1. 6

    This is dangerous, as you are now potentially telling people their name is not actually their name. You link to the Falsehoods Programmers Believe About Names in the article itself, but I would still like to point out number 12:

    People’s names are case sensitive.

    and number 13:

    People’s names are case insensitive.

    Trying to capitalise names based on what you believe to be correct does not guarantee it actually is correct. Telling someone called “Jack MCK” they are actually called “Jack McK” would be incorrect, but would be the result this script gives you. Serving them a page with their name incorrectly capitalised can be hurtful, especially because they did enter it correctly themselves.

    1. 4

      That’s indeed what’s also said in the article itself. It notes that you might just use the snippet for suggesting a normalized format, letting a user decide which form is correct.

      1. 5

        But why assume it’s incorrect in the first place? You would still be telling them “hey I believe your name is incorrect, do you actually know how to spell your own name?”.

    1. 1

      I believe there are more than that, including Active cables (although these may not include C-to-C, I’m not sure), judging by the table above the linked header here.

      1. 2

        And alt-mode adapters/cables. I had a MacBook Pro 2016 that I wanted to hook up with a DisplayPort screen. Since the Apple USB-C to HDMI adapter (which used to be ~80 Euro) does not support 4k@60Hz (only 30Hz), I bought a USB-C DisplayPort Alternate mode adapter. Worked great on the MacBook Pro 2016, I drove my external 4k screen for about 1.5 years in that way.

        Then I upgraded to a MacBook Pro 2018 and the adapter does not do anything at all, there is simply no signal. I now have the same adapter on my 2019 NUC running NixOS and it works without any issues. Why it doesn’t work with my MacBook Pro 2018 is a mystery to me. I ordered yet another adapter and it works.

        Another tire fire: some series of the initial Apple USB-C to multiport adapters (both VGA and HDMI) had a USB 2.0 hub. So, you have a laptop with USB 3.1, but you can only use the bandwidth of USB 2.0 with the adapter.

        USB-C is a mess and a money sink.

      1. 2

        ConEmu https://conemu.github.io is, by far, the best Windows terminal emulator. Just use that.

        1. 3

          It doesn’t work, at all, for what I’m trying to do.
          It looks similar to CMDer, which is in the top left of this screenshot: https://timvisee.com/blog/fix-windows-terminals-use-linux-terminal/overview.png

        1. 14

          The instructions in this post are great, and if you live and breathe *nix, it’s indeed a great way to bring all your existing tools over. That said, if you’re doing this purely because you’re disappointed with the speed/quality of the Windows console, I’d really encourage you to follow along with the Windows Terminal betas instead. You’ll get tabs, proper colors, drastically improved speed, etc. but you can use the same terminal for both the Windows and Linux side, plus you don’t need to install and configure X, and you’ll get better integration with the rest of the host OS.

          The other thing I’d personally probably do before this is use Hyper.js (which ≥v3.0 is actually very fast), but I totally grok why going that route might feel a bit too gross.

          1. 3

            Slightly sheepishly also using Windows after it came on my new laptop and I wanted to see what power and screen management was like before I nuked it.

            @gecko @timvisee What do you think of the new Windows Terminal so far? I’ve found it ok - annoyingly there are a couple of tmux/vim keys that it caught but otherwise seems nice so far.

            1. 7

              It’s moving fast, so it’s hard for me to really have a strong opinion on it at the moment. The initial launch was crashy and had issues with 256 color support. It’s now relatively stable (in a crashing sense), and colors are better, but there’s still just tons of little things that aren’t 100% there yet. Scrolling is smooth except when it isn’t, there are some odd keybinding collisions that I’m not sure are from WSL or from Terminal or what, and so on. I chose my word choice of “…follow along with” instead of “use” on purpose; I’m really excited and pretty confident about where it’s going, but I’m not convinced it’s there yet for everyone, either.

              1. 3

                I’ve only used it for a short while, and that was some time ago. From what I recall, I had trouble with rendering xterm-256colors, and some bindings I used were caught (like you’re experiencing). I should give it another try with a fresh build, it might be better now, so don’t quote me on it. It’s in rapid development after all.

                Based on that experience I do agree that it is ok, but not good enough. It doesn’t work as well (yet) as the solution I’ve suggested with the XFCE terminal, even though that takes some effort to set up. There are some minor annoyances which broke the awesome terminal feeling for me, and I’m done tinkering around with all kinds of settings.

              2. 2

                Thanks. I totally agree that this is intended for *nix power users, and might edit the post to make that a bit more clear.

                I really hope the Windows Terminal will get as plug and play as current terminals on Linux when it is released, that would be awesome.

                1. 3

                  It should. Windows Terminal will be replacing the existing Windows console client once it’s finished, and Windows console is already the default terminal used for both WSL 1 and 2, so the overall effect should be that you get a native, actually good terminal with your pseudonative Linux installation out-of-the-box. (If you opt in the Insider previews, you can live in this world now.) Things can always change before shipping, but right now, it looks very promising.

                2. 2

                  Don’t forget the smileys! (Or whatever they are called these days)

                  1. 3

                    I can’t cover every tool in a post, but I did give it a try. Cygwin is an awesome project, but I didn’t succeed in properly rendering the tool I’m using, and it isn’t a WSL replacement for me because:

                    Cygwin is not: a way to run native Linux apps on Windows. You must rebuild your application from source if you want it to run on Windows.

                    1. 5

                      I try really hard to make blanket statements like this, but:

                      in the world of WSL, I can think of absolutely zero reasons to use Cygwin, and a lot of reasons not to. So I don’t think you’re missing anything.

                      1. 2

                        Agreed. This was a valiant effort and did a yeoman’s job for many a year, but its time has passed.

                    2. 3

                      Cygwin is a worse distro than any normal linux and way way slower than WSL

                      1. 2

                        way way slower than WSL

                        I am not saying you’re wrong, but do you have any data to back this up?

                        I am pretty skeptical of this statement. Also some other issues:

                        1. 2

                          No I never measured, but I remember it being immediately apparent that WSL was faster when I switched over

                    1. 4

                      I’ve been doing this for a while and it works ok, copy paste takes a few attempts sometimes and generally it’s not as good as it should be. But then all the native windows terminals are just awful (how does opening a box with text take multiple seconds????) and this works a lot better.

                      For actually starting terminals I have this autohotkey script:

                      #Enter::
                      	Run C:\Program Files\Alpine Linux\st.vbs
                      	WinWait Xming,, 1
                      	if ErrorLevel = 0
                      		WinMaximize
                      	return
                      

                      and st.vbs is:

                      WScript.CreateObject( "shell.application" ).ShellExecute "C:\Program Files\Alpine Linux\Alpine.exe", "run cd;env DISPLAY=:0 st", "", "open", 0
                      
                      1. 3

                        Never thought about autohotkey/VBS, those snippets are actually quite useful, thanks for sharing!

                        I have not had any issues with the clipboard myself (other than regular command-line clipboard issues also present on Linux and macOS), and syncing it between X and a X server on Windows seems to work fine.

                      1. 4

                        I think the device(s) used are the problem here. Not Android.

                        1. 4

                          I only have so much time and money to buy and test so many devices.

                          1. 0

                            That’s why Android folks wanting a good experience often buy a flagship device. Whatever is the best gives them the best experience. I don’t know about the tablets but the Galaxies are steadily top in phones (esp hardware). Pixels were, too, but I haven’t seen one in a while. Maybe discontinued or something. Only gripe on Galaxy is the interface upgrade. Not sure if it’s that good or maybe I just didn’t get used to the change yet.

                            1. 1

                              It’s interesting though, because I don’t really like Galaxies at all due to what is running on them. I prefer to go for OnePlus or something similar. I guess it’s personal opinion after all.

                              1. 1

                                I don’t necessarily like everything on it. I ignore most of the stuff they bundle. I’m just saying the difference between what’s in the article and three of my phones are like different worlds.

                        1. 8

                          Behind paywall. Can’t read it.

                          1. 3

                            I just let my Medium membership lapse since I realized I wasn’t nearly getting $60/year worth out of it. This is the first paywall I hit.

                            1. 3

                              I don’t notice a paywall. How does it work?

                              1. 2

                                I think you get something like 5 free reads a month and then you get a “We notice you like reading, upgrade?” paywall.

                                1. 2

                                  Wow. Does any of that money go to the authors of the blog articles?

                                  1. 4

                                    I doubt it.

                              1. 6

                                This is amazing, thanks for sharing! I like that everything is linked/clickable.

                                I also came across this container cheat sheet a while back: open in Google Drive

                                1. 3

                                  Ah, that’s handy as well!

                                1. 10

                                  My conclusion, based on reviewing evidence from numerous large software projects using C and C++, is that we need to be migrating our industry to memory safe by default languages (such as Rust and Swift).

                                  I totally support this. C(++) is awesome for being so bare bones when working with low level stuff. But I feel software projects not needing such functionality could greatly benefit from safe languages.

                                  1. 15

                                    Could you elaborate on what you consider low-level stuff, where Rust, Ada, or other safe languages are not an option? You can compile Rust to STM32 microcontrollers with 20KB RAM and 64KB flash (with no_std), Rust has SIMD intrinsics for various platforms, etc.

                                    To me, the major reason to go for C or C++ is the ecosystems in which they are traditionally strong. gcc targets a lot of platforms. Many embedded toolchains are only available for C or C++. The best traditional GUI libraries are in C or C++ (e.g. Qt). And (obviously) a gazillion lines of existing code are in C or C++, from open source unix kernels to deeply proprietary systems that will be used and maintained for decades to come.

                                    Even though it may not be the (only) goal of the C++ standards committee, I see Modern C++ as a band-aid for maintaining C++-based systems that will be around for a long time, rather than a serious contender for modern, safe languages.

                                    1. 1

                                      Of course, ‘low level’ is very vague. I meant projects in which you want to use raw pointers and want to calculate with them, want to use CPU registers, want to have control over the produced asm, projects for very constrained platforms or obscure architectures, and so on. I do not necessarily mean other languages aren’t an option. I’m sure languages like Rust could replace a lot of C(++) code bases, even for these ‘low level’ things. In fact, I’d totally go for replacing such projects with a Rust variant if possible. But at the same time I can understand why some might choose to go with C(++).

                                      1. 9

                                        As far as I can tell as soon as your code is complex enough to make you want to move from C to C++ then you should probably reach for something safer. It’s hard to keep both the complexities of the invariants you need to manually ensure in your head while solving complex software problems.

                                        1. 4

                                          ATS is an option here. It allows type safe use of low level pointers, including addition, dereferencing, etc.

                                      2. 2

                                        C and C++ are completely different languages at completely different ends of a lot of spectrums. C is certainly bare bones, but C++ is not. What do you mean by ‘C(++)’?

                                      1. 1

                                        Agree. However, I’d argue you shouldn’t really wait on tests.

                                        Sure, when tweaking something run relevant tests locally. That’s usually just a small subset though. Then push to origin and let Continuous Integration take care of the rest to test in the background. Don’t wait on it, just take action if it suddenly fails due to your changes. When merging, enable auto merge once testing pipelines succeed. Don’t wait on it, don’t waste time, continue with a new feature.

                                        This is probably easier said than done, but I do believe there are quite a few projects and developers that could benefit from such a workflow. And I don’t want to use this as an argument to not-optimize your tests. But, when you do have to wait, be sure to use your time as efficiently as possible.

                                        1. 2

                                          Sure, mostly I don’t wait, but that brings on the second cost I talk about: context switching.

                                        1. 1

                                          Yes, I’m experiencing the same, and it’s tiring. I also tend to forget quite a few day-to-day things outside of development, when focusing on a project for a while.

                                          1. 1

                                            If you have an Android phone I highly recommend Habits for day-to-day things / developing good habits. You get tight control over the intervals for each habit (do dishes every 2nd day, make dinner 6 out of 7 days, etc) and visibility on how you’re doing over time.

                                          1. 56

                                            Fortunately, it’s also the best of currently available major browsers, so it’s not exactly a hardship.

                                            1. 22

                                              Not on macOS. Sure, it has a whole lot of great features, but it’s just slow. It feels slow, looks slow, and macOS keeps telling me that Firefox is using an excessive amount of power compared to other browsers.

                                              I guess it’s too much to ask for, for Firefox to feel like a good, native macOS app, like Safari, but the fact of the matter is that that is why I don’t use it as my main browser.

                                              1. 19

                                                I use it on Mac OS X and it doesn’t feel slow to me at all. And it’s not using an excessive amount of power that I can tell. Perhaps it’s the version of Firefox being used?

                                                1. 14

                                                  I’ve been sticking to Safari on MacOS because I’ve read that it really does make a difference to battery life (and I’m on a tiny Macbook so, you know, CPU cycles aren’t exactly plentiful). This thread just prompted me to check this for myself.

                                                  I opened a typical work mix of 10 tabs in both Safari 12.1 and Firefox 66.0.3 on MacOS 10.14.4: google calendar + drive, an open gdocs file, two jira tabs, this lobsters thread (well, it is lunchtime…) and the rest github. Time for some anec-data! :-)

                                                  After leaving both browsers to sit there for 10 mins while I made lunch (neither in the foreground, but both visible and showing a github page as the active tab), these are the numbers I eyeballed from Activity Monitor over about a 30 second period:

                                                  Firefox:

                                                  • Energy Impact: moving between 3.3 and 15.6, mostly about 4
                                                  • CPU: various processes using 0.3, 0.4, 0.5 up to one process using 1.4% CPU

                                                  Safari:

                                                  • Energy Impact: moving between 0.1 and 1.3, mostly around 0.5
                                                  • CPU: more processes than Firefox, but most using consistently 0.0 or 0.1% CPU

                                                  Firefox isn’t terrible but Safari seems really good at frequently getting itself down to a near-zero CPU usage state. I’ll be sticking with Safari, but if I was on a desktop mac instead I think I’d choose differently.

                                                  As an aside, Activity Monitor’s docs just say “a relative measure of the current energy consumption of the app (lower is better)”. Does anyone know what the “Energy Impact” column is actually measuring?

                                                  1. 5

                                                    I have had the same experience with Firefox/Chrome vs Safari.

                                                    I use Chrome for work because we’re a google shop and I tend to use Firefox any time my MacBook is docked.

                                                    But I’m traveling so much, I generally just use Safari these days.

                                                  2. 9

                                                    I use it on Mac OS X and it doesn’t feel slow to me at all.

                                                    If you can’t feel and see the difference in the experience between, say, Firefox and Safari, I don’t know what to tell you.

                                                    And it’s not using an excessive amount of power that I can tell. Perhaps it’s the version of Firefox being used?

                                                    Have you tried checking in the battery menubar-thing? There’s a “Using Significant Energy” list, and Firefox is always on it on my machine if it’s running. And that is both Firefox as well as Firefox Nightly, and it is so for all versions since a long time. My two installs are updated per today, and it’s the same experience.

                                                    1. 1

                                                      If you can’t feel and see the difference in the experience between, say, Firefox and Safari, I don’t know what to tell you.

                                                      There are plenty of people who can’t hear the difference between $300 and $2000 headphones. Yes, there are audiophile snobs who’re affronted by the mere idea of using anything but the most exquisitely constructed cans. But those people are a vanishingly small minority of headphone users. The rest of us are perfectly happy with bog standard headphones.

                                                      Apple likely had to descend through numerous circles of hell while hand-optimizing Safari for the single platform that it needs to run on. Will Firefox get there? Unlikely. Will most users even notice the difference? Most certainly not.

                                                      1. 6

                                                        They will when their battery life is abysmal and they start hearing that it’s because of Firefox.

                                                        I really want to see Firefox get more adoption, but there are a lot of techies with influence who will keep away because of this, myself included. It’s not a convenience thing - I just can’t get to mains power enough as it is in my job, so more drain is a major problem.

                                                        1. 1

                                                          They will when their battery life is abysmal and they start hearing that it’s because of Firefox.

                                                          The problem is that the feedback cycle isn’t even long enough for them to hear about this. The cause and effect are almost immediate depending on your display resolution settings with bug 1404042.

                                                          1. 3

                                                            This is what happens when you fight the platform.

                                                            1. 2

                                                              This is what happens when the platform is hostile to outsiders.

                                                              1. 8

                                                                See, I don’t see it that way. I see it as Mozilla deciding on an architecture for their software that renders that software definitely suboptimal on the Mac. It’s just a bad fit. I’m not claiming that Mozilla should have done things differently – they are welcome to allocate their resources as they see fit, and the Mac is most definitely a minority platform. There are many applications that run on the Macintosh that are not produced by Apple that don’t have these problems.

                                                                iOS is a different story, one where hostility to outsiders is a more reasonable reading of Apple’s stance.

                                                        2. 2

                                                          Now that I’m at work, I’m seeing what hjst is showing. This doesn’t bother me that much because I use the laptop at work more like a desktop (I keep it plugged in). But yes, I can see how Firefox might be a bit problematic to use on the Mac.

                                                        3. 1

                                                          I’ll have to check the laptop at work. At home I have a desktop Mac (okay, a Mac mini).

                                                        4. 4

                                                          There are known issues which are taking a long time to fix. Best example is if you change the display resolution on a retina Mac. You can almost see the battery icon drain away on my machine.

                                                          1. 3

                                                            I find it depends a lot on what FF is doing - usual browsing is fine, but certain apps like Google Docs or anything involving the webcam make it go crazy.

                                                            1. 20

                                                              Google sites, unsurprisingly if disappointingly, don’t work as well in Firefox as they do in Chrome. But that’s really on Google, not Mozilla.

                                                              1. 15

                                                                They used to actively break them - e.g. GMail would deliberately feed Firefox Android a barely-functional version of the site. https://bugzilla.mozilla.org/show_bug.cgi?id=668275 (The excuse was that Firefox didn’t implement some Google-specific CSS property, that had a version in the spec anyway.) They’ve stopped doing that - but Google’s actions go well beyond passively not-supporting Firefox.

                                                          2. 5

                                                            For me, it feels faster than Chrome on MacOS, but the reason I don’t use it is weird mouse scroll behavior (with Apple mouse). It differs too much from Chrome’s behavior. I don’t know how to debug it, how to compare, what the right behavior is (I suspect Chrome’s scrolling is non-standard and it dampens acceleration, while Firefox uses standard system scrolling). It just feels very frustrating, but in a subtle way: I become nervous after reading lots of pages (not right after the first page). I tried various mouse-related about:config settings but none of them had any effect (and it’s hard to evaluate results because differences are very subtle).

                                                            Maybe the answer is to use a standard mouse with a clicky scroll wheel, but I hate clicky scroll wheels. “Continuous” scrolling is one of the best input device improvements of recent times (however it would be better if it was a real wheel/trackball instead of a touch surface).

                                                            1. 1

                                                              Have you tried Nightly yet? I believe there are some great improvements made recently for this. It isn’t all fixed, but it has improved.

                                                              1. 3

                                                                I’m on Nightly right now, and it hasn’t improved for me at least.

                                                              2. -1

                                                                I think macOS disadvantages apps that compete with Apple products. That’s unfortunate though.

                                                                1. 7

                                                                  Any evidence for this statement?

                                                                  1. 9

                                                                    Do you have any proof?

                                                                    Anecdotally I use a lot of third-party apps that are a lot better than Apple’s contemporaries.

                                                                    I just think the truth is that Firefox hasn’t spent enough time on optimizing to each platform, and on macOS where feel and look is a huge deal, they simply fall through.

                                                                    1. 1

                                                                      The reports that Firefox has issues on macOS and Apple’s behaviour with iOS, for starters.

                                                                      1. 7

                                                                        Often the simplest solution is the correct one, meaning that it’s more likely that Firefox just hasn’t optimized for macOS properly. If you look at the bug reports on the bug tracker, this seems to be the case.

                                                                        Also if your theory were to be correct, why are other non-Apple browsers like Chromium not having these issues? Could it perhaps be that they have in fact optimized for macOS, or do you propose that Apple is artificially advantaging them?

                                                                        1. 13

                                                                          pcwalton hints on Twitter that the gains that e.g. Safari and WebKit have are through the usage of private APIs in macOS. You could probably use those APIs as well from Firefox, at the cost of doing tons of research on your own, while WebKit can just use them. (further down the thread, he hints at actually trying to bind to them)

                                                                          https://twitter.com/pcwalton/status/1068933432275681280

                                                                          1. 3

                                                                            That’s very interesting, and it’s probably a factor. However these are problems that Firefox has, not all third-party browsers. No Chromium-based browser has these issues, at least in my experience. Maybe it’s through private API that you can optimise a browser the most on macOS, but it doesn’t change the fact that Firefox is under-optimised on macOS, which is why it performs as it does.

                                                                            1. 8

                                                                              Point being: Chromium inherits optimisations from Apple’s work which Mozilla has to work hard to develop in a fashion working with their architecture. Yes, there’s something to be said about organisational priorities, but also about not being able to throw everyone at that problem.

                                                                              I’m really looking forward to webrender fixing a lot of those problems.

                                                                              1. 1

                                                                                And it’s a sad fact, because I’d love to use Firefox instead of Safari.

                                                                                1. 7

                                                                                  Sure, from a user’s perspective, all of that doesn’t matter.

                                                                                  Just wanted to say that this is hard and an uphill battle, not that people don’t care.

                                                                                  The Firefox team is well aware of those two contexts.

                                                                          2. 0

                                                                            It’s certainly possible. But at the very least Apple has little incentive to have Firefox work well on macOS. Chrom{e|ium} is so widely used, that Apple would hurt themselves if it didn’t work well on macOS.

                                                                            I’d be a bit surprised if Mozilla is really falling down on optimising Firefox on macOS. It’s not as if Mozilla is a one man operation with little money. But perhaps they decided to invest resources elsewhere.

                                                                      2. 1

                                                                        That’s true in cases where apps want you to pay for features (like YouTube not offering Picture-in-Picture since it’s a paid feature and Apple wants money for it to happen) but not true in the case of Firefox. Unfortunately, Firefox’s JavaScript engine is just slower and sucks up more CPU when compared to others.

                                                                    2. 7

                                                                      Yeah, I’ve switched between Firefox and Chrome every year or two since Chrome came out. I’ve been back on Firefox for about 2 years now and I don’t see myself going back to Chrome anytime soon. It’s just better.

                                                                      1. 3

                                                                        Vertical tabs or bust.

                                                                      1. 5

                                                                        I agree, and would even extend it for other kinds of content: how about parody or humor?

                                                                        1. 3

                                                                          Yes, to make it useful more than once a year.

                                                                        1. 1

                                                                          What about coreutils?
                                                                          https://github.com/coreutils/coreutils/tree/master/src

                                                                          I mean, the codebase isn’t small, but it consists of quite a few standalone applications that are super small. And they are highly impactful for sure!

                                                                          1. 2

                                                                            I found coreutils surprisingly easy to hack on, when I wanted to work around Emacs hanging at 100% CPU when given very long lines (which are quite common when running terminals inside Emacs). I wanted to pipe everything through the fold command to insert newlines every 1000 characters, but that didn’t work since it buffers the content (i.e. the current line, containing the shell prompt and the command we’re writing, wouldn’t appear until it reached 1000 characters). I ended up forking it, ripping out a bunch of optional stuff (including memory allocations) and hard-coding it to my use-case, and it works really well.

                                                                            I know it’s only a small, standalone utility (as you say), but I was surprised how trivial I found it; considering that I generally try to avoid touching C, and have heard horror stories about GNU’s coding conventions, build system, etc.

                                                                          1. 5

                                                                            I think Wikipedia should do this on all European pages, such as the Dutch one.

                                                                            1. 2

                                                                              Czech and Slovak wikis have joined as well.

                                                                            1. 3

                                                                              Would you also categorize command-line tooling under this tag, or just the actual shells?

                                                                              1. 2

                                                                                I was also thinking of tooling - hence the zsh-utils example. Similar to a programming language tag - updates for the language and anything written in that language could fall under the tag. This would also avoid separate tags for bash, zsh, posix shell etc, because of how similar they are overall.

                                                                                1. 2

                                                                                  It might be worth it just to have a tooling tag.

                                                                                  I could make a much better case for that, though the concern is that it’d become a dumping ground for product advertising.

                                                                                  1. 3

                                                                                    I think the name tooling might be too broad for what I was imagining. Since you could easily make the case that something like docker should be included under tooling because it’s dev tooling.

                                                                                    It’s also a bit farther from my interest in shell scripting, which is a big part of the reason for my tag proposal.

                                                                              1. 10

                                                                                Cool, this is how images should be made!

                                                                                At work we even go a little further. We strip unnecessary symbols from binaries and use extreme compression on files using upx. I believe we’re hitting the 3MB mark. We define a non-root user and disable as many capabilities as possible to make things even more constrained and secure.

                                                                                1. 15

                                                                                  The symbols are unnecessary right up to the point that your program crashes and you’d like to know why.

                                                                                  1. 7

                                                                                    You can still keep the ELF symbols as separate files outside of the image, right? Similar to how dbg packages work with package managers.

                                                                                    1. 3

                                                                                      True. However, for our use cases this tradeoff is fine. We consider nginx to be stable enough, and haven’t had any crashes yet. The container will automatically restart if it does, and if we do need to debug a repeating crash we switch to a version with symbols.

                                                                                      1. 12

                                                                                        Which may or may not have the same problem…

                                                                                        1. 5

                                                                                          But isn’t it more fun to just watch people discover this on their own?

                                                                                    2. 3

                                                                                      Thanks for the kind words!

                                                                                      That’s maybe too far of a stretch, but it’s not a bad idea.

                                                                                      Feel free to check out my lighttpd and dnsmasq images, too.

                                                                                      I’m in the works of doing a haproxy image and writing a blog post about my process for building tiny (IMO, correct) images like this one.

                                                                                      1. 1

                                                                                        If you want small and secure, check out Lwan. It might fit one of your use-cases. It’s supposed to be useful from embedded to servers.

                                                                                        1. 1

                                                                                          I’ve heard wonders about Lwan, but I haven’t had the time to try it out.

                                                                                      2. 2

                                                                                        I tried to build OP’s container and it gave errors copying rootfs (I think it has a build/CI process that isn’t in the repo).

                                                                                        So I hacked it up to always use musl, strip the binary, and upx it. I verified that it builds with -fPIC to produce Position-Independent Code. The final container size is 3.2MB and it builds easily.

                                                                                        https://github.com/sean-public/nginx-tiny

                                                                                        1. 1

                                                                                          OP here, you shouldn’t have any issues building the image.

                                                                                          I think I know the issue you are running into. Try with the following:

                                                                                          1. clone repo, cd into it
                                                                                          2. run docker build -t nginx:glibc -f glibc/Dockerfile .

                                                                                          Replace with musl for musl-based image

                                                                                      1. 5

                                                                                        I trust Mozilla so I will take them at their word that the file is being encrypted end-to-end. (And I know I could go read the code.) But can there be a way for a lay user to see that a file is actually encrypted? A user can compare a visual hash of the entire contents of the file. But how can they know it’s strong encryption? Perhaps we need to move the E2E support to the browser or the OS.

                                                                                        1. 19

                                                                                          I can confirm that they do (as I’ve been reversing it to build ffsend). The file content, along with additional metadata is encrypted on the client. The hash part of a share URL contains the secret required to decrypt a file, and is thus never sent to the remote server. They’re currently using 128-bit AES-GCM along with some derived keys using HKDF SHA-256, as described here, so decide for yourself.
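
The key handling described in the comment above, as an added example that is not part of the thread and is not Send's or ffsend's code: the secret stays in the URL fragment, which never enters the request target, and HKDF-SHA256 (RFC 5869) turns it into separate 128-bit keys. The share URL, the two labels and the empty salt are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it to `length` bytes."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output is too long for HKDF-SHA256")
    # Extract: an absent salt is defined as HASH_LEN zero bytes.
    prk = hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()
    # Expand: T(n) = HMAC(PRK, T(n-1) || info || n), concatenated and truncated.
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def split_share_url(url: str) -> tuple:
    """Return (request target sent to the server, fragment kept by the client)."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target, parts.fragment


def derive_keys(secret: bytes) -> dict:
    """Derive independent 128-bit keys from one secret (labels are assumptions)."""
    labels = ("example-file-key", "example-metadata-key")
    return {label: hkdf_sha256(secret, b"", label.encode(), 16) for label in labels}


if __name__ == "__main__":
    # Constructed share link: host, path and secret are made up for this example.
    url = "https://send.example/download/abc123#00112233445566778899aabbccddeeff"
    target, fragment = split_share_url(url)
    print("server sees:", target)
    for label, key in derive_keys(bytes.fromhex(fragment)).items():
        print(label, key.hex())
```
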

                                                                                          1. 5

                                                                                            Cool, thanks for the info! I never doubted that, but I’m just thinking out loud about ways we can make this obvious to non-technical users (something like the green lock in the URL bar.)

                                                                                            1. 4

                                                                                              It’s actually really funny how close this is to a project I wrote on a weekend a few years back at my first security company. The main difference was mine was focused on text oriented blobs instead of files, so I didn’t do metadata: https://blacknote.aerstone.com/

                                                                                              I also used NaCL instead of relying on AES-GCM. My testing also made me hyper skeptical about JavaScript random number generation, to this day I’m not certain how to solve that problem and still highly suggest that people steer clear of JavaScript for high entropy needs.

                                                                                              1. 4

                                                                                                Any idea why it’s 128-bit? I thought FF had 256-bit.

                                                                                                1. 3

                                                                                                  I think this (and the following comments) answer it: mozilla/send/issues/86

                                                                                                  1. 4

                                                                                                    That’s a weak argument. Looking at big picture, though, the kind of folks that will be able to break the crypto can already afford 0-days from brokers to hack those Firefox users. So, probably not that important.

                                                                                                    1. 3

                                                                                                      It’s a horrible argument. There is very little difference to the developers to choose the stronger ciphers, especially since it is using the client for encryption. When I did this I just used NaCL and stuck to actually ya know…. listening to cryptographers. I really don’t understand why you wouldn’t select the more forwardly secure option.

                                                                                                      1. 2

                                                                                                        The only times it makes sense to go weaker by default are legacy (no choice) and resource-constrained microcontrollers (also no choice). This shit is running on desktops that routinely do 256-bit crypto. No excuse.

                                                                                                        They so need to remember other developers might imitate what popular projects do. Gotta set a good example with good defaults.

                                                                                            1. 3

                                                                                              I feel like I’ve been using this for at least a year, is it really actually new? Or did it just go from open beta to stable release?

                                                                                              1. 2

                                                                                                The user experience is the same. The internals have changed.