1. 64

    I find Docker funny, because it’s an admission of defeat: portability is a lie, and dependencies are unmanageable. Installing dependencies on your own OS is a lost battle, so you install a whole new OS instead. The OS is too fragile to be changed, so a complete reinstall is now a natural part of the workflow. It’s “works on my machine” taken to the conclusion: you ship the machine then.

    1. 17

      We got here because dependency management for C libraries is terrible and completely inadequate for today’s development practices. I also think Docker is a bit overkill, but I don’t think this situation can be remedied with anything short of NixOS or unikernels.

      1. 8

        I place more of the blame on just how bad dynamic language packaging is (pip, npm), intersected with how bad most distributions butcher their native packages for those same dynamic languages. The rule of thumb in several communities seems to be a recommendation to avoid using native packages altogether.

        Imagine if instead static compilation was more common (or even just better packaging norms for most languages), and if we had better OS level sandboxing support!

        1. 3

          Can you explain what you find bad about pip/npm packaging?

          1. 2

            I don’t think npm is problematic to Docker levels. It always supported project-specific dependencies.

            Python OTOH is old enough that by default (if you don’t patch it with pipenv) it expects to use a shared system-global directory for all dependencies. This setup made sense when hard drive space was precious and computers were off-line. Plus the whole v2/v3 thing happened.

            1. 5

              by default (if you don’t patch it with pipenv)

              pipenv is…controversial.

              It also is not the sole way to accomplish what you want (isolated environments, which are called “virtual environments” in Python; pipenv does not provide that, it provides a hopefully-more-convenient interface to the thing that actually provides that).

        2. 4

          Yes, unikernels and “os as static lib” seem the sensible way forward from here to me, also. I don’t know why it never caught on.

          1. 4

            People with way more experience than me on the subject have made a strong point about debuggability. Also, existing software and libraries make assumptions about the filesystem and other things that are not immediately available on unikernels being there, and rewriting them to be reusable on unikernels is not an easy task. I’m also not sure about the state of the tooling for deploying unikernels.

            Right now it’s an uphill battle, but I think we’re just a couple years away and we’ll get there eventually.

            1. 6

              Painfully easy to debug with GDB: https://nanovms.com/dev/tutorials/debugging-nanos-unikernels-with-gdb-and-ops - Bryan is full of FUD

              1. 4

                GDB being there is great!

                Now you also might want lsof, netstat, strace, iostat, ltrace… all the tools which exist for telling you what’s going on in the application to kernel interface are now gone because the application is the kernel. Those interfaces are subroutine calls or queues instead.

                It’s not insurmountable but you do need to recreate all of these things, no? And they won’t be identical to what people are used to.

                I guess the upside is that making dtrace or an analogue of it in unikernel land is prolly easier than it was in split kernel userspace land: there’s only one address space in which you need to hot patch code. :)

                1. 1

                  Perhaps some tools you’d put in as plugins but most of the output from these tools would be better off being exported through whatever you want to use for observability (such as prometheus). One thing that confuses a ton of people is that they are expecting to deal with a full blown general purpose operating system which it isn’t. For example if you take your lsof example - suppose I’m trying to figure out what port is tied to what process - well in this case you already know cause there’s only one.

                  As for things like strace - we actually already did implement something similar a year or so ago as it was vital to figure out what applications were doing what. We also have ftrace like functionality too.

                  Finally, as for tool parity you are right if all you are using is Linux then everything should be relatively the same, but if you jump between say osx and linux you’ll find quite a few different flags or different names.

                  1. 1

                    It obviously wouldn’t be “identical to what people are used to” though, that’s kind of the point. And you don’t want a narrow slice of a full linux system with just the syscalls you use compiled in, it’d be a completely different and much simpler system designed without having to constantly jump up and down between privelege levels, which would make a regular debugger a lot more effective to track a wider array of things than it can now while living in the user layer of a full OS.

            2. 1

              Can you further clarify? With your distribution’s package manager and pkg-config development in C and C++ seems fine. I could see docker being more of a thing on Windows with C libraries because package management isn’t really a thing on that OS (although msys seems like it has pacman which is nice). Also wouldn’t you use the same C library dependency management inside the container?

              Funny enough, we are using docker at work for non-C languages (dotnet/mono).

            3. 6

              That’s exactly what I said at work when we began Dockerization of our services. “We just concluded that dependency management is impossible, so we may as well hermetically seal everything into a container.” It’s sad that we’re here, but there are several reasons both technical and business related why I see containerization as being useful for us at $WORK.

              1. 5

                Which is what we used to do back in the 70s and 80s. Then operating systems started providing a common set of interfaces so you could run multiple programs safe from each other (in theory), then too many holes started opening up and programs relying on specific global shared libs/state which would clash, and too many assumptions about global filesystem layout, and now we’ve got yet another re-implementation of the original idea, just stacked atop of and wrapped around the old, crud piling up around us comprised of yak hair, old buffer overflows, and decisions made when megabytes of storage were our most precious resource.

                1. 1

                  What if I told you that you don’t need an os at all in your docker container? You can, and probably should, strip it down to the minimal dependencies required.

                  1. -1

                    This is amazing insight. Wow. :O Saving and sending this.

                      1. 1

                        Thanks for the laugh :’)

                  1. 18

                    What this rant does not focus on: It’s a good thing that these usecases are broken. Wayland prohibits your desktop applications from capturing keystrokes or recording other apps’ screens by default. X’s security model (and low level graphics APIs) is/are severely outdated, and Wayland promises not only to be more secure, but also expose cleaner APIs at the lower level (rendering, etc.)

                    These usecases are/will still be supported though, but this time via standardized interfaces, many of which already exist and are implemented in today’s clients.

                    X is based on a 30 year old code base and an outdated model (who runs server-side display servers these days?). Of course, switching from X to Wayland will break applications, and until they are rewritten with proper Wayland support they will stay that way. For most X11 apps there even is Xwayland, which allows you to run X11 apps in Wayland if you must.

                    1. 25

                      What this rant does not focus on: It’s a good thing that these usecases are broken

                      You should have more compassion for users and developers who have applications that have worked for decades, are fully featured, and are being asked to throw all of that away. For replacements that are generally very subpar. With no roadmap when party will be reached. For a system that does not offer any improvements they care about (you may care about this form of security, not everyone does).

                      I could care less about whether when I run ps I see Xorg or wayland. And I doubt that most of the people who are complaining really care about x vs wayland. They just don’t want their entire world broken for what looks to them like no reason at all.

                      1. 5

                        I’m not saying that those apps should be thrown away immediately. Some of these work under XWayland (I sometimes stream using OBS and it records games just fine).

                        If your application really does not run under XWayland, then run an X server! X is not going to go away tomorrow, rather it is being gradually replaced.

                        I’m simply explaining that there are good reasons some applications don’t work on Wayland. I’m a bit sore of hearing “I switched to Wayland and everything broke” posts: Look behind the curtain and understand why they broke.

                      2. 17

                        I’m kind of torn on the issue.

                        On the one hand, the X security model is clearly broken. Like the UNIX security model, it assumes that every single application the user wants to run is 100% trusted. It’s good that Wayland allows for sandboxing, and “supporting the use cases, but this time via standardized interfaces” which allow for a permission system sounds good.

                        On the other hand, there’s clearly no fucking collaboration between GNOME and the rest of the Wayland ecosystem. There’s a very clear rift between the GNOME approach which uses dbus for everything and the everything-else approach which builds wayland protocol extensions for everything. There doesn’t seem to be any collaboration, and as a result, application authors have to choose between supporting only GNOME, supporting everything other than GNOME, or doing twice the work.

                        GNOME also has no intention of ever supporting applications which can’t draw their own decorations. I’m not opposed to the idea of client-side decorations, they’re nice enough in GTK applications, but it’s ridiculous to force all the smaller graphics libraries which just exist to get a window on the screen with a GL context - like SDL, GLFW, GLUT, Allegro, SFML, etc - to basically reimplement GTK just to show decorations on GNOME on Wayland. The proposed solution is libdecorations, but that seems to be at least a decade away from providing a good, native-feeling experience.

                        This isn’t a hate post. I like Wayland and use Sway every day on my laptop. I like GNOME and use it every day on my desktop (though with X because nvidia). I have written a lot of wayland-specific software for wlroots-based compositors. But there’s a very clear rift in the wayland ecosystem which I’m not sure if we’ll ever solve. Just in my own projects, I use the layer-shell protocol, which is a use-case GNOME probably won’t ever support, and the screencopy protocol, which GNOME doesn’t support but provides an incompatible dbus-based alternative to. I’m also working on a game which uses SDL, which won’t properly support GNOME on Wayland due to the decorations situation.

                        1. 13

                          the X security model is clearly broken

                          To be honest I feel the “brokenness” of the security model is vastly overstated. How many actual exploits have been found with this?

                          Keyloggers are a thing, but it’s not like Wayland really prevents that. If I have a malicious application then I can probably override firefox to launch something that you didn’t intend (via shell alias, desktop files) or use some other side-channel like installing an extension in ~/.mozilla/firefox, malicious code in ~/.bashrc to capture ssh passwords, etc. Only if you sandbox the entire application is it useful, and almost no one does that.

                          1. 10

                            This isn’t a security vulnerability which can be “exploited”, it’s just a weird threat model. Every single time a user runs a program and it does something to their system which they didn’t want, that’s the security model being “exploited”.

                            You might argue that users should never run untrusted programs, but I think that’s unfair. I run untrusted programs; I play games, those games exist in the shape of closed-source programs from corporations I have no reason to trust. Ideally, I should be able to know that due to the technical design of the system, those closed source programs can’t listen to me through my microphone, can’t see me through my webcam, can’t read my keyboard inputs to other windows, and can’t see the content in other windows, and can’t rummage through my filesystem, without my expressed permission. That simply requires a different security model than what X and the traditional UNIX model does.

                            Obviously Wayland isn’t enough on its own, for the reasons you cite. A complete solution does require sandboxing the entire application, including limiting what parts of the filesystem it can access, which daemons it can talk to, and what hardware it can access. But that’s exactly what Flatpak and Snaps attempts to do, and we can imagine sandboxing programs like Steam as well to sandbox all the closed source games. However, all those efforts are impossible as long as we stick with X11.

                            1. 3

                              Every single time a user runs a program and it does something to their system which they didn’t want, that’s the security model being “exploited”.

                              If you think a permission system is going to solve that, I going to wish you good luck with that.

                              Ideally, I should be able to know that due to the technical design of the system, those closed source programs can’t listen to me through my microphone, can’t see me through my webcam, can’t read my keyboard inputs to other windows, and can’t see the content in other windows, and can’t rummage through my filesystem, without my expressed permission.

                              Ah yes, and those closed-source companies will care about this … why exactly?

                              They will just ask for every permission and won’t run otherwise, leaving you just as insecure as before.

                              But hey, at least you made the life of “trustworthy” applications worse. Good job!

                              But that’s exactly what Flatpak and Snaps attempts to do […]

                              Yes, letting software vendors circumvent whatever little amount of scrutiny software packagers add, that will surely improve security!

                              1. 7

                                If you think a permission system is going to solve that, I going to wish you good luck with that.

                                It… will though. It’s not perfect, but it will prevent software from doing things without the consent of the user. That’s the goal, right?

                                You may be right that some proprietary software vendors will just ask for every permission and refuse to launch unless given those permissions. Good. That lets me decide between using a piece of software with the knowledge that it’ll basically be malware, or not using that piece of software.

                                In reality though, we don’t see a lot of software which takes this route from other platforms which already have permission systems. I’m not sure I have ever encountered a website, Android app or iOS app which A) asked for permissions to do stuff it obviously didn’t need, B) refused to run unless given those permissions, and C) wasn’t obviously garbage.

                                What we do see though is that most apps on the iOS App Store and websites on the web, include analytics packages which will gather as much info on you as possible and send it back home as telemetry data. When Apple, for example, put the contacts database behind a permission wall, the effect wasn’t that every app suddenly started asking to see your contacts. The effect was that apps stopped snooping on users’ contacts.

                                I won’t pretend that a capability/permission system is perfect, because it isn’t. But in the cases where it has already been implemented, the result clearly seems to be improved privacy. I would personally love to be asked for permission if a game tried to read through my ~/.ssh, access my webcam or record my screen, even if just to uninstall the game and get a refund.

                                Yes, letting software vendors circumvent whatever little amount of scrutiny software packagers add, that will surely improve security!

                                I mean, if you wanna complain about distros which use snaps and flatpaks for FOSS software, go right ahead. I’m not a huge fan of that myself. I’m talking about this from the perspective of running closed source software or software otherwise not in the repos, where there’s already no scrutiny from software packagers.

                                1. 3

                                  There’s probably evidence from existing app stores on whether users prefer to use software that asks for fewer permissions. There certainly seems to be a market for that (witness all the people moving to Signal).

                                  1. 3

                                    But hey, at least you made the life of “trustworthy” applications worse. Good job!

                                    “Trustworthy software” is mostly a lie. Every application is untrustworthy after it gets remotely exploited via a security bug, and they all have security bugs. If we lived in a world without so much memory-unsafe C, then maybe that wouldn’t be true. But we don’t live in that world so it’s moot.

                                    Mozilla has its faults, but I trust them enough to trust that Firefox won’t turn on my webcam and start phoning home with the images. I could even look at the source code if I wanted. But I’d still like Firefox sandboxed away from my webcam because Firefox has memory bugs all the time, and they’re probably exploitable. (As does every other browser, of course, but I trust those even less.)

                                  2. 1

                                    A complete solution does require sandboxing the entire application, including limiting what parts of the filesystem it can access, which daemons it can talk to, and what hardware it can access. But that’s exactly what Flatpak and Snaps attempts to do

                                    But that’s quite limited sandboxing, I think? To be honest I’m not fully up-to-speed with what they’re doing exactly, but there’s a big UX conundrum here because write access to $HOME allows side-channels, but you also really want your applications to do $useful_stuff, which almost always means accessing much (or all of) $HOME.

                                    Attempts to limit this go back a long way (e.g. SELinux), and while this works fairly well for server applications, for desktop applications it’s a lot harder. I don’t really fancy frobbing with my config just to save/access a file to a non-standard directory, and for non-technical users this is even more of an issue.

                                    So essentially I don’t really disagree with:

                                    I should be able to know that due to the technical design of the system, those closed source programs can’t listen to me through my microphone, can’t see me through my webcam, can’t read my keyboard inputs to other windows, and can’t see the content in other windows, and can’t rummage through my filesystem, without my expressed permission. That simply requires a different security model than what X and the traditional UNIX model does.

                                    and I’m not saying that the Wayland model isn’t better in theory (aside from some pragmatical implementation problems, which should not be so casually dismissed as some do IMHO), but the actual practical security benefit that it gives you right now is quite limited, and I think that will remain the case for the foreseeable future as it really needs quite a paradigm shift in various areas, which I don’t really seeing that happening on Linux any time soon.

                                    1. 2

                                      I don’t really fancy frobbing with my config just to save/access a file to a non-standard directory

                                      If a standard file-picker dialog were used, it could be granted elevated access & automatically grant the calling application access to the selected path(s).

                                      1. 1

                                        there’s a big UX conundrum here because write access to $HOME allows side-channels, but you also really want your applications to do $useful_stuff, which almost always means accessing much (or all of) $HOME.

                                        This is solved on macOS with powerboxes. The Open and Save file dialogs actually run as a separate process and update the application’s security policy dynamically to allow it to access files that the user has selected, but nothing else. Capsicum was designed explicitly to support this kind of use case, it’s a shame that NIH prevented Linux from adopting it.

                                        1. 1

                                          This sounds like a good idea! I’d love to see that in the X11/Wayland/Unix ecosystem, even just because I hate that awful GTK file dialog for so many reasons and swapping it out with something better would make my life better.

                                          Still; the practical security benefit I – and most users – would get from Wayland today would be very little.

                                    2. 5

                                      I think “broken” is too loaded; “no longer fit for purpose” might be better.

                                      1. 2

                                        Well, the security model is simply broken.

                                        I agree that a lot of focus is put on security improvements compared to Wayland’s other advantages (tear-free rendering being the one most important to me). But it’s still an advantage over X, and I like software which is secure-by-default.

                                        1. 1

                                          How many actual exploits have been found with this?

                                          They were very common in the ‘90s, when folks ran xhost +. Even now, it’s impossible to write a secure password entry box in X11, so remember that any time you type your password into the graphical sudo equivalents that anything that’s currently connected to your X server could capture it. The reason it’s not exploited in the wild is more down to the fact that *NIX distros don’t really do much application sandboxing and so an application that has convinced a user to run it already has pretty much all of the access that it needs for anything malicious that it wants to do. It’s also helped by the fact that most *NIX users only install things from trusted repositories where it’s less likely that you’ll find malware but expect that to change if installing random snap packages from web sites becomes common.

                                        2. 4

                                          It’s good that Wayland allows for sandboxing

                                          If I wanted to sandbox an X application, I’d run it on a separate X server. Maybe even an Xnest kind of thing.

                                          I’ve never cared to do this (if I run xnest it is to test network transparency or new window managers or something, not security), so I haven’t tried, but it seems to me it could be done fairly easily if someone really wanted to.

                                          1. 2

                                            Whoa, I’ve never heard about the GNOME issues (mostly because I’m in a bubble including sway and emersion, and what they do looks sensible to me). That sucks though, I hope they somehow reconcile.

                                            Regarding Nvidia I think Simon mentioned something that hinted at them supporting something that has to do with Wayland, but I could just as easily have misunderstood.

                                          2. 8

                                            Wayland prohibits your desktop applications from capturing keystrokes or recording other apps’ screens by default

                                            No, it doesn’t. Theoretically it might enable doing this by modifying the rest of the system too, but in practice (and certainly the default environment) it is still trivial for malware to keylog and record screen on current Wayland desktop *nix installs.

                                            1. 3

                                              it is still trivial for malware to keylog and record screen on current Wayland desktop *nix installs.

                                              I don’t think that’s true. The linked article says recording screens and global hotkeys is “broken” by Wayland. How can it be so trivial for “malware” to do something, and absolutely impossible for anyone else?

                                              Or is this malware that requires I run it under sudo?

                                              1. 10

                                                It’s the difference between doing something properly and just doing it. Malware is happy with the latter while most non malware users are only happy with the former.

                                                There are numerous tricks you can use if you are malware, from using LD_PRELOAD to inject code and read events first (since everyone uses libwayland this is really easy), to directing clients to connect to your mitm Wayland server, to just using a debugger, and so on and so forth. None of these are really Wayland’s fault, but the existence of them means there is no meaningful security difference on current desktops.

                                                1. 2

                                                  I don’t know if I agree that the ability to insert LD_PRELOAD in front of another application is equivalent to sending a bytestring to a socket that is already open, but at least I understand what you meant now.

                                              2. 4

                                                I’m sick of this keylogger nonsense.

                                                X11 has a feature which allows you to use the X11 protocol to snoop on keys being sent to other applications. Wayland does not have an equivalent feature.

                                                Using LD_PRELOAD requires being on the other side of an airtight hatch. It straight-up requires having arbitrary code execution, which you can use to compromise literally anything. This is not Wayland’s fault. Wayland is a better lock for your front door. If you leave your window open, it’s not Wayland’ fault when you get robbed.

                                                1. 7

                                                  Indeed, it’s not waylands fault, and I said as much in response to the only reply above yours, an hour and 20 minutes before you posted this reply. You’re arguing against a straw man.

                                                  What is the case is that that “airtight hatch” between things that can interact with wayland and things that can do “giant set of evil activities” has been propped wide open pretty much everywhere on desktop linux, and isn’t reasonably easy to close given the rest of desktop software.

                                                  If you were pushing “here’s this new desktop environment that runs everything in secure sandboxes” and it happened to use wayland there would be the possibility of a compelling security argument here. Instead what I see is people making this security argument in a way that could give people the impression it secures things when it doesn’t actually close the barn doors, which is outright dangerous.

                                                  In fact, as far as I know the only desktop *nix OS that does sandbox everything thing is QubesOS, and it looks like they currently run a custom protocol on top of an X server…

                                                  1. 2

                                                    Quoting you:

                                                    Wayland prohibits your desktop applications from capturing keystrokes or recording other apps’ screens by default

                                                    No, it doesn’t.

                                                    Yes, it does. Wayland prohibits Wayland clients from using Wayland to snoop on other Wayland clients. X11 does allow X11 clients to use X11 to snoop on other X11 clients.

                                                    Other features of Linux allow you to circumvent this within the typical use-case, but that’s a criticism of those features moreso than of Wayland, and I’m really tired of it being trotted out in Wayland discussions. Wayland has addressed its part of the problem. Now it’s on the rest of the ecosystem to address their parts. Why do you keep dragging it into the Wayland dicsussion when we’ve already addressed it?

                                                    1. 7

                                                      This

                                                      Wayland prohibits your desktop applications from capturing keystrokes or recording other apps’ screens by default

                                                      And this

                                                      Wayland prohibits Wayland clients from using Wayland to snoop on other Wayland clients.

                                                      Are two very different statements. The latter partially specifies the method of snooping, the former does not.

                                                      Why do you keep dragging it into the Wayland dicsussion when we’ve already addressed it?

                                                      I do not, I merely reply to incorrect claims brought up in support of wayland claiming that it solves a problem that it does not. It might one day become part of a solution to that problem. It might not. It certainly doesn’t solve it by itself, and it isn’t even part of a solution to that problem today.

                                              3. 4

                                                X’s design has many flaws, but those flaws are well known and documented, and workarounds and extensions exist to cover a wide range of use cases. Wayland may have a better design regarding modern requirements, but has a hard time catching up with all the work that was invested into making X11 work for everyone over the last decades.

                                                1. 3

                                                  X’s design has many flaws, but those flaws are well known and documented, and workarounds and extensions exist to cover a wide range of use cases.

                                                  Once mere flaws become security issues it’s a different matter though.

                                                  [Wayland] has a hard time catching up with all the work that was invested into making X11 work for everyone over the last decades.

                                                  This may be true now, but Wayland is maturing as we speak. New tools are being developed, and there isn’t much missing in the realm of protocol extensions to cover the existing most-wanted X features. I see Wayland surpassing X in the next two, three years.

                                                  1. 2

                                                    Yeah, I started to use sway on my private laptop and am really happy with it. Everything works flawlessly, in particular connecting an external HiDPI display and setting different scaling factors (which does not work in X). However, for work I need to be able to share my screen in video calls occasionally and record screencasts with OBS, so I’m still using X there.

                                                2. 4

                                                  I wonder if X’s security model being “outdated” is partly due to the inexorable slide away from user control. If all your programs are downloaded from a free repo that you trust, you don’t need to isolate every application as if it’s out to get you. Spotify and Zoom on the other hand are out to get you, so a higher level of isolation makes sense, but I would still prefer this to be the exception rather than the rule.

                                                  In practice 99.9% of malicious code that is run on our systems is done via the web browser, which has already solved this problem, albeit imperfectly, and only after causing it in the first place.

                                                  1. 4

                                                    If all your programs are downloaded from a free repo that you trust, you don’t need to isolate every application as if it’s out to get you

                                                    I completely agree, as long as all of my programs are completely isolated from the network and any other source of untrusted data, or are formally verified. Otherwise, I have to assume that they contain bugs that an attacker could exploit and I want to limit the damage that they can do. There is no difference between a malicious application and a benign application that is exploited by a malicious actor.

                                                    1. 1

                                                      all of your programs are completely isolated from the network?

                                                      how are you posting here?

                                                      1. 2

                                                        They’re not, that’s my point and that’s why I’m happy that my browser runs sandboxed. Just because I trust my browser doesn’t mean that I trust everyone who might be able to compromise it.

                                                        1. 1

                                                          that makes sense for a browser, which is both designed to run malicious code and too complex to have any confidence in its security. but like i said i would prefer cases like this to be the exception. if the rest of your programs are relatively simple and well-tested, isolation may not be worth the complexity and risk of vulnerabilities it introduces. especially if the idea that your programs are securely sandboxed leads you to install less trustworthy programs (as appears to be the trend with desktop linux).

                                                          1. 2

                                                            Okay, what applications do you run that never consume input from untrusted sources (i.e. do not connect to the network or open files that might come from another application)?

                                                            1. 1

                                                              I don’t think you are looking at this right. The isolation mechanism can’t be 100% guaranteed free of bugs any more than an application can. Your rhetorical question is pretty far from what I thought we were discussing so maybe you could rephrase your argument.

                                                  2. 1

                                                    This argument seems similar to what happened with cinnamon-screensaver a few weeks ago:

                                                    https://github.com/linuxmint/cinnamon-screensaver/issues/354#issuecomment-762261555 (responding to https://www.jwz.org/blog/2021/01/i-told-you-so-2021-edition/)

                                                    It’s a good thing for security (and maybe for users in the long term once they work again) that these usecases are broken, but it is not a good thing for users in the short term that these usecases don’t work on Wayland.

                                                  1. 10

                                                    🎄

                                                    1. 3

                                                      🎁

                                                      1. 4

                                                        🦞

                                                        1. 4

                                                          I wonder who sponsored that emoji… :-)

                                                    1. 9

                                                      This reminds me of http://vanilla-js.com/ 😉. I do agree with the sentiment when possible though – keep your footprint as small and sleek as possible so long as it doesn’t cripple your ability to maintain and scale.

                                                      1. 3

                                                        That’s amazing

                                                        1. 1

                                                          My favorite part about this website has always been that the gzipped version is 25 bytes due to the compression header. I think I checked once they it was correct by gzipping an empty file.

                                                      1. 3

                                                        I currently have a similar issue with my webcam (Logitech StreamCam). When I use it, my system freezes or peripherals stop working (please let me know if and how I can be of help for debugging and troubleshooting, or if somebody else here is also experiencing this problem).

                                                        I know from experience that it’s most likely due to a race condition in the firmware, and I’ll have to wait for a firmware update (or an update in the Linux UVC driver), but I find it fascinating that a single misbehaving peripheral can destabilize the entire system.

                                                        I know there are good reasons against this, but one can only dream of an ideal world where a kernel is more resilient and self-segregational (i.e. a microkernel) with strictly mandated IPC mechanisms.

                                                        I’d gladly trade a bit of performance for the advantages it would provide.

                                                        1. 4

                                                          I don’t think a microkernel would actually help though, right? The problem wasn’t the kernel, it was that the hardware was bad in certain situations. If you put your WiFi/Ethernet card driver in a userspace process, that’s not going to change the fact that the physical networking card is getting lots of interference from the USB and HDMI cards, and is dropping or corrupting packets like nobody’s business.

                                                        1. 2

                                                          @gempain this looks great. Frankly I’ve been wanting to write something like this for my own personal use for years.

                                                          It’s a bit of a bummer to see this under the BSL. However, it looks like the change date to Apache 2.0 is extremely close to release date. Can you talk a bit about what you’re trying to accomplish/what the thinking is there?

                                                          1. 3

                                                            Thanks for the kind words ! This is a mistake from us, the change date should be in 2023, thanks for pointing this out. The reason behind choosing a BSL is that we’d like to finance the project by running a cloud version of Meli :) Basically you can do all you want with the tool, but we find this license fair enough so that a team like us can fully dedicate its time to making this project awesome while allowing others to use it for free.

                                                            1. 1

                                                              Hey, really cool project! Honestly I was looking for something exactly like this anddd youve got packaged up in docker, saves me from having to do that!

                                                              Looking forward to using it.

                                                              Also, I personally think that the license choice is appropriate but considering how this is a new type of license do you think after some time your team could share some thoughts on how successful it was?

                                                              I don’t want to detract too far, but I think finding a sweet spot between user freedom (open source) and sustainability is very important. I’d rather a BSL project that is updated and improved over the years than an open source prototype that cant reliably be used because the developers had to move on to another project.

                                                              1. 3

                                                                Thank you for this really nice comment ! I think exactly the same way as you ! I am aware that the debate over BSL is hot at the moment, and not every one will agree. We want to focus solely on developing this tool, and in this context, BSL makes sense as it gives the team a chance to monetize the project fairly. Everyone can use the tool for free, with no limitations, except the one mentioned in the license. It’s a fair model, which has been supported by the OS foundation even though they have not recognized it officially yet. We’re part of the people that believe in it and would love to see the community supporting this choice - it’s a good way to ensure healthy evolution of a platform like this. I think BSL makes sense for platforms, but for libraries, we always use MIT or GPL as I think it’s more suited. We’ll definitely blog about how it goes with this license, it’s a topic I hold at heart.

                                                              2. 1

                                                                Basically you can do all you want with the tool

                                                                From the license:

                                                                (…) make non-production use of the Licensed Work

                                                                Am I missing something, or can one do everything except use it?

                                                                1. 2

                                                                  BSL: You can self host or pay for hosting but not sell hosting to others.

                                                                  1. 1

                                                                    It’s not that simple from the BSL alone, but I missed the concrete parameters to this use of the license:

                                                                    Additional Use Grant: You may make use of the Licensed Work, provided that you may not use the Licensed Work for a Static Site Hosting Service.

                                                                    A “Static Site Hosting Service” is a commercial offering that allows third parties (other than your employees and contractors) to access the functionality of the Licensed Work by creating organizations, teams or sites controlled by such third parties.

                                                                    For an unmodified BSL, any “production use” is outside the grant, but Meli grants “use” outside of running a service as specified (it appears they allow a non-commercial service though).

                                                                    1. 1

                                                                      It may be a good idea to design a “composable” set of shared source licenses like Creative Commons did with their licenses for creative works. E.g. SourceAvailable-ProductionUse-NoSublicensing-NoCloud.

                                                                2. 1

                                                                  Thanks for clarifying. This does make sense!

                                                              1. 9

                                                                I would love to read a thread where someone explains why the app is so gigantic to begin with. It does not do a whole lot, so what is all this code doing?

                                                                1. 19

                                                                  The author explains this in a reply here: https://mobile.twitter.com/StanTwinB/status/1337055778256130062

                                                                  The app looks simple from the user perspective. But on the global scale the business rules are insanely complicated. Every region has custom rules/regulations. Different products have different workflows. Some regions have cash payments. Every airport has different pick rules…

                                                                  See also the people replying to that discussion, they talk about how unreliable networking means they can’t do this stuff on the backend.

                                                                  1. 2

                                                                    they talk about how unreliable networking means they can’t do this stuff on the backend.

                                                                    Uber is infamous for having over 9000 microservices. They even had to “re-invent” distributed tracing, because NIH syndrome or something (Jaeger, now open-tracing). I really, really doubt they do it all on the client. They have to make sure the transaction is captured anyway and without network, how can you even inform drivers?

                                                                    1. 4

                                                                      Presumably they verify everything on the backend anyway because you can’t trust the client. My guess is that the network is reliable enough to submit a new trip, but not reliable enough to make every aspect of the UI call out to the backend. Imagine opening the app, waiting for it to locate you, then waiting again while the app calls out to the network to assess regulations for where you are. Same thing picking a destination. That latency adds up, especially perceptually.

                                                                  2. 12

                                                                    Yeah that’s the part that gets me, it’s like the dril tweets about refusing to spend less on candles. Just write less code! Don’t make your app the Homer Simpson car! What is the 1mb/week of new shit your app does good for anyways? It’s easy, just play Doom instead of typing in Xcode.

                                                                    I don’t have hypergrowth mentality though, I guess that’s why Uber rakes in all the profits.

                                                                    1. 6

                                                                      I guess that’s why Uber rakes in all the venture capital dollars to subsidize their product

                                                                      Fixed it for ya ;-)

                                                                      1. 1

                                                                        I would love to see Chuck Moore’s (RIP) take on 1 MB/week. He might just have a seizure.

                                                                        1. 5

                                                                          Thankfully, Chuck Moore is alive.

                                                                          1. 5

                                                                            Ah, man, well I have egg on my face. I feel quite silly. I’m going to slink into a corner somewhere.

                                                                      2. 4

                                                                        I recall a few years ago someone disassembled Facebook’s (I think) Android app and found it had some stupendously huge number of classes in it. Which led to a joke about “I guess that’s why their interviews make you implement binary trees and everything else from scratch, every developer there is required to build their own personal implementation every time they work on something”.

                                                                        Which is cynical, but probably not too far off the mark – large organizations tend to be terrible at standardizing on a single implementation of certain things, and instead every department/team/project builds their own that’s done just the way they want it, and when the end product is a single executable, you can see it in the size.

                                                                        1. 4

                                                                          I wonder if there could also be some exponential copy-paste going on, where instead of refactoring some existing module to be more general so it satisfies your need, you copy-paste the files and change the bits you need. Then somebody else comes along and does the same to the package that contains both your changed copy and the original package, so there are now 4 copies of that code. The cancerous death of poorly managed software projects.

                                                                          1. 2

                                                                            Scary… and probably very true.

                                                                      1. 6

                                                                        I think the nature of Stream is acceptable. Since it’s a midway point between RHEL minor releases, general quality should be fine. My issue is with the reduced lifetime. Stream is only maintained for the duration of RHEL Full Support, 5 years instead of 10. 5 years is the same lifetime as Debian or Ubuntu but those have mature support for in-place upgrades.

                                                                        1. 1

                                                                          those have mature support for in-place upgrades.

                                                                          Will CentOS Stream not? (Genuine question; I think I might just be misunderstanding you.)

                                                                          1. 2

                                                                            I was under the impression that RHEL still had no official in place upgrades. That’s not true anymore.

                                                                        1. 13

                                                                          I have to admit I have no context here, and was mislead by the headline into clicking through, because I read “you” as “any arbitrary person,” and not “specific people who got a letter from Brown University about accessing Brown buildings and networks,” so I was curious, and then a little annoyed…

                                                                          But with that out of the way, were there really people surprised by these letters, and needing it spelled out?

                                                                          People are so naive they don’t think the University is tracking access to their buildings and networks? What do they think the access cards are for?

                                                                          1. 13

                                                                            There are college students so naive they don’t think the University is tracking access to their buildings and networks?

                                                                            Yeah. 🙁 This situation has surprised a lot of students on campus.

                                                                            1. 4

                                                                              Disappointing, but fair enough.

                                                                              1. 4

                                                                                The silver lining is that now there will be an increased awareness of this behavior, so that’s something (even if it is fleeting for the most part…)

                                                                              2. 8

                                                                                It’s interesting how many people do not realize this and more. Few year ago some students broke into campus in Maryland and sprayed some swastikas and racial messages. They were caught because their phones connected to school wifi with their logins…

                                                                                1. 6

                                                                                  They think the access cards are to get into buildings - it doesn’t occur to them that it’s an entire, campus-wide networked system because it doesn’t look like it is. It’s easy for us in a technology forum to realize that this kind of tracking is possible and probably occurring, but imagine you didn’t have the technical background to understand that there must be some sort of centralized network/database/etc. Do you really think you would make the connection? Both that this kind of logging is possible in the first place, but also that the university might actually be doing this (extremely invasive) logging? IT is generally a trusted entity whose job is to keep students safe; it wouldn’t even occur to most students that IT might be hostile (at least, from their perspective).

                                                                                  1. 6

                                                                                    I doubt even many computer science students have this in their threat models…

                                                                                    1. 9

                                                                                      Exactly. I mean frankly I spend a lot of time/effort protecting my privacy and security and am pretty much the most paranoid person I know on my campus (at least when it comes to technology). I assume my university WiFi is hostile (especially because on the guest network, which admittedly seems to be run by a different organization than the regular network, I have used OONI Probe to catch them censoring traffic), and generally speaking I do not fully trust the IT department. And even I didn’t seriously consider that the university might be going to this extreme level to surveil students, although I did wonder if they were monitoring building swipes to enforce no-guest policies*.

                                                                                      It isn’t news that Brown (or my university, or presumably tons of other universities) has these capabilities. It’s just a reminder that they do, and that those surveillance systems are ripe for abuse. But more importantly, what’s really noteworthy here is that Brown actually decided that it was a good idea to deploy this kind of invasive surveillance and tracking against students. Whether the public health benefit of enforcing the Student Code of Conduct’s COVID-19 policies outweighed the cost of the invasive way they did so is a separate, highly complex issue that honestly I don’t want to comment on without having more information. But I don’t think it’s controversial to say that said cost was quite high.

                                                                                      *: it was later confirmed to me by a university official that they considered this - implemented this? I can’t remember - but that it wasn’t/wouldn’t be effective because swipe access is deactivated for residential buildings you don’t have authorization to be in. So most students wouldn’t even try the swipe because they knew it wouldn’t work; instead they’d just call their friend they were going to see to let them into the building.

                                                                                      1. 6

                                                                                        I TAed my university’s security class. For one of the assignments (which really was a CTF I put together), I gave our students access to a rpi3 that they could comb for flags.

                                                                                        I don’t know how much nmapping of the school network was done from the pi, but I do know that it was a nonzero amount, mostly by accident by scanning too many subnets in the process of learning how nmap worked. And no one seemed to care ultimately…

                                                                                        The extra credit on the assignment was to break into my Linux account via a privilege escalation. Only one team succeeded, but I had a pair of students determine which building I lived in from examining reverse DNS. I wish I could have given them extra credit for that.

                                                                                        Anyway, it was the coolest group of students ever.

                                                                                        1. 3

                                                                                          Man, that sounds fantastic. I wish I could take that class!

                                                                                          1. 2

                                                                                            They had fun. The group that basically was able to track me down with metadata in our pentest assignment made lots of that grading worth it.

                                                                                            There was another group that said that I had been social engineered by giving them an account on the raspberry pi. Technically correct, since it was given to them so they could do the assignment :-)

                                                                                            On our binary exploitation project, another group accidentally got a shell on one of the targets with ROP. That’s a discussion for another day…

                                                                                    2. 1

                                                                                      IT is generally a trusted entity whose job is to keep students safe; it wouldn’t even occur to most students that IT might be hostile (at least, from their perspective).

                                                                                      Doesn’t helping to enforce quarantine during a pandemic count as keeping students safe?

                                                                                      1. 1

                                                                                        The rule being enforced relates more so to where you quarantine, not whether you’re quarantining. It does not apply to the significant number of Brown students in Providence who elected to take an academic leave this semester (but are oftentimes still employed as TAs).

                                                                                    1. 4

                                                                                      Neat idea! A tangent, but I worked on a commercial project once that was basically ZFS send, but built on top of any other file system (doing the deduplication/compression/encryption at the application layer). That would be a really cool side project for someone.

                                                                                      1. 5

                                                                                        I think rsync.net offers this ability too, right? either way, great to see this

                                                                                        1. 1

                                                                                          Sounds a bit like BorgBackup or Restic?

                                                                                          1. 1

                                                                                            oh nice, they support zfs receive?

                                                                                            1. 3

                                                                                              Oop, sorry to never reply to this - I think one or both of us misunderstood parent’s comment :P

                                                                                              I can really only speak for Borg, although my understanding is that Restic has a similar design. Borg acts at the application layer, so it’s filesystem-agnostic; the elevator pitch is, “backups take the space and bandwidth of incremental backups, but each one acts like a full backup”. That is, you can restore, delete, etc. each backup independently.

                                                                                              Borg does this by having a consistent read/write “repository” at the other end, instead of just giving you some files you can stick anywhere. (In practice I’m sure you could make this work with pretty much anything; you can definitely hack a POSIX filesystem for Borg on top of e.g. object storage, though it might not be pretty.) I’m not sure if this is actually how it works internally, but the way I like to think about a Borg repository is as a collection of reference-counted (compressed and encrypted) file chunks. Whenever you run a new backup, it will reuse chunks when possible, incrementing their reference count. So effectively each backup contains the entire dataset and is a “full backup” for the purposes of restoration, deletion etc., it just happens to be that it shares most of its data with previous backups, which is that gives it the “space and bandwidth of an incremental backup” property.

                                                                                              So to answer your original question, no, Borg has no knowledge of ZFS send/receive, or really any other filesystem. But, it has some similar magic-feeling abilities - in particular, paying only the cost of incremental changes, but still having the final result (a ZFS snapshot or a Borg backup) act like a full, independent filesystem tree. Assuming you are sending your ZFS snapshots to zfs receive on another zpool and not files in a different filesystem, you never have the problem of, “oh no, I want to restore from backup but my last full backup was 6 incrementals behind where I need to restore from, so now I need to download the last full one and then apply the 6 incrementals on top of them.” You can just access (or zfs send) the relevant snapshot directly. Same with Borg.

                                                                                        1. 15

                                                                                          If the site is about no JS, then what’s the point in having a bar that shows the page size? Is the size of the page somehow relevant to sites not running JS?

                                                                                          I get that this is a direct copy of sites like 1mb, 512kb and 200kb club, but I don’t get the focus on page size for this application. Surely there’s a better measure to add on the page?

                                                                                          1. 2

                                                                                            What’s a better measure? I’m open to suggestions.

                                                                                            1. 7

                                                                                              NoJS vs JS is a binary distinction, there is nothing to measure other than presence or absence.

                                                                                              1. 2

                                                                                                Sure. That’s The criteria for being added to the list the page size is an objective measure to stack rank them. It could have been alphabetical but size is a bit more substantial.

                                                                                                1. 3

                                                                                                  A minimal or lightweight site could have more data per page in principle, if it has more content. But in practice heavier pages have more cosmetic BS, not more content, which I think is what you were hoping to get at.

                                                                                              2. 6

                                                                                                That’s kinda my point…there’s no way to measure a negative, so it seems counterintuitive to measure something completely unrelated just for the sake of having “a measurement”.

                                                                                                1. 1

                                                                                                  I disagree

                                                                                                2. 4

                                                                                                  How about full site loading time with a browser? I think considering that people usually dislike JS in that it makes sites feel slow, this would be a more useful measure.

                                                                                                  1. 1

                                                                                                    Good idea. I’ll investigate how easy it is to run phantom or cdp in GitHub actions.

                                                                                                    1. 5

                                                                                                      I also agree with the other comments here arguing that there are ways to judiciously use JS… however, JS usage is definitely overall ridiculous and out of hand and so I can’t resist pointing out that a particularly ironic metric to look at here would be Time to First Meaningful Paint, which AFAIK basically only exists because of dumb JS tomfoolery “booting” pages and filling in all the content client-side.

                                                                                                      Maybe you could even have a second version of the page that would add (with red bars for “bad” or something) a few JS heavy sites to demonstrate just how dramatically improved TTFMP is on the no-JS sites?

                                                                                              1. 19

                                                                                                Atlassian uses GitHub for all its projects. I think it keeps Bitbucket for existing customers that still pay but probably ships no features as it’s a waste of time. I am always surprised how so many companies still use Atlassian when for every single product they have, a better alternative exists.

                                                                                                1. 8

                                                                                                  Jira is the most configurable issue tracker i know.

                                                                                                  Confluence is the best wysiwyg wiki i know.

                                                                                                  For Bitbucket I’m not sure, but it might also win for configurability.

                                                                                                  1. 28

                                                                                                    Jira is the most configurable issue tracker i know.

                                                                                                    That’s why it’s so bad. It makes busywork a full time job.

                                                                                                    1. 5

                                                                                                      An old go-to joke of mine is that I’d like to work at Atlassian for a year just to see the world’s only correctly-configured Jira install.

                                                                                                      1. 2

                                                                                                        I dunno. A lot of other tooling assumes a lot about workflows that you might not think about because it suits your workflow. I work in the games industry at a small shop. The server team, web team, gameplay teams, QA teams, art teams, content writing teams, and translation teams all have very different workflows, so the configurability is helpful. We have a yearly release cycle so we tweak the Jira workflows about once a year. But we also use BitBucket and it does indeed suck a whole lot, as does Confluence.

                                                                                                      2. 11

                                                                                                        How configurable do you need your issue management to be? Linear does pretty much everything one may need for issue tracking and does it fast.

                                                                                                        For Confluence, I had personal bad experience where I dreaded adding content to it because of its wysiwyg editor amongst horrible search and again super slow UI.

                                                                                                        Things may have changed though.

                                                                                                        1. 5

                                                                                                          Linear is probably great for software projects. I think Jira is used much more broadly to track any given process in enterprises.

                                                                                                          1. 2

                                                                                                            Yes, JIRA is also used basically as a project management toolkit that goes beyond issue tracking. Epics, boards, service tickets are all things I’ve seen used at a huge international corporation.

                                                                                                            That doesn’t mean it’s good, just what it’s used for. I think GitLab does a lot of this stuff.

                                                                                                          2. 2

                                                                                                            It isn’t just about issue management being configurable, it’s also about reporting and statistics-collecting being configurable. If your boss wants this report done this way, helping them deal with disappointment isn’t always the optimal answer, and Enterprise Software is Middle-Management-Ware first and foremost.

                                                                                                            1. 1

                                                                                                              Linear doesn’t even have on-premise installs, does it?

                                                                                                              1. 1

                                                                                                                Atlassian is phasing out on-premise installs of Jira.

                                                                                                                https://www.atlassian.com/blog/announcements/journey-to-cloud

                                                                                                                On February 2, 2021 Pacific Time (PT), the following changes will go into effect:

                                                                                                                • End of new server license sales: You can no longer purchase or request a quote for a new server product.
                                                                                                                • Updates to server prices: We will implement new prices for server renewals and upgrades.

                                                                                                                On February 2, 2024 PT, the following change will go into effect:

                                                                                                                • End support for all server products: This means that support and bug fixes will no longer be available for your server products.
                                                                                                                1. 1

                                                                                                                  Have a guess why people using Jira are looking at alternatives that have a comparable feature set, one of the features being on-premise installs.

                                                                                                                  1. 1

                                                                                                                    My point exactly.

                                                                                                            2. 6

                                                                                                              Does anyone have any recommendations for issue management that aren’t online-only? We’re using Jira now, but since Atlassian has decided to stop developing the on-premises variant we’re in need of something new (eventually, we’ve got a couple of years to transition).

                                                                                                              Both Asana and Linear (which got recommended in this thread) seem to be online only.

                                                                                                              1. 2

                                                                                                                there’s always bugzilla…

                                                                                                                1. 3

                                                                                                                  Upstream Bugzilla is very far from the nice experience you get on bugzilla.mozilla.org though. You have to work a lot to get it to be not really ugly.

                                                                                                                2. 1

                                                                                                                  Why do you guys need on-prem? Regulatory issues?

                                                                                                                  1. 7

                                                                                                                    We’d like to keep our secrets where we can see them, I suppose.

                                                                                                                    Edit: and also not be auto-updated to newer versions of a tool that could mess up our internal workflow with no chance of going back to a version that worked the way we liked it. Or have the provide go out of business. Or other similar issues.

                                                                                                                    1. 1

                                                                                                                      Redmine?

                                                                                                                    2. 4

                                                                                                                      Yes. Storing critical data on other peoples’ computers is simply not an option.

                                                                                                                      1. 4

                                                                                                                        Amen. It’s nice to use other peoples’ computers sometimes, for “unimportant” things. (Scare quotes used there, because I include things that are only unimportant owing to careful contingency planning that makes it so in that bucket.)

                                                                                                                        But for critical, core things, the question should be “what have you done to make it OK for this to live in the cloud?” Not “why do you need on-prem?”

                                                                                                                        1. 3

                                                                                                                          I used to work in a place where adopting new tools was pretty straightforward if you needed them, but they required a reasonable bit of planning ahead, after the company got burned many years before when a software package they used got retired and a whole product line got delayed because there was no way to test them on time. There was a small sub-section in the proposal that read “Migration Path” and basically required you to list how you’d move to another solution should the current one stop working for whatever reason (company goes under, licensing costs become prohibitive etc.) Due to that sub-section the company was basically fully on-prem.

                                                                                                                          When the expected lifetime of a company is in the 3-5 years range (ship something, get acquired) you can use pretty much anything from anywhere, but these guys had been in business for a very long time. They’d outlived virtually all of their suppliers, sometimes by decades.

                                                                                                                          1. 1

                                                                                                                            Same story here. Dropping/rejecting a lot of dependencies based on “we are unsure whether this stuff will exist in 20 years/built by Google”.

                                                                                                                    3. 1

                                                                                                                      My team is also looking into alternatives to JIRA and also wants to keep it on-prem. I would be curious as well as to what solutions others come up with.

                                                                                                                      1. 2

                                                                                                                        Paid GitLab? We use it even as an internal forum.

                                                                                                                        1. 1

                                                                                                                          We actually are already using paid gitlab on prem. Not sure if thats being considered.

                                                                                                                      2. 1

                                                                                                                        Fossil might be worth a look? It’s from the SQLite folks I think.

                                                                                                                        https://www.fossil-scm.org/

                                                                                                                        (It does a lot more than issue tracking though.)

                                                                                                                      3. 1

                                                                                                                        Jira is the most configurable issue tracker i know.

                                                                                                                        I recommend to check out Asana. It comes pretty close.

                                                                                                                        1. 1

                                                                                                                          Asana doesn’t even have on-premise installs, does it?

                                                                                                                            1. 0

                                                                                                                              Did you click on the link?

                                                                                                                              (Assuming you did, guess why people using Jira are looking at alternatives with a comparable feature set, one of the features being on-premise installs?)

                                                                                                                              1. 1

                                                                                                                                Because Jira’s UX sucks. Which is what the submission is about. Except it’s about Bitbucket.

                                                                                                                                I get the point you’re making but self-hostedness didn’t come up so far in this thread. Only UX and flexibility.

                                                                                                                                So if this is a requirement for you that’s fine and I acknowledge you can’t use Asana. Just stop implying I did not read the submission or am missing the point of the discussion.

                                                                                                                                1. 2
                                                                                                                                  1. 3

                                                                                                                                    self-hostedness didn’t come up so far in this thread

                                                                                                                                    Let me rephrase: I was responding to a poster that did not bring up self-hosted as requirement or apprechiated feature. I would not respond to a statement about Jira being the most configurable issue tracker if I didn’t consider Asana to be comparable in that regard.

                                                                                                                      4. 2

                                                                                                                        The hosted version of bitbucket (as opposed to bb server which is a completely separate thing for self hosting) is surely on life support at this point.

                                                                                                                        Then again, I think it’s hard to say it’s ever not been on life support, with issues like this one being open 10 years without even commitment to implement, much less actual implementation.

                                                                                                                        1. 4

                                                                                                                          For a while BitBucket offered some pretty decent competition to GitHub; for example the whole “copying code” thing from this article was pretty borked on GitHub too up until 2 or 3 years ago. Even though BitBucket was always a “GitHub clone” some features were done better in BitBucket IMHO. It had stuff like proper code reviews way before GitHub had.

                                                                                                                          But at some point it was pretty clear GitHub was on the winning side and they seemed to have just given up. Some features even regressed and became worse. It’s a shame in way, because it had a lot of potential and could have been what GitLab is today. The Atlassian acquirement was both a blessing and a curse, but ultimately more curse than blessing.

                                                                                                                      1. 7

                                                                                                                        What’s the advantage of this vs. just expressing dependencies directly? That is, if you have some frontend service Foobar that needs Postgres, why not just have foobar.service do After=postgresql.service etc. directly, instead of going through the hassle of putting that directive in infra.target and then having frontend.target depend on that? It just seems like a lot of abstraction for very little gain. In fact, you’ll probably take a boot performance hit because systemd can no longer fully parallelize boot. Specifically, if some frontend service Baz does not require Postgres, under this setup systemd is not allowed to start Baz at the same time as Postgres, even though it could.

                                                                                                                        What I have found targets to be very helpful for is grouping different services that make up one “app” together. For example: foobar-web@.service and foobar-worker@.service, where there might be an arbitrary number of web frontend processes and background job worker processes, respectively. It’s very helpful to bind these together into e.g. foobar.target so you can query and change the state of the entire Foobar app with a single systemctl command.

                                                                                                                        1. 2

                                                                                                                          Additionally what I would personally do is to make most of these services start on demand instead. This would allow me to make services start when really needed at cost of some initial connections.

                                                                                                                          1. 1

                                                                                                                            What’s the advantage of this vs. just expressing dependencies directly?

                                                                                                                            Now it’s quite simple to add another dependency to all your apps, say redis. As I run more and more apps knowing I get the same services to boot before them lets me think of my server more of a platform. E.g. starting nginx after all container names are registered makes it super easy to have route traffic to the correct app without having to hand out IP manually.

                                                                                                                            In fact, you’ll probably take a boot performance hit because systemd can no longer fully parallelize boot.

                                                                                                                            Yep, that’s true there’s a little overhead event with my simple use case I’m seeing 39s instead of 37s which in the end is something.

                                                                                                                            What I have found targets to be very helpful for is grouping different services that make up one “app” together.

                                                                                                                            That’s also very nice to have I was using namespaces for this but it’s much simpler.

                                                                                                                            1. 3

                                                                                                                              Now it’s quite simple to add another dependency to all your apps, say redis.

                                                                                                                              Does all that apps require Redis? I highly doubt it. And finer grade control would allow to start such services before Redis, which could result in better startup performance.

                                                                                                                              E.g. starting nginx after all container names are registered makes it super easy to have route traffic to the correct app without having to hand out IP manually.

                                                                                                                              Or you can dynamically register services and just reload Nginx configuration after each new service is registered. This would allow to handle services faster with proper fallback to error message. You could use for example Consul to do so, with consul-template. No manual handling of IPs, distributed if needed, and more robust.

                                                                                                                              1. 3

                                                                                                                                I think we are getting further and further from each others use case, I run one VPS for my wonky web apps not software in production. That said it’s just very nice to add one new app and be sure it will get the same services as all the others, I can always register it as WantedBy=multi-user.target or specify its Wants if needed.

                                                                                                                                Or you can dynamically register services and just reload Nginx configuration after each new service is registered.

                                                                                                                                that’s all very nice but I will always take my configuration as text files thank you, I looked into using the nginx HTTP API and it’s not worth it for my usage. I have some M4 templates around and a shell script for adding and removing them and so far so good.

                                                                                                                          1. 66

                                                                                                                            Soon we’ll need Google-approved browsers to access Google’s version of the web. Well played.

                                                                                                                            1. 34

                                                                                                                              You already do! Try visiting a site using recaptcha from a non-approved browser sometime…

                                                                                                                              1. 14

                                                                                                                                One can only hope that the US DOJ’s lawsuit against google will result in any real penalties/changes for this, but I’m not holding out too much hope.

                                                                                                                                1. 13

                                                                                                                                  The Chromium-based Edge seems immune to these. I get far fewer requirements to do some mechanical Turk work to classify images for Google’s self-driving cars on Edge on Windows than I do on Safari on Mac, Firefox anywhere, or pre-Chromium Edge on Windows. As @craftyguy says, this is exactly the kind of thing that I hope the DOJ will look at: Subtly making large amounts of the web worse for users unless they use a Google browser seems like the kind of thing that antitrust laws are supposed to prevent.

                                                                                                                                  1. 2

                                                                                                                                    Could the browser spoof the user agent to be something Google likes?

                                                                                                                                    1. 12

                                                                                                                                      yes totally, but of course this will end up in the usual cat and mouse game where Google will detect the circumvention technique and the circumventers will circumvent the circumvention technique circumvention.

                                                                                                                                      1. 5

                                                                                                                                        Isn’t Google trying to kill user agent?

                                                                                                                                        1. 5

                                                                                                                                          Yes It’s one of the many great ironies of Google - the Chrome team (along with other major browsers) are trying to kill the User Agent, but the rest of Google UA-sniffs. Exactly the kind of behavior they’re trying to kill the User Agent over.

                                                                                                                                          1. 2

                                                                                                                                            that and the address bar too

                                                                                                                                      2. 6

                                                                                                                                        Tried to log into my Google account from an OpenBSD laptop in Chrome today. Right creds, just got redirected to “we couldn’t verify that belongs to you”.

                                                                                                                                      1. 6

                                                                                                                                        So planning to break even more websites?

                                                                                                                                        I’m already struggling to find energy to keep using Firefox when it generally performs much worse than Chrome, adding more friction won’t make anything better in my opinion.

                                                                                                                                        Let’s see, I believe in a world where FF leads the way once again, one can only hope.

                                                                                                                                        1. 11

                                                                                                                                          This is opt-in. Did you read the full article?

                                                                                                                                          1. 11

                                                                                                                                            The future of the web is HTTPS-Only

                                                                                                                                            Once HTTPS becomes even more widely supported by websites than it is today, we expect it will be possible for web browsers to deprecate HTTP connections and require HTTPS for all websites. In summary, HTTPS-Only Mode is the future of web browsing!

                                                                                                                                          2. 5

                                                                                                                                            This isn’t on by default.

                                                                                                                                            1. 3

                                                                                                                                              I missed that. Thanks!

                                                                                                                                            2. 3

                                                                                                                                              Since the launch of Let’s Encrypt, every browser (not only Firefox) has incrementally pushed HTTPS-related features to incentive its generalization.

                                                                                                                                              Sure, FF83 is making a radical (but optional) move here, but I have the feeling that it’s only the continuation of that trend every browser support. That is, I wouldn’t be surprised if Chrome follows and releases a similar feature in near future.

                                                                                                                                            1. 1

                                                                                                                                              The linked demo application (Reply) brings my 2020 phone to a grinding halt. Apparently, re-implementing hardware accelerated UI components in canvas an javascript is slow (who’d have guessed?)

                                                                                                                                              I’m not worried about it taking over the web.

                                                                                                                                              1. 1

                                                                                                                                                I’m not worried about it taking over the web.

                                                                                                                                                Why not? Because it has performance problems? Since when has that stopped people?

                                                                                                                                              1. 1

                                                                                                                                                Flutter is a misguided attempt to achieve the impossible: quality cross platform experiences.

                                                                                                                                                I don’t think it is impossible at all, just moderately difficult.

                                                                                                                                                Anecdotally, I’ve been able to achieve a usable forum website which is compatible with Mosaic, Netscape, IE, Lynx, Links, Firefox, Chrome, Opera, in many different versions, with and without JS when applicable.

                                                                                                                                                The beauty of bending over backwards for compatibility is that for each platform you adapt to, it becomes more likely it will work out of the box for the next one you try out of the box or with a small effort.

                                                                                                                                                For example, the first time I know of a regular screen-reader user testing my site, they were able to complete all the tasks and didn’t have any issues, even though I had not designed anything specifically for screen-readers by that point.

                                                                                                                                                1. 2

                                                                                                                                                  The article means native apps on the platform. Android apps, not a web app running in an Android web browser.

                                                                                                                                                1. 26

                                                                                                                                                  I just can’t take this serious. It already starts with the linked website for firefox and it’s privacy, which is already questionable. Complaining about portal detection ? Malicious Website Detection ? Trying to prevent abusive Plugins? Giving People the possibility to use Netflix & co ? (You may also say “yeah no, use windows+chrome for netflix, can’t have nice things because of people screaming against anything DRM in firefox”) Oh and of course the old “plugin API change is bad” argument coupled with “they’re evil for doing that”. And complaining about mozilla taking money from google for their search bar (which you can change btw), while giving literally no realistic replacement.

                                                                                                                                                  I can also start searching the evil in literally everything while following a zero tolerance policy regarding anything I don’t like..

                                                                                                                                                  Oh and about them not caring about your configuration opinions: Have you tried getting the Developers of any other free software to change it the way you want ? Did you go to the gnome people and told them that you dislike their new apple-ish bar and you want an options to disable it, make it look more like windows ? Did you go to anyone’s software and told them “I don’t like this, you have to change this and maintain this or you’re evil” ?

                                                                                                                                                  The only valid claim for me is that firefox/mozilla does not give you every possible configuration option you may want while pushing forward their ideas, which may be totally ignorant and/or wrong. And that they may be taking their “david vs goliath” stance to pressure you into using firefox.(I really liked this idea/view.) But otherwise I just can’t think of anything else than grumpy ol’ grandpa with his shotgun going “you dare to take a step on my land”.

                                                                                                                                                  1. 15

                                                                                                                                                    I absolutely agree. XUL add-ons were unsustainable and had to be removed. It also is not wrong for Mozilla to do what they think is best for users. Preferences have costs and Mozilla can’t make everything under the sun configurable. If you want to disagree with them then that’s fine, but the idea that they can’t take a stance on what they think is the best user experience and ship only that is silly. This is my least favorite meme in free software: “the maintainer said no to the feature I wanted so they’re evil.” (Or alternatively: “we have to add every feature that any user requests, ever.”)

                                                                                                                                                    See also: Is Linux About Choice?

                                                                                                                                                    1. 1

                                                                                                                                                      This would sound way better if they weren’t losing users each and every month …

                                                                                                                                                      1. 1

                                                                                                                                                        I don’t think that everything should be configurable, just that subsequent versions should make less things less configurable. The problem is that Firefox looks poor when compared to itself (or rather older versions).

                                                                                                                                                      2. 4

                                                                                                                                                        To elaborate a little bit more: I strongly agree that some of mozillas decisions are very questionable and that some of firefox additions are pretty uncalled for. I think the voices criticizing firefox are valid. But this article just feels like a negative rant that gives no room for other opinions*, while promoting chrome of all things and saying everything is lost. Well then please just stay silent ?! You won’t get anywhere by verbally shitting on other peoples work with very questionable arguments. (Who don’t owe you anything by the way.)

                                                                                                                                                        *I LIKE the new URL bar, I don’t care at all about the plugin change. And yes, I was a heavy user of things like “tabmixplus” and whatnot. Still I just can’t see the benefit anymore. Things change, people change.

                                                                                                                                                        1. 6

                                                                                                                                                          Did you go to the gnome people and told them that you dislike their new apple-ish bar and you want an options to disable it, make it look more like windows?

                                                                                                                                                          The power differential is completely different:

                                                                                                                                                          Gnome people don’t care about having users, while Mozilla is constantly guilt-tripping people to use them.

                                                                                                                                                          1. 13

                                                                                                                                                            Gnome people don’t care about having users….

                                                                                                                                                            This is actually not the case and not a claim to make off-handed.

                                                                                                                                                            1. 3

                                                                                                                                                              I interpreted it as “Gnome people won’t sacrifice their principles to get more users” which … dunno if that was the intent, but it makes a lot more sense.

                                                                                                                                                              1. 7

                                                                                                                                                                I disagree strongly: I think the ascribed principles (or at least their prioritization) to Mozilla are wrong and both Gnome and Mozilla act quite strongly in the same direction. They both got their mind on the end user. Through that lens, Gnome is even often struggling, e.g. if you check the state of their software distribution. It’s not fair to play out those to orgs against each other and certainly not something they want to see themselves in.

                                                                                                                                                                1. 2

                                                                                                                                                                  Last I checked the Gnome Web browser doesn’t support DRM.

                                                                                                                                                                  My understanding is that the big difference between these orgs is that Mozilla consists of primarily paid staff all under a single reporting hierarchy. Gnome has a mix of paid and unpaid contributors, but most of the paid contributors are not being told what to do by the people who are paying their salary. It shouldn’t be surprising that these different organizational structures result in different kinds of decisions being made.

                                                                                                                                                            2. 2

                                                                                                                                                              Fair enough