1. 9

    I self-host. Pretty easy with sovereign. Or if you want to use NixOS: simple-nixos-mailserver

    Definitely worth it, even just for learning how email works.

    1. 1

      what OS do you use for sovereign?

      I tried to apply it to Debian Stretch (with ansible 2.8) and it just would not even go (complains about setup module failures)

      1. 1

        Have you encountered any problems with sent mail being caught in spam? that’s one of the most common problems I’ve heard about with self-hosting.

        1. 1

          Yeah, but it’s not so bad after you setup the DKIM etc records properly. The sovereign README has instructions on how to do all that. The situation improves as the age of your domain increases too, I think.

      1. 12

        Kernelization has its disadvantages.

        Right now, Python is a terrific introduction language. It’s simple yet regular syntax makes it easy to teach, and the full-featured standard library provides much of what a new programmer could want. Maybe not the best and newest takes on various domains, but more than enough for a beginner with modest means. All this comes in a single package from python.org.

        The article suggests that we “kernelize” Python by removing a default “user space” of standard libraries and move those libraries like pip to an installer model.

        Teaching dependency management with pip and all its friends (venv? Peotry? Pipenv?) sounds fraught to me - and unfriendly to beginners when the ecosystem and best practices seem to be in such flux.

        We might also see that change will fragment Python - like Linux - into a myriad of competing distributions. There are already Python “distros” like conda out there, but a kernelized Python almost necessitates that everyone pick a distro. One more extra burden of choice and burden of research for a newcomer.

        This is a good take for technical experts (this crowd) but a poor one for learners and approachability. How much easier would Linux be to learn if there was Only One Way to do it?

        1. 4

          Agree 100%. One of Pythons greatest strengths is its decent standard library, and built in package manager:

          https://docs.python.org/library/ensurepip

          I am fine with slimming down standard library, but dont remove it. We dont want to turn Python into C, where the standard library has almost nothing. All it does it force novice users to create their own their own terrible solution, or send them hunting into a forest of thousands of packages. One of the biggest pain points for me with any language is finding something I consider “basic” not in the standard library, and trying to figure out what package to use. Dont put that hassle on the community.

          Deciding where to draw the line is a hard problem yes, but the alternative of no standard library is worse.

          1. 4

            Maybe the answer is two tier: core and stdlib. Core could be a narrow subset of modules that make up the base of the language and stdlib could be bootstrapped off of core (i.e., stdlib is all python code written using core or other stdlib). It would make it much easier to port stdlib to other pythons.

            Of course it would take rewriting stdlib in some subset of modules that are deemed core. Would take a lot of work I imagine.

          2. 2

            The article suggests that we “kernelize” Python by removing a default “user space” of standard libraries and move those libraries like pip to an installer model.

            As I read it (and here I’m speaking with the benefit of knowing the author, and also knowing the author of the piece he refers to in the intro), the article is being deliberately hyperbolic in mentioning the Kondo approach. The actual suggestion is:

            We need a “kernel” version of Python that contains only the most absolutely minimal library, so that all implementations can agree on a core baseline that gives you a “python”, and applications, even those that want to run on web browsers or microcontrollers, can simply state their additional requirements in terms of requirements.txt.

            A baseline set of modules significantly smaller than the current Python standard library is a provocative idea, but not necessarily new or even particularly radical; as Glyph points out, Linux distributions have a history of breaking up Python’s standard library across multiple separate distro packages, and while it’s been an annoyance for people who maintain things that depend on the standard library being shipped whole, it also seemingly hasn’t killed Python’s growth and adoption. And standardizing the minimal subset that gets to be called a distribution of Python would go a long way toward reducing the headaches imposed by distros’ current fragmentation of the standard library.

            Teaching dependency management with pip and all its friends (venv? Peotry? Pipenv?) sounds fraught to me - and unfriendly to beginners when the ecosystem and best practices seem to be in such flux.

            This I think is a bit unfair as a criticism, because most of the variation in workflows is on the producer side of packaging, not the consumer side. Consumers of Python packages don’t need to know or care what toolchain someone used to produce those packages. The main split on the consumer side is between users of pip and users of conda, which is is really more of a split between sub-communities working in different problem domains (a rough and grossly oversimplified description might be: if you’re writing networked applications you’re probably a pip user; if you’re doing numeric/scientific computing you’re probably a conda user).

            1. 1

              Would a ‘satellite’ language, let’s call it PythonBare – be an ‘in-between’ option ? it will be part of standard python distro, but could also be distributed without the main ’big Python.

              Just trying to draw analogies between BetterC (a subset of D) and this discussion. I think for purposes of D, to have a language with D syntax, that can directly leverage pre-installed C-libraries is a big deal.

              Although, thinking about it, not sure, to be honest, if the above analogy/benefit extends to Python world – because ‘PythonBare’ still can only use python libraries.

              On another hand if PythonBare could some how automagically import and leverage without any wrappers available C-libraries, then may be there is an advantage (similar to BetterC or Zig ).

              1. 2

                From my relatively uninformed viewpoint, it sounds like both RPython or Cython might be a suitable starting point for your BarePython idea.

                RPython is a restricted set of Python that’s used to implement the PyPy JIT runtime. Not all methods are available, and things like interators are simplified.

                Cython is a compiles extension language that easily inter-operates with C and Python. It’s not clear to me if Cython can use Python stdlib imports.

              2. 0

                It’s simple yet regular syntax makes it easy to teach

                I feel like this is becoming less and less true. Annotations are not particularly simple, how everything works together in Async is quite complicated actually (thats actually true for many things in Python), lots and lots of new syntax with only little use being introduced.

                Python seems to try to become everything for everyone but is not tackling the elephant in the room which is the terrible package management. As you say, better have a large stdlib of obsolete code than to refer beginners to the horror that are virtual environments and its managers. Which is sad, because node manages to get by with a rather small standard library since installing things using npm is feasible.

                I always felt that this whole easy_install, setuptools, pip, virtualenvwrapper, venv, pipenv, etc etc. stuff was only necessary because CPython has no good way of handling envirornments on its own so everybody just tries to get by with juggling PYTHONPATH. Implementing a better way of locating modules in CPython could make this pain go away.

              1. 4

                The article is written with sarcasm in mind :-) Probably even implying that that’s how medium.com is working these days ? :-)

                • Keep pestering web browser users that you have a mobile up
                • Keep reminding them that they can sign in
                • Block users from non US countries to avoid GDPR and other liablities
                • Block the ad blockers. …
                1. 1

                  I would be interested in subscribing to your bookmarks for a topic like this, since you know the subject :-)

                  Not saying that your ask is not valid, just if there is an option – I prefer to leverage a list curated by an expert in the subject.

                  Another question, would things like Discourse, Disqus, Matrix.org, ActivityPub clinent/servers qualify as cms?

                  [1] https://howlingpixel.com/i-en/Content_management_system

                  1. 2

                    Another question, would things like Discourse, Disqus, Matrix.org, ActivityPub clinent/servers qualify as cms?

                    I’d say for Matrix.org and ActivityPub the distributed tag works pretty well already.

                  1. 4

                    thank you for your work @aphyr.

                    You are like FDA, but for distributed databases :-) (and without the ‘F’ ).

                    As a suggestion to ‘consumerize’ your work more, if you will. Is to publish a news letter or a blog that will continuously maintain a table listing what tests were performed, what databases participated (version/vendor), and result within each cell.

                    Since your tests are standardized, having that comparative view, I think would be very useful.

                    1. 8

                      I don’t know a good rubric for comparing results yet, but I do maintain a table of analyses here: http://jepsen.io/analyses

                      1. 3

                        It would be great to see some of the cloud provider’s managed databases.

                        1. 4

                          That’s gonna be tougher–I don’t have a good way to inject faults into those systems. We can test the happy case, though!

                    1. 1

                      The hiring process for developer roles, especially better paid ones – is really multi-dimensional.

                      I think many companies who can afford to pay risk free 250+ K USD dev salaries, have over-designed negative filters (eg reasons why not to hire).

                      Some of those filters are for technical proficiency, some are not.

                      Most companies will not disclose which ones of the negative filters were triggered in particular job interview. Legal action by a rejected applicant, (with a demand to disclose how others faired against same filters) – is, probably, one of the reasons, there may be others.

                      On a somewhat positive side of things, I suppose, for companies that cannot afford to pay as much but looking for quality candidates, at least have a chance. Over time those companies, if successful, will be able to offer (via a raise or bonus) similar compensation to a candidate.

                      In my view, the bigger and, probably more unethical practice – is giving higher salaries for same job to new hires (often decorated with made up titles and made up responsibilities) – Compared to folks who performing similar jobs at same skills, but who have been with a business for a few years.

                      1. 8

                        Well, they must be listening to people who have way more money than me.

                        1. 3

                          I think the OP is most excited that Apple is listening at all.

                          1. 1

                            I am in the same boat as you are. It seems that Apple is listening to people who are are fine paying 3x premium for their branded hardware.

                            When the 3x premium is expected from parents of school kids… this seems even more out-of-line with reality.

                            On another hand, may be I am just a bit jealous that I am very far, financially, from being able to afford a couple of Iphone Xs and the new new desktop.

                            1. 1

                              Apple has always been the brand that forces you to pay a premium, but in the past the expectation was that things Just Worked and you got a fully vetted ecosystem that you could rely on.

                              Or that was the marketing anyway :)

                              1. 1

                                I agree, but now we’re talking one hell of a premium (e.g. 1000 USD for the Apple Pro Display XDR STAND!!!)

                                1. 2

                                  I’m considering a new laptop for (among other things) photo editing and frankly, there’s really no Windows-based machine that’s as (relatively) affordable as Macbooks - https://www.notebookcheck.net/The-Best-Notebook-Displays-As-Reviewed-By-Notebookcheck.120541.0.html

                            1. 7

                              I like D, it is more high level than C without becoming bloated like C++ or C#.

                              However what has kept me away is library support. For my use I must have an HTTP client, and I cant seem to find one thats workable. I tried Vibe, but it doesnt offer static library:

                              https://github.com/vibe-d/vibe.d/issues/2282

                              I tried Tango, but it doesnt seems to work with Windows:

                              https://github.com/SiegeLord/Tango-D2/issues/104

                              Finally I tried “std.net.curl”, but it doesnt offer a static library either:

                              https://issues.dlang.org/show_bug.cgi?id=15841

                              I am not totally averse to compiling my own static library, but it seems you have to manually edit the cURL source to do it?

                              https://wiki.dlang.org/Curl_on_Windows

                              I drew the line there, it just seems too painful currently to get what I want working, while other languages in this space have solved the problem:

                              1. Go https://golang.org/pkg/net/http
                              2. Rust https://github.com/hyperium/hyper
                              3. Nim http://nim-lang.github.io/Nim/httpclient
                              1. 5

                                I found requests to be a good one.

                                1. 1

                                  I think this request package will have same issue as vibe.d, It relies on dynamic OpenSSL library and does not have an option for a static library (which @cup is after, if I understand it right).

                                  it seems that static includes of these types of library is a higher-level packaging function, and unlikely to be solved by individual package maintainers, unfortunately.

                                  1. 1

                                    actually after some testing “requests” does create a single executable

                                    i think its because it uses std.socket by default instead of vibe.d for network IO

                                    https://github.com/ikod/dlang-requests#library-configurations

                                    but if thats the case why does it need vibe.d at all? hmm

                                2. 0

                                  You’ve had this complaint before but I don’t get it. What’s the problem with shipping a dll next to your exe?

                                  1. 2

                                    The point is I should be able to choose. I should be able to do nothing more than pass a compiler flag to get static or shared linking. But that’s not possible with some of the libraries as it seems they didn’t make a static build.

                                1. 6

                                  Thank you engagement @atilaneves !

                                  3 questions/topics from my side

                                  a) can BetterC be used to link/leverage large C++ libraries (eg QT or boost). That is, can BetterC be used as essentially C++ replacement (and without D’s GC, D’s standard library (Phobos), and any other D-run time dependencies) ? For example, can I build a QT or wxWidget based app for FreeBSD, Linux, Windows, MacOS using BetterC and QT only?

                                  b) Can you describe for, us, non-D folks, the DIP1000 (this seems to be a feature implementing Rust-like semantic for pointers… but it compare/contrast was not clear)

                                  c) Mobile app development – does D have roadmap/production ready capabilities in this area, and for which platforms

                                  Thank you again for your time.

                                  1. 5

                                    I don’t see how betterC helps with calling C++. D can already call C++ now, it’s just not easy, especially if they’re heavily templated.

                                    DIP1000 is D’s answer to Rust’s borrow checker. You can read the dip here. Essentially it makes it so you can’t escape pointers.

                                    There’s been some work done for Android, but the person doing that left the community. It was possible to run D there, but I’m not sure what the current status is.

                                    1. 3

                                      Thank you.

                                      WRT C++ D compatibility, I watched a video for this paper https://www.walterbright.com/cppint.pdf but, if I remember right, it was 2015 – and I could not figure out if, after D was officially included in GCC, there were any updates to C++ ABI compatibility feature.

                                      1. 1

                                        The ABI should just work. Otherwise it’s a bug.

                                  1. 1
                                    1. I use ansible NGINX role [1] to deploy a web server

                                    It automatically downloads and installs on target host an uptodate version of NGINX

                                    It allows me to me to specify where my site files are (usually in /var/www/

                                    It allows me to configure a bunch of settings (time outs, how to handle URL’s without www, and so on – all by passing arguments to that NGINX role)

                                    It allows to specify where your certificate/private keys files are (I usually put mine in /etc/letsencrypt/ )

                                    1. I created my own ansible role that I call ‘local_build’ that basically runs a build of my webapp, and deposits it into a predetermined location on my build machine.

                                    2. Finally, my 3rd ansible role copies certificates and then webapp files (from 2) onto the target host(s)

                                    so The playbook executes (1), (2), (3)… also I can manually execute just (3) (update certificate).

                                    The NGINX role works well on any of the Linux distros, there is also support for FreeBSD (and maybe OpenBSD), there will be some updates to the role – probably shortly to fix some issues on FreeBSD.

                                    I rarely have have a need to login into the target host, only if I need to debug (although we are pre-prod still).

                                    [1] https://github.com/nginxinc/ansible-role-nginx

                                    1. 1

                                      Pardon my ignorance, but isn’t this just saying you will need to invoke python3 deliberately instead of having 2 installed?

                                      1. 1

                                        I do not think so. It seems like article is saying that eve Python 3 will not be available in future versions of MacOS

                                      1. 17

                                        Interested in hearing other views. But I think what they are doing is reasonable.

                                        Can this be extrapolated into a ‘BLISS’ principle: ‘Buy License if SaaS’ (just came up with abbreviation :-) )

                                        “.. The one and only thing that you cannot do is offer a commercial version of CockroachDB as a service without buying a license. ..”

                                        They should probably provide some examples of what they consider a CockroachDB service, vs a service that’s using CockroachDB underneath.

                                        1. 10

                                          agreed. copying my comment over from hn:

                                          this seems like an excellent licence, clearly spelling out the intent of the copyright, rather than trying to fashion a one-size-fits-all set of rules. it reminds me of cory doctorow’s point that, intuitively, if some community theatre wanted to dramatise one of his works, they should be able to just do so, but if a major hollywood studio wanted to film it they should require a licence, and it is hard to draft a copyright law that does this properly.

                                          1. 13

                                            Can this be extrapolated into a ‘BLISS’ principle: ‘Buy License if SaaS’

                                            It can be. The question is not whether someone could do a thing, it’s whether they should do a thing.

                                            And the answer to that question is: Cockroach Labs itself wants to offer CockroachDB as SaaS, and they see it as absolutely necessary that they have the exclusive right to decide whether anyone else can do that and charge money for the privilege. Fair enough, they hold the copyright on the software (presumably) and can relicense it as they wish.

                                            But what happens to Cockroach Labs’ SaaS offering if every other component of the stack they run on adopts the same license and says “free but only if you’re not a for-profit SaaS”? If they have to pay dozens or, more likely, hundreds of separate license fees for the privilege of using all the other open-source components they depend on?

                                            The answer is Cockroach Labs would not be in the SaaS business for very long after that, because they wouldn’t be able to turn a profit in such a world. The categorical imperative catches up to people. And the real result would be everybody forking from the last genuinely open-source version and routing around the damage that way.

                                            1. 11

                                              But what happens to Cockroach Labs’ SaaS offering if every other component of the stack they run on adopts the same license and says “free but only if you’re not a for-profit SaaS”?

                                              but cockroachdb, as far as i can make out, is not doing this - they’re saying “free, unless you’re a for-profit cockroach-db-as-a-saas”, that is, if what you are selling is a hosted version of cockroachdb itself, rather than some other saas product that happens to use cockroach as a backend.

                                              1. 5

                                                Right. So assuming that Cockroach Labs offers no services except CockroachDB-as-a-service and a support line, Cockroach Labs would not have to pay for any additional licenses if all dependencies in their software stack switched to CockroachDB’s new license.

                                                I think very few companies would be harmed if this license became prevalent. (I make no statement on the worth of the services of the few companies that would be harmed by such mass relicensing.)

                                              2. 4

                                                But most of the deps of CockroachDB aren’t created by corporations who need to monetize them directly.

                                                1. 12

                                                  Exactly. I think different kinds of projects end up preferring different kinds of licenses, for good reasons:

                                                  • core infrastructure — libraries, runtimes, kernels, compilers — permissive and public domain-ish — because “stuff you were going to write anyway”, not written directly for profit, stuff you want to just exist and would love it if someone made a successful fork (because you wouldn’t have to maintain it anymore! — that’s most of my github projects) etc.
                                                  • end user / GUI / client software — desktop, mobile apps — copyleft — because someone else turning your app into a proprietary one sucks, you want user freedom for the end users
                                                  • SaaSable / Web Scale™ / serious business oriented server software — distributed DBMSes like this one — these “Buy License if SaaS” licenses — because reasons everyone discussed with the SaaS thing

                                                  Of course not everyone will agree with my philosophy here, but I think it’s good and much more productive than “I hate GPL” / “I hate permissive” / “the anti-SaaS stuff is destroying all FOSS ever”. You don’t have to attach yourself personally to a kind of license, you can adopt a philosophy of “different licenses for different kinds of projects”.

                                                  1. 1

                                                    core infrastructure — libraries, runtimes, kernels, compilers — permissive and public domain-ish — because “stuff you were going to write anyway”,

                                                    I don’t think that’s true given the value that great infrastructure can provide, esp with good ecosystem. The mainframe companies, VMS Inc, Microsoft, and Apple all pull in billions of dollars selling infrastructure. The cloud companies sell customized and managed versions of open infrastructure. The vendors I reference making separation kernels, safety-critical runtimes, and certifying compilers are providing benefits you can’t get with most open code. Moreover, stuff in that last sentence costs more to make both in developer expertise and time.

                                                    I think suppliers should keep experimenting with new licenses for selling infrastructure. These new licenses fit that case better than in the past. If not open, then shared source like Sciter has been doing a long time. I’d still like to see shared source plus paying customers allowed to make unsupported forks and extensions whose licenses can’t be revoked so long as they pay. That gets really close to benefits of open source.

                                                    1. 1

                                                      Of course there’s still companies selling specialized, big, serious things. But FOSS infrastructure has largely won outside of these niches. Linux is everywhere, even in smart toilets and remote controlled dildos :D Joyent has open sourced their whole cloud stack. Google has open sourced Bazel, Kubernetes, many frontend frameworks… Etc. etc.

                                                      shared source plus paying customers allowed to make unsupported forks and extensions whose licenses can’t be revoked so long as they pay

                                                      IIRC that’s the Unreal Engine 4 model. It’s.. better than hidden source proprietary I guess.

                                                      separation kernels, safety-critical runtimes, and certifying compilers are providing benefits you can’t get with most open code

                                                      I’ve heard of some of these things.. but they’ve been FOSS mostly. NOVA: GPLv2. Muen: GPLv3. seL4: mix of BSD and GPLv2. CompCert: mix of non-commercial and GPLv2.

                                                      1. 4

                                                        “ But FOSS infrastructure has largely won outside of these niches. “

                                                        Free stuff that works well enough is hard to argue with. So, FOSS definitely wins by default in many infrastructure settings.

                                                        “but they’ve been FOSS mostly. NOVA: GPLv2. Muen: GPLv3. seL4: mix of BSD and GPLv2. CompCert: mix of non-commercial and GPLv2.”

                                                        They’ve (pdf) all been cathedral-style, paid developments by proprietary vendors or academics. A few became commercial products. A few were incidentally open-sourced with one, Genode, having some community activity. seL4 may have some. Most seL4-based developments are done by paid folks that I’ve seen. The data indicates the best results come in security-focused projects when qualified people were paid to work on the projects. The community can do value-adds, shake bugs out, help with packaging/docs, translate, etc. The core design and security usually requires a from core team of specialists, though. That tends to suggest paid models with shared source or a mix that includes F/OSS are best model to incentivize further development.

                                                        “and remote controlled dildos :D “

                                                        There’s undoubtedly some developer that got laid off from their job shoving Windows CE or Symbian into devices that were once hot who dreamed of building bigger, better, and smarter dildos that showed off what their platforms had. The humiliation that followed wasn’t a smiling matter, Sir. For some, it may have not been the first time either.

                                                        1. 2

                                                          cathedral-style, paid developments by proprietary vendors or academics

                                                          Yes, the discussion was about licensing, not community vs paid development. For this kind of project, I don’t see how non-FOSS shared source licensing would benefit anyone.

                                                          1. 2

                                                            Individuals outside business context could use, inspect, and modify the product for anywhere from cheap to free. Commercial users buy a license that’s anything from cheap to enterprise-priced. The commercial use generates revenues that pay the developers. Project keeps getting focused work by talented people. Folks working on it might also be able to maintain work-life balance. If 40-hr workweek, then they have spare time and energy for other projects (eg F/OSS). If mix of shared-source and F/OSS, a percentage of the funds will go to F/OSS.

                                                            I think that covers a large number of users with acceptable tradeoffs. Harder to market than something free. The size of the security and privacy markets makes me think someone would buy it.

                                                  2. 3

                                                    They aren’t today.

                                                    But yesterday, CockroachDB was open-source software.

                                                    1. 6

                                                      Yeah people love free stuff and not paying for it.

                                                      1. 4

                                                        Well, most of the free stuff I have access to is reasonably priced.

                                                        1. 2

                                                          Ok, I meant to say not paying what it is worth (draining the producers).

                                                        2. 6

                                                          Yes, people love getting things for free.

                                                          Cockroach Labs likes getting things for free, but has decided that they don’t like giving things away for free. This is a choice they have the legal right to make, of course, but that doesn’t necessarily make it the right decision.

                                                          From a business perspective, it’s a very bad sign. A company suddenly switching from open source to proprietary/“source available” is usually a company where the vultures are already circling. And mostly it indicates a fundamental problem with the business model; changing the license like this doesn’t fix that problem, and in fact can’t fix it. If demand for CockroachDB is significant enough, other people will fork from the last open-source release and keep it going. If demand for it isn’t significant enough, well, they won’t. And either way, Cockroach Labs probably won’t make back what the VCs invested into it.

                                                          From a software-ecosystem perspective, it’s more than a bit hypocritical. Lots of people build and distribute permissive-licensed software, and Cockroach Labs has, if not profited (since they may not be profitable) from it, at least saved significant up-front development cost as a result. If what they wanted was a copyleft-style share-and-share-alike, there were licenses available to let them do that (which, from a business perspective, still would not have saved them). But that’s not really what they wanted (and by “they” I mean the people in a position to impose decisions, which does not mean the engineering team or possibly even the executive team). What they seem to have wanted was to be proprietary from the start, and therefore to have absolute control over who was allowed to compete with them and on what terms. There is no open-source or Free Software license available which achieves that goal; the AGPL comes closest, but still doesn’t quite get there.

                                                          And there simply may not have been a business model available for CockroachDB that would satisfy their investors, but Cockroach Labs was founded at a time when it already should have been clear – especially to a founding team of ex-Googlers – where the market was heading with respect to managed offerings for this type of software. They could have tried other options, like putting more work into integrating with cloud providers’ marketplaces, but instead they knowingly signed up to get their lunch eaten, and do in fact appear to have gotten their lunch eaten.

                                                          1. 9

                                                            Cockroach Labs likes getting things for free, but has decided that they don’t like giving things away for free.

                                                            You are hinting that Cockroach Labs are trying to act as freeloaders while ignoring the real elephant in the room: SaaS providers.

                                                            1. 0

                                                              You are hinting that Cockroach Labs are trying to act as freeloaders while ignoring the real elephant in the room: SaaS providers.

                                                              I’m pointing out the simple fact that Cockroach Labs wants to have the right to build a business on open-source software, but wants to say that other entities shouldn’t have that same right. That’s literally what this comes down to, and literally what their new license tries to say.

                                                            2. 3

                                                              Cockroach Labs likes getting things for free, but has decided that they don’t like giving things away for free.

                                                              That’s an unfair characterization. The code they use is made by people who like giving stuff away for free. If permissive, they’ve already chosen a license that lets commercial software reuse it without giving back any changes. If copyleft under GPL-like license, there’s already bypasses to sharing like SaaS that they’re implicitly allowing by not using a strong license. They’re also doing this in a market where most users of their libraries freeload. They then release the code under that license knowing all this for whatever reasons they have in mind.

                                                              And then Cockroach Labs, whose goal is a mix of profit and public benefit, uses some of the code they were given for free. They modify the license to suit their goals. Each party contributing code should be fine with the result because each one is doing exactly what you’d expect with their licenses and incentives. If anything, CockroachDB is going out of their way to be more altruistic than other for-profit parties. They could be locking stuff up more.

                                                              1. 1

                                                                They approve of the “take open-source software and build a business on it without financially supporting all the authors in a sustainable way” approach when it’s them doing it with other people’s software. They don’t approve when it’s Amazon doing it with CockroachDB. You can try to spin it, but that’s really what it comes down to.

                                                                And they want control over who’s allowed to compete with them and who’s allowed to use their software for what purposes. That’s fundamentally incompatible with their software being open source, and they’ve finally realized that, but it’s a bit late to be suddenly trying to change to proprietary.

                                                                1. 2

                                                                  I agree it won’t be open source software when they relicense it. I disagree that there’s any spin. I tell people who want to force contributions or money back to put it in their license with a clause blocking relicensing to non-OSS/FOSS. Yet, the OSS people still keep using licenses or contributing to software with such licenses that facilitate exactly what CockroachDB-like companies are doing.

                                                                  I don’t see how it’s evil or hypocritical for a for-profit company acting in self-interests to use licensed components whose authors choose knowing it facilitates that. It wasn’t the developers only option. There was a ton of freeloading and hoarding of permissively-licensed components before they made the choice. Developers wanting contributions from selfish parties, esp companies, should use licenses that force like AGPL or Parity. The kinds of companies they gripe about mostly avoid that stuff. This building on permissive licensing and relicensing problem has two causes, not one.

                                                                  Note: There’s also people that don’t care if companies do that since they’re just trying to improve software they and other people use. Just figured I should mention that in case they’re reading.

                                                                  1. 2

                                                                    I don’t see how it’s evil or hypocritical for a for-profit company acting in self-interests to use licensed components whose authors choose knowing it facilitates that.

                                                                    It’s not “evil”. But it is at least a bit hypocritical to decide that you’re OK doing something yourself, but not with other people doing it too.

                                                                    Given their intended business model, CockroachDB probably should have been proprietary from the start. Would’ve avoided this specific headache (but probably still wouldn’t have avoided the problem with the business model they chose).

                                                                    1. 1

                                                                      “But it is at least a bit hypocritical to decide that you’re OK doing something yourself, but not with other people doing it too.” “CockroachDB probably should have been proprietary from the start”

                                                                      “three years after each release, the license converts to the standard Apache 2.0 license”

                                                                      Amazon isn’t giving all their stuff away after three years under a permissive, open-source license. What we’re really discussing is a company that will delay open-sourcing code by three years, not just license proprietary software. Every year, they’ll produce more open-source code. It will be three years behind the proprietary, shared-source version everyone can use except for SaaS companies cloning and selling their software. You’re talking like they’re not giving anything back or doing any OSS. They are. It’s just in a way that captures some market value out of it.

                                                                      In contrast, the people making OSS dependencies usually aren’t doing anything to capture business value out of the code. If anything, they’re not even trying to. They’re directly or indirectly encouraging commercial freeloading with a license that enables it instead of using one that forbids it. So, CockroachDB doesn’t owe them anything or have any incentive to pay. Whereas, CockroachDB’s goal is to make profit on their own work. The goal differences are why there’s no hypocrisy here. It would be different if the component developers were copylefting or charging for CockroachDB’s dependencies with the company not returning code or pirating the components.

                                                                      1. 1

                                                                        but not with other people doing it too

                                                                        Have you heard anyone at Cockroach Labs say this? Wouldn’t they be able to offer their service based on 3 year old versions of every piece of OSS they use? It seems to me this license would work fine transitively, so there’s no hypocrisy involved.

                                                        3. 3

                                                          If they have to pay dozens or, more likely, hundreds of separate license fees for the privilege of using all the other open-source components they depend on?

                                                          Sounds good to me. They have had millions of dollars of funding, they can easily pay some money to people who deserve it.

                                                          1. 1

                                                            Or we’ll get something like ASCAP, but for software instead of music.

                                                            1. 6

                                                              As a long time ASCAP member, I hope we could do better.

                                                          2. 3

                                                            They should probably provide some examples of what they consider a CockroachDB service, vs a service that’s using CockroachDB underneath.

                                                            I believe I read somewhere that they considered the user having the ability to freely modify the schema as being “as a service”

                                                            Edit: found it

                                                            1. 2

                                                              The user of a “CockroachDB as a Service” company, that is (not just a user of CockroachDB in general)

                                                              1. 2

                                                                Thx @trousers @johnaj for clarification. I guess, for me this ‘muddied’ waters so to speak.

                                                                Say, hypothetically, I have a SaaS that allows my customers to upload logs from IoT devices, and schema (in my DSL) explaining the data, and some SQL-like (but can also be my DSL) queries about their data.

                                                                My service is to provide the results of the queries back to them via dashboards/PDFs etc. The hypothetical SaaS charges for that service (and hopes, in some distant future, to make net profit)

                                                                Underneath, I want to use CockroachDB.

                                                                When customer provides their data explanation in DSL, I actually translate it into CockroachDB schema, and create materialized and non-materialized views (I do not know if the DB supports this, let’s assume – it does). I do that so that customer’s queries can be translated to database statements more easily (and run efficiently).

                                                                So I have a SaaS service, and allow customers (although indirectly) to create schema specific to their data in my database.

                                                                Will I need license?

                                                                From what I am reading right now, I will.
                                                                This is not good or bad – but I hope, then, Postgres would never adapt BLISS.

                                                                May be I am wrong .. so hope to hear what others think.

                                                                1. 2

                                                                  Will I need license?

                                                                  No. I think anything that is indirect (they are not using the wire protocol or directly issuing queries) is not going to require a license.

                                                                  That said, I can see how your example is demonstrative of a possible problem – if Amazon created like a graphQL layer in front of it that just sort of translated to and from CockroachDB would that give them safety license wise – and I think it would.

                                                                  1. 3

                                                                    Right, there is ambiguity about the ‘type or class’ of layers that when added, will not require a license vs layers that will require a license.

                                                                    If I correctly understand the spirit and the intent of their license, I actually think CockroachDB should protect themselves, and specify that following layers:

                                                                    a) security + access control layers

                                                                    b) performance + scalability layers

                                                                    c) General (not domain specific) query meta language layers

                                                                    d) Deployment layers (eg ansible roles on top)

                                                                    e) Hardware layer underneath (eg optimized FPGA/GPUs)

                                                                    If a SaaS business added on top of their DB only the above layers in essense, and then sold as SaaS together with CocroachDB – they would need the BLISS license.

                                                                    Also, at the end of the day, their license may end up being, still, free for some businesses that fall under BLISS – but I think, CockrouchDB team and their investors, want to be in control of that decision…

                                                                2. 1

                                                                  Right. Good clarification.

                                                            1. 1

                                                              I was wondering, what benefit such analysis would bring (besides curiosity ). The paper explains some drivers at the end, and I think it makes sence:

                                                              “… 4.1 Developingx86-64ISATools Binary tools, such as emulators, binary translators, binary instrumentation tools, and decompilers, all operate on ISAs. While x86-64 is extremely complicated, as shown in the prior section, implementing every esoteric feature in the ISA isn’t necessary to run common applications. We leverage instruction importance to determine which instructions are essential (Figure 6-top). …”

                                                              1. 3

                                                                The changelog doesn’t read hugely exciting. Perhaps the new garbage collector is important?

                                                                • new generational mode for garbage collection
                                                                • to-be-closed variables
                                                                • const variables
                                                                • userdata can have multiple user values
                                                                • new implementation for math.random
                                                                • warning system
                                                                • debug information about function arguments and returns
                                                                • new semantics for the integer ‘for’ loop
                                                                • optional ‘init’ argument to ‘string.gmatch’
                                                                • new functions ‘lua_resetthread’ and ‘coroutine.kill’
                                                                • coersions string->number moved to the string library
                                                                • allocation function allowed to fail when shrinking a memory block
                                                                • new format ‘%p’ in ‘string.format’
                                                                • utf8 library accepts codepoints up to 2^31
                                                                1. 4

                                                                  Const variables are a pretty big change in my eyes. I’m not sure what a to-be-closed variable is.

                                                                  1. 9

                                                                    The docs

                                                                    A to-be-closed variable behaves like a constant local variable, except that its value is closed whenever the variable goes out of scope, including normal block termination, exiting its block by break/goto/return, or exiting by an error.

                                                                    Here, to close a value means to call its __close metamethod. If the value is nil, it is ignored; otherwise, if it does not have a __close metamethod, an error is raised. When calling the metamethod, the value itself is passed as the first argument and the error object (if any) is passed as a second argument; if there was no error, the second argument is nil.

                                                                    1. 1

                                                                      D’oh. Thanks.

                                                                      I guess it’s used for:

                                                                      local <toclose> f = io.open('file.txt', 'r')
                                                                      local contents = f:read('*a')
                                                                      

                                                                      I don’t see how that’s any better than:

                                                                      local f = io.open('file.txt', 'r')
                                                                      local contents = f:read('*a')
                                                                      f:close()
                                                                      

                                                                      Weird feature.

                                                                      1. 8

                                                                        I think difference is, you do not have to call :close. Why is it important, because in complex nested/multi-if statements you do not need to cover each path of block’s scope exit.

                                                                        Seems similar how one would do a deterministic resource management in C++.

                                                                        1. 1

                                                                          Yeah like I said it’s a weird feature. Not very Lua-like if you ask me.

                                                                        2. 4

                                                                          It’s the same as defer in Go it seems.

                                                                          1. 2

                                                                            Except without the weird thing where it’s done as a separate fundamental piece of syntax instead of being integrated gracefully with existing language mechanisms.

                                                                            1. 1

                                                                              Umm, but <toclose> also seems to be kinda new, separate fundamental piece of syntax, no? :) I don’t remember seeing it in previous versions of Lua…

                                                                              1. 1

                                                                                Oh, I misread it as being an example notation similar to $VAR but I see you’re right. It’s just a new kind of identifier instead of changing existing rules for how evaluation happens, so I would say it’s a much simpler extension, but yeah it is new syntax.

                                                                              2. 1

                                                                                Yes but take into account that Lua was first released in 1994, that’s around 20 years before go. Probably doesn’t make very much sense for them to redefine it at a fundamental level.

                                                                                1. 2

                                                                                  Lua was first released in 1994, that’s around 20 years before go.

                                                                                  Obligatory, “despite being released so recently, Go feels like it came from the 70s.”

                                                                                  1. 1

                                                                                    The heyday of it’s creators some things I do like I’m go others feels silly. Lua on the other hand have really nice concepts, is light and is just so much fun to code in. Trapped in js for the time being though but only since I want to Target web.

                                                                                    1. 1

                                                                                      Trapped in js for the time being though but only since I want to Target web.

                                                                                      Obligatory plug for https://fengari.io/

                                                                                      1. 2

                                                                                        I see from your blog thatt you’ve used löve framework, I’ve had so much fun with that one.

                                                                                        Have you worked on used fengari.io for any projects?

                                                                                        1. 1

                                                                                          Yes, although my code is rather simple.

                                                                                          The live in-browser repl on https://fennel-lang.org uses Fengari. I haven’t done any Javascript since 2005 or so, but I was able to easily and quickly integrate Fengari’s Lua VM into the page I had built and plug the Fennel repl directly into an <input> element; it worked much better than I had expected. The developer was very responsive and supportive too.

                                                                                          https://git.sr.ht/~technomancy/fennel-lang.org/tree/master/repl.fnl

                                                                                          ^ I’m using coroutines to create an interactive repl tutorial that proceeds thru a series of steps as the user enters input.

                                                                                          1. 2

                                                                                            hm very clever! I couldn’t help to notice from your webpage that you are creating keyboards as well, how is that going?

                                                                                            1. 1

                                                                                              It’s great; lots of fun to build things with your hands. I’m speaking on the topic at RacketCon in July: https://con.racket-lang.org/#speakers

                                                                                              Feel free to message me if you have any questions about the kit.

                                                                                              1. 2

                                                                                                Sounds interesting no way I’ll make it to salt lake City until then though!!

                                                                                  2. 2

                                                                                    I guess I was a bit unclear; I’m saying introducing separate syntax for something that can be cleanly expressed using existing syntax is tacky as hell; and I’m somewhat baffled why defer in golang was done the way it was. Lua’s way makes way more sense.

                                                                                    1. 1

                                                                                      ah I understand! Thanks for the clarification

                                                                              3. 2

                                                                                The feature is useful in case f:read() raises an error.

                                                                          2. 2

                                                                            Why change a winning concept? Would love to have more details on the garbage collector but dont have the time to research

                                                                          1. 11

                                                                            As the developer of a version control tool (Mercurial) and a (former) maintainer of a large build system (Firefox), I too have often asked myself how - not if - version control and build systems will merge - or at least become much more tightly integrated. And I also throw filesystems and distributed execution / CI into the mix for good measure because version control is a specialized filesystem and CI tends to evolve into a distributed build system. There’s a lot of inefficiency at scale due to the strong barriers we tend to erect between these components. I think there are compelling opportunities for novel advances in this space. How things will actually materialize, I’m not sure.

                                                                            1. 1

                                                                              I agree also , there is quite a bit of opportunity for innovation around this. I am thinking at a slightly different angle.

                                                                              There is an opportunity for creating a temporal aware file system, revision control, emulation environment, build system. All linked by same temporal time line. A snapshot, yes. but across all these things.

                                                                              take a look at https://sirix.io/

                                                                              Imagining a bit, but it could server as a ‘file system’ for the emulation environment. It could also enhance version control system, where the versioning/snapshotting happens at sirix.io level

                                                                              While I am not working with 100s developers these days, I am noticing that environment/build control is much easier in our Android development world – because we control a) emulator b) build environment

                                                                              So it is very reproducible: same OS image, same emulator (KVM or Hyper-V), same build through gradle (we also do not allow wildcard for package versions, only exact versions).

                                                                              Working on backend with, say C++ (or other lang that rely on OS provided includes/libs) – very different story, very difficult to replicate without introducing an ‘emulator’ (where we can control a standardized OS image for build/test cycle).

                                                                            1. 20

                                                                              I feel like I keep seeing articles recently about managing Docker in various ways and avoiding its pitfalls. Might I be so bold as to suggest ditching it and instead using Guix?

                                                                              Not only do you get reproducible builds, but with it you can build a Docker image, create a self-contained installation tarball, and run a container by itself (bypassing Docker entirely!)

                                                                              Now, I’ve not really used either in anger (for real systems), but from what I’ve read I have the feeling Docker should be invoked by other tools rather than people, as one of many build targets.

                                                                              1. 2

                                                                                It seem like with guix pack command one can create a relocatable-tar, a docker image, or a SquashFS installation. Which one would you recommend?

                                                                                Also my understanding was that Docker (like FreeBSD jails) allow services within container to bind to specific ports (or to one port and then masqueraded via iptables) … how does quick packaged format would do that?

                                                                                1. 1

                                                                                  It really just depends on how you’re deploying it. The plain tarball itself would be suitable for just dumping and running, and the others seem to be for manually loading in to Docker and Singularity respectively, should you be using them in that way.

                                                                                  As with port binding, I can’t really comment as I’ve only really played with localhost:8000, but guix pack is more about creating filesystem images rather than standalone (runnable) images.

                                                                                2. 2

                                                                                  While Guix is indeed impressive, it doesn’t seem used a lot or having many packages. It will still take a lot of time to get acceleration. In the meantime, docker is already here and handles the same (ok, similar) use case cross platform/devstack.

                                                                                  1. 1

                                                                                    Well, I see your point, but Guix is an entire operating system and package manager with its own goals; Docker interop is just a bonus. I’d personally just like to see fewer “How to run Docker without getting pwned” articles.

                                                                                    If you’re concerned about the number of packages, you can always add anything you’re missing. It’s easy!

                                                                                    1. 1

                                                                                      I am not concerned. I do bunch of packages atm for Chocolatey and I thought that supporting GNU is more along the lines of planet I want to live in, along with getting to know Scheme. So missing packages is no show stopper if I can automate the shit out of it.

                                                                                      I’d personally just like to see fewer “How to run Docker without getting pwned” articles.

                                                                                      Isn’t this mostly history nowdays ? Any recent links ?

                                                                                      1. 1

                                                                                        OK, I was being a little dramatic, there’s just this one recently. But every day it feels like there’s some kind of “how not to use Docker” on the front page.

                                                                                  2. 1

                                                                                    If I understand correctly guix only work with packaged python installation as such that don’t work fot most of pypi librairies.

                                                                                    1. 3

                                                                                      I don’t use Python or PyPI, but it has importers for many external package sources including PyPI, so you should be able to manage your entire dependency tree from Guix.

                                                                                      1. 1

                                                                                        Unless i mistake, it is a tool for helping build a package for guix, nothing solving the problem: i want to use pypi package that is not in guix now let’s go, which is what do docker file of OP

                                                                                        1. 3

                                                                                          That’s right, you import a package from PyPI and create a Guix package from it. Then you can forget about PyPI entirely because it’s available as a globally-installed system package, like with yum or apt. You don’t need requirements.txt at this point either.

                                                                                          1. 2

                                                                                            Is there a write up or something somewhere showing how to do this?
                                                                                            We use python @ $JOB a lot, and it would be nice to get out from under pypi and everything.

                                                                                            1. 1

                                                                                              Not that I know of, sadly. But the manual is very well-written!

                                                                                  1. 1

                                                                                    I wonder if it possible to create an idempotent ansible playbook (or using other tools) that can do upgrade of prod, after it has been tested outside of prod (or if somebody has created something like that for general use)

                                                                                    For example, we use Pyrseas [1] to do schema management, and that tool allows for Idempotent schema upgrade (meaning that it creates a difference between your full schema definition, and target, and then you to apply just the difference to target, automatically (which is what we do from an ansible playbook).

                                                                                    An ansible playbook for an idempotent PG binary upgrade, would have to involve:

                                                                                    a) detection on the target system,

                                                                                    b) what version of binaries to install,

                                                                                    c) un-installing previous binary (or changing alternatives such that previous bins are still available but not ‘active’) , and installing new binaries

                                                                                    d) then a merge of PG config files (assuming that the new version has new configs),

                                                                                    e) making a master copy, and testing that master copy was made correctly !

                                                                                    f) applying any changes to master, that might be needed (some time old capabilities that procs rely on, are deprecated), smoke test, and then, if successful, enabling master copy to be prod

                                                                                    [1] https://pypi.org/project/Pyrseas/

                                                                                    1. 1

                                                                                      Thanks for your feedback. As I replied before I’ve shared the process that I usually use in my local machine when I upgrade the Ubuntu version to a new version. It’s not intended for production system but only for development environment.

                                                                                    1. 2

                                                                                      there was a video with a presentation, posted a few months after the paper https://youtu.be/K3U5v9lplLQ

                                                                                      Also a curated list of libraries implementing HE (but not Alchemy language specifically), is here: https://github.com/jonaschn/awesome-he

                                                                                      A useful explanation for me, was, for example: implementing auction/betting use case. to figure out winning bet, nobody actually needs to know the sum offered, instead, we just need to know if one offer larger than the others.

                                                                                      Homomorphic encryption enables this type of algebraic comparisons without revealing the actual figures.

                                                                                      1. 1

                                                                                        Thanks for the list!

                                                                                      1. 1

                                                                                        for others, who like me were not familiar with the tool, I found this brief intro useful:

                                                                                        “… You can think of Peergos as a cross between Dropbox, email, Facebook, YouTube and Twitter, but fully end-to-end encrypted and decentralised to keep your data and social graph private. … “

                                                                                        http://book.peergos.org/

                                                                                        My questions for @ianopolous would be

                                                                                        a) can I use the technology without singing up for anybodys’s central service

                                                                                        b) can I host some content (eg my resume) on my mobile phone (android), and what would happen when phone is off (eg, is there caching?) , if not there yet – is that planned?

                                                                                        c)how can my resume (as example noted in b) can be discovered/searched by others

                                                                                        d) can it be deleted? forever?

                                                                                        e) I did not know fully understand appreciate the social network aspect – is that like mastodon or something else?

                                                                                        thank you for sharing

                                                                                        1. 1

                                                                                          Hi vladislavp,

                                                                                          Thanks for your questions. Yes you can self host Peergos and then your instance will be responsible for storing all your data. When you sign up you communicate with a global pki to claim your username. We chose the UX tradeoff there because that’s what people are used to.

                                                                                          Currently there isn’t any guaranteed caching (though if someone else views your file, ipfs should cache it on their instance temporarily. Longer term we hope to let you mirror your stuff on your friend’s nodes.

                                                                                          Only people who you grant access (read or write) to a file can see it. You can also create a public link to a file which anyone can use to view it, without needing to install or sign up to anything, e.g.: https://demo.peergos.net/#6MDZhRRPT4ugkJuUfcPPhf1US9u7FvRALmj42mJ6e3yDibnLtqfhchE6Frm6Lf/6MDZhRRPT4ugkJuUfcZdxu6JLKyrLBE36Kasxb4jix7An4dbeiekpDF6h2fDBM/HUja6zmXVs24zcRf15s1MWB7kfvyTCp2X9NF4EZqcw7/5Pf7SvCKyBYfP1vm5LfTSw8TMHtLWvJDLv1P4QtCXV8P2Zv8FwR

                                                                                          You can delete your files yes. That was a core requirement. It should behave like a global filesystem.

                                                                                          At the moment the social side is quite primitive, you can share files and folders (read only, or writable) with other peergos users who follow you (and revoke said access, which means rotating keys and re-encrypting). We plan to add many-to-many messaging ala Signal, and later a more traditional social feed as well. The whole thing is independent of DNS or the TLS certificate authorities (unless you choose to use a public web interface) so there’s no need to get a domain name and manage all that complexity if you want to run your own instance. (You can access your instance from elsewhere still without DNS or TLD using ipfs’s p2p streams which are E2E encrypted independently).

                                                                                          1. 3

                                                                                            Absolutely! reStructuredText, MediaWiki, and org-mode are also possibilities. Since pandoc can convert between various lightweight markup, the input source document format is not of huge importance. I’ve found it handy to pass along Markdown documents to people because Markdown is a little less imposing for the uninitiated than AsciiDoc or reStructuredText.

                                                                                            1. 1

                                                                                              incidentally, there was just a new entry posted on front page

                                                                                              https://lobste.rs/s/y1yn8m/from_python_numpy

                                                                                              This book looks good, really good, on the web.

                                                                                              It is written in reStructuredText (although I do not know how exactly math formulas are done) But the source code for the book and commands to generate html from it are also available (so good to learn from) https://www.labri.fr/perso/nrougier/from-python-to-numpy/#about-this-book

                                                                                              1. 1

                                                                                                Ive used Markdown for many years and I really think AsciiDoc is better, even for beginners. Markdown, if you look hard at it, I think isnt really good for anything save the most basic of READMEs or comment formatting. With any sort of proper typesetting Markdown fails horribly. AsciiDoc is not a perfect solution but its certainly closer.

                                                                                                1. 1

                                                                                                  To be clear, I use Pandoc-flavoured Markdown, which offers a lot more functionality than what’s specified at https://daringfireball.net/projects/markdown/. I agree that AsciiDoc is superior in many ways to Markdown.

                                                                                                  Do you have some examples where Pandoc’s Markdown cannot be typeset as nicely as AsciiDoc?

                                                                                                  1. 2

                                                                                                    I cant speak to Pandoc. I avoid it as GitHub doesnt use Pandoc, and I prefer a portable solution. GitHub uses CommonMark and AsciiDoc among others. CommonMark is crippled as I think you would agree.