1.  

    The software support is the biggest reason. iPhones get years of security and feature updates. I can’t think of any Android phone that gets updates as long as an iPhone 6S.

    Neither of those platforms offer real user ‘repair’ of the software so the comparison is not a useful one here. You might argue that you can more easily write software for your android phone than an iphone, or that it is possible even to create your own version of android or install one from someone else. The reality however is that this is hard and complicated. It is definitely not an option that the average consumer has available. For most people android is exactly as much of a walled garden as ios. I am a programmer but when I tried getting an operating system I had control over on a samsung years back I gave up in frustration after hours of failures. I also soft bricked it because of vendor lock-in measures.

    Compare this with an actual right to repair phone, such as the pine phone. I got one to test it out and although I would not recommend it to my parents, I was able to flash the os and try out a bunch of different distros. I think I could even teach my parents to flash a pine phone, I just don’t think that is something they want to do. I can use ubuntu, debian, arch, just to name some big ones. I am not afraid that there will no longer be a supported OS for my phone in 10 years. I might not have the newest developments but the archived images will still work and the full functionality the phone currently has it will have until it falls apart. Also I can write my own software for it as trivially as making a .py file.

    What apple and google call ‘support’ I neither want nor need. I also feel that support is a massive euphemism for what they really offer which is more like a combination of big brother and nanny. I want to own my devices not rent them from a megacorp.

    I feel this also reflects the general tone of the article. Rather than focusing on what right to repair could mean if applied sensibly, it merely lists a few ways in which it could be applied that are not very effective or useful.

    1.  

      The same line rubs me the wrong way. The iPhone 6S was released 5 years ago, as was the FairPhone 2; they’re both officially supported during the same time. Looking at older generations to see how long support might go for (there’s no commitment from Apple that I can find), the iPhone 5 was released in 2012 and had its last software update in 2019. 7 years is very good for official support, and does beat any Android device thus far, but the difference is that there is still support and security updates available for the Nexus 4 and Galaxy S3 (both released 2012) via third parties such as e.foundation. Those updates are expected to continue as well.

      As noted, not everyone has an interest or the ability to install a third party ROM, but the availability of them means that it’s reasonable to keep these old devices running well beyond the official manufacturer’s intent, which is something that is not possible with iPhones. Once Apple gives up on them, they’re done.

      I agree that the Pinephone (and Librem 5) are likely to be even better for longevity, and I hope that postmarketOS matures on those platforms and then the gains can be brought to other (mainly Android) devices through community support.

      I appreciate the emphasis on trade-offs that the article tries to make, but I also agree that it appears to be unbalanced in the focus on somewhat strawman arguments over particular technology choices. It’s good to think about some of these potential issues (which I think was the intent) but then the tone of the article and the solutions provided end up taking away from that point.

      1.  

        What apple and google call ‘support’ I neither want nor need. I also feel that support is a massive euphemism for what they really offer which is more like a combination of big brother and nanny. I want to own my devices not rent them from a megacorp.

        Absolutely. But…

        I think I could even teach my parents to flash a pine phone, I just don’t think that is something they want to do.

        And it’s not just parents. Programmers also tend to hate “yak shaving”. There are so many cases people are too lazy/uninterested to even want to exercise the control they could potentially have, it’s not a huge market. The mass marketed devices all have no control and people are just fine with it. The second-order effects that this lack of control brings might be a problem, but most people aren’t aware that this is how it works, and just shrug and buy a new gadget.

        I guess I’m just getting old and cynical, but I see very little hope for things really improving.

        1.  

          I guess I’m just getting old and cynical, but I see very little hope for things really improving.

          Actually the right to repair train has a lot of momentum in the European parliament and some companies that sell to Europe are already taking steps to comply. If you live in the US there might be more grounds for cynicism, but then again you can always buy your tech from European companies.

          It is not about the majority that might not be interested in a particular freedom, it is about the few who are. Not many people use mechanical typewriters or listen to Blind Melon but the government should still protect the right to do so. Also most people do get a bit upset when they find out the phone they paid 1k for has a dead battery and they are not legally allowed or practically able to replace it. People also would love to be able to go to a repair shop and pay a reasonable price for a basic component replacement. Most of them may have forgotten that that was ever a thing but they would pick it up again pretty fast.

      1. 13

        We’re talking about a language designed in ten days to enable a monkey to dance in a webpage when you hovered over it with a mouse. A language that warranted a book with a title like JavaScript: the Good Parts. A language where “3” * “3” is 9 and “3” + “3” is “33”.

        Though arguably JS is closer to Lisp than Python is. Python, with its statement-orientation, pitiful lambda, lack of TCO, and bizarre idea of scope was chosen to succeed Scheme as the teaching language in the MIT course.

        1. 5

          Designed in 10 days by a lisp hacker.

          1. 6

            That … is debatable. Designed by someone who knew enough jargon to sound like a lisp hacker, at least.

          2. 5

            The language is type checked, try it out using cndreisbach’s link. For example, your multiplication of strings results in:

            Line 1: Expected number on left hand side of operation, got string.
            Hints:
            Line 1: A type mismatch was detected in the binary expression:
              "3" * "3"
            The binary operator (*) expected two operands with types:
              number * number
            but instead it received two operands of types:
              string * string
            

            But the + is still working for concatenation of strings.

            1. 4

              JS from Netscape days is not the JS of today and people could use some break. The language grown. And yes, lots of the old gotchas are still there, but that is for a good reason. Either they’re needed to not break the web because you don’t want all old content suddenly breaking, or they’re misunderstood and part of some standard that people complaining are not aware of.

              In your example, the plus sign is the concatenation operator between strings. That is the correct behaviour. The multiplication example works because of automatic type coercion. You don’t want the string concatenation operator to attempt to do integer coercion and sum the strings. Today, we might not want that kind of automatic coercion, but there are sites using this and changing it would break the web.

              It is better to have a working and retrocompatible web than break things for language purity and elegance.

              1. 4

                I’d argue a language with so much cruft that is strongly bound to backwards-compatibility is not the most suitable language for teaching fundamental concepts. Purity and elegance is exactly what you need when teaching fundamentals, so that the awkwardness does not get in the way of the exposition.

                1. 6

                  Speaking as a teacher, I think that teachers like the purity and elegance (and I do) because it makes it easy to teach, not because it makes learning easy or durable. So when students come up with weird ways to use JavaScript, it slows me down, but it also allows me to present a realistic picture of the way actual work in the field is probably going to be.

                  There has been an ongoing debate in my faith over the tension between God’s sovereignty and human will, with competing systems proposed to defend one or the other. Both of them break down in different ways on close inspection because they’re an effort to impose a kind of order on a system that seems disorderly.

                  So I suppose in some ways I feel the same way about all the arguments about language purity or OOP vs FP. They’re systems imposed on top of the reality of programming, and none of them will perfectly fit it. I’d rather be flexible on that end, even if it makes teaching more complicated, since it means more of what I teach will probably actually be useful beyond the “clean room” environment of a CS course.

                  When I worked construction, it really surprised me how complex some of the math was that my coworkers were scribbling on scraps of lumber while we worked to solve different problems. But they were showing me how to do this with a drill in the other hand. Sometimes I like to think of this as an analogy for how teaching computer science. You need theory and you need to get actual work done. Languages like JavaScript can accomplish this, however inelegantly, and it’s one of the most ubiquitous languages on the planet now.

                  But yeah, sometimes I scream into a pillow when I see how my students have used it and gotten away with it.

                  1. 3

                    BASIC was used for decades to teach programming to people who had never even thought about how to write a program. It was everywhere; in those days nearly every computer came with a BASIC interpreter either in ROM or the OS or both.

                    Today every computer you buy has a JS interpreter right there, just hidden from view. Even if it’s not the cleanest language, it’s ubiquity makes it ideal for learning how to program.

                    1. 1

                      Yes, and Dijkstra had some less than nice things to say about it, too. I seem to recall a quote about teachBASIC causing brain damage. If he were alive and posting on here today, he’d probably get flagged for trolling.

                  2. 2

                    Lots of languages do implicit type conversions. I may not like it, but I can live with it. Lua does it. Perl, the first language I really mastered, does it. So does PHP. But all 3 have a dedicated string concatenation operator, instead of overloading +. Overloading + isn’t by itself a bad thing. Python does it, and it’s fine there. But combine type conversions with operator overloading, and the language is unsound.

                    1.  

                      combine type conversions with operator overloading, and the language is unsound.

                      And yet C++ remains very popular…

                      1.  

                        Lots of unsound things are very popular: gambling, porn etc.

                    1. 1

                      And “hello” ^ true is 1.

                      1. 4

                        No, in this book: Line 1: Operator '^' is not allowed.

                    1. 7

                      I’m still not sure how they pulled it off with a rename(2) that’s not atomic on the default file system. Was the test suite run on UFS?

                      1. 6

                        Checking the POSIX spec, it doesn’t add a requirement that rename is atomic, it references the fact that the C specification requires that it is atomic. The only reference to rename being atomic is in the RATIONALE section, which says:

                        This rename() function is equivalent for regular files to that defined by the ISO C standard. Its inclusion here expands that definition to include actions on directories and specifies behavior when the new parameter names a file that already exists. That specification requires that the action of the function be atomic.

                        However, neither the C99 nor C11 specifications (I can’t find a copy of C89) require rename to be atomic. The text appears unmodified. The full spec (skipping return value and function signature) from 7.21.4.2 of the C11 spec is:

                        The rename function causes the file whose name is the string pointed to by old to be henceforth known by the name given by the string pointed to by new. The file named old is no longer accessible by that name. If a file named by the string pointed to by new exists prior to the call to the rename function, the behavior is implementation-defined

                        No mention of atomicity, no mention of any ordering with respect to other threads or other concurrent entities interacting with the filesystem.

                        As far as I can tell, there is actually no requirement that rename be atomic for POSIX compliance. POSIX mentions atomicity only in the RATIONALE section as a property inherited from ISO C and in the DESCRIPTION it explicitly says that in the case of conflicts between ISO C and POSIX then ISO C’s definition takes precedence.

                        That said, I’m surprised to learn that XNU’s rename isn’t atomic, because the documentation for Cocoa’s -writeToFile:atomically: states that it uses a rename operation to perform the atomic filesystem update.

                        1. 1

                          writeToFile:atomically

                          Perhaps this changed by now, but it was broken in 2011: https://stackoverflow.com/questions/4662115/is-an-atomic-rename-possible-in-mac-vfs-hfs

                          With APFS, rename should be atomic.

                          1. 1

                            Hmm, this doesn’t look like it’s a violation of atomicity: the rename completes atomically if the ACL permits deletion, it fails if the ACL doesn’t permit deletion.

                        2. 1

                          Maybe there’s no test for that in the test suite? If compliance is simply a matter of “passes the tests”, you might be able to get away with breaking the standard in several ways and still be seen as compliant. Or maybe there’s some leeway and it doesn’t need to be 100% passing all the tests to get certified?

                        1. 13

                          Oh man, this is only the tip of the iceberg with MySQL weirdness. On the topic of character sets, another fun one is that it doesn’t verify its input. So it will happily accept and store latin-1 characters in a UTF-8 connection. This used to cause so many issues when clients dealt with encodings in a haphazard way - if some store latin-1 and some store UTF-8, you’ll end up with a database that can’t really be corrected. This blog post helped me out a great deal back in the day when I was dealing with CMSes with shitty character handling written in PHP (Drupal and Wordpress, mostly, but others too). Ironically, instead of recommending utf8mb4, it also tells you to use the utf8 encoding….

                          1. 5

                            Back when I worked at Mozilla on MDN, we had tags on articles, and since it was a multilingual site each language-specific version of each article had its own language-specific tags. Except there was a recurring and hard-to-reproduce weird bug where sometimes you’d get, say, French tags showing up on an English article or vice-versa.

                            It turned out, after some digging, that the issue was MySQL: its character collations didn’t treat accented and un-accented (so think of “e” versus “é”) as distinct. So if, say, the French and English tags of an article differed only in an accent or two (example: English tag “Reference”, French tag “Référence”), MySQL couldn’t tell them apart and which one you got back from the queries we were doing was non-deterministic. Which was why sometimes the English article retrieved the French tag, or the French article retrieved the English one.

                            A co-worker solved this by building and installing a new MySQL collation which could distinguish them. I have no idea whether MySQL itself has ever fixed this, or if now there’s a particular character set or collation you can use to avoid the issue.

                            1. 1

                              The correct behaviour for text search in utf8 is super annoying.

                              There’s the obvious issue of different encodings for the same character e.g é as combined vs single unit (I totally forget Unicode terms nowadays). Similarly some characters have multiple encodings.

                              There’s other “obvious” things like the fi ligature, and other similar ligatures which having coding.

                              Things start getting weird when you ask should a search for e match é? Most people seem to say yes, and so no to the reverse of should é match e? It seems more clear that è != é, but that implies non transitive reaction ships :)

                              The real pain point though is things like “ss” - should this only match “ss” or should it also match ß? In practice they need to match. Vice versus should ß match “ss” some people seem strongly opposed but in practice yes. I vaguely recall some MS software makes this locale specific, but that was >10 years ago, so the exact behavior might be OS locale or user locale or something. Also I could simply be misremembering :)

                              I do kind of feel for the authors of a sql DB as I’m sure any choice will have people complaining.

                          1. 1

                            Not sure where I fall on this essay as a whole, but it is not easy to implement a conforming Common Lisp or Scheme. The toy meta-circular evaluator in SICP is just a toy. Both languages are big (CL bigger) and both entail very serious technical challenges.

                            1. 2

                              It’s relatively easy to build a Lisp dialect if you can lean heavily on the host language. I think that’s really the point - most of the early MIT AI lab research like e.g. PLANNER, CONNIVER and of course Scheme itself were all done on top of earlier Lisps (mostly Lisp 1.5 or MacLisp, I think). And think what you will of Paul Graham’s Arc what you like, but it was also built on top of another Lisp (Racket, in this case, which, ironically, is now using Chez Scheme as a host language, but didn’t start out that way). You can start small and build it out (Scheme wasn’t as fully featured as it is today, of course). Also, it doesn’t have to be s-expression based; there’s a JavaScript written in Guile and a teaching subset of Java in Racket. Also, Julia is partially written in Scheme. Of course, at least starting out with s-expressions is a lot easier since you don’t need to write a parser.

                              1. 1

                                Common lisp is quite large, and r7rs-large grows by the month; but their core operational models are not huge (this is more true of scheme than cl, given e.g. clos), and an implementation of the interesting bits is not prohibitively difficult.

                                1. 1

                                  I’d agree about Scheme except for tail calls and continuations and hygienic macros. From my point of view a Scheme is next to useless without tail calls and syntax-case, the latter of which is definitely not trivial.

                                  1. 1

                                    So, for context, I knew nothing about hygienic macros before today. I was vaguely aware of their purpose, and of scheme’s syntax for them, but that was it. Here is a quick-‘n’-dirty implementation of syntax-rules for s7 scheme I was able to devise in a little over two hours, based on r7rs and a little googling to explain the behaviour of nested captures (which I think I got right). It doesn’t actually implement hygiene—ironic, but it is fairly trivial—nor a couple of other features, but I do not think any major pieces are missing.

                                    I am willing to aver that it is a bit more complicated than I thought, but if someone like me, whose prior exposure to hygienic macros was effectively nil, is able to construct a near-passable implementation in 2 hours, I think my original statement that it is not prohibitively difficult stands.

                              1. 1

                                It seems that the problem with the Java example is indeed syntactic. I’d never seen lambdas in Java before and did a double take at how awkward the notation is. In any case, Java as a teaching language is probably not the best idea anyway - there’s so much up-front ceremony that you’ll either have to explain or handwave away. Scheme is much better because it’s so minimal and simple (of course, I’m biased), but you could do so much better when starting with Python, for example. If you have to teach a language that’s widely used in industry, that would probably be my first choice over C++, Java, JavaScript or PHP.

                                Regarding extensibility in languages resulting in unreadable code if you rely too heavily on macros; doesn’t that make sense? If I started to converse with you in English using some made-up words, you might be able to follow me by gleaning the meaning through context (or interrupting me and asking - similar to viewing the source of a macro), but if I add too many of those, I’ll have lost you. That doesn’t mean it’s not valuable to be able to invent and introduce new words (macros) sparingly, if they are used between a small group of people using the same vocabulary (programming team).

                                At least with macros you don’t need a custom compiler, so you can just use my code without needing to know exactly all the macros I introduced to make my own life easier.

                                1. 6

                                  Pretty slick UI, and maybe people find it helpful, considering all the “self hosting e-mail is doomed” stories and comments we’ve been seeing lately.

                                  1. 4

                                    I found it interesting how a cryptographer who doesn’t know a lot about JavaScript makes the suggestion of not relying on so many dependencies from a trust and ease of review perspective.

                                    Also, if this is the way reviewers review code in a language they’re not super-familiar with, it would be very easy to slip in malicious dependencies under the hood; the correct way to check a dependency is to look up the package description file and then look up those names in the npm repository. I mean, in this case it was pretty obvious that the “noble” package was something completely different than what was used. And the name in the import statement matched the name in the package.json file, with the @noble prefix.

                                    1. 5

                                      I think the author was pretty up front in his title that this was an “extremely casual”, i.e. low effort, review.

                                      1. 2

                                        In a real paid-for review, you’d normally see one of two options: dependencies out of scope - only the first-party code is analysed, or dependencies in scope - the review applies to a very specific set of installed deps, effectively defined by a lock file or delivered all together. Nobody just yolos like in the blog in a real test.

                                        1. 2

                                          I suppose you’d never get that kind of feedback then (as in “you’re using deps from too many sources”), in the first place!

                                          1. 2

                                            You could, some security people will definitely tell you that.

                                      1. 10

                                        The Dutch data authority has already issued a warning that, pending a review, Google Analytics might be declared illegal in the Netherlands, too. It’s very likely that other EU countries will follow this ruling as well.

                                        1. 15

                                          Nyob has also recently been going after companies that make it hard to reject tracking or withdraw consent. Definitely an organisation worthy of donations!

                                        1. 2

                                          Consumer organisations should really be warning people about such things. Especially premium stuff like Apple’s (whose hardware is good enough that it can be used for many many years) should really be able to get lifetime updates. The real problem here is that these machines are so locked down that you can’t update them to something more modern, which you usually can with general-purpose computers like laptops and desktops (at least, in a supported way - there are almost always ways to hack around it).

                                          1. 9

                                            There’s regulation going through the EU at the moment that will require labelling of the guaranteed security update lifetime for IoT devices. I hope tablets and so on will fit into this scheme. A cheap Android handset looks a lot less cheap if you have to replace it after a year if you don’t want to be running malware.

                                            I disagree with the conclusion of the post. The versions of Safari and Chrome listed both have known security vulnerabilities that have been exploited in the wild. Modifying your site to support known-insecure clients is irresponsible. So is a manufacturer dropping security updates from a device and not explicitly notifying the customer. I’d love to see regulation that made these appliance-like devices display a prominent message to users after they stop getting security updates saying something like ‘This device no longer gets security updates, connecting it to the Internet is likely to expose you to malware that can compromise any personal data stored on or accessible from the device’ with large financial penalties for manufacturers that didn’t display them.

                                            The big problem with upgrades for security, from a usability perspective, is that normally people upgrade to make more things work. Security is about making fewer things work. A device that does only everything a user wants is strictly less featureful than a device that does everything that a user wants and everything an attacker wants. Telling people that they need to upgrade so that an attacker has fewer features is difficult.

                                            1. 2

                                              Total agree about the bad conclusion; the main issue is with the device not getting updates, not with the websites breaking backwards compatibility with ancient and insecure browsers (although there’s something to be said for not unnecessarily breaking things).

                                              And making people understand security is a fool’s errand. Just the idea of running malware and others controlling your computer is so alien to most people that they don’t care. And besides, it’s difficult to explain why it’s a problem for them, personally. Often the malware doesn’t interfere with your work (I’ve seen plenty of malware-infected Windows machines where the only complaint was that it was a bit slow and could I please have a look at it).

                                              1. 1

                                                I’ve found it easier with phones / tablets than with big computers for a couple of reasons:

                                                • People seem to use mobile banking on mobile devices more than Internet banking on the web. Explaining that malware could transfer all of the money out of their account can be scary.
                                                • Mobile devices have cameras and microphones and people take them into their bedrooms. Explaining that malware can turn on the camera and microphone and send the recording to an attacker can be scary.
                                                • Mobile devices with SIMs can send premium-rate text messages, which cost money.

                                                If I were evil, I’d register a load of premium-rate SMS numbers and write some Android malware that looked at the SIM state and identified people on popular pre-pay plans. When it found one, it would send one (lowish cost) premium SMS to that number. If it costs the user 20 cents or so, the cost of querying it with their provider is more than the cost of ignoring it for most people, and most people on pre-paid plans don’t look at itemised bills anyway. If a few people query it, the telcos will most likely just issue a refund until enough people complain that it triggers a fraud-detection threshold. If 99% of people don’t query it then the 1% that do will probably be assumed to be drunk people who forgot that they sent the message. You could probably make a few million doing this. If you make 20 cents per message and infect 10% of US mobile phones, then you’ll get something like $6m. If the premium-rate numbers are registered via different private shell corporations registered in tax havens then tracking you down would be quite difficult even if someone did discover the malware.

                                                I’m quite surprised that I’ve never read about anyone discovering a scheme like this in the wild. I bet far more than 10% of US mobile phones have remotely exploitable root vulnerabilities.

                                                1. 1

                                                  I’m quite surprised that I’ve never read about anyone discovering a scheme like this in the wild.

                                                  The voice-call version of this scheme is attempted regularly and every Telco or VoIP provider past a certain size has to stay vigilant for it.

                                                  1. 1

                                                    The points you raise are good but still somewhat vague. And I’m not sure how viable it is for bank accounts to be taken over in this way. I’ve never heard of malware that was able to do that (but then, I haven’t looked into malware that deeply)

                                                    Regarding why nobody tried your get rich quick scheme: maybe it’s too easy to trace the premium number and bank account to an owner?

                                                    1. 1

                                                      The points you raise are good but still somewhat vague. And I’m not sure how viable it is for bank accounts to be taken over in this way. I’ve never heard of malware that was able to do that (but then, I haven’t looked into malware that deeply)

                                                      There have been quite a few and banks have tried really hard to shift liability onto the customer when they’re discovered.

                                                      Regarding why nobody tried your get rich quick scheme: maybe it’s too easy to trace the premium number and bank account to an owner?

                                                      Open a bank account registered to the shell corporation, when money goes in, transfer it through a few different jurisdictions before it gets to you (or do more conventional money-laundering things like buying art, gold or BitCoin with it and selling the asset as you). I think US banks can reverse transactions for six months after they happen, but if you aren’t detected for a year then you’d still keep the first six months.

                                                      Note also that none of the intermediaries have an incentive to catch you. The company selling you the premium-rate connection takes a cut, as does the mobile provider sending the SMS messages. Unless they’re spending more handling complaints than they are making from the SMS fees, they make more money if they keep quiet than if they try to shut you down (which, itself, is expensive to do and involves sharing data with law enforcement). Even the banks will be charging corporate account fees. This may explain why I’ve not read about any such scams - everyone who could report them is happy making money from them.

                                                      1. 1

                                                        Open a bank account registered to the shell corporation

                                                        A thing I think I’ve heard of fraudsters doing is opening a bank account registered with a real corporation that doesn’t belong to them, giving contact information that looks plausible but won’t actually result in any real employee of the patsy corporation being directly contacted.

                                                      2. 1

                                                        Bank account stealing malware has been a thing for a while, pretty much since the first terryingly-insecure day an ethically-negligent software engineer attached a cgi-bin script to an RS-232 null modem plugged into a creaking, coal-fired mainframe. https://search.theregister.com/?q=bank+trojan has results going back for over a decade (and I suspect the only reason the stories stop when they do is because that was when the site was founded). For example, https://www.theregister.com/2005/02/09/banking_trojan/

                                                        One thing to be aware of is that it isn’t strictly necessary for the malware authors to go to all the trouble of completely automating the process of emptying out a victim’s accounts. Historically it’s been really common for people to deliver malware payloads that just do things like take screenshots and operate as a keylogger, then pass off the details of successful infections to a human to do cash extraction.

                                              1. 12

                                                A long standing bug in Firefox suddenly got exposed because some service updated their HTTP3 implementation. Possibly on Google or Cloudflare’s side, both of which are used by Mozilla for their infrastructure. And Firefox will check in (unless told otherwise) early on, making it possible to hit the bug very early on. Resulting it Firefox being unable to load any other page with that thread. Ouch.

                                                1. 3

                                                  I was wondering why Firefox was suddenly making my fans go and stop loading anything! Wow, that’s pretty messed up.

                                                1. 5

                                                  This is disappointing. I did not know there were competing standards for URLs now.

                                                  1. 15

                                                    The WHATWG standard isn’t much of a standard - the document changes right from under you as it’s a “living standard”. AFAIK there are no stable URLs of particular versions. And there’s no BNF anymore, either, as they ripped it out. I complained about that before but they seem uninterested in fixing it, which also gives me little confidence that if someone added it as a contribution, it would be maintained.

                                                    1. 3

                                                      It only changes under you if you don’t pay attention ;-)

                                                      1. 1

                                                        I guess it’s good that I just always go with the IETF standard then. I wonder how the WHATWG has diverged though? What things can break if I send a valid IETF standard URL to a browser?

                                                        1. 11

                                                          One example is WHATWG URLs allow \ as a path seperator, and IETF URLs only allow /. This means that if you use an IETF URL parser to get the hostname of https://evil.com\@good.com/ it will parse as good.com, but with a browser’s url parser you get evil.com.

                                                          1. 2

                                                            I think the WHATWG standard is laxer than the IETF standard, as it allows for “auto-correcting” URLs with problems (search for “spaceAsPlus” in the text, for example - that allows for optionally converting spaces in the URL to plus signs, depending on a parser mode flag). I guess this means a browser will (should?) accept IETF URLs, but there will be URLs accepted by browsers which won’t be considered URLs by other parsers.

                                                            But of course, without a proper BNF, who knows exactly what’s different? There might be some edge cases where an IETF URL would be rejected by a browser. This verbose step-wise description is less formal and more wordy, which makes it more difficult to figure out what grammar is being described.

                                                          2. 1

                                                            I am really disappointed in Firefox for having helped Google do this. URLs are the foundations of modern web, and if there is no stable definition (as you said, there is no formal grammar definition any more) then what exactly are we building on?

                                                            These replies are especially sad. If one requires Turing complete steps, what can you guarantee about how a given URL is processed?

                                                            1. 1

                                                              Despite those comments I would be extremely surprised if the url format was actually Turing complete. There’s an obvious preference to express the parsing algorithm using a Turing complete language, but that doesn’t mean that the url grammar is actually Turing complete

                                                              1. 1

                                                                Why are you disappointed? Mozilla and Google folk were trying to ensure that the standard matched reality.

                                                            2. 12

                                                              The WHATWG wants to claim they own everything, but then ignore all the interesting cases since they only need things to work in Chrome…

                                                              1. 9

                                                                That’s incorrect. Changes in a whatwg spec require at least two implementations (e.g., one of WebKit, Blink, Gecko) to agree for any changes.

                                                                1. 8

                                                                  That’s barely a difference, since it’s still just a list of large web browser engines. And in practise if Google wants something do you really think Mozilla and Apple could block? Chrome would implement, force the issue in the name of compatibility 🤷‍♂️

                                                                  1. 7

                                                                    And in practise if Google wants something do you really think Mozilla and Apple could block?

                                                                    Considering there have already been multiple things that Google has implemented but Apple and Mozilla have refused to (citing security/privacy concerns), I think that it is in fact possible Google might implement something and Apple and Mozilla would refuse to.

                                                                    1. 1

                                                                      What other browsers should matter? There aren’t any that have sufficiently complete implementations to provide meaningful info regarding implementation issues, and there aren’t any others that have sufficient users to be relevant.

                                                                      1. 1

                                                                        For URLs/URIs especially mostly things that are not browsers or web related at all. cURL sure, but also XMPP clients, Telecom equipment, git, lots of stuff that relies on this syntax!

                                                                        1. 0

                                                                          They don’t rely on the url format that browsers have to support

                                                                  2. 2

                                                                    In fairness, it’s worth asking if that is because the IETF was not willing to consider the needs of the browser and/or moved to slow or just because they are bad actors?

                                                                    1. 10

                                                                      The IETF barely exists as an “entity”, it’s made up of the people who show up to do the work. I don’t think the WHATWG are “bad actors” but rather I think they’re only interested in documenting whatever Google was going to do anyway rather than improving anything.

                                                                      Don’t get me wrong, having public documentation on what Google was going to do anyway is great! Way better than reverse engineering their nonstandard stuff. But what’s dangerous is when non-Google people treat it as a standard and implement it instead of the actual standard.

                                                                      1. 6

                                                                        I think this misrepresents and underplays both the historical purpose and current value of WHATWG. When half of the web is violating e.g. the html standard in one way or another, and it all just so happens to work because of browser bugs or misfeatures from IE6, it is very useful to have a spec that fully describes error recovery. It is not useful to have a standard with ebnf that describes an ideal world but doesn’t really tell you how to write a real parser that actually works on 99% of websites.

                                                                        I’m not aware of any inherent reason those specs couldn’t live within the IETF body, but I know of and have experienced the editorial process of the IETF. It is absolutely not frictionless and I can imagine the writing style of WHATWG would not pass their editorial guidelines.

                                                                        I think you should take a look in WHATWG’s public issue tracker before asserting that IETF is fundamentally a more open venue than the WHATWG. I feel like half of the assertions you make are coming from your public perception of what the Chromium team is doing, not from actual problems observed with the spec body.

                                                                        1. 2

                                                                          When it comes to something that is web specific, I agree. And in general, as I said “having public documentation on what Google was going to do anyway is great!”

                                                                          But for things that are used far beyond the web and in all sorts of contexts, like URLs/URIs, having web browsers write their own incompatible “spec” for how these should work is… strange at best. And again, having something written to document what they do is still useful. But it’s not a standard, and it should not be implemented by anyone not trying to be compatible with browser behaviour for a specific reason.

                                                                          1. 3

                                                                            “whatever Google is going to do” is exactly the misrepresentation I am talking about. This is not how it started and this is not how it works today. The fork did not just happen due to ideological resentment of existing spec bodies and corporate greed, the fork happened in practice much sooner in browsers like IE6. And the earliest whatwg spec was written at Opera.

                                                                            I can apprechiate your other points and the complaint in the article. The html spec in particular is written with a very particular audience (browser implementors) in mind.

                                                                            1. 3

                                                                              It’s great that Opera started documenting the insanity that is browser URL parsing.

                                                                              So your perspective is, if Google wanted google!/blahblah as a valid URL, implemented it in Chrome and pushed it to production, WHATWG wouldn’t accept it?

                                                                              Note: I’m not suggesting Google would ever want such a thing, and I just randomly made up URL nonsense on purpose :)

                                                                              My guess is, and I imagine @singpolyma’s perspective also, WHATWG would accept the change, perhaps with some token amount of GRRR.. but it would happen.

                                                                              1. 3

                                                                                I’m not going to speculate as to what might happen in such a scenario. Can you point out a comparable scenario where Google did something like this and the standardization process was as you described? Otherwise we’re talking about projected fears, not reality.

                                                                                What I have seen is that Google does indeed push forward with feature impls, but the standardization process in WHATWG is not as lackluster you describe.

                                                                                1. 2

                                                                                  It’s happened in other aspects of web browsing, but I’m not currently aware of it in URL parsing, specifically.

                                                                                  1. 1

                                                                                    I can recall a few cases of the opposite: Google went on to implement something, others refused, so it was not standard, and google rolled back its implementation.

                                                                        2. 2

                                                                          What needed to change in the URL spec that you think the IETF was so slow about?

                                                                          1. 1

                                                                            I don’t knows the history here, thus my question. I’ve always used ietf compliant parsers and was surprised there were two competing standards. I was merely musing on the potential reasons for another standard having been started.

                                                                            1. 1

                                                                              Ah, it sounded like you were making a claim about the IETF, not asking a question. Got it.

                                                                        3. 0

                                                                          The WHATWG predates chrome by many many years, and is part of the reason chrome was possible. Having an actual accurate specification meant webkit was able to resolve a number of compatibility problems, so when chrome came out it was compatible with the majority of the web.

                                                                        4. 5

                                                                          Besides the deficiencies of WHATWG, you can always have bugs in any one parser, which is another reason not to mix parsers.

                                                                          1. 1

                                                                            The core problem is that the IETF specification does not reflect the reality of what browsers have to handle. It doesn’t matter how much you might say “this is an invalid url”: If it works in some browsers but not others, users will point to those browsers as evidence that your browser is wrong.

                                                                            The same happened with the W3C. Instead of attempting to define a standard that actually matched reality, they went off into the xhtml weeds, and never tried to address the issues that actually mattered: the actual content browsers had to support. That is the primary reason the WHATWG ended up being responsible for the actual html standard.

                                                                            It does not matter how much you may want to be the sole definition, if that spec fails to match actual content it is irrelevant.

                                                                            It’s why javascript supports <!– comments, despite that being insane

                                                                            1. 1

                                                                              Javascript supports <!-- comments for backwards-compatibility with browsers that didn’t implement <script>. You use it like this:

                                                                              <script>
                                                                              <!-- This starts a multiline HTML and is a single line JS comment
                                                                              alert("this is JS, still in the HTML comment tho")
                                                                              // time to end the HTML comment! -->
                                                                              </script>
                                                                              
                                                                              1. 2

                                                                                Oh I know. I worked on the portions of the spec that standardized it :D

                                                                                I was never entirely aware of the why of it existing, it honestly seemed to line up more (at the period I was dealing with it) with “xhtml” that was being served as html. Sidenote: more or less every single “xhtml” document I ever encountered was not treated as xhtml due to various response errors, and more or less none of them would actually validate as xml :D

                                                                          1. 6

                                                                            While the article is extremely insightful, he doesn’t really go into one important point. If he weren’t (semi-indirectly) compensated for working on Rails, it is very likely he would have stopped working on it, either when running into one of these crises of meaningfulness, or when the demands would be too big to keep doing it in his spare time.

                                                                            If Rails had become as popular as it was, and he hadn’t had the opportunity to work on it during his day job, I’m sure the demands of reviewing merge requests, making releases and responding to bug reports and on the mailing list would have either driven him to burnout or caused him to hand over the reins to someone who could sustain this effort.

                                                                            On the other hand, in such a scenario where Rails really was that popular, it’d be likely someone would’ve offered to pay him for it if he spoke up about not being able to maintain it.

                                                                            But it’s more likely it would have died a quiet death, as it wouldn’t have been as polished as it was now to cause such a massive uptake. And perhaps that’s alright - not all software needs to become hyper popular. But I guess that’s not how many people see it. We still live in a society where there’s this rat race towards fame and money and we’re conditioned to confuse that with meaning and purpose.

                                                                            While he does go into being in this privileged situation and acknowledging that not everyone is at the same level of self-actualization that they are able to work on free software as an act of love, he doesn’t really offer good advice on how to get there. The closest he gets is simply saying something along the lines of “if you no longer take joy from working on free software, don’t do it”. Perhaps that’s the best advice, even if people don’t want to hear it - go out into the world, take on other hobbies and form relationships. Then, when you are whole again, perhaps come back to it and see if that desire to create software is still burning inside you.

                                                                            1. 3

                                                                              Yeah, I think the biggest problem with this article is that he’s generalizing from his own experience.

                                                                              Very Works on My Machine.

                                                                            1. 2

                                                                              You would close your project off to contributions from anyone outside the collective.

                                                                              One of the joys of open source is finding a bug, or missing feature that I care about, being able to fix/implement it myself, and send a patch upstream. If I contribute under GPL, and you accept my contributions, you lose the right to relicense. Well, unless you make me sign a CLA (no thanks).

                                                                              1. 1

                                                                                I have a lot of Open Source projects, and amount of contributions is minimal comparing to amount of users. And even contributors are often additional work because their changes have to guided, reviewed and then supported.

                                                                                I’ve signed CLAs before and it’s annoying, but I don’t mind otherwise. Small price to pay, for otherwise free and open software provided for me. Especially if I knew it allows the developers to support themselves without begging for donations while doing unpaid work for me, everyone, and especially companies making a lot of money using their software.

                                                                                1. 2

                                                                                  If that’s the case for you, then I guess it’s no loss.

                                                                                  For me at least, the point of GPL is protection against proprietary software. which signing a CLA, and this type of arrangement in general, undermines.

                                                                                  Given the sentiments of you, and many others around you have little to do with software freedom or copyleft, I wonder if you wouldn’t be better served by a non-commercial license rather than a copyleft one.

                                                                                  1. 2

                                                                                    For me at least, the point of GPL is protection against proprietary software. which signing a CLA, and this type of arrangement in general, undermines.

                                                                                    The Free Software Foundation used to require people to sign over their copyright for contributions to all official GNU projects. If I recall correctly, they did this so they had the freedom to retroactively update code to newer GPL versions. It seems like they’ve relaxed this a bit now.

                                                                                    1. 2

                                                                                      I wouldn’t sign a CLA for the FSF either.

                                                                                      That said, the FSF isn’t using their CLA to sell unlicensed versions of the code.

                                                                                      1. 4

                                                                                        That said, the FSF isn’t using their CLA to sell unlicensed [proprietary] versions of the code.

                                                                                        Technically, yes they are, that is precisely why they want copyright assignment (not a CLA). This used to be where most FSF revenue came from (more than donations). If a company was caught violating the GPL, the FSF will offer them a time-limited retroactive proprietary license to the code. They then have the duration of the proprietary license to comply with the GPL. If they’re not in compliance at the end then the FSF can take them to court for copyright infingement.

                                                                                        Note that granting this license is possible for the FSF only because they own all of the copyright. RedHat, for example, couldn’t do the same for Linux because hundreds of other people would still have standing to sue for copyright infringement on their contribution to the Linux kernel.

                                                                                    2. 0

                                                                                      For me at least, the point of GPL is protection against proprietary software. which signing a CLA, and this type of arrangement in general, undermines.

                                                                                      Signing a CLA by no means is undermining copyleft licenses or their spirit. There can be a AGPL project, you contribute, sign CLA and everybody can still use it as a AGPL licensed free software.

                                                                                      1. 2

                                                                                        The point of AGPL isn’t to have a badge saying “AGPL”, it’s that people who make derivatives of one’s work have to share their source. This arrangement undermines that, because the entire point of the collective is that you sell the right to strip the license.

                                                                                        1. 2

                                                                                          The root problem is that dual-licensing isn’t an open source business model. It is a proprietary business model. Your money comes from selling proprietary software. This is predicated on the idea that proprietary software is more valuable than F/OSS, which is one that any proponent of Free Software and most advocates of Open Source would reject.

                                                                                          You don’t choose a specific F/OSS license in a dual-licensed open/proprietary project because you believe that it’s the best way of ensuring freedom for users or because you think it’s the best way of growing a community, you choose it to give the most friction to any of your downstream consumers who have money. You intentionally make using the open version difficult to encourage people not to use it.

                                                                                          This is fine if you want to be running a proprietary software company but still get some marketing points from a try-before-you-buy version that is technically open source but claiming that it’s an open source (or Free Software) business model is misleading.

                                                                                          1. 2

                                                                                            Yes, but selling exceptions to AGPL is no worse than using MIT in terms of software freedom. In fact it is better! In terms of software freedom, MIT < AGPL and selling exceptions < AGPL. So if you are okay with contributing to MIT projects, you should be okay with contributing to AGPL and CLA for selling exceptions projects, software freedom wise.

                                                                                            https://www.gnu.org/philosophy/selling-exceptions.html is of the same opinion, by the way.

                                                                                            1. 1

                                                                                              Exactly. Unless someone is an AGPL-maximalist (which I can understand and respect), I don’t know what are their qualms with dual-licensing. It’s a ideological compromise from AGPL-purism, but waaaay more pure than liberal OSS licenses which are like dual-licensing but with unconditional, perpetual, reciprocitiy-free license for all commercial applications.

                                                                                  1. 35

                                                                                    Why did GitHub remove his account/projects?

                                                                                    1. 44

                                                                                      That’s the part that bothers me.

                                                                                      I understand it wasn’t a nice thing to do, and that people are upset, but it’s his own code in his own repos. He even announced ahead of time he would do something like this, so “buyer” beware.

                                                                                      I realize GitHub TOS covers them to remove accounts and repos at their discretion, but it’s a little unsettling that they’ll actually do so arbitrarily without a clear TOS violation. It might be time I move everything to Sourcehut and treat GitHub as a mirror…

                                                                                      1. 24

                                                                                        It might be time I move everything to Sourcehut…

                                                                                        The Sourcehut guy has always seemed a little unstable to me (didn’t he get banned from this site, in fact?) So, why would I trust him any more than I trust GitHub?

                                                                                        1. 33

                                                                                          I banned him and I would not call him unstable. Not just because that kind of insult is inappropriate here, but because it obviously doesn’t apply. He writes inflammatory hyperbole that’s not a good fit for this site, but he’s a skilled, accomplished professional who looks like he’s seeing a lot of success in his life.

                                                                                          1. 11

                                                                                            I didn’t mean to insult him. Maybe “erratic” would have been a better word without any mental health connotations (which I absolutely didn’t intend)? Poor word choice on my part, I’m sorry for that.

                                                                                            …but he’s a skilled, accomplished professional who looks like he’s seeing a lot of success in his life.

                                                                                            Sure, same goes for the GitHub guys. A person who can’t tone it down enough to keep a Lobsters account just isn’t someone I feel I can trust to host my code, particularly given that he’s in charge of the whole operation. Obviously everyone is free to decide who to trust and for what reasons.

                                                                                            1. 8

                                                                                              A person who can’t tone it down enough to keep a Lobsters account just isn’t someone I feel I can trust to host my code

                                                                                              Bear in mind, Linus Torvalds would also probably have been banned from here multiple times in the past.

                                                                                              I’d be perfectly happy to trust someone that volatile a lot (and I guess I do, running Linux since 1996 :) ). But I would be careful which groups and forums I invited them to :)

                                                                                              1. 2

                                                                                                …I guess I do, running Linux since 1996

                                                                                                Very different, at least to me. If Linux was a service, control would have been taken away from Linus a long time ago (I mean, as it is they made him step back for awhile to work on his issues). But it’s not, it’s just code that other people then build into something, often applying patches in the process. If Linus had a meltdown there is already sufficient infrastructure in place that the vast majority of us wouldn’t even notice.

                                                                                                I wouldn’t trust a code hosting service Linus ran by himself either.

                                                                                                1. 1

                                                                                                  Nobody made Linus step back. He recognized that he had issues and took a sabbatical to deal with them himself. Are you saying you wouldn’t trust a service by a guy who has been diligently working on the same project for 30 years? Not to mention the guy who invented the base of all of the services discussed in this thread.

                                                                                                  Why do people assume that “Bigger is better” when it comes to web services? The two most reliable services I use are Pinboard, run by an insanely opinionated and outspoken developer, and NewsBlur, who was, and may still be, a one man shop that just quietly does his own thing. In the same time as those services have been faithfully up and running, Google has shut down more services than I can count, because “It didn’t fit with their corporate vision”

                                                                                                  It’s misguided, and harmful.

                                                                                                  1. 1

                                                                                                    Nobody made Linus step back.

                                                                                                    We’ll probably never know for sure, but the subtext (well, and the text) of his announcement email sure makes it sound like his hand was forced, at least to me.

                                                                                                    Are you saying you wouldn’t trust a service by a guy who has been diligently working on the same project for 30 years?

                                                                                                    No, I’m saying I wouldn’t trust a service run by a guy who randomly goes off on people in totally inappropriate ways (his admission). Or, as is the case here, a guy who can’t even behave himself well enough to keep a Lobsters account.

                                                                                                    Not to mention the guy who invented the base of all of the services discussed in this thread.

                                                                                                    That has literally nothing to do with anything. A person can be productive or brilliant and also have other, undesirable, qualities.

                                                                                                    Why do people assume that “Bigger is better” when it comes to web services?

                                                                                                    I don’t, so I can’t answer that.

                                                                                                    Google has shut down more services than I can count…

                                                                                                    Agree with you there! I don’t trust Google for anything but search (I don’t even use Gmail), because that’s the one thing I don’t think they’ll ever kill (or break). I don’t think GitHub is going anywhere either, the worst case scenario is that Microsoft sells it.

                                                                                                    It’s misguided, and harmful.

                                                                                                    If there was a person who had the views you seem to ascribe to me, then I might agree!

                                                                                          2. 30

                                                                                            That’s unfair to Drew. He’s passionate, and rude, and opinionated, and submissions here from his site generally stirred up giant flamewars. But I do believe he’s got what it takes to keep sourcehut running.

                                                                                            1. 18

                                                                                              GitHub will keep running, too. I’m not sure we’ve answered the question of

                                                                                              why would I trust him any more than I trust GitHub?

                                                                                              1. 8

                                                                                                Not only is the sourcehut software available under the AGPL, the issue trackers and such give you export and import functions to pull your data into another instance easily. The software itself is not trivial to host, but it’s not prohibitively hard either. If I needed to eject because Drew became untrustworthy, I am very comfortable that I could do that.

                                                                                                Even though that’s a non-zero amount of work, GitHub gives me no comparable ability. That’s a good reason to trust him more than I trust GitHub, in my opinion.

                                                                                                1. 3

                                                                                                  GitHub gives me no comparable ability.

                                                                                                  The GitHub command line client provides this functionality, as does the API. Obviously, the data formats are specific to the way GH works, but there are ways to extract most if not all of the relevant data (I use this heavily with my team to script up our findings workflow, for example).

                                                                                                  1. 5

                                                                                                    Interesting. Unless I’m missing something, you can’t stand up your own self-hosted instance of github, and import that, can you? The ability to stand up my own instance of the forge and import my data, to use on a self-hosted site, is what I meant by “comparable”. (That’s the angle I was coming from… if Drew won’t let me use his hosted service, I can just set up my own copy on any host I want since upstream is AGPL, then import my data from the sr.ht export since sr.ht exposes those functions.)

                                                                                                    1. 2

                                                                                                      GitLab supports importing to a self-hosted instance from GitHub [1], although I’m sure it’s not perfect, so it may or may not be useful. It also isn’t clear to me based on a 15 second review whether you can import from some kind of local data dump or raw GitHub API responses or if your GitHub account needs to be currently active.

                                                                                                      [1] https://docs.gitlab.com/ee/user/project/import/github.html

                                                                                                      1. 2

                                                                                                        That looks much better than I thought, particularly if it turns out to work off saved data/responses. And it’s nice that Gitlab enable that for all their tiers.

                                                                                                      2. 1

                                                                                                        Unless I’m missing something, you can’t stand up your own self-hosted instance of github, and import that, can you?

                                                                                                        GitHub Enterprise can be bought as a GitHub-hosted or self-hosted thing. These support (most of) the same APIs as the public GitHub, so you can run your own instance if you are willing to pay.

                                                                                                        1. 2

                                                                                                          It would be an interesting experiment to see whether they would sell an enterprise installation to someone whose account they forcibly closed. I was sort of assuming that if they won’t let you be a customer of their public service, they won’t sell you the private one, but that is uninformed speculation.

                                                                                                  2. 3

                                                                                                    Because sourcehut is open source so nothing is lost when I leave. More than that chances are if sourcehut goes a bad route there would likely be others jumping in.

                                                                                                  3. 2

                                                                                                    Not that you exactly claim otherwise, but Drew also makes some nice things and has created a business structure that enables at least one other developer to make some nice things.

                                                                                                    Quite apart from that, though, and similarly quite apart from whether he has what it takes to keep sourcehut running, he’s given me an out so that I don’t, strictly speaking, need him to. He’s released the software that runs the forge under the AGPL, here. And it exposes ways for me to export the hosted stuff and import it into a self-hosted instance.

                                                                                                    So regardless of whether I trust Drew personally, he’s made it so I don’t need to for this purpose.

                                                                                                    If Drew got angry and decided I couldn’t be his customer anymore, I could stand up my own instance or pay someone to do that for me and import my data. My repos wouldn’t be down at all, my tickets, docs, etc. would be down for a day or so, and my mailing lists might see a bit more disruption than that. If github decided that I shouldn’t be their customer anymore, I’d have my repos. For the rest, I’d kind of be out of luck. (I think this last paragraph is more responsive to @glesica ‘s comment than the one I’m replying to, and I’m too lazy to split it to another reply.)

                                                                                                  4. 17

                                                                                                    Because “more than I trust Microsoft” is a damn low bar.

                                                                                                    1. 7

                                                                                                      It’s like a little devil hovering over my right shoulder, and a slightly less predictable devil hovering over the other.

                                                                                                  5. 6

                                                                                                    From other options there’s also fediverse approach with Gitea, and p2p approach will be available soon with Radicle.

                                                                                                    1. 11

                                                                                                      It might be time I move everything to Sourcehut and treat GitHub as a mirror…

                                                                                                      That time was years ago, but hey, better late than never.

                                                                                                      1. 5

                                                                                                        Consider hosting your own, instead. I published a blog post with a list of defunct code hosting sites which I update occasionally. Maybe that list is a good reminder. Remember, it’s not just code that goes away with such sites, it’s also issue queues and in some cases, wikis and mailing lists too.

                                                                                                        1. 4

                                                                                                          Are you also start hosting a list of defunct private websites that used to host Git repos that are gone forever and where the disappearence came completely unexpected? I would trust Github more with staying online since that’s their job than a developer running a Gitweb on some VPS with some domain name that requires regular payment to stay online.

                                                                                                          Kinda like I registered callcc.org after it lapsed to make sure the links to the CHICKEN website don’t break and it doesn’t get domain-squatted and I’m redirecting to the official website these days.

                                                                                                          1. 1

                                                                                                            Are you also start hosting a list of defunct private websites that used to host Git repos that are gone forever and where the disappearence came completely unexpected?

                                                                                                            I can’t think of anything offhand where I’ve taken a dependency that’s done that. But when I do take a dependency on something, I generally mirror the SCM repo if there is one. And I am very reluctant to take dependencies on things I can’t have the source to. Since the things I depend on generally haven’t gone away, I haven’t bothered to publish my mirrors, but I would if the license permits it.

                                                                                                            1. 3

                                                                                                              But when I do take a dependency on something, I generally mirror the SCM repo if there is one.

                                                                                                              I learned that the hard way when Rubyforge went down, a few employers ago. We weren’t that active in the Ruby community anymore, so we missed the notice. When the site went away and I had to do some small maintenance tasks on a legacy project, all the third party svn subtrees from Rubyforge were no longer working (and, more painfully, another project of ours was completely gone too). Note that Rubyforge was huge in the Ruby community back in the day.

                                                                                                            2. 1

                                                                                                              I would trust Github more with staying online since that’s their job than a developer running a Gitweb on some VPS with some domain name that requires regular payment to stay online.

                                                                                                              Like I said, history has shown these hosting sites are not as trustworthy as people like to believe they are. The GitHub company can get sold to an untrustworthy partner (har har, like that’d ever happen… oh wait) or go out of business (what if MS decides to sell the company to, I dunno, Oracle or something because it’s not making a profit?), or there might be some other new VCS that comes out that completely blows git out of the water. I’m sure nobody saw coming what happened to Bitbucket - it started out as a Mercurial hosting site, then started offering git and finally dropped Mercurial after Atlassian took over. Its founders probably never would have let that happen if it were still in their power.

                                                                                                              From my own perspective, I’ve personally ran into at least five hosting sites who were hosting projects I started or heavily contributed to that are no longer available now (Rubyforge, Dutch govt OSOSS’ uitwisselplatform, Berlios, Bitbucket and Google Code). And then there’s Sourceforge which at least still hosts some of my defunct projects, but had for a while been injecting malware into downloads. If I or my employers (as the case may be) had hosted our own projects from the start, this pain would’ve been completely avoided. These are projects in which I had a stake, and it was in my interest to not let them die.

                                                                                                              Now, having said that, I agree that from a third party perspective (someone who is using the hosted code) that’s different. I understand your point saying you don’t want to rely on some random developer’s VPS being up, and neither would I. But then, people change repositories on code hosting sites all the time, too. They move to other hosting sites, or rename repositories etc. Links rot and die, which is unfortunate and something we all have to live with.

                                                                                                              Case in point:

                                                                                                              Kinda like I registered callcc.org after it lapsed to make sure the links to the CHICKEN website don’t break and it doesn’t get domain-squatted and I’m redirecting to the official website these days.

                                                                                                              Thanks for doing that. AFAIK this domain was never communicated as being official, but I might be wrong.

                                                                                                        2. 8

                                                                                                          I don’t know what the GitHub rationale was, but the ‘limitation of liability’ bit in most open source licenses only goes so far. If I intentionally introduce malicious behaviour into one of my open source projects, knowing that it would damage downstream consumers, then I’d probably be liable under the Computer Misuse Act in the UK and similar legislation elsewhere. GitHub’s T&C’s don’t explicitly prohibit using their service for criminal purposes but that’s normally implicit: if GitHub didn’t act then they might end up being liable as an accessory (at least as an accessory after the fact). Their distribution channel (NPM) is being used by a malicious actor to attack other users.

                                                                                                          It’s normally difficult to prove malicious intent in this kind of thing (incompetence and malice look similar) but it seems pretty clear here from the author’s own statements.

                                                                                                          1. 12

                                                                                                            I don’t know what the GitHub rationale was, but the ‘limitation of liability’ bit in most open source licenses only goes so far.

                                                                                                            This is disturbing. Software is provided as is, with no liability whatsoever, but the author should still be liable for what happens when other people use it, because it broke things? What if the author decided to completely change the library’s API, or recycle it to just print squares of color, because they liked the name?

                                                                                                            If find what the author did pretty stupid, but frankly, suggesting it falls into criminal behavior call for some stepping back and put things in perspective.

                                                                                                            1. 8

                                                                                                              There is a difference, and it’s not subtle at all, between making a possibly unwanted change in software that is provided without any warranty, and deliberately making a crippling change with the express intent of breaking other people’s applications.

                                                                                                              To put it another way: if you accidentally commit an integer overflow bug that causes batteries to blow up, that is, presumably, just bad engineering. But if you deliberately commit a clever hack that causes people’s batteries to blow up, with the express intent of getting people injured, or at least destroying their phones, I think it makes a little sense to not put it under “well, it did say no warranty of any kind on the box, didn’t it?”.

                                                                                                              Obviously, this didn’t kill anyone, so I’m obviously not thinking it ought to be treated as murder. But “no warranty” is not a license to do anything.

                                                                                                              It’s not like software is being given special treatment here, it’s how warranties work everywhere. If you sell boats with two years’ servicing warranty and they break down after three years, that’s one thing, but if you fit them with bombs that go off after two years and one day, with the express intent of killing anyone on them, that still falls under “murder”, not “what happens after two years isn’t our problem, it says so on the purchase contract”.

                                                                                                              (Edit: obviously IANAL and this is not legal advice, either, I’m only parroting second-hand, non-lawyer advice about how insurance works for some high-stakes software projects)

                                                                                                              1. 5

                                                                                                                I guess that makes sense, when you put it that way :)

                                                                                                              2. 3

                                                                                                                I am not a lawyer, this is not legal advice:

                                                                                                                My understanding is that it comes down to intent. If I upload a buggy piece of crap to GitHub with an open source license, and you use it, then it sucks to be you. If I upload something to GitHub, wait for you to deploy it and then intentionally introduce a vulnerability or other malicious behaviour in it then legally dubious. Normally it’s very difficult to prove intent. If I submit a patch to the Linux kernel that introduces a vulnerability, if you wanted to prosecute me then you’d have to prove that I did so knowing that the bug was there and with the intent to cause harm. That’s very difficult to do in the general case (the NSA null-pointer dereference bugs are a great case in point here: people suspect that the NSA knew about that vulnerability class and introduced it deliberately, but no one can prove it and there’s enough reasonable doubt that it would never stick in court unless there was some corroborating evidence - it could easily have been accidental). If, before I submit the patch, I post publicly about how I am going to intentionally break things for the people using my code and then I push a new version out to public repositories then it’s likely to be easy to prove malicious intent. The author of these packages did exactly that: posted saying that he was going to break things for people if they didn’t pay him and then, when they didn’t pay him, broke things. That may (again, not a lawyer) count as blackmail, as well as computer misuse.

                                                                                                                1. 3
                                                                                                                  1. Code license != Github TOS.
                                                                                                                  2. Liability could only be disclaimed to the extent permitted by law. You cannot put a sign “free food, no liability whatsoever” and then put poison inside and expect that disclaimer to save you from prison. E.g., GPL states “THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.”
                                                                                                              3. 7

                                                                                                                I think until they make a statement about it, nobody knows but them. But my assumption is that this happened on a weekend, and whoever was on call figured that the easiest thing to do to minimize disruption till Monday was to suspend the account and hard revert the content until more people could be brought in. I’m also assuming suspending the account just automatically says that you violated the ToS.

                                                                                                                1. 3

                                                                                                                  I could imagine that somebody identified this as a possible account hack and thus locked it.

                                                                                                                  1. 2

                                                                                                                    They didn’t, they suspended his account so he can’t log in. You are still free to troll him on GitHub without any recourse whatsoever.

                                                                                                                  1. 2

                                                                                                                    This definitely seems worth a try. I don’t see any immediate flaws in the idea. The main safeguard is that there is nothing stopping developers from not opting in if they don’t like the system. It may be worth considering whether it is possible to opt out after you have opted in, i.e. how easy it is to pull your library if the collective starts doing things you don’t like. This could be a sticky point. It might be possible to stop them from selling future licenses but it would be hard to pull a license from a company that has already paid for it and now depends on it. Additionally it would be worth considering having some kind of voting rights for the developers on the policies of the collective and its management staff. There are models for this in collectively owned brick and mortar businesses that should probably be studied to work out a good working model.

                                                                                                                    Most of this comes down to decisions being made by the actual people setting up the collective, once the idea is out there, there is not much one could do to stop some malignant corporate entity from creating a for profit exploitative ‘collective’. This means the setup of the first one will be pretty important. Are you proposing to do something like this yourself?

                                                                                                                    1. 3

                                                                                                                      how easy it is to pull your library if the collective starts doing things you don’t like.

                                                                                                                      I imagine that contracts end-developer signed with the collective would generally include some long time duration or even perpetual terms. I mean - people that buy license for a given software need to be certain no one is going to pull a rug from under them, and it seems fair if they pay for it.

                                                                                                                      The whole deal brings in responsibilities that a commercial software vendor would have, possibly including support, security updates for a certain time etc. so it’s not some magical fairytale to make open source devs rich, but just an opt-in way for them to take their project to a next level when they can make money treating it like a “job” without compromising the values that made them start in the first place (FOSS).

                                                                                                                      Hopefully market pressures will keep such re-licensing agents (collectives) reasonable. If they try to abuse devs, devs will be avoiding them and they will eventually start loosing customers as well. So some balance is built-in into it, just like any market system. It’s not going to be unicorns and fairies, but that’s how business works.

                                                                                                                      1. 2

                                                                                                                        It might be possible to stop them from selling future licenses but it would be hard to pull a license from a company that has already paid for it and now depends on it.

                                                                                                                        That might actually be a benefit, considering the top thread today. Both to companies and indirectly to developers, as the added “insurance” it buys companies could be an impetus to actually start paying for what’s already freely available, thereby causing the developer to earn more. Of course, depending on how cynical you want to be, that could be considered “selling out”.

                                                                                                                      1. 18

                                                                                                                        The author must feel very spiteful, to retroactively turn his gift into not only a transaction but a trap. I think it’d be better to learn a lesson about setting healthy boundaries when you decide to give of yourself so you don’t feel that others took advantage of you.

                                                                                                                        1. 4

                                                                                                                          This. So much this. Also, it is quite possible the author is letting themselves be influenced too much by others’ whinging about companies using their free software for free.

                                                                                                                          On the one hand, it’s true that FLOSS is “under-sponsored” for the critical role some of it plays (and a color library and random value generator probably doesn’t fall in that category to begin with), but on the other hand all the attention this is getting lately is creating a lot of sour grapes and feelings of being wronged by corporations among developers. But these same developers are forgetting they originally created their software out of love/intellectual curiosity/boredom/whatever, yet they expect to get paid by people who never asked for the software in the first place. Of course, businesses now they are more than happy to use it while it’s there. Why wouldn’t they?

                                                                                                                          1. 5

                                                                                                                            I wonder how a free software author defines success. Just making the contribution and feeling good about that? Seeing it used in a lot of places? Recognition? Patreon subscribers? It must be different for everybody, but I suspect there is some missing link here by which the author’s real goals were left unfulfilled.

                                                                                                                            1. 2

                                                                                                                              But these same developers are forgetting they originally created their software out of love/intellectual curiosity/boredom/whatever, yet they expect to get paid by people who never asked for the software in the first place.

                                                                                                                              They didn’t ask for it, but they sure feel free to unilaterally prop a critical piece of their infrastructure solely on top of it, and then make millions, without paying a dime back.

                                                                                                                              Why wouldn’t they?

                                                                                                                              Well exactly, and that’s a fundamental flaw in “Open Source” as opposed to Free Software (Which to be honest, I also can’t fully agree with). Open Source was created from the start to exploit developers who were making things for other developers. It said, in big letters, “You can make money off people’s hard labour, and not have to pay them anything!”. How is that not exploitation? In any capitalist system it’s the sole definition of it! We have hundreds of thousands of pages and millions, perhaps billions, of words in our legal framework stating explicitly that people should get paid for their labour when they do work. It is, very literally, the only reason why copyright and patents exist in the first place – from the idea that, when people do work, the deserve compensation so that they can continue to exist.

                                                                                                                              Now, you can claim that they get paid through popularity, but how does that help the person tangibly? I can create a huge 1k, 10, 100k starred repo on Github, but I still have to go through the same interview process as anyone else. Except now I am (apparently) bound to maintain and document and correctly deploy my own personal projects, just because some fool at Microsoft decided it was a good idea to rest a chunk of their software stack on it?

                                                                                                                              But no, you are right, people should start choosing LICENSE files that deliberately do not give rights to companies unless there is financial exchange. It’s the only way that they will learn.

                                                                                                                            2. 3

                                                                                                                              It’s more the fault of the downstream developers and companies, though, isn’t it? They decided to take someone’s code, use it to make money, and not throw a penny in their direction. It was the ‘Open Source’ philosophy that decide to turn “Here is a gift to my fellow developers” into “Here is a project I put my sweat and labour into, feel free to exploit it with no regard for the cost”, and people bought into it wholesale.

                                                                                                                              This repo was owned solely by the person who wrote it, and there’s no reason they have to consider downstream projects that they might not even be aware of, when they make changes to their code. I am not arguing for the guy, but I absolutely think his act here was justified, and a positive thing in the long run. There’s a reason for a liability waiver in the LICENSE file and if you’re just going to take code and ignore that liability waiver, then that’s up to you, buddy. Doubly so if you’re a tech lead and you’re evaluating the dependencies your company is going to use to build stuff, right at the start.

                                                                                                                              Hopefully, rather than blaming this on one erratic individual, companies will start paying money upstream to the projects that they make money off of. But I doubt it.

                                                                                                                              1. 6

                                                                                                                                I don’t disagree that the license makes no guarantees, but that’s an unconvincing technicality when it comes to relating to one another as humans. The libraries were offered because they were useful, they were accepted in good faith, and then they were sabotaged in bad faith. To the author it may have felt like a righteous protest, but from the outside it just looks like taking your ball and going home.

                                                                                                                                I’ll add, Snyk flagged at least one of these libraries as vulnerable to DDOS today because of its deliberate infinite loop. That’s malware in my book, and that’s crossing a line.

                                                                                                                                1. 3

                                                                                                                                  I feel like if you’re going to impose an unstated and explicitly disclaimed responsibility (attempting to release only useful software) on the developer as a condition of good faith bargaining, it’s only fair to expect some compensation in consideration, particularly given the developer asked as much a year ago from what I recall. It’s still reasonable, in that good faith universe, to leave it under the MIT license to allow users to pay what they feel is fair.

                                                                                                                                  But the reality is this is exactly why businesses use contract and licensing language to expressly indicate what parties can count on one another for. Good faith, in that world, means adhering to the spirit of that language, and in this case that language clearly indicated the developer could do whatever they wanted with the library and that anyone consuming it should be on notice to verify that it did what they wanted. For what it’s worth, that cuts both ways - GitHub is also acting in the spirit of the MIT license by continuing to distribute the older version, despite the developer’s wishes.

                                                                                                                                  The malware thing is a good point though - I was under the impression this was breaking deployments and potentially causing downtime, both of which are in my opinion reasonable consequences of using something unreliable. But if the infinite loop introduced the ability for remote users to trigger downtime that’s subtly different in a way I agree crosses some kind of line.

                                                                                                                            1. 15

                                                                                                                              The emerging centralization is exactly what happened on “traditional” web, and is human nature. The web IS decentralized, its just that nobody wants the burden of constant upkeep and baseline of knowledge/skills necessary to host their own stuff. Its 0% surprising to see that in the crypto world because its even more complicated and has an added feature that mistakes can live forever and be technically irreversible. Thinking about people who have gotten wallets stolen or scammed or irretrievable for other reasons - or how the adidas smart contract meant to limit purchases was not well-designed-enough and there is zero recourse BY DESIGN.

                                                                                                                              Theres this belief in the crypto community that these are all things that can be ironed out and that there is a technical crypto-based solution to all of this, but it seems to me like they are banging their heads against a wall trying to recreate something that exists and functionally works a lot better for 99.9999% of cases with something new with tons of baggage and unsolved problems for a benefit to 0.0001% of cases. Theres a huge UX gap, and it’s going to get bridged (if at-all) by a centralized company - this whole thing feels like a play for usurpation rather than changing the game.

                                                                                                                              Knowing that there’s major problems with crypto “to be solved” it’s frustrating to see the hype at this level. Its 100% in gold rush / prospecting mode and so many people are going to lose big even if it emerges as a longterm technology.

                                                                                                                              My own perspective on crypto/blockchain hasn’t changed much in the last 5 years - its a solution looking for a problem. Lately it’s being touted as “the solution to everything”, and I don’t see that. Even more-problematic is that theres an emerging phenomenon where if you don’t play, you get scammed - lots of noise about people minting NFTs on Openseas for content they don’t own, and theres no recourse for creators outside the system.

                                                                                                                              More writing along these lines:

                                                                                                                              Is it technically neat? Yes. Time will tell if it pans out anywhere near the hype, and there is a lot of reason to believe it won’t.

                                                                                                                              1. 10

                                                                                                                                a solution looking for a problem

                                                                                                                                Ain’t that the truth. I think there’s also an assumption that “decentralized” is automatically good, as if fiat currency must be bad because SVN was bad. When the central currency authority is a democracy of citizens, decentralization throws away “one person, one vote” with regard to what money is, in favor of “one node owned, one vote”. That should only be a benefit in places where people didn’t get to vote in the first place.

                                                                                                                                1. 4

                                                                                                                                  When the central currency authority is a democracy of citizens, decentralization throws away “one person, one vote” with regard to what money is, in favor of “one node owned, one vote”.

                                                                                                                                  Can’t agree more. One of the fundamental supposed advantages of cryptocurrency is that unlike centralized banking, it’s democratic, right? You have to convince 51% of the network to adopt your change in order to make it, instead of the bank unilaterally changing the rules. But the problem with this in practice is that the ability to do this is imbalanced and heavily favors people who are able to run nodes and especially people who know how to code.

                                                                                                                                  The exact same power structures exist, except instead of banks - which are at least somewhat accountable to the government and therefore citizens - being in charge, crypto people are creating a future where they are the ones in charge, with no real accountability or oversight because the ability to code is a prerequisite for active participation in the system. I find this idea terrifying. The US Congress (feel free to mentally change this to your country’s legislature or whatever) is dysfunctional, but I would still rather they were in charge of the entire financial system than the comments section of the Orange Site.

                                                                                                                                2. 5

                                                                                                                                  Knowing that there’s major problems with crypto “to be solved” it’s frustrating to see the hype at this level.

                                                                                                                                  personally the must frustrating/exhausting aspect of the current crypto hype cycle is the unbridled optimism and lack of foresight i see from users. these systems are supposed to be trustless and magical, except “they’re not fleshed out yet, but we’ll fix it in the future by adding trusted third parties to the system in a way that somehow doesn’t undermine its value proposition”.

                                                                                                                                  imagine if someone advertised DNS V2 today as completely trustless but glossed over the fact that root servers are still going to exist.

                                                                                                                                  1. 1

                                                                                                                                    Even more-problematic is that theres an emerging phenomenon where if you don’t play, you get scammed - lots of noise about people minting NFTs on Openseas for content they don’t own, and theres no recourse for creators outside the system.

                                                                                                                                    From the sidelines, I’ve heard this practice described as scamming or even “theft” or couple of times and I’m really not seeing it. It’s as if I looked at this submission and thought “wow this is a great post by Moxie. I wish I owned the lobste.rs submission; maybe I could buy it off faitswulff?” Suppose faitswulff agreed and for $50 I became the official submitter. Has anyone of Moxie, me or faitswulff been ripped off? Not at all. It’s totally bonkers but I’m hard pressed to see the scamming element.

                                                                                                                                    1. 7

                                                                                                                                      Except that NFTs are always advertised as real, indisputable, true, verified-on-the-blockchain, no-pesky-government-can-ever-confiscate-it ownership. If you go far enough down the rabbit hole you end up in the cliché that the only thing you “own” is a receipt that says “you own this receipt”, but that’s not how people actually talk about or advertise the amazing incredible unbelievable future of “web3” and NFTs and such.

                                                                                                                                      1. 1

                                                                                                                                        Leaving aside many artists’ emotional view of copyright, which does tend to veer mostly towards the “theft” part of the spectrum, it’s a fact that being seen as involved in NFTs is a reputational black mark. Some minter creating NFTs without the artists consent can direct a ton of ire onto the artist, simply because many, many people view NFTs as money-grabbing scams, and hate that their favorite artists and projects are “selling out”.

                                                                                                                                      2. 0

                                                                                                                                        a solution looking for a problem

                                                                                                                                        Have to disagree. This new era of finance brings a lot of possibilities not available in the old bureaucratic system with all its guardians. Not talking about dog coins and outright scams, but the legit projects.

                                                                                                                                        There’s so much composeability and innovation happening. One system plugs into the other, and suddenly you have an ecosystem of financial products miles ahead of what’s available to the average pleb “in the normal world”.

                                                                                                                                        Imagine if we only had closed-source software from old giants like IBM, Oracle, Microsoft and Apple instead of the wild-west of creativity and innovation that is open-source. Same idea.

                                                                                                                                        1. 15

                                                                                                                                          “An ecosystem of financial products” that burn copious amounts of energy, are susceptible to rug-pulls, have no actual technical innovation behind any of them, have their users go through shady leaps and bounds to realize their immaterial wealth, were centralized from the start, and only grow in value if there’s enough committed exchange of actual currencies.

                                                                                                                                          Ponzi scheme enthusiasts/grifters can keep spouting this “everything is great” rhetoric, it is not true and never will be. You are part of the problem.

                                                                                                                                          1. 3

                                                                                                                                            What possibilities? There’s a lot of rhetoric and hopes here, but I don’t see much substance.

                                                                                                                                            1. 1

                                                                                                                                              There’s a bunch depending on how deep you wanna go. But starting from the top, you can:

                                                                                                                                              • Borrow dollars against your portfolio and have a line of credit not available to you in legacy finance

                                                                                                                                              • Deposit dollars and earn a pretty good interest rate not available to you in legacy finance (https://app.anchorprotocol.com/)

                                                                                                                                              • Buy stock derivatives, enabling people in for example Thailand to invest in American stocks like Apple or Tesla (https://mirrorprotocol.app/)

                                                                                                                                              • Pay online or in real life with your digital assets using something like Chai, Alice, Kash etc. Chai is used by millions of unsuspecting users in South Korea, and thousands of merchants connected: https://techcrunch.com/2020/12/09/seoul-based-payment-tech-startup-chai-gets-60-million-from-hanhwa-softbank-ventures-asia/

                                                                                                                                              https://www.alice.co/ https://www.kash.io/

                                                                                                                                              Alice and Kash goes even further than Chai I think. They are basically neo banks.

                                                                                                                                              Then, there are some more advanced features which might not be for everyone, but you can also:

                                                                                                                                              • Help secure the ledger/network by staking assets with a validator node, and get rewarded a portion of the transaction fees. It’s like if Visa or Chase Bank would partner with you and give you a small portion of the revenue.

                                                                                                                                              • Provide liquidity to various projects and get paid for doing so, for example on exchanges. A little bit of passive income with assets that might otherwise only be speculative.

                                                                                                                                              Personally I think it’s pretty cool with the composeability of a lot of projects. It’s like Lego or functional programming. The output of one project plugs into the input of another, and you can build some pretty sophisticated products/services using the basic building blocks.

                                                                                                                                              1. 2

                                                                                                                                                I can’t tell if you’re just really really enthusiastic about cryptocurrencies to a naive degree or just trying to advance an agenda. But referring to fiat currency as “legacy finance” and linking cryptocurrencies to the idea of functional programming seems to me as cheap attempts at gaining more mindshare among the folks here. Either that, or you’re living in a bubble which is sure to burst at some point.

                                                                                                                                                In any case, maybe you should relax and stop commenting so much here trying to win people over that don’t want to be won over.

                                                                                                                                                1. 1

                                                                                                                                                  Yeah ofc I’m just here to corrupt your virtuous souls

                                                                                                                                                  But referring to fiat currency as “legacy finance”

                                                                                                                                                  I didn’t. There’s plenty of fiat (stable coins) in crypto as well. I was talking about old banks & their old tech stacks.

                                                                                                                                                  linking cryptocurrencies to the idea of functional programming seems to me as cheap attempts at gaining more mindshare among the folks here

                                                                                                                                                  I’m just writing about aspects that interests me, one of which is FP. There are even a few projects written in Haskell.

                                                                                                                                                  stop commenting so much here trying to win people over that don’t want to be won over.

                                                                                                                                                  A.k.a you want to maintain the echo chamber? There must be room for other views as well.

                                                                                                                                                  bubble which is sure to burst at some point

                                                                                                                                                  There’s booms and busts everywhere. Same in the stock market & tech startups. The long game matters more.

                                                                                                                                            2. 2

                                                                                                                                              Mandrean, I think it is great that you showed up in the discussion since you’ve done a very polite job of representing a naive crypto-influenced hopeful.

                                                                                                                                              A few things I’d like to point out:

                                                                                                                                              • Proof of Stake is not decentralized and in fact cannot be decentralized. It is a permissionsed system where the only way to get voting rights is an out-of-band transaction (buying tokens) there’s also a convincing argument that you can force these platforms to recentralize if they become decentralized via coordinated bribery offers (but only if you have an oracle).
                                                                                                                                              • The oracle problem is the elephant in the room and addressing that requires social networking technology not verifiable runtimes (blockchains).
                                                                                                                                              • Proof of Work and also probably Chia’s Proof of Space+Time are things that work but /just barely/, with chia we may have a energy friendly settlement layer to build a p2p digital society on top of but they decided to premine as much as will be mined over the next 20 years.
                                                                                                                                              • The fundamental coordination problem is not byzantine fault tolerance but rather the tragedy of the commons (sybil resistance is implied by resistance to TotC). Proof of Space+Time is still a resource wasting race so it’s not an improvement over bitcoin until we have the social layer to regulate the competition.
                                                                                                                                              • NFTs can eventually become deeds to content but only once we have a legitimate platform, which people believe the combination of twitter and ethereum to be. However the legitimate platform (for the time being) is called government.

                                                                                                                                              Basically, what someone said about the crypo-world programmers not needing to do their jobs to get paid is not only correct but I also think it is the other way around, if you want to get paid you need to do a scam; the problems are hard to solve, require large investment to make a noticable change in the state of tooling to address the problems and finally there is no way our current economic system will value charitable work. Sorry I have to run to lecture now I’d be willing to go deeper into these points.

                                                                                                                                              1. 1

                                                                                                                                                Proof of Stake is not decentralized and in fact cannot be decentralized.

                                                                                                                                                Disagree; PoS can be decentralized not only in terms of geographic location & jurisdiction, but by voting power as well (and maintained that way).

                                                                                                                                                For example, see study from Leeds University:

                                                                                                                                                Our results based on simulated paths of the dynamics of nodes’ coins at stake suggest that decentralization of PoS blockchains can be largely maintained with moderate constant or dynamically adjusted coin inflation while decreasing inflation yields a large loss in active staking nodes over time when coin prices are static. Target node participation rates are not only fairer in terms of coin distribution but also yield higher value-weighted returns for participants.

                                                                                                                                                The oracle problem is the elephant in the room

                                                                                                                                                There are already decentralized oracle networks, for example Chainlink and Witnet https://chain.link/use-cases https://witnet.io/

                                                                                                                                                sybil resistance / ToTC

                                                                                                                                                It’s an interesting space to follow. Witnet’s whitepaper proposes algorithmic reputation: https://witnet.io/witnet-whitepaper.pdf

                                                                                                                                                I’m sure researchers will come up with other interesting approaches in the coming years as well.

                                                                                                                                                if you want to get paid you need to do a scam; the problems are hard to solve

                                                                                                                                                Same applies to being an engineer at Netflix, Spotify, Tesla etc. as well then. Also scams!

                                                                                                                                                1. 1

                                                                                                                                                  Disagree; …

                                                                                                                                                  Not a matter of opinion if mathematics is to be trusted. Democracy suffers from the same unsustainability problem (via totc).

                                                                                                                                                  chainlink … witnet..

                                                                                                                                                  I am aware of them, they don’t solve the incentive problem. Chainlink seems more bad-faith than witnet but neither works.

                                                                                                                                                  Netflix, Spotify, Tesla, …

                                                                                                                                                  Yes, this is a very good point. Our economic system systematically undermines non-scams so it’s no surprise that you can name many big companies, this is infact what prompted me to comment in the first place. People like to jump on a “solution” whenever there is a hard scary problem and some con man with a rationalization but the problem of “pollution” needs to be managed no matter whether or not we have a proper solution to it in the abstract, however, what we are actually seeing is that the problem is being ignored or made worse by people following the advice of those who claim to have a solution. COVID is being run on the same dynamic.

                                                                                                                                          1. 14

                                                                                                                                            People complain all the time about how verbose the Java type system is. I mean, what about this kind of code:

                                                                                                                                            List customers = new ArrayList();
                                                                                                                                            

                                                                                                                                            Do I really have to say it twice?

                                                                                                                                            That’s a disingenuous example. Java gained support for the var keyword in March 2018 with the release of Java 10:

                                                                                                                                            var customers = new ArrayList();
                                                                                                                                            

                                                                                                                                            What’s more, one might meaningfully choose to write List over var to communicate that the rest of the code should not rely on the unique behavior (performance characteristics or unique methods) of the ArrayList as compared to other List implementations.

                                                                                                                                            A lot of people (myself included) argue that the Java type system gets in the way more than it helps. […] You give up the small amount of safety for a huge amount of flexibility.

                                                                                                                                            Given that I just refuted the only example the article gave of a problem with Java’s type system, I think this argument needs expansion. I recognize that Java’s type system has limitations, such its single-dispatch that necessitates the cumbersome Visitor pattern, but I’m not convinced that a large codebase would be better off sacrificing Java’s compile-time type safety to use Clojure. (Of course, other statically typed JVM languages might be even better than Java.)

                                                                                                                                            1. 11

                                                                                                                                              Another feature that Clojurists like to claim as a feature is Clojure’s nil handling and I have to strongly disagree.

                                                                                                                                              Yes, you avoid a NullPointerException where you try to use a nil value, but instead nil quietly continues propagating through your program, being part of maps, transforms of maps and at some point something falls over because the value that you expected is nil but that’s not a valid value, so you have to trace the entire program back to where the nil actually originated and see why that was wrong and fix it in that place.

                                                                                                                                              This combined with the fact that it is way too easy to get a nil in regular Clojure code (because getting a non-existing value out of a map will give you that unless you insist on a sentinel) makes it basically the Clojure equivalent of the infamous “undefined is not a function” error. You can be extremely defensive and to Go style “if error” checks (which due to Clojure’s macro system would be more bearable than in Go), but I really don’t think this “on error resume next” strategy is a strong point of the language.

                                                                                                                                              1. 4

                                                                                                                                                I really like Clojure and I think its reliance on nil punning is absolutely one of the most boneheaded “features” of the language. It feels like it was designed exclusively to look good in a show floor demo, but spending just a little time with it makes you realize that it’s error-prone in the ways that you mention and it isn’t semantically illuminating either. I chafe every time I see or type the idiomatic (if (seq collection) true-case false-case) to test whether collection is empty, because I get the feeling that someone thought it was a cleverly elegant way of expressing that condition. It’s not. It’s really, really not.

                                                                                                                                                1. 4

                                                                                                                                                  I really like Clojure and I think its reliance on nil punning is absolutely one of the most boneheaded “features” of the language.

                                                                                                                                                  +1 to that; the nil punning is definitely one of my pet annoyances with Clojure. However, it seems that many people feel differently. It inherited the nil punning from Common Lisp, where it’s also pretty (har har) common to nil-pun (for instance, (car nil) returns nil). But another problem is that Clojure doesn’t go all the way. There are several builtins that simply forward to a native call and those will raise a NullPointerException. There’s not really any rhyme or reason to it, you basically have to know which ones will pass through the nil (most will) and which will not (some surprising ones will not, for example most of the string functions, even though strings can be seen as collections).

                                                                                                                                                  (if (seq collection) true-case false-case)

                                                                                                                                                  I never got why that was considered idiomatic either. How is (if-not (empty? collection) true-case false-case) any less readable?

                                                                                                                                                2. 2

                                                                                                                                                  I’ve been working with Clojure for around a decade now and nil punning has never been a real problem in practice in my experience. What actually happens is that you just let the nils flow through the code and you do validation at the edges. Nowadays, you’d also use Malli or Spec to define the schema at the API level. If you’re nil as an error then you’re not really writing idiomatic Clojure.

                                                                                                                                                  1. 1

                                                                                                                                                    This is the canonical answer that many issues with Clojure get: “you should’ve done it differently”, which while obviously true, I should just not have created bugs, but practically not helpful.

                                                                                                                                                    I would rather see these things being acknowledged and tackled rather than played down. To me this is the canonical “I can run with scissors, as long as I am careful not to fall with scissors (or have prepared cushions that if I fall I don’t hurt myself)”. Not specific to Clojure itself, but I have found the Clojure community to be extremely insisting that that is the right way (imagine Python users all saying that having a GIL is Good Actually™).

                                                                                                                                                    Yes sure there’s ways to deal with specific issue, like use a library that will only be invented in the future like Malli (2019) or Spec (1.9, 2017, still called “alpha”) which both came pretty late to the Clojure (2009) world and Schema which came earlier (2013) but is dead now but if the solution to this is validation of all intermediate maps then Clojure is missing a convenient language element that guarantees that keys are actually set. On the other hand, if the validation is only at the edges, you only get to know about it when it the validation fails and then you still have to trace back where that nil originally came from.

                                                                                                                                                    And sometimes you just have a codebase that’s written this way or other and it generally works so you can either trace up where you accidentally created the nil and fix it or spend many hours of rewriting and adding validation everywhere (bonus points if this is a library that is not written by you, but rather FOSS code where contributing large patches is always a somewhat painful exercise, even if the maintainer is very active).

                                                                                                                                                    1. 2

                                                                                                                                                      Every language in existence has its own patterns and best practices. So the argument that Clojure practices are different from what you’re used to isn’t terribly convincing.

                                                                                                                                                      Different languages make different design choices that have their own trade offs. This is of course the case with nil punning in Clojure as well. However, as I’ve already noted, I haven’t seen this choice manifest itself as an actual problem. If you’re claiming that it is then please show me examples that it is in fact a source of errors. For example, we could look at Github issues for popular Clojure libraries and see how many of these issues trace to nil punning.

                                                                                                                                                      What you’re doing here is making an utterly unsubstantiated assertion that nil punning leads to errors. Then you take this assertiion and treat is as a fact without providing a shred of proof to support the notion.

                                                                                                                                                      1. 3

                                                                                                                                                        What you’re doing here is making an utterly unsubstantiated assertion that nil punning leads to errors.

                                                                                                                                                        I would say it doesn’t lead to errors, it just makes debugging much more difficult by carrying on with an unexpected value until it crashes at some later point, where you may have no idea where the nil came from.

                                                                                                                                                        1. 1

                                                                                                                                                          Clojure development is typically done interactively by connecting the editor to a REPL. My workflow is to continuously run code as I write it and I always know exactly what it’s doing. For example, let’s say I need to get some data from the db, massage it in some way, and send it to a client. I’d write a function to pull the data, run it, look at the data I’m seeing. Next, I’ll pass it to the function to transform it, and look at the result there, and so on. At each step I only need to worry about the current transformation I’m making and the state of the data in the last step.

                                                                                                                                                          As I’ve mentioned in another comment, thinking of nil is a wrong value is not the right mindset here. A better way to look at it is that you’re querying into the data structure and you may or may not get a result.

                                                                                                                                                          1. 1

                                                                                                                                                            In my experience, you tend to be a lot more “rough” about what you try out in the REPL. Typically those are couple of variations of the happy path. This means you won’t be testing what happens when some part of the input you’re expecting to mostly be there will be missing (thus yielding nil).

                                                                                                                                                            Besides, the point was that it’s difficult to debug, which you’ll usually be doing after a report of something happening on production. Or very complex code in development where certain inputs yield nil somewhere along the way.

                                                                                                                                                            1. 2

                                                                                                                                                              Any real world application is going to have some sort of regression testing which will catch these kinds of problems. Meanwhile, I’ve been maintaining large apps in production for many years now and your assertions simply doesn’t ring true to me. It’s generally very easy to tell where the problem is based on the stack trace. Vast majority of the time when you see a production issue, the problem will be within a few lines of where the trace leads you.

                                                                                                                                                              As I’ve already explained, nil should be treated as an expected result, and it’s handled sanely by standard library functions. Meanwhile, your complex functions are just combinations of these functions from the standard library. So, what actually happens is that nils just flow through the execution chain, and then you decide how you want to present them at the edges. This is also where you’d typically use things like spec to do validation and coercion of data.

                                                                                                                                                        2. 1

                                                                                                                                                          Have you ever had any problems with Clojure?

                                                                                                                                                          1. 2

                                                                                                                                                            Sure, I don’t think there’s a language in existence that won’t give you problems. A few pet peeves I have would be how cons and conj work, the fact that some core functions fail to handle NPE when wrapping Java calls, hot loading of libraries being flaky (although this is more of a JVM problem), and poor REPL experience compared to CL. However, nil punning is simply not an actual problem that has any real negative impact on development or code quality.

                                                                                                                                                          2. 1

                                                                                                                                                            Every language in existence has its own patterns and best practices. So the argument that Clojure practices are different from what you’re used to isn’t terribly convincing.

                                                                                                                                                            The other language I can think of where it is somewhat common to give unexpected answers to wrong input data instead of failing is JavaScript, where it is not considered a good part of the language.

                                                                                                                                                            You’re making the assertion that is it not a problem by stating that it hasn’t been a problem for you personally in a decade (I’ve also been using Clojure on and off since before 1.0 and it being my favourite language for some time, but so what?), but even people in this thread have mentioned issues with it.

                                                                                                                                                            I can’t point at specific examples because the examples where I spend a lot of time debugging were in proprietary code bases where you often get to correlated multiple domain “objects” together to form new domain objects. I’d say this is less of a problem in popular Clojure libraries since they’re often wrappers around Java libraries, with a lot less complex data being shuffled around in maps.

                                                                                                                                                            1. 2

                                                                                                                                                              The other language I can think of where it is somewhat common to give unexpected answers to wrong input data instead of failing is JavaScript, where it is not considered a good part of the language.

                                                                                                                                                              Except that Clojure gives expected answers. As I’ve already pointed out, the only issue here is that your expectations don’t match how the language works. The way to think about it is that you’re making a query into the data structure, and the query either returns a value when present or nil when there isn’t one. This isn’t an expected answer.

                                                                                                                                                              You’re making the assertion that is it not a problem by stating that it hasn’t been a problem for you personally in a decade (I’ve also been using Clojure on and off since before 1.0 and it being my favourite language for some time, but so what?), but even people in this thread have mentioned issues with it.

                                                                                                                                                              I’m saying that it hasn’t been a problem for me personally, it hasn’t been a problem for other people I know working with the language, and I haven’t seen it be a problem in many libraries I use and have contributed to over the years.

                                                                                                                                                              I’d say this is less of a problem in popular Clojure libraries since they’re often wrappers around Java libraries, with a lot less complex data being shuffled around in maps.

                                                                                                                                                              There are plenty of Clojure libraries that do lots of complex data manipulation. I work in medical domain and I have to work with lots of complex data such as FHIR all the time.

                                                                                                                                                  1. 6

                                                                                                                                                    The original post is pretty weak, but I’m glad to see so much lively discussion in the comments. Reminds me why I keep coming back to lobste.rs!

                                                                                                                                                    1. 1

                                                                                                                                                      Same here! I hadn’t seen this article posted on this site yet, so I figured I would take the liberty and see what other people’s thoughts on it are