1. 4

    I’ve always had mixed feelings about storing plaintext passwords on my personal computer. I suppose that there is nothing inherintly wrong with this, but something gives me the willies about opening a file and seeing my password in all it’s glory.

    1. 1

      What do you think about storing encoded, but not encrypted? Like docker stores registry passwords base64 encoded in .docker/config.json?

      1. 4

        It’s the same.

        The issue with storing password in plain text is that all the programs that you run can potentially grab and exfiltrate those password. It doesn’t matter if they are obfuscated or not.

        • any shell script or build system you git clone from github
        • most language-specific package managers like npm install run arbitrary code
        • any website that you visit if your browser suffers from file traversal attacks
        • if the HDD gets stolen and there is no full-disk encryption

        It’s better to have the passwords encrypted at rest inside of a key store. Or even better have the decrypt key stored on another device like a YubiKey.

        1. 1

          I’m going to 90% agree with @zimbatm on this one. For my use case, I definitely don’t get any additional benefit from it being encoded vs plaintext. That being said, I believe this stems from the fact that I generate my passwords randomly with a password manager. This means that I’m not using words/phrases from my native language. The situation where this would be the most helpful though is when:

          1. You are using passwords (or especially passphrases) that are composed primarily of native language phrases
          2. Your threat model is focused more on shoulder surfing than malware

          In that case, encoding does actually make a difference for the user, because now they can open that file, and the likelihood that someone shoulder surfing can memorize their password is dramatically decreased. I believe a non-trival number of people meet this criteria (even if they don’t actively know they fall into the second category).

          tl;dr: Don’t make people save their passwords in unencrypted files on the disk, but if you’re going to, add an option to specify an encoded (base64) password.

      1. 2

        I came to a similar conclusion than the author and created h.

        It goes one step further and automatically changes directory to the folder for you. That way I don’t have to know if the repository has been checked out or now.

        Type h <url> or h <owner/repo> and you get a local working directory with the code.

        1. 4

          Another interesting option in this space is Starlark, the python-like scripting language used in Bazel, Google’s open-source build tool. See https://github.com/google/starlark-go for the repo, and https://github.com/stripe/skycfg for an interesting existing application.

          I’m interested in adding Starlark to the performance comparison in the Tengo README.

          1. 2

            it seems like it was already added to the Benchmark table: https://github.com/d5/tengo#benchmark

            1. 2

              At my employer, we ended up writing Tcl bindings in Go. It was incredibly easy to do (libtcl is well-written, with great documentation), and the language is a real pleasure to work in. I’m working on getting it approved to release as free software, and also on cleaning up the bits in the code (it was a quick-and-dirty effort, so I wouldn’t be surprised to find a memory leak, a dereferenced NULL or some similar C-enabled bug), and of course writing some documentation.

              Performance was more than acceptable, but I’d need to benchmark Tengo et al. for a good comparison on the same machine.

            1. 3

              This is a fantastic interview. Pablo Santos articulates some features/advantages that Plastic SCM has compared to other tools. His vision for the role and future of version control is eerily similar to what is floating around in my head (I’m a contributor to Mercurial). He even talks a bit about the need for (version control) tools to be fast, get out of the way, and provide better features in order to avoid cognitive overhead, which impacts productivity and velocity. This is a must-listen for anyone who works on version control tools or cares about the larger developer productivity space.

              1. 2

                How realistic do you think it is for the Git to evolve to support big files?

                As I understand it the problem boils down to three issues:

                1. Every file is hashed completely before being stored as a Blob
                2. A git checkout checks out the whole tree, it’s not possible to checkout a subset
                3. There is no lazy-fetching of the Git objects. It’s possible to do a shallow fetch but then Git operations are limited.

                (1) means that even a 1 byte change will create a whole new Blob. I think that it could be improved by introducing a new “BlobList” type of object that can contain a list of Blob. Then the update would be only on the size of the Blob. Blob chunking heuristics can then be developed and used at insertion time.

                (2) means re-thinking a lot of the CLI operations to work on a subset

                (3) would have to re-design the database to lazily fetch objects upstream when they are missing

                1. 1

                  I couldn’t agree more. I always scratched my head thinking why version control, being the “operative system” of software development did not lead the Agile, DevOps… you name it, modern software development “movement”. In a way I see that the dominance of Git raised the bar so high, innovation was not required for a long time. On the other hand, being so generalist makes changes in roadmap of Git difficult to cover al the most innovative edge cases, right?

                  1. 1

                    Hey, Greg, you should get a hat!

                  1. 5

                    The more often you deploy code the more comfortable you get with your tools and your process. It’s better if you are in a position to push code changes at any time, and have confidence that the process won’t leave your app in a half-broken state.

                    Another thing that takes some pressure off is a good unit test coverage. Passing tests don’t guarantee everything will work perfectly, of course, but at least I can have some level of confidence that there are no big obvious blunders in the code I’m shipping.

                    1. 2

                      Continuous Deployment (CD) also has a nice feedback loop with tests.

                      Without CD, developers become more and more careful about deploying, until it becomes impossible to deploy without regressions.

                      With CD, the solution is to write more/better tests

                    1. 14

                      This does seem like a shame, not least because there are plenty of problems worth solving in the “make USB less of a security risk” space.

                      I think it’s probably bad news for small/hobbyist hardware makers and OSHW as well. The USB-IF has been unwilling to make any allowances over VID allocation. Seems like that can only get worse: http://www.arachnidlabs.com/blog/2013/10/18/usb-if-no-vid-for-open-source/

                      1. 3

                        It’s also quite bad that DigiCert will have the monopoly on issuing certificates.

                        I wonder if the certificates will have expiration dates. Imagine the $brand phones that all stop charging at the same time.

                        1. 1

                          “Sorry, your device is End Of Life”

                        2. 1
                          1. 1

                            Right. There are a few of these (openmoko, etc), but the point is that the USB-IF has expressly said they are not OK with them. Until now they’ve had no technical way to enforce their not-OK-ness, but this could change.

                        1. 8

                          I’ve selfhosted for twenty years now. I currently use a rented server and run debian on it. Actually it runs devuan, systemd is more trouble than it’s worth IMO, particularly on a server.

                          The server itself runs very little software, mostly qemu/kvm, unbound and mdadm. A virtual host inside runs the stable software I want to run, mostly deb… oops, devuan packages, for my blog, mail, that sort of thing. I can spin up more virtual hosts if I want; that’s the first thing I made sure of. If I want to run anything that is not connected with the stable services, I spin up a temporary virtual host; I have a script for that. I haven’t bothered with docker or anything, what would be the point?

                          It took days to get working at first, but works very well.

                          1. 1

                            What is your backup/restore strategy?

                            1. 2

                              I back up to my NAS at home using rdiff-backup; every night for some things, every week for some. My home ISP provides IPv6, my fritzbox could be persuaded to allow port 22 through to the NAS, and I have a crontab that makes sure the NAS’ hostname is updated with the right IPv6 address, so rdiff-backup can open an SSH connection over IPv6 directly to the NAS.

                          1. 17

                            I’m missing some context: what are the shortcomings of Markdown and/or LaTeX that this proposal will fix. Thanks.

                            1. 4

                              Same here, it was not really clear to me what problem the new format is trying to solve.

                              It looks like a literate programming language specialized to output HTML. Does it mean that a new interpreter / compiler / stdlib has to be written?

                              It looks like a prerequisite to understand this text is to read up on all the bullet points presented in the “Summary of inspiration” section.

                              The control character codes are reused because they are hardly used with web and HTML

                              this was my main clue and it’s quite late in the document

                              1. 2

                                It’s better to turn it upside down and think that we can improve upon Markdown. We definitely have to support and work with it quite some while, just like other common formats that we have now.

                                I’ve used markdown every week, so I am well-aware of how it works for me and against in writing text.

                                Markdown assigns meanings to character sequences: '#', '=', '-', '**', '_', '~~', '*', '1.', '+', '[', ']', '(', ')', ']:', '![', '>', ...

                                The implementations parse these by block processing over the text with regular expressions. You can escape those sequences when you use them in the text, but it means that you got to stay on your toes when introducing these elements. Usually you catch it in previewing your message. There’s small differences in how different markdown implementations parse text that will cause inconvenience when switching among them.

                                Markdown’s grammar of things it understands is fairly small. You get headers, links, few ways to mark text, images, quotes, lists, tables. You fall back to html when it doesn’t understand things, but it results in a weird, html-specific document. Extensions to markdown are implementation-specific and do not translate between them. This can result in the texts being monotonic as you tend to stick into what markdown offers.

                                Formatting-characters trip ordinary users and frustrate them. This happens no matter how many there are of them. The proposal removes the need for this, as well as for the use of escape-characters. The idea would be to produce a form of rich-text editing that augments, but doesn’t obscure the existing structure of a text document.

                                I’ve left open the choice of a meta-language, thinking that you’d use this interleaving existing programming languages and plain text together. In the web you’d restrict this to some nice, constrained, standardized declarative language that has the amount of annotations you prefer to allow.

                                1. 7

                                  To me the attraction of markdown (and latex) is that its really just plain text. What I understand is that documents in your proposal are binary documents readable in the same way Microsoft word documents are readable: islands of text interspersed by encoded formatting directives.

                                  1. 1

                                    I cleaned up the demo that I did and pasted the files into the github. I used it in gvim, but also tried in vim. Probably from the vim it doesn’t do clean pastes without any help from the terminal.

                                    https://gist.github.com/cheery/2a34769a2398a345ad77235e8d1c3693

                                    I guess microsoft word documents are harder to read as plain-text without a dedicated editor.

                                    1. 2

                                      Some thoughts that come to mind

                                      1. Is the formatting going to be restricted to one or a few characters, or could we have strings of characters representing particular formats, like highlighting, colors, styles etc.
                                      2. Will there be complexity like macros, with variables (i.e. a DSL behind it)

                                      Depending on how this is setup I fear you will end up reinventing one of the document formats from the 1990s and 2000s and on (e.g. Microsoft doc format). You’ll need a particular piece of software to view the document as intended. Without this software, depending on the complexity of the intent of the formatting code the text part of the document could become unreadable. Pretty soon there will be viruses masquerading as such documents and so on and so forth.

                                      I guess I haven’t understood enough of this scheme to be convinced that we haven’t visited this before and found it as unsatisfactory as anything else, if not more.

                                      1. 2

                                        I guess that if you stretch it, you could have something like [i color=red:This text is red], but it’s probably something I wouldn’t like to add. I would prefer that the occurrences of structures may be indexed and then referenced in the program text portion to attribute into them.

                                        For example, if you used a Prolog-like language in the program portion, it might look something like this in the text editor:

                                        Hello [span.marked:Word]
                                        $ color(span.marked, "red"). ¤
                                        

                                        It’d probably take some time for people to hack the support for the format into their languages.

                                        There’s real concern for what you’re saying though. I can imagine how this could turn into something that can be no longer properly read with a text editor. I’m convinced that an eager enough person, not ready to sit down and think, would easily turn this into yet another wysiwyg. We’ve got numerous records of similar disasters. :)

                                        I did look at the .doc format from the 1990s. It’s been divided into 128-byte sized blocks with the text dropped somewhere in the middle. It looked like you’d be perhaps able to leak information with it. But also you couldn’t pop it open in a text editor and expect to be able to edit it without corrupting the file.

                                  2. 5

                                    Markdown was never meant to be something like {SG/HT/X}ML, it was meant to be a lightweight markup language for stuff like comments and blog posts. The fact that you can fall back to HTML is great in my opinion, it means I can integrate those features into my writing quite seamlessly (mostly anchor links and tables).

                                1. 3

                                  Maybe Mozilla should put more effort into making it easier to use their engines.

                                  Microsoft had a choice and could have also used the Firefox engine but for reason decided to use Chrome.

                                  1. 2

                                    The reason could be as simple as a combination of not caring and externalizing most of the financial risk to the Goog.

                                    And maybe a dash of past animosity from the Netscape days for tinfoil value.

                                  1. 7

                                    I wholeheartedly agree with the premise of the article. Follow are some nitpicks:

                                    Static assets must be hosted at locations that are unique and independent of the web application environment(s).

                                    It’s not really clear until the very end why this is a good thing. The main reason is to use a store that also keeps all the previously published versions. The fact that it’s a separate service doesn’t really matter.

                                    index.html must never be cached

                                    this is only true because Google Chrome is so aggressive with caching unfortunately. If it was respecting the spec then the cache could be revalidated with If-Modified-Since/Etag headers.

                                    type=“text/javascript”

                                    is this still necessary?

                                    Versioned assets are published to a unique location in an AWS S3 bucket.

                                    The important part is that they are unique. Maintaining a versioning scheme is unnecessary overhead when the application is tightly coupled with the code. Especially SemVer which just doesn’t apply in this context. Instead, use the sha256 of the content as the key of each asset so it’s one less thing to think about.

                                    1. 4

                                      Hey, author of the document here!

                                      Thanks for the great feedback. I agree with a lot of it. The tone of the document is maybe too dogmatic about some of the details, mostly just to reinforce the underlying principles.

                                      • There are cases and projects where index.html can cached by the browser. For example, if it is ok that all clients do not need to be running the same version at the same time and there is no need for instantaneous rollback you could add max-age.

                                      • I agree that using a fingerprint of the content in the filename is a better way of achieving uniqueness, so long as you have a mechanism to indicate which assets work together for each version of the app. We have been creating immutable index.html templates that we version and publish. They group together all of the related, fingerprinted assets. A deployment renders index.html from a from json configuration that contains a link to the template and the environment variables and then publishes the index.html.

                                      • I don’t mean to advocate for keeping all previous versions of the app. Just enough to safely rollback in case of an incident. I do intend to advocate for publishing future versions of the app, so that you can test them where they live before doing a live release.

                                    1. 6

                                      SirCmpwn, you are a hero sir. I am writing this from within Sway and it’s been fantastic. And now I am discovering that you have been working on sr.ht as well. Incredible.

                                      1. 2

                                        Thank you so much :)

                                      1. 1

                                        The NixOS project has benefited from their free v1 Discourse offering and it has been great for us. I can only recommend.

                                        1. 3

                                          It looks interesting.

                                          How does it compare with Dhall? I was expecting to get a reason in the README since both come from the Haskell world and I assume Dhall is well known at that point.

                                          1. 1

                                            I brought Dhall up at the meetup, but nobody seemed to know of it :(

                                            Unfortunately, dhall doesnt do any type inference so row polymorphism would be a hell of a lot harder to implement.

                                            1. 1

                                              That’s what I thought too, row polymorphism was the reason for Expresso to exist. It’s just not explicitly mentioning Dhall.

                                              Related, I saw this in my timeline a while ago: https://twitter.com/shajra/status/1040107159722360834

                                          1. 8

                                            I just looked at the docs and I liked a lot of the ideas (the interface (ish) class based views, for instance), but the idea of passing mutable request and response objects and not returning anything really rubes me the wrong way, for some reason I can’t properly explain yet.

                                            I also like how it supports async, though, and has a built-in solution to production deploy as well.

                                            1. 4

                                              A lot of HTTP framework start with the end-point taking a request as input and return the response. This works beautifully until streaming responses need to be used.

                                              In reality a HTTP request looks more like this (read headers) -> (maybe read request body) -> (send headers) -> (maybe write response body). If the response object is returned it’s hard to control what is going into the body. It could be a long-poll for example. Or streaming from another data source and with a cancel event. There are a lot of scenarios here.

                                              1. 2

                                                I’m generalising, but fewer of your endpoints are going to need streaming so why would you hurt the common case in favour of an uncommon one?

                                                In molten I’ve implemented streaming via generators, which is exactly the opposite approach: all endpoints are functions of a request that return a response and streaming endpoints are just a special case over response types.

                                                1. 1

                                                  If it’s a “HTTP Service Framework” I expect it to handle more complicated things than render HTML pages.

                                                2. 1

                                                  Hmm, I see. Makes sense. So, probably the request object is not fully loaded, then? As in, the body hasn’t been read, it will be read only on demand?

                                                  Anyway, now I’m curious to see how this could play with async/await =)

                                                  1. 1

                                                    I’m curious too, I am mainly reflecting my experience of using Go

                                                  2. 1

                                                    This works beautifully until streaming responses need to be used.

                                                    It can work well even then. You just need to have a mechanism that allows attaching a generator function as the response body (framework checks response body for callable perhaps?).

                                                    psuedocode-ish:

                                                    @api.route("/hodor")
                                                    def get_hodor(req):
                                                        def somefunc():
                                                          for x in range(1,100):
                                                            yield "hodor"
                                                            sleep(1)
                                                    
                                                        resp = make_response()
                                                        resp.body = somefunc 
                                                        return resp
                                                    
                                                      1. 1

                                                        Sure it can work but it becomes quickly awkward when mixing multiple streams together in my opinion. Now half of the handler logic is running in another function. I prefer to handle all of the logic in the handler body, this also allows for better destructor (close) handling.

                                                        Let’s say I want to implement a Server-Sent Event endpoint. It needs to handle the following cases:

                                                        • subscribe to a redis channel, if another request is already using that channel, share the subscription
                                                        • if the redis connection gets disconnected, re-connect without losing the client
                                                        • unsubscribe if all clients are gone
                                                        • send keep-alive if no message has been sent for 60 seconds
                                                  1. 9

                                                    I’m using this terraform script: https://github.com/dmathieu/byovpn When I need a VPN, I just apply the changes, and can destroy whenever I don’t need it anymore. That’s basically the same thing, but automated.

                                                    1. 5

                                                      That’s what I was thinking when reading the article. Even shorter when using sshuttle:

                                                      $ brew install sshuttle terraform
                                                      $ terraform apply
                                                      $ sshuttle --dns -r [user@]sshserver 0.0.0.0/0
                                                      
                                                      1. 4

                                                        yeah exactly. I did the same to learn terraform and that’s definitely the way to go. Note that you need ssh access so if you’re on a public wifi such as in a cafe, it may fail if port 22 is blocked. I usually spin my vpn from an lte network, and once credentials are ready, I configure my vpn and then I use the public wifi.

                                                        It’s much more efficient than doing all of this manually 👍

                                                        1. 1

                                                          I wanted to rewrite my vpn setup to improve my terraform skills. Here is the project: https://github.com/GabLeRoux/terraform-aws-vpn

                                                          Key features:

                                                          • Runs in its own VPC
                                                          • Only a few commands to get started
                                                          • Has start, stop and status scripts
                                                          • Supports different regions
                                                          • It’s well documented
                                                          • It’s MIT

                                                          Have fun 🎉

                                                        2. 4

                                                          I’ve been working on a similar project using terraform and ansible: bovarysme/infrastructure. It’s usable even if still a bit rough around the edges (e.g. I have to manually update the ansible inventory after each deploy). Running an OpenVPN server on port 443 TCP has been helping me bypass most port blocking and firewall shenanigans I’ve encountered so far.

                                                          1. 2

                                                            Your script looks very interesting. I just wanted a simple approach that anyone could follow without installing packages etc which is why I used TurnKey.

                                                          1. 2

                                                            I’m curious about choosing AWS. Don’t they charge traffic?

                                                            1. 3

                                                              In the article he mentions that it’s just to browse some gov / bank websites and avoid triggering IP warnings (which doesn’t always work as Cloud provider IPs are also classified due to scraping). Traffic is only expensive when watching BBC / Netflix.

                                                              1. 3

                                                                Yes AWS charges for traffic, that is actually covered in the “So… What Does It Cost?” section. Is the post tl;dr?

                                                                1. 1

                                                                  We do but for a low usage VPN it’s trivial to the point of fading into the white noise. I ran an Algo VPN in EC2 and used ot extensively for all my personal work for a few months and the costs incurred are negligible. (I don’t speak for my employer, yada. yada.)

                                                                1. 6

                                                                  How much work is it to produce a polished experience like that?

                                                                  I would love to rebase elementary on top of NixOS or have another similarly-polished DE available as a default for NixOS users.

                                                                  1. 4

                                                                    As much as I liked Keybase initially I basically stopped using it.

                                                                    For key lookup I use gpg --locate-key $EMAIL. That will fetch the key by e-mail using HTTPS via Web Key Directory protocol (e.g. kernel.org keys are available like that).

                                                                    Social proof system seemed nice at the beginning but later became just stamp collection. If someone is really using PGP they would list the key fingerprint at their page/profile. (For the record there is social proof system implemented purely in OpenPGP - Linked identities implemented e.g. in OpenKeychain).

                                                                    Additionally, as far as I can see, Keybase doesn’t allow storing keys on hardware tokens (e.g. Yubikey).

                                                                    1. 3

                                                                      The Keybase model is one key per device. So if a Yubikey is used they issue a new sub-certificate to be used on the machine. This makes it impossible to use the key as a 2FA: https://github.com/keybase/keybase-issues/issues/1946

                                                                      1. 1

                                                                        Yep, I’ve seen lvrick’s comment previously on HN about this but I didn’t want to comment that strongly here on Lobste.rs, although lvrick clearly has a point.

                                                                    1. 21

                                                                      That’s a good question! Here is a quick braindump, happy to provide more information on all of these points.

                                                                      Basic physical needs

                                                                      IQ and focus are affected by these things:

                                                                      • get enough (~8h) sleep every day
                                                                      • stay hydrated
                                                                      • exercise cores / cardio a bit
                                                                      • (personal) meditation to improve focus / self awareness
                                                                      • (if possible) find a good work environment
                                                                      Disciplin

                                                                      creating good automatism allows to go faster and not break out of the flow

                                                                      • comfortable dev environment, that’s very personal
                                                                      • logical git commit
                                                                      • do one thing after the other. multi-tasking gives the impression of work but is very inefficient.
                                                                      • use a binary search approach for debugging
                                                                      • learn to say no nicely (some people try to push their work onto you)
                                                                      • learn to create focus times in the day with no interruptions
                                                                      Knowledge

                                                                      Learn how things work to be able to think on first principles. StackOverflow doesn’t have answers for everything.

                                                                      1. 5

                                                                        This is a great post and the advice here is greatly underrated in our industry. The difference in my quality of work on a day where I’ve had 8 hours of restful sleep vs. a day where I had 6 hours of sleep and am dehydrated, or have a lingering cold, or something similar is dramatically more than you’d expect. Everyone sort of accepts that if you have a migraine, or the flu, your work will suffer. But even the littler things make a big difference when you get to the (for me anyway) very high-level intellectual utilization that programming demands.

                                                                        As a process thing, whenever possible I like to create a personal branch and make a series of small commits as I go, knowing that I will squash them into more logical groupings before merging my work. This lets me experiment with a direction reversibly without forcing my peers to see 25 commits over a single workday.

                                                                        I’m also a big fan of carving out uninterrupted blocks of time (no meetings, chitchat, chores, etc.) but as I work fully remote this is likely both easier for me as well as more desirable to me, assuming people to some extent self-select into fully remote work.

                                                                        1. 1

                                                                          Thanks! If only I could post this to myself 10 years ago :)

                                                                        2. 2

                                                                          use a binary search approach for debugging

                                                                          What does this mean?

                                                                          1. 5

                                                                            I assume somewhat like git bisect, e.g. we know that version/commit 30 has a bug, we know that version 10 didn’t. Rather than checking version 29, then 28, etc. instead check version 20 (preferably automatically, with a regression test). If it works, check version 25, and so on. This can make narrowing down issues much easier, especially when (a) every commit can be checked (e.g. it always compiles successfully, doesn’t crash during initialisation, etc.; this can be enforced with things like pre-commit hooks) and (b) the commit history has lots of small commits, rather than e.g. squashing large changesets into a single diff.

                                                                            Note that the same approach can be taken when printf debugging, or stepping in a debugger: check the state near the start/input part of the code, check the state near the end/output part, and check the state roughly half way through the processing. This narrows down the problem to one half of the program/trace. Add checks roughly half way through the dodgy half, and iterate until the problematic step is found. This can be more efficient than e.g. stepping through each statement one after another; or reading page after page of logs.

                                                                            1. 4

                                                                              I assume somewhat like git bisect

                                                                              Ah, I wouldn’t exactly call that debugging. Debugging, to me, is the step that comes after finding the problem commit, if there is such a thing.

                                                                              Note that the same approach can be taken when printf debugging, or stepping in a debugger

                                                                              Mmm-hmm. All fine until it’s race conditions you’re debugging. My week at work..

                                                                              1. 3

                                                                                Mmm-hmm. All fine until it’s race conditions you’re debugging. My week at work..

                                                                                Yeah, consistently reproducing an error is an important prerequisite, but sometimes the most difficult part!

                                                                                1. 1

                                                                                  Ah, I wouldn’t exactly call that debugging. Debugging, to me, is the step that comes after finding the problem commit, if there is such a thing.

                                                                                  In that case, you might still not “get” what’s happening. In that case, if you can figure out your input, the expected output, and what the output actually is, you have a good starting point.

                                                                                  From there, if you are judicious about choosing what part of the input to vary, you can quickly eliminate classes of problems. “Oh, the username probably doesn’t matter here because this shows up all the time”, “ah turns out that it’s this inner function that is returning problematic data, so stuff after it might not be the cause”

                                                                                  Draw a circle around the entire state of your commit, and then find ways to cut off huge chunks of it until you’re certain that the bug is in what’s left. If you’re not rigorous about this it doesn’t work well, but if you figure out “logical certainties” you’ll likely quickly isolate the bug

                                                                                  (This is part of why TDD works well in debugging. You found a snippet of code that is misbehaving. You dig deeper until you find a minimal problematic snippet. A quick refactor to place that snippet in its own function, and now you have a test case!)

                                                                                  1. 1

                                                                                    Yeah, I keep thinking race conditions. Where you could draw multiple circles that all converge at different points, all points being code that is obviously correct. The commit is right, it’s just probabilistically exposing the presence of a bug somewhere else in the code base. And that’s why TDD doesn’t work, because the bug isn’t in the minimal problematic snippet.

                                                                                    1. 1

                                                                                      I’m not real sure what your race conditions looked like, but you could maybe synchronize everything in a program (wrap mutex, log access, &c), or synchronize nothing, or something in between. That would be sort of binary searchable, or at least div-&-conquerable.

                                                                                      You’re not writing Go, by chance, are you?

                                                                                      1. 1

                                                                                        C

                                                                              2. 5

                                                                                Not sure this is what OP mean, but it reminds me of the approach I take to debugging. Your goal is to come up with a hypothesis that cuts the search space in half. Think through what could be causing this bug and try to falsify each possibility. This talk by Stuart Halloway does a good job explaining the approach. https://www.youtube.com/watch?v=FihU5JxmnBg

                                                                                1. 2

                                                                                  Binary search is an algorithm that allows to find the solution in O(log(N)) attempts. It’s the same algorithm used by git-bisect but it can be used in the real world as well.

                                                                                  It’s part of the discipline because it forces to make assumptions and probe the extremities first instead of trying things randomly. Usually it’s possible to make assumptions about the bug location. Split in the middle with some debug statement, find which side is broken. Loop.

                                                                              1. 7

                                                                                I have been running the 18.09 prerelease for a while, and for me the largest visible improvement over 18.03 is that GNOME works out of the box with Wayland. Thanks NixOS team!

                                                                                [1] Though I install many ‘unstable’ packages through home-manager.

                                                                                1. 1

                                                                                  nice! is wayland automatically enabled or I have to set an option?

                                                                                    1. 1

                                                                                      I think this just makes GDM run with Wayland. Once the user session activates it could be switching back to X11. Fedora had GDM running on Wayland for a while to test it out while keeping Gnome on X11.

                                                                                      1. 2

                                                                                        See the rest of the thread ;).

                                                                                      2. 1

                                                                                        I don’t think that actually enables wayland on the gnome desktop itself unfortunately, I think it just enables it for GDM itself :(

                                                                                        I’ve actually been following this issue and this PR waiting for it to be merged in because Xorg is consistently kind of janky and low framerate in my setup and I can’t get my desktop to scale correctly.

                                                                                        1. 1

                                                                                          I know that that is for enabling GDM on Wayland. But in GDM, one can choose the Wayland session type. But you are right, even the Wayland session type uses Xorg. The Wayland session type just didn’t work before on my machine, so I expected that it was actually running Wayland now that it works. But loginctl indeed reports X11 and now that I look more at it, I have the typical small X11 mouse cursors in places, despite 2.0 scaling.

                                                                                          1. 1

                                                                                            With that PR applied, the GNOME Wayland session actually runs Wayland indeed.

                                                                                            % echo $XDG_SESSION_TYPE
                                                                                            wayland
                                                                                            

                                                                                            Thanks!