1. 4

    An important cautionary note from the article:

    Two-factor authentication tokens (like FIDO U2F hardware devices) primary goal is to fight phishing attacks. Our attack requires physical access to the Google Titan Security Key, expensive equipment, custom software, and technical skills.

    1. 5

      tldr; we screwed up security the last few times, but we think we got it right this time.

      1. 5

        A bit more privacy than security, because, yes, privacy is a spectrum and folks are continuously trying to improve 🙂

        1. 3

          I do think it makes more sense than ESNI, which was just a patch. Encrypting the entire hello in retrospect simply covers everything.

        1. 2

          The sed exits after a thousand lines and closes the pipe that generate is writing to, generate gets SIGPIPE and by default dies, and suddenly its exit status is non-zero, which means that with pipefail the entire pipeline ‘fails’

          Could this be better handled by generate? That is, if generate handled SIGPIPE and didn’t error, the whole pipeline would work as expected.

          By example, trapping SIGPIPE and exiting in Python seems to work:

          $ ./generate | head -n 3
          1
          2
          3
          $ echo $?
          0
          

          Whereas without the signal handler it errors:

          $ ./generate | head -n 3
          1
          2
          3
          Traceback (most recent call last):
            File "./generate", line 21, in <module>
              raise e
          IOError: [Errno 32] Broken pipe
          $ echo $?
          1
          
          1. 2

            Could this be better handled by generate? That is, if generate handled SIGPIPE and didn’t error, the whole pipeline would work as expected.

            Yes generally if your command is supposed to be able to be used with head or grep or whatever, you ought to exit 0 on SIGPIPE, to avoid exactly this issue. If that doesn’t occur, it’s almost certainly a bug and should be filed and fixed.

            1. 1

              Sure, but ./generate might not be under your control. You might be able to wrap it, of course.

            1. 40

              Boring prediction: TypeScript. By the end of 2021 TypeScript will broadly be seen as an essential tool for front-end teams that want to move faster without breaking stuff.

              The alternatives which launched around the same time (Reason, Elm, Flow, etc…) have all fallen by the wayside, and at this point TS is the clear winner. The investment is there, the ecosystem is there, the engineers (increasingly) are there. The broad consensus isn’t quite there in wider world of all Javascript engineers, but I think it’s coming.

              Eventually good engineers will leave teams that won’t switch to TypeScript, ultimately hobbling those companies. Their lunch will be eaten by the competitors who’re using TypeScript. But there’ll be money to made dealing with legacy messes of JS / Coffeescript, Backbone, jQuery etc, for the people who’re willing to do it. It’ll be a long-lived niche.

              Knock-on effects will include decreased use of Python in an application / API server role (I know there’s MyPy, but I think TypeScript is ahead) except where it’s coupled to data-sciency stuff. I think something similar will be seen with Go. I don’t know how big these effects will be.


              Unrelated prediction: Mongo will make a comeback. I’ve really disliked working with Mongo, but I was completely wrong about the price of Bitcoin this year so I assume Mongo’s comeback is inevitable.

              1. 9

                Eventually good engineers will leave teams that won’t switch to TypeScript, ultimately hobbling those companies. Their lunch will be eaten by the competitors who’re using TypeScript. But there’ll be money to made dealing with legacy messes of JS / Coffeescript, Backbone, jQuery etc, for the people who’re willing to do it. It’ll be a long-lived niche.

                This is quite the prediction. I think I can see it happening. Working with a large, untyped JS codebase is a nightmare and can eat through morale quickly.

                1. 9

                  I work in a place with a lot of Node JS, but it’s not my day to day. I quickly went from enjoying javascript to hating it. Recently I have been enjoying doing some small stuff on my own again. I think I’ve decided that hell is other people’s javascript.

                  1. 5

                    I’ve decided that most new JS code I write actually should be TypeScript these days. The tooling around the language is too nice.

                    1. 4

                      As a hobby I write Ableton plugins in Max MSP. It has JS support, but only ES5, that’s from 2009, and gross. Turns out the best modern transpiler to target that is TS! I was so happy when I found out.

                      1. 2

                        I should probably give TypeScript a go. I was pretty annoyed with JS for a while so I didn’t want to spend my spare time learning TypeScript. Unfortunately, the bits of Javascript that I tend to touch are largely agreed to be the worst in the org and there isn’t a lot of energy to move them over to TypeScript. C’est la vie.

                    2. 1

                      yep. I’m in the midst of a large feature-add to an angular 1.5.5 site. I’m a bit envious of other teams working with new angular and Typescript.

                      I think vosper is right - there’s going to be plenty of work available to those who are willing to maintain older frontend tech.

                    3. 7

                      Eventually good engineers will leave teams that won’t switch to TypeScript

                      Any engineer who will leave purely because the company doesn’t switch to $my_favourite_tech_choice is, by definition, not a good engineer. We’re supposed to professionals for crying out loud, not children insisting on our favourite flavour of ice cream.

                      1. 14

                        I’d argue switching companies in order to use better tech is what a professional engineer does. Strong type systems are equivalent to constraints in CAD for mechanical engineering or ECAD for electrical engineering. They are absolutely crucial for proper engineering.

                        A mechanical engineer that wants to use something like Solidworks or Onshape at a company using TinkerCAD would not be looked down upon. Engineers need to use the right tools to actually engineer things.

                        So yes, switching companies to use and practice with proper tooling is a damn good engineer.

                        1. 3

                          I interviewed a bunch of professional engineers a couple years back. Most of them were stuck on using Excel spreadsheets. One was yelled at by his boss for using python scripts.

                          1. 1

                            I mean, Excel is a battle-tested functional programming environment which has intermediate states easily visualized and debugged! It has its faults, but I’d imagine it was being used for something like BOM inventory management? In that case it is definitely the right tool compared to Python.

                            In any case, yes there are many engineering jobs like that in other engineering fields, but there are also many software engineering jobs which deal exclusively with k8s yaml files, which I’d argue is similar but worse.

                            1. 2

                              In that specific interview it was for finite element analysis.

                          2. 2

                            They [Strong type systems] are absolutely crucial for proper engineering.

                            Says you. The rigor and engineering approaches “crucial” to systems depends HEAVILY on the domain, but I’m not sure I can identify ANY domain that “requires” strong typing (which is how I interpret “crucial”). Plenty of critical software has been and is being built outside of strong type guarantees. I’m not prepared to dismiss them all as bad or improper engineering. There may be a weak correlation, or just plain orthogonal - hard to say, but your staked position seems to leave no room for nuance.

                            I think your analogy muddles the conversation, as most software engineers are not familiar enough with those fields to be able to evaluate and understand the comparison beyond taking your statement as true (maybe it is, maybe it isn’t).

                            Defining “a good engineer” and “proper engineering” seems heavily rooted in opinion and personal experience here. That’s not to say it’s fundamentally un-study-able or anything, but I’m not sure how to make any headway in a conversation like this as it stands.

                            1. 1

                              Says you. The rigor and engineering approaches “crucial” to systems depends HEAVILY on the domain, but I’m not sure I can identify ANY domain that “requires” strong typing (which is how I interpret “crucial”). Plenty of critical software has been and is being built outside of strong type guarantees. I’m not prepared to dismiss them all as bad or improper engineering. There may be a weak correlation, or just plain orthogonal - hard to say, but your staked position seems to leave no room for nuance.

                              Sure, no domain “requires” strong typing. No domain “requires” a language above raw assembly either. We use higher level languages because it makes it significantly easier to write correct software, compared to assembly. A strong type system is a significant step above that, making it much easier to write correct software compared to languages without it.

                              Having worked at companies using languages such as Python, Javascript and Ruby for their backends, and having worked at companies that have used C++, Java, and Rust for their backends (even given the faults and issues with Java and C++‘s type systems) the difference between the two types of companies is night and day. Drastic differences in quality, speed of development, and the types of bugs that occur. Strong type systems, especially the ones derived from ML languages, make a massive difference in software quality. And sure, few domains really “need” good software, but shouldn’t we strive for it anyway?

                              I think your analogy muddles the conversation, as most software engineers are not familiar enough with those fields to be able to evaluate and understand the comparison beyond taking your statement as true (maybe it is, maybe it isn’t).

                              I mean, if we can’t pull lessons from other engineering fields what is the point of calling it software engineering? I don’t really know how to respond to this point, because clearly we have different opinions on this topic, each derived from our past experiences. My point is no less strong because you or others are unfamiliar with a domain.

                              I encourage you to try out various CAD tools, TinkerCAD and Onshape are both free to use and online available, so there isn’t even a need to download software. I think you will very quickly see the difference between the two, TinkerCAD you will master in a few minutes, and Onshape will likely be unapproachable without tutorials. But if you look at the examples, Onshape is used to produce production, intricately designed mechanical parts. And simply without the tools and constraints that Onshape provides you can’t do proper mechanical engineering.

                              And I really want to highlight that I don’t mean to say that TinkerCAD is bad, or worse in any way. It is incredible for what it is and for opening the door to the world of mechanical design to those who aren’t familiar with it. It is simply not an engineering tool, while Onshape is.

                              My analogy really stems from how each tool is used. TinkerCAD you just build the thing you want, using the shapes and manipulation tools it provides. Onshape is different, everything has to be specified. You have to set lengths of everything. You have to specify what the angles of things are. Certain things are really hard to do, especially organic shapes, because everything has to parameterized. I hope you’ll agree this is nearly identical to programming languages with and without strong type systems!

                              Defining “a good engineer” and “proper engineering” seems heavily rooted in opinion and personal experience here. That’s not to say it’s fundamentally un-study-able or anything, but I’m not sure how to make any headway in a conversation like this as it stands.

                              Of course it is rooted in opinion, at least in the US. I believe some other countries have licensed engineering which makes it more of a distinction. Personally I think it is extremely unfortunate that engineering is not a protected term, because I genuinely really think it should be. The state of software engineering feels very similar to the situation of doctors before modern medicine, where the majority were hacks and frauds besmirching the industry as a whole.

                              1. 2

                                I mean, if we can’t pull lessons from other engineering fields what is the point of calling it software engineering? I don’t really know how to respond to this point, because clearly we have different opinions on this topic, each derived from our past experiences. My point is no less strong because you or others are unfamiliar with a domain.

                                That’s the thing: we shouldn’t be pulling lessons until we learn what those lessons are. I had very strong opinions about what software engineering was supposed to look like, then I started interviewing other engineers. Most of what we think “engineering” looks like is really just an ultra-idealized version that doesn’t match the reality. In some ways they are better, true, but in some ways they are much worse.

                                EDIT: I just checked and it looks like you used to be a professional electrical engineer? If so then my point about “most people talk about engineering don’t understand engineering” doesn’t apply here.

                                Of course it is rooted in opinion, at least in the US. I believe some other countries have licensed engineering which makes it more of a distinction. Personally I think it is extremely unfortunate that engineering is not a protected term, because I genuinely really think it should be. The state of software engineering feels very similar to the situation of doctors before modern medicine, where the majority were hacks and frauds besmirching the industry as a whole.

                                Several of the people I interviewed called out the US system as being much better than the European, a sort of “grass is always greener thing”. The only country I know of with ultra-strict requirements on who can be called an engineer is “Canada”. In pretty much all other countries, you can call yourself whatever you want, but only a licensed engineer can sign off on an engineering project. This means that most professional engineers don’t need to be licensed, and many aren’t.

                                1. 1

                                  Do you have a write-up of your interviews anywhere? I would be really interested in reading it! You are right I used to be an electrical engineer, and still tinker on the side, but went into software simply because the jobs in electrical engineering are not very interesting. I think there is a lot that software does better than other engineering fields (although I wonder if that is simply due to how new the field is, and that it will inevitably end up with the more bureaucratic rules eventually), but the extreme resistance to strong typing by so many software engineers feels extremely misguided in my opinion and not something you see in other engineering fields.

                                  Canada was the primary place I was thinking of, but I’m not particularly familiar with the details of it all. I know the US has some licensing requirements for civil engineering projects (and most of those requirements are written in blood unfortunately). It is almost certainly a “grass is greener,” and I should certainly educate myself on some of the downsides of other countries systems. If you have any resources here I’d appreciate it.

                                  1. 2

                                    Working on it! I’m in the middle of draft 3, which will hopefully be the final draft. Aiming to have this done by end of February.

                                2. 1

                                  if we can’t pull lessons from other engineering fields what is the point of calling it software engineering? […] My point is no less strong because you or others are unfamiliar with a domain.

                                  Fair. Your expanded explanation here helped clarify a lot, I appreciate that. One point of interest in your explanation was

                                  Certain things are really hard to do, especially organic shapes, because everything has to parameterized

                                  Doesn’t this seem an admission of there existing domains where - according to analogy - strong type systems might be less suitable? Or would you consider this a breakdown in the analogy?

                                  As far as the meaning of “engineer” I take that as a very different conversation. I do think that’s murky territory and personally would be in favor of that being a more-regulated term.

                                  I’ve been doing software development myself for 20 years, and have worked in both strong typed and duck typed. I think they’re both good - there’s trade offs. Rather than wholesale dismissing either, I think discussing those trade offs is more interesting.

                                  Drastic differences in quality, speed of development, and the types of bugs that occur

                                  I agree with this statement. I don’t think it implies a clear winner for all development though. While a strong type system guarantees a certain kind of error is not possible, in my practice those kinds of errors are rarely a significant factor, and in fact the “looseness” is a feature that can be leveraged at times. I don’t think that’s always the right trade off to make either, but sometimes creating imperfect organic shapes is ok.

                                  I would also offer that there can be approaches that give us “both ways” - ruby now has the beginnings of an optional type system.

                                  I’m tapped out for this thread.

                                  1. 2

                                    Fair. Your expanded explanation here helped clarify a lot, I appreciate that.

                                    Yes, sorry about not expanding in my original comment. As you can probably tell, I’m extremely passionate about this idea, and my original comment was made in a bit of haste. I’m glad my expansion was helpful in clarifying my points!

                                    Doesn’t this seem an admission of there existing domains where - according to analogy - strong type systems might be less suitable? Or would you consider this a breakdown in the analogy?

                                    I completely agree there are domains where strong type systems are less suitable. Especially the more exploratory areas, such as data exploration and data science (although Julia is showing that types can be valuable there as well). I think my distinction is that there is a difference between domains where strong types are not as suitable, like prototyping, and production engineering systems where I think strong types are extremely important.

                                    As far as the meaning of “engineer” I take that as a very different conversation. I do think that’s murky territory and personally would be in favor of that being a more-regulated term.

                                    I’ve been doing software development myself for 20 years, and have worked in both strong typed and duck typed. I think they’re both good - there’s trade offs. Rather than wholesale dismissing either, I think discussing those trade offs is more interesting.

                                    It is truly a murky term, which I think leads to a lot of the communication issues in this area of discussion. I should probably start future conversations like this with a clear definition of what I mean in terms of “engineering,” because I mean it more in terms of production engineering, rather than prototyping engineering. (Unfortunately not a distinction in software, but is in all of the other engineering fields. Prototyping engineering values malleable materials, like 3D printing, while production engineering is what is shipped to users and its very particular about materials used which minimize cost and maximize strength. Different fields, different requirements, and oftentimes different tools used to even CAD/design).

                                    So using the production engineering vs prototyping engineering distinction, I would completely agree that there are trade-offs between strong typed and duck typed languages. I think one is fantastic for prototyping, while the other is fantastic for production. And similar to say 3D printing and injection-modling processes, the two can bleed into each other’s fields given the right opportunity. I should not have used “proper engineering” in my original comment, and I should have clarified I meant “production engineering.”

                                    However, the number of companies that I’ve been at that have actually treated the two types of languages as different parts of the development life-cycle is exactly one, my current company, and that was after fighting to use Python for a prototype project. (Of course, when the prototype was successful, there was then reluctance to rewrite it in a strongly typed language because “its already built!”)

                                    Similar to how you would feel frustrated if the new computer you bought had all of its internals built with 3D printed parts and breadboards, even if it worked identically to a computer with injection molded parts and PCBs, that is how I feel about using duck typed languages in production systems used by real users. Sure it works, but they are inherently less reliable and I think its poor engineering to ship a system like that (although, of course, there are situations where it is applicable, but not to the extent of the software world today).

                                    I agree with this statement. I don’t think it implies a clear winner for all development though. While a strong type system guarantees a certain kind of error is not possible, in my practice those kinds of errors are rarely a significant factor, and in fact the “looseness” is a feature that can be leveraged at times. I don’t think that’s always the right trade off to make either, but sometimes creating imperfect organic shapes is ok.

                                    I would also offer that there can be approaches that give us “both ways” - ruby now has the beginnings of an optional type system.

                                    Fair enough, although my experience with errors in duck typed languages is certainly different! The jury is still out on the optional type systems, and I’m certainly curious how that effects things. I have a hard time believing they will make a significant difference, simply because the style of coding varies so drastically between the two. With strong types I design type-first, whereas with optional/incremental type systems its the other way (unless started from the get-go, but at that point what is the purpose of using a duck-typed language?).

                                    I’m tapped out for this thread.

                                    I completely agree here. This is an exhausting topic to talk about, probably because everyone has strong opinions on it and so many of the arguments are based on anecdotal data (of which I am definitely guilty sometimes!). In any case, I appreciate you taking the time to go back and forth with me here for a bit. I’ve certainly learned that in order to properly discuss this topic its important to be very careful with language and definitions, otherwise its just a mess. I guess the English language could use some strong typing, but then poetry would suck huh? :)

                            2. 4

                              Start caring about that when everything else about the company makes you happy. Your happiness is more important than being a “good engineer”.

                              TS has evolved from a flavor to simply being a better version. The switch to TS is so easy there’s no reason not to. There’s a difference between a challenge and intentionally handicapping yourself.

                              1. 5

                                I was under the impression that my job is to solve problems for customers, not to “be happy”. And of all the things that make me happy or unhappy at the workplace, something like this is pretty far down the list; using JavaScript is hardly some sort of insufferable burden.

                                TypeScript may very well be better; but the last time I used it I found it came with some downsides too, such as the code in your browser not being the same as what you’re writing so the REPL/debugger is a lot less useful, hard to inspect Typescript-specific attributes (such as types) since the browser has no knowledge of any of that, a vastly more complicated build pipeline, and I found working with it somewhat cumbersome with all the type casting you need to do for the DOM API (i.e. this kind of stuff). And while the wind has been blowing in the statically typed languages in the last few years, let’s not pretend like the good ol’ “dynamic vs. static languages” debate is a done and solved deal. I like typing, but dynamic languages do come with advantages too (and TypeScript’s typing may be optional, but if you’re not using it much then there’s little reason to use it at all).

                                Perhaps there are some solutions to these kind of issues now (or will be soon), but about a year and a half ago I found it all pretty convoluted and decided to just stick with JS for the time being.

                                In the end, I understand why it exists and why it’s popular, but like much of today’s frontend I find it hacky, cludgy, and a very suboptimal solution.

                                1. 5

                                  You’re more than your job, you are a human being first. As engineers we have the huge privilege of being able to quit a job and find a new one easily. Happiness is a completely valid reason to do this.

                                  JS vs TS is a minor point, too small compared to other unknowns in switching companies. But OP said “leave teams”. I actually did just that, we have multiple teams at my company and one started using TS, so I switched. A year later the JS team now solely does bug fixes and no-one is willing to write new JS code. At first management thought it was like when Coffeescript happened but dev response was so much bigger that even they understand it is different this time.

                                  1. 4

                                    You’re more than your job, you are a human being first. As engineers we have the huge privilege of being able to quit a job and find a new one easily. Happiness is a completely valid reason to do this.

                                    Sure, but if you’re made deeply unhappy because you have to write JavaScript instead of TypeScript then you are either in a position of extreme luxury if that’s a problem that even rates in your life, or there seem to be some rather curious priorities going on. I think all of this is classic programming self-indulgent navel-gazing.

                                    Is TypeScript a better tool? Probably. Would it be a good idea to start a reasonable percentage of new projects in TypeScript? Also probably (depending on various factors). Should we drop all JavaScript projects ASAP just so that we rewrite everything to TypeScript? Ehh, probably not.

                                    I don’t have any predictions for 2021, but I’ll have one for 2026: we’ll be having the same discussion about WhatNotScript replacing boring old TypeScript and we should all switch to that. And thus the cycle continues.

                                    1. 2

                                      “no-one is willing to write new JS code.”

                                      until something goes very wrong. Not taking a side here, just “no-one is willing” struck me as an odd statement. Who has the unhappy chore of taking care of all that old boring JS?

                                      1. 2

                                        We still do bug fixes. But even then it’s often an opportunity to write TS. The nature of TS makes it so that you gradually port your application. Lots of JS is valid TS and if it isn’t then that’s usually easy to split up or refactor to become valid TS, and TS will help with that refactoring even. JS IDEs provide hints by pretending it’s TS anyways.

                                    2. 4

                                      We’re supposed to professionals for crying out loud, not children insisting on our favourite flavour of ice cream.

                                      I was under the impression that my job is to solve problems for customers, not to “be happy”.

                                      This is a red herring. You are an economic agent making decisions about your employment to maximize your own utility function, and trying to get what you can out of the market. Some try simply to maximize earnings. Some maximize some combo of earnings and hours worked/stress. Others care about finding meaning in their work. And others care about working with specific technologies, or at least not working with ones they hate.

                                      All of these things are orthogonal to the concept of “being a professional.”

                                  2. 2

                                    I generally strongly agree with your sentiment, and am not a fan of the degree to which developers place their identity in one particular technology over another.

                                    But in this specific case I imagine OP is associating untyped JS projects with tech debt and difficulty of maintenance that all too often can contribute to low morale. I’ve definitely been there before when it comes to large codebases with foundational technical debt and no type system to help one find their way around. There’s something uniquely frustrating about e.g. a poorly formatted stack trace coming back from a bug monitoring tool due to broken or buggily-implemented sourcemaps. We can definitely debate whether language choice vs other factors (bad processes, low technical budget) contribute more to system quality. My guess is that language is not one of the largest factors, but it’s probably nonetheless significant. Otherwise we wouldn’t hear about stories where people left their jobs due to being sick of the shop tooling.

                                  3. 4

                                    Agreed. Although TypeScript is a bit OO for my taste, JavaScript libraries have grown sufficiently complex as to warrant strong typing. The adoption rate is undeniable. Vue, Deno, Babylon… When your stack is written in TypeScript, the cost/benefit scale tips in favor of adopting it downstream.

                                    Also, Cosmos is heating up, so you could make a case for Mongo’s revival by extension.

                                    1. 6

                                      At Notion we have some OO-as-state-encapsulation Typescript on the front end, but we have even more functional Typescript, and plenty of code somewhere in-between. We use the advanced Typescript types like as const inference, mapped types, and conditional types much more than we use inheritance or implements interface.

                                      Honestly writing a large from-scratch codebase in Typescript focused on type correctness and make-invalid-states-unrepresentable has been very fun and productive. Our biggest issue with the language is error handling - dealing with all the errors from external libraries, the DOM, exceptions vs Result<S, F>, etc is the most annoying and error-prone aspect of our codebase. Shoehorning optionals into our style has left me paining for Rust’s try features… and I’ve never really written rust either…

                                      1. 6

                                        Some stuff we’ve done:

                                        • write third-party types that basically force you to pass values through validators by saying “this actually returns an opaque InvalidatedResult style thing”
                                        • remove functions we deem “bad” from the type signatures
                                        • codegen definition files
                                        • heavy usage of stuff like never

                                        I think it’s actually pretty easy to wrap third-party libs for the most part, and it’s basically the “real way” to do most of this. Too many people hem at this idea but it resolves a lot of stuff come “oh no this lib is actually totally busted” o’clock.

                                        1. 1

                                          That sounds amazing! Have you or Notion written any articles describing this setup in more detail? Are there any by others you recommend?

                                          1. 1

                                            Unfortunately when I go looking for Typescript advice on the internet, I find mostly shallow blogspam tutorials. I have an idea to take notes whenever I use an advanced TS feature and write an article called “Applying Advanced Typescript Types” — but that’s remained just an idea for a couple of years.

                                            1. 1

                                              I’ll keep an eye out for your article in the lobste.rs feed 😉.

                                        2. 2

                                          Although TypeScript is a bit OO for my taste

                                          My limited experience with TypeScript is that it’s only as OO as it would be if you were writing plain JavaScript. Not sure if that makes sense - another way of saying it would be: JS has adopted some OO trappings, like class, but if you aren’t using them in your JS then TypeScript isn’t going to push you in that direction - you can write functional TS to the extent that you could write functional JS; and OO TS to the extent that you could write OO JS.

                                          Unless you’re refering more to the naming of new keywords, like interface? I see how those could be associated with popular OO languages, but really there’s nothing making you write actual OO code.

                                          1. 3

                                            My limited experience with TypeScript is that it’s only as OO as it would be if you were writing plain JavaScript.

                                            Anecdotally, after working at a Java and C# shop that picked up TypeScript, everyone’s happy having things work more like those languages (well, mostly C# ;) than like JS. I just wish TypeScript would get typed exceptions already.

                                            1. 2

                                              Yes, it is possible to write non-OO TypeScript. And yes, I’m pointing out its emphasis on interfaces and other OO features like class property modifiers.

                                              I realize that the choice to make TypeScript a superset of JavaScript means that its roots in Scheme are still present. I also realize that typing a Scheme-ish language makes it (if one squints hard enough) an ML-ish language. Nevertheless, we should not be surprised if most TypeScript in the wild looks a lot more like C# and a lot less like fp-ts.

                                              1. 1

                                                Nevertheless, we should not be surprised if most TypeScript in the wild looks a lot more like C# and a lot less like fp-ts.

                                                Makes sense. Perhaps some of this is also due to TypeScript being palatable to people who are comfortable in languages like C# and Java; maybe they’d have stayed away from vanilla JS before (especially if they were exposed in the pre-ES6 days) but might be willing to write TypeScript today? That’s total speculation, though, and I’ve no idea how many people like that there are.

                                        1. 2

                                          This is quite interesting to me. After going through the process to relicense a project with a previous employer (who I definitely do not speak for) I wanted to write up some thoughts that would’ve started the exact same way:

                                          Many people don’t understand:

                                          • copyright law,
                                          • and GPL.

                                          What I’ve learned is that while we might have good basic intuitions about copyright law and the GPL, we (read: software devs) do not understand it. We can claim to, but a lot of it hinges on case law/prior art/and what lawyers will and will not go after (see also: how much money you have).

                                          1. 3

                                            Something I’ve noticed is that a lot of software people want the law to work like source code. They read the thing and try to imagine some kind of machine that will execute the legal code within it. They look for logical implications and contradictions and deductions they can arrive to by reading the license text.

                                            Of course, though, the law is interpreted by the whims of judges and sometimes juries, with its own peculiar culture that outsiders might not be familiar with. It’s more like how early web browsers did whatever they wanted with HTML than what ghc does with Haskell. :)

                                            Also, there’s often this certain uninformed “folklore” of how the law works (like those no “no copyright intended!” messages in fan-made YouTube music uploads) that is even worse.

                                            1. 1

                                              Also, there’s often this certain uninformed “folklore” of how the law works (like those no “no copyright intended!” messages in fan-made YouTube music uploads) that is even worse.

                                              Yeah, and this is one of the reasons I don’t quite enjoy discussions around the GPL :)

                                              A lot of what people think about the GPL is what they want the GPL to say but that it doesn’t quite say or intentionally talks around. My particular hobby horse: “what is a derivative work?” The GPL doesn’t define it. There’s some US case law that has decided particular things. There’s some examples in the FAQs but they’re not exhaustive. There’s endless discussions about what is/isn’t a derivative work on the internet. But nobody knows until they’re in a courtroom.

                                              While few people understand licenses, the GPL is one of the few license people don’t even read. It’s often just carted around and used because tradition.

                                              Edit: s/people even read/people don’t even read/

                                              1. 3

                                                While few people understand licenses, the GPL is one of the few license people even read. It’s often just carted around and used because tradition.

                                                It doesn’t help that it’s not a very well-written document (as well as needlessly long including quite a few bits that probably aren’t really needed).

                                                For example, let’s take this paragraph from the GPL 3:

                                                A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work.

                                                I had to read this several times and out loud to really understand what’s being meant here, which is “Object code whose source is not part of the GPL licensed code does not need to have their source made available”. I think so, anyway. It’s not hard to see how this could be phrased in a much clearer way. This isn’t even about “legalese language is hard”, it’s just bad writing IMO. I’ve managed to read things like SCOTUS decisions or EU laws without too much trouble, but I struggle with the GPL.

                                                For this reason alone, I think the EUPL is an infinitely better copyleft license.

                                                1. 2

                                                  It’s not hard to see how this could be phrased in a much clearer way. This isn’t even about “legalese language is hard”, it’s just bad writing IMO.

                                                  Oh! Another thing this reminds me about is how the GPL and its FAQs reference things like static and dynamic linking and object/machine code. While I respect that the license made sense at the time, these distinctions become harder to make with each passing day. A lot of things are bundled together in a way that makes them singularly executable (e.g. .app files on macOS, Docker images, concatenated scripts for interpreted languages) but aren’t static linking in the original sense—how does all of that come into play? Who knows.

                                                  1. 3

                                                    As mentioned elsewhere in this discussion: no one knows anything until in a court room. The GPL itself isn’t interested in linking and even the FAQs mention it mostly to make certain binary requiremnts more clear in cases they make sense (more for LGPL than GPL). The maim hinges are legal terms of art like “derivative” and what a judge would think is anyone’s guess.

                                          1. 1

                                            I have yet to read a useful post about licenses, given that I know basic info: MIT/BSD - good, GPL - bad =)

                                            1. 7

                                              GPL good. It’s our only legal defense against corporate open source, where huge companies take all the software and give back none of the freedom. Tech empires are being built on the backs of hobbyists giving their software away. The GPL prevents this: no taking without giving back. It levels the playing field.

                                              Weak licenses have enabled situations where we have all of this open source software and yet our phones and websites are tracking our every move and spying on everything we do.

                                              1. 5

                                                GPL good. It’s our only legal defense against corporate open source

                                                GPL is not the only copyleft license. Tabling the discussion about whether the concept of copyleft is good or bad, the GPL is a terrible implementation of it IMHO, starting with the poorly written text as I mentioned in my other comment, but I also don’t really care for the organisation/people behind it; in particular the shenanigans surrounding the GPL3 left me with a serious distrust and dislike over the GPL specifically (independent of the idea of copyleft). Torvalds explained this fairly well.

                                                So, perhaps somewhat pedantically, the GPL is not “out only legal defence”. Copyleft perhaps is, but GPL and copyleft are not synonyms.

                                                1. 3

                                                  What are other “good” copyleft licenses?

                                                  1. 4

                                                    @arp242 mentioned the EUPL in another comment, which I agree seems more relevant to modern software. It is also really neat in that it has official non-English versions and is written by an actual governing body.

                                                    The Open Software License (OSL) is also interesting in that it was written by a lawyer/member of a law firm and is quite readable. I personally like a license that I can read and expect others to read.

                                                    1. 2

                                                      A note on the EUPL. Copyright law that follows EU tradition includes a moral rights component that is entirely ignored by the GPL (both version 2 and 3) and does to my knowledge not even exist in US law. The EUPL addresses it and tries to waive it to the most extend possible. This might not be at all what you want. Even if you fully stand behind the copyleft concept, you might still want to retain moral rights. The EUPL has this clause probably because it is designed to be used for code written by EU institutions, but it does not really fit code written by natural persons.

                                                      The GPL has improved over time. While GPLv2 had only considered US law, the GPLv3 has been designed to be much more friendly to other jurisdictions. It does not recur to specific US concepts anymore and uses wording that is distinct from traditional US copyright wording for that very reason. It is quite a bit easier to fit the GPLv3 into European jurisdictions than the GPLv2. The notorious “derivative work” has been erased from the text and replaced with a clause that makes its GPLv3 equivalent depending on what the active jurisdiction requires the copyright holder’s consent for. A nice and elegant solution from a jurist’s view.

                                                      1. 1

                                                        The biggest issue I have with the OSL is the “reasonable effort” clause:

                                                        If You distribute or communicate copies of the Original Work or a Derivative Work, You must make a reasonable effort under the circumstances to obtain the express assent of recipients to the terms of this License.

                                                        So what does that mean for apt-get install osl-project?

                                                      2. 3

                                                        I like the EUPL, but there are others as well. I didn’t do a full review/comparison of all licenses, but I wrote a little bit about it over here last year.

                                                1. 1

                                                  Cloudflare has a site to check if you’ve configured DoT/DoH correctly: Cloudflare ESNI Checker

                                                  1. 28

                                                    Before jumping on the “don’t be evil eh” bandwagon, here’s what reading the post and the next two emails in the thread would have clarified:

                                                    1. Any browser that meets a series of guidelines (like, not headless, supports JavaScript, not based on Node.js, …) is allowed
                                                    2. There is a header to check in advance, and they did, and WebKit still works (https://lists.webkit.org/pipermail/webkit-dev/2020-November/031606.html)
                                                    3. It looks like this might affect specifically OAuth flows

                                                    This change makes perfect sense to me. I always cringe when an app pops open an embedded browser and asks me to login with Google because:

                                                    1. I have to trust they did not fuck up certificate verification
                                                    2. There is no address bar to check where the hell I’m typing my password into
                                                    3. I am already logged in from my main browser why are you making this harder and less safe for me!

                                                    Disclosure: I work for Google on completely different stuff.

                                                    1. 8

                                                      Yeah, the next message (by thread): [webkit-dev] Starting January 4, 2021, Google will block all sign-ins to Google accounts from embedded browser frameworks:

                                                      Oh, I missed a very important point. There is a header we can use to 
                                                      test: Google-Accounts-Check-OAuth-Login:true. I will try to figure out 
                                                      how to hack up the libsoup backend to send that header with all 
                                                      requests and see what happens....
                                                      
                                                    1. 43

                                                      To echo my thoughts: I think this change is welcome. As I see it, there’s no downside to changing this default.

                                                      1. 55

                                                        I consider the imposition of a distributed cost across the entire git-using ecosystem a downside. This is not a one-sided tradeoff.

                                                        1. 26

                                                          I know I’ve personally hard coded the word “master” in at least a few scripts. Fixing those scripts won’t just be a matter of changing “master” to “main” either; I’ll have to add a bunch of logic to figure out what the default branch name is for a particular repo. It’s also not clear what to do with old repos; do I keep the name “master” for old repos and adapt the word “main” for new repos? Or do I rename the master branch to “main” for all my old repos and possibly break things?

                                                          I’m not really opposed to the change. I’m usually happy to change language to move society into a less casually racist/sexist/whatever direction. But this change will make things quite a bit more difficult, on a technical level, for millions of users, so I sure do hope the benefit is worth it. (Which, to be clear, it might. I’m in no position to judge. In my native language, our word for “master” doesn’t have history it apparently has in the US.)

                                                          1. 25

                                                            change language to move society into a less casually racist/sexist/whatever direction

                                                            I agree, getting rid of casually racist/sexist/asshole terms is a good thing. But, this whole situation implies that the word ‘master’ is inherently racist, which it is not. To illustrate, let’s make the exact same argument about the word ‘blanket.’ I’m Native American, many of my ancestors suffered and died to the disease smallpox, sometimes believe to be intentionally spread using infected blankets now known as ‘smallpox blankets’ 0. Now, intentionally spreading disease with the intent on decimating a population is extremely racist, bordering on genocide. Whether it actually happened or not is beside the point, it’s ingrained in popular culture (in the US) as something that probably did happen to some extent. Now, for some, the word ‘blanket’ can bring up “memories” of their ancestors suffering (or even their own ongoing suffering), but does that make the word ‘blanket’ racist?

                                                            our word for “master” doesn’t have history it apparently has in the US

                                                            It doesn’t here either. The word has many uses, most of which range from neutral to positive (master copy, masters of science, etc.). Referring to someone as a master in certain contexts, such as when a student of martial arts, is a sign of respect.

                                                            Frankly, I have enough garbage to deal with, adding another headache on top of it just to satisfy some ‘woke’ assholes doesn’t appeal to me. Censoring language is a bad mechanism for suppressing racism, and is IMO more detrimental to society than the problems it’s seeking to solve.

                                                            1. 12

                                                              “Master” is often paired with “slave” in CS and IT (busses, DB replicas, etc.), which is why it’s on the list of exclusionary terms. Git doesn’t use “slave” in relation to its master, but given the prevalence of “master/slave” wording, why continue using a term that makes some people uncomfortable?

                                                              1. 14

                                                                why continue using a term that makes some people uncomfortable?

                                                                Because the shift imposes a distributed cost on the entire git-using ecosystem. Examples: every forge site needs to build out this feature instead of others, everyone needs to check their scripts, etc. Imposing distributed costs needs to be done very carefully, because even a couple of hours × a lot of people = a lot of person-hours spent.

                                                                This is an expensive move to make. For it to be worth doing, the benefit of the change needs to be worth the effort spent and I have seen no serious attempt to quantify this.

                                                                1. 20

                                                                  Does it actually make people uncomfortable? That’s besides the point of my argument, which is that words have flexible meanings and are extremely context dependent. Censoring a word because when used in a specific context (in this case, specifically human slavery) it can have a negative meaning simultaneously erases innocuous uses of the word, and strengthens the negative connotations. By actively trying to suppress usage of a word, you make the word more powerful in it’s negative usage.

                                                                  But really, all you need to do is actually read the last paragraph to know why I disagree with this. Changing 15 years of convention for something like this is needless headache.

                                                                  1. 5

                                                                    If it makes people uncomfortable, we could probably confirm that over in music performance and production, where “master” (master recording, remastered) is a frequently-used term and racial diversity is slightly less of an issue. My mediocre research skills haven’t found anything either way yet. Maybe we should just ask some Black artists.

                                                                    1. 5

                                                                      No one is suppressing anything. You can still use whatever name you want for your branch. Don’t blame software developers for adapting to a more inclusive culture. Especially when you are not part of the people affected by it.

                                                                      1. 15

                                                                        Until you end up being publicly shamed by thousands of “inclusive” virtue-signalling bullies.

                                                                        1. 3

                                                                          If you wanna complain about Twitter bullies, do that. However, “this move from the git project is bad because other people may eventually be assholes” isn’t… the greatest argument I’ve heard.

                                                                          1. 1

                                                                            Shamed for what reason? I’ve seen many people arguing against initiatives like this one and no one cares. Someone even started a petition on change.org to not change it and no one cares.

                                                                            1. 14

                                                                              If this takes, I give it a couple of years at most until someone starts yelling about a project that did not switch or even worse - gasp - started with the master branch instead of main. How insensitive and unwelcoming!

                                                                              A venue enabled by buying into this virtue signalling crap and actually making it a thing.

                                                                              1. 1

                                                                                Right. So you went from a thousand people publicly shaming to someone yelling.

                                                                                1. 11

                                                                                  From what I’ve seen, one person yelling leads to a tweet, leads to the eventual Twitter mob.

                                                                                  1. 1

                                                                                    Sure, but for saying what? @mordae is saying that would happen because someone decided to use “master” instead of “main”. Which seems farfetched.

                                                                                  2. 4

                                                                                    I remember Stallman.

                                                                                    1. 2

                                                                                      I think that was a bit more complicated than just naming a git branch.

                                                                          2. 1

                                                                            Does it actually make people uncomfortable?

                                                                            Yes. Yes it does … there is no use of the word as it relates to version control that doesn’t derive from human slavery, specifically.

                                                                              1. 1

                                                                                Fine, edited for additional clarity, though all those meanings derive from the PIE meaning of “one who has greater power”.

                                                                      2. 8

                                                                        I’ll have to add a bunch of logic to figure out what the default branch name is for a particular repo.

                                                                        What is a default branch? When I create a new repo, Git gives me a default branch, sure, but the moment after that command completes there’s never been a guarantee that the master branch exists.

                                                                        I know I’ve personally hard coded the word “master” in at least a few scripts.

                                                                        Unfortunately this was never quite correct, technically. My personal workflow is to always remain in a detached HEAD state and to not have any sort of “main”/“default” branch locally, so these scripts don’t quite work for me. If they were only supposed to support your workflow, you can keep using the old config setting without issue.

                                                                        1. 9

                                                                          What is a default branch? When I create a new repo, Git gives me a default branch, sure, but the moment after that command completes there’s never been a guarantee that the master branch exists.

                                                                          Here’s a concrete example.

                                                                          At work, we use this build system called bitbake, together with the yocto project, to build an embedded Linux distribution. The idea is that you build recipes which describe where to fetch some source code (usually in the form of a git URL + a commit hash + an optional branch) and how to compile and install the source code, and bitbake handles the rest.

                                                                          I threw together a script to go through all of our recipes and figure out which recipes are outdated. To do this, it fetches the repo and checks if there are commits since the commit hash specified in the recipe. This is no problem if a branch is specified in the recipe, but what do I do if it isn’t? Instead of looking deep into the guts of bitbake and figuring out how exactly its logic for figuring out what the “default” branch is, I just defaulted to “master”.

                                                                          There are obviously ways to do it “correctly”, and hopefully tools like bitbake, which are actually seriously and actively developed as a kind of product, do it the right way. However, there are loads of scripts which do things the easy way instead of the 100% correct way; essentially scripts which automate the steps which the author would’ve gone through manually just to make life a bit easier. Most likely, the solution in the case of the aforementioned script is to just keep track of whether a branch is specified, and, if it’s not, just omit the branch argument. My point isn’t that fixing these scripts is hard, but that there are loads of these scripts which will have to be fixed.

                                                                          1. 4

                                                                            I’m not the OP, but I think it’s reasonable to have, for example, a script that deploys master to an environment and is SHA-agnostic.

                                                                          2. 1

                                                                            I’ll have to add a bunch of logic to figure out what the default branch name is for a particular repo

                                                                            I thought so too, but I got away with just using HEAD everywhere. It’s an alias for the actual main branch, whatever it’s called.

                                                                            1. 4

                                                                              HEAD is not an alias for a branch. If you do git checkout alt-branch, HEAD will point at the last commit of alt-branch. If you again do git checkout main-branch, HEAD will point at the last commit of main-branch. If you’re in the middle of an interactive rebase, HEAD will point at a commit that in general won’t be the last commit of any branch. You can do a git checkout commit_hash which will detach your HEAD from any branch and it will only point at this particular commit. Generally, HEAD points at the commit that you have checked out locally at the moment, the one that will be the parent of the next commit you make.

                                                                              1. 3

                                                                                Works well enough for remote HEAD.

                                                                                1. 1

                                                                                  Right, so in practice (found this with a quick search):

                                                                                  • If you clone a fresh repo in your script, HEAD should point to the default branch, until you switch branches. This might work for some scripts, depending on the situation.
                                                                                  • If you want to know which branch is the default, it looks like git symbolic-ref refs/remotes/origin/HEAD | sed 's@^refs/remotes/origin/@@' does the trick.
                                                                                  • If you want to know the default branch on a remote, you can do git remote show [your_remote] | grep "HEAD branch" | cut -d ":" -f 2.

                                                                                  These all feel like somewhat of a hack. With git changing this default, I wish there would also be some new built in commands. For example they could provide the default branch locally and on a remote directly, without needed to use sed or cut. Personally I’ve never written a script that needs to know the default branch name, but it sounds like some people have.

                                                                                  1. 4

                                                                                    I think that the entire issue rests with misunderstanding of git. In git, “default branch” is a matter of policy, not mechanism. It’s entirely up to the user. There is something like an “initial branch”, but that’s all. Git doesn’t mandate that a branch named so-and-so should have any special significance. So scripts trying to detect a “default branch” get it all wrong, because there is no such thing for all uses of git. Your organization may use git in one particular way where some branches have special significance and in this case, the policy of your organization should be hardcoded into your scripts. But those scripts won’t work for others. There are things like push and pull targets that may have some overlap with what people are looking for really.

                                                                                    1. 1

                                                                                      That makes sense, that’s a good description. I have never personally written a script that hard codes master, I just hear about other people doing it.

                                                                            2. 3

                                                                              OTOH I’ve seen developers notice they’ve been using hardcoded master where they should have been using HEAD, and fixed their code. master was always just a default, never a requirement, so code that assumed this particular name wasn’t robust.

                                                                              1. 0

                                                                                you can always use an alias in your shell

                                                                                1. 10

                                                                                  This is literally an instance of the “imposing a distributed cost” that I was talking about.

                                                                                  1. 2

                                                                                    Okay I understand and I am sorry I was not clear with my statement. I believe this is a direct cost of time and effort to mitigate, which in my humble opinion is an arbitrary and unnecessary syntax change to established code. However, I only meant to point out that a shell alias could be used to make it a less of a hinderance.

                                                                                    1. 2

                                                                                      I appreciate the apology, thank you.

                                                                            1. 2

                                                                              Having studied in St. Johns on Newfundland, I appreciate the list of vaguely rude places quoted at the end ;).

                                                                              It’s covered in the hiding, but an interesting example: Mannheim in Germany has a grid inner city, which is addressed by coordinates and numbered around the block. An address might be “N4, 15”. I had a number of forms failing there.

                                                                              1. 1

                                                                                Living in St. John’s, NL (👋🏽) is a constant reminder of how broken a lot of software is. Sometimes sites don’t like the quote and I’ll use “St. Johns”, or they’ll not recognize “St.” and want “Saint John’s”, and in the worst case they’ll exhibit both behaviours and want “Saint Johns” which is most wrong and much too similar in name to “Saint John” that they’ll autofill New Brunswick for the province.

                                                                                1. 1

                                                                                  Damn, autocorrect. For once, I forgot the apostrophe in “John’s”. The New Brunswick situation was so annoying that Memorial University even included in their acceptance papers that I should double check to book the flights for the right location.

                                                                                  It’s a place I’d like to go back to, also, I found my love for theoretical Computer Science there.

                                                                              1. 21

                                                                                This is how youtube-dl ended up inside the github/dmca repo.

                                                                                1. 3

                                                                                  I understand the situation in the OP, but why is this happening?

                                                                                  Edit: ah, someone forked that repo and pushed the full source. It is the same situation as the OP.

                                                                                1. 15

                                                                                  I don’t think this was intentionally placed by the Canadian government’s developers, but it shows how much is wrong with the current system of surveillance capitalism. Many software frameworks/libraries have pretty harmful defaults and are keen on using services by and submitting data to Google and other companies (AWS, etc.) without giving it much thought and only thinking about convenience.

                                                                                  Other good examples are Google Fonts, Google Hosted Libraries, Microsoft Ajax CDN, CDNJS (Cloudflare), jQuery CDN (MaxCDN), jsDelivr (MaxCDN), Yandex CDN, Baidu CDN, Sina Public Resources and UpYun Libraries, just to name a few.

                                                                                  Start hosting your own stuff so you can remove those shackles and actually demonstrate that you care about privacy.

                                                                                  1. 1

                                                                                    You raise a good point, but at the same time hosting any moderately successful software project is extremely costly (bandwidth alone). It’s not a coincidence that the easy examples are CDNs: most hosting providers overprice their outbound bandwidth.

                                                                                    And when I say “moderately successful” I’m definitely talking more about access/popularity which doesn’t easily translate into income. Which is to say: just because a site gets a lot of views doesn’t mean it makes any money to pay for hosting.

                                                                                    1. 7

                                                                                      A VPS with 10TB of traffic and 20 GB of storage costs roughly 3€/month at Hetzner, and they offer very good hosting in multiple countries, if you are inclined to offer a CDN (which makes no sense most of the time, see below). Is that too expensive? I know of some downsides of VPS’s, but it fits 95% of cases, and people should stop thinking they need Google-scale-solutions for their projects.

                                                                                      Most importantly: 10TB can get you a long way if you don’t overbloat your websites into megabyte-behemoths.

                                                                                      People are always talking about efficiency, green energy and climate change, but they don’t seem to relate it with obvious things like not serving 1.5MB of JavaScript and 2MB of CSS for each page. Sending less data also has a much greater impact on page loading speeds than the benefit of a CDN, with exceptions of course.

                                                                                      People throwing more hardware/CDNs/etc. at the website obesity problems are like those recommending headphones as a remedy for fan noise or nose-clips as a remedy for a lack of personal hygiene.

                                                                                      1. 3

                                                                                        Maybe developers would be less keen to using those massive frameworks if they had to pay for sending out those bytes.

                                                                                        1. 1

                                                                                          What massive frameworks? I don’t see any relation between using a framework like React and the size of your page. My simple react app uses 145 kB of JavaScript resources. And that’s thanks to the tools the JavaScript ecosystem provides to reduce the size of JavaScript ;)

                                                                                          The frameworks aren’t the issue, Developers should be aware of the cost of the data they are sending.

                                                                                    1. 20

                                                                                      I’ve recently been moved to a Django shop and I definitely miss the sense of “It doesn’t do much more than that.” Django seems like a wizard that you only interact with through a tin-can phone. You trust because you see things happens and because everyone else also talks to the same wizard, but you can’t help but feel a fool.

                                                                                      While the boilerplate-y nature that I stumble upon in many Flask projects is something I don’t like, nor as the the author mentioned, configuration, I do appreciate the grounds-up approach, the you know exactly what’s going on because you wrote it. That sense of ownership I don’t feel with Django projects.

                                                                                      1. 10

                                                                                        While the boilerplate-y nature that I stumble upon in many Flask projects

                                                                                        I’ve come to see boilerplate as a side-effect of being explicit. I see the same argument made for/against Redux (the JavaScript state management library) and its surrounding ecosystem. I too don’t like boilerplate but 9 times out of 10 I’ll happily trade a lot of boilerplate for being explicit about what’s going on (and often static analysis).

                                                                                        1. 6

                                                                                          I felt like that about Django for the first year or two, but it went away once I’d spent enough time spelunking the Django code. None of it is magic, but there is a lot of it.

                                                                                          1. 2

                                                                                            This has been a common complaint about Django for many years, so I made mini-django[0]because I too started to enjoy Flask’s simplicity, but every. single. time. my Flask projects bloated in to a frankenstein of semi-supported apps with little consistency between them. Now I can have a single file Django “function” that can use as much or little of Django as needed. Just look at the source of mini-django/mini_django.py.

                                                                                            [0] https://github.com/readevalprint/mini-django

                                                                                            1. 1

                                                                                              http://padrinorb.com/ tries to be a django-inspired framework built out of flask-like components (sinatra). I used to be involved in it and really liked that it had a story of growth. You would start with a one-line project and could evolve it along into new and new structures until it could look similar to the size of a Rails project, which I find appropriate for huge projects. I agree with you that following along with that story gives you a ton of ownership into the project. You know why each component is there, because you chose it.

                                                                                              The disadvantage is that there’s another ton of work to do on the project side to explain that philosophy, why it’s worth it and how and when people should move along that story. It needed a lot of resources to maintain that.

                                                                                            1. 4

                                                                                              I would be less sad if Microsoft had chosen Gecko/Servo here but I’m not too sad all the same. I don’t (yet) understand what rendering engine/JavaScript VM diversity really gave web developers. I can get behind browser diversity but it seems like what’s beneath the surface doesn’t matter anymore. I’d point to iOS as an example of this—Safari vs. Chrome is a worthwhile debate but it’s all WKWebView under the hood, and because of that iOS users can all benefit from the performance/battery life and site compatibility.

                                                                                              1. 4

                                                                                                What plurality amongst engines gives is an insurance that the web will be developed against actual standardized behavior rather than just the implemented version of the majority engine.

                                                                                                There are lots of examples of eg. optimizations that assume that all browsers work like browsers with a WebKit origin does, but such optimization may not at all help in eg. Gecko or even make it worse there.

                                                                                                1. 2

                                                                                                  There are 2 ways to address this: having even more browsers with substantial marketshare or having just one open source rendering engine that is used by all.

                                                                                                2. 2

                                                                                                  And all sites running anywhere on iOS as a consequence suffer from WebKit’s poor and generally laggard support for newer standards.

                                                                                                1. 10

                                                                                                  So it was true – Edge will move to Chromium and the web will have yet another major browsers that have WebKit origins – a sad day for the web.

                                                                                                  Now only Gecko/Servo remains as alternatives of other origins.

                                                                                                  Things I haven’t yet understood:

                                                                                                  Will Microsoft also use V8 rather than Chakra? And if so, will they as a consequence also drop official development on Chakra and on the Chakra-based Node.js?

                                                                                                  1. 5

                                                                                                    There’s now one less closed source browser, I’m not sure how that’s a sad day for the web? If anything the web is more open since all major browser engines (Blink, WebKit, and Gecko) are open source projects and take outside contributions.

                                                                                                    1. 12

                                                                                                      Plurality is losing, open implementations are gaining. The open web standards are hurt by a lack of plurality, so even if it’s a win from an implementation perspective, it’s a loss from a standards perspective - and I would say that the loss in the standards perspective outweigh the win of the implementation perspective in this case, in an open web regard.

                                                                                                      1. 5

                                                                                                        If you wanted to write your own browser, you might try implementing various standards. However, your success depends on whether other people follow those standards as well. If there are many implementations, even proprietary, then people will make web pages that aim towards the center. If there is only one, then standards won’t matter.

                                                                                                        1. 1

                                                                                                          To be fair though, the amount of effort required to write a useful browser from scratch in 2018 is so insanely high than even a corporate behemoth like Microsoft with $$$ oozing out of its ears can’t stomach it. Is that really a use-case worth addressing? Would we really be worse off if there was just a single open source engine that everybody used? Kinda like Linux has become the universal kernel for running native binaries in the cloud…

                                                                                                          1. 4

                                                                                                            This problem only worsens when the corporate behemoths consolidate. What are the chances that MS pushes back on a new feature that’s too complex now that they don’t have to implement either?

                                                                                                            1. 1

                                                                                                              Complex for browser developers or web developers?

                                                                                                          2. 1

                                                                                                            The new “living standards” make this much, much harder. It is like building on quicksand: you can’t target a stable version of these standards. There’s also no sane changelog to speak of, as far as I know. The RFC standards we used to have were quite sane, but all formalisms are slowly being removed, which makes interoperability unnecessarily hard.

                                                                                                        2. 2

                                                                                                          I feel like the Node.js on ChakraCore effort was dead-on-arrival. The Node.js/JavaScript ecosystem already has a hard enough time with native interop that trying to abstract it away was premature. It’s still possible that the ABI Stable Node API work takes off but, sitting here speculating, it doesn’t seem to have enough of a benefit to developers to warrant packages switching.

                                                                                                        1. 6

                                                                                                          “Geospatial” or “geo” might be less-cryptic tags but I agree with the recommendation!

                                                                                                          1. 1

                                                                                                            Geospatial would be the better of those two options, I think

                                                                                                          1. 1

                                                                                                            macOS Safari didn’t like that link either

                                                                                                            Safari:

                                                                                                            Version 11.1.2 (13605.3.8)

                                                                                                            macOS High Sierra:

                                                                                                            10.13.6 (17G65)

                                                                                                            1. 12

                                                                                                              Despite having the console open in another tab, having used it recently, this was the hardest quiz I’ve taken in a while.

                                                                                                              1. 1

                                                                                                                I guess that many people don’t even use the console (by using terraform or Amazon’s equivalent), that would explain the results.

                                                                                                              1. 6

                                                                                                                I really like Stack Overflow.

                                                                                                                Based on anecdotes and internet comments I feel like I joined the site just as it was becoming more “difficult to get into” and “difficult to earn reputation on” and certainly before it became particularly “aggressive” with duplicates and low-quality questions. I’ve also had quite a bit of luck with silly questions getting a good number of upvotes (and I’ll even go as far as to say that they aren’t good questions if I’m honest). That’s all to say that I very well don’t really understand what new users go through nowadays.

                                                                                                                It makes me sad when someone get downvoted for posting a duplicate. We should better surface them in the posting flow, but it’s not reasonable to expect askers to find dupes consistently. Users aren’t “too lazy” to search; searching takes less work than posting.

                                                                                                                One trope that grinds my gears though is the “Stack Overflow closes everything as a duplicate”. I don’t really see it. A lot of people won’t bother searching and I do think that searching for a duplicate is more work than just posting a new question, especially when someone new to programming doesn’t know all the weird terminology.

                                                                                                                And little makes me sadder than comments on answers saying, “Don’t answer questions like this – it encourages them.” Now, some questions are off-topic. (I’m genuinely sorry, but we simply can’t explain how a glass pitcher can smash through a brick wall with no apparent injuries; we are a programming site.) But it’s totally cool to answer questions without giving a grilled poop sandwich about exactly what’s allowed. It’s fine to volunteer in one way without being expected to read and enforce every rule and meta discussion since forever.

                                                                                                                I’ll be the first to admit that I was on this bandwagon for a brief bit of time. A lot of questions posted to the site from users with 1 reputation (a sign they’re new) are an error message asking “why?” and I felt (and still feel?) that rewarding that sort of behaviour in a learner does them a disservice. I’d love to hear folks’ thoughts on this: what’s the best way of answering questions online without a million comments back-and-forth (something that SO doesn’t really facilitate)?


                                                                                                                I’ll just plug the link hidden at the bottom of the article again: Stack Overflow Inclusion Project

                                                                                                                We’re looking for volunteers to share their experiences in chat with us and help us prioritize what to work on first. Whether you’re an active user, or someone who isn’t comfortable participating, if you’d like to help, please fill out this one-minute survey.