1. 2

    Author suggests using minimalist shells such as dash or busybox for everyday use. Anyone here doing this?

    1. 5

      I’m not sure s/he does - it suggests using a basic shell for scripts.

      1. 1

        good point

      2. 3

        I use mksh, which is like “modern ksh” (actually, a MirBSD Korn Shell) for me.

        1.  

          For scripts? Of course! If you use a big, fancy shell to run your scripts you can more easily accidentally use a non-standard feature. Also, the big, fancy shells are noticeably slower.

          1. 2

            /bin/sh on FreeBSD, ash-derivative.

            1.  

              god no. unless your shell use cases are exceedingly simplistic, writing pure POSIX shell scripts is tedious.

              bash out of the box has useful things like:

              • parameter transformations like @Q which makes it easy to safely eval values.
              • pattern substitution
              • an ERE regexp engine
              • hash maps and arrays
              • mapfile
              • compgen

              and a lot more.

              1.  

                My ‘usual’ response to this type of thing is:

                Bash is not universal, and has ‘interesting’ behaviour in various versions.

                If you find POSIX shell is too simplistic (or the program is too complex), it’s likely that you just need to use a more complex language, not rely on Bash and call it a shell script.

            1. 2

              I just switched to OpenBSD for e-mail using the following stack:

              Inbound: opensmtpd -> spampd(tag) -> opensmtpd -> clamsmtpd(tag) -> opensmtpd -> procmail -> dovecot(Maildir) outbound: opensmtpd -> dkim_proxy -> opensmtpd(relay)

              I don’t use the spamd/grey listing up front like a lot of tutorials suggest, but spampd(spam assistant) seems to get the majority of it.

              My old stack was similar, but used postfix on opensuse. I really like the opensmtpd configuration; loads simpler than postfix. However I wish it supporter filters that the other MTAs do. It had filter support for a bit, but was clunky and subsequently removed. It makes it difficult (impossible?) to run things like rspam.

              1. 5

                rspamd has an MDA mode, so you can do like

                accept from any for local virtual { "@" => mike } deliver to mda "rspamc --mime --ucl --exec /usr/loca
                l/bin/dovecot-lda-mike" as mike
                

                and dovecot-lda-mike is

                #! /bin/sh
                exec /usr/local/libexec/dovecot/dovecot-lda -d mike
                

                smtpd is really really really good. For some reason the email software ecosystem is a mess of insane configs and horrible scripts, but my smtpd.conf is 12 lines and the only script I use (that rspamd one) is going to go away when filters come back. smtpd is so good I went with an MDA instead of a web app to handle photo uploads to my VPS. It’s one line in smtpd.conf and ~70 lines of python, and I don’t have to deal with fcgi or anything like that.

                1. 1

                  smtpd is so good I went with an MDA instead of a web app to handle photo uploads to my VPS

                  Oh that’s a clever idea. I’ve been using ssh (via termux) on my phone but that is so clumsy.

                2. 5

                  I do greylisting on my email server [1] and I’ve found that it reduces the incoming email by 50% up front—there are a lot of poorly written spam bots out there. Greylisting up front will reduce the load that your spam system will have to slog through, for very little cost.

                  [1] Yes, I run my own. Been doing it nearly 20 years now (well over 10 at its current location) so I have it easier than someone starting out now. Clean IP, full control over DNS (I run my own DNS server; I also have access to modify the PTR record if I need to) and it’s just me—no one else receives email from my server.

                  1. 2

                    I’m the author/presenter of the tutorial. If I may, I suggest looking at my talk this year at BSDCan: Fighting Spam at the Frontline: Using DNS, Log Files and Other Tools in the Fight Against Spam. In those slides I talk about using spf records (spf_fetch, smtpctl spfwalk, spfwalk standalone) to whitelist IPs and mining httpd and sshd logs for bad actors and actively blacklisting them.

                    For those who find blacklisting a terrifying idea, in the presentation I suggest configuring your firewall rules so that your whitelists always win. That way, if Google somehow get added to your blacklists, the whitelist rule will ensure Gmail can still connect.

                    I also discuss ways to capture send-to domains and add them to your whitelists so you don’t have to wait hours for them to escape the greylists.

                    1. 1

                      I didn’t find SPF to be all that great, and it was the nearly the same three years earlier. Even the RBL were problematic, but that was three years ago.

                      As for greylisting, I currently hold them for 25 minutes, and that might be 20 minutes longer than absolutely required.

                    2. 1

                      Greylisting is the best. Back when my mailserver was just on a VPS it was the difference between spamd eating 100% CPU and a usable system.

                  1. 2

                    A secondary market for concert/event tickets could bypass the pretty extortionary and abusive middlemen that currently dominate that market. Of course that depends on: a stable value-coin; participation of event promoters; dramatically increased scalability, reliability, efficiency and usability of blockchain and off-chain tools.

                    I think anything like this, that depends on allocating scarce intangible assets, presents a compelling use case. But all this is contingent on dramatic improvements in technology. Right now there are some really interesting things going on in the Ethereum world involving consensus, sharding, and scalability that, if promises are lived up to, might get us closer to where we’d need to be. As far as I can tell most people involved in other cryptocurrencies space are unhealthily fixated on asset prices and speculation, probably to the detriment of making meaningful progress into building these things into useful tools.

                    1. 3

                      I kind of agree, but a “stable value-coin” is a “trusted third party”, I think.

                      1. 5

                        Yes. This is an absolutely unavoidable point that people need to accept and not try to find a clever technical solution for, because none exists! The US dollar is useful to people largely because the federal reserve has a staff that produces and considers numerous reports of real-world consumer prices and adjusts policy to keep them changing at a modest and predictable rate. There is no way a fixed set of rules in a blockchain can achieve this: we are intractable bound to these real-world institutions if we want the stable prices average citizens will demand. Cryptocurrency enthusiasts very slowly re-learning–or refusing to learn–these basic tenets of monetary policy is frustrating.

                        Given this, I feel that being able to trust arbitrary counterparties for a some variety of transactions could still be a very useful tool in the future.

                        1. 3

                          I think for at least the early ones it was less ignorance of monetary policy, and more a fundamental philosophical disagreement.

                      2. 1

                        Can’t they just sell it centralized online with a limit for each registered customer? Could even bootstrap it at one event by giving customers cards with unique codes on them for use with an app and/or web site. They get them with instructions when they come in. That establishes the unique ID’s that are used to buy tickets for future events.

                        Whatever is left of the problem should be minimal. If each supplier does this, third parties will show up selling them a solution trying to grab the market. It will get cheaper for those selling tickets.

                      1. 8

                        This seems less Haskell-specific and more a lack-of-focus problem. I can refactor and add abstractions all day in Ruby too :)

                        1. 2

                          I don’t know if you know haskell but it is much worse in haskell. Like 20x worse. People will try to say it’s a personal probably and yes all languages, but I really don’t think it is.

                          1. 4

                            I do all of my personal coding in Haskell. I don’t find the temptation to do useless extra abstractions much worse. I mean, it’s bad in every language because abstractions are fun, but one can also choose to get things done :)

                        1. 23

                          I don’t think that direction is “up” ;)

                          1. 6

                            agreed. it’s at best sideways, but in reality, it’s downward for a time. nobody will necessarily respect your opinion as management in an org just because you’ve been promoted.

                            1. 2

                              The article actually does distinguish between “moving up” and “switching from engineering to management”. It’s the title of the link here on lobste.rs that’s misleading.

                              1. 2

                                Perhaps, this is a personal opinion of mine. I consider both moving to a Software Architect position or Management position as going up.

                              1. 2

                                There is a public_send method that respects method visibility - to be completely honest I’m not sure how it deals with protected status, though, since protected is not typically seen in idiomatic Ruby afaict.

                                I do like the perspective of looking at method dispatch in terms of sending messages, though. Decent write up!

                                1. 2

                                  public_send does not call protected methods. And, yeah, protected rarely happens in Ruby. I consider it a mild code smell as it implies the use of inheritance.

                                  1. 1

                                    And, yeah, protected rarely happens in Ruby. I consider it a mild code smell as it implies the use of inheritance.

                                    I’ve always considered private to be the wrong choice, in any language, because it signals that I think I know every way anyone might ever want to extend my class. Inheritance may not always (or even often) be the right solution, but making certain extension options impossible is just going to drive future coders crazy.

                                    1. 2

                                      I use private to lower the cost for future internal refactors, and upgrades, by providing a signal that “Hey, this method is not part of the public API, I do not condone its external use, and reserve the right to change it wildly.”

                                      It communicates that there consciously was no consideration for what might happen if external objects began to depend on said private method. Later changes by anyone (not just the original author) can and will be free to change the private method at will: refactor, upgrade, remove entirely, and there is less to hold in your head and worry about when upgrading them later.

                                      However, behavior of a private method that is observable through the a public method is fair game, and test cases should exist for those. The flip side of this is that, except in some rare cases, I favor not testing private methods. Any behavior that is possible via a private method, but which cannot be exercised or observed through use of public methods, should not be considered as supported behavior on the object. That does not preclude a new public method from exposing more of the private method’s behavior later, but at that point it is part of the public interface, and should be presented and documented as such.

                                      As for making certain extension options impossible, at least in the context of Ruby, private does not do this.

                                      class PrivateGreeter
                                        private
                                        def greeting
                                          "Hello."
                                        end
                                      end
                                      
                                      class PublicGreeter < PrivateGreeter
                                        def speak
                                          greeting
                                        end
                                      end
                                      
                                      irb> PrivateGreeter.new.greeting
                                      # => NoMethodError: private method `greeting' called for #<PrivateGreeter>
                                      irb> PublicGreeter.new.speak
                                      # => "Hello."
                                      

                                      You can even give it the same name as the parent class’ private method if you really, truly need to let external objects utilize the method as part of the subclass’ public API with the exact same name:

                                      class PublicGreeter < PrivateGreeter
                                        def greeting
                                          super
                                        end
                                      end
                                      
                                      irb> PrivateGreeter.new.greeting
                                      # => NoMethodError: private method `greeting' called for #<PrivateGreeter>
                                      irb> PublicGreeter.new.greeting
                                      # => "Hello."
                                      

                                      Since an inherited class can make use of its parent class’ private method, the question then becomes: should it? If we have a stipulation that the parent class reserves the right to refactor its private methods or change them wildly, should we rely on a parent class’ private method?

                                      I think the answer differs between application code and library code. If the parent class comes from a library, or some internal, but still cross-domain, utility code, I would not want to rely on the existence, the arity, or the behavior of a private method. If the behavior is so critical, I would rather capture the behavior permanently as part of the subclass by copying the code itself over to the subclass (or not use inheritance at all, but I would still definitely copy the code). Everything I have seen makes me agree that duplication is far cheaper than the wrong abstraction.

                                      In the case of application code, it is more acceptable to rely on a parent class’ internals. I still would fight the urge, but it can be expected that the author modifying the subclass and parent class has access and authority to work on both in order to get their job done, that the tests for both classes live in the same suite, and other niceties that make maintaining that dependency across time situation more tenable.

                                  2. 1

                                    Thanks for your great feedback ! That’s motivates me to do even more :-)

                                  1. 10

                                    This continued trend of saying that easily-understandable language features that, even when unfamiliar, are a simple Google away should be avoided just in case someone hasn’t seen them before needs to end. We put features in the languages to be used, maybe not used every time the opportunity comes up, or in “overly clever” ways, but avoiding them in clear cases to avoid anyone else needed to learn anything just reduces the level of learning industry-wide.

                                    1. 1

                                      I think there are language features out there that are so esoteric they should be avoided – Ruby’s flip-flop operator comes to mind. This doesn’t seem to be in the same category; I was able to grok the idea after a 30-second explanation.

                                      1. 1

                                        With flip-flop, the case is a little different though: Matz himself has said so, even very long ago.

                                        (See the relevant chapter in Matsumoto/Flanegan: The Ruby Programming Language)

                                        1. 1

                                          For-else is esoteric as well. It’s mentioned once in the Python documentation, and no example is given. Same with try-else. Guido himself said he wouldn’t have put the functionality in there if he’d had a time machine https://mail.python.org/pipermail/python-ideas/2009-October/006157.html

                                    1. 2

                                      Do they owe enough to make legal proceedings worth it? Odds are the court will easily judge in your favour (the other side often doesn’t even bother to show up in such cases IME, they don’t want to pay a lawyer themselves). Then, if you suspect they have some or all of your money, it gives you the legal authority to have the money seized from the accounts, etc (details will vary by jurisdiction)

                                      1. 2

                                        A team of developers was working with them, that is why it makes it worth it. I am sure they have the money, but probably not enough money to pay debts and to finish the development before a new investor or the IPO goes through.

                                        1. 1

                                          A team of developers was working with them, that is why it makes it worth it. I am sure they have the money, but probably not enough money to pay debts and to finish the development before a new investor or the IPO goes through.

                                        1. 3

                                          I do this for all my sites. It really should be the default, or at least more obvious.

                                            1. 3

                                              Writing a robotfindschicken clone in Scheme for kicks. It’s fun but feels sorta sinful to write in a nearly purely imperative way in a language like this. I guess there’s no way around with ncurses.

                                              1. 1

                                                Scheme FRP library?

                                                1. 1

                                                  Interesting idea but I don’t think any FRP library exists for any dialect of Scheme. Or any dialect of Lisp besides Clojure for that matter.

                                              1. 65

                                                This blogpost is a good example of fragmented, hobbyist security maximalism (sprinkled with some personal grudges based on the tone).

                                                Expecting Signal to protect anyone specifically targeted by a nation-state is a huge misunderstanding of the threat models involved.

                                                Talking about threat models, it’s important to start from them and that explains most of the misconceptions in the post.

                                                • Usable security for the most people possible. The vast majority people on the planet use iOS and Android phones, so while it is theoretically true that Google or Apple could be forced to subvert their OSs, it’s outside the threat model and something like that would be highly visible, a nuclear option so to speak.
                                                • Alternative distribution mechanisms are not used by 99%+ of the existing phone userbases, providing an APK is indeed correctly viewed as harm reduction.
                                                • Centralization is a feature. Moxie created a protocol and a service used by billions and millions of people respectively that provides real, measureable security for a lot of people. The fact is that doing all this in a decentralized way is something we don’t yet know how to do or doing invites tradeoffs that we shouldn’t make. Federation atm either leads to insecurity or leads to the ossification of the ecosystem, which in turn leads to a useless system for real users. We’ve had IRC from the 1990s, ever wonder why Slack ever became a thing? Ossification of a decentralized protocol. Ever wonder why openpgp isn’t more widespread? Noone cares about security in a system where usability is low and design is fragile. Ever tried to do key rotation in gpg? Even cryptographers gave up on that. Signal has that built into the protocol.

                                                Were tradeoffs made? Yes. Have they been carefully considered? Yes. Signal isn’t perfect, but it’s usable, high-level security for a lot of people. I don’t say I fully trust Signal, but I trust everything else less. Turns out things are complicated when it’s about real systems and not fantasy escapism and wishes.

                                                1. 34

                                                  Expecting Signal to protect anyone specifically targeted by a nation-state is a huge misunderstanding of the threat models involved.

                                                  In this article, resistance to governments constantly comes up as a theme of his work. He also pushed for his tech to be used to help resist police states like with the Arab Spring example. Although he mainly increased the baseline, the tool has been pushed for resisting governments and articles like that could increase perception that it was secure against governments.

                                                  This nation-state angle didn’t come out of thin air from paranoid, security people: it’s the kind of thing Moxie talks about. In one talk, he even started with a picture of two, activist friends jailed in Iran in part to show the evils that motivate him. Stuff like that only made the stuff Drew complains about on centralization, control, and dependence on cooperating with surveillance organization stand out even more due to the inconsistency. I’d have thought he’d make signed packages for things like F-Droid sooner if he’s so worried about that stuff.

                                                  1. 5

                                                    A problem with the “nation-state” rhetoric that might be useful to dispel is the idea that it is somehow a God-tier where suddenly all other rules becomes defunct. The five-eyes are indeed “nation state” and has capabilities that are profound; like the DJB talk speculating about how many RSA-1024 keys that they’d likely be able to factor in a year given such and such developments and what you can do with that capability. That’s scary stuff. On the other hand, this is not the “nation state” that is Iceland or Syria. Just looking at the leaks from the “Hacking Team” thing, there are a lot of “nation states” forced to rely on some really low quality stuff.

                                                    I think Greg Conti in his “On Cyber” setup depicts it rather well (sorry, don’t have a copy of the section in question) and that a more reasonable threat model of capable actors you do need to care about is that of Organized Crime Syndicates - which seems more approachable. Nation State is something you are afraid of if you are political actor or in conflict with your government, where the “we can also waterboard you to compliance” factors into your threat model, Organized Crime hits much more broadly. That’s Ivan with his botnet from internet facing XBMC^H Kodi installations.

                                                    I’d say the “Hobbyist, Fragmented Maximalist” line is pretty spot on - with a dash of “Confused”. The ‘threats’ of Google Play Store (test it, write some malware and see how long it survives - they are doing things there …) - the odds of any other app store; Fdroid, the ones from Samsung, HTC, Sony et al. - being completely owned by much less capable actors is way, way higher. Signal (perhaps a Signal-To-Threat ratio?) perform an good enough job in making reasonable threat actors much less potent. Perhaps not worthy of “trust”, but worthy of day to day business.

                                                  2. 18

                                                    Expecting Signal to protect anyone specifically targeted by a nation-state is a huge misunderstanding of the threat models involved.

                                                    And yet, Signal is advertising with the face of Snowden and Laura Poitras, and quotes from them recommending it.

                                                    What kind of impression of the threat models involved do you think does this create?

                                                    1. 5

                                                      Who should be the faces recommending signal that people will recognize and listen to?

                                                      1. 7

                                                        Whichever ones are normally on the media for information security saying the least amount of bullshit. We can start with Schneier given he already does a lot of interviews and writes books laypeople buy.

                                                        1. 3

                                                          What does Schneier say about signal?

                                                          1. 10

                                                            He encourages use of stuff like that to increase baseline but not for stopping nation states. He adds also constantly blogged about the attacks and legal methods they used to bypass technical measures. So, his reporting was mostly accurate.

                                                            We counterpoint him here or there but his incentives and reo are tied to delivering accurate info. Moxie’s incentives would, if he’s selfish, lead to locked-in to questionable platforms.

                                                    2. 18

                                                      We’ve had IRC from the 1990s, ever wonder why Slack ever became a thing? Ossification of a decentralized protocol.

                                                      I’m sorry, but this is plain incorrect. There are many expansions on IRC that have happened, including the most recent effort, IRCv3: a collectoin of extensions to IRC to add notifications, etc. Not to mention the killer point: “All of the IRCv3 extensions are backwards-compatible with older IRC clients, and older IRC servers.”

                                                      If you actually look at the protocols? Slack is a clear case of Not Invented Here syndrome. Slack’s interface is not only slower, but does some downright crazy things (Such as transliterating a subset of emojis to plain-text – which results in batshit crazy edge-cases).

                                                      If you have a free month, try writing a slack client. Enlightenment will follow :P

                                                      1. 9

                                                        I’m sorry, but this is plain incorrect. There are many expansions on IRC that have happened, including the most recent effort, IRCv3: a collectoin of extensions to IRC to add notifications, etc. Not to mention the killer point: “All of the IRCv3 extensions are backwards-compatible with older IRC clients, and older IRC servers.”

                                                        Per IRCv3 people I’ve talked to, IRCv3 blew up massively on the runway, and will never take off due to infighting.

                                                        1. 12

                                                          And yet everyone is using Slack.

                                                          1. 14

                                                            There are swathes of people still using Windows XP.

                                                            The primary complaint of people who use Electron-based programs is that they take up half a gigabyte of RAM to idle, and yet they are in common usage.

                                                            The fact that people are using something tells you nothing about how Good that thing is.

                                                            At the end of the day, if you slap a pretty interface on something, of course it’s going to sell. Then you add in that sweet, sweet Enterprise Support, and the Hip and Cool factors of using Something New, and most people will be fooled into using it.

                                                            At the end of the day, Slack works just well enough Not To Suck, is Hip and Cool, and has persistent history (Something that the IRCv3 group are working on: https://ircv3.net/specs/extensions/batch/chathistory-3.3.html)

                                                            1. 9

                                                              At the end of the day, Slack works just well enough Not To Suck, is Hip and Cool, and has persistent history (Something that the IRCv3 group are working on […])

                                                              The time for the IRC group to be working on a solution to persistent history was a decade ago. It strikes me as willful ignorance to disregard the success of Slack et al over open alternatives as mere fashion in the face of many meaningful functionality differences. For business use-cases, Slack is a better product than IRC full-stop. That’s not to say it’s perfect or that I think it’s better than IRC on all axes.

                                                              To the extent that Slack did succeed because it was hip and cool, why is that a negative? Why can’t IRC be hip and cool? But imagine being a UX designer and wanting to help make some native open-source IRC client fun and easy to use for a novice. “Sisyphean” is the word that comes to mind.

                                                              If we want open solutions to succeed we have to start thinking of them as products for non-savvy end users and start being honest about the cases where closed products have superior usability.

                                                              1. 5

                                                                IRC isn’t hip and cool because people can’t make money off of it. Technologies don’t get investment because they are good, they get good because of investment. The reason that Slack is hip/cool and popular and not IRC is because the investment class decided that.

                                                                It also shows that our industry is just a pop culture and can give a shit about good tech .

                                                                1. 4

                                                                  There were companies making money off chat and IRC. They just didn’t create something like Slack. We can’t just blame the investors when they were backing companies making chat solutions whose management stayed on what didn’t work in long-term or for huge audience.

                                                                  1. 1

                                                                    IRC happened before the privatization of the internet. So the standard didn’t lend itself well for companies to make good money off of it. Things like slack are designed for investor optimization, vs things like IRC being designed for use and openness.

                                                                    1. 2

                                                                      My point was there were companies selling chat software, including IRC clients. None pulled off what Slack did. Even those doing IRC with money or making money off it didn’t accomplish what Slack did for some reason. It would help to understand why that happened. Then, the IRC-based alternative can try to address that from features to business model. I don’t see anything like that when most people that like FOSS talk Slack alternatives. Then, they’re not Slack alternatives if lacking what Slack customers demand.

                                                                      1. 1

                                                                        Thanks for clarifying. My point can be restated as… There is no business model for federated and decentralized software (until recently , see cryptocurrencies). Note most open and decentralized tech of the past was government funded and therefore didn’t face business pressures. This freed designets to optimise other concerns instead of business onrs like slack does.

                                                                2. 4

                                                                  To the extent that Slack did succeed because it was hip and cool, why is that a negative? Why can’t IRC be hip and cool?

                                                                  The argument being made is that the vast majority of Slack’s appeal is the “hip-and-cool” factor, not any meaningful additions to functionality.

                                                                  1. 6

                                                                    Right, as I said I think it’s important for proponents of open tech to look at successful products like Slack and try to understand why they succeeded. If you really think there is no meaningful difference then I think you’re totally disconnected from the needs/context of the average organization or computer user.

                                                                    1. 3

                                                                      That’s all well and good, I just don’t see why we can’t build those systems on top of existing open protocols like IRC. I mean: of course I understand, it’s about the money. My opinion is that it doesn’t make much sense to insist that opaque, closed ecosystems are the way to go. We can have the “hip-and-cool” factor, and all the amenities provided by services like Slack, without abandoning the important precedent we’ve set for ourselves with protocols like IRC and XMPP. I’m just disappointed that everyone’s seeing this as an “either-or” situation.

                                                                      1. 2

                                                                        I definitely don’t see it as an either-or situation, I just think that the open source community typically has the wrong mindset for competing with closed products and that most projects are unapproachable by UX or design-minded people.

                                                                3. 3

                                                                  Open, standard chat tech has had persistent history and much more for decades in the form of XMPP. Comparing to the older IRC on features isn’t really fair.

                                                                  1. 2

                                                                    The fact that people are using something tells you nothing about how Good that thing is.

                                                                    I have to disagree here. It shows that it is good enough to solve a problem for them.

                                                                    1. 1

                                                                      I don’t see how Good and “good enough to solve a problem” are related here. The first is a metric of quality, the second is the literal bare minimum of that metric.

                                                              2. 1

                                                                Alternative distribution mechanisms are not used by 99%+ of the existing phone userbases, providing an APK is indeed correctly viewed as harm reduction.

                                                                I’d dispute that. People who become interested in Signal seem much more prone to be using F-Droid than, say, WhatsApp users. Signal tries to be an app accessible to the common person, but few people really use it or see the need… and often they are free software enthusiasts or people who are fed up with Google and surveillance.

                                                                1. 1

                                                                  More likely sure, but that doesn’t mean that many of them reach the threshold of effort that they do.

                                                                2. 0

                                                                  Ossification of a decentralized protocol.

                                                                  IRC isn’t decentralised… it’s not even federated

                                                                  1. 3

                                                                    Sure it is, it’s just that there are multiple federations.

                                                                1. 2

                                                                  I can’t decide if Let’s Encrypt is a godsend or a threat.

                                                                  On one hand, it let you support HTTPS for free.
                                                                  On the other, they collect an enourmous power worldwide.

                                                                  1. 8

                                                                    Agreed, they are quickly becoming the only game in town worth playing with when it comes to TLS certs. Luckily they are a non-profit, so they have more transparency than say Google, who took over our email.

                                                                    It’s awesome that we have easy, free TLS certs, but there shouldn’t be a single provider for such things.

                                                                    1. 3

                                                                      Is there anything preventing another (or another ten) free CAs from existing? Let’s Encrypt just showed everyone how, and their protocol isn’t a secret.

                                                                      1. 6

                                                                        OpenCA tried for a long time, and I think now has pretty much given up: https://www.openca.org/ and just exist in their own little bubble now.

                                                                        Basically nobody wants to certify you unless you are willing to pay out the nose and are considered friendly to the way of doing things. LE bought their way in I’m sure, to get their cert cross-signed, which is how they managed so “quickly” and it still took YEARS.

                                                                        1. 1

                                                                          Have you ever tried to create a CA?

                                                                          1. 3

                                                                            I’ve created lots of CAs, trusted by at most 250 people. :)

                                                                            Of course it’s not easy to make a new generally-trusted CA — nor would I want it to be. It’s a big complicated expensive thing to do properly. But if you’re willing to do the work, and can arrange the funding, is anything stopping you? I don’t know that browser vendors are against the idea of multiple free CAs.

                                                                            1. 3

                                                                              Obviously I was not talking about the technical stuffs.

                                                                              One of my previous boss explored the matter. He had the technical staff already but he wanted to become an official authority. It was more or less 2005.

                                                                              After a few time (and a lot of money spent in legal consulting) he gave up.

                                                                              He said: “it’s easier to open a bank”.

                                                                              In a sense, it’s reasonable, as the European laws want to protect citizens from unsafe organisations.

                                                                              But, it’s definitely not a technical problem.

                                                                        2. 1

                                                                          Luckily they are a non-profit

                                                                          Linux Foundation is a 501(c)(6) organization, a business league that is not organized for profit and no part of the net earnings goes to the benefit of any private shareholder or individual.
                                                                          The fact all shareholders benefit from its work without a direct economical gain, doesn’t means it has the public good at heart. Even less the public good of the whole world.

                                                                          It sound a lot like another attempt to centralize the Internet, always around the same center.

                                                                          It’s awesome that we have easy, free TLS certs, but there shouldn’t be a single provider for such things.

                                                                          And such certificates protect people from a lot of relatively cheap attacks. That’s why I’m in doubt.

                                                                          Probably, issuing TLS certificates should be a public service free for each citizen of a state.

                                                                          1. 3

                                                                            Oh Jeez. Thanks, I didn’t realize it was not a 501c3, When LE was first coming around they talked about being a non-profit and I just assumed. That’s what happens when I assume.

                                                                            Proof, so we aren’t just taking @Shamar’s word for it:

                                                                            Linux Foundation Bylaws: https://www.linuxfoundation.org/bylaws/

                                                                            Section 2.1 states the 501(c)(6) designation with the IRS.

                                                                            My point stands, that we do get more transparency this way than we would if they were a private for-profit company, but I agree it’s definitely not ideal.

                                                                            So you think local cities, counties, states and countries should get in the TLS cert business? That would be interesting.

                                                                            1. 5

                                                                              It’s true the Linux Foundation isn’t a 501(c)(3) but the Linux Foundation doesn’t control Let’s Encrypt, the Internet Security Research Group does. And the ISRG is a 501(c)(3).

                                                                              So your initial post is correct and Shamar is mistaken.

                                                                              1. 1

                                                                                The Linux Foundation will provide general and administrative support services, as well as services related to fundraising, financial management, contract and vendor management, and human resources.

                                                                                This is from the page linked by @philpennock.

                                                                                I wonder what is left to do for the Let’s Encrypt staff! :-)

                                                                                I’m amused by how easily people forget that organisations are composed by people.

                                                                                What if Linux Foundation decides to drop its support?
                                                                                No funds. No finance. No contracts. No human resources.
                                                                                Oh and no hosting, too.

                                                                                But hey! I’m mistaken! ;-)

                                                                                1. 2

                                                                                  Unless you have inside information on the contract, saying LE depends on the Linux Foundation is pure speculation.

                                                                                  I can speculate too. Should the Linux Foundation withdraw support there are plenty of companies and organisations that have a vested interest in keeping LetsEncrypt afloat. They’ll be fine.

                                                                                  1. 1

                                                                                    Agreed.

                                                                                    Feel free to think that it’s a philanthropic endeavour!
                                                                                    I will continue to think it’s a political one.

                                                                                    The point (and as I said I cannot answer yet) is if the global risk of a single US organisation being able to break most of HTTPS traffic world wide is worth the benefit of free certificates.

                                                                                    1. 3

                                                                                      Any trusted CA can MITM, though, not just the one that issued the certificate. So the problem is (and always has been) much, much worse than that.

                                                                                      1. 1

                                                                                        Good point! I stand corrected. :-)

                                                                                        Still note how it’s easier for the certificate issuer to go unnoticed.

                                                                            2. 4

                                                                              What’s Linux Foundation got to do with it? Let’s Encrypt is run by ISRG, Internet Security Research Group, an organization from the IAB/IETF family if memory serves.

                                                                              They’re a 501(c)(3).

                                                                              1. 2

                                                                                LF provide hosting and support services, yes. Much as I pay AWS to run some things for me, which doesn’t lead to Amazon being in charge. https://letsencrypt.org/2015/04/09/isrg-lf-collaboration.html explains the connection.

                                                                                1. 1

                                                                                  Look at the home page, top-right.

                                                                                  1. 2

                                                                                    The Linux Foundation provides hosting, fundraising and other services. LetsEncrypt collaborates with them but is run by the ISRG:

                                                                                    Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).

                                                                          1. 2

                                                                            The comments in the post discuss a 5XX vs a 4XX error and that client-side errors should be fixed by the client. Now I am wondering if the GDPR applies to European citizens or people that are currently in Europe (maybe a day trip or what ever). I usually thought that these GDPR filters are using geoIp. But what if a European citizen is in the US and the other way around? I only checked Wikipedia for this and they say the GDPR applies to EU-citizens. So how to figure out if a web client is a EU-citizen? What am I doing wrong?

                                                                            1. 4

                                                                              The companies are just trying to protect themselves as best they can. Realistically, a European citizen suing a US-only company in a European court over European law is being frivolous and the company will likely not be affected in any way, so the butt-covering of geoip blocking is more a political statement to potential sue-ers than it is actual legal protection.

                                                                              1. 6

                                                                                What is the actual message to European users of such political statement?

                                                                                We don’t want your money? We don’t want your data? You do not deserve our technology? We are the Spiders of the Web and you are just a fly?

                                                                                Btw, as an European I would really appreciate a clear statement on a website saying “we are sorry but we cannot protect your data and respect your rights, please search for one of our competitor that can do it better”.

                                                                                I’m not ironic.
                                                                                GDPR defines several important rights for the data subject that imply certain investments in cybersecurity and a basic quality of service. Being able to say “I cannot do this right, please ask to someone else” is a sign of professionalism.

                                                                              2. 3

                                                                                You figure it out by asking them. There are many sites that don’t serve US citizens for various reasons. When you enter them, they ask you to declare you are not a US citizen. It’s as simple as that. If they lie, it’s on them.

                                                                                Honestly, this GDPR thing has gotten many Americans acting indignated and generally quite irrational over something that hardly changes anything and is not without a slew of precedent. It’s just the first time US companies are visibly seriously affected by law elsewhere. Now you know how it feels. Get over the feeling and deal with it.

                                                                                1. 1

                                                                                  Well, in principle, I would guess that European courts might be apprehensive about dictating law globally, which would essentially be the case if it was found that GDPR applies to European citizens wherever they may be, and even if a website operator had taken all reasonable precautions to block European citizens from using their cite.

                                                                                  1. 3

                                                                                    GDPR apply to data of European citizens worldwide and to data of non European citizens collected while they are in the Union.

                                                                                    However, if your registration form have a mandatory checkbox “I’m NOT a European citizen and I’m not going to use your services while in the European Union” AND the such checkbox is uncheked by default AND you block all European IPs, I think no European court will ever annoy you.

                                                                                1. 2

                                                                                  This is really a non-issue as far as I’m concerned.

                                                                                  Browsers (either standalone or with plugins) let users turn off images, turn off Javascript, override or ignore stylesheets, block web fonts, block video/flash, and block advertisements and tracking. Users can opt-out of almost any part of the web if it bothers them.

                                                                                  On top of that, nobody’s twisting anybody’s arm to visit “heavy” sites like CNN. If CNN loads too much crap, visit a lighter site. They probably won’t be as biased as CNN, either.

                                                                                  Nobody pays attention to these rants because at the end of the day they’re just some random people stating their arbitrary opinions. Rewind 10 or 15 or 20 years and Flash was killing the web, or Javascript, or CSS, or the img tag, or table based layouts, or whatever.

                                                                                  1. 10

                                                                                    Rewind 10 or 15 or 20 years and Flash was killing the web, or Javascript, or CSS, or the img tag, or table based layouts, or whatever

                                                                                    Flash and table based layouts really were and, to the extent that you still see them, are either hostile or opaque to people who require something like a screen reader to use a website. Abuse of javascript or images excludes people with low end hardware. Sure you can disable these things but it’s all too common that there is no functional fallback (apparently I can’t even vote or reply here without javascript being on).

                                                                                    Are these things “killing the web” in the sense that the web is going to stop existing as a result? Of course not, but the fact that they don’t render the web totally unusable is not a valid defense of abuses of these practices.

                                                                                    1. 3

                                                                                      I wouldn’t call any of those things “abuses”, though.

                                                                                      Maybe it all boils down to where the line is drawn between supported hardware and hardware too old to use on the modern web, and everybody will have different opinions. Should I be able to still browser the web on my old 100 Mhz Petnium with 8 Mb of RAM? I could in 1996…

                                                                                      1. 12

                                                                                        Should I be able to still browser the web on my old 100 Mhz Petnium with 8 Mb of RAM?

                                                                                        To view similar information? Absolutely. If what I learn after viewing a web page hasn’t changed, then neither should the requirements to view it. If a 3D visualization helps me learn fluid dynamics, ok, bring it on, but if it’s page of Cicero quotes, let’s stick with the text, shall we?

                                                                                        1. 5

                                                                                          I wouldn’t call any of those things “abuses”, though.

                                                                                          I think table based layouts are really pretty uncontroversially an abuse. The spec explicitly forbids it.

                                                                                          The rest are tradeoffs, they’re not wrong 100% of the time. If you wanted to make youtube in 2005 presumably you had to use flash and people didn’t criticize that, it was the corporate website that required flash for no apparent reason that drew fire. The question that needs to be asked is if the cost is worth the benefit. The reason people like to call out news sites is they haven’t really seen meaningfully new features in two decades (they’re still primarily textual content, presented with pretty similar style, maybe with images and hyperlinks. All things that 90s hardware could handle just fine) but somehow the basic experience requires 10? 20? 100 times the resources? What did we buy with all that bandwidth and CPU time? Nothing except user-hostile advertising as far as I can tell.

                                                                                          1. 2

                                                                                            If you wanted to make youtube in 2005 presumably you had to use flash and people didn’t criticize that

                                                                                            At the time (ok, 2007, same era) I had a browser extension that let people view YouTube without flash by swapping the flash embed for a direct video embed. Was faster and cleaner than the flash-based UI.

                                                                                            1. 1
                                                                                            2. 2

                                                                                              I’d say text-as-images and text-as-Flash from the pre-webfont era are abuses too.

                                                                                        2. 7

                                                                                          On top of that, nobody’s twisting anybody’s arm to visit “heavy” sites like CNN. If CNN loads too much crap, visit a lighter site.

                                                                                          Or just use http://lite.cnn.io

                                                                                          1. 2

                                                                                            nobody’s twisting anybody’s arm to visit “heavy” sites like CNN

                                                                                            Exactly. It’s not a “web developers are making the web bloated” problem, it’s a “news organizations are desperate to make money and are convinced that personalized advertising and tons of statistics (Big Data!!) will help them” problem.

                                                                                            Lobsters is light, HN, MetaFilter, Reddit, GitHub, GitLab, personal sites/blogs, various wikis, forums, issue trackers, control panels… Most of the stuff I use is really not bloated.

                                                                                            If you’re reading general world news all day… stop :)

                                                                                          1. 3

                                                                                            This is awesome! Signed up. Are you planning on open sourcing it? I’m sure I would self host something like this.

                                                                                            1. 4

                                                                                              Thanks! I’d love to open-source it. However, I can’t justify the time commitment it would take yet. I’ve open-sourced many smaller projects, and I always feel compelled to answer every email I get. I wish I could post it and then just ignore it, but I really can’t.

                                                                                              I did make a deal with myself a long time ago. If I can get enough supporters on Patreon, I will open-source it. The code is already pretty cleaned-up and ready to go. It’s pure PHP, no dependencies. No frameworks or anything.

                                                                                              1. 2

                                                                                                Post code with no email address to contact you? ;)

                                                                                                1. 1

                                                                                                  I actually did that with one project. People find a way.

                                                                                                  Anyway, my name is all over this by now.

                                                                                                2. 1

                                                                                                  Sweet project, man! I’ve already set it up to email me whenever my name is mentioned on reddit. I’m just a poor student so I can’t justify a patreon (or I could, if it were just 1 project, but there are so many projects I’d love to support) so I’ll have to content myself with just saying thanks, it’s a great idea and a great post explaining it.

                                                                                                  1. 2

                                                                                                    I’m glad you like it! I put it online in the hope that others would find it useful, so I appreciate your comment!

                                                                                              1. 12

                                                                                                A realization I recently had:

                                                                                                Why don’t we abstract away all display affordances from a piece of code’s position in a file? That is, the editor reads the file, parses its AST, and displays it according to the programmer’s preference (e.g., elastic tabstops, elm-like comma-leading lists, newline/no-newline before opening braces, etc). And prior to save, the editor simply runs it through an uncustomized prettier first.

                                                                                                There are a million and one ways to view XML data without actually reading/writing pure XML. Why not do that with code as well?

                                                                                                1. 4

                                                                                                  This idea is floating around the interwebz for a long time. I recall it being stated almost verbatim on Reddit, HN, probably on /.

                                                                                                  1. 6

                                                                                                    And once you take it a step further, it’s clear that it shouldn’t be in a text file in the first place. Code just isn’t text. If you store it as a tree or a graph in some sort of database, it becomes possible to interact with it in much more powerful ways (including displaying it any way you like). We’ve been hobbled by equating display representation with storage format.

                                                                                                    1. 7

                                                                                                      This talk touches on this issue, along with some related ones and HCI in general: Bret Victor: The Future of Programming

                                                                                                      1. 2

                                                                                                        God, I have been trying to recall the name of this talk for ages! Thank you so much, it is a great recommendation

                                                                                                      2. 5

                                                                                                        Text is great when (not if) your more complicated tools fail or do something you can’t tolerate and you need to use tools which don’t Respect The Intent of designers who, for whatever reason, don’t respect your intent or workflow. Sometimes, solving a problem means working around a breakage, whether or not that breakage is intentional on someone else’s part.

                                                                                                        Besides, we just (like, last fifteen or so years) got text to the point where it’s largely compatible. Would be a shame to throw that away in favor of some new AST-database-thing which only exists on a few platforms.

                                                                                                        1. 1

                                                                                                          I’m not sure I get your point about about intent. Isn’t the same already true of, say, compilers? There are compiler bugs that we have to work around, there are programs that seem logical to us but the compiler won’t accept, and so on. Still, everybody seems to be mostly happy to file a compiler bug or a feature request, and live with a workaround for the present. Seems like it works well enough in practice.

                                                                                                          I understand your concern about introducing a new format but it sounds like a case of worse-is-better. Sure, we get a lot of convenience from the ubiquity of text, but it would nevertheless be sad if we were stuck with it for the next two centuries.

                                                                                                          1. 1

                                                                                                            With compilers, there are multiple of them for any given language, if the language is important enough, and you can feed the same source into all of them, assuming that source is text.

                                                                                                            1. 2

                                                                                                              I’ve never seen anyone casually swap out the compiler for production code. Also, for the longest time, if you wrote C++ for Windows, you pretty much had to use the Microsoft compiler. I’m sure that there are many embedded platforms with a single compiler.

                                                                                                              If there’s a bug in the compiler, in most casss you work around it, then patiently wait for a fix from the vendor.

                                                                                                              So that’s hardly a valid counterpoint.

                                                                                                              1. 1

                                                                                                                Re: swapping out compiler for production code: most if not all cross-platform C++ libraries can be compiled on at least llvm, gcc and msvc.

                                                                                                                1. 1

                                                                                                                  Yes, I’m aware of that, but what does it have to do with anything I said?

                                                                                                                  EDIT: Hey, I went to Canterbury :)

                                                                                                                  1. 1

                                                                                                                    “I’ve never seen anyone casually swap out the compiler for production code” sounded like you were saying people didn’t tend to compile the same production code on multiple compilers, which of course anyone that compiles on windows and non-windows does. Sorry if I misinterpreted your comment!

                                                                                                                    My first comment is in response to another Kiwi. Small world. Pretty cool.

                                                                                                        2. 1

                                                                                                          This, this, a thousand times this. Text is a good user-interface for code (for now). But it’s a terrible storage and interchange format. Every tool needs its own parser, and each one is slightly different, leaving begging the amount of cpu and programmer time we waste going from text<->ast<->text.

                                                                                                          1. 2

                                                                                                            Yeah, it’s obviously wasteful and limiting. Why do you think we are still stuck with text? Is it just sheer inertia and incrementalism, or does text really offer advantages that are challenging to recreate with other formats?

                                                                                                            1. 7

                                                                                                              The text editor I use can handle any computer language you can throw at it. It doesn’t matter if it’s BASIC, C, BCPL, C++, SQL, Prolog, Fortran 77, Pascal, x86 Assembler, Forth, Lisp, JavaScript, Java, Lua, Make, Hope, Go, Swift, Objective-C, Rexx, Ruby, XSLT, HTML, Perl, TCL, Clojure, 6502 Assembler, 68000 Assembler, COBOL, Coffee, Erlang, Haskell, Ocaml, ML, 6809 Assembler, PostScript, Scala, Brainfuck, or even Whitespace. [1]

                                                                                                              Meanwhile, the last time I tried an IDE (last year I think) it crashed hard on a simple C program I attempted to load into it. It was valid C code [2]. That just reinforced my notion that we aren’t anywhere close to getting away from text.

                                                                                                              [1] APL is an issue, but only because I can’t type the character set on my keyboard.

                                                                                                              [2] But NOT C++, which of course, everybody uses, right?

                                                                                                              1. 0

                                                                                                                To your point about text editors working with any language, I think this is like arguing that the only tool required by a carpenter is a single large screwdriver: you can use it as a hammer, as a chisel, as a knife (if sharpened), as a wedge, as a nail puller, and so on. Just apply sufficient effort and ingenuity! Does that sound like an optimal solution?

                                                                                                                My preference is for powerful specialised tools rather than a single thing that can be kind of sort of applied to a task.

                                                                                                                Or, to approach from the opposite direction, would you say that a CAD application or Blender are bad tools because they only work with a limited number of formats? If only they also allowed you to edit JPEGs and PDFs, they would be so much better!

                                                                                                                To your point about IDEs: I think that might even support my argument. Parsing of freeform text is apparently sufficiently hard that we’re still getting issues like the one you saw.

                                                                                                                1. 9

                                                                                                                  I use other tools besides the text editor—I use version control, compilers, linkers, debuggers, and a whole litany of Unix tools (grep, sed, awk, sort, etc). The thing I want to point out is that as long as the source code is in ASCII (or UTF-8), I can edit it. I can study it. I might not be able to compile it (because I lack the INRAC compiler but I can still view the code). How does one “view” Smalltalk code when one doesn’t have Smalltalk? Or Visual Basic? Last I hear, Microsoft wasn’t giving out the format for Visual Basic programs (and good luck even finding the format for VB from the late 90s).

                                                                                                                  The other issue I have with IDEs (and I will come out and say I have a bias against the things because I’ve never had one that worked for me for any length of time without crashing, and I’ve tried quite a few over 30 years) is that you have one IDE for C++, and one for Java, and one for Pascal, and one for Assembly [1] and one for Lua and one for Python and man … that’s just too many damn environments to deal with [2]. Maybe there are IDEs now that can work with more than one language [3] but again, I’ve yet to find one that works.

                                                                                                                  I have nothing against specialized tools like AutoCAD or Blender or PhotoShop or even Deluxe Paint, as long as there is a way to extract the data when the tool (or the company) is no longer around. Photo Shop and Deluxe Paint work with defined formats that other tools can understand. I think Blender works with several formats, but I am not sure about AutoCAD (never having used it).

                                                                                                                  So, why hasn’t anyone stored and manipulated ASTs? I keep hearing cries that we should do it, but yet, no one has yet done it … I wonder if it’s harder than you even imagine …

                                                                                                                  Edited to add: Also, I’m a language maven, not a tool maven. It sounds like you are a tool maven. That colors our perspectives.

                                                                                                                  [1] Yes, I’ve come across several of those. Never understood the appeal …

                                                                                                                  [2] For work, I have to deal with C, C++, Lua, Make and Perl.

                                                                                                                  [3] Yeah, the last one that claimed C/C++ worked out so well for me.

                                                                                                                  1. 1

                                                                                                                    For your first concern about the long term accessibility of the code, you’ve already pointed out the solution: a defined open format.

                                                                                                                    Regarding IDEs: I’m not actually talking about IDEs; I’m talking about an editor that works with something other than text. Debugging, running the code, profiling etc. are different concerns and they can be handled separately (although again, the input would be something other than text). I suppose it would have some aspects of an IDE because you’d be manipulating the whole code base rather than individual files.

                                                                                                                    Regarding the language maven post: I enjoyed reading it a few years ago (and in practice, I’ve always ended up in the language camp as an early adopter). It was written 14 years ago, and I think the situation is different now. People have come to expect tooling, and it’s much easier to provide it in the form of editor/IDE plugins. Since language creators already have to do a huge amount of work to make programs in their languages executable in some form, I don’t think it would be an obstacle if the price of admission also included dealing with the storage format and representation.

                                                                                                                    To your point about lack of implementations: don’t Smalltalk and derivatives such as Pharo qualify? I don’t know if they store ASTs but at least they don’t store text. I think they demonstrate that it’s at least technically possible to get away from text, so the lack of mainstream adoption might be caused by non-technical reasons like being in a local maximum in terms of tools.

                                                                                                                    The problem, as always, is that there is such a huge number of tools already built around text that it’s very difficult to move to something else, even if the post-transition state of affairs would be much better.

                                                                                                                    1. 1

                                                                                                                      Text editors are language agnostic.

                                                                                                                      I’m trying to conceive of an “editor” that works with something other than text. Say an AST. Okay, but in Pascal, you have to declare variables at the top of each scope; you can declare variables anywhere in C++. In Lua, you can just use a variable, no declaration required. LISP, Lua and JavaScript allow anonymous functions; only the latest versions of C++ and Java allow anonymous functions, but they they’re restricted in that you can’t create closures, since C++ and Java have no concept of closures. C++ has exceptions, Java has two types of exceptions, C doesn’t; Lua kind of has exceptions but not really. An “AST editor” would have to somehow know that is and isn’t allowed per language, so if I’m editing C++ and write an anonymous function, I don’t reference variables outside the scope of said function, but that it can for Lua.

                                                                                                                      Okay, so we step away from AST—what other format do you see as being better than text?

                                                                                                                      1. 1

                                                                                                                        I don’t think it could be language agnostic - it would defeat the purpose as it wouldn’t be any more powerful than existing editors. However, I think it could offer largely the same UI, for similar languages at least.

                                                                                                                        1. 1

                                                                                                                          And that is my problem with it. As stated, I use C, C++ [1], Lua, Make and a bit of Perl. That’s at least what? Three different “editors” (C/C++, Lua/Perl (maybe), Make). No thank you, I’ll stick with a tool that can work with any language.

                                                                                                                          [1] Sparingly and where we have no choice; no one on my team actually enjoys it.

                                                                                                                        2. 1

                                                                                                                          Personally, I’m not saying you should need to give up your editor of choice. Text is a good (enough for now) UI for coding. But it’s a terrible format to build tools on. If the current state of the code lived in some sort of event-based graph database for example, your changes could trigger not only your incremental compiler, but source analysis (only on what’s new), it could also maintain a semantic changelog for version control, trigger code-generation (again, only what’s new).

                                                                                                                          There’s a million things that are currently “too hard” which would cease to be too hard if we had a live model of the code as various graphs (not just the ast, but call graphs, inheritance graphs, you-name-it) that we could subscribe to, or even write purely-functional consumers that are triggered only on changes.

                                                                                                                2. 4

                                                                                                                  Inertia, arrogance, worse-is-better; Working systems being trapped behind closed doors at big companies; Hackers taking their language / editor / process on as part of their identity that needs to be defended with religious zeal; The complete destruction of dev tools as a viable business model; Methodologies-of-the-week…. The causes are numerous and varied, and the result is software dev is being hamstrung and we’re all wasting countless hours and dollars doing things computers should be doing for us.

                                                                                                                  1. 2

                                                                                                                    I think that part of the issue is that we haven’t seen good structured editor support outside of Haskell and some Lisps.

                                                                                                                    Having a principled foundation for structured editor + a critical mass by having it work for a language like Javascript/Ruby, would go a long way to making this concept more mainstream. After which we could say “provide a grammar for favorite language X and get structured editor support!”. This then becomes “everything is structured at all levels!”

                                                                                                                    1. 3

                                                                                                                      I think it’s possible that this only works for a subset of languages.

                                                                                                                      Structured editing is good in that it operates at a higher level than characters, but ultimately it’s still a text editing tool, isn’t it? For example, I think it should be trivial to pull up a list of (editable) definitions for all the functions in a project that call a given function, or to sort function and type definitions in different ways, or to substitute function calls in a function with the bodies of those functions to a given depth (as opposed to switching between different views to see what those functions do). I don’t think structured editing can help with tasks like that.

                                                                                                                      There are also ideas like Luna, have you seen it? I’m not convinced by the visual representation (it’s useful in some situations but I’m not sure it’s generally effective), but the interesting thing is they provide both a textual and a visual representation of the code.

                                                                                                                  2. 1

                                                                                                                    Python has a standard library module for parsing Python code into an AST and modifying the AST, but I don’t know of any Python tools that actually use it. I’m sure some of them do, though.

                                                                                                                  3. 1

                                                                                                                    Smalltalk. The word you’re looking for is Smalltalk. ;)

                                                                                                                    1. 2

                                                                                                                      Lisp, in fact. Smalltalk lives in an image, Lisp lives in the real world. ;)

                                                                                                                      Besides, Lisp already is the AST. Smalltalk has too much sugar, which is a pain in the AST.

                                                                                                                      1. 1

                                                                                                                        Possibly, but I’m only talking about a single aspect of it: being able to analyse and manipulate the code in more powerful ways than afforded by plain text. I think that’s equally possible for FP languages.

                                                                                                                    2. 1

                                                                                                                      Ultimately I think this is the only teneble solution. I feel I must be in the minority in having an extreme dislike of columnar-style code, and what I call “white space cliffs” where a column dictates a sudden huge increase in whitespace. But I realize how much it comes down to personal aesthetics, so I wish we could all just coexist :)

                                                                                                                      1. 1

                                                                                                                        Yeah, I’ve been messing around with similar ideas, see https://nick.zoic.org/art/waste-web-abstract-syntax-tree-editor/ although it’s only vapourware so far because things got busy …

                                                                                                                        1. 1

                                                                                                                          Many editors already do this to some extent. They just render 4-space tabs as whatever the user asks for. Everything after the indent, though, is assumed to be spaced appropriately (which seems right, anyway?)

                                                                                                                          1. 1

                                                                                                                            You can’t convert to elastic-tabstop style from that, and without heavy language-grammar knowledge you can’t do this for 4-space “tabs” generally.

                                                                                                                            Every editor ever supports this for traditional indent style, though: http://intellindent.info/seriously/

                                                                                                                            1. 1

                                                                                                                              To be clear, you can absolutely render a file that doesn’t have elastic tabstops as if it did. The way a file is rendered has nothing to do with the actual text in the file.

                                                                                                                              It’s like you’re suggesting that you can’t render a file containing a ton of numbers as a 3D scene in a game engine. That would be just wrong.

                                                                                                                              Regardless, my point is specifically that this elastic tabstops thing is not necessary and hurts code readability more than it helps.

                                                                                                                              The pefantics of clarifying between tabs and tabstops is a silly thing as well. Context gives more than enough information to know which one is being talked about.

                                                                                                                              It sounds like this concept is creating more problems than it solves, and is causing your editor to solve problems that only exist in the seveloper’s imagination. It’s not “KISS” at all, quite the opposite.

                                                                                                                          2. 1

                                                                                                                            Because presentation isn’t just a function of the AST. Indentation usually is, but alignment can be visually useful for all kinds of reasons.

                                                                                                                          1. 4

                                                                                                                            I didn’t know what was Gopher before and still not sure what it is (will read more on that). I find Lobster already a pretty good interface without much distraction since it’s mostly text, so I don’t know what I would really use it for. What would be the use of this over lobster?

                                                                                                                            Nice work and it’s loads really fast.

                                                                                                                            1. 4

                                                                                                                              Gopher is an old protocol, I mean it predates the world wide web so it’s not about making an alternative UI to lobste.rs on http:// but on gopher:// for people who like to live in a plain-text world. See https://gopher.floodgap.com/overbite/relevance.html for more informations on gopher.

                                                                                                                              1. 6

                                                                                                                                live in a plain-text world

                                                                                                                                Except that gopher doesn’t guarantee plain-text (in practise any file type can be served). IIRC the main advantage of Gopher is that it has a standard format for navigation.

                                                                                                                                1. 4

                                                                                                                                  Interestingly enough, Gopher and the web are roughly the same age - Gopher was publicly released in 1991, the same year as Tim Berners-Lee’s original announcement to alt.hypertext.

                                                                                                                              1. 9

                                                                                                                                It’s interesting because the author is not thoughtlessly in favour of GitHub, but I think that his rebuttals are incomplete and ultimate his point is incorrect.

                                                                                                                                Code changes are proposed by making another Github-hosted project (a “fork”), modifying a remote branch, and using the GUI to open a pull request from your branch to the original.
                                                                                                                                

                                                                                                                                That is a bit of a simplification, and completely ignores the fact that GitHub has an API. So does GitLab and most other similar offerings. You can work with GitHub, use all of its features, without ever having to open a browser. Ok, maybe once, to create an OAuth token.

                                                                                                                                Whether using the web UI or the API, one is still performing the quoted steps (which notably never mention the browser).

                                                                                                                                A certain level of discussion is useful, but once it splits up into longer sub-threads, it becomes way too easy to loose sight of the whole picture.

                                                                                                                                That’s typically the result of a poor email client. We’ve had threaded discussions since at least the early 90s, and we’ve learned a lot about how to present them well. Tools such as gnus do a very good job with this — the rest of the world shouldn’t be held back because some people use poor tools.

                                                                                                                                Another nice effect is that other people can carry the patch to the finish line if the original author stops caring or being involved.
                                                                                                                                

                                                                                                                                On GitHub, if the original proposer goes MIA, anyone can take the pull request, update it, and push it forward. Just like on a mailing list. The difference is that this’ll start a new pull request, which is not unreasonable: a lot of time can pass between the original request, and someone else taking up the mantle. In that case, it can be a good idea to start a new thread, instead of resurrecting an ancient one.

                                                                                                                                What he sees as a benefit I see as a detriment: the new PR will lose the history of the old PR. Again, I think this is a tooling issue: with good tools resurrecting an ancient thread is just no big deal. Why use poor tools?

                                                                                                                                While web apps deliver a centrally-controlled user interface, native applications allow each person to customize their own experience.
                                                                                                                                

                                                                                                                                GitHub has an API. There are plenty of IDE integrations. You can customize your user-experience just as much as with an email-driven workflow. You are not limited to the GitHub UI.

                                                                                                                                This is somewhat disingenuous: while GitHub does indeed have an API, the number & maturity of GitHub API clients is rather less than the number & maturity of SMTP+IMAP clients. We’ve spent about half a century refining the email interface: it’s pretty good.

                                                                                                                                Granted, it is not an RFC, and you are at the mercy of GitHub to continue providing it. But then, you are often at the mercy of your email provider too.

                                                                                                                                There’s a huge difference between being able to easily download all of one’s email (e.g. with OfflineIMAP) and only being at the mercy of one’s email provider going down, and being at the mercy of GitHub preserving its API for all time. The number of tools which exist for handling offline mail archives is huge; the number of tools for dealing with offline GitHub project archives is … small. Indeed, until today I’d have expected it to be almost zero.

                                                                                                                                Github can legally delete projects or users with or without cause.
                                                                                                                                

                                                                                                                                Whoever is hosting your mailing list archives, or your mail, can do the same. It’s not unheard of.

                                                                                                                                But of course my own maildir on my own machine will remain.

                                                                                                                                I use & like GitHub, and I don’t think email is perfect. I think we’re quite aways from the perfect git UI — but I’m fairly certain that it’s not a centralised website.

                                                                                                                                1. 8

                                                                                                                                  We’ve spent about half a century refining the email interface: it’s pretty good.

                                                                                                                                  We’ve spent about half a century refining the email interface. Very good clients exist…. but most people still use GMail regardless.

                                                                                                                                  1. 6

                                                                                                                                    That’s typically the result of a poor email client. We’ve had threaded discussions since at least the early 90s, and we’ve learned a lot about how to present them well. Tools such as gnus do a very good job with this — the rest of the world shouldn’t be held back because some people use poor tools.

                                                                                                                                    I have never seen an email client that presented threaded discussions well. Even if such a client exists, mailing-list discussions are always a mess of incomplete quoting. And how could they not be, when the whole mailing list model is: denormalise and flatten all your structured data into a stream of 7-bit ASCII text, send a copy to every subscriber, and then hope that they’re able to successfully guess what the original structured data was.

                                                                                                                                    You could maybe make a case for using an NNTP newsgroup for project discussion, but trying to squeeze it through email is inherently always going to be a lossy process. The rest of the world shouldn’t be held back because some people use poor tools indeed - that means not insisting that all code discussion has to happen via flat streams of 7-bit ASCII just because some people’s tools can’t handle anything more structured.

                                                                                                                                    I agree with there being value in multipolar standards and decentralization. Between a structured but centralised API and an unstructured one with a broader ecosystem, well, there are arguments for both sides. But insisting that everything should be done via email is not the way forward; rather, we should argue for an open standard that can accommodate PRs in a structured form that would preserve the very real advantages people get from GitHub. (Perhaps something XMPP-based? Perhaps just a question of asking GitHub to submit their existing API to some kind of standards-track process).

                                                                                                                                    1. 1

                                                                                                                                      You could maybe make a case for using an NNTP newsgroup for project discussion

                                                                                                                                      While I love NNTP, the data format is identical to email, so if you think a newsgroup can have nice threads, then so could a mailing list. They’re just different network distribution protocols for the same data format.

                                                                                                                                      accommodate PRs in a structured form

                                                                                                                                      Even if you discount structured text, emails and newsgroup posts can contain content in any MIME type, so a structured PR format could ride along with descriptive text in an email just fine.

                                                                                                                                      1. 1

                                                                                                                                        Even if you discount structured text, emails and newsgroup posts can contain content in any MIME type, so a structured PR format could ride along with descriptive text in an email just fine.

                                                                                                                                        Sure, but I’d expect the people who complain about github would also complain about the use of MIME email.

                                                                                                                                      2. 1

                                                                                                                                        You could maybe make a case for using an NNTP newsgroup for project discussion, but trying to squeeze it through email is inherently always going to be a lossy process.

                                                                                                                                        Not really — Gnus has offered a newsgroup-reader interface to email for decades, and Gmane has offered actual NNTP newsgroups for mailing lists for 16 years.

                                                                                                                                        But insisting that everything should be done via email is not the way forward; rather, we should argue for an open standard that can accommodate PRs in a structured form that would preserve the very real advantages people get from GitHub. (Perhaps something XMPP-based? Perhaps just a question of asking GitHub to submit their existing API to some kind of standards-track process).

                                                                                                                                        I’m not insisting on email! It’s decent but not great. What I would insist on, were I insisting on anything, is real decentralisation: issues should be inside the repo itself, and PRs should be in some sort of pararepo structure, so that nothing more than a file server (whether HTTP or otherwise) is required.

                                                                                                                                      3. 4

                                                                                                                                        …the new PR will lose the history of the old PR.

                                                                                                                                        Why not just link to it?

                                                                                                                                        This is somewhat disingenuous: while GitHub does indeed have an API, the number & maturity of GitHub API clients is rather less than the number & maturity of SMTP+IMAP clients. We’ve spent about half a century refining the email interface: it’s pretty good.

                                                                                                                                        That strikes me as disingenuous as well. Email is older. Of course it has more clients, with varying degrees of maturity & ease of use. That has no bearing on whether the GitHub API or an email-based workflow is a better solution. Your point is taken; the GitHub API is not yet “Just Add Water!”-tier. But the clients and maturity will come in time, as they do with all well-used interfaces.

                                                                                                                                        Github can legally delete projects or users with or without cause.

                                                                                                                                        Whoever is hosting your mailing list archives, or your mail, can do the same. It’s not unheard of.

                                                                                                                                        But of course my own maildir on my own machine will remain.

                                                                                                                                        Meanwhile, the local copy of my git repo will remain.

                                                                                                                                        I think we’re quite aways from the perfect git UI — but I’m fairly certain that it’s not a centralised website.

                                                                                                                                        I’m fairly certain that it’s a website of some sort—that is, if you intend on using a definition of “perfect” that scales to those with preferences & levels of experience that differ from yours.

                                                                                                                                        1. 2

                                                                                                                                          Meanwhile, the local copy of my git repo will remain.

                                                                                                                                          Which contains no issues, no discussion, no PRs — just the code.

                                                                                                                                          I’d like to see a standard for including all that inside or around a repo, somehow (PRs can’t really live in a repo, but maybe they can live in some sort of meta- or para-repo).

                                                                                                                                          I’m fairly certain that it’s a website of some sort—that is, if you intend on using a definition of “perfect” that scales to those with preferences & levels of experience that differ from yours.

                                                                                                                                          Why on earth would I use someone else’s definition? I’m arguing for my position, not someone else’s. And I choose to categorically reject any solution which relies on a) a single proprietary server and/or b) a JavaScript-laden website.

                                                                                                                                          1. 1

                                                                                                                                            Meanwhile, the local copy of my git repo will remain.

                                                                                                                                            Which contains no issues, no discussion, no PRs — just the code.

                                                                                                                                            Doesn’t that strike you as a shortcoming of Git, rather than GitHub? I think this may be what you are getting at.

                                                                                                                                            Why on earth would I use someone else’s definition?

                                                                                                                                            Because there are other software developers, too.

                                                                                                                                            I choose to categorically reject any solution which relies on a) a single proprietary server and/or b) a JavaScript-laden website.

                                                                                                                                            I never said anything about reliance. That being said, I think the availability of a good, idiomatic web interface is a must nowadays where ease-of-use is concerned. If you don’t agree with that, then you can’t possibly understand why GitHub is so popular.

                                                                                                                                        2. 3

                                                                                                                                          (author here)

                                                                                                                                          Whether using the web UI or the API, one is still performing the quoted steps

                                                                                                                                          Indeed, but the difference between using the UI and the API, is that the latter is much easier to build tooling around. For example, to start contributing to a random GitHub repo, I need to do the following steps:

                                                                                                                                          • Tell my Emacs to clone & fork it. This is as simple as invoking a shortcut, and typing or pasting the upstream repo name. The integration in the background will do the necessary forking if needed. Or I can opt not to fork, in which case it will do it automatically later.
                                                                                                                                          • Do the changes I want to do.
                                                                                                                                          • Tell Emacs to open a pull request. It will commit my changes (and prompt for a commit message), create the branch, and open a PR with the same commit message. I can use a different shortcut to have more control over what my IDE does, name the branch, or create multiple commits, etc.

                                                                                                                                          It is a heavily customised workflow, something that suits me. Yet, it still uses GitHub under the hood, and I’m not limited to what the web UI has to offer. The API can be built upon, it can be enriched, or customised to fit one’s desires and habits. The difference in what I need to do to get the same steps done differs drastically. Yes, my tooling does the same stuff under the hood - but that’s the point, it hides those detail from me!

                                                                                                                                          (which notably never mention the browser).

                                                                                                                                          Near the end of the article I replied to:

                                                                                                                                          “Tools can work together, rather than having a GUI locked in the browser.”

                                                                                                                                          From this, I concluded that the article was written with the GitHub web UI in mind. Because the API composes very well with other tools, and you are not locked into a browser.

                                                                                                                                          That’s typically the result of a poor email client.

                                                                                                                                          I used Gnus in the past, it’s a great client. But my issue with long threads and lots of branches is not that displaying them is an issue - it isn’t. Modern clients can do an amazing job making sense of them. My problem is the cognitive load of having to keep at least some of it in mind. Tools can help with that, but I can only scale so far. There are people smarter than I who can deal with these threads, I prefer not to.

                                                                                                                                          What he sees as a benefit I see as a detriment: the new PR will lose the history of the old PR. Again, I think this is a tooling issue: with good tools resurrecting an ancient thread is just no big deal. Why use poor tools?

                                                                                                                                          The new PR can still reference the old PR, which is not unlike having an In-Reply-To header that points to a message not in one’s archive. It’s possible to build tooling on top of this that would go and fetch the original PR for context.

                                                                                                                                          Mind you, I can imagine a few ways the GitHub workflow could be improved, that would make this kind of thing easier, and less likely to loose history. I’d still rather have an API than e-mail, though.

                                                                                                                                          This is somewhat disingenuous: while GitHub does indeed have an API, the number & maturity of GitHub API clients is rather less than the number & maturity of SMTP+IMAP clients. We’ve spent about half a century refining the email interface: it’s pretty good.

                                                                                                                                          Refining? You mean that most MUAs look just like they did thirty years ago? There were many quality of life improvements, sure. Lots of work to make them play better with other tools (this is mostly true for tty clients and Emacs MUAs, as far as I saw). But one of the most wide-spread MUA (gmail) is absolutely terrible when it comes to working with code and mailing lists. Same goes for Outlook. The email interface story is quite sad :/

                                                                                                                                          There’s a huge difference between being able to easily download all of one’s email (e.g. with OfflineIMAP) and only being at the mercy of one’s email provider going down, and being at the mercy of GitHub preserving its API for all time.

                                                                                                                                          Yeah, there are more options to back up your mail. It has been around longer too, so that’s to be expected. Email is also a larger market. But there are a reasonable number of tools to help backing up one’s GitHub too. And one always makes backups anyway, just in case, right?

                                                                                                                                          So yeah, there is a difference. But both are doable right now, with tools that already exist, and as such, I don’t see the need for such a fuss about it.

                                                                                                                                          I use & like GitHub, and I don’t think email is perfect. I think we’re quite aways from the perfect git UI — but I’m fairly certain that it’s not a centralised website.

                                                                                                                                          I don’t think GitHub is anywhere near perfect, especially not when we consider that it is proprietary software. It being centralised does have advantages however (discoverability, not needing to register/subscribe/whatever to N+1 places, and so on).

                                                                                                                                        1. 5

                                                                                                                                          I love the “do not work as currencies” quote that people love to say… I’ve been using cryptocurrencies to buy products and services for years. Seems to work fine.

                                                                                                                                          1. 2

                                                                                                                                            When I skimmed it, the paper was more specific about what doesnt work means. Wild shifts in value causing more holding than spending was one example. That’s also why every person I know IRL who does Bitcoin is a speculator or day trader.