1. 1

    Can I ask a potentially ignorant question? Why would someone who’s not already using Subversion choose to run it at this point? What are some of its advantages over Git or Fossil or Mercurial?

    1. 6

      For software version control? Probably very little (especially as you included mercurial in the alternatives)

      I think however, that SVN could be the basis of quite a good self-hostable blob/file storage system. WebDAV is a defined standard and accessible over HTTP and you get (auto-)versioning of assets for ‘free’.

      1. 1

        Why would Mercurial in particular stand out on this list? Are you extrapolating from your own experience? I don’t think there are complete and reliable global usage statistic about any of these systems, are there?

        1. 2

          On top of what stephenr says, Mercurial has an increasingly solid story for large assets from things like remotefilelog and other similar work from Facebook. That means I’d feel comfy using it for e.g. game asset tracking, at least to a point. Git is getting there too (specifically the work from Microsoft), but it’s a bit less mature at the moment.

          1. 0

            Git is not the easiest thing in the world to learn/use.

            If you just day “why use svn when git exists” it’s easy: because svn is easier to learn and understand.

            Mercurial muddies that because you get the benefits of dvcs with usability that’s pretty close to svn.

            I’ve worked in the last few years with entire teams that used no vcs.

            1. 1

              Yeah, very much agreed that hg hits a rather nice middle ground. Their UI design is great.

              Still, I don’t think we could infer anything from this about the actual number of users across the various vcs. Not sure though if I simply misunderstood what you meant.

              1. 1

                Oh I’m not at all claiming to have stats on actual usage.

                It was a hypothetical: if hg wasn’t an option, some developers will be more productive with svn than git.

              2. 1

                why use svn when git exists

                I think this sums it up well: https://sqlite.org/whynotgit.html

                Not about subversion in particular though, just a bash at git.

            2. 1

              Are you referring to mod_dav_svn? The last time I tried it it was pretty unreliable. It often truncated files silently. That’s probably not Subversion’s fault. Apache HTTPd’s WebDAV support doesn’t seem to be in a great state.

              1. 1

                That’s the only subversion http server that I’m aware of.

                I suspect that post is about mod_dav - WebDAV into a regular file system directory.

                Mod_dav_svn provides WebDAV + Svn into a repo backend.

            3. 4

              I know some game studios still run subversion, because of large art assets along side code, and the ability to check out specific subdirectories.

              1. 3

                SVN is still heavily used by companies that are not pure software dev shops yet still produce their own software, e.g. in the financial sector and manufacturing industry.

                I don’t think many people on lobsters still encounter SVN at their place of work, but that is due to lobster’s demographic rather than everyone on the planet migrating away from SVN. That is not the case. (Some people still use tools like ClearCase at work!)

                1. 2

                  For something closer to my heart, LLVM’s official repository is still SVN.

              1. 17

                As phk so eloquently put it: Git Is Not Revision Control. His full take posted here:

                https://blog.feld.me/posts/2018/01/git-is-not-revision-control/

                1. 3

                  Git is a tool which allows people and projects to manage, modify, fork and merge the many different views, instances, variations and modifications of a work in progress across barriers of distrust.

                  The crucial word there was “many different”, which is the exact opposite of what a VCS strives for.

                  Uh. Yeah, all DVCSes allow users to have their own view of the repo, that’s the point. In the DVCS world, the official remote’s admin is responsible for maintaining the definitive timeline, that is, not allowing force pushes. I don’t see how that’s any different from an SVN admin not allowing anyone to manually overwrite SVN files on the server to screw up the history!

                  you just have to augment it with an out-of-band definition of which tree is the ‘definitive’, and settle who gets to define what ‘a version’ means.

                  neither SVN nor Git will ever be able to do both [collaboration and version control], because the requirements are fundamentally different and in conflict with each other

                  What exactly is the conflict? You “out-of-band” “define” the official git remote’s history as “definitive” (i.e. state an incredibly obvious fact), boom, done, no conflict, it’s a perfectly adequate revision control system.

                  1. 4

                    One of my biggest gripes with Git is that it doesn’t track renames. Linus doesn’t think they matter. Much of the world disagrees, but here’s his take on it:

                    –follow is a total hack, meant to just satisfy ex-SVN users who never knew anything about things like parenthood or nice revision graphs anyway.

                    It’s not totally fundamental, but the current implementation of “–follow” is really a quick preprocessing thing bolted onto the revision walking logic, rather than being anything really integral.

                    It literally was designed as a “SVN noob” pleaser, not as a “real git functionality” thing. The idea was that you’d get away from the (broken) mindset of thinking that renames matter in the big picture.

                    So by not tracking renames, history is broken, and I fail to see how Git is a real VCS.

                    1. 1

                      I don’t see how storing “old file deleted, new file added” instead of explicitly tracking renames might break history o_0

                      1. 3

                        Because sometimes you want to see the entire changelog that has ever happened to that file, including before the rename happened.

                        1. 12

                          You make it sounds like was an easily solved problem and git just messed up, but that is not the case.

                          Linus is absolutely right about the fact that, in general, tracking and merging renames is hard.

                          You have a potentially large number of permutations of tree changes, and edits of file content, which people can commit with any given recorded change.

                          Tree changes include: add, delete, copy, move. These can happen at any level in the tree, and as often as needed to achieve some particular new tree configuation in the new commit.

                          File content edits matter as well because they conflict with some structual changes. E.g. if one side edits content which the other side deletes, there is no obviously correct answer to the question of what the merge result should be.

                          And users expect a revision control implementation to be able to run useful merges after committing several such permutations (read: refactorings) even when each of these is entirely different.

                          In SVN’s model the “address” of every node in this tree is a path, so tracking moves becomes a horror of a path-segment matching problem: http://svn.apache.org/repos/asf/subversion/trunk/notes/resolve-moves (this covers some ground but leaves several more complicated situations open for future design and development).

                          In Git’s model we face the same fundamental issue, expect a path segment becomes a (hash, name) tuple in a tree object; where the tree objects form the chain which, when folowed, results in a path. To detect a move, we have to guess which ‘name’ in a tree object on one side corresponds to which other ‘name’ in any of the tree objects on the other side of the merge. Git can take some shortcuts because its model also includes hashes of contents, so comparing files or even entire subtrees can sometimes be solved with a simple string comparison, whereas SVN always needs to diff content.

                          I am not aware of any version control system which gets this 100% right for all conceivable cases.

                          1. 1

                            Everything you listed sounds like an edge case. I don’t care about edge cases, I only want git history to work across renames when there are never any merges between a rename.

                            --follow mostly does that. It would be even better if all invocations of git mv resulted in the rename being recorded in a file in the repo. Again, I don’t care if that “rename history” file gets invalidated and deleted in edge cases such as hairy merges.

                            1. 1

                              I don’t think rename + merge is an edge case. I know for a fact (from years of consulting) that git’s support for this was a major factor for several companies to migrate away from svn to git.

                              But yes not everyone needs it. Depends on your workflow.

                1. 4

                  Bring in OpenBSD’s tetris(6).

                  Very good choice!

                  1. 1

                    Damnit, thats a rabbit hole I shouldnt of dove into.

                  1. 1

                    For our fine BSD-flavored Lobsters…what’s the deal with GPU support? Is it good, bad, impossible?

                    I figure that nvidia is probably a no-go on OpenBSD because of binary blobs, but hasn’t AMD finally offered fully open-sourced drivers for their cards? What’s left?

                    Also, is there any attempt at getting Wayland over to OpenBSD? If there’s one project cranky enough about fixing brain damage to fix the back catalog of X11 apps, I figure it’d be them.

                    1. 2

                      There was an update to radeon drivers committed just in time for OpenBSD 6.3.

                      The main problem with the graphics stack is that we have too few people working on it, and Linux has too many. Keeping on top of a large code base with rapid upstream code churn and development is not easy if you don’t have enough people who will read all that code to screen it for potential holes, and to integrate and test it.

                      That’s also why the open source nvidia driver hasn’t been ported. Nobody wants to add the necessary hours required to their voluntary work schedule.

                      1. 2

                        Are you only interested in OpenBSD or do you mean BSDs in general?

                        If you want NVIDIA binary drivers you can get them with FreeBSD. I know there have been efforts on Wayland as well. I have no clue on the status but there is a port/package you can install:

                        https://www.freshports.org/graphics/wayland/

                      1. 7

                        I have been using OpenBSD at my laptop for the last year and a half. The only issue I have is that Firefox is way slower than in Void Linux or Debian. But apart from that it works perfectly fine.

                        1. 5

                          Might be faster in 6.3 which ships ff quantum.

                        1. 8

                          I run OpenBSD as my only operating system on:

                          • on my daily driver (T420 Thinkpad) that I use for work, gaming & everything else (OpenBSD -current)
                          • on the Lenovo G50-70 which is a daily driver for my wife - currently running OpenBSD 6.3 (just updated from 6.2)
                          • our server on vultr running OpenBSD 6.2 (soon to be updated to 6.3)
                          • an asus intel atom eeepc running snapshots/-current and serves as a backup machine for hacking on stuff

                          I do have a fallback work assigned laptop with Linux, that I haven’t booted even once this year. I do however use the PS4 extensively for additional gaming and streaming Netflix/HBO Go

                          1. 2

                            How has your experience been with suspending/hibernating? When I bought a ThinkPad X41, I first installed OpenBSD, but the fact that every time when I suspended the device, the screen permanently blanked until I forcefully rebooted, really prevented me from using it.

                            1. 5

                              If there is a TPM config option in the BIOS, try to disable the TPM and try again (not sure if this applies to the x41 but it applies to some of the more recent models).

                              1. 5

                                Suspend & hibernate works perfectly on both laptops I mentioned in my post. Keep in mind, a lot will depends on the hardware model and the amount of time since you tried (OpenBSD is not standing still).

                                1. 3

                                  I have an ThinkPad X41 that has been running OpenBSD from new and both suspend and hibernate work on it.

                                  Sometimes when it comes out of hibernation / sleep the X desktop did appear to come up blank - but if your press the brightness keys (Fn + Home button on my X41) the screen restored as normal - but I sometimes see this on my Toshiba laptop as well. I have not noticed this on my X41 recently.

                                2. 2

                                  This isn’t completely related, but I also use (Free)BSD on vultr. I’m not really a sysadmin type and barely know that I’m doing, but I like it.

                                1. 19

                                  There are several *BSD developers on lobsters (see https://lobste.rs/hats) so don’t be surprised if you get many positive responses. I suppose most of them use a *BSD desktop, apart from a subset of FreeBSD devs famous for using MacOS X.

                                  1. 1

                                    We really don’t deserve such accolades :)

                                  1. 4

                                    The writing had been on the wall for much too long.

                                    1. 15

                                      What happened? Did Oracle find a judge who does not know programming?

                                      1. 29

                                        In 2010, Oracle sued Google. In 2012, District Court ruled API uncopyrightable. In 2014, Appeals Court ruled API copyrightable. Google petitioned Supreme Court, which denied the petition. In 2016, District Court, operating under the assumption that API is copyrightable, ruled Google’s use was fair use. In 2018, Appeals Court ruled Google’s use was not fair use. Now the case is back in District Court to determine the damage, operating under the assumption that API is copyrightable and Google’s use was not fair use.

                                        1. 3

                                          Most people do not understand the significance of this decision, so it’s enough for Oracle to re-roll the dice until they get the answer they want.

                                          Besides I think the crowds inflate the significance of this. It’s almost as if somebody unconditionally respected copyrights here.

                                        1. 2

                                          Found via https://lobste.rs/s/4nxylk/f_zero_true_horizons but I thought these maps deserve to stand on their own :)

                                          1. 2

                                            Not sure if “formal methods” would be an accurate tag addition here. Would it be?

                                            1. 2

                                              Definitely. I just saved this PDF as an exemplary work applying formal methods to a real-world problem that found real vulnerabilities in it. I’ll do a suggest formal methods on it. Also, thanks for submitting it! :)

                                              1. 2

                                                Yeah it’s very nice work. And no silly domain names for marketing the vulns!

                                                Though I suppose if the title was “unfixable security problems in LTE protocol found” a lot more people would read this paper…

                                                1. 2

                                                  Yeah, those are good points. I get tired of the marketing gimmicks. Your alternative title is a lot scarier. I’m a little wary of them since I’ve seen them used on stuff that got patched or worked-around later on. They seemed unfixable at the time. Maybe “All 4G Phones Vulnerable to these Attacks.” Still sounds a bit scaremongering but wouldn’t require a retraction if they fixed the problems.

                                                2. 1

                                                  It seems I cannot edit my submission anymore and can’t suggest tags either. I would appreciate if a few more folks suggested the tag so it gets added. Thanks.

                                              1. 22

                                                Ironically, the biggest thing that stops people from joining a Mastodon instance is the paradox of choice. If you want a Twitter account, there’s exactly one place to go and a newcomer has zero things to figure out before joining.

                                                If you want to join a Mastodon instance, you have to grok the distributed nature, figure out why some instances block other instances, which code of conduct you endorse (or pick an instance without one). All those choices create a higher barrier new users have to overcome to “get in”.

                                                1. 2

                                                  Ironically, the biggest thing that stops people from joining a Mastodon instance is the paradox of choice.

                                                  And network effects. I am not very active on Mastodon, since most friends and colleagues (computational linguistics, ML) are not on Mastodon.

                                                  I also think that the default user interface, even though it is nice for advanced users, is not simple enough.

                                                  1. 2

                                                    I think it largerly depends on how your interests match the instance you join.

                                                    I was invited to join mastodon.social social but I now realize that I mainly follow people from other instances.

                                                    Probably the fact that I’m mostly interested in software related matters (even if from a wide range of perpectives, including law and ethics) is what make the local timeline pretty boring to me…

                                                    Finding the right instance might not be simple.

                                                    Maybe a tag cloud representing the topics threated in the instance could help in the decision (together with the code of conduct obviously).

                                                  2. 2

                                                    I can see why you’d think this, but my experience has been that it really doesn’t matter, other than obvious stuff like not picking a fascist-friendly place. If you’re on a small instance then your local timeline will be quieter, but personally I found the majority of people to follow thru IRC or threads like this, so the local timeline didn’t really come into it.

                                                    1. 1

                                                      I have never depended heavily on the local or federated timeline for discoverability, but I joined during a wave of signups where lots of people I already knew on Twitter were already joining.

                                                      I imagine that, if the one person you know on the fediverse is also the person who told you about it, and that person is also a newbie or has mostly different interests, the local timeline matters a lot more. (And, if you’re reasonably ‘normie’ – if your strong interests aren’t geared toward witchcraft, furry fandoms, communism, and the internal politics of the FSF – you might have a really hard time finding an instance geared toward you anyway.)

                                                      I couldn’t be the one to do it, but I wonder if it would make sense to make a handful of sports-centric nodes. It would probably attract a lot of users.

                                                    2. 1

                                                      And so instead of taking the time to make informed choices, these users would rather delegate that responsibilty to a corporation which then makes all sorts of important choices for them….

                                                      1. 12

                                                        I think it’s a bit flippant to say that they don’t make an informed choice. Some people really do prioritize their time over other things.

                                                        1. 3

                                                          or they have no idea what advantages a decentralised system would provide, and completely overlook its existence

                                                          1. 5

                                                            or they don’t value the benefits the decentralised system provides, and consider the centralisation a pro.

                                                    1. 3

                                                      Nixpkgs / NixOS has run in to this problem as well, with the same strictness of hash checking. We’ve instead developed tools to normalize the results from GitHub, and compare the hash after normalization, not prior. This works for us since the contents of the archive is what we care about, and not the implementation detail of the archiving process.

                                                      1. 2

                                                        Does this mean archives are being extracted before they’re verified?

                                                        1. 2

                                                          Yes

                                                          1. 2

                                                            This opens up an attack vector through your tar & compression implementations - a bug in them could lead to code execution via maliciously crafted archive.

                                                            1. 3

                                                              Indeed. Only in specific cases are the archives extracted prior to verification, and GitHub is one of the few. However: Nix with sandboxing turned on (and everybody should have sandboxing turned on) will extract the contents in a very limited sandbox, with read access to limited paths, and write access to a single directory. The code could execute, but couldn’t do very much to the host itself. Other potential concerns involve access to a limited set of environment variables, and possibly the nscd socket. There is the chance of sandbox escapes and kernel vulnerabilities, yes, but we’ve found this to be an acceptable trade off in the few cases we’ve needed it.

                                                              1. 2

                                                                I applaud sandboxing. However I believe we (as the general community of people packaging software for various OSes) should coordinate on fixing the root issue. Get people to upload release tarballs, stop them from silently moving tags etc. Many people are just not aware, asking them nicely may be enough to solve it - one by one. You won’t get all of them to switch, but many more will if approached - instead of working around the issue.

                                                                1. 3

                                                                  I completely agree, and as a community we advocate for efforts in reproducible builds and good packaging practices. I’m sure we’ve asked people to make good releases in the past. I applaud OpenBSD’s efforts to push here as well.

                                                              2. 2

                                                                I mean, gunzip + untar is a lot less complicated than, say, TLS 1.2 + HTTP2 + gzip. Which we pass untrusted data through all the time.

                                                                Perhaps this fear is really an issue with the raw C implementation in gnutar.

                                                                1. 3

                                                                  Reducing attack surface anywhere in the chain is valuable.

                                                        1. 1

                                                          I’m not fully understanding what issue is being described here. Is it that the archive URLs are unreliable, i.e. the “Source code (zip / tar.gz)” URL?

                                                          1. 2

                                                            The hash of the auto-generated tar files is not stable. I assume the compression level changes or the tar implementation to create them.

                                                            1. 1

                                                              And what about the zip files?

                                                              1. 3

                                                                Same problem with zip files.

                                                                The OpenBSD ports tree stores checksums of release artifacts to ensure authenticity of code that is being compiled into packages.

                                                                Github’s source code links create a new artifact on demand (using git-archive, I believe). When they upgrade the tooling which creates these artifacts the output for existing artifacts can change, e.g. because the order of paths inside the tarball or zip changes, or compression level settings have changed, etc.

                                                                Which means that trying to verify the authenticity of a github source link download against a known hash is no better than downloading a tarball and comparing its hash against the hash of another distinct tarball created from the same set of input files. Hashes of two distinct tarballs or zip files are not guaranteed to match even if the set of input files used to create them is the same.

                                                                1. 1

                                                                  Thank you for the detailed response! I understand the issue now.

                                                                  There are likely tradeoffs from GitHub’s perspective on this issue, which is why they create a new artifact on demand. They maintain a massive number of repositories on their website, so they probably can’t just store all those artifacts for long periods of time as one repository could potentially be gigantic. There are a number of other reasons I can think of off the top of my head.

                                                                  Why not have the checksum run against the file contents rather than the tarball or zip?

                                                                  1. 3

                                                                    Why not have the checksum run against the file contents rather than the tarball or zip?

                                                                    One reason is that this approach couldn’t scale. It would be insane to store and check potentially thousands of checksums for large projects.

                                                                    It is also harder to keep secure because an untrusted archive would need to be unpacked before verification, see https://lobste.rs/s/jdm7vy/github_auto_generated_tarballs_vs#c_4px8id

                                                                    I’d rather turn your argument around and ask why software projects hosted on github have stopped doing releases properly. The answer seems to be that github features a button on the web site and these projects have misunderstood the purpose of this button. While some other projects which understand the issue actively try to steer people away from the generated links by creating marker files in large friendly letters: https://github.com/irssi/irssi/releases

                                                                    I’d rather blame the problem on a UI design flaw on github’s part than blaming best practices software integrators in the Linux and BSD ecosystems have followed for ages.

                                                                    1. 2

                                                                      Some more specifics on non-reproducible archives: https://reproducible-builds.org/docs/archives/.

                                                                      Why not have the checksum run against the file contents rather than the tarball or zip?

                                                                      Guix can do something like that. While it’s preferred to make packages out of whatever is considered a “release” by upstream, it is also possible to make a package based directly on source by checking it out of git. Here’s what that looks like.

                                                            1. 5

                                                              My comment in another thread (sorry @Shamar, didn’t realize you had also submitted your blog post as a separate story): https://lobste.rs/s/yz7npb/gpl_enforcement_update#c_fdcggi

                                                              1. 1

                                                                Following up on the above: So @Shamar, my take would be that the test code you added in this commit is copyrightable, but s/uint32_t/uint64_t/ is not.

                                                                And I would also hope that adding ‘const’ to function parameters does not make the result a derivative work. You could probably find a lawyer who would support this claim though, as long as that laywer doesn’t know C.

                                                                1. 2

                                                                  You could probably find a lawyer who would support this claim though, as long as that laywer doesn’t know C.

                                                                  Well, the lawyer I consulted knows enough about these stuffs to suggest me to record the issue evolution in the WaybackMachine when I told him that they where using git rebase to remove me from the repository.

                                                                  He is pretty smart, actually. ;-)

                                                                  As for the const matter: are you sure you know the modifier’s semantic deeply enough? ;-)

                                                                  The modifier enables several optimizations (they can vary depending on the compiler).
                                                                  It was not supported by Ken-C.

                                                                  My patch enabled these optimizations not only for the functions you can find in the ISO C standard (that btw was not supported, in any way, by the Harvey’s libc), but also for others that were specific for Harvey, such as all the rune related ones.

                                                                  Now, I agree that my patch is the simplest possible way to enable such optimizations.
                                                                  But not the only one!

                                                                  If you barely know C, you know that there are several other ways to do the same. In a word: macros.
                                                                  But if they really wanted to support ISO C, they had several other alternatives to address the optimization problem without using a patch that conflicted with mine. They have an ISO C library in APEX after all!

                                                                  1. 2

                                                                    Whatever the semantics of const are in various implementations of C, this question boils down to whether your change is a copyrightable “derivative work” or not. I suspect you can only determine the legal answer in a long court case. Do you really wanna go there, after they’ve already removed all code that everyone already agrees consitutes a derivative work? I think you’re blowing this out of proportion.

                                                                    1. 1

                                                                      No no no! As I said otherwhere, I wont bore them anymore.

                                                                      According to my lawyer, my github fork (frozen before the rebase) and the archive on the WaybackMachine should be enough to defeat in court any pretension on my code.

                                                                      The medium post is, as it has been defined by @mempko, just “a cautionary tale”.
                                                                      For younger devs pondering to contribute to Open Source Software.

                                                                      1. 3

                                                                        I don’t think what you’re doing is encouraging younger devs to contribute to open source :(

                                                                        1. 6

                                                                          Indeed! I strongly suggest them to contribute to Free Software, instead!

                                                                          1. 9

                                                                            You had one problem with one project. Generalizing this experience to an entire class of communities doesn’t seem appropriate.

                                                                            1. 2

                                                                              Please, read more carefully.
                                                                              I wrote:

                                                                              Free Software feels proud of each person that contributes.
                                                                              Whatever the license, a Free Software community will be very happy to add your name to their code base. Because you studied and changed the code.
                                                                              You made it useful. You are a sign of honor.
                                                                              They trust you. And respect you.

                                                                              On the other hand, Open Source managers are eager to take your code.
                                                                              But while your code becomes their asset, your copyright is a liability.

                                                                              I’m not generalizing to “an entire class of communities”.

                                                                              I’m saying that, whatever the license, you should not assume that you are working for a Free Software community that will trust and respect you.

                                                                              And, that you should really know what you are doing before contributing to Open Source Software leaded by big firms, because there you will probably be just another minion to use.

                                                                  2. 1

                                                                    Ah.. yes… since you cited the scheduling issue, please try to get their change with s/uint32_t/uint64_t/! ;-)

                                                                    I don’t want to be a jerk, but as I wrote, I do not play poker. I try to back my statements with facts.

                                                                    1. 1

                                                                      please try to get their change with s/uint32_t/uint64_t/! ;-)

                                                                      Well, what other change in that diff do you mean? This one?

                                                                      -uint32_t tk2ms(uint32_t);

                                                                      +#define tk2ms(x) ((x)*(1000/HZ))

                                                                      Are you convinced that change must carry your copyright?

                                                                      I don’t mean to be confrontational, I’m just trying to help you find a perspective on the matter that doesn’t leave you in a bad mood.

                                                                      1. 1

                                                                        No, problem.

                                                                        What I mean is: open one the file modified files in that commit, eg sys/src/9/amd64pv/devarch.c or sys/src/9/k10/dat.h, at the state before the change and try to use s/uint32_t/uint64_t/ all over it.

                                                                        You will notice that you had just broken the system.

                                                                        Finding the right type to change was not trivial.
                                                                        And I had to do some iterations, testing manually that everything was working in kernel and user space.
                                                                        That’s why I wrote the test you cited.

                                                                        Do you really think that work does not constitute a derivative work? Are you sure it was a trivial change not deserving any authorship?

                                                                          1. 1

                                                                            That was exactly what happened, hobbes!

                                                                            Thanks for sharing!

                                                                          2. 0

                                                                            Yes, so copyright your test. Doesn’t that solve the problem?

                                                                  1. 6

                                                                    It may be the late hour, but I’m having trouble synthesizing the information presented here. It seems that Giacomo contributed some code to Harvey, a Plan9 fork, but then forked Harvey at some point to create Jehanne. He stopped paying attention to Harvey at some point after focusing efforts on Jehanne. A friend pointed out that Harvey’s attributions no longer included his name. He verified this and then posted an issue about it. The Harvey folks said something along the lines of “no big deal” and after some discussion, the Harvey folks decided that it would be better to remove all of his contributions than to attribute them to him. He pointed out that their rework didn’t really remove his contributions but rather reimplemented them minorly. Then he posted a blog post about it.

                                                                    Does the Harvey team still have work to do if they want to actually mitigate a need to attribute to Giacomo?

                                                                    1. 12

                                                                      He laid it out cleanly in the end. Instead of respecting him and his contributions, they bitterly removed them. He feels the Free Software people respect contributors, while big corporate open source folks dont. I agree with his conclusion. It’s a cautionary tale.

                                                                      1. 8

                                                                        It’s a cautionary tale.

                                                                        Exactly. But note that it’s not just a matter of Free Software’s ethics.

                                                                        As I tried to explain them, if you use somebody else code without proper copyright statements, you pose a threat to their own right to use their code elsewhere.

                                                                        1. 1

                                                                          It sucks a lot but I think it’s something that we as contributors have to accept. Code changes. When our contributions are no longer present, there’s no longer a need to actively recognize those contributions. At least, that seems to be the terms of the license.

                                                                          1. 10

                                                                            except thats not what seems to have happened. They actively removed and reimplemented so the name isnt on the project. Thats some nasty stuff.

                                                                            1. 4

                                                                              They actively removed and reimplemented so the name isnt on the project. Thats some nasty stuff

                                                                              Umm, no, that’s not nasty. It happens, sometimes for good reasons: https://marc.info/?l=openbsd-cvs&m=99118918928072&w=2

                                                                              1. 3

                                                                                The point @stsp is not that they reimplemented my stuff. Surely they can!
                                                                                But their new implementation can be obtained by trivial, non recursive, modifications of my patches (that is: you can do that with notepad, you don’t even need for a regular expression).
                                                                                And, accidentally, their reimplementation work went mixed in few huge commits that were a squash of several commits from several authors.

                                                                                Now, I wont bore them anymore. But I really learned a lesson there.

                                                                                1. 1

                                                                                  And if the parts of your patches they kept could be obtained by trivial, non recursive, modifications of their original code, what then?

                                                                                  Your statement shows that you are applying the derivative work concept, but only where it favours your own cause.

                                                                                  1. 4

                                                                                    And if the parts of your patches they kept could be obtained by trivial, non recursive, modifications of their original code, what then?

                                                                                    If you think that my patches can be obtained by trivial, non recursive, modifications of their original code, you didn’t look at the code at all…

                                                                                    1. 1

                                                                                      This is about parts of patches, not the patches as a whole.

                                                                            2. 3

                                                                              I cannot agree @colindean: I didn’t complain for the code they removed or replaced.
                                                                              For example I ported zlib to Harvey and wrote a console filesystem in user space, and they properly removed them together with the copyright statements, here and here.
                                                                              I’m fine with this: it’s their project, they are many different people, they can always choose better approaches.

                                                                              What I cannot accept, is people using my code and patches (that I’m using elsewhere) without any attribution.
                                                                              SCO teaches that things can get hairy in the long term.
                                                                              And they are backed by Software Freedom Conservancy.

                                                                        1. 1

                                                                          Well, it’s very interesting to contrast this article with what happened to my copyright in Harvey.

                                                                          What a perfect timing!

                                                                          1. 4

                                                                            Sorry, but I think you’re overreacting a bit there.

                                                                            I think the question boils down to whether your remaining contributions constitute a derivative work.

                                                                            What this means in practice is that copyright claims are usually added only for substancial rewrites or entirely new files. When modifying an existing work in a way that does not make the result a derivative work in the legal sense, it is better to retain the original copyright and licence claim, i.e. fold the contributions into it. This is because ownership of copyright implies the power to change the licence of the work. So adding copyright statements is not something that should be done willy-nilly because otherwise anyone getting a one-line fix into a project could arbitrarily change the licence of the affected file (EDIT: Of course, copyright could nowadays be tracked to individual lines thanks to version control, but the legal rules involved are older than version control, and always up to interpretation by lawyers).

                                                                            You deserve recognition for your contributions, no doubt. But adding a copyright claim is not the only way to recognize a contribution.

                                                                            1. 1

                                                                              Sorry, but I think you’re overreacting a bit there.

                                                                              Well, if you feel that as an “overreaction”, do not visit Italy. Ever. It would be scary, to you. ;-)

                                                                              Of course, copyright could nowadays be tracked to individual lines thanks to version control, but the legal rules involved are older than version control, and always up to interpretation by lawyers.

                                                                              And this is exactly what I’m afraid of!
                                                                              I don’t want a lawyer to sue me because he saw my code in my project and he trusts the (git rebased) Harvey’s repository more then mine.

                                                                              There was a reason why I asked to git revert the commits when they said that they prefer to remove the contributions instead of fixing the attribution.

                                                                              Many reasons, actually.

                                                                              You deserve recognition for your contributions, no doubt. But adding a copyright claim is not the only way to recognize a contribution.

                                                                              Sorry, but I think you have completely misunderstood the matter.
                                                                              Not your fault, though.

                                                                              I do not care about any recognition from Harvey’s team. Really.
                                                                              My contributions were gifts. Hadn’t I suggested my friend to try Harvey, I would have never noticed the issue.

                                                                              But they removed the few copyright statements I added back in 2015 and also removed the CONTRIBUTORS file that contained my name (because it was “too much trouble” to maintain it).

                                                                              Had they moved, say, to GitLab after an unfortunate git rebase, I would have had an hard time to prove I’ve ever actually contributed a single line of those I reused in my project.

                                                                              1. 2

                                                                                I think you are now mixing up two different parts of the conversation.

                                                                                Yes, they removed a lot of code with your copyright on it, and that was done correctly and you already said you had no problem with that. But this is not the part of the conversation I am talking about.

                                                                                What I am talking about is your concern about some changes which were left in their source tree after your copyrighted code was removed: https://github.com/Harvey-OS/harvey/issues/698#issuecomment-365286356

                                                                                You claim that they must add your copyright back to those changes, and what I am saying (and I think it is what dancrossnyc from Harvey is saying as well) is that your copyright claim on those changes is valid only if those changes consititute a “derivative work”. If they don’t, then no copyright claim can be made which extends on that of the original copyright on the codebase. Which means both you and Harvey are entitled to make these same “non-derivative-work” mechanical changes in your projects without risking copyright infringement. So I don’t follow your argument that your copyright claim must be on those changes in order to legally protect your derived project. Essentially, there was no reason to ever have your copyright on those specific changes in the first place.

                                                                                Now, for contributions which are consiered a “derived work”, the situation is different, and this is why Harvy removed all of those changes we (you and me) both agree they should remove.

                                                                                But you are still pursuing an argument with Harvey which boils down to the question of what constitutes a “derivative work”. I think it’s not worth having that argument for either side. Just chill. It seems they’ve already removed all they had to remove.

                                                                                1. 2

                                                                                  No, sorry, I know there’s a lot of confusion and some contradictory statements in that issue, so it needs a careful read.

                                                                                  The statement

                                                                                  If you feel you can’t remove those changes because they are important for Harvey, you can still add my copyright statement to each of modified files.

                                                                                  was ironic.

                                                                                  I just wanted to point out that they had to use alternative solutions. That exist.

                                                                                  Btw, as I said otherwhere, I wont bore them anymore.

                                                                                  According to my lawyer, my github fork (frozen before the rebase) and the archive on the WaybackMachine should be enough to defeat in court any pretension on my code.

                                                                                  The medium post is, as it has been defined elsewhere, just “a cautionary tale”, for younger devs pondering to contribute to Open Source Software.

                                                                                  1. 1

                                                                                    why would you waste money on a lawyer for something you don’t even make money with. Your whole story is baffling.

                                                                                    1. 2

                                                                                      Well, I cannot measure everything I do with money. I have three daughters I love most.
                                                                                      I do my mistakes, but I know they learn from what I do, not from what I say.

                                                                                      But your is a good question, since I’m often called “greedy” just because I’m Ads Adverse.

                                                                                      My decision was pretty simple. And rational.

                                                                                      I pay the bills as a programmer.
                                                                                      Compared to the value of the time I’ve spent hacking for Harvey, the lawyer’s fee is tiny.
                                                                                      But compared to the value I put in my own fork, the time I spent for Harvey means nothing.

                                                                                      1. 1

                                                                                        Where I’m from trying to get value for your money isn’t considered greedy.

                                                                                        I respect you value your time invested, but I do think spending on it is a sunken cost fallacy, trying to recover an unrecoverable loss. In the future sign your commits and keep your version of the repository on github. Don’t be so concerned about what people do with your work unless it costs you real money in some way. That’s how I would do it anyway.

                                                                                        1. 1

                                                                                          I do not think that my contribution to Harvey was “an unrecoverable loss”.

                                                                                          I will keep to send bugfixes to Open Source Softwares that I use in the future.
                                                                                          Opportunistically, since I do not want to maintain them locally.

                                                                                          But I will not donate my time and skills to them again.

                                                                                          Obviously I won’t just look at the license they use!
                                                                                          I’ve worked very well with communities using all sort of license.
                                                                                          I’ve never checked before, but you can still see my name in php-mode, for example, 14 years after my introduction of PHP 5 support.

                                                                                          In the future I will look at the leaders, who they are, where they work…
                                                                                          I will consider to donate only if I’ll see they both trust and respect their developers and users.

                                                                                          And this will automatically exclude many big firms that treat their users as laboratory mice.

                                                                                          1. 1

                                                                                            Oh, as for GPG signing the commits, it’s a good idea.

                                                                                            But back then, in 2015, Harvey had a convoluted “standardized” workflow based on GerritHub.

                                                                                            It was so cumbersome that, after I managed to integrate travis-ci and coverity scan to Harvey, I fought against it very strongly. You might find something on the mailing list.

                                                                                            But given it used to break almost weekly, adding GPG signatures project wide was unrealistic.
                                                                                            They just required devs to sign-off commits.

                                                                            1. 1

                                                                              Not immediately obvious from the title: This is an important step towards quantum computers.

                                                                              1. 4

                                                                                This is very relevant as I’ve been working with a therapist this month to fix my posture and ergonomics after developing tendonitis in my wrist and shoulder. I’d like to stop it now before it becomes carpal tunnel which my understanding it can be difficult to treat.

                                                                                Would love to hear what others are doing to make their computer centric work and life more body-friendly.

                                                                                1. 4

                                                                                  Find a friendly gym. I use the one at my local tech uni. It’s boring, annoying, painful at first, and takes time. But your body will tell you that it is worth it. You don’t need to grow mucles there, just go regularly to move and get some blood flowing in parts of your body which are usually neglected. Especially when I start feeling pain in wrists and fingers, I can go there and the pain gets fixed. Sometimes I use the time there to reflect on things I’m working on, and already even found bugs in my code that way. You should get an intro from either staff or someone experienced. If you they ask you what you want, and you don’t really know, just ask for a set of exercises that will keep your back in good shape. Worked well for me.

                                                                                  1. 3

                                                                                    Switching to a split keyboard (kinesis freestyle 2) and 70-degree-rotated mouse (like the Microsoft sidewinder) helped a fair bit, as did getting a good chair. All told I’ve spent about $1200 on ergonomic equipment and it all feels well spent.

                                                                                    1. 2

                                                                                      I’ve been wearing wrist braces for about a month now. They’ve helped immensely. Also I’ve been trying to understand posture and ergonomics, like you… it’s hard; I never really paid much attention before.

                                                                                    1. 1

                                                                                      Last I looked into this topic I found the situation of available Life cycle inventory datasets quite sad.

                                                                                      A lot of research and life cycle assessment studies depend on these databases. Most datasets are being produced by private companies tailored to specific proprietary tools (such as Gabi) which researchers then use for modelling their subject of interest. There are some public datasets but they are considered incomplete by life cycle assessment profesionals I have talked to.

                                                                                      Setting aside the issue that most software used in this research domain is proprietary, the licence terms of these data sets are very obnoxious. The terms of use are very narrowly restricted. And these data sets are very expensive, especially if they come with some seal of approval of some (self-appointed?) authority in the field. This data is being treated like trade secrets in many respects, even though it is essential for public research about our climate.

                                                                                      Granted, it takes a lot of effort and expertise to compile and maintain accurate LCI databases. But this problem seems like a great fit for a community project which provides a platform for researches and other experts to share and accumulate data they have gathered, in a wikipedia-like fashion, free for everyone to use for any purpose.

                                                                                      What is your view on this?

                                                                                      1. 2

                                                                                        Yes, the secrecy of scientific data is a huge problem. Even paying for the data, there can be problems with providers about the usage conditions of that data.

                                                                                        I don’t know what to say. People who painstakingly compiled the data don’t seem to know how to profit off it except by restricting access to the data. I believe perhaps there should be more government initiatives to collect and free the data. That’s not an easy thing to do either, though.