1. 9

    Wanted to comment on the “Install Nix:” section since I helped narrowly with the Catalina installer update this May, just finished updating the Nix installer for Big Sur, and happen to be working this morning on a draft PR that may finally de-complicate Catalina+ installs.

    This works.

    Edit: I think I told a small lie; this method of install works, but the correct incantation is actually curl -L https://nixos.org/nix/install | sh :)

    • Catalina with a T2 chip: sh <(curl -L https://nixos.org/nix/install) –darwin-use-unencrypted-nix-store-volume (according to the site, “unecrypted” is a misnomer as the chip will encrypt it anyway).

    The scare-flag’s goal is to encourage anyone who cares (or is compelled to care by some policy) to go read the docs before installing. “Unencrypted” is only a ~misnomer for T2 macs and is quite accurate on non-T2 macs :)

    • Catalina without a T2 chip: follow these instructions 4.

    It isn’t this complicated/manual on a non-T2 Mac unless you use FileVault (in which case, the linked instructions are a good resource). If you do not use FileVault, sh <(curl -L https://nixos.org/nix/install) --darwin-use-unencrypted-nix-store-volume should be sufficient.

    1. 1

      Thanks for the info! I’ll update the post later tonight.

      1. 1

        If you see it as an evergreen post, you may want to keep an eye on https://github.com/NixOS/nix/pull/4181. I can’t swear if/when it’ll land, but hopefully it’ll de-complicate things a little.

    1. 1

      While pretty cool, my major worry is that faces will be biased toward whatever the sample set is – we’re all gonna start looking like whatever Nvidia thinks we should look like. Admittedly this happens on a smaller scale whenever engineers pick coefficients for lossy compression algorithms, but usually that’s done based on psychoacoustic or psychovisual (?) terms as opposed to “this matched our sample set.”

      1. 1

        Bias is ‘loss’ in lossy compression; skin is smoother and blemishes fewer at lower bitrates as well in other encoders and so on. Predictable motion will be have favourable compression, arrive faster and appear smoother in streamed video – The point is, biases trickle in regardless of what you do. It is just that the author of the algorithm doesn’t have some magical conspiracy certified control switch. If the end results are not plausible it’ll not be adopted and you can verify the output by streaming to yourself.

        If you look at examples of the same set of technqiues (search for ESRGAN in gaming and emulation forums) being applied for upsampling of old video games and current realtime raytracing (the other side of the sameish coin) you’ll see that it is more of a quality filter than it is the more questionable ‘style transfer’ (different but related).

      1. 13

        Obligatory reference to Urbit’s creator: https://en.wikipedia.org/wiki/Curtis_Yarvin.

        Platforms are designed around their founders’ beliefs, so when a platform wants to “win” computing it may be a good idea to understand what “winning” means. More information is here.

        1. 7

          Please, please criticize the tech and not the developer.

          Urbit developed by Mother Theresa or Obama or Mao would still be just as clunky.

          And like yes, the obtuseness of Urbit makes it hard it read enough to actually engage with its technical shortcomings, but ugh.

          It’s all so tiresome.

          1. 6

            Guess we’ll have to agree to disagree on this – I think these positions are too extreme to push aside regardless of how good the technology is. Imagine trying to give a presentation on the technological innovations of ReiserFS without mentioning anything about Hans Reiser. If the technology really is useful and politically agnostic it’ll show up elsewhere without the toxicness attached.

            1. 6

              This is one of those things where I think that ‘Death of the Author’ is actually really useful. It is commonly misunderstood as meaning that the author is irrelevant, when what it really means is that when we are analysing a thing, we don’t have to automatically defer to what an author claims, especially when they seem to be acting in bad faith, and sometimes the totality of an author is useful to show why a particular interpretation makes sense, though at the same time the faults of the author are not necessarily present in the thing.

              For a timely example, there had been some discourse in the analysis of the Harry Potter books about transphobic messages (primarily around the character Rita Skeeter), as well as antisemitic and homophobic stuff. When the author publicly went mask off as a terf (as well as (debatably) a homophobe and a believer in antisemitic conspiracy theories), it really strengthened the analysis of the work. But it isn’t enough to go ‘JKR bad, so work bad’ - for it to be useful to the analysis you have to tie it to stuff in the work.

              For an example of not being able to tie it to stuff in the work, you have the Haber process. Fritz Haber was involved in the invention of chemical warfare, a crime against humanity. His life is useful to contextualize the invention of the Haber process, but it doesn’t taint it or make it ‘morally unusable’, as chemical warfare is not somehow present in (or encoded into) the work.

              I think that Curtis Yarvin’s beliefs are relevant here in a way that Hans Reiser’s crimes are not, because we can tie them to the structure of the work in the critique. For a few example:

              • Purposeful obscurantism
              • A system of hierarchy (while claiming no hierarchy)
              • Too few ‘real person’ nodes by design for everyone to be a real person in the system
              • A totalising feudal system structure which combines elements of fascism and feudalism
              • Gibberish syncretic occultism, most obviously the way Urbit stuff uses things like ‘functional programming’ ‘determinism’ etc - Nock for example is in no sense a functional substrate with a formal analysis and a proof theory in the way they state it is - they don’t give either a denotational nor an operational semantics, there are way too many rules and reductions which are redundant and overlapping, there is no proof of progress or proof of consistency, no proof theory, etc etc etc.
              • Constant lies about history especially about historic conditions, which ties in to the constant lies in the Urbit literature about the history of computing especially about performance comparisons - actually comparing Urbit’s throughput and reliability to DNS or the Visa payment network is illustrative here
            2. 2

              Urbit is an attempt to create a kind of digital feudalism. It /is/ a polittcal project at its heart: you can’t have an honest review of the project that ignores the political goals that the project embodies & you can’t really talk about that without talking about the politics of its founder(s).

          1. 5

            It’s not very high quality, but occasionally I’ve found useful open source tools on https://alternativeto.net/. It’s definitely more focused on end-user apps instead of libraries or infrastructure, but it’s better than nothing.

            1. 33

              A long time ago I was a huge fan of a certain programmer¹ who had a lot of technical prowess and put TONS of angry rants that I thought were funny in their code. Bashing other tech companies’ engineers in a funny way while writing awesome code seemed to be a great thing to aspire to. One day I decided to contribute a one-line patch to this programmer’s side project which was on their self-hosted git instance. Not wanting to go through the annoying process of setting up git to work with gmail for a one-line patch, I just typed the diff into what I thought was a decent and friendly email. I received no response and forgot about it.

              A few months later the programmer, not realizing (or caring) that I followed them on twitter wrote a pointed angry rant about idiots who could only use github and not send in a properly formatted git patch. This was followed by a tweet asking a question about the thing my patch aimed to fix, meaning that the previous rant was almost certainly about me. Suddenly, all the programmer’s funny angry rants weren’t so funny anymore, and just made this programmer seem like… a jerk. They are now the CEO of a successful startup. Am I going to apply to work for them? Probably not. Am I going to use their product were I to need its features? Maybe, but with hesitation.

              The whole reason I’m telling this story is to remind people that it’s possible to be opinionated without being a jerk, and that it’s bad to celebrate when people voice good opinions in a jerk-like way². The programmer in question could have emailed me back asking for a properly formatted git patch, privately complained to their friends, or expressed their frustration on twitter in a way that wasn’t mean. I think the last part is the most important – rants have their place to vent frustration (and clearly Drew is very frustrated) or even change people’s minds, but have a different tone entirely when one of the core aspects of a rant is “I am smarter and more ethical than these other people.”

              I hope Drew’s concerns get addressed, but I also hope he is able to voice them more constructively in the future.

              ¹ Left unnamed, but not @ddevault

              ² See Linux Torvalds, for example

              1. 16

                Not to pile on, but this is the reason I unfollowed Drew on fosstodon. How angry rants become very pointed and are sometimes on the brink of harassment.

                1. 5

                  I didn’t even had to do that, he blocked me after insulting me. I still like to read his posts, but more for the spectacle than for objective opinions, really.

                2. 5

                  rants have their place to vent frustration (and clearly Drew is very frustrated)

                  I think this is key. Drew seems to be generally angry and frustrated with the state of the world, technology, ethics of technologists, etc. And he’s right to be angry, a lot of stuff sucks! Anger can be a good/useful emotion, if it drives you to change shitty situations instead of accepting them, and that’s something I admire about Drew, his refusal to take the status quo for granted and his ability to follow through on groundbreaking projects. (I’m rooting for Sourcehut because it isn’t a clone of Github, it has a different philosophy and design goals, whereas many open source products look like inferior knockoffs of some proprietary progenitor.) Maybe he wouldn’t be making the kind of software+projects he does if he weren’t so angry. But, like most things, anger can be toxic when taken to extremes or misdirected, and it can drive people away.

                  Whenever I introduce one of Drew’s projects like Sourcehut to my friends/colleagues, or forward a post of his, I have to add the disclaimer that Drew is kind of a dick, even though I tend to agree with him on many things. At some point his anger may do more damage to his projects by preventing people from using or contributing to them than whatever motivational benefits his anger provides to his personal productivity.

                  1. 4

                    One of the effects of having some of my own posts being posted on sites like Reddit and Hacker News a few times is that I’ve become a lot more careful in how I comment on other people’s posts. In general, I strive to write anything public as if the author of the post would actually read it. In quite a few cases, they probably do.

                    It’s easy to think you’re oh-so-witty-and-funny with your snarky sarcastic takes or whatever; but in reality it’s usually not, especially not over the internet.

                    I’ll readily admit I don’t always succeed at this though; but I try. I sometimes rant a bit to my friends or girlfriend in private, which has the same frustration-venting effect and doesn’t upset anyone. Just because someone is wrong, or because you strongly disagree with them, isn’t a reason to be a jerk to them.

                  1. 2

                    Deleting tests or parts of an application to narrow down where a bug might be. If you have a VCS that supports local branches, it’s totally fine to go WILD with a codebase as long as your changes don’t get merged to your main branch. Deleting a bunch of passing tests or initialization code can speed up the fix/compile/test loop, helping you find the bug quicker.

                    This also applies if you have a CI system where the CI configuration is stored in a file such as .travis.yml or a Jenkinsfile. Go ahead and rip stuff out of there if it’s in your way, just make sure you revert those changes before creating a PR.

                    1. 4

                      Yeah, I feel my lack of statistics knowledge sometimes leads me to the wrong conclusion (especially about performance measurements). Any crustaceans have stats programming book recommendations? Preferably Python (R is fine too) and project-driven?

                      1. 2

                        The end of the article lists a bunch of them.

                        1. 2

                          Oh yeah, but I was curious if anyone had further suggestions (particularly more modern books since the programming ones looked a bit dated)

                          1. 1

                            I enjoyed Statistics Done Wrong by Alex Reinhart. It’s not really a programming book but a catalog of common statistical errors, and is written in a more accessible style than your average textbook.

                      1. 8

                        Already seeing several friends complaining that they can’t use it because they have restricted it to people who have their phones set to use the German app store. https://github.com/corona-warn-app/cwa-app-android/issues/478 Here in Berlin immigrants make up something like 30% of the population, and there is generally no need to get a German phone when you move here. Add “app store location is where you physically live” to the list of myths programmers mistakenly believe in.

                        1. 1

                          I really wonder, what’s the goal of such measure?

                          Let’s say I leave in a neighboring country like France for example, but work in Germany, it would make sense for me to have both apps, right? (Actually it would make even more sense to have one app for all countries, but that’s another story…). By tying the apps to a given national store, then it makes things harder, which is counter productive.

                          1. 2

                            My impression is that it was an easy way for Apple/Google to enforce the one app per country rule, but outside of that I’m not really sure.

                            I had a similar weird experience when trying to purchase RainToday (en) while my phone was set to the US app store.¹ Many of MeteoGroup’s other apps are available in the US app store, but not RainToday, and when asked I simply got a response that “[t]he warnings and the radar in RainToday are not available for the USA. That’s why RainToday is not available in the US store.” I guess they didn’t want to deal with the support load of people buying the app and expecting it to work in the States.

                            ¹ Dark Sky’s rain alerts don’t work in Europe, but that doesn’t even matter any more because the world sucks.

                        1. 1

                          I had always thought this was the reason the LOOP instruction was slow on Athlon and later processors: that it was artificially slowed down to support old timing routines. After reading this SO post, however, I’m not so sure anymore.

                          1. 1

                            I’ve found LWN to be consistently high-quality technical journalism, and well worth your (or your employer’s) money. If you’re working for a FAANG, it’s likely you can click a button and get it expensed. Older articles are available for free.

                            One of the more fundamental aspects of my engineering philosophy with regard to optimization came from a quote in an LWN article from more than 10 years ago:

                            “It’s not about booting faster, it’s about booting in 5 seconds.” Instead of saving a second here and there, set a time budget for the whole system, and make each step of the boot finish in its allotted time.

                            That mentality has set me up for a lot of success in taming unruly systems.

                            Outside of LWN, the asshole filter was a helpful post in dealing with cross-team communication. The tldr is: people want to get things done and if the official process is not the best way to do that, people are then incentivized to violate boundaries. I’ve seen this a lot in client-based teams that grow from ad-hoc email requests to a formal ticketing system: usually the ticketing system is where tickets go to die, while the clients know that to get real work done you just ping someone on the team directly. Eventually, the only way the ticket system survives is for people who get pinged to reject the ping: “Sorry, we’re trying to use the ticket system for this. Can you make a ticket and we’ll continue there?” By making the ticket system the best way to get something done, people are incentivized to do the right thing. Of course, this only works if the tickets are actually looked at and responded to, and only if the whole team makes a unified effort – otherwise the pings just get shifted somewhere else.

                            1. 2

                              Having used something like this in a previous life, I’m very excited to see a publicly available web-based VCS-backed IDE come to life. Congrats to the team!

                              1. 1

                                xmake looks really interesting and is something I’ll probably consider for my next project (especially if the FreeBSD package is updated). The documentation that I’ve seen so far all does in-tree builds though, which is probably the worst antipattern in build-system design. Are they any docs for driving the build from the build directory?

                                1. 1

                                  The documentation that I’ve seen so far all does in-tree builds though, which is probably the worst antipattern in build-system design. Are they any docs for driving the build from the build directory?

                                  ? I do not understand it.

                                  1. 1

                                    @david_chisnall is asking if it is possible to build in a different directory than the directory with the source code. A good test for this is: “can I mount the source on a read-only filesystem, and compile somewhere else?” This is often useful for people who work on multiple branches in a large codebase, or CI systems for large codebases which heavily rely on caching.

                                    1. 2

                                      oh, it is supported. xmake will not write any files to the source directories by default, only write some target and cache files in curdir/build, tmp, curdir/.xmake and ~/.xmake directories, but we can also modify the location of these directories.

                                      modify global and local cache directory

                                      export XMAKE_GLOBAL_DIR=/xxx
                                      export XMAKE_CONFIG_DIR=/yyy
                                      

                                      modify tmpdir

                                      export XMAKE_TMP_DIR=/ttt
                                      

                                      modify the build output directory:

                                      xmake f --buildir=xxx
                                      xmake
                                      
                                      1. 3

                                        ~/.xmake

                                        Please, use XDG Base Directory instead.

                                    2. 1

                                      All of the examples (unless I am misreading them, please correct me if I’m wrong) run xmake from the source directory. Modern build systems drive the build from the build directory. This has a number of advantages:

                                      • The source directory can be on a read-only or write-is-expensive filesystem (e.g. an aggressively cached local copy of a slow network filesystem), whereas the build directory can be on fast throw-away storage (e.g. the local SSD on a cloud VM).
                                      • It’s easy to have different backup policies for the source and build directories.
                                      • Your per-build configuration is stored in the build directory, so you can easily rerun.
                                      • A completely clean build, even in the presence of build-system bugs, is trivial to do by simply deleting the build directory.
                                      • You don’t need to add a load of things to .gitignore for build outputs and it’s really easy to keep your source tree clean.
                                      • If you have generated source files, it’s trivial to tell the generated ones apart from the others (the generated ones are only in the build directory, not the source tree).

                                      With CMake (which has many other problems), the normal workflow is:

                                      1. Create a new build directory.
                                      2. Run ccmake to configure the build with all of the options that you want.
                                      3. Run ninja to build it.

                                      You can repeat these steps for multiple build configurations and you can build each independently. For example, for LLVM I have a release build and a debug+ASan build that I can link against, and when I’m writing something that depends on LLVM libraries I will do the same thing and have a release build and a debug build with ASan. When I want rapid edit-compile-test cycles, I use the release build, but as soon as something goes wrong I switch to the ASan version and get much more useful debugging information.

                                      In contrast, the instructions that I read for xmake said to run xmake in the source directory. This makes me really nervous, because it remind me of the bad old days when you ran make in your source directory and got a load of generated files interleaved.

                                      The tool I would like is something that I can use in the same way that I use CMake but where the input language is not a horrible macro language that’s been gradually extended and where there is clean layering in the standard library with nothing hard-coded in the tool (for example, the way CMake hard codes the flags that it passes to cl.exe).

                                      1. 2

                                        Although xmake runs by default in the root directory of the project with the xmake.lua file, it will not write any files to the source directory. All files will be generated in a separate build directory.

                                        cd projectdir
                                        xmake
                                        

                                        It will generate ‘build’ and ‘.xmake’ directories to projectdir.

                                        But the build directory can also be modified.

                                        cd projectdir
                                        xmake f --buildir=/tmp/build
                                        xmake
                                        

                                        But xmake still generate .xmake directory to projectdir/.xmake

                                        we can also do not generate .xmake to projectdir

                                         export XMAKE_CONFIG_DIR=/tmp/build/cache
                                        xmake f --buildir=/tmp/build
                                        xmake
                                        

                                        Now, even xmake is still running under the project directory, but the project directory will always be very clean.

                                        In addition, xmake can also not run under the project directory.

                                         cd otherdir
                                         xmake -P projectdir
                                        
                                        1. 1

                                          Thanks, it sounds as if it can do what I want. It’s a shame that the documentation and default behaviour encourages bad style though.

                                  1. 2
                                    • Sublime Text - I’m still astonished at how fast it renders/scrolls.
                                    • Sublime Merge - my day job has a heavy rebase/commit split workflow, and Sublime Merge is a godsend when doing tricky interactive rebases.
                                    • autojump - as mentioned earlier. It’s one of the first things I install on a new workstation. I believe there are alternates such as z and fasd which you may want to check out.
                                    • Pull Reminders - I absolutely hate email notifications, and things like review requests or responses to comments usually get buried in my inbox. I also find the GitHub notification workflow suboptimal – I still have to click to archive notifications, which means they pile up, which means things get lost. By hooking up Pull Reminders to Slack I get notifications that I don’t have to click to archive. This has dramatically reduced my response time to PRs.
                                    • Pull Assigner - Automatic PR assignment has made reviews in a team go much smoother. Without this, I often find teams fall into bimodal patterns where a few people review everything and the other people don’t respond due to bystander effect.
                                    • mtr - A fantastic way to diagnose latency and packet loss issues in your network. I feel like it’s not as well known as it should be.
                                    • A “percentile latency” graph - I’m not sure if there is an official term for it, but a graph where the X axis is a percentile and the Y axis is latency. I first saw these in Gil Tene’s How Not to Measure Latency (summarized here) and was blown away – not only are they very effective at describing how a system operates in normal cases and at the limits, but you can directly lay your SLAs on top of them and see how much wiggle room you have before you’re in violation.
                                    • black and isort - mentioned otherwise in this submission, but a great way to focus more on the code instead of the style.
                                    1. 2

                                      I just wanted to circle back and say that I ended up going with @colindean’s recommendation and bought a Ubiquiti Dream Machine. So far I’m really happy with it, although it was confusing to set up at first.

                                      For the record: for home use you probably want to set it up using “remote access” (formerly called “cloud access”), and access the controller via https://unifi.ui.com/. It’s possible to log in via the controller’s IP address directly, but then you’d need to accept its cert or bypass SSL cert verification. Additionally, read performance optimizations from the Ubiquiti forums with a grain of salt – some of those people are optimizing for business or conference installations with dozens or hundreds of devices, and what they recommend may not be appropriate for a home network with different use cases and constraints.

                                      Other than that initial setup, it seems to do everything I want. Thanks again!

                                      1. 1

                                        Glad to hear it. Welcome to the Ubiquiti world!

                                      1. 7

                                        Avoid meshes if you can. You’ll want n access points, where n is an integer and depends on the area to cover. Connect those access points to the upstream using cabled ethernet.

                                        Mesh is fine if you want coverage, not so fine if you want capacity in a saturated environment. Every packet has to be sent more than once across the air, and the impact of that is worse than a doubling because if the way radio time is shared.

                                        Clueful friends of mine tend to use either Ubiquiti or Mikrotik. One has Cisco Aironets brought home from work when they replaced them with new radios. I have Mikrotik hardware myself, the oldest is 10+ years old at this point and still receiving OS upgrades. If you consider Mikrotik, look for metal hardware, not plastic. The metal is built to last.

                                        My own policy is to use those slow old APs forever, and to say that if something wants 100Mbps or more then that device needs an ethernet cable. That’s been a good policy for me in practice. For example it’s kept the WLAN free of bandwidth hogs, even if those hogs (like a few giant rsync jobs I run) aren’t time sensitive.

                                        1. 2

                                          [I asked an extended version of this in a different reply in this thread]

                                          Is there anything special you need to do to enable switching amongst the various access points as you wander around the house?

                                          1. 1

                                            Enable, no, but there are things you can do to improve quality of service. I use a Mikrotik feature called capsman, I understand that Ubiquiti and Cisco Aironet provide the same functionality. (I don’t know about other vendors, those three are just what friends of mine use.)

                                            The only thing to watch out for is really that you have to purchase APs from one vendor if you want the nice roaming. If you mix brands, TCP connections will be interrupted when you move through the house, and a moving station may remain connected to an AP for as long a that’s possible, not just for as long as that AP is the best choice.

                                          2. 1

                                            You’ll want n access points, where n is an integer and depends on the area to cover. Connect those access points to the upstream using cabled ethernet.

                                            If I could get ethernet to everywhere I want wifi, I wouldn’t need the wifi.

                                            1. 1

                                              That’s true of course, but isn’t it rather beyond the point? The goal is to get ethernet to enough points that the entire area has a good WLAN signal.

                                              When I installed my cables I strictly needed two APs, but I got three instead in order to simplify the cabling. More APs, but less work pulling cables.

                                            2. 1

                                              I don’t know if you’d call the environment saturated here in an urban road but mesh is working nicely. No dropouts, fast, covers everything, cheap. What sort of environment would cause it trouble?

                                              1. 2

                                                At one point 27 different WLANs were visible in what’s now our kitchen, two of them often with a great deal of traffic, and intuitively I think there was some other noise source, not sure what. That was usually good, occasionally saturated, and bulk transfer throughput would drop deep, even as low as 1Mbps. I cabled and now I don’t need pay attention to the spectral graph.

                                                I’ve worked in an office where over 50 WLANs from various departments and companies in the same building were visible. Some people did >100-gigabyte file transfers over our WLAN, so I expect our WLAN bothered the other companies as much as their us. The spectral graph was pure black.

                                                1. 1

                                                  As of right now, I see 21 networks from a Macbook in my living room. 2 of those are even hotspots from the street, run by competing phone companies. It doesn’t help that many ISPs offer “homespots,” where customers who rent their router create several SSIDs – one for the user, and one for other customers of that ISP to use as a hotspot. So I guess mesh is not a good idea where I am.

                                                  1. 2

                                                    Well, most people don’t have a lot of guests who transmit a lot of traffic, so maybe?

                                                    Still, I haven’t regretted the cable I had installed. Remember that you can simplify the problem, you don’t have to install the cable along the most difficult route.

                                            1. 2

                                              It’s been mentioned in passing a few times in here, but I wanted to call it out specifically: @pytest.mark.parametrize is great. The syntax takes a little getting used to (you have to feed it a string of comma-separated parameter names) but other than that it works as expected. As a bonus, you can stack multiple @pytest.mark.parameterize decorators on a test to get a cartesian product of test cases.

                                              1. 3

                                                I’ve been using Nix (NixOS?) as a replacement for Homebrew and so far it’s been pretty good. Not the best learning curve but so far I’ve been able to install the packages I need (although getting git installed with shell completion took up the better part of an afternoon…). The main reason I like it over Homebrew is that every time I go to install a package I’m not rolling the dice on how long the operation will take. Homebrew operations seem to take 5 seconds or 15 minutes depending on whether it needs to recompile openSSL or not, and you can’t predict this before you run brew install… Good to know that from the packager’s side it’s a bit more tricky.

                                                1. 1

                                                  iPhone Fits-In-Your-Hand (SE). I thought about giving in and buying a 7 over the holidays but decided to stick with this until it dies or they release another phone this size.

                                                  1. 6

                                                    I find it curious that the Blink team at Google takes this action in order to prevent various other teams at Google from doing harmful user-agent sniffing to block browsers they don’t like. Google certainly isn’t the only ones, but they’re some of the biggest user-agent sniffing abusers.

                                                    FWIW, I think it’s a good step, nobody needs to know I’m on Ubuntu Linux using X11 on an x86_64 CPU running Firefox 74 with Gecko 20100101. At most, the Firefox/74 part is relevant, but even that has limited value.

                                                    1. 14

                                                      They still want to know that. The mail contains a link to the proposed “user agent client hints” RFC, which splits the user agent into multiple more standardized headers the server has to request, making “user-agent sniffing” more effective.

                                                      1. 4

                                                        Oh. That’s sad. I read through a bit of the RFC now, and yeah, I don’t see why corporations wouldn’t just ask for everything and have slightly more reliable fingerprinting while still blocking browsers they don’t like. I don’t see how the proposed replacement isn’t also “an abundant source of compatibility issues … resulting in browsers lying about themselves … and sites (including Google properties) being broken in some browsers for no good reason”.

                                                        What possible use case could a website have for knowing whether I’m on ARM or Risc-V or x86 or x86_64 other than fingerprinting? How is it responsible to let the server ask for the exact model of device you’re using?

                                                        The spec even contains wording like “To set the Sec-CH-Platform header for a request, given a request (r), user agents MUST: […] Let value be a Structured Header object whose value is the user agent’s platform brand and version”, so there’s not even any space for a browser to offer an anti-fingerprinting setting and still claim to be compliant.

                                                        1. 4

                                                          What possible use case could a website have for knowing whether I’m on ARM or Risc-V or x86 or x86_64 other than fingerprinting?

                                                          Software download links.

                                                          How is it responsible to let the server ask for the exact model of device you’re using?

                                                          … Okay, I’ve got nothing. At least the W3C has the presence of mind to ask the same question. This is literally “Issue 1” in the spec.

                                                          1. 3

                                                            Okay, I’ve got nothing.

                                                            I have a use case for it. I’ve a server which users run on a intranet (typically either just an access point, or a mobile phone hotspot), with web browsers running on random personal tablets/mobile devices. Given that the users are generally not technical, they’d probably be able to identify a connected device as “iPad” versus “Samsung S10” if I can show that in the web app (or at least ask around to figure out whose device it is), but will not be able to do much with e.g an IP address.

                                                            Obviously pretty niche. I have more secure solutions planned for this, however I’d like to keep the low barrier to entry that knowing the hardware type from user agent provides in addition to those.

                                                          2. 2

                                                            What possible use case could a website have for knowing whether I’m on ARM or Risc-V or x86 or x86_64 other than fingerprinting?

                                                            Benchmarking and profiling. If your site performance starts tanking on one kind of processor on phones in the Philippines, you probably want to know that to see what you can do about it.

                                                            Additionally, you can build a website with a certain performance budget when you know what your market minimally has. See the Steam Hardware and Software Survey for an example of this in the desktop videogame world.

                                                            Finally, if you generally know what kinds of devices your customers are using, you can buy a bunch of those for your QA lab to make sure users are getting good real-world performance.

                                                        2. 7

                                                          Gecko 20100101

                                                          Amusingly, this date is a static string — it is already frozen for compatibility reasons.

                                                          1. 2

                                                            Any site that offers you/administrators a “login history” view benefits from somewhat accurate information. Knowing the CPU type or window system probably doesn’t help much, but knowing it’s Firefox on Ubuntu combined with a location lookup from your IP is certainly a reasonable description to identify if it’s you or someone else using the account.

                                                            1. 2

                                                              There are terms I’d certainly like sites to know if I’m using a minority browser or a minority platform, though. Yes, there are downsides because of the risk of fingerprinting, but it’s good to remind sites that people like me exist.

                                                              1. 1

                                                                Though the audience here will play the world’s tiniest violin regarding for those affected the technical impact aspect may be of interest.

                                                                The version numbering is useful low-hanging-fruit method in the ad-tech industry to catch fraud. A lot of bad actors use either just old browsers[1] or skew browser usage ratios; though of course most ‘fraud’ detection methods are native and just assume anything older than two major releases is fraud and ignore details such as LTS releases.

                                                                [1] persuade the user to install a ‘useful’ tool and it sits as a background task burning ads or as a replacement for the users regular browser (never updated)

                                                              1. 2

                                                                I was happy to see GoatCounter come up recently, as I keep thinking “you know, all these cookie warnings are only needed if you use third-party analytics” and was wondering if someone offered analytics without that. I hope this gives them a boost!