1. 2

    Prime example of why you should never pipe curl output straight into bash.

    I’m really surprised this is not a top story here or HN .. millions of projects are potentially compromised or have at least their CI secrets / API keys stolen.

    1. 2

      This was my first response as well, but in a way it represents a larger problem of auto-updating/live dependencies.

      From what I’ve seen in the past, the standard “alternative” to piping curl to the shell is to download the file, “read” it, and then execute it. [1] [2] [3] That wouldn’t’ve helped here. Even if a thoughtful user had downloaded the file and run it in two separate steps, they’d still be vulnerable.

      The “actual” solution would be to download, verify the checksum against something, and then execute the script. That an issue as well: where do you get the checksum from? For the codecov script, they post the checksums in the GitHub repo which might be a safe place. But if you’re downloading the file from a remote source it’s technically possible that file has also been compromised.

      If you instead download the file once, “pinning” it to a version: what if you’ve downloaded the file during the period when it was malicious. Now you’ve pinned a malicious version.

      There’s no easy solution here, and while I agree that curl | bash is a bad idea for many reasons, that isn’t the root issue here. This is a reminder that everything should be considered malicious, but little more than that.

      1. 3

        Even if a thoughtful user had downloaded the file and run it in two separate steps, they’d still be vulnerable.

        This is only true if they had downloaded it from the compromise window of February-March. The smart thing to do is download it once and drop it in your repo; that makes it trivial to go back later and see whether any given build was compromised. If people had done this instead of following codecov’s advice, then only projects which added codecov during that window would have been compromised, rather than literally every project which used codecov during the window.

        No one is saying that “avoiding curl|bash means you’re completely safe”; it’s all about limiting the blast radius of an intrusion.

        1. 2

          The thing is that a lot of people focus on the “piping curl to bash”-part; which is what the top comment did as well (“you should never pipe curl output straight into bash”). There is little difference between piping directly to bash or saving it first, or between that bash script and some library you added from your language package tool.

          The problem in this specific case – which is actually not very common because most curl | bash things are one-time installers – is that you’re always directly loading the code from a remote source, possibly dozens of times per day.

          A good solution would be to limit the access of such things; all it needs to do is read a file and upload it; there’s no need for it to access anything else on the filesystem, or even access the environment beyond a few basics. All of this is possible already I think, but not very easy. Certainly not as easy as something like:

          run-limit --deny-all \
              --allow-fs coverage.profile --allow-http api.codecov.com \
              --allow-env PATH --allow-env CODECOV_KEY \
              'curl codecov.com/sh | bash'
          
    1. 2

      The cult of objects and abstractions and patterns everywhere.

      All you need is an enum like type and a function to convert input to that type. Maybe in some insanely more complicated example you could justify the factories and objects and visitors and what not but this code the question was asked about can be made type safe fool proof and no repetitive with a basic type and a function.

      He advises against an enum in the article. I don’t really understand why. Maybe it is too simple. Too pragmatic.

      1. 1

        He says why right in the article. The assumption is that you will be conditioning real behaviournon this, probably in many places in the system. If you’re not, you don’t even need the enum and a string will do, if you are then the enum will lead to repeated cases all over the system vs a set of objects encapsulsting that complexity.

      1. 2

        Does anyone here use straight? I never got the advantage, compared to just cloning the repositories yourself (or as submodules). Plus you have to run random code from a github repository.

        1. 2

          You run random code anyway. Even without straight? Or do you audit all the packages and their dependencies before you use them?

          1. 2

            I minimize the number of packages I use and usually skim through the source code. Automatically downloading and evaluating code from a repository seems more dangerous, but I do get your point.

          2. 2

            No I haven’t felt the need.

            I (ab)used Cask for a long time because it was a nice declarative way of configuring packages in ~/.emacs.d. Since I’ve returned back to using package.el and the fact that it handles dependencies much better now, I just rely on it maintaining package-selected-packages and if needed I can just call (package-install-selected-packages) but I don’t have more sophisticated needs.

          1. 4

            You can simplify this with http.Handle("/", http.FileServer(content))

            1. 9

              I don’t really like Go, and have only done like …. 5 pages of it ever. But I feel like that goroutine example is pretty convincing that Go is easy? The amount of futzing about I have to do in Python to get a similar-working pipeline would lead to maybe 3x as much code for it to be that clean.

              I dunno, Go reintroduces C’s abstraction ceiling problem meaning it’s hard for someone to show up and offer nicer wrapper for common patterns. But if you’re operating at the “message passing” and task spinup level, you’re gonna have to do flow control, and that code looks very nice (and local, which is a bit of a godsend in this kind of stuff).

              Though I feel you for the list examples. Rust (which, granted, has more obstacles to doing this) also involves a lot of messing around when trying to do pretty simple things. At least it’s not C++ iterators I guess

              1. 18
                import asyncio
                
                async def do_work(semaphore, id):
                    async with semaphore:
                        # do work
                        await asyncio.sleep(1)
                        print(id)
                
                async def run():
                    semaphore = asyncio.Semaphore(3)
                    jobs = []
                    for x in range(20):
                        jobs.append(do_work(semaphore, x))
                    await asyncio.gather(*jobs)
                    print("done")
                
                asyncio.run(run())
                

                About the same length in lines, but IMO quite a bit easier to write.

                1. 4

                  That is a good example but you can’t really compare asyncio and go routines. The latter are more like “mini threads” and don’t need to inherit all the “ceremony” that asyncio needs to prevent locking up the io loop.

                  1. 12

                    Goroutines are arguably worse IMO. They can be both run on the same and a different thread, which makes you think about the implications of both. But here’s an a bit more wordy solution with regular Python threads which can be more comparable:

                    import threading
                    import time
                    
                    def do_work(semaphore, id):
                        with semaphore:
                            # do work
                            time.sleep(1)
                            print(id)
                    
                    def run():
                        semaphore = threading.Semaphore(3)
                        threads = []
                        for x in range(20):
                            thread = threading.Thread(target=do_work, args=(semaphore, x))
                            thread.start()
                            threads.append(thread)
                        for thread in threads:
                            thread.join()
                        print("done")
                    
                    run()
                    

                    As you can see, not much has changed in the semantics, just the wording changed and I had to manually join the threads due to a lack of a helper in the standard library. I could probably easily modify this to work with the multiprocessing library as well, but I’m not gonna bother.

                    Edit: I did bother. It was way too easy.

                    import multiprocessing as mp
                    import time
                    
                    def do_work(semaphore, id):
                        with semaphore:
                            # do work
                            time.sleep(1)
                            print(id)
                    
                    def run():
                        semaphore = mp.Semaphore(3)
                        processes = []
                        for x in range(20):
                            process = mp.Process(target=do_work, args=(semaphore, x))
                            process.start()
                            processes.append(process)
                        for process in processes:
                            process.join()
                        print("done")
                    
                    run()
                    
                    1. 10

                      goroutines aren’t just good for async I/O. They also work well for parallelism.

                      Python’s multiprocessing module only works well for parallelism is basic cases. I’ve written a lot of Python and a lot of Go. When it comes to writing parallel programs, Go and Python are in different categories.

                      1. 4

                        It’s best to decide which one do you actually want. If you’ll try to reap benefits of both event loops and thread parallelism, you’ll have to deal with the disadvantages of both. Generally, you should be able to reason about this and separate those concerns into separate tasks to be able to separate your concerns. Python has decent support for that, with asyncio supporting running functions in threadpool or processpool executors.

                        I do agree though that Python isn’t the best at parallelism, because it carries quite a lot of historical baggage. When it’s threading was being designed in 1998, computers with multiple CPU’s where rare, and the first multi-core CPU was still 3 years away[1], with consumer multi-core CPU’s arriving 7 years later. The intention for it was to allow multiple tasks to run seemingly concurrently for the programmer on a single CPU and speed up IO operations. At the time, the common opinion was that most of the things will continue to have only a single core, so the threading module was designed appropriately for the language, with a GIL, giving it safety that it will not corrupt the memory. Sadly the things didn’t turn out how they initially thought they would, and now we have a GIL problem on our hands that is very difficult to solve. It’s not unlike the errno in C, which now requires macro hacks to correctly work between threads. Just that GIL touches things that are a bit harder to hack over.

                        1. 7

                          I’m aware of the history. My point is that the Python code you’ve presented is not a great comparison point because it’s comparing apples and oranges in a substantial way. In the Go program, “do work” might be a CPU-bound task that utilizes shared mutable memory and synchronizes with other goroutines. If you try that in Python, it’s likely you’re going to have a bad time.

                          1. 3

                            The example with multiprocessing module works just fine for CPU tasks. asyncio works great for synchronization and sharing memory. You just mix and match depending on your problem. It is quite easy to deffer CPU heavy or blocking IO tasks to an appropriate executor with asyncio. It forces you to better separate your code. And in this way, you only need to deal with one type of concurrency at a time. Goroutines mashes them together, leaving you to deal with thread problems where coroutines would have worked just fine, and coroutine problems, where threads would have worked just fine. In go you only have a flathead scredriwer for everything betweem nails and crosshead screws. It surely works, sometimes even well. But you have to deal with warts of trying to do everything with one tool. On the other hand, Python tries to give you a tool for most situations.

                            1. 6

                              The example with multiprocessing module works just fine for CPU tasks.

                              But not when you want to add synchronization on shared mutable memory. That’s my only point. You keep trying to suck me into some larger abstract conversation about flat-head screwdrivers, but that’s not my point. My point is that your example comparison is a bad one.

                              1. 3

                                Give me an example of a task of that nature that cannot be solved using multiprocessing and asyncio and I’ll show you how to solve it. You shouldn’t try to use single tool for everything - every job has it’s tools, and you might need more than one to do it well.

                                1. 4

                                  I did. Parallelism with synchronized shared writable memory is specifically problematic for multiprocessing. If you now also need to combine it with asyncio, then the simplicity of your code goes away. But Go code remains simple.

                                  You shouldn’t try to use single tool for everything

                                  If you think I need to hear this, then I think this conversation is probably over.

                                  1. 2

                                    Parallelism with synchronized shared writable memory

                                    You describe a class of problems. But I cannot solve a class of problems without knowing at least one concrete problem from the class. And I do not.

                                    1. 3

                                      Here’s an example of something I was trying to do yesterday:

                                      I wanted to use multiprocessing to have multiple workers pull (CPU-bound) tasks off a (shared) priority queue, process each task in a way that generates zero or more new tasks (with priorities) and put them back on the queue.

                                      multiprocessing.Manager has a shared Queue class, but not a shared priority queue, and I couldn’t figure out a way to make it work, and eventually I gave up. (I tried using heapq with a shared multiprocessing.list and that didn’t work.)

                                      If you can tell me how to solve this, I would actually be pretty grateful.

                                      1. 1

                                        I gave it a bit of time today, here’s the result. Works decently well, if you don’t do CPU expensive stuff (like printing big numbers) in the main process and your jobs aren’t very short.

              1. 2

                I think Cocoa Emacs may need a bigger rewrite to become future proof. It will probably survive macOS 11 but the Cocoa integration code really is a huge complicated 20? year old hair ball.

                1. 2

                  Would be interesting to see if the new pgtk (pure gtk) integration works, since gtk3 does support macOS. It’s still WIP of course, and I’m not saying it should replace cocoa, but still…

                  1. 2

                    As a macos user, there is nothing about gtk3 or gtk4 that would make me want it to be used in gui emacs on macos.

                    Why would I trust a work in progress over something that actually uses the platform? Why is macos special in this regard and windows being left out? Why not just update cocoa emacs instead of make emacs an even worse experience on macos? Will gtk improve the spawned process speed on macos?

                1. 13
                  1. 6

                    No, seems like it’s still on the homepage & in the source code as of 3.0.0.

                    1. 6

                      And thereby possibly violating the GDPR of those are in the EU. But any discussions about this are immediately censored in the Homebrew project.

                      1. 1

                        Can confirm, as a project they don’t like being told their approach isn’t fantastic.

                        1. 2

                          As someone who has been on the receiving end of many discussions like that (specifically, Firefox for Android aka Fenix), I can say the following:

                          An open source project and their maintainers can make decisions about how they wish t run and implement the project.

                          People can file all the bugs and re-open all the discussions for things that they do not agree with, but at one point they will have to accept that a decision has been made by the people running the project.

                          What I see over and over again are the same responses:

                          • they do not listen
                          • they do care
                          • they censure me
                          • they don’t deal well with criticism
                          • i will leave if you don’t do what I want
                          • I will fork the project
                          • the project is doomed

                          As someone who has been on the receiving end of this many many times I can tell you that it is extremely tiring and unproductive. As a maintainer you simply cannot satisfy all requests from all users. For all kinds of reasons. Sometimes it is as simple as “we like the way this works”.

                          So dead horses will be beaten and discussion threads will be closed. Sometimes no is no. It is that simple. How do you reach consensus? Well often you do. Sometimes you don’t.

                          What makes it even more complicated is that the user base is usually also fully split. I can guarantee you that in this case, sending anonymous usage to google analytics, many people could not care less and probably don’t bother to disable it even after reading the note that is shown about it.

                          So I ask people here, as a maintainer of a project, what do you do? Do you submit yourself to a small group of very vocal and strongly opinionated users? Or do you just stick with what you and fellow maintainers think is the best way to go forward?

                          (What I find really interesting is that in communities like this, Lobsters, there is often a lot of agreement about how bad it is that people ask for time or free support from open source projects. It is often quickly labeled as unacceptable entitlement. How are issues like https://github.com/Homebrew/brew/issues/142 different I ask you?)

                          1. 2

                            As a maintainer you simply cannot satisfy all requests from all users.

                            Nobody asked them to satisfy all requests from all users.

                            I’d imagine I’m pretty safe to say that no single user anywhere asked them to add analytics, using one of the most privacy invasive companies on the planet.

                            Debian, as usual, shows how to do this right:

                            (a) prompt the user on-install/first-run, if they’re happy to provide anonymous usage information. Provide links to more information if necessary.

                            (b) don’t rely on a privacy abusing mega-corp to provide the backend for said usage tracking.

                            1. 1

                              … shows how to do this right

                              This is an opinion. And exactly why these discussions are so difficult.

                        2. 1

                          Can you explain how it violates the GDPR?

                          1. 2

                            You need informed consent before you send any identifiable data, and most data points are identifiable.

                            1. 1

                              I am not a lawyer but I am pretty sure that you don’t need consent for anonymous analytics since there is no connection to an person.

                              If you think the data that Homebrew sends is indeed PII (Personally Identifiable Information) then you should definitely raise that with them. But I highly doubt this is the case since Homebrew does not know who you are.

                              1. 1

                                I’m not a lawyer either, but e.g. cookies require consent. Obviously a shell doesn’t have cookies, but Home-brew essentially re-creates them, by generating a UUID (and storing it, only generating a new one if it can’t read an existing one) and sending it with the calls to GA.

                                If you accept that a cookie is a little piece of text on your computer that can be used to uniquely identify you, I’m not sure how “a UUID strode on your computer that can be used to uniquely identify you” wouldn’t be considered the same thing.

                                1. 2

                                  The nuance here is “identify you”. Again I am not a lawyer but a random session or install ID is not PII and not something that identifies you. If it is connected to for example an email address then it would be.

                                  Home brew has no relationship with its users. It does not know who those are or how to identify them. If you would send a GDPR request to them to ask for your data then they cannot send you anything because they cannot uniquely identify you. Only when you give them that UUID and tell them, that’s me, they can. But at that point you have made the connection.

                                  1. 1

                                    As I understand it (also not a lawyer) - because the data can later be combined with another source to identify the customer (that is, ‘this uuid is that persons laptop’), it’s covered.

                                    The GDPR is not written to allow clever hacks to get around it.

                                    On the bright side - violators can expect formal letters of warning at no cost. If you persistently ignore those for a year or so you’re likely to get a really damn big fine, but it’s not like it’ll come as a surprise.

                      1. 1

                        Reeder.app on iOS and macOS. Wonderful app.

                        1. 1

                          How do you browse the web if you think OCSP is unsolicited? I mean 5 minutes of browsing on articles posted here will probably generate more scary random requests.

                          1. 5

                            These forks are unsustainable because they tend be developed by people without the resources to develop a browser, leading to not actually being able to keep up with security patches from upstreams/able to support standards (real ones, not counting shit like WebUSB), and used/developed by the most finicky users that can never be pleased, causing a cycle of no one to be happy if anyone changes anything

                            1. 2

                              These forks are unsustainable because they tend be developed by people without the resources to develop a browser,

                              This is the crux of it - the only people who HAVE the resources to develop a browser these days are MSFT and GOOG. I am Not an Expert, but it seems to me that a modern web browser is a beast of sufficient complexity that no independent FLOSS project could hope to be able to maintain one.

                              IMO this complexity problem isn’t unique to browsers either. Modern graphical desktop environments are creatures of positively enormous complexity being developed by a small dedicated band of people, and they can’t hope to have the resources needed to keep up.

                              Not sure if this is a solvable problem either, at least from the perspective of wanting FLOSS projects to be free of big corporate sponsorship.

                              1. 3

                                [T]he only people who HAVE the resources to develop a browser these days are MSFT and GOOG.

                                Sorry for being nitpicky, but what we have today is large outfits including MSFT and GOOG able to change web standards at a fast pace and push out updates so the install base has them. From there, web developers start using them, which leaves it impossible for anyone without those resources to build a compatible web browser. But note the whole thing is circular - the existence of well funded outfits, auto updates, and living standards is self perpetuating.

                                Modern graphical desktop environments are creatures of positively enormous complexity being developed by a small dedicated band of people, and they can’t hope to have the resources needed to keep up.

                                Personally I think this is very different. For one, there’s no equivalent to the web ecosystem - people are free to use whichever desktop environment suits their needs without being shut out of current content. Secondly, it seems as though the well funded outfits are making lots of visual change in the hope of differentiating their current products from prior products, but users aren’t demanding those changes, and given a choice frequently wouldn’t want them.

                                I’m writing this from FVWM (which doesn’t really count as a desktop environment), but if I wanted a full DE I’d probably use MATE, which is fairly similar to Pale Moon in terms of origin story. Even without a lot of development activity, it’s still a good DE, because there’s no intrinsic need for it to have adopted lots of changes in the last couple years.

                                1. 1

                                  Sorry for being nitpicky, but what we have today is large outfits including MSFT and GOOG able to change web standards at a fast pace and push out updates so the install base has them. From there, web developers start using them, which leaves it impossible for anyone without those resources to build a compatible web browser. But note the whole thing is circular - the existence of well funded outfits, auto updates, and living standards is self perpetuating.

                                  I actually don’t think that’s nit-picky at all and is an important point worthy of note and discussion.

                                  It also IMO asks the question “What would the ideal evolution of the web look like?” and maybe the answer is something like “HTML + simpler CSS and call it a day” where rich interactive applications can be handled by some other technology better suited to it, but I dunno.

                                  If my 32 years in tech have taught me anything, it’s that technical excellence or elegance are rarely paramount where market adoption are concerned.

                                2. 2

                                  Even if standards were as they were in say, 2009, it would still be likely irresponsibility developed from the perspective of “noooo not this feature” instead of trying to be a good steward of the web and keeping up with fixes.

                                  1. 2

                                    Totally agree. Part of the problem is that the web started out as one thing (A mechanism for presenting straight text with a relatively limited markup language) and evolved over time into something else entirely - a platform for delivering arbitrarily rich applications that’s as deep as native operating systems.

                                    1. 1

                                      Are you suggesting that it would be irresponsible for web standards to evolve at a slower pace?

                                      As a user, what new scenarios have been enabled to you as a result of the last decade of web standards?

                                      To me at least, existing sites for social media or video streaming or online banking have been rewritten to use newer standards, thereby forcing me to upgrade, but the functionality they provide me with hasn’t appreciably changed. If I was less technical, I’d perceive that I’m being forced to upgrade in order to retain access to something I previously had access to.

                                      Note that if standards weren’t evolving so quickly, and weren’t evolving to be more computationally intensive, we’d have other benefits. Our devices would have better battery life, last longer, be lighter and more portable, etc. We’d have a more competitive browser market, which would enable less dependence on large corporate actors, and that would enable things like cheap phones that respect privacy far more than exists today. We’d probably have more competition at the hardware level too, and be less beholden to a couple of huge companies that are pushing performance per watt of ARM as hard as they can.

                                      IMO, we’re giving up more value than we’re getting, which is not accidental. The interests pushing web standards control the browser and the content, have interests in reducing privacy, and maintain control through continual upgrades which we pay for in terms of hardware. We are paying a high but hidden price for the status quo.

                                      1. 2

                                        I’m saying the problem Pale Moon et all face are independent of standards. I agree that web standards are kind of a mess right now, but that’s not the point. The point is that their issues come from their user and developer base, and the priorities they take.

                                    2. 2

                                      the only people who HAVE the resources to develop a browser these days are MSFT and GOOG

                                      Hmmm some company seems to be missing from that list …

                                  1. 3

                                    Looking at your list of services .. you can probably run all of those on a single 1GB / $5/month instance and dockerize or even just systemd them. And still under utilize that host.

                                    1. 2

                                      I’m gonna systemd them yeah.

                                      1. 1

                                        You could runit them on void linux musl and have room for a minecraft server!

                                      1. 11

                                        A dark mode did exist but it was reverted:

                                        https://github.com/lobsters/lobsters/pull/823 https://github.com/lobsters/lobsters/commit/65b0b3422d71432db4d3b78f15fd46133a120caf .

                                        Firefox support is mentioned but Chrom{e,ium} isn’t any better - in the name of intuitive user experience, no theme selection UI is exposed on the desktop builds, unlike on mobile builds.

                                        The irc channel is a good place to talk about this kind of stuff: https://lobste.rs/chat

                                        1. 2

                                          Why was it reverted? What needs to happen for it to come back?

                                          1. 8

                                            Firefox support is half-baked. There’s no user or devtool UI to toggle between states, inspecting an element always shows the style for ::selection instead of the element, and it lists the name of a color variable with no way to see the value of the variable or where it is set. Punting until it’s debuggable.

                                            1. 8

                                              There is now a feature flagged button for toggling this in Firefox devtools, and it’s on track for being enabled by default. https://stackoverflow.com/a/60481298

                                              1. 8

                                                Thanks for quoting this. I just wanted to post to confirm this is the latest state on it. Someone volunteered to do it, the tooling isn’t quite ready, but it’s a popular request and I look forward to merging it when it’s maintainable.

                                                Though I don’t look forward to another round of the bikeshedding that immediately popped up in the few hours this was live, and would appreciate it if folks with strong opinions on the exact colors of dark mode express them on the PR before merge. And obviously, the easiest way to see your opinion reflected on the site is to create the PR and help get it over the line. :)

                                              2. 2

                                                IIRC there was a lot of bike shedding on the colors and also there’s browser support stuff too.

                                                To be honest I think part of this is that in the grand scheme of things there are more time sensitive/higher payoff work that can go into lobsters for the amount of effort dark mode was becoming.

                                                1. 3

                                                  I threw the dark mode together in a few hours, wasn’t a big deal to be honest.

                                              3. 2

                                                On that note, are there any alternate user stylesheets that folks have made that they would like to share? Dark Mode or otherwise.

                                                1. 5

                                                  darkreader works but the colorscheme is kinda meh. I turn it on at night.

                                                  1. 1

                                                    What plugin do you use for alt style sheets?

                                                    1. 1

                                                      You can use greasemonkey to inject the css content at certain nodes or on page load, I am not aware of one someone has created for dark mode in lobste.rs. If someone has created the css I would be happy to make a greasemonkey script for it.

                                                      1. 1

                                                        I use Stylus myself

                                                      2. 1

                                                        You can load the dark-mode CSS I wrote for lobste.rs into the Stylus extension: https://pastebin.com/raw/tQfN73az

                                                      3. 2

                                                        It’s a pity the link to the chat is not on the top line of the page. I only now find about it :/

                                                        1. 10

                                                          Why does software specifically need to support Apple Silicon, not just Aarch64, to run natively? The instruction set is 9 years old, runs in every mobile device, and has been the second most important instruction set to support for the last 5 years or so: Everyone should expect support for this silicon from every programming language worth using by now.

                                                          I’m very surprised that Fortran and Go somehow don’t support it already, and even that general software, no matter if it’s compiled through Homebrew, has issues being compiled on ARM. Such microscopic problems should evaporate pretty quickly once exposed, assuming all APIs stay the same.

                                                          What I’m unsurprised about is that JIT runtimes and other software with heavy assembly optimization are more or less lacking ARM/NEON optimizations, because that takes human labor. Also relevant to future proofing, I would like to see a Dav1d benchmark. It should be one of the better optimized code bases by now.

                                                          1. 10

                                                            There is an aarch64 port of gfortran, it’s used for e.g. raspbian. However there isn’t yet a stable aarch64 port for darwin as there are substantial ABI differences compared with linux. See the tracking issue.

                                                            1. 4

                                                              Why does software specifically need to support Apple Silicon, not just Aarch64

                                                              For most software x86 vs ARM doesn’t even matter and it is just a recompile. Most software doesn’t know or even care what architecture it runs on.

                                                              Where it does matter, and get a lot more complicated, is with software that does interact with the CPU or the OS at a much lower level. Compilers, code generators, JITs, highly optimized code that uses assembly code.

                                                              Brew mostly has issues because of build system issues.

                                                              1. 2

                                                                Why does software specifically need to support Apple Silicon, not just Aarch64, to run natively?

                                                                This is me being cynical, but I expect Apple to start extending Aarch64 with custom instructions any day now. Have to wonder how ARM feels about that.

                                                                1. 5

                                                                  They’ve been shipping their own ARM chips for a decade, so if that’s going to happen soon, it would likely be happening already. (Is it?)

                                                                  1. 1

                                                                    That’s a good point. I thought it was to a small extent at least, but I can’t find details on such if they exist, so I might be wrong.

                                                                  2. 2

                                                                    AFAIK They are already doing that. Apple can probably do whatever they want on their own platform. There is no ARM police.

                                                                    1. 5

                                                                      There is no ARM police.

                                                                      There is. It’s called “Arm Ltd.” In order to add custom instructions (or design your own chip), you need an “architectural license.” Otherwise you must use the CPU core IP as-is (though you can of course add custom peripherals). Apple is one of the few companies with an architectural license.

                                                                      1. 1

                                                                        Apple is one of the few companies with an architectural license.

                                                                        Which isn’t too surprising since ARM was originally founded back in 1990 as a joint venture between Apple, Acorn and VLSI.

                                                                      2. 3

                                                                        I am not sure if their license will allow them to use aarch64 name for such “extended architecture”. Also I do not think that they are interested in such extensions to the arch, as I think that they could easily push them into “standard” and then benefit from all the existing features of ARM community. They do not need Embrace, Extend, Extinguish as they are one of the big shareholders of ARM Holdings.

                                                                        1. 2

                                                                          They don’t use the aarch64 name though.

                                                                          1. 1

                                                                            Google for “A13 AMX” - which is their CPU instruction set extension for matrix operations.

                                                                            1. 1

                                                                              I find mostly French tanks so I couldn’t check if this is coprocessor or extension to the main CPU, but I believe that you may be right.

                                                                              1. 1

                                                                                It is not documented very well - mostly reverse engineered …

                                                                                1. 1

                                                                                  Seems not bad and for sure not reverse engineered.

                                                                    1. 2

                                                                      at a $999 price point

                                                                      Or $1340 for Europeans.

                                                                      1. 6

                                                                        This is largely because the 20% VAT is included in the price and because the EU mandates twice the mandatory warranty of the US on all purchased electronics. So no, the price isn’t really that different.

                                                                        1. 4

                                                                          Thanks for the reply! So Americans actually pay $1100 for what they call a $1000 product.

                                                                          Still a difference of $240.

                                                                          (BTW, this is not meant as negative criticism of your review – I actually like it a lot)

                                                                          1. 5

                                                                            Not in all states. When I was in Oregon (not sure if this is still true), they didn’t have sales tax.

                                                                            1. 2

                                                                              Still true. No state wide sales tax in Oregon.

                                                                        2. 6

                                                                          Or $2430 for Brazilians :) (I’m actually crying)

                                                                          1. 2

                                                                            You mean 835 EUR right?

                                                                            1. 3

                                                                              No. Apple’s listed prices are more expensive in Europe as discussed above, due to higher VAT.

                                                                              On top of that, over here (Europe) the advertised price almost always includes those taxes; unlike in the US where they are added at the time of purchase.

                                                                              1. 2

                                                                                The reason I posted this, is because I think these price comparisons between difference currencies have no meaning. Why post a dollar amount for europeans who can only buy in euros. If you want to compare prices, compare to something like the big mac index or a cost of living index.

                                                                                1. 1

                                                                                  Ah. That’s a pretty good point to make, and I completely agree. But I don’t think that’s clear from your original comment.

                                                                                  Why post a dollar amount for europeans who can only buy in euros. If you want to compare prices, compare to something like the big mac index or a cost of living index.

                                                                                  For an accurate comparison, I think you’d have to compare the price to your chosen index across various US states as well.

                                                                                  1. 1

                                                                                    And then, there are countries in Europe that are not a part of the Euro zone yet and still have their own currencies, and that dosn’t make the situation any better.

                                                                          1. 4

                                                                            From the “cons” section:

                                                                            Go won’t officially support Apple Silicon binary compilation until February 2021. This is pretty slow especially compared to Rust. Apple’s been giving out dev kits since June.

                                                                            (Emphasis in original).

                                                                            I don’t believe the dev kits were free. They required an Apple dev membership and cost $500 (possibly defrayed by a rebate on new hardware when it became available) and there wasn’t an infinite amount of them.

                                                                            1. 5

                                                                              I assume the main reason for this is the Go release cycle. It basically has a release every six months and three months of code freeze before that. Therefore, when the DTKs were shipped, the code freeze for the release in August had already happened. The next release is the upcoming one in February. The ..x releases are made just for fixing “critical issues”.

                                                                              This probably also means that most of the hard work is done and the upcoming beta of Go 1.16 will support Apple Silicon.

                                                                              1. 1

                                                                                Most of the work has been done. You can grab tip and run that rather successfully right now.

                                                                              2. 2

                                                                                Surely Apple and Google could agree on a bunch of dev kits so that Apple Silicon could launch with support for one the world’s most important programming languages?

                                                                                1. 2

                                                                                  Agreed. I know that even the Nix foundation got one. I assume it is more a matter of putting it somewhere in the release schedule. The other issue is that you couldn’t really set up CI infrastructure until the M1 Macs were released.

                                                                                2. 2

                                                                                  I remember Go’s design targeting particular scale problems seen at Google, notably the need for fast compiles. To what degree are Go’s priorities still set by Google? If that’s significant, what is their business interest in compiling to ARM?

                                                                                1. 3

                                                                                  It would be great if anyone here with practical Nim experience could write down a few paragraphs of what they think of that language.

                                                                                  1. 1

                                                                                    I don’t know if you’d call my experience “practical”, but back in March of 2020 I explored Nim to see if it would be a good main language for me to write general-purpose CLI programs in. The Nim files left over from my experiments contain a total of 72 non-blank lines, so I wrote perhaps 120 lines of Nim while trying it out.

                                                                                    To give you an idea of my background, at the time I had used C#, C++, Ruby, and Python but not C, Go, D or Rust. I was hoping for a strict upgrade from Ruby—I wanted something about as easy to use, but with static typing and perhaps better performance.

                                                                                    I liked Nim’s concise syntax and its type safety compared to Ruby. But I found Nim’s documentation (edit: and its Learn pages) difficult to learn the language from. I see that one of my leftover Nim files contains type errors in two functions that use generic types—I assume this means generics were difficult to learn. I also remember encountering some code samples in the non-experimental section of the manual that wouldn’t work without enabling certain undocumented experimental features. I submitted PRs to fix the problems I noticed, but the documentation may contain other, similar problems.

                                                                                    The last straw for me was learning that despite my expectations for a recently-designed language, Nim doesn’t solve the “billion-dollar mistake” of nulls. That is, Nim allows any ptr or ref to potentially contain nil. (Nim includes an experimental notnil feature, but it does not solve the problem in practice.) I decided that if I were to go to the effort of learning a new language for my personal projects, I’d like it to be one that avoids that problem.

                                                                                    I haven’t picked a replacement language in the space of imperative, null-safe languages to learn instead. Kotlin and Swift are platform-specific, and Rust requires tedious memory management for the sake of performance that my programs wouldn’t need. I’m in no hurry to find a better language, though—so far I’ve been okay using the languages I was using before in personal projects.

                                                                                    1. 1

                                                                                      I found Nim’s documentation difficult to learn the language from

                                                                                      That’s why there is also the learn section, where you can find lots of both official and unofficial tutorials and other resources for learning the language.

                                                                                      1. 1

                                                                                        Sorry for the confusion. When I was trying to learn Nim, I did read that Learn section of Nim’s website in addition to the Documentation section. In my comment I left out the link to the Learn section because I had forgotten the structure of Nim’s website and I assumed all learning materials would be under Documentation.

                                                                                  1. 1

                                                                                    “ Not every story on Medium is free, like this one. Become a member to get unlimited access and support the voices you want to hear more from.”

                                                                                    Are paywalled stories not verboten here?

                                                                                    1. 2

                                                                                      Funny reasons. I hope people realize that you never have to use the Finder or even Xcode. You can totally be a terminal user on macOS. You would barely notice the difference between OpenBSD and macOS if you work in the terminal.

                                                                                      1. 1

                                                                                        Recently: a piece of paper. One per week. I create 9 sections. Top left contains the week number. The rest Mon to Fri. In the remaining sections I write some bigger themes for the week.

                                                                                        I’ve tried all apps and tools and paper is what seems to work the best for me personally.