Threads for aditya

    1. 4

      Interesting that GitHub doesn’t require / verify the signature from their online key on a commit with dependabot’s identity as the committer.

    2. 2

      Interesting article! Maybe I’m missing context but I’m not sure the post sufficiently explained how they verify that a “trusted source” wasn’t injecting something it shouldn’t into some software artifact that it then wrote to cache (think SolarWinds). The closest the post got was:

      Creating trusted build workers is easier said than done. Having our trusted worker run Bazel actions implies that we’re evaluating arbitrary untrusted code on our trusted machine. It’s critical that untrusted actions are prevented from writing directly to the action cache or otherwise influencing other co-tenant actions.

      However, it then only really talks about isolation.

      1. 4

        All cache in Bazel is verified with SHA256 hash. So if you upgrade from lib-a-v1 to lib-a-v2, that’s a change to its SHA256. This SHA256 will be used to calculate a Merkle tree of build actions, so when you update a dependency SHA256, the rest of the downstream build actions will get cache-invalidated.

        So if lib-a-v2 is detected to be vulnerable, then you can just revert the commit and rebuild the entire repo to mitigate (and guarantee that your cache will behave correctly). Moreover, the article elaborated that the remote cache is only accessible from their trusted Remote Build Executor, thus increasing the security of the deployable artifact.

        I write a series of articles explaining how Bazel works on the side here https://sluongng.hashnode.dev/bazel-caching-explained-pt-1-how-bazel-works.

        1. 1

          Yes, I think the cache invalidation is useful for recovery but I was thinking more about how the trusted Remote Build Executor is actually trusted / validated. I think there are some interesting problems there and while you likely can’t ever be 100% certain, I was wondering which SLSA requirements they were meeting. I think they probably do meet several (build service, scripted builds, hermetic), I’m curious about what else they’re doing.

          I write a series of articles explaining how Bazel works on the side here https://sluongng.hashnode.dev/bazel-caching-explained-pt-1-how-bazel-works.

          Thanks for the link! I’m curious, as this seems to indicate hermetic builds are also guaranteed to be deterministic. Is that always the case? I’ve always thought of them as very close / related guarantees but not necessarily the same properties.

          1. 1

            I’m curious about what else they’re doing.

            I have seen several orgs where these are not applicable to their setup, i.e. they self-host their infrastructure and have runtime monitoring to ensure all the configs (baremetal, VM, container) are up-to-date. So having an additional validation layer just for the build system is redundant and was not a requirement for these orgs.

            For some other orgs I know of, only a certain degree of hermeticity is required. There are certain loopholes such as OS patch version, or git version, that can be relatively safe to ignore. They are pragmatic about what needs to be reproducible and to what degree it needs to be validated. Over-engineering a validation system does come with a negative side effect, which is that changes to such systems become more difficult and slower over time, and speed is definitely something folks pay a lot of attention to.

            Finally, there are some orgs that really need correctness. Bazel is used by companies with physical hardware: Tesla, Nvidia, SpaceX, ASML as well as some banking/healthcare institutions. These companies have a low tolerance for errors and highly value correctness. I have seen folks in similar orgs investigating Nix Package Manager recently as a means to wrap the environment Bazel operates in. Bazel itself guarantees the hermeticity during build execution but does have leaks when it comes to external dependency and toolchain management. So by using Nix to wrap around Bazel and provide Bazel with the needed external dependencies, they were able to plug where things previously tended to leak. Before Nix, these were often solved using Docker containers, but when the container itself is not reproducible, you have to fall back on a lot of manual investigation and fixes.

            Thanks for the link! I’m curious, as this seems to indicate hermetic builds are also guaranteed to be deterministic. Is that always the case? I’ve always thought of them as very close/related guarantees but not necessarily the same properties.

            So a Bazel build is cryptographically verifiable thanks to the Merkle tree made of SHA256 of everything related to your build: source code, script, environment variables, external dependencies, bazel version, compiler version, etc…

            But every cryptographic guarantee is breakable under certain assumptions. And it’s possible to design a build that is not reproducible in Bazel. For example, I could intentionally make my build action depend on some API over the network, and if that API goes down, my build would break.

            So I would say that using Bazel, it’s easier to make your build hermetic, and eventually deterministic. But you can certainly break Bazel’s hermeticity if you use it wrong, thus the high cost of adopting Bazel today (I also wrote about this in another blog post).
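Two points in this subthread are easier to see in code than in prose: the earlier reply's claim that a content-addressed cache invalidates downstream actions when a dependency's digest changes (and that reverting the commit restores the old cache entries), and the reply just above distinguishing hermetic from deterministic. The following is an added example, not Bazel's code and not the commenters'. It models an action's key as SHA-256 over the command plus the Merkle root of its declared inputs, with upstream outputs entering by content; real Bazel keys also cover environment, platform and toolchain details, which this toy leaves out. All actions, sources and "compilers" are constructed.

```python
"""Toy content-addressed action cache in the Bazel / Remote Execution API style.
Added example, not Bazel's code.  An action's cache key is SHA-256 over its
command plus the Merkle root of its declared inputs, and upstream outputs enter
that tree by content, so a dependency change ripples downstream exactly as far
as the bytes actually change.  Every action and "compiler" here is constructed."""
import hashlib
import itertools
import json

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def merkle_root(digests: dict) -> str:
    """Digest of a directory node: canonical JSON of sorted (path, digest) pairs."""
    return sha256(json.dumps(sorted(digests.items()), separators=(",", ":")).encode())

class Action:
    def __init__(self, name, command, srcs, deps, run):
        self.name = name        # doubles as the output path
        self.command = command  # command line, part of the key
        self.srcs = srcs        # {path: bytes} declared source inputs
        self.deps = deps        # upstream Actions whose outputs are inputs
        self.run = run          # fn({path: bytes}) -> output bytes

    def inputs(self, outputs):
        """Declared input tree: own sources plus each dependency's output bytes."""
        tree = dict(self.srcs)
        for d in self.deps:
            tree[d.name] = outputs[d.name]
        return tree

    def key(self, outputs):
        digests = {p: sha256(b) for p, b in self.inputs(outputs).items()}
        return sha256(f"{self.command}\0{merkle_root(digests)}".encode())

def build(graph, cache, log):
    """Run a topologically sorted action list against `cache` ({key: output});
    `log` receives (name, "hit" | "miss") for each action."""
    outputs = {}
    for a in graph:
        k = a.key(outputs)
        if k in cache:
            log.append((a.name, "hit"))
        else:
            cache[k] = a.run(a.inputs(outputs))
            log.append((a.name, "miss"))
        outputs[a.name] = cache[k]
    return outputs

def is_deterministic(action, outputs, runs=3):
    """Hermetic is not deterministic: an action can declare every input and still
    emit different bytes per run.  The key cannot see that; only re-executing on
    identical inputs and comparing output digests can."""
    inp = action.inputs(outputs)
    return len({sha256(action.run(inp)) for _ in range(runs)}) == 1

def cc(inputs):
    """Constructed deterministic 'compiler': concatenate inputs in path order."""
    return b"".join(inputs[p] for p in sorted(inputs))

_undeclared = itertools.count()
def cc_stamped(inputs):
    """Constructed leaky 'compiler': folds in an undeclared input (a stand-in for
    the wall clock or a network response), so same inputs, different output."""
    return cc(inputs) + f" build#{next(_undeclared)}".encode()

def scenario():
    a = Action("lib-a.o", "cc -c a.c", {"a.c": b"int a(void){return 1;}"}, [], cc)
    b = Action("lib-b.o", "cc -c b.c", {"b.c": b"int b(void){return 2;}"}, [], cc)
    app = Action("app", "ld -o app", {"main.c": b"int main(void){return a()+b();}"}, [a, b], cc)
    stamp = Action("version.txt", "stamp", {"VERSION": b"1.0"}, [], cc_stamped)
    graph, cache = [a, b, app, stamp], {}
    cold, upgraded, reverted = [], [], []
    build(graph, cache, cold)                         # everything executes
    a.srcs = {"a.c": b"int a(void){return 42;}"}      # lib-a-v1 -> lib-a-v2
    outputs = build(graph, cache, upgraded)           # lib-a.o and app miss; lib-b.o, stamp hit
    a.srcs = {"a.c": b"int a(void){return 1;}"}       # revert the upgrade
    build(graph, cache, reverted)                     # every key matches an old entry
    return {
        "cold": cold, "upgraded": upgraded, "reverted": reverted,
        "app_deterministic": is_deterministic(app, outputs),
        "stamp_deterministic": is_deterministic(stamp, outputs),  # cache hit above hid this
    }

if __name__ == "__main__":
    print(json.dumps(scenario(), indent=1))
```

Note what the cache does and does not tell you: `version.txt` hits the cache on the second build because its declared inputs are unchanged, so the key-indexed cache happily serves a result that a fresh execution would not reproduce. Hermeticity (everything the action reads is in its key) is what makes invalidation sound; determinism is a separate property that has to be checked by re-execution, which is why "hermetic" and "reproducible" are related but not the same guarantee.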

        2. 1

          Hah! You just helped me out earlier today on the Bazel Slack. Nice to see you around here as well!

      2. 1

        I think we need to understand their threat model to better understand why it is “trusted source”. It seems they tried to use ephemeral VMs (or locked-down containers) to avoid the builder being compromised through the Bazel remote build execution path (i.e. inject code to take over these builders and then inject malicious code into the cache). Of course, it doesn’t protect against cases where their container repos are compromised and start to ship malicious container images to these VMs.

    3. 17

      The whole premise of the post is based on a shaky conjecture and as a whole a little bit alarmist.

      At one point there was a collective push to make GitHub stop providing services to Russia and Belarus because of the war. GitHub replied that they won’t stop providing services or restrict access.

      One possible explanation (linked in the OP) is GH compliance with US sanctions against some Russian organizations (namely, select banks). If that’s the case then it’s hardly GH who can’t be trusted. No US company is immune to this.

      Another explanation might be that people might’ve deleted their accounts themselves in an act of defiance, for example. OP doesn’t provide any confirmation from those people that it was GH who deleted/suspended their accounts. The main source for GH’s fault theory is one Polish guy’s comment merely suggesting the possibility.

      I get the frustration but don’t support laying blame thick on GitHub when there’s no evidence of fault, no comments from GitHub, nor from the closed accounts’ holders.

      1. 6

        I’m not convinced that it matters whether github closed the accounts or not. Even if, as you suggest, these people might’ve deleted their accounts in an act of defiance, the way this deletion adversely impacted the poster’s project is a deficiency on GitHub’s side of the ledger. A hosting service that destroys your project’s history this way can’t be trusted.

        The behavior is a fault. Even if there’s no malice involved.

        1. 8

          Deleting accounts, to my knowledge, doesn’t delete PRs and issues. It replaces references to the user with “ghost”.

          1. 4

            Agreed. I ran into several of these ghost accounts just this week. But in that case, no essential information is lost, just names.

        2. 7

          I’m not convinced that it matters whether github closed the accounts or not.

          Turns out monopolies are bad even before they turn abusive.

          Feels like we should have learned this lesson already, but here we are.

        3. 1

          I don’t think it’s that clear cut. If I deleted my account I would like it all to be deleted and not scattered around the internet. My PR is mine until it’s accepted. I want to be able to delete it. Likewise, if it’s GH’s doing, they probably want to remove all code of an offending account.

          Despite the OP’s frustration they’re not entitled to those PRs.

      2. 3

        I’ve seen independent confirmations that some accounts are indeed banned, and that PRs and issues of banned accounts are also deleted.

        https://habr.com/ru/news/t/661113/

    4. 2

      If only they had an iOS version. I loved K-9 when I was primarily an Android user. iOS Mail just can’t keep up.

      1. 2

        iOS Mail is a truly awful mail client, yet macOS mail is probably my favourite mail client. As far as I know, the same team is responsible for both at Apple. I have no idea how it ended up in this state.

      2. 1

        I agree, also loved K-9 when I was on Android. Have you had a chance to experiment with iOS clients by any chance? Haven’t found anything that quite works as well, stuck on the default Mail app…

    5. 3

      Am I mistaken or does Thunderbird handle this well? Our emails go through urldefense.proofpoint.com, and sometimes, if the text is the original link, it shows a pop up asking me which link I want to go to–the original, or the proofpoint proxy.
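The behaviour described above (a prompt when an anchor's visible text is a URL that differs from its target) is a client-side defence against link spoofing, and URL-rewriting proxies such as Proofpoint's make every such link look mismatched. The following is an added example, not Thunderbird's or Proofpoint's code: it unwraps URL Defense v2 links to the real destination first, then flags only anchors whose visible URL points at a different host than where the click actually lands. The v2 decoding rule (`_` for `/`, `-XX` for a hex-escaped byte) is my understanding of that format, and the mail body is constructed.

```python
"""Flag HTML-mail links whose visible text is a URL pointing at a different
host than the real target, unwrapping Proofpoint URL Defense v2 links first.
Added example, not Thunderbird's or Proofpoint's code.  The v2 decoding is my
understanding of the format (`_` stands for `/`, `-XX` for a hex-escaped byte);
the mail body below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

def unwrap_urldefense_v2(url: str) -> str:
    """Return the destination encoded in a urldefense v2 link, else the URL unchanged."""
    p = urlparse(url)
    if p.hostname != "urldefense.proofpoint.com" or not p.path.startswith("/v2/url"):
        return url
    encoded = parse_qs(p.query).get("u", [None])[0]
    if encoded is None:
        return url
    # Order matters: `_` -> `/` first, then `-XX` escapes (so `-5F` yields a literal `_`).
    return re.sub(r"-([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)),
                  encoded.replace("_", "/"))

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

# Visible text that a reader would take for a URL: optional scheme, a dotted
# host, optional path/query/fragment, no whitespace.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)

def host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def suspicious_links(html: str) -> list:
    """Anchors whose text reads as a URL but resolves to a different host than
    the (unwrapped) href.  Text that merely names the proxy's original link is
    not a finding: after unwrapping, text host and target host agree."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        target = unwrap_urldefense_v2(href)
        if URL_LIKE.match(text) and host_of(text) != host_of(target):
            findings.append({"text": text, "href": href, "target": target})
    return findings

# Constructed mail: a legitimately proxied link, a spoofed one hiding behind
# the same proxy, and a plain-text anchor that should not be considered.
SAMPLE_MAIL = """
<p>Your statement is ready. Sign in at
<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__www.example-2Dbank.com_login&amp;d=DwMFaQ">https://www.example-bank.com/login</a>.</p>
<p>Reset your password: <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__login.evil.test_reset-3Fid-3D7&amp;d=DwMFaQ">https://www.example-bank.com/reset</a></p>
<p>Questions? <a href="https://www.example-bank.com/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_MAIL):
        print(f"{f['text']} -> {f['target']}")
```

Unwrapping before comparing is the design choice worth noting: comparing the visible text against the raw proxy URL, as a generic mail client must, produces a prompt on every proxied link and trains users to click through; comparing against the decoded destination keeps the warning for the case that matters. Only the v2 scheme is handled here; other rewriting services and Proofpoint's later formats encode differently and would need their own decoders.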

    6. 3

      I am finishing up an essay I’ve been working on for a month or two that’s part of a series that bridges human languages and programming languages. I’ll probably post here, I’m not entirely sure. I’m talking about how to discover supplemental tests and frame up Acceptance Test-Driven Development, but because I don’t clearly spell that out, I’m concerned it might not look relevant (even though it is).

      Looks like I’m also rebuilding an EC2 instance I’m using for a wiki. I really, really like Wikimedia, and ever since I took down my old wiki I miss having the option to format related material using a wiki. It just does some things much better than anything else I’ve ever used does.

      I’m also thinking about downloading that alien life evolver from GitHub and playing around. Those are some really cool pictures!

      1. 2

        I’d be interested to read that essay. I can also think of a couple of people in my circles who’d be interested as well. :)

    7. 6

      The usual problem encountered when cross-compiling from a non-macOS system to macOS is you need the macOS headers and it’s against the licence agreement to redistribute them or even use them on non-Apple hardware:

      You may not alter the Apple Software or Services in any way in such copy, e.g., You are expressly prohibited from separately using the Apple SDKs or attempting to run any part of the Apple Software on non-Apple-branded hardware.

      How does Zig handle this?

      Edit: having said that, this repo has existed for a long time and hasn’t been taken down yet…

      1. 17

        it’s not against the license agreement. the header files are under the APSL https://spdx.org/licenses/APSL-1.1.html

        1. 3

          Even if it was, it’s probably not enforceable. Didn’t we have a ruling a while back stating that interfaces were not eligible for copyright?

          1. 2

            That was Oracle v Google, right?

            1. 2

              That’s the one. If I recall correctly, Google originally lost, then appealed, and the ruling was basically reversed to “interfaces are not subject to copyright”.

              Now that was American law. I have no idea about the rest of the world. I do believe many legislations have explicit exceptions for interoperability, though.

              1. 6

                That’s the one. If I recall correctly, Google originally lost, then appealed, and the ruling was basically reversed to “interfaces are not subject to copyright”.

                The Supreme Court judgement said ‘assume interfaces are copyrightable; in this case Oracle still loses’. It did not make a ruling on whether interfaces are copyrightable.

              2. 3

                and the ruling was basically reversed to “interfaces are not subject to copyright”

                Not exactly, the ruling didn’t want to touch the “interfaces are not subject to copyright” matter since that would open a big can of worms. What it did say, however, was that Google’s specific usage of those interfaces fell into the fair use category.

                1. 1

                  Ah, so in the case of Zig, it would also be fair use, but since fair use is judged on a case by case basis, there’s still some uncertainty. Not ideal, though it looks like it should work.

                  1. 2

                    There’s no useful precedent. Google’s fair use was from an independent implementation of an interface for compatibility. Zig is copying header files directly and so must comply with the licenses for them. The exact licenses that apply depend on whether you got the headers from the open source code dump or by agreeing to the XCode EULA. A lot of the system headers for macOS / iOS are only available if you agree to the XCode EULA, which prohibits compilation on anything other than an Apple-branded system.

                    1. 1

                      I recall that Google did copy interface files (or code) directly, same as Zig?

                      1. 3

                        Java doesn’t have any analogue of .h files, they wrote new .java files that implemented the same methods. There is a difference between creating a new .h file that contains equivalent definitions and copying a .h file that someone else wrote. If interfaces are not copyrightable, then the specific serialisation in a text file may still be because it may contain comments and other things that are not part of the interface.

        2. 1

          Interesting. Ok so does Zig just include the headers from the most SDK then?

          1. 10

            The way zig collects macos headers is still experimental. We probably need to migrate to using an SDK at some point. For now it is this project.

            1. 1

              I’d be super nervous about using this in production. This is using code under the Apple Public Source License, which explicitly prohibits using it to circumvent EULAs of Apple products. The XCode EULA under which the SDKs are prohibited explicitly prohibits cross-compiling from a non-Apple machine. I have no idea what a judge would decide, but I am 100% sure that Apple can afford to hire better lawyers than I can.

              1. 3

                Zig has nothing to do with xcode. Zig does not depend on xcode or use xcode in any way. The macos headers have to do with interfacing with the Darwin kernel.

      2. 1

        Edit: having said that, this repo has existed for a long time and hasn’t been taken down yet…

        Apple generally doesn’t bother with small-scale infringement. They care about preventing cross compilation only insofar as it might hurt Mac sales.

    8. 2

      It’s 2020, we still don’t have a good Linux laptop which competes with Macbooks yet.

      1. 6

        What about Dell XPS Developer Edition?

        1. 1

          13” is a bit small for the developer version.

          1. 3

            They also have the Precision with Ubuntu pre-installed. It’s the XPS15 with better hardware under the hood IIRC.

      2. 3

        Thinkpads compete just fine. In fact, they beat Macbooks outright. I cannot find a single flaw with the T495s I’m typing this on. Incredible battery life, sharp screen, good keyboard and trackpad, a decent number of ports, good cooling, lightweight and portable. Personally I like the aesthetics of the Thinkpad more than the Macbook’s too, but that’s subjective.

        1. 3

          Thinkpads compete just fine. In fact, they beat Macbooks outright.

          As someone who happily chooses to use a ThinkPad T480 after many years of using Apple laptops, I disagree vehemently. I bought mine when my macbook pro died and the only new Apple replacements were the terrible keyboard, touchbar endowed models that maxed out at 16GB RAM. That didn’t work for me, so I went T480.

          The screen is a downgrade. The keyboard is an upgrade. The touchpad is a cruel joke. Fortunately, I can just turn the touchpad off and use the trackpoint. Battery life is better. The cooling is worse. CPU throttles regularly. I may open it up and re-paste it; I hear that helps.

          Getting Linux to work well on it was bumpy. I use Fedora. Setting up disk encryption so that it worked across two drives was a royal PITA. I still have to hold my jaw just right when I plug or unplug my thunderbolt 3 docking station. Most of the time I choose to shutdown first. Resolution scaling doesn’t work half as well as it did on Mac. Jetbrains tools can lock up the entire gui. The wired ethernet adapter on the Lenovo thunderbolt dock is hideously slow; it’s actually faster to use wifi. Multiple displays still suck compared to Mac.

          Make no mistake. I like this machine, and am happier overall with it than I was with my macbook setup. It wins for me, as a software developer, on balance. Especially when I consider that, when I bought it, this $2100 rig would’ve cost $3500 for something from Apple with half the RAM but a faster CPU and SSD.

          But there’s no way I’d say it wins outright. Even if you gave me a week to tweak Linux the best I could, I could not hand it to any of my Macbook-toting friends (who are not software developers) and expect them to have a better experience with my hand tweaked thinkpad than they have out of the box on their Macbook.

          1. 1

            The screen is a downgrade

            I strongly prefer the matte screen on the Thinkpads. I also got the 400nit low-power screen and its colour range is incredible. I have used Macbooks before briefly and they definitely have good screens (especially so 5-6 years ago, when they had the highest res screens in laptops), but my T495s’ screen is equally good, if not better, thanks to it being matte.

            The touchpad is a cruel joke

            Touchpads are the one thing that Macbooks have an edge in and I’ll admit that. But the T495s’ touchpad is nowhere near that and I like it a lot. I also use the trackpoint a lot; took a while to get used to, but it’s quite powerful.

            1. 1

              I strongly prefer the matte screen on the Thinkpads.

              While I think, based on looking over the shoulders of colleagues, that Apple has gotten the anti-glare coating on their glossy screens good enough that I could happily use them, I was comparing my T480’s screen to my (2011 or 2012?) MBP17’s matte 1920x1200 screen that it replaced. That MBP17 was by quite some distance my favorite laptop screen ever. If I could get that keyboard/battery/trackpad/screen with a modern motherboard, I’d happily do so.

              Based on your description of the 495, it sounds like they improved the matte screen between the T480 and the T495. I’d rate the 480’s as passable but not great.

              They may also have improved the touchpad; the T480’s touchpad makes me understand why so many Thinkpad users hate touchpads. (Or maybe Apple ruined me for those.) I like the trackpoint a great deal, though, so I’m happy as long as I can disable the touchpad. And I actually don’t run it fully disabled these days. I have all of its “click” functionality turned off, set its scrolling to two finger only mode, and use it like a big scroll wheel so that my trackpoint middle button functions like a traditional middle mouse button. I’m pretty happy with that.

              I really love the giant external battery on the T480. I routinely get 12 hours of heavy VMware usage or 22+ hours of browsing/editing usage with the 72Wh. I’m disappointed and annoyed that they seem to have discontinued this feature on the 490 series, and really hope they bring it back.

        2. 1

          Same question: what’s the battery life on Linux?

          1. 1

            I consistently get 9-10 hours and I haven’t even bothered to optimise it.

          2. 1

            To add another datapoint for you, on my T480 with the big 72Wh rear battery, I see 12-ish hours of heavy compiling/VM testing usage. 22+ hours of browsing and text editing. I’m running Fedora 31 with powertop and tlp packages to manage power, but no manual customization on those.

    9. 5

      Here’s to not paying for a Windows install I’ll never use!

      I suspect I’ll need a new machine later this year so this is great for me.

    10. 18

      Personal: I’ve been working on a recipe website after some friends and I got frustrated at how bloated existing recipe sites are. It is privacy friendly, fairly accessible and hopefully easy to use.

      University: My next university semester starts this week (I’m studying part time as well as working). I’m doing reading-heavy courses this semester so I’ll have to spend time working through the assigned papers.

      Work: Trying to keep productive while working from home, partially succeeding :)

      1. 6

        yep, the minimalism rocks!

        hint from an old guy: bigger font, please! just imagine you’re almost 50, the arms are too short to hold anything to read, and you want to use minimalrecipe on a tablet fixed to a kitchen cupboard door.

        1. 3

          You can zoom the page to make the fonts bigger.

          1. 6

            Counterpoint:

            Your hands are covered in ground beef, eggs and spices. You want to know what the next part to the recipe is but it’s sitting on the counter a few feet away. If the font is big everything is cool. Otherwise, you’re going to need to wash your hands, check the recipe, stick your hands back in the mixture, finish and wash your hands again. (Or try to use that one knuckle that’s clean on the trackpad, but I don’t recommend it.)

            Sure you can zoom at the start, but if you forgot you may be SOL in the middle of some steps.

          2. 1

            I agree. The default font size on the web is standard, it’s something like 16 CSS px if I remember correctly. Every website should use this size for body text. But hopefully one CSS px is not one pixel on the display and good web browsers support adjusting this ratio through zooming. I don’t remember how to do this on Android (from memory it was a bit awkward on Chrome), but on iOS there’s the “aA” button at the left of the URL bar and you can also set a default level in the settings.

        2. 2

          Thanks! I’ll think about ways we can cater for this, though I’d prefer not to increase the default font size too much. Perhaps we could have a setting that increases the font size, but would probably have to have a cookie notice if we were to make it persistent between visits (I think?). Another idea we’ve discussed was having a ‘viewing mode’ just for tablets in the kitchen.

          1. 2

            CSS can accomplish this fairly simply with some well-placed media queries to provide different font sizes depending on the display’s logical resolution.

      2. 3

        Oh wow, that recipe website rocks! It’s a breath of fresh air.

        1. 1

          Thank you very much :)

      3. 2

        This is awesome. Where are you planning to take your recipe site?

        1. 1

          Thank you! We just want to grow the number of high quality recipes that are on there to maximise the public good that the website can bring. We’re not looking to make a living or anything. The idea is to keep the features simple and people-first (privacy first, accessibility first, etc). Hopefully then we will naturally gain usage, and full bellies :)

          1. 1

            I note that the crepes recipe mentions keeping batter in the fridge and making more later. Is that even possible? I’ve always seen the batter run out before people’s appetites. :-)

            Also, the Irish Soda Bread recipe doesn’t have units on its oven instructions.

            1. 1

              I’ve had that happen when my eyes were bigger than my belly!

              Thanks, I’ll fix that soon. :)

              Edit: Fixed.

      4. 2

        Padrón peppers? Is there a Galician in our midst?

        1. 2

          Nope, the site is made by two British people and a French person, but that doesn’t mean we don’t love food from a little further West!

          1. 2

            Ah, gotcha! My father is from Galicia, but in California it’s a lot more common to see shishito peppers.

      5. 2

        This looks fantastic! Bookmarked. Do you have any thoughts on allowing people to add recipes via GitHub or something similar (and you folks still get to control what gets in)?

        1. 2

          Thanks a lot! At the moment, we’re taking suggestions via email (suggestions@minimalrecipe.com) but might let people submit PR’s directly in the future.

      6. 2

        I’m also working on one of these! We have a recipe database but all the individual recipes are still on bloated websites and it’s very frustrating.

        Do you use the canonical recipe format?

        1. 2

          We don’t use the recipe format, but that’s a great suggestion. Thanks!

          1. 2

            Update, we just implemented this. It’s live now and we’ll improve the integration in the future.

            1. 2

              Amazing! I’m excited to check it out.

      7. 2

        This is great. I love the minimal design.

      8. 1

        Do you have plans to open source the recipe website? I am looking to build my own collection.

        1. 2

          Not yet, possibly in the future :)

    11. 4

      This seems interesting, and a little neater than Riot. It still, however, lacks support for encrypted chats. I’m bookmarking it though!

      1. 1

        Yeah. I personally don’t use it as security is more important to me than features and user interface.

    12. 1

      I use an early-2015 MacBook Pro (the last one before the butterfly keyboard and touch bar) dual booted with MacOS and a linux based distro. I think it’s going to be time for an upgrade in the next year or so, and I’ll probably get a ThinkPad and move my linux installation over to that.

    13. 2

      I just finished Black Swan and 21 Lessons for the 21st Century. Now reading A Gentleman in Moscow.