1. 5

    My comment in another thread (sorry @Shamar, didn’t realize you had also submitted your blog post as a separate story): https://lobste.rs/s/yz7npb/gpl_enforcement_update#c_fdcggi

    1. 1

      Following up on the above: So @Shamar, my take would be that the test code you added in this commit is copyrightable, but s/uint32_t/uint64_t/ is not.

      And I would also hope that adding ‘const’ to function parameters does not make the result a derivative work. You could probably find a lawyer who would support this claim though, as long as that lawyer doesn’t know C.

      1. 2

        You could probably find a lawyer who would support this claim though, as long as that lawyer doesn’t know C.

        Well, the lawyer I consulted knows enough about this stuff to suggest that I record the issue evolution in the WaybackMachine when I told him that they were using git rebase to remove me from the repository.

        He is pretty smart, actually. ;-)

        As for the const matter: are you sure you know the modifier’s semantics deeply enough? ;-)

        The modifier enables several optimizations (they can vary depending on the compiler).
        It was not supported by Ken-C.

        My patch enabled these optimizations not only for the functions you can find in the ISO C standard (that btw was not supported, in any way, by the Harvey’s libc), but also for others that were specific for Harvey, such as all the rune related ones.

        Now, I agree that my patch is the simplest possible way to enable such optimizations.
        But not the only one!

        If you barely know C, you know that there are several other ways to do the same. In a word: macros.
        But if they really wanted to support ISO C, they had several other alternatives to address the optimization problem without using a patch that conflicted with mine. They have an ISO C library in APEX after all!

        1. 2

          Whatever the semantics of const are in various implementations of C, this question boils down to whether your change is a copyrightable “derivative work” or not. I suspect you can only determine the legal answer in a long court case. Do you really wanna go there, after they’ve already removed all code that everyone already agrees constitutes a derivative work? I think you’re blowing this out of proportion.

          1. 1

            No no no! As I said otherwhere, I won’t bore them anymore.

            According to my lawyer, my github fork (frozen before the rebase) and the archive on the WaybackMachine should be enough to defeat in court any pretension on my code.

            The medium post is, as it has been defined by @mempko, just “a cautionary tale”.
            For younger devs pondering to contribute to Open Source Software.

            1. 3

              I don’t think what you’re doing is encouraging younger devs to contribute to open source :(

              1. 5

                Indeed! I strongly suggest them to contribute to Free Software, instead!

                1. 9

                  You had one problem with one project. Generalizing this experience to an entire class of communities doesn’t seem appropriate.

                  1. 2

                    Please, read more carefully.
                    I wrote:

                    Free Software feels proud of each person that contributes.
                    Whatever the license, a Free Software community will be very happy to add your name to their code base. Because you studied and changed the code.
                    You made it useful. You are a sign of honor.
                    They trust you. And respect you.

                    On the other hand, Open Source managers are eager to take your code.
                    But while your code becomes their asset, your copyright is a liability.

                    I’m not generalizing to “an entire class of communities”.

                    I’m saying that, whatever the license, you should not assume that you are working for a Free Software community that will trust and respect you.

                    And, that you should really know what you are doing before contributing to Open Source Software led by big firms, because there you will probably be just another minion to use.

        2. 1

          Ah.. yes… since you cited the scheduling issue, please try to get their change with s/uint32_t/uint64_t/! ;-)

          I don’t want to be a jerk, but as I wrote, I do not play poker. I try to back my statements with facts.

          1. 1

            please try to get their change with s/uint32_t/uint64_t/! ;-)

            Well, what other change in that diff do you mean? This one?

            -uint32_t tk2ms(uint32_t);

            +#define tk2ms(x) ((x)*(1000/HZ))
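
            Review bot: on the `+` line, `1000/HZ` is evaluated before the multiplication, so if `HZ` is an integer constant the quotient truncates: the macro is exact only when `HZ` divides 1000 and yields 0 for every input when `HZ` is greater than 1000. The removed prototype also pinned the argument and result to `uint32_t`, whereas the macro takes the type of `x`, so the multiplication can overflow or change signedness depending on the caller. I would suggest documenting the assumption on `HZ` beside the macro, or keeping a typed inline function instead.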

            Are you convinced that change must carry your copyright?

            I don’t mean to be confrontational, I’m just trying to help you find a perspective on the matter that doesn’t leave you in a bad mood.

            1. 1

              No, problem.

              What I mean is: open one of the files modified in that commit, eg sys/src/9/amd64pv/devarch.c or sys/src/9/k10/dat.h, at the state before the change and try to use s/uint32_t/uint64_t/ all over it.

              You will notice that you have just broken the system.

              Finding the right type to change was not trivial.
              And I had to do some iterations, testing manually that everything was working in kernel and user space.
              That’s why I wrote the test you cited.

              Do you really think that work does not constitute a derivative work? Are you sure it was a trivial change not deserving any authorship?

              1. 0

                Yes, so copyright your test. Doesn’t that solve the problem?

      1. 6

        It may be the late hour, but I’m having trouble synthesizing the information presented here. It seems that Giacomo contributed some code to Harvey, a Plan9 fork, but then forked Harvey at some point to create Jehanne. He stopped paying attention to Harvey at some point after focusing efforts on Jehanne. A friend pointed out that Harvey’s attributions no longer included his name. He verified this and then posted an issue about it. The Harvey folks said something along the lines of “no big deal” and after some discussion, the Harvey folks decided that it would be better to remove all of his contributions than to attribute them to him. He pointed out that their rework didn’t really remove his contributions but rather reimplemented them minorly. Then he posted a blog post about it.

        Does the Harvey team still have work to do if they want to actually mitigate a need to attribute to Giacomo?

        1. 12

          He laid it out cleanly in the end. Instead of respecting him and his contributions, they bitterly removed them. He feels the Free Software people respect contributors, while big corporate open source folks don’t. I agree with his conclusion. It’s a cautionary tale.

          1. 8

            It’s a cautionary tale.

            Exactly. But note that it’s not just a matter of Free Software’s ethics.

            As I tried to explain to them, if you use somebody else’s code without proper copyright statements, you pose a threat to their own right to use their code elsewhere.

            1. 1

              It sucks a lot but I think it’s something that we as contributors have to accept. Code changes. When our contributions are no longer present, there’s no longer a need to actively recognize those contributions. At least, that seems to be the terms of the license.

              1. 10

                except that’s not what seems to have happened. They actively removed and reimplemented so the name isn’t on the project. That’s some nasty stuff.

                1. 4

                  They actively removed and reimplemented so the name isn’t on the project. That’s some nasty stuff

                  Umm, no, that’s not nasty. It happens, sometimes for good reasons: https://marc.info/?l=openbsd-cvs&m=99118918928072&w=2

                  1. 3

                    The point @stsp is not that they reimplemented my stuff. Surely they can!
                    But their new implementation can be obtained by trivial, non recursive, modifications of my patches (that is: you can do that with notepad, you don’t even need a regular expression).
                    And, accidentally, their reimplementation work went mixed in few huge commits that were a squash of several commits from several authors.

                    Now, I won’t bore them anymore. But I really learned a lesson there.

                    1. 1

                      And if the parts of your patches they kept could be obtained by trivial, non recursive, modifications of their original code, what then?

                      Your statement shows that you are applying the derivative work concept, but only where it favours your own cause.

                      1. 4

                        And if the parts of your patches they kept could be obtained by trivial, non recursive, modifications of their original code, what then?

                        If you think that my patches can be obtained by trivial, non recursive, modifications of their original code, you didn’t look at the code at all…

                        1. 1

                          This is about parts of patches, not the patches as a whole.

                2. 3

                  I cannot agree @colindean: I didn’t complain for the code they removed or replaced.
                  For example I ported zlib to Harvey and wrote a console filesystem in user space, and they properly removed them together with the copyright statements, here and here.
                  I’m fine with this: it’s their project, they are many different people, they can always choose better approaches.

                  What I cannot accept, is people using my code and patches (that I’m using elsewhere) without any attribution.
                  SCO teaches that things can get hairy in the long term.
                  And they are backed by Software Freedom Conservancy.

            1. 1

              Well, it’s very interesting to contrast this article with what happened to my copyright in Harvey.

              What a perfect timing!

              1. 4

                Sorry, but I think you’re overreacting a bit there.

                I think the question boils down to whether your remaining contributions constitute a derivative work.

                What this means in practice is that copyright claims are usually added only for substantial rewrites or entirely new files. When modifying an existing work in a way that does not make the result a derivative work in the legal sense, it is better to retain the original copyright and licence claim, i.e. fold the contributions into it. This is because ownership of copyright implies the power to change the licence of the work. So adding copyright statements is not something that should be done willy-nilly because otherwise anyone getting a one-line fix into a project could arbitrarily change the licence of the affected file (EDIT: Of course, copyright could nowadays be tracked to individual lines thanks to version control, but the legal rules involved are older than version control, and always up to interpretation by lawyers).

                You deserve recognition for your contributions, no doubt. But adding a copyright claim is not the only way to recognize a contribution.

                1. 1

                  Sorry, but I think you’re overreacting a bit there.

                  Well, if you feel that as an “overreaction”, do not visit Italy. Ever. It would be scary, to you. ;-)

                  Of course, copyright could nowadays be tracked to individual lines thanks to version control, but the legal rules involved are older than version control, and always up to interpretation by lawyers.

                  And this is exactly what I’m afraid of!
                  I don’t want a lawyer to sue me because he saw my code in my project and he trusts the (git rebased) Harvey’s repository more than mine.

                  There was a reason why I asked to git revert the commits when they said that they prefer to remove the contributions instead of fixing the attribution.

                  Many reasons, actually.

                  You deserve recognition for your contributions, no doubt. But adding a copyright claim is not the only way to recognize a contribution.

                  Sorry, but I think you have completely misunderstood the matter.
                  Not your fault, though.

                  I do not care about any recognition from Harvey’s team. Really.
                  My contributions were gifts. Hadn’t I suggested my friend to try Harvey, I would have never noticed the issue.

                  But they removed the few copyright statements I added back in 2015 and also removed the CONTRIBUTORS file that contained my name (because it was “too much trouble” to maintain it).

                  Had they moved, say, to GitLab after an unfortunate git rebase, I would have had a hard time to prove I’ve ever actually contributed a single line of those I reused in my project.

                  1. 2

                    I think you are now mixing up two different parts of the conversation.

                    Yes, they removed a lot of code with your copyright on it, and that was done correctly and you already said you had no problem with that. But this is not the part of the conversation I am talking about.

                    What I am talking about is your concern about some changes which were left in their source tree after your copyrighted code was removed: https://github.com/Harvey-OS/harvey/issues/698#issuecomment-365286356

                    You claim that they must add your copyright back to those changes, and what I am saying (and I think it is what dancrossnyc from Harvey is saying as well) is that your copyright claim on those changes is valid only if those changes constitute a “derivative work”. If they don’t, then no copyright claim can be made which extends on that of the original copyright on the codebase. Which means both you and Harvey are entitled to make these same “non-derivative-work” mechanical changes in your projects without risking copyright infringement. So I don’t follow your argument that your copyright claim must be on those changes in order to legally protect your derived project. Essentially, there was no reason to ever have your copyright on those specific changes in the first place.

                    Now, for contributions which are considered a “derived work”, the situation is different, and this is why Harvey removed all of those changes we (you and me) both agree they should remove.

                    But you are still pursuing an argument with Harvey which boils down to the question of what constitutes a “derivative work”. I think it’s not worth having that argument for either side. Just chill. It seems they’ve already removed all they had to remove.

                    1. 2

                      No, sorry, I know there’s a lot of confusion and some contradictory statements in that issue, so it needs a careful read.

                      The statement

                      If you feel you can’t remove those changes because they are important for Harvey, you can still add my copyright statement to each of modified files.

                      was ironic.

                      I just wanted to point out that they had to use alternative solutions. That exist.

                      Btw, as I said otherwhere, I won’t bore them anymore.

                      According to my lawyer, my github fork (frozen before the rebase) and the archive on the WaybackMachine should be enough to defeat in court any pretension on my code.

                      The medium post is, as it has been defined elsewhere, just “a cautionary tale”, for younger devs pondering to contribute to Open Source Software.

                      1. 1

                        why would you waste money on a lawyer for something you don’t even make money with. Your whole story is baffling.

                        1. 2

                          Well, I cannot measure everything I do with money. I have three daughters I love most.
                          I do my mistakes, but I know they learn from what I do, not from what I say.

                          But yours is a good question, since I’m often called “greedy” just because I’m Ads Adverse.

                          My decision was pretty simple. And rational.

                          I pay the bills as a programmer.
                          Compared to the value of the time I’ve spent hacking for Harvey, the lawyer’s fee is tiny.
                          But compared to the value I put in my own fork, the time I spent for Harvey means nothing.

                          1. 1

                            Where I’m from trying to get value for your money isn’t considered greedy.

                            I respect you value your time invested, but I do think spending on it is a sunken cost fallacy, trying to recover an unrecoverable loss. In the future sign your commits and keep your version of the repository on github. Don’t be so concerned about what people do with your work unless it costs you real money in some way. That’s how I would do it anyway.

                            1. 1

                              I do not think that my contribution to Harvey was “an unrecoverable loss”.

                              I will keep to send bugfixes to Open Source Softwares that I use in the future.
                              Opportunistically, since I do not want to maintain them locally.

                              But I will not donate my time and skills to them again.

                              Obviously I won’t just look at the license they use!
                              I’ve worked very well with communities using all sort of license.
                              I’ve never checked before, but you can still see my name in php-mode, for example, 14 years after my introduction of PHP 5 support.

                              In the future I will look at the leaders, who they are, where they work…
                              I will consider to donate only if I’ll see they both trust and respect their developers and users.

                              And this will automatically exclude many big firms that treat their users as laboratory mice.

                              1. 1

                                Oh, as for GPG signing the commits, it’s a good idea.

                                But back then, in 2015, Harvey had a convoluted “standardized” workflow based on GerritHub.

                                It was so cumbersome that, after I managed to integrate travis-ci and coverity scan to Harvey, I fought against it very strongly. You might find something on the mailing list.

                                But given it used to break almost weekly, adding GPG signatures project wide was unrealistic.
                                They just required devs to sign-off commits.

                1. 1

                  Not immediately obvious from the title: This is an important step towards quantum computers.

                  1. 4

                    This is very relevant as I’ve been working with a therapist this month to fix my posture and ergonomics after developing tendonitis in my wrist and shoulder. I’d like to stop it now before it becomes carpal tunnel which my understanding it can be difficult to treat.

                    Would love to hear what others are doing to make their computer centric work and life more body-friendly.

                    1. 4

                      Find a friendly gym. I use the one at my local tech uni. It’s boring, annoying, painful at first, and takes time. But your body will tell you that it is worth it. You don’t need to grow muscles there, just go regularly to move and get some blood flowing in parts of your body which are usually neglected. Especially when I start feeling pain in wrists and fingers, I can go there and the pain gets fixed. Sometimes I use the time there to reflect on things I’m working on, and already even found bugs in my code that way. You should get an intro from either staff or someone experienced. If they ask you what you want, and you don’t really know, just ask for a set of exercises that will keep your back in good shape. Worked well for me.

                      1. 3

                        Switching to a split keyboard (kinesis freestyle 2) and 70-degree-rotated mouse (like the Microsoft sidewinder) helped a fair bit, as did getting a good chair. All told I’ve spent about $1200 on ergonomic equipment and it all feels well spent.

                        1. 2

                          I’ve been wearing wrist braces for about a month now. They’ve helped immensely. Also I’ve been trying to understand posture and ergonomics, like you… it’s hard; I never really paid much attention before.

                        1. 1

                          Last I looked into this topic I found the situation of available Life cycle inventory datasets quite sad.

                          A lot of research and life cycle assessment studies depend on these databases. Most datasets are being produced by private companies tailored to specific proprietary tools (such as Gabi) which researchers then use for modelling their subject of interest. There are some public datasets but they are considered incomplete by life cycle assessment professionals I have talked to.

                          Setting aside the issue that most software used in this research domain is proprietary, the licence terms of these data sets are very obnoxious. The terms of use are very narrowly restricted. And these data sets are very expensive, especially if they come with some seal of approval of some (self-appointed?) authority in the field. This data is being treated like trade secrets in many respects, even though it is essential for public research about our climate.

                          Granted, it takes a lot of effort and expertise to compile and maintain accurate LCI databases. But this problem seems like a great fit for a community project which provides a platform for researchers and other experts to share and accumulate data they have gathered, in a wikipedia-like fashion, free for everyone to use for any purpose.

                          What is your view on this?

                          1. 2

                            Yes, the secrecy of scientific data is a huge problem. Even paying for the data, there can be problems with providers about the usage conditions of that data.

                            I don’t know what to say. People who painstakingly compiled the data don’t seem to know how to profit off it except by restricting access to the data. I believe perhaps there should be more government initiatives to collect and free the data. That’s not an easy thing to do either, though.

                          1. 1

                            Interesting presentation, nice to see how it’s configured in an enterprise sense. On my project list is to configure a l2tp / IPsec VPN on my digital ocean VM for occasional use from Arch Linux and Android (Windows and Mac would be a bonus) anyone had luck getting this working on OpenBSD?

                            1. 1

                              Yes. I’ve got that working with my Android phone as a client.

                              1. 1

                                Did you go with a PSK or certs?

                            1. 10

                              If maintaining a popular free and open source software project is producing stress… don’t do it!

                              Really, just stop. Maintaining it, I mean. Unless you have contractual obligations or it’s a job or something, just tune it all out. Who cares if people have problems. Help if you can, help if it makes you happy, and if it doesn’t, it’s not your problem and just walk away. It’s not worth your unhappiness. If you can, put a big flag that says “I’m not maintaining this, feel free to fork!” and maybe someone else will take it over, but if they don’t, that’s fine too. It’s also fine if you don’t put a flag! No skin off your nose! You don’t owe anything to anyone!

                              Now I’m gonna grump even more.

                              I think this wave of blog posts about how to avoid “open source burnout” and so forth might be more of a Github phenomenon. The barrier to entry has been set to too low. Back in the day, if you wanted to file a bug report, you had to jump through hoops, and those hoops required reading contributor guidelines and how to submit a bug report. Find the mailing list, see which source control they used (if they used source control), see what kind of bug tracker they used (if they use one), figure out a form to see what to submit where… Very often, in the process of producing a bug report that would even pass the filters, you would even solve the problem yourself or at the very least produce a very good bug report that nearly diagnosed the problem.

                              Now all of this “social coding” is producing a bunch of people who are afraid of putting code out there due to having to deal with the beggar masses.

                              Just don’t.

                              1. 7

                                I totally agree that your own needs are the top priority if you are an OSS provider. Nobody has a divine right to your time.

                                I do think that having people be able to report bugs easily is really good. For even relatively small projects, this also serves as a bit of a usability forum, with non-maintainers able to chime in and help. This can give the basis for a supportive community so the owner isn’t swamped with things. Many people want to help as well.

                                Though if this is your “personal project”, then it could be very annoying (I think you can turn off issues in GH luckily?).

                                Ultimately though, the fact that huge projects used by a bazillion tech companies have funding of around $0 is shameful. Things like Celery, used by almost every major Python shop, do not have the resources to package releases because it’s basically a couple people who spend their time getting yelled at. We desperately need more money in the OSS ecosystem so people can actually build things in a sustainable way without having to suffer all this stress.

                                Hard to overestimate how much a stable paycheck makes things more bearable

                                1. 5

                                  “Back in the day, if you wanted to file a bug report, you had to jump through hoops”

                                  This is where I disagree. Both maintainer and other contributors’ time are valuable. Many folks won’t contribute a bug report or fix if you put time wasting obstacles in their path. Goes double if they know it was there intentionally. I remember I did one for Servo on Github just because it was easy to do so. I didn’t have time to spare to do anything but try some critical features and throw a bug report on whatever I found.

                                  I doubt I’m the only one out there that’s more likely to help when it’s easy to do so.

                                  1. 5

                                    This is where I disagree. Both maintainer and other contributors’ time are valuable.

                                    !!!!!

                                    I remember I did one for Servo on Github just because it was easy to do so. I didn’t have time to spare to do anything but try some critical features and throw a bug report on whatever I found.

                                    @manishearth, who set up http://starters.servo.org, dropped this very nice sentence about contribution: “People don’t start out serious, they start out curious.”

                                    1. 4

                                      The problem is that projects don’t survive on such drive-by fixes alone. Yes, you fixed a bug and that’s a good thing, but the project would probably still run along just fine without that fix. And you never came back. In the long term, what projects have to care about are interested people who keep coming back. The others really don’t matter that much.

                                      1. 5

                                        I think this is a bit like a consumer acquisition funnel.

                                        Every contributor first started off by providing a drive-by fix. If they do it enough, now they’re contributing a lot. Now you have full-time contributors.

                                        1. 1

                                          Sure but the question was about how high the bar for such drive-by contributions can be while still keeping a project healthy, based on the premise that making drive-by contributions too easy can result in toxic community behaviour overwhelming active maintainers.

                                          1. 3

                                            The “height of the contribution bar” as quality control is - in my experience - a myth. The “denying low quality contributions” is not.

                                            I’ll explain why: the bar to unfounded complaints and troll is always very low. If you have an open web form somewhere, someone will mistake it for a garbage bin. And that’s what sucks you down. Dealing with those in an assertive manner gets easier when you have a group.

                                            The bar to attempting contribution should be as low as possible. You’d want to make people aware that they can contribute and that they can get started very easily. You will always have to train - projects got workflows, styles, etc. that people can’t all learn in one go. Mentoring also gets somewhat easier as a group.

                                            Saying “no” to a contribution is hard. Get used to it, no one takes that off you. But it must be done.

                                            Also, there’s a trend to have people voicing their frustrations blamed as “not respecting the maintainers”. There’s pretty often complaints that have some truth in them. Often, a “you’re right, can we help you with fixing it on your own?” is better than throwing stuff screenshots on Twitter.

                                            1. 1

                                              I agree with you but quality control is, again, a separate question. I wasn’t talking about quality control. The question is about how to best attract only those people with an appropriate kind of behaviour that won’t end up burning out maintainers, and whether a bar to contribution can factor into this.

                                              I think JordiGH’s point was that if someone has to jump through some hoops to even find the right forum of communication to use (which mailing list and/or bug tracker, etc.), just by showing up at a place where maintainers will listen a contributor shows they have spent time and engaged their brains a bit to read a minimum necessary amount of text about how the project and its community works. This can be achieved, for instance, with a landing page that doesn’t directly ask people to submit code by pushing a simple button, but directs them to a document which explains how and where to make contributions.

                                              If instead people can click through a social media website they sign up on only once and then have their proposed changes to various projects appear in every maintainer’s face right away with minimal effort because that’s how the site was designed, it’s no surprise that mentoring new contributors becomes relatively harder for maintainers, isn’t it? I mean, seriously, blog posts about depressed open source maintainers seem to mostly involve people using such sites.

                                        2. 1

                                          I’d considered this but do we really have data proving it? And on projects trying to cast a wide net vs those that don’t? I could imagine that scenario would be fine for OpenBSD aiming for quality but Ruby library or something might be fine with extra little commits over time.

                                          1. 2

                                            I think you’ll always need at least one developer dedicated enough to give the project a home, integrate changes, drive releases, and so on.

                                            A pile of drive-by patches and pull requests with nothing holding them together is not a “project”.

                                            Edit: BTW you said “extra little commits” and I said “drive-by fixes alone” so we may be talking past each other a bit… :)

                                      2. 3

                                        Really, just stop. Maintaining it, I mean. Unless you have contractual obligations or it’s a job or something, just tune it all out. Who cares if people have problems. Help if you can, help if it makes you happy, and if it doesn’t, it’s not your problem and just walk away. It’s not worth your unhappiness. If you can, put a big flag that says “I’m not maintaining this, feel free to fork!” and maybe someone else will take it over, but if they don’t, that’s fine too. It’s also fine if you don’t put a flag! No skin off your nose! You don’t owe anything to anyone!

                                        Totally. In this scenario, you should just quit cold turkey.

                                        The rest of the post is more advice that I’ve found myself giving multiple times to people who do want to keep maintaining the project, or be active in their larger community, but aren’t super focused on that particular library anymore.

                                        1. 2

                                          There’s a lot of poor communication out there with unstated assumptions on each side for relationships not just open source and that drives a lot of frustration and resentment. There are dozens of books on the subject in the self-help aisle of bookstores. The points in the article are all good advice but I think the best advice is to make it clear on what terms you volunteer your work and not be ashamed to say “I don’t want to do this but feel free to do it or fork it” if it’s not scratching your itch.

                                          Personally, I’ve turned away issues resulting from old and on bleeding-edge compiler or library releases and on OS’s or equipment I don’t run (doesn’t behave on Windows XP? doesn’t work with Chinese clone of hardware? Hell if I know…)

                                        1. 4

                                          One limitation that I find noteworthy: “Note that ‘stacking’ softraid modes (mirrored drives and encryption, for example) is not supported at this time.”

                                          Either you’ll require a hardware RAID controller that OpenBSD supports or you’ll have to choose between disk encryption and software RAID. Of course, you should always be making backups, but sometimes it’s really nice if one of your drives can just fail and you don’t really have to care too much.

                                          1. 1

                                            Patches to make stacked softraid work would be welcome. Talk to jsing@ and me, we already discussed it a bit some years ago and then got distracted by other projects.

                                          1. 1

                                            How much would we have to donate to get a picture of Theo (and/or @tedu) with a lobster on his head?

                                            1. 7

                                              I know you’re joking, but jokes aside, the software released by the project should already provide sufficient incentive to make a donation.

                                              1. 1

                                                two Iridium donations might encourage the foundation to ask for them for a picture…or the whole 2018 target?

                                              1. 22

                                                I think the Fediverse (GNU Social / Mastodon) is the decentralized social network with the closest to critical mass so far. You can either join a node run by someone you trust, or run your own. If by privacy you mean you don’t want the server operator collecting usage profiles on you and so on, that might be a good fit. Messages are still usually public though.

                                                If you want messages private and not easily scrapeable on the public internet, the Fediverse isn’t quite as good of a fit, although there are ways to do it with GNU Social at least, by setting up private groups on a single node. But that’s not as widely used, and you’d have to get your social group all on a GNU Social node. Another approach might be to make an ad-hoc Signal group (you can add multiple people to a group-messaging session). Messages there are end-to-end encrypted and it’s relatively easy to get people on Signal (many people I know are already on it), but messages do go via a centralized server infrastructure, so Signal can collect metadata even if not the message contents (I think I probably trust them more than I trust Facebook/Twitter, but still).

                                                1. 2

                                                  I used Mastodon a few months back. I found its feature set closer to Twitter than Facebook; to me it’s a good platform for seeing news, cool tech trends, or following people I respect in the tech world. Not so much for staying in contact with real-world friends, organizing outings, etc.

                                                  I also find the “join a node run by someone you trust” to be a barrier to joining. My non-tech friends probably will as well.

                                                  I really don’t mind the server being centralized. As long as (1) the company has a clear mission statement and has not given reason to doubt that mission, and (2) has a zero-knowledge infrastructure (I think metadata is ok), I am happy to use it.

                                                  1. 9

                                                    One option with Mastodon is to just run your own private instance for friends. It’s pretty easy to set up, and will run fine on a $5 a month Linode instance.

                                                    1. 7

                                                      Maybe give Diaspora a try; same basic ideas, but I believe is closer to facebook than twitter.

                                                      Edit: I think the idea of not minding a centralized solution and only using a company you can trust are sort of opposed. If your solution is centralized and you lose trust in the company, you’re stuck with abandoning the network or your principles. If you’re using a federated network then you can still use the network without supporting that specific company (node/instance). And I’m not sure what’s so hard about trusting an individual/small group of people instead of a company.

                                                      1. 3

                                                        Agreed on the last part. Companies are composed of constantly changing and potentially large groups of people all hidden behind a shallow corporate identity.

                                                        Trusting individuals makes a lot more sense to me.

                                                  1. 11

                                                    I think I mostly agree with the premise here. I tried FreeBSD but I had a hard time being happy with it compared to simply using a systemd-less Linux like Void or Alpine.

                                                    OpenBSD on the other hand fascinates me, mostly because of the security focus and overall simplicity, I think part of that idea of focused goals is the same reason I’ve been starting to keep up with DragonFlyBSD development, the drive to do something different than the mainstream can be a strong motivator of interest.

                                                    But realistically, I don’t see something like FreeNAS dying anytime soon, some of my IT friends swear only by it.

                                                    1. 20

                                                      I love running FreeBSD. I run Void whenever I have to run Linux, but honestly running FreeBSD is so much fun. The system makes so much sense, there are so few running processes. Configs are kept in the right places, packages that are installed just work, upgrades almost never broke anything, and in general there was a lot less fiddliness. I want to run Void from time to time to get the new and shiny (without having to build it for a custom platform), but in both Debian and Void (the systems I run), packages are of varying quality, and upgrades are always stressful (though Void’s running release nature makes it less so). FreeBSD’s consistency also makes me feel a lot less scared about opening it up and fiddling with the insides (such as trying my hand at creating my own rc unit runner or something), whereas with Linux I often feel like I’m peering at the edge of a Rube Goldberg machine.

                                                      Oh and don’t get me started on the FreeBSD Handbook and manpages. Talk about documentation done right.

                                                      1. 6

                                                        “Rube Goldberg machine” is a great description for much of the Linux world. Especially Debian-style packages with their incredibly complex configuration hooks and menus and stuff.

                                                        My favorite feature of pkgng is that packages do not add post-install actions to other packages :)

                                                        1. 1

                                                          I still can’t get over the fact that installing a deb service on a Debian based distribution, starts the service automatically? Why was that ever considered a good design decision?

                                                          I personally run Gentoo and Void. I had FreeBSD running really well on an older X1 carbon about two years back, but the hardware failed on the X1. I do use FreeBSD on my VPS for my openvpn server, but it seems like FreeBSD is the only one supported on major VPSes (Digital Ocean, Vultr). I wish there was better VPS support for at least OpenBSD.

                                                        2. 2

                                                        Don’t get me wrong, I like FreeBSD, I’ve just never felt the same fascination towards it that I do with OpenBSD, DragonflyBSD, Haiku, ReactOS or Harvey. But perhaps that’s a good thing?

                                                        I guess the main thing is I’ve never been in a situation where I didn’t need to use Linux / Windows and couldn’t use OpenBSD.

                                                          1. 5

                                                            FreeBSD seems to do less in-house experimental stuff that gets press. Dragonfly has the single-system image clustering long-term vision, OpenBSD is much more aggressive about ripping out and/or rewriting parts of the core system, etc.

                                                            I do feel most comfortable with the medium-term organizational future of FreeBSD though. It seems to have the highest bus factor and strongest institutional backing. Dragonfly’s bus factor is pretty clearly 1: Matthew Dillon does the vast majority of development. OpenBSD’s is slightly higher, but I’m not entirely confident it would survive Theo leaving the project. While I don’t think any single person leaving FreeBSD would be fatal.

                                                            1. 3

                                                              I’m not entirely confident it would survive Theo leaving the project

                                                              There is no reason to worry about that: http://marc.info/?l=openbsd-misc&m=137609553004700&w=2

                                                              1. 2

                                                                FreeBSD seems to do less in-house experimental stuff that gets press

                                                                The problem is with the press here. CloudABI is the most amazing innovation I’ve seen in the Unix world, and everyone is sleeping on it ;(

                                                          2. 3

                                                          I tried FreeBSD but I had a hard time being happy with it compared to simply using a systemd-less Linux like Void or Alpine.

                                                            The Linux distro that’s closest to the *BSD world is Gentoo - they even named their package management system “Portage” because it’s inspired by *BSD ports.

                                                            1. 2

                                                              As a long time OpenBSD & Gentoo user (they were my introduction to BSD & Linux respectively and I’ve run both on servers & desktops for years), I strongly disagree. If I wanted to experience BSD on Linux, Gentoo would be the last thing I’d look at.

                                                              1. 1

                                                                If I wanted to experience BSD on Linux, Gentoo would be the last thing I’d look at.

                                                                Then you are way off the mark, because the closest thing to *BSD ports in the Linux world is Gentoo’s Portage and OpenRC is the natural evolution of FreeBSD’s init scripts.

                                                                1. 5

                                                                  Over the past decade, I’ve used ports once or twice. Currently I don’t have a copy of the ports tree. At this day and age, ports & package management are among the least interesting properties of an operating system (if only because they all do it well enough, and they all still suck). OpenRC might be ok, but the flavor of init scripts doesn’t exactly define the system either.

                                                                  My idea of BSD does not entail spending hours fucking with configs and compiling third party packages to make a usable system. Maybe FreeBSD is like that? If so, I’m quite disappointed.

                                                          1. 5

                                                            Why discourage others from reading the paper?

                                                            Everyone: Read this paper! It’s well written and very accessible if you know the basics of how CPUs work.

                                                            1. 2

                                                              Yeah the paper isn’t that difficult to understand.

                                                              1. 1

                                                                The irony of your username is pretty great here :p

                                                            1. 2

                                                              A competent CPU engineer would fix this by making sure speculation doesn’t happen across protection domains. Maybe even a L1 I$ that is keyed by CPL.

                                                              I feel like Linus of all people should be experienced enough to know that you shouldn’t be making assumptions about complex fields you’re not an expert in.

                                                              1. 22

                                                                To be fair, Linus worked at a CPU company, Transmeta, from about ‘96 - ‘03(??) and reportedly worked on, drumroll, the Crusoe’s code morphing software, which speculatively morphs code written for other CPUs, live, to the Crusoe instruction set.

                                                                1. 4

                                                                  My original statement is pretty darn wrong then!

                                                                  1. 13

                                                                    You were just speculating. No harm in that.

                                                                2. 15

                                                                  To be fair to him, he’s describing the reason AMD processors aren’t vulnerable to the same kernel attacks.

                                                                  1. 1

                                                                    I thought AMD were found to be vulnerable to the same attacks. Where did you read they weren’t?

                                                                    1. 17

                                                                      AMD processors have the same flaw (that speculative execution can lead to information leakage through cache timings) but the impact is way less severe because the cache is protection-level-aware. On AMD, you can use Spectre to read any memory in your own process, which is still bad for things like web browsers (now javascript can bust through its sandbox) but you can’t read from kernel memory, because of the mitigation that Linus is describing. On Intel processors, you can read from both your memory and the kernel’s memory using this attack.

                                                                      1. 0

                                                                        basically both will need the patch that I presume will lead to the same slowdown.

                                                                        1. 9

                                                                          I don’t think AMD needs the separate address space for kernel patch (KAISER) which is responsible for the slowdown.

                                                                  2. 12

                                                                    Linus worked for a CPU manufacturer (Transmeta). He also writes an operating system that interfaces with multiple chips. He is pretty darn close to an expert in this complex field.

                                                                    1. 3

                                                                      I think this statement is correct. As I understand, part of the problem in meltdown is that a transient code path can load a page into cache before page access permissions are checked. See the meltdown paper.

                                                                      1. 3

                                                                        The fact that he is correct doesn’t prove that a competent CPU engineer would agree. I mean, Linus is (to the best of my knowledge) not a CPU engineer, so he’s probably wrong when it comes to getting all the constraints of the field.

                                                                        1. 4

                                                                          So? This problem is not quantum physics, it has to do with a well known mechanism in CPU design that is understood by good kernel engineers - and it is a problem that AMD and Via both avoided with the same instruction set.

                                                                          1. 3

                                                                            Not a CPU engineer, but see my direct response to the OP, which shows that Linus has direct experience with CPUs, from his tenure at Transmeta, a defunct CPU company.

                                                                            1. 5

                                                                              from his tenure at Transmeta, a defunct CPU company.

                                                                              Exactly. A company whose innovative CPUs didn’t meet the market’s needs and were shelved on acquisition. What he learned at a company making unmarketable, lower-performance products might not tell him much about constraints Intel faces.

                                                                              1. 11

                                                                                What he learned at a company making unmarketable, lower-performance products might not tell him much about constraints Intel faces.

                                                                                This is a bit of a logical stretch. Quite frankly, Intel took a gamble with speculative execution and lost. The first several years were full of errata for genuine bugs and now we finally have a userland exploitable issue with it. Often security and performance are at odds. Security engineers often examine / fuzz interfaces looking for things that cause state changes. While the instruction execution state was not committed, the cache state change was. I truly hope Intel engineers will now question all the state changes that happen due to speculative execution. This is Linus’ bluntly worded point.

                                                                                1. 3

                                                                                  (At @apg too)

                                                                                  My main comment shows consumers didn’t pay for more secure CPUs. So, that’s not really a market requirement even if it might prevent costly mistakes later. Their goal was making things go faster over time with acceptable watts despite poorly-written code from humans or compilers while remaining backwards compatible with locked-in customers running worse, weirder code. So, that’s what they thought would maximize profit. That’s what they executed on.

                                                                                  We can test if they made a mistake by getting a list of x86 vendors sorted by revenues and market share. (Looks.) Intel is still a mega corporation dominating in x86. They achieved their primary goal. A secondary goal is no liabilities dislodging them from that. These attacks will only be a failure for them if AMD gets a huge chunk of their market like they did beating them to proper 64-bit when Intel/HP made the Itanium mistake.

                                                                                  Bad security is only a mistake for these companies when it severely disrupts their business objectives. In the past, bad security was a great idea. Right now, it mostly works with the equation maybe shifting a bit in future as breakers start focusing on hardware flaws. It’s sort of an unknown for these recent flaws. All depends on mitigations and how many that replace CPU’s will stop buying Intel.

                                                                                2. 3

                                                                                  A company whose innovative CPUs didn’t meet the market’s needs and were shelved on acquisition.

                                                                                  Tons of products over the years have failed based simply on timing. So, yeah, it didn’t meet the market demand then. I’m curious about what they could have done in the 10+ years after they called it quits.

                                                                                  might not tell him much about constraints Intel faces.

                                                                                  I haven’t seen confirmation of this, but there’s speculation that these bugs could affect CPUs as far back as Pentium II from the 90s….

                                                                              2. 1

                                                                                The fact that he is correct doesn’t prove that a competent CPU engineer would agree.

                                                                                Can you expand on this? I’m having trouble making sense of it. Agree with what?

                                                                          1. 1

                                                                            Which BSDs still support 32-bit architectures? I assume NetBSD does, but AFAICT the others are gradually dropping it from their latest releases.

                                                                            1. 2

                                                                              I believe all of them do except Dragonfly, like the article said. Also, TrueOS (which wasn’t covered in the article) only supports amd64. Do you have a link or can you cite something that says the major BSD operating systems are dropping 32 bit? Certainly the majority of development is occurring on 64 bit architectures but I think 32 bit is still supported for a while.

                                                                              1. 1

                                                                                My soekris and my alix are still running.

                                                                            1. 8

                                                                              Wow. This guy is the Miod Vallat of desktop environments.

                                                                              1. 1

                                                                                My…friend…doesn’t know who Miod Vallat is.

                                                                                1. 7

                                                                                  Miod and his machine room.

                                                                                  1. 1

                                                                                    He had an Alpha-based laptop, too. I didn’t know Tadpole made those. Ran OpenVMS, too, for a little over $10,000. If FOSS’d, that kind of laptop could be useful today for verifiable or non-backdoored computing given Alpha’s with those specs were on a 500nm process. That’s still verifiable without electron microscopes or whatever.

                                                                                    Plus, PALcode was the shit. We need a RISC-V that’s microcoded and/or PALcoded with a HLL compiler for those. One can do many neat things.

                                                                              1. 1

                                                                                Still no code on their GitHub profile :’(

                                                                                1. 3

                                                                                  check the FAQ

                                                                                  1. 5

                                                                                    Needs a new distributed version control system where the versioned objects are sheets of paper and changelists are composed of paper cutouts and glue.

                                                                                    1. 3

                                                                                      It’ll certainly bring a fresh perspective to the “your project is still stuck on CVS?” :)

                                                                                1. 2

                                                                                  Anyone else think the aardvark desktop background looks like the top bit of a skull peering out of the screen…

                                                                                  1. 2

                                                                                    Maybe not a skull, but I could see a girl’s head with a bow on one side, and a little whisp of hair on the other side, looking sideways, kind of like a certain Japanese food company mascot.

                                                                                    To try and keep it on topic, I still don’t know if I’m sold on GNOME, but I’ll definitely at least try it when 18.04 comes out. There’s a big pile of little things across the interfaces that don’t gel with me, but I could see myself switching away from Cinnamon if they (and/or Wayland) got their HiDPI features working better. I don’t see much hope on Cinnamon’s side for the particular issues I am facing as long as it is still on X, but I put up with those because everything else works so well.

                                                                                    1. 2

                                                                                      I’ve been using the latest Gnome 3 at work and Cinnamon at home – just to experiment. Gnome sacrifices function for form and expects users to memorize more keybindings. When you alt-tab it will group windows of the same application – eg. all your terminals are grouped and you have to Alt-` to switch within the group. The window bar default does not show minimize or restore buttons. And the biggest visible difference, the top bar does not show all your windows in Gnome. If you want to know what’s open you either have to alt-tab, or press the super key to bring up the activities menu. The top bar has a lot of unused space – like new Apple products that lack ports and buttons. To contrast Cinnamon shows each window in the top bar – they’re more like thinkpad and a bit less sexy. I’m going to keep using both because I’m an indecisive person.

                                                                                      1. 2

                                                                                        There is a gnome3 shell extension to change the alt-tab behaviour back to “normal” and another one to bring minimise/maximise window buttons back.

                                                                                        1. 1

                                                                                          When you alt-tab it will group windows of the same application

                                                                                          It’s behavior from MacOS, I’m using MacOS for about 5 years and still can’t get used to it. However it makes sense there, because focus is applied to application, not window on MacOS. Displayed menu depends on app in focus and you can focus on app without windows. AFAIK, gnome has no such behavior (not tried recent versions).

                                                                                          The top bar has a lot of unused space – like new Apple products that lack ports and buttons.

                                                                                          I think it was borrowed from early 2000’s mobile phone UIs, almost all old phones (not smartphones) had similar panel too, usually without clock, but with signal strength, battery level, etc indicators. It looks out-of-context on desktop, nowadays industry is too obsessed with bringing handset controls to workstations. IMHO this panel is most frustrating thing in Gnome 3 UI.

                                                                                      1. 6

                                                                                        I sometimes experience anxiety episodes when I see my own score

                                                                                        We cannot change the world to better suit your mood. Write a user script and alter the site to your liking in your own browser.

                                                                                        1. 15

                                                                                          We cannot change the world to better suit your mood

                                                                                          I mean, we absolutely can. Because “the world” in this case is a bunch of code that’s open source. And that code was already written with some moods in mind. For example:

                                                                                          • It requires an explanation of downvotes, in order to reduce ill-considered downvote behavior
                                                                                          • It makes public all moderation logs, in order to increase transparency and trust
                                                                                          • It supports an interface entirely through email, in order to emulate a very specific user experience from the distant past

                                                                                          It’s not at all clear to me why we can’t add this to the list:

                                                                                          • It hides user karma score from the home screen, in order to reduce upvote-chasing and competitive behavior

                                                                                          1. 0

                                                                                            It requires an explanation of downvotes, in order to reduce ill-considered downvote behavior

                                                                                            That obviously did not work. I’m constantly downvoted as “troll” even when posting purely factual comments. “troll” is the new “fuck you”. Oh, there’s a new entry on my top level comment here: “-1 me-too”. How does that make any sense?

                                                                                            When you force people to choose from a list of justifications for downvoting, they’ll either choose an insulting one or a random one. Anything but give up downvoting because they see the error of their ways. It’s basic human nature.

                                                                                            1. 3

                                                                                              So you’re saying that sometimes it’s worth changing the way we do things because what we do sometimes has unintended effects?

                                                                                              Well, then I’m glad you agree that we should consider hiding the user’s karma score from the home screen.

                                                                                          2. 7

                                                                                            I personally don’t mind them, but perhaps a profile preference could be added, that hides karma for those who wish to avoid seeing it?

                                                                                            1. 6

                                                                                              That’s a great way of driving people with anxieties away so they leave the site. And in the end we’re left with just the bunch of users who talk and walk like stefantalpalaru…

                                                                                              1. 4

                                                                                                I don’t care either way, but I think the anxiety issue needs a different solution. If the karma numbers concern somebody, then lots of other things will too.

                                                                                                1. 0

                                                                                                  And in the end we’re left with just the bunch of users who talk and walk like stefantalpalaru…

                                                                                                  You say it like it’s a bad thing :-)

                                                                                                2. 2

                                                                                                  change the world to better suit your mood

                                                                                                  I think the lyric is “change my life to better suit your mood” (Santana’s “Smooth”)

                                                                                                  self-amusement aside, I like the karma count and don’t see it as a distraction or a significant motivator.