1. 39

    As (former) application author I find it very hard to sympathize with distro packagers if their opinions and the mentioned patches they make out of them continue to be responsible for a good chunk of bugreports that cannot be reproduced outside of their distro. Why should I cater to the whims of multiple Linux distros, what do I get out of putting more work into the product I already provide for free? Imagine Apple app store, on top of placing random restrictions on application submissions, added random patches to your application and is not sufficiently careful about which of them break the end user experience. That is what upstream maintainers have to deal with, and they don’t even get paid for it.

    See also Linus on static linking and distro packaging.

    Keep in mind that 1) this is literally only a problem on Linux distros or other third-parties repackaging applications and imposing their opinions on everybody 2) the actual context of this blogpost is that the author is mad at Python packages using Rust dylibs, it seems his sense of entitlement has not significantly improved since then.

    1. 15

      Ideally you don’t need to do anything except not make distro maintainer’s lifes harder.

      If you absolutely want to provide your own binaries directly to endusers, as of 2020 there are things like Docker images and AppImage now so you can bundle what you need at this level.

      So while we don’t have Linus dive tool in Void Linux yet, it looks easy to package and once that is done, the maintainers will take care to provide the newest version to the users, taking off work from you.

      We also generally only try to patch build issues and security fixes that did not make it into a release yet. So often, users of our binary packages get fixed versions quicker than upstream.

      1. 6

        Ideally you don’t need to do anything except not make distro maintainer’s lifes harder.

        I think the point of cognitive dissonance here is that what distro maintainers want often makes application developer’s lives harder. Dynamic linking doesn’t work well for many application developers, because libraries break even when they don’t change “major” versions: that’s just a fact of life. No software development process is perfect, and the application developer can’t reasonably test against every different patch that every different distribution applies to every different library. Being able to just drop a binary onto a machine and be confident it’ll work the same on that machine as it does on your own is a selling point of languages like Go and Rust.

        And if you want to change the libraries used for these languages it’s not exactly hard. Just change the go.mod or Cargo.toml to point to the library you want it to use, rather than the library it’s currently using, and rebuild.

        If you absolutely want to provide your own binaries directly to endusers, as of 2020 there are things like Docker images and AppImage now so you can bundle what you need at this level.

        Docker and co are worse for security than static linking. Packaging as a Docker container incurs all of the downsides of static linking, and also all of the downsides of any outdated packages in the image. Static linking only distributes the libraries you need: containers distribute effectively an entire OS minus the kernel (and also the libraries you need).

        Docker as a solution only makes sense if application developers want both dynamic linking and static linking; dynamic if you install it on the host, and effectively-static if you run it as a container. But the core issue is that many application developers do not want dynamic linking! If you do not want dynamic linking, static linking is better than using containers.

        1. 3

          I think the article confuses two separable things:

          • Bundling in the shipped product.
          • Provenance of inputs.

          The former is a problem in terms of computational resource, but not much else. If a program statically links its dependencies (or uses C++ header-only libraries, or whatever), then you need to redo at least some of the build every time there’s an update (and generally you redo the whole build because incremental builds after dependency updates are flaky). The FreeBSD project can rebuild the entire package collection (30,000+ packages) in under two days on a single machine, so in the era of cloud computing that’s a complete non-issue unless you’re running Gentoo on an old machine.

          The second is a much bigger problem. If there’s a vulnerability in libFoo, a distro bumps the version of libFoo. Anything that has libFoo as a build-time dependency is rebuilt. Security update fixed, we just burned some cycles doing the rebuild (though, in the case of static linking, possibly a lot fewer than we’d burn by doing dynamic linking on every machine that ran the program). If a program has vendored its dependency on libFoo, there’s no metadata conveniently available for the distribution that tells anyone that it needs to be rebuilt against a newer libFoo. It’s up to the program author to issue a security advisory, bump the library version, and so on. The distro will keep shipping the same library for ages without any knowledge.

          Things like Docker make this worse because they make it trivial to write custom things in the build that grab source from random places and don’t record the provenance in an auditable structure. If I have an OCI image, I have absolutely no idea what versions of any libraries I’m running. They may be patched by the person who built the container to avoid a bug that caused problems for a specific program and that patch may have introduced another vulnerability. They may be an old version from some repo. They may be the latest trunk version when the container was released.

        2. 5

          Securitywise Docker images are about as bad as static linking for the end user.

          1. 3

            Of course, but it’s easier on the entire supply chain in the 99.9% of cases there is no security problem.

            1. 8

              99.9%? do you mean 40%?

              https://www.techrepublic.com/article/docker-containers-are-filled-with-vulnerabilities-heres-how-the-top-1000-fared/

              “Over 60 percent of the top Docker files held a vulnerability that had a Kenna Risk Score above 330; and over 20 percent of the files contained at least one vulnerability that would be considered high risk under Kenna’s scoring model,” […] the average (mean) number of CVEs per container is 176, with the median at 37.

            2. 3

              Yes, and static linking has a known solution for security updates: the distro rebuilds from updated source.

              1. 3

                Yes, but this needs to be done so often and so broadly, that at least Debian just seems to do regular rebuilds of nearly everything every few weeks or so in unstable and declares that software written in Go has no proper security support in at least Debian 10 Buster and security updates will only be provided via the minor stable updates approximately every two months or so. Still a PITA and hence q.e.d.

            3. 5

              If you absolutely want to provide your own binaries directly to endusers

              You say this like it’s a method of last resort, but this is overwhelmingly how software authors prefer to package and distribute their applications. There’s lots of good reasons for that, and it’s not going to change.

              1. 1

                Ideally you don’t need to do anything except not make distro maintainer’s lifes harder.

                I don’t even need to do that. Again, I am providing free work here.

                If you absolutely want to provide your own binaries directly to endusers, as of 2020 there are things like Docker images and AppImage now so you can bundle what you need at this level.

                I am fairly sure if people started to do that at scale, distro maintainers would complain all the same as they do about static linking.

                So while we don’t have Linus dive tool in Void Linux yet, it looks easy to package and once that is done, the maintainers will take care to provide the newest version to the users, taking off work from you.

                You’re wholly missing the point with this sentence. The fact that we’re in a position where we need to build applications per-distro is unsustainable. There is very little work in building a static binary on any other platform.

                We also generally only try to patch build issues and security fixes that did not make it into a release yet. So often, users of our binary packages get fixed versions quicker than upstream.

                Yes, and then the users report bugs regressions in a version that is not supposed to have the patch that introduced it. This is literally what I am complaining about.

              2. 6

                Keep in mind that 1) this is literally only a problem on Linux distros or other third-parties repackaging applications and imposing their opinions on everybody 2) the actual context of this blogpost is that the author is mad at Python packages using Rust dylibs, it seems his sense of entitlement has not significantly improved since then.

                How is this relevant to static linking and the discussion about its security issues?

                1. 3

                  Because it’s the reason this discussion continues to exist.

                  1. 3

                    So in summary people are still angry about cryptography and Rust and so they keep posting roundabout takes on it and people get onto news aggregator sites to hawk their positions but not work on a solution? I’m really not sure how that’s productive for anyone.

                    1. 1

                      I publish static binaries for my applications. Now I have a third party who wants to redistribute my free work but wants me to change the way I write software so their use of my free work gets easier (for a debatable value of easier).

                      Frankly I don’t see a problem I have to solve. My way works just fine on Windows.

                      1. 1

                        At this point it’s up to all the parties to coordinate. It’s obvious that each of the different parties have different perspectives, desires, and annoyances. If you put your shoes in any of the various parties (application developers, distro maintainers, application users, distro users), and there’s plenty on this thread and the HN version of this link, then I think you can see the many angles of frustration. I don’t think getting angry on message boards is going to settle this debate for anyone, unless you’re just looking to vent, which I’d rather not see on lobste.rs and instead on chatrooms.

                2. 5

                  This is only a problem on Linux. The fact that anybody can create a Linux distribution means that there are lot of systems that are largely similar and yet wholly incompatible with one another. Bazaar-style development has encouraged this pattern and, as such, we have a fragmentation of Linux that have just the tiniest little differences that make packaging an app near impossible to do in an universal fashion. Like it or not, cathedral-style systems do not suffer from this problem. You can count on the libc and loader to exist in a well known and understood location in FreeBSD, Windows, and MacOS. Sure, there are going to be differences in between major versions, but not so much as the difference between glibc and musl.

                  Having your own packaging system then frees you, the application developer, from having to wait on the over 9,000 different Linux distributions to update their packages so that you can use a new shiny version of a dependency in your app. Furthermore, there are plenty of commercial, proprietary, software packages that don’t need to move at the same cadence as their deployed Linux distribution. The app might update their dependencies more frequently while in active development or less frequently if the business can’t justify the cost of upgrading the source code.

                  I lay out that this situation is not unique to Linux, but rather, it exists because of Linux’s fragmentation… And secondarily as a result of the friction associated with walled-garden ecosystems like Apple.

                1. 12

                  We go through this every time some language designer comes up with a way of packaging and distributing: CPAN,pip,gems,npm,crates and it goes on and on. It seems like everybody likes re-inventing the distribution wheel.

                  Short version is, RPMs and debs have been around for 25 years, and, while they were originally designed with C in mind, they’re flexible enough to incorporate programs written in any language.

                  Yes, they have restrictions, and some of these restrictions are uncomfortable to people who do all their work in one or two particular languages, but distros like Debian and Redhat target people who just want to have a system that works out of the box, with programs written in many different languages co-existing in one reasonably coherent system. This is the problem distro packages like RPM and deb are trying to solve.

                  I appreciate that if I’m working in ruby, I usually have something like rvm, and bundler, and other utilities for keeping multiple ruby development environments in a sane way, and I appreciate that others like these tools for programming in their preferred environment.

                  However. If I just want to be able to install and use a script written in python (take for example, “Terminator” that is written in python), as a distro, I just want to be able to install the script, and ensure that it works cleanly with the rest of the system, I don’t care about setting up a special environment and managing dependencies, and all of the other baggage that these other distribution methods involve.

                  1. 18

                    Short version is, RPMs and debs have been around for 25 years, and, while they were originally designed with C in mind, they’re flexible enough to incorporate programs written in any language.

                    No, they don’t. They don’t even work well for C++, and have been hobbling the development of template libraries for over 10 years now because of how bad they are at handling API-stable-ABI-unstable libraries.

                    1. 2

                      What’s the problem? It’s been a while since I looked at these in Linux environments, but in the FreeBSD ports collections if you upgrade a C++ library, it bumps the PORTREVISION of all of the ports that depend on that library. The next time a package set is built, the packages use the new version of the library. The FreeBSD project explicitly moved away from building packages outside of package sets to address this kind of thing - it’s easy for things to get out of sync and computers are so fast now that building everything (30,000+ packages) on a single machine is feasible in about a day.

                    2. 10
                      • apt doesn’t handle multiple versions of the same library well. You can do it by renaming packages and an indirection layer of virtual packages, but this is tortured compared to auto deduplicating dependencies according to semver.

                      • People in charge of Linux package managers generally don’t care about Windows. There is nothing technically preventing RPM/deb from working on Windows, except that it “sucks” (for shits and giggles I’ve made cargo-deb Windows compatible, and it happily builds Windows-only deb packages).

                        npm has got a huge traction as a method of distributing dev tools, because it supports Windows as a first-class platform.

                      • RPM/deb as an archive format doesn’t make that much of a difference. Rust/Python/JS could use .deb as their format, after all it’s just a bunch of files together. The real issue is where do you publish to, and how other people find it. Linux distros set themselves as gatekeepers, which has its own value, but it’s very different from npm/cargo, etc. that have npm publish free for all with zero hassle, way easier than maintaining PPAs.

                      Having written all that, I realize it all comes to usability. The distinction between “it can do it” vs “it just works”.

                      1. 8

                        I never want to care about “the rest of the system”. I want to write complete programs, not shells of programs that work if slotted into the right system.

                        The more programs are like this, the less a system that works out of the box is a problem to think about.

                        1. 5

                          I’d argue the packaging system put up by Linux distros is actually not flexible, but rather the human sitting between applications to be packaged and the Linux distribution sinking hours into patching software to fit into the packaging system is. If rpm/deb were actually flexible we would not have these conflicts.

                          It seems like everybody likes re-inventing the distribution wheel.

                          I can say the same about the state of Linux distributions. It seems that I as an application developer can only rely on the featureset that is the intersection of all the distro’s package managers if I were to follow your advice.

                          1. 2

                            rpm/deb is fairly flexible. The reason you get these arguments is mostly because of distribution policies, not because deb/rpm can’t do it.

                            https://lwn.net/Articles/843313/rss

                            1. 2

                              I did not claim rpm/deb cannot deal with large bundled apps (that’s fairly trivial, curl|sh can do that too). I’m saying rpm/deb cannot deal with dependency management to the granularity npm/cargo can, and then not in an efficient manner. Kornel already replied with other examples where rpm/deb can’t do things.

                          2. 7

                            Then the distribution maintainers should solve that problem within the constraints of the language and ecosystem the tool was developed in. The language and ecosystem are not going to change nor should they. If RPMs and debs can handle the change then they should just package them and move on. Complaining that new ways of doing development and deployment make the job harder helps no one. Either the distributions will adapt or they will lose the next generation of software developed in these new paradigms.

                            1. 9

                              A CVE gets assigned some widely popular library. For fun we will say they have a monthly release cadence and the bug is published mid release cycle. Upstream is not done with their integration tests and don’t want the release just for a 3 line patch, even if the issue is severe. Lets say it’s used for around 30 binaries.

                              What do you do?

                              If the solution here is to do some wonkey patching of Cargo.toml and Cargo.lock across 30 packages to ensure they are pulling the correct patch (is it even possible), how does this scale?

                              This isn’t the question of distributions adapting to anything, this is “the next generation of software” digging a deep grave and ignoring almost 3 decades worth of experience. This isn’t me claiming we should pretend Rust is C and package all crates like individual packages. Nobody has the time for that. But pretending this isn’t a problem is deeply unsettling.

                              1. 10

                                I don’t know, it’s not my problem, but if it were, I guess I would try solving it rather than trying to wedge everything into this old C paradigm.

                                1. 4

                                  Not having a solution doesn’t mean you can just paint an old solution as terrible.

                                  Lots of smart people are working on separating language ecosystems from system administration, and we have these problems. So now, what do we do?

                                2. 4

                                  Upstream is not done with their integration tests and don’t want the release just for a 3 line patch, even if the issue is severe.

                                  In the case of uncooperative and irresponsible upstreams, what Debian does is say “we will package this, but it is not covered by the security support that we provide for the rest of the OS”. They used to do this for webkit and node.

                                  What else can you do? At some point packaging implies cooperation.

                                  1. 3

                                    Cargo has multiple features for replacing dependencies. For individual packages you drop [patch.crates-io] (it works across the whole tree, so no need to patch deps-of-deps recursively). To do it at a distro scale, you can globally configure Cargo to use a local copy of the index instead of crates-io, and replace deps in your copy (it’s just a git repo with JSON, easy to modify).

                                    Binaries are built from lockfiles, so you can read them to know exactly what to rebuild. There are tools like cargo-audit that already deal with this.

                                    1. 1

                                      So there are then 30 patches to modify cargo. You would also need a secondary package repository to provide the patched cargo package? Does cargo build everything from source or would it require the patched packages to be built?

                                      1. 3

                                        You can tell Cargo to get code from a local directory. Distros already replace crates-io with their own packages, so they already have it all set up.

                                        Distros have managed to tame dozens of weird C build systems. Cargo is quite simple in comparison.

                                        1. 2

                                          Well, no. Most doesn’t. Just the two largest ones because of distro policies. But if you look at the raw numbers most distribution bundle everything vendored and does not provide this at all. I’m not even sure if Ubuntu follows the Debian guidelines?

                                          This is why I bring it up to begin with.

                                    2. 2

                                      I get it. Distro’s are downstream of everything. They get the sewage and the refuse and whatever else that results from trying to get hundreds if not thousands of different applications and libraries to work together and keep them patched appropriately. But that’s the job. If you don’t want that job then don’t work on a distro.

                                      In your particular example I would feel free to blacklist a project that doesn’t want to patch and test their code when it has a CVE. If the code is absolutely necessary and blacklisting it isn’t an option then patch it locally and move on. This isn’t substantially different from a terrible maintainers of a C application. Distributions have been carrying patches forward for libraries and applications for as long as I’ve been using distributions and longer.

                                      1. 7

                                        Back in the C days, it was considered basic etiquette to make sure your Makefile worked with DESTDIR properly.

                                        What happens now is simply Parkinson’s law in it’s finest. Flatpak, Snap and Docker included.

                                        It puzzles me that nobody is worried about our inability to maintain a coherent culture given the influx of programmers, but then again… Eternal September, right?

                                        Must be weird for old geezers to live through that the second time. I am far too young for that so I can’t tell.

                                        We need to negotiate a packaging standard that would not suck for most and then push it hard so that it gets adopted far and wide from Rust to ES. Funny times.

                                        I’m especially curious whether it can be done without effectively merging all distros into one. But hey, project maintainers seem to know the best how is their code supposed to be built and configured. Maybe it’s time.

                                        1. 3

                                          I am one of the old geezers and I’m fully on board with the new way of doing things. Let the software maintainers bear the burden of patching and securing their software when CVEs happen. In a way this could reduce the burden on distro packagers. Download or build the latest binaries and distribute that. If upstream won’t patch their stuff then warn the user and refer them to upstream. Yes this means packagers have to build more stuff. But we unlock a whole lot of benefits in the process. Less issues with shared libraries. More reliable software with these new tools.

                                        2. 4

                                          This isn’t substantially different from a terrible maintainers of a C application. Distributions have been carrying patches forward for libraries and applications for as long as I’ve been using distributions and longer.

                                          Previously we just needed to patch the shared library and move on. Now we suddenly need to care about what a number of upstreams vendor with complete disregard for what that implies.

                                          The comments reads as extremely unsympathetic to distributions. But why? This is a model Rust/Go/npm picked. This wasn’t decided by us, and you still need to deal with the issue regardless if there is a distribution involved or not. We are told “take this and deal with it”. Upstreams are not the one going to deal with user inquiries why XYZ isn’t fixed and what we are going to do about it. We are understaffed and given more problems to deal with.

                                          If you don’t want us to package the “next generation of software” say so… but users are going to disagree.

                                          1. 1

                                            I acknowledge the fact that you have to run cargo build more times than before. But that is the price you pay for packinging in a distro. If your users want the rust application then package it for them. Rust isn’t going to adapt for a whole host of really good reasons. And I as both a developer and someone who deploys some of these in production get a lot of benefit out of those reasons and as the primary user of the language would resist any such change.

                                            For the security issues if upstream won’t patch then remove them from the security policy and tell the user they need to take CVEs up with maintainer of the software. This isn’t hard and complaining about it gives no value to any end-user.

                                            1. 2

                                              Are we going to claim everything Rust touches to be unsupported? Seriously?

                                              I don’t think Rust is the C replacement the community thinks it is.

                                              1. 1

                                                If the distro needs something that Rust touches then they need to build the tooling to be able to package it. It’s more expensive to build it all but if that’s what you need to do then do that.

                                          2. 3

                                            But that’s the job. If you don’t want that job then don’t work on a distro.

                                            Note that Debian security team found the job so onerous that they decided to remove security support for all Go packages in Debian. See https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#golang-static-linking.

                                            1. 1

                                              This is a perfectly valid approach. If you can’t make your tooling do the job with that software then drop support for it.

                                              1. 2

                                                This works for Go, but does not work for Rust, because GNOME C libraries are starting to depend on Rust and distributions don’t want to drop support for GNOME.

                                                1. 1

                                                  Then I guess in the case of GNOME it is by definition not too onerous. It is not the case that you can’t package and ship updates for the software. It’s just harder and more complicated. But that’s why we write tooling. I don’t get to complain when my business wants a feature that requires me to write complicated hard code. I just role up my sleeves and start designing/typing. This is no different.

                                    1. 2

                                      As a user and software developer I am glad I don’t use Gentoo after reading this blog post. Complete lack of understanding of users and people writing the software he maintains.

                                      1. 3

                                        Do not believe that this attitude is constrained to Gentoo. Every Linux distro is pulling the same shit.

                                      1. 1

                                        The way the author describes assemblers as pure functions doesn’t take into account how assemblers have the side-effect of polluting their environment.

                                        I also wonder how one would model the fact that assemblers can then in turn be damaged by aliens. Would that count as un-defining the function at runtime, therefore mutating global state?

                                        1. 10

                                          fzy - not so bloated and written in C.

                                          1. 4

                                            Thanks for the pointer, it looks lean. Pardon my ignorance, but I’m not sure what “written in C” means as an advantage over fzf here - as a shell-level user of fzf which seems plenty fast enough for me, what does this imply for me?

                                            That said, icy makes a good point in reply to this, too, relating to the Unix philosophy.

                                            1. 2

                                              For one the binary is about 100x smaller..

                                              1. 8

                                                Not to be rude, but who cares? fzf is 2.3mb on my system, that’s basically nothing. In fzy’s readme under “Sorting”, fzf gives the same results as fzy, except for file over filter (admittedly yes, fzy is better on that one specific case). fzy claims to be faster but there are no benchmarks. fzf is already near instantaneous. fzf also has extended search syntax for exact match/inverse/prefix/suffix. What you call “bloat” others call “features”.

                                            2. 3

                                              +1 for fzy! It’s just enough. fzf does one too many things.

                                              1. 3

                                                Yeah there are many like this. skim, selecta are others. I found fzf to provide very responsive UI with extremely large input. Like, even if search takes a few seconds the UI still processes keystrokes. I can’t say the same about every simplified version out there. That said I haven’t tried fzy.

                                                1. 2

                                                  thanks for sharing this, I’ve effectively replaced fzf!

                                                1. 47

                                                  If you think pulling apt sources is telemetry then it means apt should send less data about you. You have the same problem with any mirror: Those cannot be trusted all that much and may retain any metadata. I know for sure I don’t really trust my ISP’s package mirror when it comes to privacy, it just happens to be very fast and reliable.

                                                  There is always a trust issue when unwanted software and gpg keys are installed secretly, which is the main issue

                                                  Not sure if I understand the issue correctly, but if adding Microsoft’s repo to apt requires installing a GPG key that is trusted for signing arbitrary packages even if installed from other repos then that’s for sure a problem with apt too.


                                                  Overall, can’t help but also roll my eyes on this. User complains that the image isn’t lightweight enough but clearly the stock image of RbPI is not sharing this kind of goal. Might as well complain that it doesn’t come with Alpine.

                                                  BTW this article adds nothing over the reddit thread. Not that I really sympathize with either.

                                                  1. 23

                                                    Unless there is something special about Microsoft’s repository, this is pure prejudice against Microsoft.

                                                    Microsoft has thankfully provided their software in a convenient repository, and the RPi Foundation chose to include it by default – nothing wrong with that.

                                                    Software providers should be judged on merit … oh well, the prejudice is somewhat deserved, but my point is that recent merits should weigh more than old.

                                                    1. 8

                                                      You mean like the way Windows 10 keeps installing random applications (Cortana, Skype, Spotify) without my ever asking for them? Or the constant whack-a-mole required to turn off telemetry in their flagship operating system?

                                                      They remain as hostile to user control as ever, but have learned to be a data vacuum too.

                                                      1. 4

                                                        recent merits should weigh more than old.

                                                        Linking to a wikipedia article on EWMA doesn’t really justify what you said. Many of us are old enough to remember the bullshit, destructive behavior of Microsoft, and are (rightfully so..) highly skeptical at Microsoft’s abrupt change of heart.

                                                        Why do you feel that EWMA applies to human behavior, and and to corporate/business strategy?

                                                        1. 2

                                                          Exponential decay is simply the nullhypothesis of decay (including perception of the past, I argue), because it makes the least amount of assumptions. Adding constraints, such as human lifetime, is a liability.

                                                          For starters, if you argue that people have a long memory, and businesses don’t change overnight, you are merely arguing for a long half-life of those exponential weights on which to perceive the past – perfectly within the model!

                                                        2. 4

                                                          Microsoft has recent merits?

                                                        3. 20

                                                          Yeah, this really feels overblown. They really think MS would bother linking your apt updates to your IP for advertising purposes? And so it makes it “ironic” that Pi-Hole would use it? Mountains out of molehills.

                                                          1. 13

                                                            bother linking your apt updates to your IP for advertising purposes

                                                            Who knows what they will use it for, but yes, absolutely. All of this data will end up in their lake and be joinable by what ever additional data they have on hand. They also have all of your github activity. I’d personally love to have all the IP addresses of someone running a raspberry pi.

                                                            This absolutely should have been opt-in.

                                                            1. 13

                                                              IP addresses are a lot less useful than people would think; they’re often cycled, and the increased prevalence of carrier-grade NAT makes it pretty much impossible to single out individuals. For consumer addresses it’s very hard to have insight about whether an IP from yesterday refers to the same person as today. You can’t “just join” it.

                                                              At any rate, using this information in these ways would be illegal. Doesn’t mean they can’t do it, but if the NSA can’t keep their secret data collection a secret, then I don’t think Microsoft can either. Secret cabals are hard to keep a secret, especially for long periods of time.

                                                              These large corporations are also a lot less monolithic than people seem to assume; I wouldn’t be surprised if the people in charge of Windows have hardly ever (or never!) spoken to the people in charge of GitHub. It’s not like they have regular meetings filled with moustaches twirling, diabolical laughter, and hatching of evil plots.

                                                              1. 6

                                                                Both my IP address and my parents’ IP address rarely changes. I have been sshing from the outside for years without dynamic DNS. I don’t know what you mean by “it’s very hard to have insight,” but in practice IP addresses carry a lot of information that can be exploited. There is a tendency to overlook this and emphasize that the mapping is not perfect, as if this offers some degree of privacy protection. At best it offers some slight plausible deniability, but this does not prevent a data collector from having a very good guess of who an IP address corresponds to.

                                                                This is especially true in cases where the data sent from your IP address is relatively uncommon. How many people in a given household or neighborhood are likely to be running a Raspberry Pi with Raspberry Pi OS? The same issue arises with Signal which falsely claims to protect the identity of the message sender.

                                                                At any rate, using this information in these ways would be illegal. Doesn’t mean they can’t do it, but if the NSA can’t keep their secret data collection a secret, then I don’t think Microsoft can either. Secret cabals are hard to keep a secret, especially for long periods of time.

                                                                So… we know that Microsoft is handing user data to the NSA? Hardly reassuring.

                                                                Besides, the last window into the illegal NSA data collection operation (featuring Microsoft!) was in 2013. You don’t suppose there have been any developments since then? A sparse scattering of past leaks does not mean any current illegal program would’ve been leaked already.

                                                                It’s not like they have regular meetings filled with moustaches twirling, diabolical laughter, and hatching of evil plots.

                                                                If you’ve ever been to a coffee shop in Redmond, the moustache twirling is not as far fetched as one might think.

                                                                1. 7

                                                                  If you’ve ever been to a coffee shop in Redmond, the moustache twirling is not as far fetched as one might think.

                                                                  … What? I have been to several coffee shops in Redmond and have no idea what you’re talking about

                                                                  1. 1

                                                                    ohh yeah i forgot redmond is a clean shaven oasis

                                                            2. 9

                                                              IMHO in light of what they’ve done with the (immutable) telemetry, privacy dark patterns, and non-removable apps in Windows 10, which I consider user abuse, Microsoft has lost the right to the benefit of the doubt. I respect people who opt for a more charitable view, maybe I’m just cynical.

                                                              1. 3

                                                                The author entirely misses the real concern here with this move: by using microsoft repos, microsoft controls the software you install. You want to apt install some application? Well, you’re going to get that application as it is distributed by microsoft, and (the real kicker) potentially modified by microsoft. Things might be rosey now, but the opportunity here for microsoft is likely too great for them to “ignore” for long.

                                                            1. 5

                                                              I think I’m going to bookmark this, just in case I have to link to something next time someone challenges the ideas that tech workers are entirely tone deaf to the difference between features of software and political actions and consequences.

                                                              1. 15

                                                                The context here is that Daniel has been confronted by randos on Twitter just for using a proprietary platform (and nothing else) and this is the concern he’s trying to address.

                                                                Aside, I find people tone-deaf who offload corporate responsibility onto consumer choices. What exactly are you achieving by confronting a user of GitHub for GitHub’s choice to contract with the US govt?

                                                                1. 2

                                                                  Twitter is exactly as proprietary as Github is, and both companies are run by people with broadly similar political ideologies that inform what users they would be prone to deplatforming on political grounds. Personally, I think this implies that the case for not using Twitter is as good or better than the case for not using Github.

                                                                  No matter which service we use, there’s always a risk that they will turn off the light one day and not come back – or just change the rules or licensing terms that would prevent us from staying there. We cannot avoid that risk. But we can make sure that we’re smart about it, have a contingency plan or at least an idea of what to do when that day comes.

                                                                  This is actually a pretty reasonable point - any other entity’s platform can potentially deplatform you for any number of reasons, and everyone using such platforms should have such a contingency plan. Git hosting is actually unusually easy to switch to another provider, especially if you are taking steps to back up non-code related artifacts like bug reports, which it sounds like the curl project is doing. So using Github at the moment, while treating it as a piece of infrastructure that could in principle fail at any time, is a reasonable step to take.

                                                                  1. 2

                                                                    I agree that in an ideal world, neither Twitter nor GitHub would have anywhere approaching the level of structural power they presently enjoy.

                                                                2. 23

                                                                  You know what. Daniel has been writing Open Source software and giving it away for free for 20 years. There’s probably 2 million dollars worth of his time[1], that he has given away to you for free, only because of his personal political beliefs.

                                                                  But that’s OK, you go ahead and accuse him of being politically tone deaf and valuing other stuff over political considerations.

                                                                  [1] based on $100k/yr for 20 years, and that’s really lowballing it

                                                                  1. 9

                                                                    Thanks for validating my point? I’ll add it to the same bookmarks. I smashed out a pretty long followup but I don’t feel like bludgeoning lobste.rs with walls of text.

                                                                    tl;dw: the conflation of different value systems and the inability to talk across different value systems is the problem that both sides are equally poor at here. This topic doesn’t involve any conflict if both sides can talk across that gap, but that’s hard if you can’t or if you’re unconsciously or purposely conflating two or more values. TFA is tone-deaf about politics but I don’t make a judgement that that’s specifically good or bad; I’m sure we’d find in the same way that the original challenge was similarly unable/unwilling to bridge the value-gap and so failed equally (or worse, as the instigators) in whatever they were trying to communicate.

                                                                    It is necessary to be able to separate out different kinds of values and to be comfortable with questioning one type of value or effect in the world whilst recognising the benefit of another. You can understand and work on technical and economic value whilst choosing not to engage or not acknowledging your political or social value, or acknowledging that you have different ways of quantifying those values.

                                                                1. 17

                                                                  Looks like people more and more people are realising that the next usability iteration on terminal is seeing the result as you type. More applications keep implementing this workflow, probably shells will implement it in a general fashion in years to come.

                                                                  Some years ago I hacked together a small curses program that accepted a command with a placeholder and presented a prompt that would re-run the command with the new input on each krypress. I never published it because it was very hacky and quite dangerous if you’re not careful.

                                                                  1. 7

                                                                    This is very true for text editors as well IMO, which is why I use kakoune which shows the incremental results as you preform complex combinations of actions or select based on a regex.

                                                                    1. 3

                                                                      I think you can sort of do this with https://github.com/lotabout/skim#as-interactive-interface – perhaps even integrate that into the shell itself

                                                                      fzf may have a similar option

                                                                      the problem is with process spawning overhead in my opinion – doing it for every keystroke needs debouncing and at that point the UI starts to lag. If apps have native support for it they can do something more efficient

                                                                      1. 1

                                                                        Yes. It did essentially that that you linked. The UI doesn’t need to get unresponsive, text input is decoupled from external process execution.

                                                                        1. 2

                                                                          I don’t mean that the textbox itself becomes unresponsive but rather that the preview will have to endure the cost of process startup and starting from scratch and depending on the operation that is previewed that can be expensive. I have had this experience with the exact ag example… ag takes time to search things, but depending on previous preview it may not have to search the entire space again.

                                                                          st is very good at dampening the impact but things can be better with a different architecture

                                                                      2. 2

                                                                        I’m interested to see what kinds of things Jupyter might inspire in shells. The notebook workflow mostly fits tasks with requirements halfway between an interactive shell and an executable file (as in exploratory data analysis and the like), but the concept has already made its way over to the text editor side (in VSCode you can use a magic comment command to delineate and execute individual code cells within a file to view output while still editing, as if it were a notebook). I wonder what that might conceptually look like if taken to the shell side instead of the editor side.

                                                                        1. 0

                                                                          Aren’t you describing fish? :)

                                                                        1. 2

                                                                          I think there’s quite a difference between making the user feel empowered and actually empowering the user. Also users have different needs so empowerment (as well as feeling empowered) looks different for everybody else.

                                                                          My notion of empowerment is when the computer assists me in doing the task I set out to do, and then reliably so. I have nothing from an infinitely customizable UI and cutesy non-features when I can’t connect my bluetooth headphones or can’t get graphics to work reliably. That sounds like a false dichotomy, but my experience has been that software that allows you to turn less knobs works more reliably in its core functions. That also intuitively makes sense to me as a developer.

                                                                          Dark mode, to me, is also not in any way related to themeability, it’s an accessibility feature. The difference being that you only allow the level of customization that people with varying needs need to have to be able to read things better. Not as a means of self-expression.

                                                                          I feel the same level of nostalgia towards old computers the OP feels, but I did not feel more empowered back then than I do now, just perhaps more excited and entertained. I dare you to install any of those old things in a VM and attempt to use them. I have done this and the anticipated sense of empowerment fades very quickly. It’s a good way to validate your memory too.

                                                                          1. 1

                                                                            https://twitter.com/puffnfresh/status/1352203388759453697

                                                                            I use Haskell lens instead of jq, jq, xmlstarlet, etc. I’d love to see this with an integration to GHCi.

                                                                            1. 1

                                                                              For anybody curious, I had to look a bit but found https://github.com/danidiaz/lens-aeson-examples/blob/master/src/Data/Aeson/Lens/Examples.hs#L118

                                                                              Doesn’t seem too inviting for people not using Haskell in other areas… a case could be made that a person familiar with Python likely would use python -c for this too

                                                                            1. 13

                                                                              I’ve really enjoyed reading this blog over the last few weeks. He has a great perspective and explains the legal side well. Seems like there is an “Open Source Industrial Complex” where lots of money is made selling products and having conferences about “open source”.

                                                                              1. 5

                                                                                You’ll hear people who work in the field joke about a “compliance-industrial complex”. I think that started back in the early 2000s, after big companies started permitting use of open source in masse. Salespeople for nascent compliance solutions firms would fly around giving C-level officers heartaches about having to GPL all their software. My personal experience of those products, both for ongoing use and for one-off due diligence, is that they’re way too expensive, painful to integrate, just don’t work that well, and only make cost-benefit if you ingest a lot of FUD. Folks who disagree with me strongly on other issues, like new copyleft licenses, agree with me here.

                                                                                That said, I don’t mean to portray what’s going on in the open source branding war as any kind of conspiracy. There are lots of private conversations, private mailing lists, and marketing team meetings that don’t happen in the open. But the major symptoms of the changing of the corporate guard are all right out there to be seen online. That’s why I walked through the list of OSI sponsors, and linked to the posts from AWS and Elastic. It’s an open firefight, not any kind of cloak-and-dagger war.

                                                                                1. 7

                                                                                  Agreed. I’m getting increasingly tired by some communities’ (especially Rust’s) aggressive push of corporate-worship-licenses like BSD, MIT (and against even weak copy-left licenses like MPL).

                                                                                  1. 17

                                                                                    I’m saying this with all the respect in the world, but this comment is so far detached from my perception of license popularity that I wanna know from which niche of the tech industry this broad hatred of Rust comes from. To me it seems like one would have to hack exclusively on C/C++/Vala projects hosted on GNU Savannah, Sourcehut or a self-hosted GitLab instance to reach the conclusion that Rust is at the forefront of an anti-copyleft campaign. That to me would make the most sense because then Rust overlaps with the space you’re occupying in the community much more than, say, JavaScript or Python, where (in my perception) the absolute vast majority of OSS packages do not have a copyleft license already.

                                                                                    1. 3

                                                                                      Try shipping any remotely popular library on crates.io and people heckle you no end until they get to use your work under the license they prefer.

                                                                                      Lessons learned: I’ll never ship/relicense stuff under BSD/MIT/Apache ever again.

                                                                                      1. 2

                                                                                        this broad hatred of Rust comes from

                                                                                        Counter culture to the Rust Evangelism Strike Force: Rust evangelists were terribly obnoxious for a while, seems like things calmed down a bit, but the smell is still there.

                                                                                        1. 1

                                                                                          I think it’s beneath this site to make reactionary nonsense claims on purpose.

                                                                                          1. 2

                                                                                            How is criticizing a (subset) of a group for their method of communication “reactionary”?

                                                                                            1. 1

                                                                                              I’m saying soc’s claim about Rust pushing for liberal licensing is nonsense and probably reactionary to the Rust Evangelism Strike Force if @pgeorgi’s explanation is true. My point is that “counter culture” is not an excuse to make bad arguments or wrong claims.

                                                                                              1. 2

                                                                                                OK, that makes a bit more sense.

                                                                                            2. 2

                                                                                              reactionary nonsense claims

                                                                                              like talking about some “broad hatred of Rust” when projects left and right are adopting it? But the R.E.S.F. is really the first thing that comes to my mind when thinking of rust, and the type of advocacy that led to this nickname sparked some notable reactions…

                                                                                              (Not that I mind rust, I prefer to ignore it because it’s just not my cup of tea)

                                                                                        2. 7

                                                                                          I won’t belabor the point, but I’d suggest considering that some of those project/license decisions (e.g. OpenBSD and ISC) may be about maximizing the freedom (and minimizing the burden) shared directly to other individual developers at a human-to-human level. You may disagree with the ultimate outcome of those decisions in the real world, but it would be a wild misreading of the people behind my example as “corporate worshipping”.

                                                                                          As I have said before: “It’s important to remember that GNU is Not Unix, but OpenBSD userland is much more so. There isn’t much reason to protect future forks if you expect that future software should start from first principles instead of extending software until it becomes a monolith that must be protected from its own developers.”

                                                                                          Not all software need be released under the same license. Choosing the right license for the right project need not require inconsistency in your beliefs about software freedoms.

                                                                                          1. 6

                                                                                            The specific choice of MIT/Apache dual-licensing is so unprincipled and weird that it could only be the result of bending over backwards to accommodate a committee’s list of licensing requirements (it needs to compatible with the GPL versions 2 and 3, it needs a patent waver, it needs to fit existing corporate-approved license lists, etc). This is the result of Rust being a success at all costs language in exactly the way that Haskell isn’t. Things like corporate adoption and Windows support are some of those costs.

                                                                                            1. 3

                                                                                              I can’t speak directly to that example, as I don’t write Rust code and am not part of the Rust community, but it would not surprise me if there were different and conflicting agendas driving licensing decisions made by any committee.

                                                                                              I do write code in both Python and Go (languages sharing similar BSD-style licensing permissiveness), and my difficult relationship to the organization behind Go (who is also steward of its future) is not related in any way to how that language has been licensed to me. Those are a separate set of concerns and challenges outside the nature of the language’s license.

                                                                                      1. 28

                                                                                        Any of y’all want me to throw my hat in the ring?

                                                                                        Another time. :)

                                                                                        Okay fisch. I’ll try. If enough folks are interested I’ll shoot an app in.

                                                                                        1. 41

                                                                                          friendlysock is pretty much the only user who I have mentally flagged as consistently antagonistic and obnoxious, generally to the detriment of friendly and civil discussion. Other users may have particular topics which they feel sufficiently strongly about that they occasionally get a little antagonistic responding to criticism. With friendlysock, I see unnecessarily inflammatory comments often enough that I now mentally think, “ugh, I won’t bother reading this comment chain, it looks like another friendlysock spat”. If you can’t moderate your own comments, I don’t think you’d be good at moderating other peoples.

                                                                                          So if you really want our opinions, no, I do not want you to throw your hat into the ring.

                                                                                          1. 24

                                                                                            Strong disagree. friendlysock consistently engages in civil and friendly discussion, even when finding himself on the other side of an argument with someone whose political convictions make them feel they shouldn’t even attempt to be civil and friendly. I’ve never seen him make a comment I think could fairly be called unnecessarily inflammatory (and I say this as someone who has disagreed with him in the past). I generally enjoy seeing his posts and think he’s a good contributor to the site.

                                                                                            1. 31

                                                                                              You’re painting a picture where angersock is the civil one who just so happens to be constantly surrounded by people mad at him.

                                                                                              That’s wrong: angersock frequently accuses others or entire communities of bad faith and assumes a position of authority he doesn’t have when saying content doesn’t belong here (do I even need to link that one?).

                                                                                              I’ve rarely seen anybody argue with angersock twice. That alone should be pretty damning: The only constant in arguments involving angersock is he himself.

                                                                                              One can be inflammatory, incite flamewars and toxic communication while saving face by “remaining civil”. I’m not sure how much of it was intended in /u/Thra11’s post, but to me the point is that angersock remains civil, but brings incivility.

                                                                                              That is not to say that he doesn’t try his best, and I don’t think he does any of this on purpose (though I am really not sure). But I really don’t think he is cut out for this job, and given the comment ratio on his top-post vs the rest of the thread, I think he would be quite a controversial mod to say the least.

                                                                                              1. 14

                                                                                                It’s also missing the point: One can be inflammatory, incite flamewars and toxic communication while saving face by “remaining civil”.

                                                                                                That form of trolling is called Sea-lioning. http://wondermark.com/1k62/

                                                                                                1. 12

                                                                                                  I strongly disagree that how friendlysock has been showing up here can be seen as a form of sealioning.

                                                                                                  1. 7

                                                                                                    It still blows my mind that not only do some people think the woman rather than the sea-lion was the sympathetic character in that comic, but that there are enough such people for “sea-lioning” to have become a meme.

                                                                                                    1. 7

                                                                                                      I suspect it’s because many people use public social media for private conversations with their friends (as they would speak while walking about town). A stranger injecting themselves into the conversation to demand your time and attention (regardless of how righteous they are) is unwanted and weird.

                                                                                                      1. 5

                                                                                                        I was puzzled by that as well. There were enough of us that the author wrote a three paragraph clarification on the errata page. It’s possibly worth reading the explanation there. I’d summarize it as “the sea lion is a stand-in for people who behave a certain way and the woman’s objection is based on that behavior”.

                                                                                                        1. 5

                                                                                                          It’s pretty fitting, I think. Most people who cry “sea lioning” are just upset that someone responded to their public statements.

                                                                                                        2. 6

                                                                                                          I only have this comic as reference for as to what sealioning means, but the situation I see with angersock is not one where he actively seeks out people to engage in stupid arguments with. Maybe the term has evolved beyond that specific example, but then, without a new real definition, it has lost its meaning.

                                                                                                          1. 3

                                                                                                            The term has not lost its meaning, it has always been used to refer to people who make unwelcomed responses to publicly made statements.

                                                                                                        3. 9

                                                                                                          My own interactions with ‘sock have actually been pretty good, even in cases where we disagreed (as in this thread), and I don’t off-hand recall seeing and recent(ish) comments where I was “sjeez ’sock, relax mate”.

                                                                                                          But I also skip most Rust stories, as I don’t have a lot of interest in Rust (not at the moment anyway), and that link is indeed very much a “sjeez ’sock, relax mate” type of conversation.

                                                                                                          Point being: I guess people have a limited/biased view of ’sock (or any other members, for that matter) based on which stories they read and comment on. I certainly do, because I never would have seen that comment if you had not linked it here.

                                                                                                          1. 2

                                                                                                            do I even need to link that one?

                                                                                                            Would be helpful for people like me who aren’t as deep in the day-to-day of lobste.rs.

                                                                                                            1. 4

                                                                                                              It appears lobste.rs has some sort of retention on the index of comments per user, but here’s the most recent examples (not the best ones):

                                                                                                              All of those assume a place of authority and tell others how to use the site.

                                                                                                          2. 4

                                                                                                            In all fairness, this was not always the case (see also why I’m friendlysock instead of angersock), and even as recently as that Rust thread a few days ago I can still be more inflammatory than is helpful (less charitably: I can be a shithead). I’m no saint.

                                                                                                            1. 4

                                                                                                              and yet, gestures frantically below

                                                                                                            2. 6

                                                                                                              I would have to concur with this

                                                                                                            3. 34

                                                                                                              I personally would prefer not to have a moderator who thinks having Nazis participating is a fine idea (https://lobste.rs/s/nulfct/problem_with_code_conduct#c_dwa6s5). “You could exclude neither [Nazis nor the target of Nazis], and let them sort it out themselves elsewhere. Indeed, seeing each other in a context that doesn’t constantly reinforce their ideology might serve to build bridges and mellow both sides.”

                                                                                                              Seeing as my grandmother was almost murdered by Nazis the “mellowing both sides” bit did not go over well with me.

                                                                                                              1. 23

                                                                                                                It’s taken me quite some time to form a response.

                                                                                                                Here in Bloomington, IN, last year and the year prior, we had to deal with a real Nazi problem in our city. It was BAD. https://www.nytimes.com/2019/08/18/us/indiana-farmers-market-white-supremacy.html

                                                                                                                We have had a city govt run farmers market near the city square. It was on the largest walking/biking/running trail the city has.. It really was an amazing market.

                                                                                                                Then, the Unicorn Riot discord hack happened. Normally, this would oust Nazies and similar ideology. Except this time, it ousted a lady by the name of Sarah Dye, a farmowner and a stall vendor at the farmers market. It only outed the first name in the general vicinity and owned a farm - I was the one who found her account on Youtube by the name of Volkmom, and got her banned from the other 2 farmers market boards she was on. I forwarded the videos to their boards. They compared her voice to her damning videos.

                                                                                                                However, Bloomington IN doubled down, claiming 1st amendment concerns. Peaceful protests to Dye and the city were done… And the cops arrested the peaceful protesters, up to and including the president of low barrier homeless shelters - dressed as a purple unicorn ( https://www.thedailybeast.com/unicorns-arrested-at-protest-of-white-supremacy-at-bloomington-indianas-farmers-market ).

                                                                                                                And since Dye was being defended by the city, we had other undesirables show up. Other neonazies did. So did the 3 percent’ers. But when the 3%ers showed up, they were armed to the teeth, with AR15’s strapped to them, handguns (plural), zipties, and more. There was no question - they were not peaceful. They wanted to make a show of force that they were present to support their kind. Having them all show up shat on the very idea of the farmer’s market of inclusivity and coming together over shared food.

                                                                                                                We (public) finally solved this by deprecating the city run market, and a new market was made by a non-profit org. All the vendors showed up here, with exception of Sarah Dye and her stall. And unlike the city market, visible weaponry wasn’t allowed. And being in Indiana, people will pack heat; but it can at least be diminished.

                                                                                                                When nobody knew she was a Nazi and she didn’t do anything suspicious publicly, it was uneventful and peaceful. People just bought their groceries and all was good. The moment it was known, all the dregs, white nationalists, neonazies, kkk, and similar moved in to support “their kind”. We all literally had to abandon and regroup to get them to stop.

                                                                                                                If you don’t strongly deal with white nationalist groups, they’ll eat you out of house and home, run everyone off, and leave you with a shell of a community. I’ve seen it happen locally how it progresses in real life… and damned if I’ll let it happen to communities I’m currently a moderator of.

                                                                                                                1. 21

                                                                                                                  Forgive me for being dense, but my reading of this is that everything was quiet and peaceful until you went out of your way to dox a Nazi and get her kicked out, and then people decided to protest a lawful application of the 1st Amendment, and then counter-protests happened, and a bunch of ugliness occurred, and then after all this you got the original market back less one Nazi.

                                                                                                                  If this is an accurate reading (and it may not be!), how could one not conclude that everything was fine until you got a bee in your bonnet about somebody being a Nazi in their free time? How is everything that followed not your fault? That being the case…how is all of the following ugliness not the result of the efforts to purge a secret Nazi?

                                                                                                                  My desire to follow rules of topicality and civility is very much due to a desire to avoid that sort of protest-counterprotest stuff that harms communities more than it helps.

                                                                                                                  1. 23

                                                                                                                    how could one not conclude that everything was fine until you got a bee in your bonnet about somebody being a Nazi in their free time? How is everything that followed not your fault?

                                                                                                                    Who escalated to violence? The white nationalists did. Arguing that the exposers of secret Nazis are at fault is the argument employed by domestic abusers. “Woman, why do you make me beat you? Why do you do this to me?”

                                                                                                                    I know you’re arguing in good faith. But please do not try to justify violence from this crowd. They proved that they weren’t standing on moral high ground when they showed up with firearms and zipties.

                                                                                                                    The violent response from white nationalists to nonviolent protests should prove just how much of a charade their pearl-clutching about “muh free speech” really is.

                                                                                                                    1. 13

                                                                                                                      Forgive me for being dense, but my reading of this is that everything was quiet and peaceful until you went out of your way to dox a Nazi and get her kicked out, and then people decided to protest a lawful application of the 1st Amendment, and then counter-protests happened, and a bunch of ugliness occurred, and then after all this you got the original market back less on Nazi.

                                                                                                                      More specifically, there was already an anti-nazi campaign locally going against her with what I considered shaky proof. Many of us were very hesitant to engage in protests in person or online, without solid proof. I used my OSINT skills and was able to positively identify that it was her. Had it not been, I would have also said so. I’m not going to engage in a protest against an individual unless I’m damned sure I can prove it… And I proved it beyond a reasonable doubt.

                                                                                                                      Speaking to “and then people decided to protest a lawful application of the 1st Amendment, and then counter-protests happened”…

                                                                                                                      The problem was that the city was supporting the nazi speech AND show of force, while arresting peaceful (non-weapon-possessing) protestors. If the city had applied equal force to both sides, there would have been less of an issue with respect to 1FA.

                                                                                                                      If this is an accurate reading (and it may not be!), how could one not conclude that everything was fine until you got a bee in your bonnet about somebody being a Nazi in their free time? How is everything that followed not your fault? That being the case…how is all of the following ugliness not the result of the efforts to purge a secret Nazi?

                                                                                                                      You’re extrapolating and assuming when you don’t have the information.

                                                                                                                      My desire to follow rules of topicality and civility is very much due to a desire to avoid that sort of protest-counterprotest stuff that harms communities more than it helps.

                                                                                                                      This sort of civility is similar to Sea-lioning ( http://wondermark.com/1k62/ ).

                                                                                                                      Simply put, there is no civility when discussing people who want to murder people (and have done so) who differ only in race, skin color, or sexuality.

                                                                                                                      1. 20

                                                                                                                        Over and over and over again the same “both sides are at fault” message, Nazis and their victims. You simply cannot get yourself to say “let’s leave Nazis out”, huh.

                                                                                                                        1. 12

                                                                                                                          A few questions to make sure I understand your arguments:

                                                                                                                          • Assuming Lobste.rs vows to leave the Nazi out, who is going to decide which user is a Nazi? What is the definition of a Nazi?
                                                                                                                          • Since we’re bound to leave the Nazi out, how can we ensure that there won’t be a “leave the Y out”, where “Y” can be muslim from Saudi Arabia, Palantir developers (are they morally superior to Nazis?), Steven Pinker, Noam Chomsky and everyone else group X doesn’t like ?

                                                                                                                          ps. This discussion is not new by any means. It is a hard discussion, Karl Popper wrote extensively about this exact issue.

                                                                                                                          1. 8

                                                                                                                            Thank you for your observation.

                                                                                                                            For me, I can’t help but notice that even if we say “Okay let’s get rid of the Nazis”, we still have the question of who is a Nazi?

                                                                                                                            Form a practical standpoint: half of my country (US) voted for Trump, for whatever reason. That makes them some flavor of Republican–or worse. It is not a stretch (and is pretty common in various circles) to see any affiliation with Republicans as basically being a Nazi.

                                                                                                                            If half of Lobsters is from the US, this means that like a quarter of the users–based on back-of-the-envelope calculations–are Nazis and should be banned, for being Nazis.

                                                                                                                            If we just ban based on civility and topicality, we get to sidestep this issue.

                                                                                                                              1. 7

                                                                                                                                Any of the comments that article references are clearly outside decorum and, if posted here, would warrant administrative action.

                                                                                                                                1. 8

                                                                                                                                  Weev is a public figure. Weev was banned from gab. Weev could participate anonymously on lobsters. If weev wants to post here as weev, is that OK?

                                                                                                                                  1. 8

                                                                                                                                    Why wouldn’t it be, if he follows the rules and isn’t an asshole and contributes to on-topic discussion?

                                                                                                                                    It being weev, I imagine it would be less than an hour before he gets banned for saying stupid Nazi shit, but might as well give the fellow a chance.

                                                                                                                                    Our purpose here isn’t to punish people for actions in other communities; our purpose is to discuss technology.

                                                                                                                                    1. 5

                                                                                                                                      Weev is a public figure known for being a Nazi. For weev to be named as weev, it’s the same as https://lobste.rs/u/neonazi .

                                                                                                                                      Weev could go by a different name to participate in lobsters.

                                                                                                                                      1. 0

                                                                                                                                        Pretty sure there are many internet users with that nickname - most probably are unaware of some rando from US. To be honest I never heard about that guy until today. If he would have an account here I would judge him by what he writes here without crosschecking him across other sites. Who does that?!

                                                                                                                          2. 7

                                                                                                                            I won’t say it because I don’t believe it.

                                                                                                                            I would rather have a polite Nazi talking to me about technology than either a rude not-Nazi talking about technology or a polite not-Nazi talking about not-technology. As somebody mentioned above re: the Nazi variant of the Turing test…a sufficiently polite and topical Nazi is indistinguishable from a normal user, because they’re presumably not talking about Nazi shit and picking on Nazi victims.

                                                                                                                            If they are, the rules of civility and topicality give a handy way–and a more uniform way–of dealing with them. Even better, it gives a way of dealing with them that doesn’t give them the recourse of saying “Well you’re just doing this because you hate Nazis”, or “You’re just doing this because you support SJWs”, etc. I can point at the rules and say “You were off-topic and being uncivil. I don’t need to believe anything about Nazis or your relationship with that ideology to get rid of you.”

                                                                                                                            1. 22

                                                                                                                              Apparently you definition of civility includes telling me and other Jews to “mellow out” about people wanting to murder us. No thanks.

                                                                                                                              1. -9

                                                                                                                                Do you want to murder them, given that you (by my reading here) believe they are a clear and present danger to you and yours?

                                                                                                                                1. 17

                                                                                                                                  This is too far. There are diminishing returns now on this conversation and also both of you seem to have lost perspective that this post is about finding new moderators because pushcx might be under huge moderator load - you’re not helping. At the least, take this to a different venue or to personal chat to hash it out and bring back here any positive results.

                                                                                                                                  @itamarst You are talking about a subject which is understandably extremely sensitive and important to you. I think everyone can and would acknowledge the pain that you and your family must have gone through, and it is a failing of people in this conversation that that is not the first and most obvious point to be reiterated and repeated without fail. We all must acknowledge that terrible things have happened and that we want to take positive actions to prevent them happening again. That being said you are grossly not applying good faith in a situation where one person’s actions seem to have been offensive to you, and you are bringing a subject that is most definitely off topic for lobste.rs into this space. In relation to the former, you could have chosen a much more amicable way of bringing your point forward such as: Quoting friendlysock, explaining how you reacted to and felt when you read his comment and asking friendlysock to confirm if that was his intention and to clarify his meaning if it was. You definitely could have done that constructively inside the context which was friendlysock applying to be a moderator, so you could have phrased your question in a way relevant to this topic. No one would ever question your pain or your discomfort at seeing discussions of a group of people that brought great harm to your family and by extension pain to you; you do not have to not be angry, or not be in pain; but having the expectation that you can bring this up in this way in this space and the outcome be constructive is poor judgement: whether or not this was a motivation, you are not going to get personal resolution to political issues that cause you pain on lobste.rs.

                                                                                                                                  @friendlysock Whatever your position you are grossly failing to take a step back and acknowledge itamarst’s point where he is now, not where you think he should be or how you think his point relates to lobste.rs. If you keep doubling down on your position, itamarst has to double down on his. This does not seem like rocket science. Whether this is on topic or not, when someone has gone to the effort and made themselves vulnerable by presenting something they are angry or in pain about, particualrly if it’s such a HUGE subject as this with so much emotion attached, step 1 is acknowledge that and consider your position in relation to what they said. You have no idea how they feel and you can not begin to understand their position so if they are offering you this level of confrontation the most you can do is acknowledge and listen. You don’t have to take responsibility for having caused their pain - no one is calling you a nazi or accusing you of murdering people, but you do have to acknowledge that they felt a particular way after reading what you wrote, and if you want to, you can explore that, but with about 1000 times more sensitivity. Acknowledgement and reiteration of your fundamental positions as they relate to lobste.rs, or moderation on lobste.rs would perhaps be a way to frame your position, if you’re interested in doing that.

                                                                                                                                  1. 16

                                                                                                                                    “Good faith” only goes far when some spends so much effort explaining how important it is we include Nazis in our discussions. Especially when they want to be a mod.

                                                                                                                                    And really the whole point of the exercise is mod policy. As I’ve said before, in other discussions, you gotta pick a side. And the clearer friendlysock’s opinions, the clearer the choice pushcx has to make.

                                                                                                                                  2. 13

                                                                                                                                    Enough is enough. You are bullying itamarst with repeated emotional manipulation by way of a topic that has violently effected them, apparently so that you can get them to call for killings on a thread in which you nominated yourself to moderate the community in pursuit of civility. Are you done trolling yet?

                                                                                                                                    1. 6

                                                                                                                                      Do you want to murder them

                                                                                                                                      Come on, this is too much.

                                                                                                                                      1. 6

                                                                                                                                        No, of course not.

                                                                                                                            2. 32

                                                                                                                              no offence, but I find that “mellowing both sides” is a very legit goal. seeing as I’ve spent most of my life in a warzone, this goes very well with me. I’m not jewish, but I’ve had multiple run-ins with Neo-Nazis due to the way I look and where I escaped the war to. I used to hang out in this bar that was split in half, one of it was extreme leftists, and the other were staunch Nazis, some not even Neo. we were all fucked, so we just drank together in a weird peace of sorts. one of the Neo-Nazis never liked the fact that I started hanging out there, and was constantly hostile, and due to past experiences I had to often stay alert and make sure to be ready for whatever may come, but the beer was cheap mind you and the weed was good.

                                                                                                                              one of the Neo-Nazis in particular was this big guy who had it so clear in his eyes that he’d like to beat the shit out of me to prove his worth or whatever. I didn’t care as this was the least of my worries (at that time). one of the old men I used to hang out with was a programmer as well, so we’d get high and discuss all sorts of computer things. one day the convo came to Blender and 3D modelling, and all of a sudden this big guy who never wanted to exchange a word with me and rather punches came and started talking about Blender with love in his eyes instead of hate, after a couple of hours of that he threw the shittiest but unfortunately the most fitting line of all:

                                                                                                                              “your people aren’t too bad after all.”

                                                                                                                              we actually continued conversing after that and went through a couple of his traumas and why he ended up on the path he ended up on. I by no means expect everyone suffering from oppression to engage in such antics with their oppressors, but I’d rather the ones who can’t, let the one who can, do what they gotta do.

                                                                                                                              at the very least, you can try to not monopolize suffering under your own school of thought, and within only your own context.

                                                                                                                              this is probably my last comment here for a while, so feel free to PM if you wanna discuss this further. I am also very sad to hear about your grandma, it sucks to be almost murdered, it sucks to see people you love get murdered, and it sucks to see people you love commit murder, but that shit happens on all sides of aisle.

                                                                                                                              dehumanize one, and you dehumanize all, I find.

                                                                                                                              fucking hell, I need a beer.

                                                                                                                              1. 26

                                                                                                                                Thank you for sharing! I think that’s slightly missing the point, though:

                                                                                                                                1. The issue was with “both sides”. Why do I need to “mellow” if someone wants to murder me?
                                                                                                                                2. You are describing a truce backed by violence. And that might work for some, but the more common case is people not going into the bar at all, because they don’t feel safe.

                                                                                                                                I’m sure many Nazis have reasons for how they ended up where they are (though in the US a lot of them aren’t suffering at all, they’re upper middle class or rich). Maybe hanging out with Nazis will make them change their mind. I doubt it, but it’s possible.

                                                                                                                                But given the choice between making a safe environment for everyone, and letting some Nazis in in the vague hope they will learn something and lots of other people choosing not to participate, I’d rather choose the latter former.

                                                                                                                              2. 10

                                                                                                                                You know, I can sympathise with your viewpoint here, especially as a Muslim in the current global climate, but the problem I see is that this seems to be leading to such extreme echo chambers, that it makes people say things like what one user in the thread you linked said:

                                                                                                                                Feminists believe that women are as human and as entitled to agency and dignity as men are; MRAs believe that women are inferior to men and should be enslaved.

                                                                                                                                This is such an absurd statement to make without backing up and so patently false; the only way someone can believe this is by being fed a constant diet of lies people who really hate MRAs instead of just speaking to MRAs directly.

                                                                                                                                Suddenly, we’re not just banning Nazis who want to kill you and me and our entire family trees, we’re banning practicing religious people who aren’t willing to rewrite their holy scripture or reinterpret it to suit people’s desires, we’re banning critics of said religious folks who believe baby penises should remain intact — hey, they’re MRAs, right?; whatever, they must be islamophobes or antisemites either way — we’re banning critics of affirmative action, we’re banning all manner of people with valid and not so valid positions or arguments.

                                                                                                                                We don’t discriminate on truth, we discriminate on whether it’s comfortable or not to a select group of people. People who can’t discriminate between a belief like, “men and women have roughly equal average IQ, but the distribution is wider for men, so the ratio of men to women at Google is roughly what we’d expect if Google were selecting for such and such IQ” — responding with such inanity as “do the women at Google not belong there, then?” — and a belief like, “women are inferior to men and so should be enslaved to them”.

                                                                                                                                1. 20

                                                                                                                                  I think that if I were on a rocketry forum I’d be interested in hearing what Wernher von Braun had to say (not merely a Nazi, but an officer in the SS). If I were on a forum about filesystems, I’d be happy to talk to Hans Reiser. If I were given the opportunity, I think that Konrad Zuse (not a Nazi, but certainly a collaborator) would have interesting things to say about electromechanical computer design.

                                                                                                                                  I’d be more than happy to throw any of them out if they start going into politics or murder, but if they have useful expertise and follow the rules of decorum, they should have a place.

                                                                                                                                  1. 15

                                                                                                                                    Let me put it like this: if Hans Reiser would join a forum where Nina Reiser’s brother (or sister, close friend, etc.) would also participate, would you think it’s reasonable if they would object to this?

                                                                                                                                    It’s not hard to see how this would also extend to neo-Nazis (as in, literal neo-Nazis, who looked at the Holocaust and thought that all of that was just a spiffing good idea); would you enjoy interacting with someone who literally wants to kill you and everyone like you and worships an attempt to do exactly that? Are many people not a victim of these people’s actions just as much as Nina’s Reiser’s brother is? Would you happily discus webdesign best practices with the person running StormFront or some other neo-Nazi website?

                                                                                                                                    I’m not so sure if “it’s limited to just technical conversation” is really all that important, never mind that this is too limited of a view of Lobsters IMHO, as it’s a community centred around technical topics.

                                                                                                                                    For all we know Reiser or the StormFront maintainer are already participating on Lobsters anonymously. We can’t really prevent that because the only alternative would be to actively vet members. But if you know you’re talking to the StormFront webmaster then … yeah, I’d rather not.

                                                                                                                                    I’m not suggesting that we implement some sort of wrongthink policy or anything of the sort; you put forth the extreme scenarios so I’m replying to those, and in more realistic scenarios things tend to be some shade of grey. If someone on Twitter said “I don’t like people of religion/ethnicity/identity X” then that would probably be okay; as in, I won’t like them more for it, but I see no reason to ban them here for just that. But I do think all of this is a bit more complicated than you put forth.

                                                                                                                                    1. 18

                                                                                                                                      Would you happily discus webdesign best practices with the person running StormFront or some other neo-Nazi website?

                                                                                                                                      Let’s apply a variant of the Turing Test to this: if people from the interactions alone cannot tell whether they are made by a regular person or a Nazi, then the poster/commenter can be regarded as worthwhile talking to as any other normal person.

                                                                                                                                      1. 5

                                                                                                                                        Yes. Nobodies forced to use real names on lobsters. If someone posts anonymously, respect it. Don’t dox.

                                                                                                                                        It’s not the same if he/she uses their neo-Nazi name. Lobsters has no moral obligation to be known as the place where neo-Nazis hang out.

                                                                                                                                        1. 10

                                                                                                                                          Yeah I think there’s a bit of a straw man being thrown around in some of these discussions about being randomly chosen as the target of doxxing. It’s pretty easy to be anonymous on this website.

                                                                                                                                          To even be perceived as a member of a hate group on a site like this would require affirmative signaling to one’s peers that they hold hateful views towards other members of the community for their birth-given human characteristics, which seems like a good enough reason to remove such a user in the first place.

                                                                                                                                          1. 3

                                                                                                                                            Yes. Nobodies forced to use real names on lobsters. If someone posts anonymously, respect it. Don’t dox.

                                                                                                                                            Yes, I pretty much said as much later on: “We can’t really prevent that because the only alternative would be to actively vet members” (that this isn’t feasible isn’t stated explicitly, but it’s pretty clear to everyone that it’s not).

                                                                                                                                            I think both you and @ewintr have missed the point of my reply; this entire discussion is fairly hypothetical because of course no neo-Nazi is going to link to their StormFront account on their Lobsters profile (or Gab, or wherever these people hang out these days). I just wanted to point out why having known neo-Nazis on Lobsters is something that people would object to, and why some people would choose not to visit Lobsters if this were the case.

                                                                                                                                            1. 3

                                                                                                                                              No. You’re wrong. It won’t remain hypothetical. Look at how many people got caught from the 6th based on social media.

                                                                                                                                        2. 6

                                                                                                                                          would you think it’s reasonable if they would object to this

                                                                                                                                          I totally would understand why they might object to this. Then again, dude was put into prison and served his time. According to the law, he has received his punishment. Anything further is just extrajudicial retribution–understandable but not lawful.

                                                                                                                                          would you enjoy interacting with someone who literally wants to kill you and everyone like you and worships an attempt to do exactly that?

                                                                                                                                          If they were polite and solved my problem, sure. It’d be weird, but I’d rather have the help than not. The second they started going on about that other stuff, I’d report them cheerfully.

                                                                                                                                          For all we know Reiser or the StormFront maintainer are already participating on Lobsters anonymously.

                                                                                                                                          Exactly. For the dedicated opposition, this kneejerk intolerance serves no real obstacle–and can even be really useful as a leveraging point to disrupt a community. It’s like people have never played Among Us.

                                                                                                                                          but I see no reason to ban them here for just that.

                                                                                                                                          The problem is, several Lobsters I believe would be more than happy to do that, and would want it in a CoC. Further, where do you draw the line? How much Nazi is too Nazi? How little pedophilia is acceptable? I don’t want to make those calls–I’d rather focus on the (much simpler) tests of a) has this user treated other users respectfully in this space and b) has this user stayed on-topic. If followed, I believe those two rules are sufficient to guarantee a good time for everybody.

                                                                                                                                          But if you know you’re talking to the StormFront webmaster then … yeah, I’d rather not.

                                                                                                                                          As an aside, the world-wide experts in decentralization are about to all be, or keep company with, some really distasteful people. Ignoring their experience because they’re icky strikes me as a waste.

                                                                                                                                          1. 4

                                                                                                                                            The Reiser case is a bit more complicated, as I agree criminals should be given a second chance. However, it’s not unreasonable for victims of the crime to still harbour (strong) feelings of animosity; I don’t think that’s “extrajudicial retribution”. I don’t think that many people would happily chat with their sister’s murderer about filesystems after they served their time.

                                                                                                                                            At any rate, I only mentioned Reiser to illustrate the perpetrator/victim relationship, as it’s so clear in this case. I was tempted to leave that out entirely as it’s quite a different case from neo-Nazis.

                                                                                                                                            would you enjoy interacting with someone who literally wants to kill you and everyone like you and worships an attempt to do exactly that?

                                                                                                                                            If they were polite and solved my problem, sure. It’d be weird, but I’d rather have the help than not. The second they started going on about that other stuff, I’d report them cheerfully.

                                                                                                                                            Alright, fair enough. But it’s not hard to see how other people would make a different choice here.

                                                                                                                                            where do you draw the line? How much Nazi is too Nazi? How little pedophilia is acceptable?

                                                                                                                                            I don’t have clear answers to that; but this is a kind of reasoning I don’t really like. Maybe there’s a better name for this, but I like to call the “it’s hard fallacy”, which goes like: “it is hard to draw a line, therefore, we should not draw a line at all”.

                                                                                                                                            I’ve seen the same type of reasoning in conversations about civility. It can be really hard to draw a clear line about what is or isn’t acceptable, but that doesn’t mean we shouldn’t try at all. Clearly there should a line somewhere otherwise people replying with just “you’re a cunt” would be “acceptable”, and I think we can agree that it’s not. You can also see this fallacy in some other (political) topics.

                                                                                                                                            I’m not actually in favour of banning people for off-site behaviour unless it’s particularly egregious, such as active neo-Nazis, and even then I’d have to carefully look at the specific case at hand. In general I think the bar should be pretty high for this, but I do think there is a bar … somewhere.

                                                                                                                                            I mean, do you really expect black people or Jewish members to happily interact with people we happen to know are neo-Nazis or KKK members? If someone in your local soccer club is a great bloke and fun to hang out with, and then you discover he’s a Grand Hobbit Ghoul in the KKK (or whatever ridiculous ranks they have) then you would continue that relationship as-if nothing happened (and before you answer “yes I would”, would you expect everyone to do so, including your black teammates?)

                                                                                                                                        3. 16

                                                                                                                                          The problem, of course, is that then you lose all the people who don’t want to hang out with Nazis, or with people (like Hans Reiser) who murdered their wife.

                                                                                                                                          1. 25

                                                                                                                                            In an online forum for talking about X, I’d much rather have a room full of people who may be assholes elsewhere talking politely about X than I would a room full of people who might be lovely elsewhere being assholes in my forum because of something completely unrelated to X.

                                                                                                                                            1. 7

                                                                                                                                              Thank you for this succinct explanation.

                                                                                                                                            2. 12

                                                                                                                                              On the internet, no one knows you’re a dog.

                                                                                                                                              Who’s to say what someone’s intentions are? If people start causing problems, by all means remove them. The alternative is doxxing everyone who joins lobsters or digging up dirt, is that somehow a better alternative?

                                                                                                                                              I get it, no one wants to share a board with Nazis or murderers. I don’t either. But this social equivalent of a preemptive strike has the potential to be way worse.

                                                                                                                                              1. 11

                                                                                                                                                A good rule of thumb, in programming and elsewhere, is to always consider at least three solutions to any problem. There are in fact other solutions beyond the false dichotomy “doxxing everyone” and “accepting everyone”, one common one being a Code of Conduct. Personally I would go with “you must pass this very bar to participate”.

                                                                                                                                                1. 7

                                                                                                                                                  Just because a comparison of two solutions are presented doesn’t mean you have to jump to “this is a false dichotomy.” Also, I thought we already had that with the lobsters rules? How does a code of conduct actually differ?

                                                                                                                                                  1. 15

                                                                                                                                                    Well, friendlysock apparently can compare Nazis as somehow equivalent to their victims (both sides apparently need to “mellow”). Most CoC would involve kicking him out for that.

                                                                                                                                                    1. 6

                                                                                                                                                      I don’t agree with the comparison and I don’t think friendlysock would be a good mod based on the fact that he could draw it. I just want to put this out there though - if there was a felon, Nazi or other unsavory person who could provide some insight into problems I’m trying to solve then I would still have an open ear so long as they stay on topic and don’t bring up their unrelated interests. Not doing so seems short sighted.

                                                                                                                                                      Most Codes of Conduct are pretty crappy btw. Ruby has a good one, nearly all of the others are too suffocating.

                                                                                                                                                      1. 3

                                                                                                                                                        I think both you and @itamarst may be missing something in how I wrote that–and that’s on me for articulating incorrectly.

                                                                                                                                                        My point was not to draw equivalence between those groups. My point was that everybody has some outgroup that they would prefer to see kicked out.

                                                                                                                                                      2. 4

                                                                                                                                                        Maybe you should resolve that with friendlysock, then. Not going to fan these flames anymore.

                                                                                                                                                  2. 9

                                                                                                                                                    How is it “pre-emptive strike” to just not want to hang out with people you don’t like?

                                                                                                                                                    This isn’t like…. the seat of government. This is a place to talk with people. Absolutely nobody is under any obligation to listen to people (short of mods basically “kicking people out”). There is zero moral requirement to listen to “varied viewpoints” or have an open mind.

                                                                                                                                                    EDIT: And pointing to a previous declaration of moderation wishes as “digging up dirt” in a conversation about mod applications is rich. Are we supposed to just treat every conversation in some weird vacuum even when it comes to something so obviously relevant? I know you’re saying this in good faith but how is that not fair game?

                                                                                                                                                    And like… you know what? These people that get doxxed or whatever? They are the ones that are vocal about their opinions. That’s how you even know that they are these kinds of people. If they kept their mouth shut we wouldn’t even be able to know!

                                                                                                                                                    I’m tired of being lectured about how I’m the bad person for not wanting to deal with people who not only are (IMO) morally bad people, but also don’t have the social IQ to keep it to themselves.

                                                                                                                                                    1. 10

                                                                                                                                                      These people that get doxxed or whatever? They are the ones that are vocal about their opinions.

                                                                                                                                                      Alright, where does the dirt digging stop, then? Everyone that’s somehow associated as commenting in this thread, supportive or otherwise? Because they may somehow have an agenda too?

                                                                                                                                                      Dude, you’re not the bad person. No one’s saying you are. I’m just done with communities that engage in shit slinging, doxxing, and public shaming rather than actual discussion in good faith.

                                                                                                                                                      Anyway, peace out, lobsters. N-gate was right about you.

                                                                                                                                                      1. 4

                                                                                                                                                        I had someone PM me with personal details about myself while using a randomized username on reddit a few years back because I said that I didn’t think Ohio State was very good that year. People dox and dig up dirt for varied reasons. The nazi thing is an extreme example of that, but it happens for all sorts of other strange reasons as well.

                                                                                                                                                        I no longer use Reddit because of that event, and now I try to stick to a minimal set of social sites (like this one) where it’s obvious who I am if you search my username or look at my profile.

                                                                                                                                                        I don’t think you should feel obligated to listen to someone’s viewpoint if it’s non-technical (or even if it is technical really), but in this forum, the less I know about people, the better. I like hearing opinions or thoughts on tech without knowing who they are. I can’t control how they think or feel otherwise.

                                                                                                                                                    2. 5

                                                                                                                                                      Are you asking for Lobsters (and its mods, etc.) to:

                                                                                                                                                      • Explicitly condemn Nazism, white supremacy, and murder
                                                                                                                                                      • Ban anyone who publicly espouses these ideas, on or off our site
                                                                                                                                                      1. 23

                                                                                                                                                        You write as if that would be some kind of absurd idea, when it seems quite sensible to me..?

                                                                                                                                                        1. 9

                                                                                                                                                          thank you for objecting to that.

                                                                                                                                                          reductio ad absurdem requires absurdity, and I’m not used to seeing “explicitly condemn Nazism” held forth as obviously absurd.

                                                                                                                                                          1. 5

                                                                                                                                                            It seems absurd to me because it’s kind of a given. Not every site needs to say “hey don’t murder people” for me to feel good about using it. It’s a general human sentiment that murder is bad. Explicitly stating it and only targeting those viewpoints makes me wonder why we aren’t explicitly denouncing every type of supremacy, nativism, genocide, rape, etc.

                                                                                                                                                            But I do think banning people who espouse any of those views (spoken or unspoken) on the site is not only warranted, but should also lead to a probationary period for the person who invited them.

                                                                                                                                                            1. 6

                                                                                                                                                              I don’t think we need to make a list of things we don’t agree with. But I do think that we should be clear that people who are known for their malicious activities (e.g. support for murder or racism) are not welcome here.

                                                                                                                                                            2. -1

                                                                                                                                                              Putting this bluntly, the second one is stupid and anyone who argues for it is stupid. On or off our site? What the hell. Maybe in person I could logic my way into thinking that it’s ok but online? Thousands of miles away with no immediate threat to my wellbeing?

                                                                                                                                                              Online there’s always going to be that one jerk who doxes someone else for wrong-think and it’ll start with this.

                                                                                                                                                              1. 12

                                                                                                                                                                Thank you for proving your commitment to the cause of rational discussion by calling me stupid.

                                                                                                                                                                The thing is, we want Lobsters to be a place where all people are welcome. If we allow known neo-nazis to hang out with us, then people that feel threatened by those neo-nazis won’t come here. Sure, it’s not a threat to them per se, but why would you want to spend your free time talking to people that literally want you dead?

                                                                                                                                                                Being a neo-nazi is a choice. Belonging to a minority group isn’t. We should give the neo-nazis the boot and welcome the members of minority groups.

                                                                                                                                                                1. 5

                                                                                                                                                                  why would you want to spend your free time talking to people that literally want you dead?

                                                                                                                                                                  Because they have information I want and are capable of staying on topic for the site I’m on. I do not care what they do anywhere else. It is incredibly vexing that people are making me defend the scum of humanity.

                                                                                                                                                                  I believe all people are welcome on lobste.rs if they’re not talking about tons of off-topic stuff and spewing out hate while they’re here.

                                                                                                                                                                  1. 13

                                                                                                                                                                    Do you also want information from people who, for example, would feel uncomfortable sharing a discussion forum with neo-nazis?

                                                                                                                                                                    This isn’t value-neutral, we have a choice to make: either we welcome the neo-nazis, or we welcome the people-who-don’t-want-to-talk-to-neo-nazis. I know who’s getting my vote.

                                                                                                                                                                    1. 5

                                                                                                                                                                      This isn’t value-neutral

                                                                                                                                                                      I reject that premise.

                                                                                                                                                                      The nazi stuff should not enter the flow of conversation for nearly any thread on lobste.rs. The only reason we’re discussing it now because this is a meta thread and it was brought up by itamarst. If he hadn’t then we’d not know and not care.

                                                                                                                                                                      So I think that if we actually talk about the things that we thought we were going to talk about when we were invited in the first place there won’t be any issues with your first sentence.

                                                                                                                                                                2. 7

                                                                                                                                                                  Please don’t call other users or standpoints stupid. It’s okay to disagree, it’s even better to providing reasoning, but name-calling never helps.

                                                                                                                                                            3. 6

                                                                                                                                                              You only lose the people who care more about Nazi status more than technology–and they’d doubtless be happier elsewhere, in a community that puts ideology and identity above knowledge and civility. I’ve made my peace with that.

                                                                                                                                                              I don’t think that you can fundamentally ensure that people always feel welcome, and there is no surer road to ruin than to cater to everybody’s exclusionary preferences. Everybody has a reason to hate Nazis, or furries, or Republicans, or women, or whatever–the only way a community grows and flourishes is by providing people the space and protocols to interact without requiring alignment on those things.

                                                                                                                                                              Don’t want to take up more space here on it, but am happy to continue discussing in DMs with whoever would like to.

                                                                                                                                                              1. 33

                                                                                                                                                                The fact that you seem to define “civility” as - roughly speaking - some sort of shallow politeness enabling us all to chum it up with nazis so long as we’re speaking about computers, rather than as good citizenship and strong community built on respect for one’s peers suggests to me that you’d be a terrible moderator.

                                                                                                                                                                1. 19

                                                                                                                                                                  Agreed, that kind of response seems like it comes from a place of privilege. As in, “this doesn’t concern me too much, what’s the big idea?”

                                                                                                                                                                  It’s been interesting to see convos here and elsewhere around accepting views that are rooted in hate but somehow we should all just suck it up because that’s “fair.” I’m often the only Black person in cis-White male dominated spaces so this is nothing new to me. Just…interesting to see this play out in the open for the first time.

                                                                                                                                                                  Confronted with the knowledge of one’s privilege blinding oneself to what the disenfranchised has known to be true for eons is fascinating to watch/read.

                                                                                                                                                                  1. 5

                                                                                                                                                                    I’ll politely point out that my view would extend, were the conversations civil and on-topic, to folks like Malcolm X or Newton or Seale–not just stuffy old white dudes.

                                                                                                                                                                    I think that, as John Perry Barlow observed, we here in cyberspace have the opportunity to transcend the strife we were all born into. Part of that means evaluating people based on their behaviour and not on what we think about their beliefs.

                                                                                                                                                                    Edit: fixed rather embarrassing misattribution.

                                                                                                                                                                    1. 11

                                                                                                                                                                      (Davos is a place in Switzerland. That piece was authored by John Perry Barlow. I recommend the movie Hypernormalisation, there’s a very interesting part featuring Barlow and the other technolibertarians, discussing the connections to the counter-culture movement in the 60s)

                                                                                                                                                                      I cannot help but find this sort of cyber-utopianism incredibly naïve. Things that happen on the internet can and do have effects on people in the real world. It’s been a long, long time since “just walk away from the screen, just close your eyes” was a genuine take to have.

                                                                                                                                                                      1. 4

                                                                                                                                                                        Thanks for catching that, still waking up.

                                                                                                                                                                        It’s a naive approach, but that’s kinda the point right? Like, should we not strive to live in that more ideal, simpler, better world?

                                                                                                                                                                  2. 2

                                                                                                                                                                    good citizenship

                                                                                                                                                                    What do you mean by this?

                                                                                                                                                                    I agree btw.

                                                                                                                                                                  3. 18

                                                                                                                                                                    Everybody has a reason to hate Nazis, or furries, or Republicans, or women, or whatever

                                                                                                                                                                    I think you may be lumping together several dissimilar attitudes here.

                                                                                                                                                                    I do not think lobste.rs is suffering from including “the wrong people” or anything like that. We probably do have some people with terrible opinions, but it doesn’t leak into our usual discussions.

                                                                                                                                                                    However, I do think it would be bad to have a mod to express the attitude that “some people hate Nazis, some people hate women. A pox on both their houses!”

                                                                                                                                                                    I say “express” because I am not saying what you really think is “hating women is equivalent to hating Nazis”. But a mod has to be careful.

                                                                                                                                                              2. 6

                                                                                                                                                                Why stop with Nazis? If anyone shows any Nazi propaganda, they should be out. But let’s extend it to all other groups that cause harm to others. Any member of US army should be gone, heck, they didn’t try to kill my grandma, they killed my relatives, which were civilians (and they are still killing others in my country due to depleted uranium that was used in bombings). Also all the members of tech companies that help these strikes (looking at you, Microsoft et al).

                                                                                                                                                                Obviously, I’m exaggerating here to show a point that if we only look at membership of a group to exclude someone, we might also start extending the groups, as various people can/are affected. Personally, I don’t care which group people belong to, as long as they are not a threat to my family and are trying to help (or are just plain neutral) — which I think plenty of people here are, and that’s the main reason I come to this site.

                                                                                                                                                                1. 8

                                                                                                                                                                  We did exactly this when a Palantir showed up to show a neat thing. It was one of the most shameful things I’ve seen in my time here.

                                                                                                                                                                  1. 5

                                                                                                                                                                    You are not exaggerating at all.

                                                                                                                                                                    1. 2

                                                                                                                                                                      This reads like the opposite-day version of “First they came…” by Martin Niemöller.

                                                                                                                                                                      1. 1

                                                                                                                                                                        That is a great poem that I have only heard so far paraphrased. Thanks for sharing! However, it has been a rough week for me, so I don’t get the “opposite-day version” part, could you elaborate?

                                                                                                                                                                    2. 4

                                                                                                                                                                      Circumstances under which I would be OK with an Actual Nazi participating (both conditions must hold):

                                                                                                                                                                      1. User does not reveal themselves to be a Nazi on the site, either by explicit statement or in the way they act, and
                                                                                                                                                                      2. User is not notoriously a Nazi externally to the site, either for having done something terrible or by making themselves a “public figure” wrt their viewpoints.

                                                                                                                                                                      If someone behaves themselves on the site, and their behavior on the site does not create distress for others, I don’t see why people should be encourage in shitstirring. (If it is inevitable that someone’s presence will create distress, regardless of the behavior of anyone on the site, I would strongly suggest they use a pseudonym.)

                                                                                                                                                                      “Nazi” is an unlikely and hyperbolic example, but I’ve seen people go and seek out damning information of one sort or another about a member of a community (including doxxing them), and then make it a thing. It wouldn’t have been a thing, and wouldn’t have caused stress to members of oppressed populations, if they didn’t do that! By digging, they’ve actually caused harm. So my rule would be that the notoriety has to originate externally or via direct actions on the site, or you just incentivize this ugly community antipattern.

                                                                                                                                                                      (Some of my ancestors were murdered by Actual Nazis or had to emigrate to avoid them, in case you need that for my opinion to be valid.)

                                                                                                                                                                      ((EDIT: I don’t want to be a mod, though.))

                                                                                                                                                                    3. 8

                                                                                                                                                                      Maybe don’t apply if you’re seeking to do if because you think it’s what people want you to do… Someone with that personality might be inclined to lose interest before their term is up if they think popular opinion is drifting away from them…

                                                                                                                                                                      1. 22

                                                                                                                                                                        My reasoning–and I’ve always held this position–is that anybody seeking such a position is either a lunatic, a tyrant, or both, and not to be trusted. Myself included.

                                                                                                                                                                        That said…

                                                                                                                                                                        Look, if we’re down to just one moderator, that’s a rough gig. That, plus the current state of the world, makes me worry for the site focus and discussion culture of Lobsters, and if I can help I’m happy to do so–and pushcx is welcome to shitcan and ban me (and will likely do so with great relish) at will should I fail in my duties.

                                                                                                                                                                        Asking for sufficient votes before appliying is me, in effect, getting a gauge of if the community would agree to abide. As we’ve seen in my country this year, the legitimacy of government ultimately stems from the consent of the governed.

                                                                                                                                                                        1. 11

                                                                                                                                                                          And as I’ve seen in my country (US) this year, it’s wise not to give power to folks who are in it for the attention :P

                                                                                                                                                                          1. 5

                                                                                                                                                                            I personally (and I have a decidedly average number of internet points) like the way your postings changed when your nick changed to friendly. That change shows an appreciation of your past and new styles that I would like to see in moderators.

                                                                                                                                                                          2. 2

                                                                                                                                                                            TBH asking to be upvoted seems like a bit of a conflict of interest with wanting to be a mod… as friendlysock said

                                                                                                                                                                          3. 7

                                                                                                                                                                            :(

                                                                                                                                                                          1. 3

                                                                                                                                                                            I’ve found dwm to be unworkable as patches always conflict with each other or cannot be applied to the latest dwm version, however I fail to see how this approach would not eventually converge towards a fork where everything is non-optional due to maintenance reasons.

                                                                                                                                                                            1. 3

                                                                                                                                                                              I don’t really see how that converging would be a problem. Why not have a ‘distribution’ or ‘flavor’ of dwm that has your favorite patches pre-built and ready for distribution?

                                                                                                                                                                              1. 2

                                                                                                                                                                                I don’t mess around with my WM all day. I have a couple patches I like, and have not changed my Wm setup in years.

                                                                                                                                                                              1. 8

                                                                                                                                                                                Elasticsearch belongs to its 1,573 contributors, who retain their copyright

                                                                                                                                                                                Point taken about not signing CLAs, but how many of those you think worked for Elastic? You can check the stats here… I don’t see much here that indicates elasticsearch was significantly community-run. And as another commenter already said, re-publishing code under a different license does not make the old code unavailable. It only applies to future patches, so to say.

                                                                                                                                                                                But if you choose to make it FOSS, that means something, and you have the moral obligation to uphold.

                                                                                                                                                                                I don’t think most people publishing open source software share the same ideals so please don’t hold them accountable to those. Quite honestly if FOSS mostly benefits existing monopolies I’d rather not have FOSS.

                                                                                                                                                                                1. 21

                                                                                                                                                                                  These statements annoy me:

                                                                                                                                                                                  Heck, if you ask some people, Rust is less secure than a GC’ed language for web apps if you use any crates that have unsafe code - which includes Actix, the most popular web framework, because unsafe code allows things like deferencing raw pointers.

                                                                                                                                                                                  I can’t help but think calling the unsafe keyword unsafe was a potential marketing error. Actually, within the rust community it helps to keep the portions of unsafe -marked code lower.

                                                                                                                                                                                  But many people short circuit to the conclusion that code with the unsafe keyword must be, indeed, unsafe. Maybe, they should think of it as expert or free code that relaxes some constraints (and by far not all, you have still more checks than in normal C++).

                                                                                                                                                                                  In terms of Rust unsafe, Java/ruby is full of unsafe code since some crucial safety guarantees in these languages are weaker. Obviously, there is a lot of unsafe rust code in the Rust std lib and especially in low level libraries. If this code is carefully vetted, this is all good. Rust allows you to focus extra attention on the small blocks of unsafe code.

                                                                                                                                                                                  Will I avoid unsafe code when I can? Yes. Should popular libraries make prudent use of unsafe if it results in large benefits? Absolutely. Is that dangerous? Not more than in other languages without these restrictions but yeah, it requires great care that you can avoid if you avoid unsafe.

                                                                                                                                                                                  1. 8

                                                                                                                                                                                    It’s an especially annoying considering that performance-critical parts can always be written in unsafe ways, GC’d language or not. A prime example is uwsgi for Python.

                                                                                                                                                                                    1. 5

                                                                                                                                                                                      @matklad Thank you for pointing out weak parts in my post. I wanted to post this as a separate reply to your reply but lobste.rs prevents me from multiple replies in short succession??

                                                                                                                                                                                      Having to mark certain snippets of code as unsafe is a great tool – that not all languages have. The less unsafe you use, the easier it is to achieve the security, of course, without being a genius or having lots of people helping out.

                                                                                                                                                                                      We agree that unsafe code should be avoided and carefully weight against advantages. I personally thing that well-reviewed libraries are a good place for unsafe code with huge performace benefits: crossbeam, …

                                                                                                                                                                                      To quote from async-std security:

                                                                                                                                                                                      Writing a highly perfomant async core library is a task involving some instances of unsafe code.

                                                                                                                                                                                      To clarify my remarks on the comparison to “GC’d languages”:

                                                                                                                                                                                      A) The quote compares safety of Rust to “GC’d” languages and says that Rust is maybe less unsafe because it uses “unsafe” code in its libraries.

                                                                                                                                                                                      I’d argue that there is no completely “safe” web app stack in any language that I am aware of. (and then you’d have to deal with compiler errors, operating systems, …)

                                                                                                                                                                                      If you look at NodeJS or Ruby on Rails, the interpreters and the HTTPS stacks contain lots of native code that isn’t verified by a smart compiler for safety guarantees. Correct me if my assumptions are wrong. I’d not be surprised if a Rust web app with actix contained a lot less “unsafe” code (in the Rust meaning) than an app built with these other stacks.

                                                                                                                                                                                      Of course, maybe more importantly, counting unsafe code lines is only a proxy argument because we cannot measure security: One line of unsafe code can destroy the safety of the whole application in crucial ways as can a compiler or std library bug. And a library like actix with six usages of unsafe could be completely secure. Or not.

                                                                                                                                                                                      B) I didn’t say what I meant with “crucial safety guarantees”, it was misleading. What I had in mind was more than only basic memory safety. The initial quote was about security. The argument was that Rust was less secure than “GC’d’ languages. I don’t believe that Rust code is usually less secure than that of GC’d languages and the expressive type system and guarantees that go beyond basic memory safety contribute to that.

                                                                                                                                                                                      I hope that makes sense. I wish I could make my point clearer in less words ;)

                                                                                                                                                                                      1. 5

                                                                                                                                                                                        Thanks for the clarification! I think we are in a broad agreement here. In a narrow sense, unsafe is a sharp tool, easily misused, and dangerous even in the hands of an expert. However, it does improve the overall system’s security.

                                                                                                                                                                                        I violently agree with your point about full-stack safety of web apps. On the one hand, Rust’s unsafe (unlike Python’s ctypes) is available to “application programmer”, and pulls in the less safe direction. On the other hand, safe Rust is available to “systems programmer” (which again is unlike ctypes), and this massively improves the safety of lower levels of the stack, which feels like a bigger deal.

                                                                                                                                                                                        I also agree that Rust’s other type-system niceties improve application level correctness (and hence security) in comparison to current crop of popular static or dynamic languages.

                                                                                                                                                                                        That being said, I expect in the web domain specifically, application-level security (csrf tokens, protection against SQL injection, not storing passwords in plain text, etc) is a relatively bigger issue than execution-environment security. And here I expect a lot depends on maturity. I am not an expert in web dev, and, at this point I think I’ll be able to develop overall more secure web app with Django, as that should be much more hardened against misuse by web-security-naive programmers.

                                                                                                                                                                                        1. 1

                                                                                                                                                                                          Interesting point about what is “available” to the “application programmer.” I guess the “available” is in terms of convenience and just writing unsafe somewhere is very convenient.

                                                                                                                                                                                          I, for myself, was never tempted to use unsafe but I neither wrote a low-level lib nor should I assume that I am the standard… I might be overcareful. And I can already shoot myself in the foot with misunderstanding atomic variables in safe code already ;)

                                                                                                                                                                                      2. 4

                                                                                                                                                                                        But many people short circuit to the conclusion that code with the unsafe keyword must be, indeed, unsafe.

                                                                                                                                                                                        The short-circuiting might be wrong, but I personally don’t disagree with the conclusion. Unsafe code is hard, even widely battle tested things like SmallVec get CVEs. So, in practice, rust with unsafe does have memory safety issues due to bugs (although it’s important to keep in mind that Rust CVE have a somewhat lower bar, as theoretical, and not only practical, unsoundness counts).

                                                                                                                                                                                        In terms of Rust unsafe, Java/ruby is full of unsafe code since some crucial safety guarantees in these languages are weaker.

                                                                                                                                                                                        I am not sure I exactly understand what you are saying here. I think I agree with the general idea, but I disagree with the specific wording. In the context of Rust, unqualified safe/unsafe refers to memory safety, and, in terms of memory safety, Rust, Ruby, and Java are roughly equivalent (roughly because there’s extensions/ffi/native runtime angle). Things like iterator invalidation are not covered by the safety terminology.

                                                                                                                                                                                        1. 9

                                                                                                                                                                                          Frankly, if we hadn’t had years of the Rust Evangelion Strike Force shitting on C and C++ for their use of unsafe pointers and whatnot, this might fly.

                                                                                                                                                                                          This charity wasn’t extended to references and some of the nice pointer types in C++ that solve memory safety issues, so why should we give unsafe a pass now?

                                                                                                                                                                                          Sorry your language doesn’t actually match its marketing.

                                                                                                                                                                                          1. 24

                                                                                                                                                                                            Your ax grinding is absurd. It is possible to entertain two different problems simultaneously:

                                                                                                                                                                                            • People get too excited about new technology like Rust and oversell its benefits by stating misleading things like “Rust can’t have memory safety bugs.” (I personally have been pretty consistent and vocal about clarifying this particular point.)
                                                                                                                                                                                            • People get too curmudgeony and undersell Rust’s benefits by pointing to existence of unsafe as proof positive that Rust is no better than [insert other language here].

                                                                                                                                                                                            Really, it’s not difficult to see how both of these problems can exist simultaneously. Just because the first exists doesn’t mean we can’t also talk about the second.

                                                                                                                                                                                            Your consistent anti-RESF ax grinding is really just as bad as RESF zealots, if not worse. And yours has been going on for years too.

                                                                                                                                                                                            1. 7

                                                                                                                                                                                              You didn’t say a damn thing when the user I replied to said “oh ho ho Rust is no less safe than Java or Ruby, if you just vet the code”. This is the same argument as neckbeards going “C is safe if you just write the code carefully!”. It’s pretty obvious when you give a pass to one but not the other.

                                                                                                                                                                                              Again, for context:

                                                                                                                                                                                              In terms of Rust unsafe, Java/ruby is full of unsafe code since some crucial safety guarantees in these languages are weaker. Obviously, there is a lot of unsafe rust code in the Rust std lib and especially in low level libraries. If this code is carefully vetted, this is all good.

                                                                                                                                                                                              Kettle meet pot, and you’re experienced enough (grats on ripgrep) that you should know when shilling is happening.

                                                                                                                                                                                              Anyways: my grinding has been consistent, for years, because the RESF has been obnoxious, for years.

                                                                                                                                                                                              I have observed no patterns of this behavior behind other C/C++ replacements. The D folks are underappreciated and chill. The Zig people don’t spam message boards and bug trackers asking to rewrite things in Zig. The Nim community, to my observation, don’t show up in every comment section to talk about how impossible is is to write safe software in C and how Nim is the answer, every time C shows up. Go people seemingly are too busy shipping useful utilities to even talk very much about Go being better than C–even at the height of Google’s shilling of it.

                                                                                                                                                                                              And every time this gets brought up, people like you show up to motte-and-bailey it and go “oh no no, who are those other ruffians, we’re just a kind and inclusive and loving community, oh we’d never say anything bad about another language, perish the thought!” This is a real problem, and just because y’all either can’t or won’t acknowledge it doesn’t mean the damage hasn’t been done to people outside your blessed tribe.

                                                                                                                                                                                              ~

                                                                                                                                                                                              The hell of it is, I think Rust is a neat language with some neat features. I think it has some cool things going for it, even though the Rust talking-point bingo is predictable (almost as much as Elixir bingo). I can list the ideas I like from it, and if my workflow looked like it needed Rust more than what I’m already doing, I’d be excited to switch.

                                                                                                                                                                                              I just don’t like a community whose evangelism seemingly requires pervasive and persistent propaganda and, at times, lying. It shows a lack of moral character and engineering rigor that makes me concerned for the long-term health of the ecosystem.

                                                                                                                                                                                              1. 11

                                                                                                                                                                                                You didn’t say a damn thing when the user I replied to said “oh ho ho Rust is no less safe than Java or Ruby, if you just vet the code”.

                                                                                                                                                                                                Because that isn’t a sensational thing to say? It’s nowhere near the same as the “neckbeard C programmer” you alluded to.

                                                                                                                                                                                                Kettle meet pot, and you’re experienced enough (grats on ripgrep) that you should know when shilling is happening.

                                                                                                                                                                                                Anyways: my grinding has been consistent, for years, because the RESF has been obnoxious, for years.

                                                                                                                                                                                                Is this some kind of joke? And you aren’t obnoxious? If that isn’t the kettle calling the pot black, then I don’t know what it is.

                                                                                                                                                                                                It’s one thing to respond and clarify things said by the “RESF” (and other claims made by zealots), but you go far beyond that and consistently engage in this meta flame war.

                                                                                                                                                                                                I have observed no patterns of this behavior behind other C/C++ replacements.

                                                                                                                                                                                                Well, what patterns of behavior have you observed among C/C++ programmers? The D, Nim and Zig communities aren’t nearly as big as Rust’s. And Go doesn’t really bring any new big ideas to the mainstream, so I really wouldn’t expect people to get that excited about it. That’s a feature of Go IMO. You also have immense pressure against talking about Go anyway, lest you be shouted down by PL zealots. (Zealots zealots everywhere, yet you seem to love to grind against one particular group in particular. How… obnoxious?)

                                                                                                                                                                                                And every time this gets brought up, people like you show up to motte-and-bailey it and go “oh no no, who are those other ruffians, we’re just a kind and inclusive and loving community, oh we’d never say anything bad about another language, perish the thought!” This is a real problem, and just because y’all either can’t or won’t acknowledge it doesn’t mean the damage hasn’t been done to people outside your blessed tribe.

                                                                                                                                                                                                Given that I’m a moderator in the Rust community and that I have shut down PL flame war discussions in official Rust spaces, it would be pretty weird of me to say that we never say anything bad about another language, now wouldn’t it?

                                                                                                                                                                                                And it has been acknowledged. That’s why I always do my best to clarify claims that are too bold. Do I get every single one? No. But then again, I don’t spend my time responding to every single one of your ridiculous comments either.

                                                                                                                                                                                                I just don’t like a community whose evangelism seemingly requires pervasive and persistent propaganda and, at times, lying. It shows a lack of moral character and engineering rigor that makes me concerned for the long-term health of the ecosystem.

                                                                                                                                                                                                This is a giant load of conspiracy-like bullshit. For someone who is so keen to call out bullshit and shilling, you sure do like to sling a lot of it yourself.

                                                                                                                                                                                                1. 8

                                                                                                                                                                                                  I’m not sure the community is actively funded to evangelize. Could it just be that using rust makes people want to share their enthusiasm?

                                                                                                                                                                                                  1. 2

                                                                                                                                                                                                    It’s certainly possible. Maybe people just really liked Java, C#, and Go too.

                                                                                                                                                                                                  2. 5

                                                                                                                                                                                                    You didn’t say a damn thing when the user I replied to said “oh ho ho Rust is no less safe than Java or Ruby, if you just vet the code”. This is the same argument as neckbeards going “C is safe if you just write the code carefully!”. It’s pretty obvious when you give a pass to one but not the other.

                                                                                                                                                                                                    I mean, yes? @burntsushi is a member of the Rust community, of course it’s going to bother him a bit more when someone like you is attacking that community vs someone in that community (politely!) making a debatable claim. That’s basic human social skills, not him being a hippocrite.

                                                                                                                                                                                                    Kettle meet pot, and you’re experienced enough (grats on ripgrep) that you should know when shilling is happening. […] And every time this gets brought up, people like you show up to motte-and-bailey it and go “oh no no, who are those other ruffians, we’re just a kind and inclusive and loving community, oh we’d never say anything bad about another language, perish the thought!” This is a real problem, and just because y’all either can’t or won’t acknowledge it doesn’t mean the damage hasn’t been done to people outside your blessed tribe.

                                                                                                                                                                                                    I know you’ve been trying to be less angersock and more friendlysock, so I’m just going to say this straight: you’re being an obnoxious jerk right now.

                                                                                                                                                                                                    1. 4

                                                                                                                                                                                                      Agreed. This is like mom and dad fighting. Both are respected members of the community. Obviously it’s okay to disagree, but I expect both to be examples of what it means to be a good citizen.

                                                                                                                                                                                                      I have a bias here. However my commentary should be applied broadly. Let’s demonstrate an eagerness to give each other the benefit of the doubt. Our community is known for being effective and compassionate regardless of disagreements. I’m committed to that because of lobster leaders like you have both demonstrated that it works here.

                                                                                                                                                                                                      Thank you both for being candid. I look forward to the constructive conversation this exchange will lead to.

                                                                                                                                                                                                      1. 2

                                                                                                                                                                                                        Yeah, again, sorry for setting a bad example. :(

                                                                                                                                                                                                      2. 2

                                                                                                                                                                                                        I know you’ve been trying to be less angersock and more friendlysock, so I’m just going to say this straight: you’re being an obnoxious jerk right now.

                                                                                                                                                                                                        Yeah, you got me there–fair point. I’ll go cool off.

                                                                                                                                                                                                  3. 1

                                                                                                                                                                                                    I totally agree. There’s more than a little bit of trying to have it both ways here, and observers are too smart for that.

                                                                                                                                                                                                  4. 1

                                                                                                                                                                                                    I can’t help but think calling the unsafe keyword unsafe was a potential marketing error.

                                                                                                                                                                                                    Isn’t there a comparison to unsafe in C#? The same arguments were made back in the early 2000s about that and it made for many tirades and comments.

                                                                                                                                                                                                    I think Rust user’s domain requirements might provide longevity to the use of unsafe, it has disappeared from discussions in the C# space. It’s to the point where many C# programmers would give you a puzzled look if you mentioned unsafe existed.

                                                                                                                                                                                                  1. 4

                                                                                                                                                                                                    That is kind of interesting, but not in the way I expected. Like the author, I can only speculate, but I wouldn’t be surprised if it wasn’t just the case that Steam felt TLS wasn’t secure enough but that someone thought it would be a fun project to harden login even further and because it’s Steam, why not?

                                                                                                                                                                                                    1. 9

                                                                                                                                                                                                      It protects the password from network level SSL (passive - an active MitM could provide a fake public key or serve a compromised rsa library) interception employed by AV tools and ad frameworks (like that Lenovo superfish cert a few years back)

                                                                                                                                                                                                      I have a feeling that Steam’s target audience lives in that dangerous group of people who are capable of installing whatever crap they want, who are also not versed in security enough not to do so and who have a very valuable asset (the steam account with all games)

                                                                                                                                                                                                      Any bit of additional protection helps at that point

                                                                                                                                                                                                      1. 1

                                                                                                                                                                                                        I’m not quite grasping the threat model you’re trying to show.

                                                                                                                                                                                                        Passive SSL MITM isn’t, someone has to encrypt with a new cert – either your network administrator because all your traffic goes through a MITM proxy, or software on your box. But for that to work your machine already has to trust a non-standard CA root, which means your adversary already did something arbitrary on your box.

                                                                                                                                                                                                        So in that world what does an extra layer of RSA get you?

                                                                                                                                                                                                        1. 1

                                                                                                                                                                                                          I imagine the point pilif was trying to make is that it’s not outlandish to consider users who’ve unwittingly allowed a malicious CA root and new cert on their machine. So, security in layers. That said, anyone who has done so is effectively vulnerable to mitm attacks on every website they visit and probably reuses their password, so their steam account might as well be considered compromised.

                                                                                                                                                                                                        2. 1

                                                                                                                                                                                                          That’s kind of a funny threat model, but why does Steam not just do CA or cert pinning like a lot of mobile apps do nowadays?

                                                                                                                                                                                                          1. 2

                                                                                                                                                                                                            They do. But they also offer a website where people can log in. And they offer OAuth “login with steam” services, all of which happening in browsers and not supporting cert pinning

                                                                                                                                                                                                            1. 1

                                                                                                                                                                                                              Ah right, the browser. I wonder if they’d have done this if Chrome was market leader back then.

                                                                                                                                                                                                      1. 4

                                                                                                                                                                                                        I vehemently disagree with this part:

                                                                                                                                                                                                        One approach is: “This tool has a lot of problems, but we’ll show you how to avoid them.” That can demotivate the learner: “Why am I learning this thing if it has so many problems?”

                                                                                                                                                                                                        I don’t know a single tool in information technology that professionals use that doesn’t have downsides. Everyone who claims their most beloved programming language is perfect and doesn’t have flaws (or at least isn’t suited to at least half the problems) either hasn’t used it enough or is in such a deluded state of mind that I wouldn’t trust their judgement anyway.

                                                                                                                                                                                                        This is the reality, and if the learner is looking for the perfect solution to all problems… well, good luck, might as well confront them with reality at the start. I’m not saying everyone needs to be a curmudgeon and paint everything black, but let’s stay realistic.

                                                                                                                                                                                                        1. 1

                                                                                                                                                                                                          Who are you disagreeing with though? The snippet you’re quoting is not what is being proposed in the end.

                                                                                                                                                                                                          1. 2

                                                                                                                                                                                                            Because not all of it always unfortunate, in a global sense. Maybe unfortunate for the student, but not all languages (or implementations) are equal and often there are indeed good reasons (or at least non-bad ones) for a thing.

                                                                                                                                                                                                        1. 6

                                                                                                                                                                                                          The part about HTTP protocols seems interesting enough, but everything after that is basically “yes we know our data and what we extracted from it is deeply flawed but here it is anyway”.

                                                                                                                                                                                                          The detection of used libraries: You might think it will undercount consistently (in a way that does not introduce too much skew), but I’d expect jQuery to be much more likely in globals than other libraries, particularly React which, judging from gut feeling is more likely to be found on a site that uses webpack. The fact that none of the popular component frameworks are in the list suggests this mostly crawled newssites and stuff like that.

                                                                                                                                                                                                          This linear regression thing: What does a negative regression coefficient mean then? That my site becomes faster when I add Zendesk? They put up a disclaimer saying “correlation does not equal causation”, then go on to suggest causation anyway by saying jQuery makes everything slower.

                                                                                                                                                                                                          I commend the effort but I don’t think the results here tell me anything except “linear regression can be used to tie two random numbers together to make a graph that looks like it says something”.

                                                                                                                                                                                                          1. 4

                                                                                                                                                                                                            This linear regression thing: What does a negative regression coefficient mean then? That my site becomes faster when I add Zendesk?

                                                                                                                                                                                                            Pages with Zendesk JS are likely to also be faster than average, is what that’s saying, which could very well be since a “support” page is fairly lightweight and the Zendesk JS is smart and asynchronous (I’m not sure if it’s true or not).

                                                                                                                                                                                                            Likewise re:jQuery, you could probably say that folks that care about render times are also likely to not use jQuery. Not that jQuery itself is necessarily bad – though you can certainly build some Lovecraftian horrors with it.

                                                                                                                                                                                                            1. 3

                                                                                                                                                                                                              Just to be clear: I understand what the data actually says, I’m criticizing their choice to frame it as a useful guide when removing dependencies, which they do right at the end of the blogpost.

                                                                                                                                                                                                          1. 3

                                                                                                                                                                                                            Was this done with warm or cold cache? Ideally it’d be done with and without.

                                                                                                                                                                                                            1. 7

                                                                                                                                                                                                              They argue that modern browsers will do cache isolation which to me is a fair enough argument to not bother with warm caches:

                                                                                                                                                                                                              There’s a handful of scripts that are linked on a large portion of web sites. This means we can expect these resources to be in cache, right? Not any more: Since Chrome 86, resources requested from different domains will not share a cache. Firefox is planning to implement the same. Safari has been splitting its cache like this for years.

                                                                                                                                                                                                              1. 1

                                                                                                                                                                                                                Depends on what fraction of traffic is repeat visitors. The second time you visit the site you are not downloading jquery again.

                                                                                                                                                                                                              2. 2

                                                                                                                                                                                                                Ooh it would be interesting to get both for each site. You could get statistics on what the loading gap is between returning & first-time users.

                                                                                                                                                                                                              1. 3

                                                                                                                                                                                                                I have this + an email address for git commits that automatically marks as spam if it receives an email. Very useful for training the filter on university surveys.