1.  

    Programming Rust is really, really good. Well worth the $15.

    1.  

      Reading Programming Rust which I picked up from https://www.humblebundle.com/books/functional-programming-books ($15 USD). It is highly illuminating, and even reading the early chapters will probably teach you a lot, if you’re not already in the top few % of Rust experts. I’m 1/6 of the way through now, and have already learned/unlearned a ton of Rust tricks/mistakes. Amazing book!

      1. 5

        Finishing the signing of Android APKs in Go.

        1. 1

          To be clear, it’s the signing that happens in Go, and the APKs are just regular APKs, right?

          1. 1

            Yep

        1. 7

          Meta: Would this not be considered a rant? Although the tone of the article is lighthearted and not incendiary, the author is definitely ranting about how complex webdev is today, and not attempting to educate or inform the user on a technical solution.

          I think it’s important to tag rants as such, because that tag has a hotness demod, and this kind of story is easily upvoted because people generally can agree on common complaints.

          Edit: Since this comment is getting a few upvotes – if you agree with my comment, please use the “suggest” link beneath the story to suggest tags as you see appropriate.

          1. 1

            Qt GUIs with Rust is pretty cool. With his code generation approach, you still don’t get to write everything in Rust – you still need some QML and some C++/JSON binding glue – but it sounds like a good way to write your business logic in Rust while keeping the GUI code isolated.

            1. 7

              The Register is utter crap. This story was already posted here days ago in less sensationalized form.

              Cue the hate bandwagon. Firefox is next in line. Pile on everybody! Microsoft, Apple and Google are so passe!

              1. 5

                So, yes, the Register is a tabloid. Do you have a link to the other story? I can’t find it.

                In any case, this isn’t a hate wagon. I strongly feel that most forms of advertising are detrimental to society and our mental health, and I distance myself from ads as much as possible.

                1. 4

                  here is the other story.

                  In my opinion, the categorization of the recommendations that Pocket will provide in the new tab as “advertising” is questionable.

                  I’m a heavy Pocket user, and I use their Recommended Stories feature quite often to great effect. Their engine does in fact recommend stories I’m interested in.

                  This isn’t Mozilla heavy-handedly blasting dialog based blocker ads to their users, this is them taking advantage of a partnership they’re in to provide users with a useful source of new content that they see as a default background in their “New” tab.

                  And you can turn it off as a part of the regular preferences as detailed here

                  1. 5

                    In my opinion, the categorization of the recommendations that Pocket will provide in the new tab as “advertising” is questionable.

                    Today it’s not “advertising.” It will be. Straight from Mozilla’s blog:

                    we will soon experiment with showing an occasional sponsored story within the Pocket Recommendations section in New Tab Page

                  2. 2
                  3. 1

                    People getting upset about this before it’s a real fiasco is probably the best possible situation. You’d rather it languish and become a festering wound before people react. It would not be better for Mozilla, in fact it would be horrible.

                    1. 2

                      I disagree with the characterization of this as “advertising” - see my previous response for more color.

                  1. 3

                    Ugh. ActivityPub makes me sad – we have so many good, deployed solutions to 80%+ of the social networking stuff, and ActivityPub just ignores all prior art (including prior art by its creators) and does everything from scratch.

                    1. 3

                      Why in your opinion did ActivityPub “make it” while others have failed?

                      Disclosure: I contributed to Rstat.us for a while.

                      1. 2

                        How do you mean “make it”? You mean mastodon? Because mastodon got popular before it had implemented any ActivityPub, so that’s unrelated :)

                        OStatus and IndieWeb tech are still the most widely-deployed non-mastodon (and are partially supported by mastodon as well)

                        1. 1

                          Bah, I apologize for not being clear. By “make it”, I mean, why has ActivityPub been promoted as a standard instead of OStatus or IndieWeb or another attempt at a protocol for the same space?

                          1. 3

                            OStatus mostly described a best practice for using other standards in a way that created a decentralized social network – so it never really needed standardization on its own. That + that the people behind it moved towards next generation standards instead, e.g. identi.ca moving to pump.io

                            IndieWeb though is getting standardized by the very same group as has published this recommendation and e.g. WebMention and Micropub have been recommendations longer than this one even.

                            1. 3

                              Atom, PubSubHubbub (now WebSub), and Webmention are all standards with various bodies

                              1. 1

                                PubSubHubbub

                                Seeing some silly things they did with regard to best practices I can’t really say I feel bad about this. Things like using GETs instead of POSTs (if memory serves correctly) because of legacy stupid decisions.

                                1. 1

                                  Yeah, Webmention was a W3C Recommendation for quite a while now even. I still don’t like how W3C standardized two ways of doing roughly the same thing…

                          2. 2

                            I think AP is an okay standard (although it, again, underspecifies a lot), but it doesn’t make anything possible that wasn’t already possible with OStatus, or some very simple extensions to it.

                            1. 1

                              In what way did you think that ActivityPub did not learn from OStatus?

                              1. 1

                                so many good, deployed solutions to 80%+ of the social networking stuff

                                For example?

                                1. 3

                                  friendica, hubzilla, gnu social, pleroma

                                  1. 4

                                    pleroma

                                    Pleroma either currently supports or is very close to fully supporting AP, and was a pretty important goal from the outset.

                                    1. 4

                                      I know, I wrote it :)

                                      1. 2

                                        I think I follow you then :) Thanks for writing Pleroma <3

                              1. 15

                                I believe the majority of the credit goes to Christopher Lemmer Webber, whom you can follow on Mastodon: https://octodon.social/@cwebber – He’s been working hard on ActivityPub for ~3 years.

                                Edit: Ah, apparently you are him, @paroneayea. Congratulations!

                                1. 3

                                  Looks like the TextMate/SublimeText Elixir plugin got recent support for automatic mix format on save: https://github.com/elixir-editors/elixir-tmbundle/commit/a3095cc1f041f37694d1ff47e94d6ec0d230ab3b

                                  1. 4

                                    What problem does this solve? What does it cost in increased complexity for the codebase?

                                    1. 3

                                      What problem does this solve?

                                      It improves the security surrounding third-party scripts and applications. Today it is already possible to write third-party scripts, with authentication using cookies. But cookies are easily abused, so OAuth improves on that security problem.

                                      @nickpsecurity mentions some reasons why an API in general is better than no-API. I’m talking about the OAuth aspect only.

                                      What does it cost in increased complexity for the codebase?

                                      A lot of it would be isolated from existing logic: OAuth would have a mostly-separate login flow. It would add new mostly-isolated endpoints for registering API consumer applications.

                                      It would add maintenance burden to JSON APIs: As a best practice, there would be new endpoints (/api/v1/...) corresponding to each of the existing (~3-5?) JSON read-only endpoints, as well as new endpoints for performing actions as a logged-in user (voting, posting, commenting). The business logic remains the same, but the new endpoints would route through the OAuth validator, instead of today’s existing cookie/session validator.

                                      Existing JSON endpoints could either be deprecated or kept around, depending on to what extent they’re being used today.

                                      1. 3

                                        Given this is first-and-foremost a site for techies, would a (somewhat simpler) ‘generate an API key and choose permissions via the profile screen’ be sufficient?

                                        The permissions I can think of:

                                        • Vote
                                        • Post
                                        • Comment
                                        • Suggest tag
                                        • Flag
                                        • Hide
                                        • Save
                                        • Invite
                                        • Read PMs
                                        • Write PMs
                                        1. 2

                                          Let me clarify: I think what you’re proposing is an API key tied to a single account, rather than an OAuth application that can potentially service multiple different accounts. Thereby eliminating the OAuth login flow.

                                          Have you seen such a system in use anywhere? One benefit of OAuth is that it’s a standard, so people sort of understand the ins-and-outs and use cases of it. An ad hoc API key system would probably work on a technical site like lobste.rs, but may be confusing to API consumers and/or site maintainers/forks, solely due to the fact that it’s ad hoc.

                                          Which brings me to another point: the lobste.rs codebase can be forked and used for non-tech sites. So simplifying the end-user experience, using OAuth, would be much preferable given that use case.

                                      2. 2

                                        Far as an API, people are always making requests about changes to the site to reflect their preferences. An API would let them code up solutions themselves or for sharing with others. This happens regularly on HN with its API. This is also a site full of programmers who could handle that with UI preferences ranging from native apps in terminals to Electron apps built on web browsers.

                                        Might also help on productivity where people could scrape the site to consume it later in their own way. They just get digests or something based on certain tags or users. There’s more possibilities.

                                          1. 1

                                            Thanks. @pushcx could we get the submission URL edited please?

                                          1. 1

                                            I’m trying out Mastodon on the flagship instance (https://mastodon.social) and it’s pretty buggy compared to a few weeks ago. My Home timeline was showing as empty until I unfollowed and re-followed people. And after doing that, it’s only showing history from the latest follow, although the streaming new toots still seem to work for other followers.

                                            Also trying a Remote follow now seems to get stuck on the /authorize_follow?acct=someone@example.social page. It shows that I’m logged in, and shows the profile of the person I’m trying to follow. But there’s no button to actually do anything other than log out.

                                            For now, Mastodon 2.0 seems to have some serious bugs to iron out.

                                            1. 1

                                              Update: The above issues seem to be resolved now. It’s working normally again. Maybe the server was overloaded?

                                            1. 2

                                              The post mentions embedded devices. What would be the viability of running Plaid on Android and iOS devices? Is it (will it be) easier than what they had to do for Not Hotdog to run TensorFlow on smartphones?

                                              1. 1

                                                This release is focused on supporting research and education on desktop platforms with OpenCL, it would be some work to add iOS and Android support. You’d need to add GLES and probably Metal but it is a good idea. Let us know if you want to give it a shot.

                                              1. 3

                                                Is there a visual example of the lowdown-diff output? I was disappointed not to see a ready comparison of the output versus the diff and wdiff examples in the introduction.

                                                EDIT: Apparently I missed the line near the top:

                                                For a quick example of this functionality, see diff.diff.html, which shows the difference between this document and a [fabricated] earlier version.

                                                1. 3

                                                  Thanks—I’ll put in an in-line exemplar as well when next editing.

                                                1. 3

                                                  I recently switched to Windows after nearly a decade of Linux desktops. I’ve been containerizing apps in an effort to keep the base OS in a clean state. I’ve also been searching for how to create a pico driver to no success, but if I figure it out I plan on writing a toy OS and programming language in the Windows kernel.

                                                  1. 2

                                                    Why the switch to Windows? Seems kind of backwards!

                                                  1. 6

                                                    Seems like this would require some extra infrastructure/monitoring to make sure the security.txt itself is not tampered with. Imagine malware infecting popular webservers that rewrites email addresses to one owned by the hacker.

                                                    It wouldn’t be too farfetched to register a fake email and domain appsec@example-security.net for a target website example.com and get free 0day security disclosures to your inbox. The separate domain is a little suspicious, sure, but if security contact info were always obvious like security@example.com (primary domain) then security.txt wouldn’t be that necessary in the first place.

                                                    What would the extra protection look like? Maybe start with PGP signing the security.txt file? But wait, the PGP file is part of the proposed contents of security.txt. The hacker could change that URL too. Hmm.

                                                    I guess my point is, adding an important file like this is not as trivial as it sounds. It’s not merely a convenience, but also an additional point of attack. Sure, it may not be that likely for a file to be compromised in the first place, but the rewards for compromising the file would be pretty huge depending on the company/owner. So this really requires someone to pay attention to their web stack, which may be a tall order for a non-web developer trying to set up a simple info website for their non-web product, for example.

                                                    1. 3

                                                      I’m far from a security expert but I don’t see the need of being signed (certifying who signed it). You just need to be sure that it didn’t change in time, and if it does, you need a way to check it’s normal. I was thinking of a few ideas that might be total crap:

                                                      • Store a strong hash of it in a DNS TXT field?
                                                      • Store it on a blockchain? So you have a history of previous hashes.
                                                      1. 1

                                                        The security implications for this don’t seem to be any different from hosting a Security page in HTML on your website explaining your reporting process?

                                                        1. 2

                                                          I guess the differences are that security.txt is trying to be a standard, and is not visible on the website itself. If the owner doesn’t know about it, a hacker can put one there without the owner ever noticing, since it’s not visible when browsing the website. But security researchers may still use it, assuming the owner put it there.
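
The monitoring idea raised in this thread, as an added example (not code from any commenter or from the security.txt proposal): compare a fetched security.txt against a hash pinned out of band, and flag `Contact`/`Encryption` values that point outside the site's own domain. The sample files, the `audit` helper and the choice of SHA-256 are assumptions made for illustration; the sample contents are constructed.

```python
import hashlib
from urllib.parse import urlparse

# Constructed sample files: the owner's version and a tampered copy.
BASELINE = """# constructed sample
Contact: mailto:security@example.com
Encryption: https://example.com/pgp-key.txt
"""
TAMPERED = """# constructed sample
Contact: mailto:appsec@example-security.net
Encryption: https://example-security.net/pgp-key.txt
"""

def parse_fields(text):
    """Return (name, value) pairs, skipping comments and blank lines."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.append((name.strip().lower(), value.strip()))
    return fields

def host_of(value):
    """Host that a mailto:, bare e-mail or URL value points at ('' if none)."""
    if value.lower().startswith("mailto:"):
        value = value[len("mailto:"):]
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    if "@" in value:
        return value.rsplit("@", 1)[1].lower()
    return ""  # e.g. tel: values carry no host to compare

def in_domain(host, site_domain):
    """True for the site domain itself or a real subdomain of it."""
    return host == site_domain or host.endswith("." + site_domain)

def audit(text, site_domain, pinned_sha256):
    """List findings: drift from the pinned hash and off-domain contacts."""
    findings = []
    if hashlib.sha256(text.encode("utf-8")).hexdigest() != pinned_sha256:
        findings.append("hash-mismatch")
    for name, value in parse_fields(text):
        if name in ("contact", "encryption"):
            host = host_of(value)
            if host and not in_domain(host, site_domain):
                findings.append(f"off-domain {name}: {value}")
    return findings

# The pinned value stands in for a hash kept away from the web server
# (monitoring config, or a DNS TXT record as suggested in the thread).
PINNED = hashlib.sha256(BASELINE.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    print(audit(BASELINE, "example.com", PINNED))
    print(audit(TAMPERED, "example.com", PINNED))
```

An off-domain finding is a prompt for review rather than proof of compromise, since some owners legitimately route reports to a separate domain.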

                                                      1. 1

                                                        android-job is the missing compatibility library between the old AlarmManager API and the newer JobScheduler API available since Android 5.0. It also replaces the GcmNetworkManager component made by Google, which serves a similar purpose but has a hard dependency on Google Play, so it doesn’t work on Amazon devices for example.

                                                        Notable about 1.2.0 is support for the newest Android 8.0 “Oreo.”

                                                        1. 13

                                                          Bro project is a network security monitor: https://www.bro.org

                                                          1. 5

                                                            And here’s a mailing list message linking the project with the GDoc: http://mailman.icsi.berkeley.edu/pipermail/bro/2017-October/012542.html

                                                          1. 2

                                                            I’ve been using Pigeon in production for close to a year. Works smoothly and the maintainer is great about collaboration and diagnosing/fixing bugs quickly.

                                                            Disclosure: I contributed the Pigeon implementation for ADM (Amazon Device Messaging).