1. 2
    • Still working on multi-site stuff for $CLIENT - provisioning pretty much works now, but I need to look at some of the tables that will be shared.

    • Digging up, and re-routing the buried ethernet (that I dug and buried) where I managed to break the conduit removing a bush over the weekend.

    • Reconnecting a bunch of existing (and one new) sprinkler lines to a new feed line, so we’re able to use the full pressure capacity of the pump.

    1. 6

      I find it curious that the Blink team at Google takes this action in order to prevent various other teams at Google from doing harmful user-agent sniffing to block browsers they don’t like. Google certainly isn’t the only ones, but they’re some of the biggest user-agent sniffing abusers.

      FWIW, I think it’s a good step, nobody needs to know I’m on Ubuntu Linux using X11 on an x86_64 CPU running Firefox 74 with Gecko 20100101. At most, the Firefox/74 part is relevant, but even that has limited value.

      1. 14

        They still want to know that. The mail contains a link to the proposed “user agent client hints” RFC, which splits the user agent into multiple more standardized headers the server has to request, making “user-agent sniffing” more effective.

        1. 4

          Oh. That’s sad. I read through a bit of the RFC now, and yeah, I don’t see why corporations wouldn’t just ask for everything and have slightly more reliable fingerprinting while still blocking browsers they don’t like. I don’t see how the proposed replacement isn’t also “an abundant source of compatibility issues … resulting in browsers lying about themselves … and sites (including Google properties) being broken in some browsers for no good reason”.

          What possible use case could a website have for knowing whether I’m on ARM or Risc-V or x86 or x86_64 other than fingerprinting? How is it responsible to let the server ask for the exact model of device you’re using?

          The spec even contains wording like “To set the Sec-CH-Platform header for a request, given a request (r), user agents MUST: […] Let value be a Structured Header object whose value is the user agent’s platform brand and version”, so there’s not even any space for a browser to offer an anti-fingerprinting setting and still claim to be compliant.

          1. 4

            What possible use case could a website have for knowing whether I’m on ARM or Risc-V or x86 or x86_64 other than fingerprinting?

            Software download links.

            How is it responsible to let the server ask for the exact model of device you’re using?

            … Okay, I’ve got nothing. At least the W3C has the presence of mind to ask the same question. This is literally “Issue 1” in the spec.

            1. 3

              Okay, I’ve got nothing.

              I have a use case for it. I’ve a server which users run on an intranet (typically either just an access point, or a mobile phone hotspot), with web browsers running on random personal tablets/mobile devices. Given that the users are generally not technical, they’d probably be able to identify a connected device as “iPad” versus “Samsung S10” if I can show that in the web app (or at least ask around to figure out whose device it is), but will not be able to do much with e.g. an IP address.

              Obviously pretty niche. I have more secure solutions planned for this, however I’d like to keep the low barrier to entry that knowing the hardware type from user agent provides in addition to those.

            2. 2

              What possible use case could a website have for knowing whether I’m on ARM or Risc-V or x86 or x86_64 other than fingerprinting?

              Benchmarking and profiling. If your site performance starts tanking on one kind of processor on phones in the Philippines, you probably want to know that to see what you can do about it.

              Additionally, you can build a website with a certain performance budget when you know what your market minimally has. See the Steam Hardware and Software Survey for an example of this in the desktop videogame world.

              Finally, if you generally know what kinds of devices your customers are using, you can buy a bunch of those for your QA lab to make sure users are getting good real-world performance.

          2. 7

            Gecko 20100101

            Amusingly, this date is a static string — it is already frozen for compatibility reasons.

            1. 2

              Any site that offers you/administrators a “login history” view benefits from somewhat accurate information. Knowing the CPU type or window system probably doesn’t help much, but knowing it’s Firefox on Ubuntu combined with a location lookup from your IP is certainly a reasonable description to identify if it’s you or someone else using the account.

              1. 2

                There are terms I’d certainly like sites to know if I’m using a minority browser or a minority platform, though. Yes, there are downsides because of the risk of fingerprinting, but it’s good to remind sites that people like me exist.

                1. 1

                  Though the audience here will play the world’s tiniest violin for those affected, the technical impact aspect may be of interest.

                  The version numbering is a useful low-hanging-fruit method in the ad-tech industry to catch fraud. A lot of bad actors use either just old browsers[1] or skew browser usage ratios; though of course most ‘fraud’ detection methods are naive and just assume anything older than two major releases is fraud and ignore details such as LTS releases.

                  [1] persuade the user to install a ‘useful’ tool and it sits as a background task burning ads or as a replacement for the user’s regular browser (never updated)

                1. 1

                  More preparation to make $CLIENT’s site multi-site.

                  If it arrives, installing an additional IP camera.

                  Finishing the cabling inside the house for the cameras.

                  1. 2

                    Well I spent the last two days installing 3 external IP cameras (nothing quite like the combination of spools of Ethernet and a masonry hammer drill to start the week) and in ~12 hours I’m flying to Singapore for a few days.

                    Oh and I still need to get a Proprietary API ~> SMTP change tested and merged for $CLIENT so their site doesn’t stop working when a certain mail provider has a ridiculously long planned outage window in ~9 days

                    1. 3

                      I’m a bit in between - I live in a country that doesn’t celebrate Christmas, but work remotely, and my current most-of-the-time client does celebrate Christmas, however as a small business I’m not sure he has “a week off”..

                      Anyway, so this week, I’ll probably be (in no specific order):

                      For $HOME:

                      • Putting together some more shelving/storage furniture in various rooms
                      • Maybe running some of the external ethernet for IP cameras
                      • Maybe maybe running the internal ethernet from the router/to the PoE switch/outside the wall for the IP cameras, and to the AppleTV (wifi + a house made of concrete makes for slow loading HD media)

                      For $CLIENT:

                      • hopefully putting finishing touches on a new ‘feature’ to migrate off of Mandrill API based emails, and onto standard SMTP emails sent via a job queue (but still using an external mail service)
                      1. 43

                        I’ll never be a fan of JavaScript.

                        Funny to read this on a website that doesn’t load if JavaScript is disabled :).

                        1. 16

                          Which is especially odd since it’s mostly text.

                          1. 1

                            This is to ensure the text doesn’t jump around when the fallback font is replaced by the webfont after it finished loading. I don’t think there is a way to do this without JS, since even font-display: block results in “a short block period”.

                            So basically you have to choose between two suboptimal options, and when you consider that practically all users see the text swapping and roughly 99.8% of users have JS, the JS requirement isn’t so odd.

                            1. 30

                              If you use Javascript to add the webfont and the display:none (or whatever), it should Just Work.

                              Progressive enhancement has been a thing for over 20 years. I was using these techniques as an intern in 2005.

                              1. 14

                                This.

                                It’s not that it’s impossible, or even that it’s hard. It’s that people don’t care.

                                1. 4

                                  I think it’s fair to assume the author cares. That doesn’t mean they had time to figure it out. It’s obvious in hindsight, but not necessarily trivial to think of or to find such a jewel in the growing cesspit of bad advice that is the Internet.

                              2. 21

                                There is another option here and it rhymes with “don’t use web tonts”

                                1. 22

                                  He’s a typographer, and sells both fonts and books about typography. There’s no way he can serve his business properly with shitty default web typography.

                                  1. 5

                                    Given the experience, I’d suggest that web fonts are the ‘shitty’ option here.

                                    My browser (on all my devices) comes with a font that’s literally optimised for better display on a high PPI screen.

                                    That one page, of pure text with a single video embedded (ok so one image because it loads a preview) is 5.8MB. 4MB of that is CSS embedding fonts.. that is shitty.

                                    1. 5

                                      Having a web page that crashes PageSpeed Insights sure helps.

                                      1. 5

                                        web typography that changes as you are reading it is shitty web typography. the only non-shitty web typography is that which is built into the client. if anyone should understand this, a web typographer should.

                                        CSS lets you suggest the use of fonts which may or may not be installed. beyond that, typography can be showcased via file formats such as GIF, JPEG, and PNG.

                                        1. 9

                                          web typography that changes as you are reading it is shitty web typography. the only non-shitty web typography is that which is built into the client. if anyone should understand this, a web typographer should.

                                          He’s not a “web typographer.” But, I digress. Progressive loading of documents on the web is part of the problem here. If we didn’t have shitty browsers, shitty networks, shitty people who have no patience, then a browser could blit the entire rendered page to the screen and you’d see the right thing, the right way.

                                          But, things are imperfect. Quite imperfect. But, I can assure you that the state of the web has improved a lot over the last 25 years, so maybe the state of the art for putting good typography on the web can/will, too.

                                          typography can be showcased via file formats such as GIF, JPEG, and PNG.

                                          The whole point of typography is to arrange text to be accessible and appealing (i.e. you worry about kerning and leading to ensure that the text can be read without confusion). Putting it in images might make it “appealing” but certainly reduces the accessibility of it, and the usefulness of it.

                                          1. 6

                                            But do I really want to wait half a minute to load a page and start reading because the author demands I have the exact presentation? I’d rather start reading usably as early as possible, then enhance when my connection gets to it.

                                            1. 5

                                              I don’t think da Vinci would prefer that you see the Mona Lisa one square inch at a time…

                                              Why do we not consider the author’s presentation choices valid? Why do we treat creators of content so abusively?

                                              Prince (the musician) pretty famously defended his copyrights so that he could control the experience of listeners. That’s well within his rights to do so…why not authors of web content?

                                              (I don’t believe Butterick has a license that requires you to view his content only in the way it is presented, but does ask that you pay to support him if you can)

                                              1. 5

                                                CSS is not and has never been about making pixel perfect layouts.

                                                If you want to control the layout to the pixel, deliver an SVG, or a PDF, or if you must, an image.

                                                1. 2

                                                  It may not have been intentional, but you can actually get 95% of visitors to see the exact pixels you wanted without a tremendous amount of work if you know the platform well.

                                                  1. 1

                                                    “Pixel perfect” requirements enforced via glorified screenshot comparison type integration testing is not really uncommon in the industry

                                                    1. 1

                                                      Even 10-12 years ago I was working with frontenders who could reliably get a design to look right in both the browsers clients cared about - IE6 and Firefox.

                                                      TBH, if I could figure out how to reliably turn off font antialiasing, I’d use screenshot comparisons all the damn time.

                                                    2. 1

                                                      that’s why it’s a bad path. 95% of visitors if you know the platform well, after 20 years of “progress.”

                                                  2. 2

                                                    I don’t think da Vinci would prefer that you see the Mona Lisa one square inch at a time…

                                                    One of the best comebacks of the year. Great way to make the point.

                                                    1. 1

                                                      The Mona Lisa is one of the most famous paintings in the world.
                                                      A web page with tracking scripts isn’t remotely comparable.
                                                      Why do the author’s presentation choices trump the right of the client to render the page?
                                                      I don’t think it’s abusive to use high contrast mode, disable JavaScript, use NVDA or use Lynx for that matter.

                                                      1. 1

                                                        Why do you think the point was that blog posts were equatable artistically with Mona Lisa and not that artists ideally should universally be respected for their intentions? Sure, you could say those intentions are stupid, and maybe even from that, that the art sucks. But the point is that it’s still the work of the artist at the end of the day, and you should be judging them on those terms, and not taking the work at nothing more than surface value, such as by assuming that some random person on the internet has any tenable control over how the standards of their livelihood are negotiated such as to not permit correct rendering as a page loads without the use of javascript.

                                                        1. 1

                                                          if da vinci accidentally got shit all over the back of the mona lisa, you could appreciate the art while critiquing the smell one must endure in order to view it.

                                                  3. 1

                                                    He’s not a “web typographer.”

                                                    If he’s not web typographing, I don’t know what he’s doing.

                                                    But, I can assure you that the state of the web has improved a lot over the last 25 years, so maybe the state of the art for putting good typography on the web can/will, too.

                                                    I can assure you it’s gotten much worse, and the state of the art for web typography has along with it. Think how well the linked website accomplishes the goal of allowing text to be “read without confusion,” compared to a 25 year old web site.

                                                    1. 1

                                                      If he’s not web typographing, I don’t know what he’s doing.

                                                      This was bad phrasing on my part. Yes, he’s doing typography on the web. But, to my knowledge he’s not on the standards body that defines how that works. He designs fonts. He wants to make them available to use on the web, and uses the standards by which to do that with. Does that make more sense?

                                                      1. 1

                                                        yeah i just thought it was funny to use “typographer” like “pornographer”

                                            2. 7

                                              I don’t think there is a way to do this without JS

                                              Surely a small jump is better than not having text at all? You could always load a fallback in a <noscript> block.

                                          2. 9

                                            You don’t have to like JS to use it.

                                            1. 3

                                              Yeah, but if he’s using it as the basis of an argument that Eich does stupid stuff, doesn’t that cut both ways?

                                              “WHOA WHOA, you can’t come in here without wiping your feet! OK, now that you’re in: I think Eich’s invention of wiping your feet before you walk in has a lot of stupid in it. Even Eich admits it has a lot of stupid, and therefore his other idea of wearing slippers indoors is also stupid.”

                                              That page is blank for me if I turn off JavaScript. If it’s stupid, and Butterick’s making me do it, doesn’t that make Butterick complicit in the stupid too?

                                            2. 3

                                              Isn’t this sort of the same joke as https://thenib.com/mister-gotcha

                                              1. 4

                                                This wasn’t intended in this way, I just actually found it funny that the author dislikes JavaScript but forced readers to use it.

                                                Now that I see the off-topic discussion my comment spawned, I regret writing it. I’ll refrain from writing such comments in the future.

                                                1. 2

                                                  I don’t think so. This isn’t Butterick trying to improve JavaScript and getting criticism for using it while trying to improve it. I tried turning off JavaScript (because after all, Butterick says it’s stupid) and the page was blank. If it’s so stupid, why is it also mandatory on the page?

                                                  I think it’s an appeal to authority. “Eich agrees with me that JavaScript is stupid sometimes, so if you agree with Eich, you agree with me. Now I’m going to give you something else to agree with me on.”

                                                2. 3

                                                  How else would you get those wonderfully difficult to tap footnote links things. Certainly a linked, js-free number thingy wouldn’t have the same functionality.

                                                  I can only hope that soon Brave starts blocking and replacing this with a js-free, faster version.

                                                  1. 4

                                                    Furthermore, screen readers read those little circles as “degrees”. I had no idea they were supposed to be footnotes.

                                                1. 3

                                                  In the embarrassingly simple category:

                                                  Reset password (via email) links breaking because a non url-safe parameter in the link wasn’t urlencoded.

                                                  A more interesting one:

                                                  HAProxy returning a “no servers available” response with a very specific combination of chained PROXY calls (i.e. from a load balancer to an app server, both running HAProxy), also with chained PROXY calls on each box (i.e. doing some routing ‘internally’ in HAProxy between proxy components), and setting the “src IP” for the request to an ipv6 address from a header field (i.e. the XFF field from a trusted CDN server).

                                                  If the XFF specified address was ipv4, it worked fine. If we didn’t set the “src IP”, it worked fine. The “fix” (for now at least) was to be explicit about a port number, where the config had been implicit previously. Some chats with the HAProxy project revealed that (a) our config has a non-optimal/non-ideal setup in terms of the internal routing (not completely fixed yet), but that it’s not even clear why the issue presented the way it did.
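The reset-link breakage mentioned in the comment above, reproduced as an added example (not code from the thread). The thread does not say which parameter broke; a standard-base64 token and a plus-addressed email are assumed here, and the URL, names and sample values are constructed.

```python
import base64
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values (assumptions, not taken from the thread).
BASE_URL = "https://app.example.test/reset"
RAW_TOKEN = b"\xfb\xff\xbf\x00"                 # bytes chosen to yield '+', '/' and '='
TOKEN = base64.b64encode(RAW_TOKEN).decode()    # standard base64: "+/+/AA=="
EMAIL = "user+tag@example.test"


def build_link_unencoded(token, email):
    """The buggy form: values are pasted into the query string as-is."""
    return f"{BASE_URL}?token={token}&email={email}"


def build_link_encoded(token, email):
    """The fixed form: every value is percent-encoded before it enters the URL."""
    return f"{BASE_URL}?{urlencode({'token': token, 'email': email})}"


def urlsafe_token(raw):
    """Alternative mitigation: a token alphabet that needs no escaping at all."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def params_seen_by_server(link):
    """Decode the query string the way a form-decoding web framework does."""
    query = parse_qs(urlsplit(link).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}


def reset_accepted(link, expected_token):
    """Constant-time comparison of the token the server decoded with the stored one."""
    received = params_seen_by_server(link).get("token", "")
    return hmac.compare_digest(received.encode(), expected_token.encode())


if __name__ == "__main__":
    for label, link in (
        ("unencoded", build_link_unencoded(TOKEN, EMAIL)),
        ("encoded", build_link_encoded(TOKEN, EMAIL)),
        ("urlsafe token", build_link_unencoded(urlsafe_token(RAW_TOKEN), "user@example.test")),
    ):
        print(f"{label:14} {link}")
        print(f"{'':14} server sees {params_seen_by_server(link)}")
```

In the unencoded link each `+` is decoded as a space, so the token no longer matches the stored value and the reset fails only for users whose token or address happens to contain such a character, which is why this class of bug shows up intermittently.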

                                                  1. 1

                                                    So far for $client:

                                                    • Finally got the prod db cluster nodes backing up directly, thus allowing decomm of a legacy machine that was doing backups of the db.
                                                    • Finally got GoAccess (log based analytics) setup with combined access logs from the load balanced varnish instances

                                                    The rest of the week will likely be taken up with:

                                                    • Introducing the other full time dev to the various parts of the ever more complex stack that makes the whole thing work
                                                    • More planning for multi-site operation.

                                                    Also, for $company, I’d like to:

                                                    At $home I have more plumbing to finish and it seems, a trip to Singapore to plan.

                                                    1. 9

                                                      If you don’t want to bother with .PHONY targets, tabs, weird syntax, and arcane built-in assumptions about build processes, check out Just, which is Make-inspired, but firmly focused on running commands, not producing files.

                                                      1. 9

                                                        I have a really hard time imagining what problems this solves that aren’t already solved by “a bin/ directory”?

                                                        1. 1

                                                          For example, just recursively walks up searching for justfile, so you can be deep in the project and still run just build, without clobbering PATH.

                                                          Consider the case where there are multiple projects, you’d have to use relative paths, or insist on unique name for scripts across all projects, or constantly reset PATH to project’s bin.

                                                          1. 2

                                                            I imagine you could use direnv for this, too—you could configure it so that whenever you enter a directory within ~/Projects/someproject it adds ~/Projects/someproject/bin to your PATH, and it would undo the change if you entered some other hierarchy. If you’re collaborating with others then I imagine that getting them to install Just would be easier than getting them to install and configure direnv, though.

                                                            1. 1

                                                              I solve this problem a simpler way; I always have a shell open in the root of any project I’m ever working on, so bin scripts are very easy to use.

                                                        2. 7

                                                          tabs

                                                          yeah because that’s the problem with Make, it doesn’t use spaces.

                                                          1. 1

                                                            I have seen a few people mention Just. It looks like, while it does have a concept of dependencies, it doesn’t have a way to track if that dependency is satisfied or not, rather it just always runs all dependencies. Does it have a way to detect if the dependency is satisfied? In a Makefile, this is where the file timestamps play a role (and as I showed, we can use this even for tasks that don’t produce files).

                                                            1. 1

                                                              AFAIR, Just always runs the dependencies, it is a simpler mental model. This issue recommends using make in tandem with just when you want incremental runs.

                                                          1. 60

                                                            This site is claiming to offer a “standard for opting out of telemetry”, but that is something we already have: Unless I actively opt into telemetry, I have opted out. If I run your software and it reports on my behavior to you without my explicit consent, your software is spyware.

                                                            1. 11

                                                              but that is something we already have: Unless I actively opt into telemetry, I have opted out.

                                                              I know this comes up a lot, but I disagree with that stance. The vast majority of people leave things on their defaults. The quality of information you get from opt-in telemetry is so much worse than from telemetry by default that it’s almost not worth it.

                                                              The only way I could see “opt-in” telemetry actually work is caching values locally for a while and then be so obnoxiously annoying about “voluntarily” sending the data that people will do it just to shut the program up about it.

                                                              1. 26

                                                                That comment acts like you deserve to have the data somehow? Why should you get telemetry data from all the people that don’t care about actively giving it to you?

                                                                1. 12

                                                                  That comment acts like you deserve to have the data somehow?

                                                                  I’ve got idiosyncratic views on what “deserving” is supposed to mean, but I’ll refrain from going into philosophy here.

                                                                  Why should you get telemetry data from all the people that don’t care about actively giving it to you?

                                                                  Because the data is better and more accurate. Better and more accurate data can be used to improve the program—which is something everyone will eventually benefit from. But if you skew the data towards the kinds of people who opt into telemetry.

                                                                  Without any telemetry, you’ll instead either (a) get the developers’ gut instinct (which may fail to reflect real-world usage), or (b) the minority that opens bug tickets dictate the UI improvements instead, possibly mixed with (a). Just as hardly anyone (in the large scale of things) bothers with opting into telemetry, hardly anyone bothers opening bug tickets. Neither group may be representative of the silent majority that just wants to get things done.

                                                                  Consider the following example for illustration of what I mean (it is a deliberate oversimplification, debate my points above, not the illustration):

                                                                  Assume you have a command-line program that has 500 users. Assume you have telemetry. You see that a significant percentage of invocations involve the subcommand check, but no such command exists; most such invocations are immediately followed by the correct info command. Therefore, you decide to add an alias. Curiously, nobody has told you about this yet. However, once the alias is there, everyone is happier and more productive.

                                                                  Had you not had telemetry, you would not have found out (or at least not found out as quickly, only when someone got disgruntled enough to open an issue). The “quirk” in the interface may have scared off potential users to alternatives, not actually giving your program a fair shot because of it.

                                                                  1. 3

                                                                    Bob really wants a new feature in a software he uses. Bob suggests it to developers, but they don’t care. As far as they can tell, Bob is the only one wanting it. Bob analyzes the telemetry-related communication and writes a simple script that imitates it.

                                                                    Developers are concerned about privacy of their users and don’t store IP addresses (it’s less than useless to hash it), only making it easier for Bob to trick them. What appears as a slow growth of active users, and a common need for a certain feature, is really just Bob’s little fraud.

                                                                    It’s possible to make this harder, but it takes effort. It takes extra effort to respect users’ privacy. Is developing a system to spy on the users really more worthy than developing the product itself?

                                                                    You also (sort of) argued that opt-in telemetry is biased. That’s not exactly right, because telemetry is always biased. There are users with no Internet access, or at least an irregular one. And no, we don’t have to be talking about developing countries here. How do you know majority of your users aren’t medical professionals or lawyers whose computers are not connected to the Internet for security reasons? I suspect it might be more common than we think. Then on the other hand, there are users with multiple devices. What can appear as n different users can really just be one.

                                                                    It sort of depends on your general philosophical view. You don’t have to develop software for free, and if you do, it’s up to you to decide the terms and conditions and the level of participation you expect from your users. But if we talk about free software, I think that telemetry, if any, should be completely voluntary on a per-request basis, with a detailed listing of all information that’s to be sent in both human- and machine-readable form (maybe compared to average), and either smart enough to prevent fraudulent behavior, or treated with strong caution, because it may as well be just utter garbage. Statistically speaking, it’s probably the case anyway.

                                                                    I’m well aware that standing behind a big project, such as Firefox, is a huge responsibility and it would be really silly to advise developers to rather trust their guts instead of trying to collect at least some data. That’s why I also suggested how I imagine a decent telemetry. I believe users would be more than willing to participate if they saw, for example, that they used a certain feature an above-average number of times, and that their vote could stop it from being removed. It’s also possible to secure per-request telemetry with a captcha (or something like that) to make it slightly more robust. If this came up once in a few months, “hey, dear users, we want to ask”, hardly anyone would complain. That’s how some software does it, after all.

                                                                    1. 1

                                                                      The fraud thing is an interesting theory, but I am unaware how likely it is; you’ve theorised a Bob who can generate fraudulent analytics but couldn’t fake an IP address or use multiple real IP addresses or implement the feature he actually wants.

                                                                      1. 0

                                                                        It’s not that he couldn’t do it, it’s just much simpler without that. It’s really about the cost. It’s easy to curl, it’s more time consuming or expensive to use proxies, and even more so to solve captchas (or any other puzzles). The lower the cost, the higher the potential inaccuracy. And similarly, with higher cost, even legitimate users might be less willing to participate.

                                                                        I don’t have some universal solution or anything. It’s just something to consider. Sometimes it might be reasonable to put effort into making a robust telemetric system, sometimes none at all would be preferred. I’m trying to think of a case “in between”, but don’t see a single situation where jokingly-easy-to-fake results could be any good.

                                                                    2. 1

                                                                      Telemetry benefits companies, otherwise companies wouldn’t use it. Perhaps it can benefit users, if the product is improved as a result of telemetry. But it also harms users by compromising their privacy.

                                                                      The question is whether the benefits to users outweigh the costs.

                                                                      Opt-out telemetry-using companies obviously aren’t concerned about the costs to users, compared to the benefits they (the companies) glean from telemetry-by-default. They are placing their own interests first, ahead of their users. That’s why they resort to dark patterns like opt-out.

                                                                  2. 12

                                                                    You assume that we actually need telemetry to develop good software. I’m not so sure. We developed good software for decades without telemetry; why do we need it now?

                                                                    When I hear the word “telemetry”, I’m reminded of an article by Joel Spolsky where he compared Sun’s attempts at developing a GUI toolkit for Java (as of 2002) to Star Trek aliens watching humans through a telescope. The article is long-winded, but search for “telescope” to find the relevant passage. It’s no coincidence that telemetry and telescope share the same prefix. With telemetry, we’re measuring our users’ behavior from a distance. There’s not a lot of signal there, and probably a lot of noise.

                                                                    It helps if we can develop UsWare, not ThemWare. And I think this is why it’s important for software development teams to be diverse in every way. If our teams have people from diverse backgrounds, with diverse abilities and perspectives, then we don’t need telemetry to understand the mysterious behaviors of those mysterious people out there.

                                                                    (Disclaimer: I work at Microsoft on the Windows team, and we do collect telemetry on a de-facto opt-out basis, but I’m posting my own opinion here.)

                                                                    1. 5

                                                                      we don’t need telemetry to understand the mysterious behaviors of those mysterious people out there

                                                                      Telemetry usually is not about people’s behaviors, it’s about the mysterious environments the software runs in, the weird configurations and hardware combinations and outdated machines and so on.

                                                                      Behavioral data should not be called telemetry.

                                                                      1. 3

                                                                        One concrete benefit of telemetry: “How many people are using this deprecated feature? Should we delete it in this version or leave it in a while longer?”

                                                                        We developed good software for decades without telemetry; why do we need it now?

                                                                        Decades-old software is carrying decades-old cruft that we could probably delete, but we just don’t know for sure. And we all pay the complexity costs one paper cut at a time.

                                                                        I’m as opposed to surveillance as anybody else in this forum. But there’s a steelman question here.

                                                                      2. 12

                                                                        The quality of information you get from opt-in telemetry is so much worse than from telemetry by default that it’s almost not worth it.

                                                                        A social scientist could likewise say: “The quality of information you get from observing humans in a lab is so much worse than when you plant video cameras in their home without them knowing.”

                                                                        How is this an argument that it’s ok?

                                                                        1. 1

                                                                          There are three differences as far as I can tell:

                                                                          The data from a hidden camera is not anonymizable. Telemetry, if done correctly (anonymization of data as much as possible, no persistent identifiers, transparency as to what data is and has been sent in the past), cannot be linked to a natural person or an individual handle. Therefore, I see no harm to the individual caused by telemetry implemented in accordance with best data protection practices.

                                                                          Furthermore, the data from the hidden camera cannot cause corrective action. The scientist can publish a paper, maybe it’ll even have revolutionary insight, but can take no direct action. The net benefit is therefore slower to be achieved and very commonly much less than the immediate, corrective action that a software developer can take for their own software.

                                                                          Finally, it is (currently?) unreasonable to expect a hidden camera in your own home, but there is an increased amount of awareness of the public that telemetry exists and settings should be inspected if this poses a problem. People who do care to opt out will try to find out how to opt out.

                                                                          1. 2

                                                                            Finally, it is (currently?) unreasonable to expect a hidden camera in your own home, but there is an increased amount of awareness of the public that telemetry exists and settings should be inspected if this poses a problem. People who do care to opt out will try to find out how to opt out.

                                                                            I think this is rather deceptive. Basically it’s saying: “we know people would object to this, but if we slowly and covertly add it everywhere we can eventually say that we’re doing it because everyone is doing it and you’ve just got to deal with it”.

                                                                            1. 1

                                                                              I still disagree but I upvoted your post for clearly laying out your argument in a reasonable way.

                                                                          2. 3

                                                                            You seem to miss a very easy, obvious, opt-in only strategy that worked for the longest time without feeling like your software was that creepy uncle in the corner undressing everyone. As you pointed out everyone keeps the defaults, you know what else most normies do? Click next until they can start their software. So you add a dialog in that first run dialog that is supposed to be there to help the users and it has a simple “Hey we use telemetry to improve our software (here is where you can see your data)[https://yoursoftware.com/data] and our (privacy policy)[https://yoursoftware.com/privacy]. By checking this box you agree to telemetry and data collection as outlined in our (data collection policy)[https://yoursoftware.com/data_collection] [X]”

                                                                            and boom you satisfy both conditions, the one where people don’t go out of their way to opt into data collection and the other where you’re not the creepy uncle in the corner undressing everyone.

                                                                          3. 3

                                                                            You can also view this as a standardized way for opt-in, which isn’t currently available either.

                                                                            1. 2

                                                                              No, it is not. It is a standardized way for opt-out.

                                                                            2. 3

                                                                              This is a bad comment, because it doesn’t add anything except for “I think non-consensual tracking is bad”, and is only tangentially related to OP insofar as OP is used as a soapbox for the above sentiment. Therefore I have flagged the comment as “Me-too”, regardless however much I may agree with it.

                                                                              1. 22

                                                                                Except that in the European Union, the GDPR requires opt-in in most cases. IANAL, but I think it applies to the analytics that Homebrew collects as well. From the Homebrew website:

                                                                                A Homebrew analytics user ID, e.g. 1BAB65CC-FE7F-4D8C-AB45-B7DB5A6BA9CB. This is generated by uuidgen and stored in the repository-specific Git configuration variable homebrew.analyticsuuid within $(brew --repository)/.git/config.

                                                                                https://docs.brew.sh/Analytics

                                                                                From the GDPR:

                                                                                The data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons.

                                                                                I am pretty sure that this UUID falls under identification number or online identifier. Personally identifiable information may not be collected without consent:

                                                                                Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.

                                                                                So, I am pretty sure that Homebrew is violating the GDPR and EU citizens can file a complaint. They can collect the data, but then they should have an explicit step during the installation and the default should (e.g. user hits RETURN) be to disable analytics.

                                                                                The other interesting implication (if this is indeed collection of personal information under the GDPR) is that any user can ask Homebrew which data they collected and/or to remove the data. To which they should comply.

                                                                                1. 3

                                                                                  The data subjects are identifiable if they can be directly or indirectly identified, especially by […]

                                                                                  As far as I can tell, you’re not actually citing the GDPR (CELEX 32016R0679), but rather a website that tries to make it more understandable.

                                                                                  GDPR article 1(1):

                                                                                  This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

                                                                                  GDPR article 4(1) defines personal data (emphasis mine):

                                                                                  ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;


                                                                                  Thus it does not apply to data about people that are neither identified nor identifiable. An opaque identifier like 1BAB65CC-FE7F-4D8C-AB45-B7DB5A6BA9CB is not per se identifiable, but as per recital 26, determining whether a person is identifiable should take into account all means reasonably likely to be used, such as singling out, suggesting that “identifiable” in article 4(1) needs to be interpreted in a very practical sense. Recitals are not technically legally binding, but are commonly referred to for interpretation of the main text.

                                                                                  Additionally, if IP addresses are stored along with the identifier (e.g. in logs), it’s game over in any case; even before GDPR, IP addresses (including dynamically assigned ones) were ruled by the ECJ to be personal data in Breyer v. Germany (ECLI:EU:C:2016:779 case no. C-582/14).

                                                                                  1. 9

                                                                                    Sorry for the short answer in my other comment. I was on my phone.

                                                                                    Thus it does not apply to data about people that are neither identified nor identifiable. An opaque identifier like 1BAB65CC-FE7F-4D8C-AB45-B7DB5A6BA9CB is not per se identifiable,

                                                                                    The EC thinks differently:

                                                                                    Examples of personal data

                                                                                    a cookie ID;

                                                                                    the advertising identifier of your phone;

                                                                                    https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en

                                                                                    It seems to me that a UUID is similar to a cookie ID or advertising identifier. Using the identifier, it would also be trivially possible to link data. They use Google Analytics. Google could in principle cross-reference some application installs with Google searches and time frames. Based on the UUID they could then see all other applications that you have installed. Of course, Google does not do this, but this thought experiment shows that such identifiers are not really anonymous (as pointed out in the working party opinion of 2014, linked on the EC page above).

                                                                                    Again, IANAL, but it would probably be ok to report installs without any identifier linking the installations. They could also easily do this, make it opt-in, report all people who didn’t opt in using a single identifier, generate a random identifier for people who opt-in.

                                                                                    1. 4

                                                                                      They locked the PR talking about it and accused me of implying a legal threat for bringing it up. The maintainer who locked the thread seems really defensive about analytics.

                                                                                      1. 3

                                                                                        Once you pop, you can’t stop.

                                                                                        I, too, thought that your pointing out their EU-illegal activity was distinct from a legal threat (presumably you are not a prosecutor), and that they were super lame for both mischaracterizing your statement and freaking out like that.

                                                                                        1. 3

                                                                                          The maintainer who locked the thread seems really defensive about analytics.

                                                                                          It seems this is just a general trait. See e.g. this

                                                                                        2. 1

                                                                                          Now I really wish I had an ECJ decision to cite because at this point it’s an issue of interpretation. What is an advertising identifier in the sense that the EC understood it when they wrote that page—Is it persistent and can it be correlated with some other data to identify a person? Did they take into account web server logs when noting down the cookie ID?

                                                                                          Interesting legal questions, but unfortunately nothing I have a clear answer to.

                                                                                        3. 1

                                                                                          Please cite the rest of paragraph 4, definitions:

                                                                                          ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

                                                                                          https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679

                                                                                          Which was what I quoted.

                                                                                          1. 1

                                                                                            Your comment makes the following quotations:

                                                                                            The data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons.

                                                                                            Please ^F this entire string in the GDPR. I fail to find it as-is. They only start matching up in the latter half starting at “an identifier” and ending with “social identity”.

                                                                                            (1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

                                                                                            I agree it’s pedantic of me, but it’s not a 1:1 quote from the GDPR if a sentence is modified, no matter how small.


                                                                                            I’ve edited in the second half in any case though. I do not, however, see any way that modification would invalidate any of the points I’ve made there.

                                                                                        4. 2

                                                                                          If that is true, consider submitting a PR, because GDPR violations are serious business.

                                                                                          1. 3

                                                                                            Or don’t submit a PR. As the project has stated:

                                                                                            Do not open new threads on this topic.

                                                                                            People have been banned from the project for doing exactly this.

                                                                                            1. 7

                                                                                              “We don’t want to hear complaints” is not a new stance for Homebrew.

                                                                                              1. 2

                                                                                                Yeah, I got the impression that they are pretty hardline on this. I hope that they’ll reconsider before someone files a GDPR complaint.

                                                                                                Personally, I don’t really have a stake in this anymore, since I barely use my Mac.

                                                                                                I guess a more creative solution would be to fork the main repo and disable the analytics code and point people to that.

                                                                                                Edit: the linked PR is from before the GDPR though.

                                                                                            2. 1

                                                                                              But the above user didn’t post that did they? Your comment was meaningful and useful, but theirs was just sentimental. A law violation is a law violation, but OP just posted their own feelings about what they think is spyware and didn’t say anything about GDPR.

                                                                                            3. 4

                                                                                              hmm I disagree, the OP is claiming that we should have a unified standard for “Do_Not_Track”. Finn is arguing that we shouldn’t need such a standard because unless I specifically state that I would like to be tracked, I should not be tracked and that any attempts to track is a violation of consent. Finn here is specifically disagreeing with the website in question. Should we organize against attempts to track without explicit consent, or give a unified way to opt out. These are fundamentally different questions and are actually directly related. If I say everyone should be allowed into any yard unless they have a private property sign, that may cause real concern for people who feel that any yard shouldn’t permit trespassing unless they have explicit permission. They are different concerns, that are related, and are more nuanced than “thing is bad”.

                                                                                            4. 1

                                                                                              Okay. By your (non-accepted) definition, spyware abounds and is in common use.

                                                                                              Simply calling it “spyware” and throwing up your hands doesn’t work. They have knobs to turn the spying off, to opt-out. I just want all those knobs to have the same label.

                                                                                            1. 47

                                                                                              Please do. I don’t have a Mac or iPhone, but I can respect encouraging native application development.

                                                                                              1. 21

                                                                                                I can’t remember who said it but “the Web set user interface development back by twenty years” or something to that effect.

                                                                                                1. 8

                                                                                                  If you want to develop for either of those platforms, you will have to buy a mac. That fact alone should raise some flags for folks.

                                                                                                  1. 11

                                                                                                    Why is that a bad thing? I’d expect a developer targeting Windows to have a machine with Windows installed.

                                                                                                    I can cross-compile to Windows from my Gentoo machine with a mingw toolchain just fine, but I would never want to release any of those artifacts without testing them properly in the target environment.

                                                                                                    1. 12

                                                                                                      I’d expect a developer targeting Windows to have a machine with Windows installed.

                                                                                                      but a Mac isn’t an iPad or iPhone. Apple requires you to have their computer to target their other device, even if you happen to own the other device.

                                                                                                      1. 7

                                                                                                        Of all the companies out there whose exclusive little ecosystem I could choose to import my entire life into, Apple seems the most likely to shaft me, both as a developer and a user.

                                                                                                        1. 2

                                                                                                          Apple seems the most likely to shaft me, both as a developer and a user

                                                                                                          Could you elaborate on that? I don’t have a strong opinion for or against, I’m just genuinely curious about your reasons.

                                                                                                          1. 2

                                                                                                            This article demonstrates the pattern I’ve observed well: https://lobste.rs/s/tdkwyq/future_my_games_on_apple_post_catalina

                                                                                                            As far as Apple is concerned, developing for their platform is a privilege. And using it means letting them make all the decisions for you. This is not what I want from my tools.

                                                                                                            1. 2

                                                                                                              I can only share my personal experience, but as someone who has had an Apple device for only a couple months, I was shafted very soon after I joined the Apple ecosystem when my iPhone SE installed a slower, buggier OS, without asking, and with no possibility to revert.

                                                                                                              Part of me knew I was signing up for this mistreatment but it still sucks.

                                                                                                          2. 2

                                                                                                            It’s a bad thing because it’s an extra step which requires the purchase of hardware from a particular company. Windows development requires developers to purchase nonfree software, as you point out, which is not as bad but still a problem. Web development does not require any of this.

                                                                                                        2. 4

                                                                                                          I think it’s better to have 10 apps, 2 natives and 8 web apps, rather than to have just 2 native apps altogether. I think web application programming enabled lots of people to create their own apps. Maybe they’re not the best apps, they are large and slow; but nobody forces anyone to use them.

                                                                                                          1. 7

                                                                                                            but nobody forces anyone to use them.

                                                                                                            Until their employer adopts Slack.

                                                                                                            1. 1

                                                                                                              You can just use it on your desktop or laptop, no?

                                                                                                              1. 2

                                                                                                                I am sorry, but I don’t understand what you mean. If the argument is that web apps are ok because you don’t need to use them, but you DO have to use them for your work, then how does it matter where you run them?

                                                                                                                1. 1

                                                                                                                  I was asking if OP is forced to use the Slack app on their phone, or if he has the option of using the desktop version.

                                                                                                                2. 1

                                                                                                                  Slack on desktop is the web version, it’s electron.

                                                                                                                  1. 2

                                                                                                                    But you’re not forced to use electron apps on your phone, at least.

                                                                                                                    1. 2

                                                                                                                      I’m positive that’s only because they won’t run.

                                                                                                                      If it was feasible people would release iOS apps built with electron. Guaranteed.

                                                                                                                      1. 1

                                                                                                                        I was under the impression that /u/yakubin said people might be forced to use electron apps on their phone, where they are slow. So I asked if employees have the option of just using the desktop version.

                                                                                                                        1. 1

                                                                                                                          Electron apps don’t AFAIK run on any mobile device.

                                                                                                                          They’re slow on any device.

                                                                                                                          What is your point?

                                                                                                                          1. 1

                                                                                                                            What’s yours? I was just saying employees have the option of just using desktop Slack, if their employer uses Slack.

                                                                                                                3. 1

                                                                                                                  I’d rather use Slack than Microsoft Lync / Skype for Business!

                                                                                                                  1. 1

                                                                                                                    Weird, I’d rather use Microsoft Teams than Slack ;)

                                                                                                            1. 15

                                                                                                              Apple won’t ship anything that’s licensed under GPL v3 on OS X. Now, why is that?

                                                                                                              There are two big changes in GPL v3. The first is that it explicitly prohibits patent lawsuits against people for actually using the GPL-licensed software you ship. The second is that it carefully prevents TiVoization, locking down hardware so that people can’t actually run the software they want.

                                                                                                              So, which of those things are they planning for OS X, eh?

                                                                                                              Copyright lawyers from multiple organizations that I’ve spoken to simply aren’t too happy with the GPLv3 because to them it lacks clarity. It took quite a while for GPLv2 to be acceptable in any place where lawyers have a veto because of its unusual construction, and GPLv3 added more of that, in language that doesn’t make it easy to interpret (apparently, I’m not a lawyer).

                                                                                                              1. 6

                                                                                                                I work at a large company and the guidelines from above are that we should avoid GPL licensed code at all cost. If we cannot avoid it, we need to get permission and isolate it as well as possible from the rest of the source code. This is done not because we want to sue our customers or begin with TiVoization, but simply to guard ourselves against lawsuits and being forced to release sensitive parts of our code.

                                                                                                                1. 4

                                                                                                                  That’s the generic “careful with GPL” policy. There are companies that are fine with GPLv2 specifically (for the most part) but aren’t fine with GPLv3 because they consider its potential consequences less clear.

                                                                                                                  1. 3

                                                                                                                    Which is why I now use AGPLv3 for everything I personally write. Fuck people taking and taking and not giving anything back. I feel like we’ve lost our open source way. I referenced this very article a few years back when I wrote this:

                                                                                                                    https://battlepenguin.com/tech/the-philosophy-of-open-source-in-community-and-enterprise-software/

                                                                                                                    1. 1

                                                                                                                      This is counterintuitive.

                                                                                                                      Less people willing/able to even consider using your software instantly means less potential for submissions to fix bugs or add features.

                                                                                                                      1. 1

                                                                                                                        It depends on your priorities. Do you want more users or do you want your software to be free?

                                                                                                                        1. 1

                                                                                                                          You seem to want more contributions, which is why I commented.

                                                                                                                    2. 3

                                                                                                                      The company I work for has the same policy.

                                                                                                                      1. 3

                                                                                                                        Yep. Policies like your employer’s are the main reason that I carefully choose licenses these days. I want to exclude as many corporations as possible from using the code without disqualifying it from being Free Software. I think WTFPL is the best widely-used license for this purpose; does your employer’s policy allow WTFPL?

                                                                                                                        1. 2

                                                                                                                          One of my employers explicitly put WTFPL on the blacklist. Apparently it’s important to have the warranty disclaimer somewhere which it lacks. Consider the ISC-L (https://opensource.org/licenses/isc) instead, which is short and to the point, yet ticks all the boxes that seem to be important to lawyers.

                                                                                                                          1. 1

                                                                                                                            The ISC license is a fine license indeed, but if you re-read my original comment, I am looking for licenses which are not employer-friendly. Indeed, I had considered the ISC license, but found that too many corporations would be willing to use ISC-licensed code.

                                                                                                                            1. 1

                                                                                                                              Ah, right. I misread, I’m sorry.

                                                                                                                              Yes, WTFPL is corporate kryptonite (but still theoretically compatible, unlike the CC-*-NC variants that are explicitly non-corporate, but therefore non-free software compatible, too), so I guess it’s a fine choice for that.

                                                                                                                      2. 11

                                                                                                                        It feels to me like the FSF overplayed their hand with GPLv3, and it’s led to more aggressive efforts away from the GPL.

                                                                                                                        1. 2

                                                                                                                          Are there any articles from lawyers about what form this lack of clarity takes?

                                                                                                                          Or is this just the old concern about linking and the GPLv3 has provided a convenient FUD checkpoint?

                                                                                                                          1. 1

                                                                                                                            I talked to people (several years ago, so a bit hazy on the details, too), so I don’t have anything to read up on. Generally speaking these lawyers are friendly towards open source and copyleft, so I doubt it was just a FUD checkpoint for them.

                                                                                                                            The best I found (but I’m not sure it matches the points that I heard) is Allison Randal’s take on the GPLv3 from 12 years ago: http://radar.oreilly.com/2007/05/gplv3-clarity-and-simplicity.html. That one focuses more on the “laypersons reading a license” aspect that shouldn’t worry copyright lawyers too much.

                                                                                                                        1. 1

                                                                                                                          It seems like you’re referring to workstation backups, so I’ll comment on that.

                                                                                                                          For my local machines, both backup to a local Time Machine drive, and both also backup to Backblaze.

                                                                                                                          1. 0

                                                                                                                            JAMstack.systems is the presentation about fast, secure and dynamic sites built with JavaScript, APIs, and prerendered Markup, served without web servers. I’ll appreciate it if you will star the repo and share the deck on twitter.

                                                                                                                            1. 3

                                                                                                                              served without web servers

                                                                                                                              …. What serves it then, pixie dust?

                                                                                                                            1. 19

                                                                                                                              This seems to break my browser’s back button.

                                                                                                                              1. 6
                                                                                                                                1. 2

                                                                                                                                  Yeah, not quite functional.

                                                                                                                                  1. 1

                                                                                                                                    Yeah this is pretty poor experience, combined with the lack of scroll control (i.e. you can’t scroll to navigate) it’s pretty much unusable IMO.

                                                                                                                                  1. 22

                                                                                                                                    Just because you can, doesn’t mean you should!

                                                                                                                                    ()  ascii ribbon campaign - against html e-mail 
                                                                                                                                    /\  www.asciiribbon.org   - against proprietary attachments
                                                                                                                                    
                                                                                                                                    1. 3

                                                                                                                                      And against proportional fonts, too? ;-)

                                                                                                                                      1. 1

                                                                                                                                        Proportional fonts are very pleasant for reading, but not as easy to write text in (if you want to do some custom layout), in which case a markup language is getting used.

                                                                                                                                        That probably means that we shift email from a tool to write to a tool to read.

                                                                                                                                        Of course, if most of what is transmitted by email is web services notifications and files to access over IMAP elsewhere, we get to read write much less in proportion.

                                                                                                                                      2. 3

                                                                                                                                        While people who do not care about how email works or is implemented enjoy highlighting the keywords of their sentence, people interested in the email stack (and eventually trying to make it not so tall) will keep enjoying the relative simplicity of SMTP + IMAP + SPF + DKIM + DMARC + TLS + STARTTLS + RFC3522 + MIME + Quoted-Printable over SMTP + IMAP + SPF + DKIM + DMARC + TLS + STARTTLS + RFC3522 + MIME + Quoted-Printable + XML + HTML + CSS.

                                                                                                                                        1. 6

                                                                                                                                          Ooh! Don’t forget format=flowed, my favorite email feature that every MUA documents as The Right Way to fix things but that doesn’t actually work with Outlook, Gmail, Fastmail, or many others.

                                                                                                                                          Or maybe everyone loves seeing emails like

                                                                                                                                          Owen, why are your emails always fucked up?
                                                                                                                                          
                                                                                                                                          I think this is a fair idea but really it deserves
                                                                                                                                          more thought.
                                                                                                                                          Frobulating this widget may have unintended
                                                                                                                                          consequences. 
                                                                                                                                          Instead we should consider an approach
                                                                                                                                          that avoids unneeded frobulation; instead lets
                                                                                                                                          quux
                                                                                                                                          
                                                                                                                                          On September 10th, your cow orker orked:
                                                                                                                                          
                                                                                                                                          > why don’t you just frobulate all the impacted
                                                                                                                                          widgets
                                                                                                                                          
                                                                                                                                          1. 2

                                                                                                                                            Misplaced newlines…

                                                                                                                                            Here is some explanation helpful to me from that email-literate company: https://fastmail.blog/2016/12/17/format-flowed/

                                                                                                                                            1. 2

                                                                                                                                              I adore format=flowed. It solves one of the four major problems well. (I’m not facetious — one out of four is much better than zero IMO, even if haters tend to pick on it being less than four.)

                                                                                                                                          2. 2

                                                                                                                                            I really like gmail’s HTML email. Parsing and rendering that is so much more pleasant than text/plain HTML. It has CSS classes for quotes and signatures, and the tables use HTML table syntax, so making the content readable on a narrowish phone screen is trivial.

                                                                                                                                            Try rendering that ASCII ribbon table nicely on a phone screen that’s wide enough for five words… it’s a three-column table, right? Or two? Can the text in each table cell be wrapped so the table will fit onscreen?

                                                                                                                                            1. 1

                                                                                                                                              IMO that page is misleading in part, because it presents a bad practice that some follow, as the only potential way it can be done.

                                                                                                                                              In multiple points, it says some clients/users/assistive technologies can’t process HTML email, and suggests that for this reason HTML email should be verboten, instead of the more practical, and common practice of sending the message content in two media types: text/plain, and text/html.

                                                                                                                                            1. 4

                                                                                                                                              Out of the loop here: What exactly does “serverless” mean (unironically) in this context? As far as I’m aware, “serverless” refers to peer-to-peer network protocols like BGP, some video games’ multiplayer, or ARP. None of these seem like they could be replaced by cgi-bin.

                                                                                                                                              1. 5

                                                                                                                                                Serverless Computing is a model where you provision things at a different level than “server”. They still obviously require a server to run, but you don’t have to manage things at the server level. A common example is Lambdas from AWS.

                                                                                                                                                Resources for more information:

                                                                                                                                                1. 1

                                                                                                                                                  Are you being serious?

                                                                                                                                                  This is referring to the ridiculous use of the term ‘server less’ to describe the pattern modelled by AWS Lambda, Azure Functions etc - “Functions as a Service” is the sometimes quoted ‘generic’ term.

                                                                                                                                                  1. 9

                                                                                                                                                    Are you being serious?

                                                                                                                                                    Not everyone lives and breathes cloud network services.

                                                                                                                                                1. 11

                                                                                                                                                  Speaking as someone who has been writing SQL since the late 90s I find some ORMs to be a welcome comfort until they begin creating SQL that is inefficient (the whole N+1 query issue) and then you’re forced to write the SQL by hand anyway. They are a tool and serve a purpose and like all tools they are flawed in certain use cases.

                                                                                                                                                  1. 5

                                                                                                                                                    To me this is just highlighting that developers sometimes (often times?) use the wrong tool for the job.

                                                                                                                                                    If I am plumbing my water pump, I’ll be using 1/2” or 1” PVC generally, and when I want to cut the pipe, I’ll use my PVC pipe cutters, because they’re quick, leave a clean cut, work well in tight spaces and it’s just ready to go.

                                                                                                                                                    When I put a 3” drain pipe on the carport, I used a hacksaw to cut the pipe. Yes the edge it leaves is a little rougher, and I had to get a blade out and put it in the saw, etc.

                                                                                                                                                    Just because the task seems similar (cut some PVC) doesn’t mean the best tool for the job is the same - the context matters.

                                                                                                                                                    To come back to SQL: I find that a query builder works for probably 90%+ of queries, possibly more possibly less, depending on how well it can e.g. join and load linked models in one query, etc.

                                                                                                                                                    To me the problem is if the query buider/ORM doesn’t provide any way to substitute some or all of the query it would generate. Or of course, developers who refuse to use such functionality when it makes sense.

                                                                                                                                                    1. 3

                                                                                                                                                      I enjoyed reading your reply and completely agree.

                                                                                                                                                      I find that a query builder works for probably 90%+ of queries

                                                                                                                                                      I find those who dislike query builders or ORMs in general are the same people who work day to day on those 10% of queries that query builders are painful to use on.

                                                                                                                                                      1. 1

                                                                                                                                                        Yeah, I agree.

                                                                                                                                                        Not doing so much web stuff these days, every time I start a new project I end up using ~10-15 distinct SQL queries, they take me 2h? to write (basic CRUD + user management) - sure, if I used Rails and ActiveRecord it might be only 30mins, but the absolute savings are just not there. But on the plus side I just have SQL and more than once I have rewritten such a small hobby project in another language and just reused my plain SQL snippets.

                                                                                                                                                        TLDR: Most of the times I think all the “But with the ORM everything is so much quicker” just amounts to a few more hours, single-digit percents of your total time in the project. On the other hand, I’ve long not seen an ORM where you can’t just use plain SQL for complicated stuff.

                                                                                                                                                        1. 1

                                                                                                                                                          I’ve long not seen an ORM where you can’t just use plain SQL for complicated stuff.

                                                                                                                                                          The Eloquent ORM in PHP Laravel does allow for “raw” SQL. Also for a long time subqueries in Eloquent were a bit of a nightmare but in the recently launched Laravel 6 they seem to have some support for it.

                                                                                                                                                  1. 13

                                                                                                                                                    If you need an ad-blocker for your terminal, maybe the solution is to stop using shit from people/projects who think it’s ok to spam your terminal.

                                                                                                                                                    1. 4

                                                                                                                                                      I see this project as more of performance art/protest than something that’s actually meant to be used in earnest.

                                                                                                                                                    1. 1

                                                                                                                                                      Looks fine. It’s just a JSON-y and more powerful version of IMAP though. Evolutionary, not revolutionary. I like the support for tags and such though.

                                                                                                                                                      Can we fix SMTP yet?

                                                                                                                                                      1. 4

                                                                                                                                                        As explained at jmap.io, it’s a whole new protocol, not just an expanded JSON version of IMAP. I hope it catches on.

                                                                                                                                                        1. 1

                                                                                                                                                          in what way is it different from an expanded JSON version of IMAP?

                                                                                                                                                          1. 8

                                                                                                                                                            It also supports outbound client mail, replacing SMTP for the clients. That’s pretty different. It also doesn’t use a persistent socket, and the API is quite different.

                                                                                                                                                            1. 1

                                                                                                                                                              So no notification (IMAP IDLE) support? Polling an HTTP API is what to do?

                                                                                                                                                              1. 1

                                                                                                                                                                Yes, it supports notifications:

                                                                                                                                                                For desktop clients and webmail, there’s an event source interface. This requires a persistent HTTP connection.

                                                                                                                                                                No firewall / Timeout problems?

                                                                                                                                                                For mobile, and web integrations, you can set a callback handler, which conforms with the use of a push endpoint by an Application Server as defined in RFC8030.

                                                                                                                                                                Be careful with abuses!

                                                                                                                                                        2. 4

                                                                                                                                                          … No it’s not?

                                                                                                                                                          And, in terms of client access, this literally addresses that:

                                                                                                                                                          JMAP (JSON Meta Application Protocol) is a modern standard for email clients to connect to mail stores. It therefore primarily replaces IMAP + SMTP submission. It does not replace MTA-to-MTA SMTP transmission.

                                                                                                                                                          1. 0

                                                                                                                                                            it’s not? how so?