphone there’s a way to entirely de-google or de-apple or de-ads yourself.

                                                                                                    1. 2

                                                                                                      Also - I don’t think that with any smartphone there’s a way to entirely de-google or de-apple or de-ads yourself.

                                                                                                      Could try a non-Android non-Apple smartphone :) They still exist, if less popular.

                                                                                                      1. 1

                                                                                                        Interesting. Do you have any recent experience with any of those? Any in particular I should check out?

                                                                                                        1. 1

                                                                                                          I’m currently typing this on a non-Android BlackBerry 10 device. They don’t make them new, but many are still very serviceable. I’m holding out to replace this with a Pyra, but have been tempted by Planet Computers’ current Gemini and their upcoming device (defaults to Android but official support to dual boot with Sailfish or Debian). I would get a Nexus 5 and run ubports, but I need a real keyboard. If you don’t, might be worth checking out Purism’s Librem5 slated for release next year, my wife is getting that one.

                                                                                                          This is not a complete list, but ones I’m currently using or eyeing.

                                                                                                          1. 1

                                                                                                            The Gemini looks pretty good. My only problem is the camera which is something that I’m using quite a lot. Other than that, the specs are great!

                                                                                                            1. 2

                                                                                                              They claim https://www.indiegogo.com/projects/cosmo-communicator improves the camera, as well as a few other things.

                                                                                                      1. 5

                                                                                                        If you want to use copyright for rent-seeking against the users of your software, that is an unethical abuse. Saying “but if I don’t, I’m not creative enough to know how I’ll make money” is not an excuse.

                                                                                                        1. 6

                                                                                                          I’m not sure if it’s the small proprietary businesses that are engaging in rent seeking, so much as the AWS’s of the world that open source just enough to get you hooked.

                                                                                                          1. 4

                                                                                                            As I argued here, the FOSS licenses sending all the money to businesses subverting copyright and patent laws are facilitating damage. Better to have business models that get developers paid, open up more stuff, and having power to fight back in Congress and courts.

                                                                                                          1. 3

                                                                                                            TL;DR: Bad smartphone design (sorry, design with different priorities) leads to very limited devices where all the fun stops, but it is possible to overcome multiple parts with a laptop / VPS / termux.

                                                                                                            Ditching an open source widely supported platform with forks and projects like termux in which you can be the root user, featuring well-filled alternative app markets

                                                                                                            For an Apple product.

                                                                                                            I still dislike Android not being a serious OS: why no supported compiler? Why no full POSIX libc?

                                                                                                            I prefer OSes that can compile themselves by design.

                                                                                                            Another thing to do is switching from smartphone back to laptop. A small eee pc-style that can easily be swapped in and out of the backpack, running a lightweight Linux or BSD system can act as a good smartphone replacement. Then you only need a smartphone for USB tethering or SMS / calls. There are even apps (or termux) that can relay SMS with a computer.

                                                                                                            Then you can SSH through your tethering connection and send SMSes over SSH! :-P The joy of 10-finger typing SMSes.

                                                                                                            A $100 Android smartphone suffices.

                                                                                                            For “very mobile computing”, you may even do the opposite: SSH into your VPS or into your laptop from the phone. Then you can use IRC, and all terminal “apps” you need. Some like Vim even support touch screen (acting as a mouse: set mouse=all).


                                                                                                            Sent from my iPhone (j/k)

                                                                                                            1. 2

                                                                                                              SMS/calls don’t require a phone or SIM these days either. So you only need a SIM if you want data on the go, and that is better served by a good-quality “hotspot” (they even make them with Ethernet ports!) than by a smartphone.

                                                                                                              1. 2

                                                                                                                I never tried internet service based calls/SMS. Maybe they are reliable enough for daily use. I am not doing hiking in the Himalaya after all!

                                                                                                                1. 1

                                                                                                                  My wife and I have both been using https://jmp.chat for almost two years now as our only way to do SMS or calls – it’s so good we’d never go back to the old way.

                                                                                                                  1. 2

                                                                                                                    That looks interesting! Thank you for the link! Jabber is a little complex to my tastes (XML-based) but standard protocol that you can pipe, forward, whose stream can be transmitted over an encrypted transport (TLS, SSH, CurveCP, MinimaLT and what not!), bridged to other protocols…

                                                                                                                    So much much more flexible than anything I can think of!

                                                                                                            1. 1

                                                                                                              Submissions for October are up: https://snark.badcode.rocks/archives/2018-October/thread.html Challenge for November is up: https://badcode.rocks/2018/305/beer-song/ I’ll post a new thread when the winner and teardown come out for October.