Threads for awal

    1. 3

      I’m trying to get back to writing and sharing small side projects.
      For a couple years now, I’ve been toying with large ideas in isolation. It isn’t the worst, but I do miss sharing things.

      Last month I wrote a tinyproxy replacement in async Rust, https://codeberg.org/awal/snoyproxy. It’s a drop-in replacement for most use-cases, so if anyone tries it, please do let me know how it goes!

      This weekend, I’m hoping to start a tiny image editor for Linux which can be used in shell scripts. i.e., reads image data/path from stdin/argv, displays the image with a small UI for annotations/cropping/rotation/etc., and returns image data/path to stdout when user is done. If anyone would like to pair with me on this, you’re most welcome!

    2. 27

      (Original) headline is misleading.

      “Mandate less secure” makes it sound like they want to downgrade the algorithm selection. Actual article text says that they want to mandate certain CAs for better security, but that their plan happens to be bad.

      I’d flag this as “incorrect” but that flag isn’t available anymore. 🤷

      1. 7

        The article says it will force browsers to accept CAs that do not currently meet the requirements for their root programs.

        How is that not making them less secure?

        1. 7

          Goals vs. outcomes. There have been actual efforts to make TLS less secure—that is, with the stated goal of making TLS less secure—and this is not one of them.

          If the title were “EU proposal would force browsers to accept less secure certificates” then the title would not be implying intent. But using the phrase “plans to” speaks to intent, which makes it incorrect.

          1. 7

            No. This legislation would mandate less secure certificates. The point of a certificate is solely proving identity, and this legislation mandates browsers accept a substantially less secure CA’s certificates.

            Hence the certificates are less secure. It would matter if they used a 16-bit key; they would still be less secure for their one purpose.

            1. 2

              Again, I’m speaking about goals vs. outcomes and the wording of the title. You seem to be arguing about the outcome, even though I don’t necessarily disagree with you about that.

              1. 5

                The title is “EU plans to mandate less secure certificates in browsers”. That is the correct title.

                The EU’s intent is to improve security (debatable), but the mandate isn’t “browsers must make PKI safer”, the mandate is that browsers must support certificates from unsafe/insecure CAs. Which is what the title says.

                1. 4

                  Scenario: Olliej wants to go out to get some groceries. Olliej gets the keys to his petroleum fuel burning transportation device.

                  Two headline options:

                  1. Olliej plans to burn petroleum fuel and release toxic gases in the environment.
                  2. Olliej’s ride to grocery shopping will burn petroleum fuel and release toxic gases in the environment.

                  Which one would you say is more accurate?

                  1. 2

                    Not a reasonable analogy as it assumes the person making the action is the person making the decision.

                    A better equivalent would be:

                    People drive to grocery stores

                    In order to prevent traffic jams due to cars running out of gas, a law is planned that requires people to have 20kms of gas in the car.

                    People now have to buy a gas can for their electric cars.

                    The goal: stopping people running out of gas

                    The solution: require people have a gas buffer

                    The plan: require every car to have a gas tank

      2. 3

        Yeah, the title is misleading. Things like that are common in journalism, but of course the rules on here are stricter about that kind of thing. I don’t really see the point of mandating certain ones for better security rather than all; would there even be a benefit to that besides a slightly stricter/more secure authority on certs?

      3. 1

        The title should probably be changed to “EU plans to mandate less secure certificate authorities in browsers”

    3. 7

      Malleable identifiers make signed patches the default, while allowing users to later change their personal details (email address, name, login…). The full story for synchronising these identifiers from multiple different source repos is not yet completely written. Testing and suggestions are welcome!

      This is an interesting design decision. As far as I can tell, there are two options, both of which are bad. The git option is to make these part of the hash and immutable. This means that:

      • If there’s a GDPR right-to-be-forgotten request on a public repo and you have to erase someone’s email address, you may need to rewrite history and end up with broken downstreams.
      • If you need to fix a commit message after pushing, then you can’t without breaking downstreams.

      The Pijul option to make them mutable is also problematic:

      • It’s easy to change the commit message to a different one after review, which makes it easy to hide changes.
      • You can’t rely on the authorship information for copyright ownership auditing.
      • You can’t detect tampering with commit messages / authorship if the repo is compromised.

      I think my ideal solution would be to make these things separately signed such that you have an audit trail of updates but you can also retain a hash of old versions if you need to delete them from the public tree. This would let you delete someone’s email address but still preserve a public log of the fact that the author was updated after the original commit. It would let you rewrite the commit message but (unless explicitly deleted) preserve the original in the audit trail.

      1. 22

        It’s possible I’m misunderstanding the Pijul docs on this, but I believe Pijul handles the situation quite nicely. The commits themselves are immutable, but instead of signing them with a string of your username/email, you sign them with a public key. There is then a mutable mapping file from public key to author details.

        I think this is a good overall solution, because if an author wants to delete their details they just delete the entry in the map file. But the commits stay immutable like Git.
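The design sketched in the parent comment (immutable, signed patches; a separately signed, mutable key-to-author mapping with an audit trail that keeps only a hash of deleted details) combined with the model this reply describes (the author is a public key, details live in a mapping outside the patch), as an added example in Go. This is illustration code written for this page, not Pijul’s code or format: the patch layout, the hashing scheme, the ed25519 choice and the sample author are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Patch is immutable. Its author is a public key, so the hash holds no name or e-mail.
type Patch struct {
	AuthorKey ed25519.PublicKey
	Message   string
	Diff      string
	Signature []byte // ed25519 signature over Hash()
}

// Hash commits to the author key, message and diff (length-prefixed fields).
func (p Patch) Hash() []byte {
	h := sha256.New()
	h.Write(p.AuthorKey)
	fmt.Fprintf(h, "\x00%d:%s\x00%d:%s", len(p.Message), p.Message, len(p.Diff), p.Diff)
	return h.Sum(nil)
}

func NewPatch(priv ed25519.PrivateKey, message, diff string) Patch {
	p := Patch{AuthorKey: priv.Public().(ed25519.PublicKey), Message: message, Diff: diff}
	p.Signature = ed25519.Sign(priv, p.Hash())
	return p
}

func (p Patch) Verify() bool { return ed25519.Verify(p.AuthorKey, p.Hash(), p.Signature) }

// Identity is the mutable, personal part: who a key currently belongs to.
type Identity struct{ Name, Email string }

// IdentityEvent is one signed audit-trail entry. A deletion keeps only a hash of
// the removed details, so the log records that the mapping changed without them.
type IdentityEvent struct {
	Key       ed25519.PublicKey
	New       Identity // zero value means "mapping deleted"
	OldHash   []byte   // sha256 of the previous details, nil for the first entry
	Signature []byte   // by the key owner, over Key, New and OldHash
}

func (e IdentityEvent) signedBytes() []byte {
	h := sha256.New()
	h.Write(e.Key)
	fmt.Fprintf(h, "\x00%s\x00%s\x00", e.New.Name, e.New.Email)
	h.Write(e.OldHash)
	return h.Sum(nil)
}

// IdentityStore lives outside the patch hashes, so editing it invalidates no patch.
type IdentityStore struct {
	Current map[string]Identity // keyed by string(public key)
	Log     []IdentityEvent     // append-only history of every change
}

// Set records a new identity for the caller's key (zero value = deletion).
// Only the holder of the private key can change its own entry.
func (s *IdentityStore) Set(priv ed25519.PrivateKey, id Identity) {
	if s.Current == nil {
		s.Current = map[string]Identity{}
	}
	pub := priv.Public().(ed25519.PublicKey)
	ev := IdentityEvent{Key: pub, New: id}
	if old, ok := s.Current[string(pub)]; ok {
		sum := sha256.Sum256([]byte(old.Name + "\x00" + old.Email))
		ev.OldHash = sum[:]
	}
	ev.Signature = ed25519.Sign(priv, ev.signedBytes())
	s.Log = append(s.Log, ev)
	delete(s.Current, string(pub))
	if id != (Identity{}) {
		s.Current[string(pub)] = id
	}
}

// VerifyLog: every entry must carry a valid signature by the key it describes,
// so a repository compromise cannot quietly rewrite who a key belonged to.
func (s *IdentityStore) VerifyLog() bool {
	for _, e := range s.Log {
		if !ed25519.Verify(e.Key, e.signedBytes(), e.Signature) {
			return false
		}
	}
	return true
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	var store IdentityStore
	store.Set(priv, Identity{"Alice Example", "alice@example.org"}) // constructed sample author
	p := NewPatch(priv, "Fix off-by-one", "-for i <= n\n+for i < n\n")
	store.Set(priv, Identity{}) // erasure request: mapping removed, only its hash stays in the log
	_, known := store.Current[string(p.AuthorKey)]
	fmt.Println(p.Verify(), known, store.VerifyLog()) // true false true
}
```

Changing or deleting the mapping never touches a patch hash, so downstream clones stay valid, while the signed log still shows that the entry for that key changed. What this does not solve is the point raised further down the thread: the public key itself remains in every patch and can identify a person across repositories.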

        1. 4

          I believe what David is saying is that it’s not necessarily enough for the commits to stay immutable. You need an audit trail of changes to authorship as well. If that isn’t a problem for your use cases then Pijul will be fine. If you do need an audit trail of changes to authorship though then Pijul’s mechanism will be problematic.

          1. 16

            If you do need an audit trail of changes to authorship though then Pijul’s mechanism will be problematic.

            Quite the opposite: patches that don’t have a fixed author name must be signed, which is actually stronger than plaintext in the commit, not weaker. Sure, you need to trust the key owner on their identity, but you have the same problem with plaintext author names.

          2. 7

            Ah, I see. Thanks for clarifying.

            In that case, I think the public/private key is the audit trail, no? I don’t think a different author can “claim” the commits, but the original author can change their email address/name. I see it more like scuttlebutt’s approach to naming[1]

            [1] everything is public/private key, and names/nicknames or whatever are mappings individuals can apply independently

        2. 4

          just delete the entry in the map file

          Do you mean remove just the username/email mapped to the public key or do you remove the public key as well?

          In the former case, what happens when someone sends a “right-to-be-forgotten request” to remove the public key? Surely the author could have used the same public key at other public places from where they don’t want to remove it, and thus the key itself could be construed as PII.

          In the latter case, how do you actually verify the entire trail without the public keys?

      2. 13

        It’s easy to change the commit message to a different one after review, which makes it easy to hide changes.

        You can’t do that in Pijul, only the mapping between author and signing key.

        You can’t rely on the authorship information for copyright ownership auditing.

        Quite the opposite, the patches are signed! This is stronger than plaintext author names.

        You can’t detect tampering with commit messages / authorship if the repo is compromised.

        You can, if you trust the key or the reviewer’s key.

        1. 6

          Nice, thanks! Since you’re depending on keys, what is your revocation story? If my secret key is compromised, what do I do next?

          1. 2

            This isn’t completely done yet. We decided not to store keys inside the repo, mostly to make it fully mutable, but it isn’t fully fleshed out yet.

            1. 4

              Thanks. With git, email addresses are immutable and so you can use that in auditing if you have some other mechanism for validating the addresses. For public-key crypto, I worry that this is a harder problem. With git, anyone can fake my email address but my repo can require pushes to have out-of-band authentication (for example, the FreeBSD git repo doesn’t accept pushes with the author set to anyone other than the account associated with the credentials used for the push). I know that any email address in the public FreeBSD git repo is the person to point to if there are problems with the code. An email address is an identifier. You can’t compromise an identifier, you can compromise only the authorisation that’s coupled to that identifier. In the case of FreeBSD, that’s an ssh private key, but that key can be revoked and then the attacker can’t impersonate that user anymore.

              With a public key, I’m not sure what the infrastructure would look like. If a private key that is used directly to sign commits is compromised then I have no way of temporally bounding the scope of the compromise. Any patch signed with that key is suspect - it may be valid or it may come from the attacker. You might be able to manage with a trusted service that does the signing and includes a trusted time stamp, coupled with a revocation list, so that you can identify suspect patches and have them signed with the new key if they are valid.

              In general, anything that depends on public-key crypto and doesn’t have a revocation mechanism is suspect. Things that depend on long-lived persistent signed artefacts and don’t have revocation and freshness mechanisms are suspect. Designing this correctly is incredibly hard.

              1. 2

                First, I want to stress that there are indeed two separate issues:

                • Public key signatures when authoring a patch.
                • Public keys/Authentication used to run the command that applies it.

                In general, anything that depends on public-key crypto and doesn’t have a revocation mechanism is suspect.

                Absolutely. That story in Pijul is not complete, and adding revocation certificates shouldn’t be hard. Btw, the current keys have a non-optional expiration date.

                Things that depend on long-lived persistent signed artefacts and don’t have revocation and freshness mechanisms are suspect. Designing this correctly is incredibly hard.

                I fully agree, which is also one of the reasons for this beta: feedback and design discussions on issues like that need to happen before the full 1.0 version.

                1. 5

                  First, I want to stress that there are indeed two separate issues:

                  I agree. The one that I’m interested in is the first:

                  Public key signatures when authoring a patch.

                  This becomes a long-term attestation of authorship.

                  Absolutely. That story in Pijul is not complete, and adding revocation certificates shouldn’t be hard. Btw, the current keys have a non-optional expiration date.

                  But what does expiration mean? If I get a patch from a repo and it’s signed with a key that expired, does that mean I shouldn’t trust it? But the repo metadata says that it was committed a year ago, so does that mean I trust it?

                  The root question is: what is the trust relationship that you’re trying to establish with these signatures? A public-key signature is a verifiable attestation of something. For code signatures, it’s an attestation of a particular publisher. This is backed up by two things:

                  • The public key is signed by something (either a CA or by the distributor of the software). This is another layer of public-key-based attestation where the signing party attests that the key is owned by a specific entity and the entity then attests that they created the software. This depends on some form of trust root (typically a set of root certs distributed with the client).
                  • A revocation mechanism that allows you to stop installing the software after you learn that the key was compromised. At this point, the publisher can create a new key pair, sign a new version of the package with the new private key and ask the publisher or CA to sign the new public key.

                  For TLS, something similar works but the question of what to do with revoked certs is easier because TLS is for interactive sessions and you don’t want to use a TLS cert to verify the authenticity of a connection log from a year ago.

                  There are a few ways that I can see how you’d apply the first part of this in the context of a revision-control system. For example, the repo could form part of a PKI system and sign the public keys of authorised committers to attest that they have gone through some (repo-specific) confirmation of identity. This, in turn, could be signed by a hosting service to attest that the repo used some specific authentication policy. I’m not really sure if any of that would work though.

                  The really tricky part is the second one. A patch in a repo is a long-lived artefact. It may exist for decades. If a key is compromised then it can be used to sign commits in a repo that has its date set in the past. This means that even if I know the date of compromise then the only thing that a signed patch gives me is an attestation that it was authored either by the entity I think created it or by an attacker. This is not a valuable thing to attest. Having a signature here actually makes the situation worse than just having an identity because you have something that looks like it is a trust anchor but isn’t.

                  I honestly have no idea what a useful solution looks like here. Perhaps you can establish a chain of trust over the flow of patches, rather than the patches themselves, so that it’s not the signature of the patch that matters but the signature of whoever gave you the patch (which could provide a chain of custody for the patch set)? That way, if a private key is compromised then it doesn’t matter because it’s only one of the things in the chain of custody and the next one attests that they are happy that this wasn’t one of the malicious uses of the compromised key. The chain of custody could also include the root of a Merkle tree of a CRL so that you can establish some partial ordering between patches being received by a repo and the signing key being revoked?

                  I fully agree, which is also one of the reasons for this beta: feedback and design discussions on issues like that need to happen before the full 1.0 version.

                  I’m looking forward to seeing what you end up with, the rest of the project looks fantastic.

                  1. 1

                    Having a trusted 3rd party attest that it was presented with a particular hash at or before a particular timestamp seems like a good idea. There’s no reason why you would need to have only one TTP, too.

                    you have something that looks like it is a trust anchor but isn’t

                    Honestly I think that’s already a problem. It’s psychologically very easy to assume the authorship on unsigned patches is honest.

                    the next one attests that they are happy that this wasn’t one of the malicious uses of the compromised key

                    This sounds obviously good.
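The timestamp-bounded scheme discussed in this subthread (a trusted third party countersigns a hash with its own clock; a revocation list records when a key became suspect; the verifier judges expiry and revocation at the stamped time rather than at verification time), as an added example in Go. It is illustration code for this page, not Pijul’s design or any real TSA protocol: the record layouts, the KeyStatus fields, the ed25519 choice and the timeline are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// SignedPatch is a long-lived artefact: a content hash signed by an author key.
// Date is whatever the signer claimed; a stolen key can backdate it at will.
type SignedPatch struct {
	Hash      []byte
	AuthorKey ed25519.PublicKey
	Date      time.Time // untrusted
	Signature []byte
}

// Timestamp is a third party's countersignature: "I saw this hash no later than When".
type Timestamp struct {
	Hash      []byte
	When      time.Time
	TSAKey    ed25519.PublicKey
	Signature []byte
}

func tsMessage(hash []byte, when time.Time) []byte {
	b := make([]byte, 8, 8+len(hash))
	binary.BigEndian.PutUint64(b, uint64(when.Unix()))
	return append(b, hash...)
}

// Stamp is the timestamp authority's job: it sees only a hash, never the patch,
// and binds that hash to its own clock.
func Stamp(tsaPriv ed25519.PrivateKey, hash []byte, now time.Time) Timestamp {
	return Timestamp{Hash: hash, When: now, TSAKey: tsaPriv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(tsaPriv, tsMessage(hash, now))}
}

type KeyStatus struct {
	NotBefore, NotAfter time.Time // validity window declared when the key was registered
	Compromised         time.Time // earliest time the key may have been misused; zero if never
}

// Policy holds the trust anchors: accepted timestamp authorities and known author keys.
type Policy struct {
	TrustedTSA map[string]bool
	Keys       map[string]KeyStatus
}

func KeyID(k ed25519.PublicKey) string { return fmt.Sprintf("%x", sha256.Sum256(k)) }

func SignPatch(priv ed25519.PrivateKey, content string, date time.Time) SignedPatch {
	h := sha256.Sum256([]byte(content))
	p := SignedPatch{Hash: h[:], AuthorKey: priv.Public().(ed25519.PublicKey), Date: date}
	p.Signature = ed25519.Sign(priv, p.Hash)
	return p
}

// Trusted attributes a patch to its key only if the author signature verifies,
// a trusted TSA stamped this exact hash at time T, the key was valid at T, and
// T precedes any compromise. Expiry and revocation are judged at the stamped
// time, so an old, stamped patch keeps its attestation after its key is gone.
func (pol Policy) Trusted(p SignedPatch, ts Timestamp) (bool, string) {
	if !ed25519.Verify(p.AuthorKey, p.Hash, p.Signature) {
		return false, "bad author signature"
	}
	if !pol.TrustedTSA[KeyID(ts.TSAKey)] || string(ts.Hash) != string(p.Hash) ||
		!ed25519.Verify(ts.TSAKey, tsMessage(ts.Hash, ts.When), ts.Signature) {
		return false, "no valid timestamp from a trusted TSA for this hash"
	}
	st, ok := pol.Keys[KeyID(p.AuthorKey)]
	if !ok {
		return false, "unknown author key"
	}
	if ts.When.Before(st.NotBefore) || ts.When.After(st.NotAfter) {
		return false, "key not valid at stamped time"
	}
	if !st.Compromised.IsZero() && !ts.When.Before(st.Compromised) {
		return false, "stamped after key compromise"
	}
	return true, "ok"
}

func main() {
	_, tsa, _ := ed25519.GenerateKey(rand.Reader)
	_, author, _ := ed25519.GenerateKey(rand.Reader)
	authorID := KeyID(author.Public().(ed25519.PublicKey))
	t0 := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC) // constructed timeline
	pol := Policy{TrustedTSA: map[string]bool{KeyID(tsa.Public().(ed25519.PublicKey)): true},
		Keys: map[string]KeyStatus{authorID: {NotBefore: t0, NotAfter: t0.AddDate(1, 0, 0)}}}
	good := SignPatch(author, "honest change", t0)
	goodTS := Stamp(tsa, good.Hash, t0.AddDate(0, 1, 0))
	// Key stolen after six months: the thief backdates a patch to t0, but the
	// earliest timestamp it can obtain is after the compromise.
	pol.Keys[authorID] = KeyStatus{NotBefore: t0, NotAfter: t0.AddDate(1, 0, 0), Compromised: t0.AddDate(0, 6, 0)}
	evil := SignPatch(author, "backdoor", t0)
	fmt.Println(pol.Trusted(good, goodTS))                                    // true ok
	fmt.Println(pol.Trusted(evil, Stamp(tsa, evil.Hash, t0.AddDate(0, 7, 0)))) // false stamped after key compromise
}
```

The self-reported Date field is deliberately never consulted: the only time that bounds a compromise is the one a trusted stamper attached, which the thief cannot obtain retroactively. The scheme moves the trust problem onto the TSA’s key and clock, so the TSA needs the same revocation and freshness treatment, and, as suggested above, more than one stamper can be required.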

            2. 1

              It’s not clear to me that key revocation should be handled at the VCS protocol level.

              The important thing is to get universal commit signing and allow layering of arbitrary trust/audit systems on top of that. Even if we could get a significant fraction of developers to invest in a web-of-trust setup … private keys are lost all the time, repo servers get hacked, and individual authors sometimes publish malicious changes.

              What’s important (and what I am hoping Pijul has implemented) is to make it easy to track changes in trust at every level and enable clients/servers to support arbitrary security policies. Can a repo (like NPM) express that a password reset has occurred, a new 2FA token, N-of-M signatures, or some other new protocol we haven’t invented yet?

              Even if Pijul just auto-generates a key pair and stores it in plaintext on the developer’s system, a repo server compromise would show a new developer key being used. That would be a huge step forward over Git’s status quo. For that functionality alone, I think Pijul should disable unsigned commits by default.

      3. 1

        Having immutable data but mutable/evolvable metadata would be great. Mercurial has that (sort of) by allowing to mark some commits as deprecated/hidden. The key thing is to preserve history, but to allow to rework how it is presented (the main tree of changes). The GDPR use case is an interesting and tricky one.

    4. 35

      TL;DR: They stopped sending reverse deltas for rollback and now generate them on-the-fly during installation.

      1. 16

        They gotta be kidding, right?

        We discovered that these transforms and patches can be “observed” by the delta apply step

        “DISCOVERED”. No shit Sherlock! Also, easy to miss icing on the cake at the end of the article:

        [1] The approach described above was filed on 03/12/2021 as U.S. Provisional Patent Application No. 63/160,284 “REVERSE UPDATE DATA GENERATION”

        1. 7

          You clearly haven’t worked at a BigCorp or you’d know they force you to patent anything no matter how trivial. I have several such patents to my name, which I would be embarrassed to link to (the patent plaques I got went straight into the trash). All the nontrivial ideas I’ve had (some of which have shown up in research papers) have never been patented, to the best of my knowledge.

          1. 3

            There is no pressure to patent things at Microsoft.

            1. 1

              I wasn’t pressured, I was just told “sign on the dotted line”. Ditto at Amazon. I’m sure things are no different at GOOG or FB. Big companies are forced to maintain an arsenal of defensive patents for strategic reasons, so I can’t blame them for responding to incentives.

          2. 2

            Can you just put references to the prior art in the patent application and save the examiner some time?

          3. 2

            Yep. An old colleague of mine has a patent for “generating a receipt after a transaction, but not showing the receipt to anyone at the time just storing it somewhere where it’ll get aggregated into a big receipt database” or something to that effect.

        2. 6

          That reminds me of those patch notes when after more than two decades, the Internet Explorer engineers discovered that the DOM can be stored in memory as a tree instead of a long string that contains all the elements [1]. Kind of a “car mechanic discovers the concept of a wheel” moment. The fact that this was a noteworthy thing a few years ago blew my mind. No wonder Internet Explorer was left in the dust by its competitors.

          [1] https://blogs.windows.com/msedgedev/2017/04/19/modernizing-dom-tree-microsoft-edge/

          1. 7

            Using a string data structure (a highly optimized one mind you) for the DOM wasn’t a stupid decision at all back when the DOM really was “just text” and programmatic DOM manipulation wasn’t really a thing.

            1. 1

              Very true, though IE sucked at it even then. :-P

      2. 3

        That’s surprisingly sensible! You can probably generate the rollback delta as you apply the forward patch.

    5. 6

      They’ve blogged about this a bit in the past and the answer isn’t all that straightforward. For the configuration side they sync the configuration to the host from their control plane (source) so that their control plane servers don’t need to be involved in each request. The host side is much more complicated and is OS dependent. On the Linux side it depends heavily on how the individual distro configures DNS resolution. In the case of Windows, macOS, and Linux with systemd-resolved the resolver supports a routing table for DNS queries and can send them to different servers based on a few different criteria.

      1. 3

        While it’s really good to see Tailscale investing in maintaining technical accuracy and readability in their blog, they’ve unfortunately fallen into the same trap as their predecessors.

        Of course, we think we’re more right than others, but the others think the same about themselves, and Debian resolvconf refuses to pick a winner.

        and later

        However, as Tailscale we actually want this behavior, so we use it to set DNS configuration when we can:

        No, you don’t want this behavior. There is no reason for Tailscale to be the authority of DNS on machines where Tailscale is deployed and it should not be handling the forwarding of non-Tailscale queries. A user of dnsmasq or systemd-resolved or similarly capable local DNS resolver should be able to specify which subdomains they want to resolve using Tailscale’s DNS. Should the UI for this tooling be improved? Absolutely. Should the Tailscale stack be where it happens? Certainly not. Multiple VPNs or other overlay networks could exist on the same machine and Tailscale shouldn’t be the one owning edge DNS routing.

        At this point, one wonders why none of the giants have tried to fix the real issue here:

        /etc/resolv.conf does not have support for routing DNS based on the domain name
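The per-domain routing table that the comment above says resolv.conf lacks, and that the earlier comment describes systemd-resolved and dnsmasq as providing, as an added example in Go written for this page (not Tailscale’s, systemd’s or dnsmasq’s code). The Route/Router types and the “routing-only” flag are modelled on systemd-resolved’s ~domain convention; the domains, the 100.100.100.100 resolver address and the other server addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"strings"
)

// Route sends queries for names at or under Domain to Servers; "." is the
// default route. RoutingOnly marks a domain that selects servers but is never
// appended to single-label names (systemd-resolved's "~domain" form).
type Route struct {
	Domain      string
	Servers     []string
	RoutingOnly bool
}

// Router is the per-domain routing table that resolv.conf cannot express.
type Router struct{ routes []Route }

func canon(name string) string { return strings.TrimSuffix(strings.ToLower(name), ".") }

// NewRouter normalises the domains and keeps the caller's order.
func NewRouter(routes ...Route) *Router {
	r := &Router{}
	for _, rt := range routes {
		if rt.Domain = canon(rt.Domain); rt.Domain == "" {
			rt.Domain = "."
		}
		r.routes = append(r.routes, rt)
	}
	return r
}

// Lookup picks the route whose domain is the longest suffix of name on a
// label boundary: "corp.example" beats "example" beats ".", and a route for
// "example.com" does not capture "notexample.com". It returns the servers,
// the matched domain and false when nothing (not even a default) matches.
func (r *Router) Lookup(name string) ([]string, string, bool) {
	name = canon(name)
	best, bestScore, found := Route{}, -2, false
	for _, rt := range r.routes {
		score := len(rt.Domain)
		if rt.Domain == "." {
			score = -1 // the default route loses to any real match
		} else if name != rt.Domain && !strings.HasSuffix(name, "."+rt.Domain) {
			continue
		}
		if score > bestScore {
			best, bestScore, found = rt, score, true
		}
	}
	return best.Servers, best.Domain, found
}

// Expand lists the names to try for a query: a single-label name gets every
// search domain appended (non-routing-only routes, in order), then itself.
func (r *Router) Expand(name string) []string {
	name = canon(name)
	if strings.Contains(name, ".") {
		return []string{name}
	}
	var out []string
	for _, rt := range r.routes {
		if !rt.RoutingOnly && rt.Domain != "." {
			out = append(out, name+"."+rt.Domain)
		}
	}
	return append(out, name)
}

func main() {
	// Constructed configuration: only names under the VPN suffix reach the VPN
	// resolver, the corporate zone goes to an internal server, everything else
	// goes to the default resolver.
	r := NewRouter(
		Route{Domain: "ts.example.com", Servers: []string{"100.100.100.100"}, RoutingOnly: true},
		Route{Domain: "corp.example", Servers: []string{"10.0.0.53"}},
		Route{Domain: ".", Servers: []string{"192.0.2.1"}},
	)
	for _, q := range []string{"git.ts.example.com", "www.lobste.rs", "wiki"} {
		for _, n := range r.Expand(q) {
			srv, via, _ := r.Lookup(n)
			fmt.Printf("%-20s -> %v via route %q\n", n, srv, via)
		}
	}
}
```

With the VPN route marked routing-only and no default route pointing at it, the VPN resolver only ever sees queries for its own suffix, which is the separation the comment above asks for: the overlay network gets its zone, and nothing else leaks to it.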

        1. 3

          Even if you solved it you’d have to wait years for your code to end up in Debian or Red Hat and there’d be a good chance your fix was never accepted widely enough to rely on.

        2. 3

          Is resolv a good place for this though? If we can achieve subdomain DNS server routing with a single line in dnsmasq, is it worth trying to update an old, underspecified config file?

          1. 1

            Not sure. I think reasonable people could disagree on that, especially when it comes to embedded/containers. While I’m personally in the dnsmasq-everywhere camp, we could do better than both the options.

            1. 6

              I fear that at this point unless someone makes a PR to glibc and other such libraries/oses with such an improvement and a distribution-agnostic specification to do it, you may be able to avoid the XKCD Standards problem; but I fear that the pushback is going to be along the lines of “just use dnsmasq/systemd-resolved/libfoobang” or whatever. If you want to champion such a thing then I’d be more than happy to use it, but I wouldn’t want to do it myself. The current state of the world is kinda painful yes but at least it somewhat works enough to bootstrap more elaborate mechanisms.

    6. 10

      There’s not much to it, but I like to keep it minimal: https://bejarano.io

      1. 4

        Minimal here, too: https://soc.me

        (Largely articles on language design.)

        1. 1

          Love your website. The keyboard section is really cool (and the XDG migration status too).

          1. 1

            Thanks!

      2. 4

        I third your minimalism: https://awalgarg.me.

        1. 1

          I like yours

      3. 3

        I love the style, reminds me of good old https://notes.torrez.org/ - a blog design I was always jealous of.

      4. 2

        I like the design - clean and straightforward. At least on mobile. Also the way you organized your sites is also efficient, I think.

        1. 1

          Thanks!

      5. 1

        This is beautiful!

        1. 2

          Thanks!

    7. 12

      It seems like I’m the only one here whose $HOME looks like a junkyard.

      1. 5

        Mine is a junkyard too. It (the /home partition) is also (relatively) small at 15gigs.

        Instead I keep a separate partition (/mnt/awal/) all clean and organized, and then symlink/source a few files and directories back into home. I find that this conveniently allows me to separate machine-agnostic things from machine-specific.

      2. 3

        No, you’re not alone. The only folder I create besides the usual XDG user directories is ~/code, for /bin there is already ~/.local/bin. In my humble opinion, micro managing dotfiles and $HOME subdirectories is plain procrastination (which is not a bad thing per se).

        Edit: typo.

    8. 2

      I use a very simple trick to fix this: https://github.com/awalgarg/curl-tap-sh

    9. 16

      Dell XPS 13 9350 (over two years old now). Previous two were ThinkPad X series. None of them with 15” displays, though.

      My main problem with cheap laptops, and even some expensive “consumer market” laptops is flimsy keyboards with poor key travel or (worse) flex in the top of the chassis when typing (I’m a relatively heavy typist.)

      Plus I value a docking station or a USB type C cable where I can quickly plug in/out at my desk.

      (Your priorities may vary, of course.)

      If you’re on a budget, I recommend looking for something high specced and a couple of years old. My laptop before this one was bought used (two years old) and had belonged to the CTO of a high frequency trading company. Was optioned up completely when new, so build quality and specs were still way above anything available new at that price.

      1. 5

        I have had the XPS 13 9343 for around three years I think. I think it’s great.

        If you’re on a budget

        I bought this particular one refurb from Amazon for ~$900. I feel like I gambled and got lucky.

        After having used this one for so long, I think I’d prefer a laptop with more memory. Everything else has been excellent.

        1. 1

          I bought my laptop used as well. It was in person and the person let me test it, so it didn’t feel like a huge gamble, but it was more time consuming.

      2. 4

        Another (new) XPS user. Enjoying it so far; I had a Zenbook before this and it was cheap components by comparison. I’ve only had mine for 3 months, but so far I’m very happy.

      3. 2

        Thanks. I’m looking at the XPS15. the non-touch model is a strong contender.

        1. 4

          Have an xps15 with Linux, no trouble whatsoever and it’s an amazingly nice experience.

          1. 3

            Maybe I just got a bad release, because I’ve usually had good luck with Dells, but my XPS 15 had tons of thermal problems. The battery started swelling and popped off the trackpad! It was a refurb unit off eBay (but Dell certified), so who knows.

        2. 3

          After dragging my heels forever, I finally settled on an XPS last week as a replacement for the endless series of 2011 Macbook Pros I’ve been wearing out for the past 10 years (2007 Macbooks before that). I don’t like buying new hardware, so ended up with a 4K 9550 / i7 quad / 32 GB RAM from eBay.

          The machine is almost everything I was hoping for, including the touchpad, with one exception: the panel response time is so bad you could measure it with a sand timer. Looking around, it seems this is a long-running complaint with XPS. I’m chatting to the seller to see if he repasted the machine because there was some trick to make the panel behave sanely, but otherwise, looks like this is not the Macbook replacement I’ve been dreaming of :(

          Currently travelling with my trusty beaten up “hobo” Macbook Pro and its barely functional keyboard – it’s almost impossible to beat this machine, and it’s increasingly looking like its final replacement is going to be yet another 2011 Macbook Pro

          Note that many of the XPS 13 models have soldered disk / RAM.

      4. 2

        @lorddimwit

        If you are willing to spend as much, the XPS 15” is great. For a cheaper option, consider Dell’s Inspirons. https://www.dell.com/en-us/shop/dell-laptops/new-inspiron-15-7000/spd/inspiron-15-7580-laptop/dncwwc120h. They used to be of awful quality but the new series is decent (15” 1080p IPS, metallic body, thin bezels, great linux support, reliable build quality, comes with dual drives - SSD and HDD together). I’ve been using one myself for over a year now. But don’t expect more than 3 hours of battery life for serious work, the webcam is garbage, and the aluminium edges will cut your wrists.

    10. 7

      Sweet. There is a similar community here https://github.com/hashbang/hashbang. They provide free shell accounts and I’m told their infrastructure runs on a combination of VPSes/dedicated servers.

      1. 6

        I’m going to start this message the same as I am the Disroot one:

        I’ve heard of them, and I’m pretty sure I have an account! It’s great that there are multiple communities in this space (Hashbang, Disroot, SDF, etc.), it fits perfectly into my philosophy that there should be many communities rather than single organizations serving tons of people.

        It looks like Hashbang is pretty narrow-focused, though. They have shell, chat, and mail, whereas Asymptote’s focus is anything FLOSS that might be useful to a community, so much wider. Both philosophies have their merits, and I don’t believe that one is better than the other, but they’re certainly different.

      2. 1

        I haven’t heard of hashbang.

        The ones I am familiar with are freeshell and tilde.town.

        1. 3

          tilde.town is less of a free shell/hosting provider and more of a social space, though. Asymptote/Hashbang/Disroot are different things to tilde.town.

    11. 8

      Hi, the markup looks solid and neat.

      1. Is the site open-source?
      2. Can you share information about the tech stack?
      3. The page mentions sublevel, created by you, sharing the tech-stack. So I went to the sublevel site from the link in your profile and found a message stating it is “now open source”, but I can’t find a link to the source code repository, will you please share it here?

      Great job, thanks for posting!

      1. 5
        1. Not yet.
        2. Django 2.0, PostgreSQL, Pillow for images, Gunicorn, Jinja2, Sass for themes, django-cleanup and django-simple-captcha. A VPS from DigitalOcean running Ubuntu 16.04 which is faster than 18.04.
        3. Released the code for Sublevel then Microsoft acquired GitHub the next day, so I removed it.
      2. 2

        The chronology is clearly that he got to the page for updating payment information without resetting the password, just by following the link. The password reset was only done later to collect information on “Eve”. So the step 6 as written is correct.

    12. 8

      I see the site is still being served via nginx.

      ~ curl -I https://lobste.rs
      HTTP/2 302
      server: nginx
      […]

      This is really bad for scalability and security. Please switch to apache with php-cgi.

    13. 18

      Just putting this here after a brief conversation in IRC. Don’t think it counts but whatever.

      • The comment in question was most definitely on-topic.
      • Simply by having the word “hate” in it doesn’t mean it is a hate post. Reading it made me laugh, yet in no way did I feel immediately turned off by the story itself. I checked it out further and appreciated its existence anyways.
      • Deletion of the comment was not nice. No. (ignoring the deletion of entire thread since that is just a bug)
      • Momentarily there was a “dragon” feature in the past which let mods mark a comment as dragon, which’d hide it and push it down, but not delete it. It seems to have gone now. I’d suggest bringing it back for cases like these.
    14. 25

      By “are you using containers”, I assume you mean “are you using containers for developing/shipping an application in an isolated environment”, to which the answer is - I don’t. @pushcx did a good job explaining many reasons, I’d try to put it in my own words:

      I find containers to be semantically broken for that purpose. What developers want is better and easier management of state/configuration, and I don’t see how putting all that non-managed state into a deeper room is the solution. How about we fix the problem where it exists instead of covering it under rugs and calling it a day.

      Here is a crazy idea, which is probably never going to see life:

      Let's standardize software configuration! One of my favorite examples of existing “configuration management” is the linux utility visudo. It is used to edit the /etc/sudoers configuration file. While you can just edit the file as it is, using visudo ensures that only one user is editing the file at once, does syntax checks on the file before it takes effect etc. Let's take this a bit further…

      I’d like to see a configuration system (and not dbus or windows' registry) which lets me manage configuration files in plain text, and statically verifies that they will work. i.e., syntax checks, type checks, environment checks (eg. check if the same port is going to be used by multiple applications) etc. and when it catches errors, it should return useful error messages and probably hints on what to fix. We already have amazing static analysis for programming languages - why not configuration systems, which aren’t even Turing complete? :)
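      To make the three kinds of checks described above concrete, here is an added example (written for this page, not code from the comment author or from visudo or any existing tool). It assumes a hypothetical INI-style `[service]` schema with `listen_port`, `bind_address`, `workers` and `tls` keys, runs a syntax stage, a type stage and an environment stage over a set of constructed sample configs, and reports each problem with a hint, including a "did you mean" suggestion for misspelled keys and a cross-file check for two services binding the same address and port.

```python
"""Static checker for plain-text service configs: syntax, types and port clashes."""
import configparser
import difflib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical schema for a generic network service (an assumption of this example):
# key -> (expected type, required?)
SCHEMA = {"listen_port": (int, True), "bind_address": (str, True),
          "workers": (int, False), "tls": (bool, False)}
BOOL_WORDS = {"true": True, "yes": True, "on": True, "1": True,
              "false": False, "no": False, "off": False, "0": False}


@dataclass(frozen=True)
class Finding:
    service: str
    key: Optional[str]   # None for file-level problems such as syntax errors
    message: str
    hint: str

    def __str__(self) -> str:
        where = self.service + (f".{self.key}" if self.key else "")
        return f"{where}: {self.message} (hint: {self.hint})"


def check_syntax(name: str, text: str) -> Tuple[Optional[Dict[str, str]], List[Finding]]:
    """Syntax stage: the text must parse as INI and contain a [service] section."""
    parser = configparser.ConfigParser()
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return None, [Finding(name, None, f"syntax error: {type(exc).__name__}",
                              "every setting must be 'key = value' under a [section] header")]
    if "service" not in parser:
        return None, [Finding(name, None, "missing [service] section",
                              "put the settings under a '[service]' header")]
    return dict(parser["service"]), []


def check_types(name: str, values: Dict[str, str]) -> Tuple[Dict[str, object], List[Finding]]:
    """Type stage: required keys present, values coerced per schema, unknown keys flagged."""
    typed: Dict[str, object] = {}
    findings: List[Finding] = []
    for key, (kind, required) in SCHEMA.items():
        if key not in values:
            if required:
                findings.append(Finding(name, key, "required setting is missing",
                                        f"add '{key} = ...' to [service]"))
            continue
        raw = values[key]
        if kind is int:
            try:
                typed[key] = int(raw)
            except ValueError:
                findings.append(Finding(name, key, f"expected an integer, got {raw!r}",
                                        "use digits only, e.g. 8080"))
        elif kind is bool:
            if raw.lower() in BOOL_WORDS:
                typed[key] = BOOL_WORDS[raw.lower()]
            else:
                findings.append(Finding(name, key, f"expected a boolean, got {raw!r}",
                                        "use true/false, yes/no or on/off"))
        else:
            typed[key] = raw
    for key in values:
        if key not in SCHEMA:  # unknown key: suggest the closest schema key as the hint
            close = difflib.get_close_matches(key, list(SCHEMA), n=1)
            hint = f"did you mean '{close[0]}'?" if close else "remove it or check the schema"
            findings.append(Finding(name, key, "unknown setting", hint))
    port = typed.get("listen_port")
    if isinstance(port, int) and not 1 <= port <= 65535:
        findings.append(Finding(name, "listen_port", f"port {port} is out of range",
                                "TCP/UDP ports are 1..65535"))
    return typed, findings


def check_environment(services: Dict[str, Dict[str, object]]) -> List[Finding]:
    """Environment stage: no two services may bind the same address and port."""
    seen: Dict[Tuple[object, object], str] = {}
    findings: List[Finding] = []
    for name in sorted(services):
        cfg = services[name]
        if "listen_port" not in cfg or "bind_address" not in cfg:
            continue  # already reported by an earlier stage
        endpoint = (cfg["bind_address"], cfg["listen_port"])
        if endpoint in seen:
            findings.append(Finding(name, "listen_port",
                                    f"{endpoint[0]}:{endpoint[1]} is already used by {seen[endpoint]}",
                                    "pick a free port or a different bind address"))
        else:
            seen[endpoint] = name
    return findings


def lint(configs: Dict[str, str]) -> List[Finding]:
    """Run all three stages over a mapping of service name -> config text."""
    findings: List[Finding] = []
    typed_all: Dict[str, Dict[str, object]] = {}
    for name, text in configs.items():
        values, syntax_findings = check_syntax(name, text)
        findings.extend(syntax_findings)
        if values is None:
            continue
        typed, type_findings = check_types(name, values)
        findings.extend(type_findings)
        typed_all[name] = typed
    findings.extend(check_environment(typed_all))
    return findings


# Constructed sample configs for four services (not from any real deployment).
SAMPLE_CONFIGS = {
    "web": "[service]\nlisten_port = 8080\nbind_address = 0.0.0.0\nworkers = 4\ntls = yes\n",
    "api": "[service]\nlisten_port = 8080\nbind_address = 0.0.0.0\nworkes = 2\n",
    "cache": "[service]\nlisten_port = sixty\nbind_address = 127.0.0.1\n",
    "broken": "listen_port = 1\n",
}

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIGS):
        print(finding)
```

      Running the module prints one line per finding: the misspelled `workes` key in `api` with a `workers` suggestion, the non-integer port in `cache`, the missing section header in `broken`, and the `0.0.0.0:8080` clash between `web` and `api`. The stages are kept separate so that a value which failed an earlier stage is not reported twice, which is the same reason the environment check skips services whose port never parsed.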

    15. 22

      You really need to provide some examples of those comments, because it can be really hard to tell the difference between comment quality actually dropping and people just wanting to say “back in my day this was awesome and now it sucks”.

      Especially accusations of trolling need to be substantiated better because the word tends to be grossly overused.

        1. 24

          It seems just about every comment you linked was received with polite, but firm criticism/sensible answers, and didn’t end up spoiling the thread or the community’s view. Now while it’d be great to not have these comments at all, I think those examples actually show the bigger picture - the high maturity level of the people in the community.

          Perhaps the lobsters software should be able to track repeated troll attempts from a single user and raise an alert for moderators to step in. One thing I’ve experienced from moderation of a few communities is that it is generally better to accept more users cheaply, and have stricter rules to kick them out if/when they misbehave.

          1. 9

            It seems just about every comment you linked was received with polite, but firm criticism/sensible answers, and didn’t end up spoiling the thread or the community’s view. Now while it’d be great to not have these comments at all, I think those examples actually show the bigger picture - the high maturity level of the people in the community.

            Amen. I agree, and this is why I don’t think censorship is needed.

            Hacker News is heavily modded and it’s still a cesspool.

            The best way to handle the problem of bad users is not to attract them in the first place. I think that we’re doing a good job of keeping the forum in a state that doesn’t attract the YC type.

            1. 5

              You are such a prolific commentator here, that one of the explicit benefits of HN (compared to lobsters) is that you aren’t there.

              [EDIT] I stand by what I said above, but @angersock is right, I probably could have expressed it better. Some clarification: https://lobste.rs/c/01bj1d

              1. 11

                This is the sort of feedback that is best left to private messages, or that really requires further elaboration and generalization of principle in order to raise the level of discourse. Please consider either of those options in the future.

                1. 12

                  IMO, michaelochurch’s comments are a non-trivial portion of the low quality comments I’ve seen on lobsters. Virtually every single comment by him either insults entire classes of programmers with absurd generalizations or participates in revisionist history.

                  This is the sort of feedback that is best left to private messages

                  I generally agree. I’ve mostly stopped interacting with michaelochurch because all previous interactions have been remarkably negative. But if we’re going to participate in a meta discussion about the comment quality on lobsters, then it seems more than appropriate to air grievances.

                  1. 9

                    While I don’t always agree with michaelochurch’s comments, and sometimes they’re only vaguely related to the parent post (which can be disruptive), I think he’s a valuable member of the community. He holds a minority opinion on a number of issues, but argues them in a thought-provoking way. I’d hate to see lobste.rs as a community push people out because of contrarian viewpoints.

                    1. 3

                      I’d hate to see lobste.rs as a community push people out because of contrarian viewpoints.

                      I wonder if you’d actually walk the walk too.

                  2. 5

                    Hm, I actually liked the “two types” of programmers comment made by michaelochurch and remember thinking “this guy can really write well”. It made me check out his blog and add it to my feed.

                    But maybe that’s because what he wrote down agrees with my opinion?

                  3. 5

                    Virtually every single comment by him either insults entire classes of programmers with absurd generalizations or participates in revisionist history.

                    While we’re on the topic of quality content and all, it would be great if you could back up your claims by quoting something Michael said and telling us why he’s wrong (or why it’s reasonable to get “offended” or upset by it).

                    1. 3

                      I provided links and have otherwise said enough. At this point, it’s up to folks to come to their own conclusions.

                      1. 2

                        I didn’t see anything wrong with what Michael said in the comments you linked to, so you definitely haven’t said enough.

                  4. 3

                    IMO, michaelochurch’s comments are a non-trivial portion of the low quality comments I’ve seen on lobsters.

                    Generally, I think this sort of stat-waving is in poor taste, but I have a higher average karma-per-comment than you do.

                    all previous interactions have been remarkably negative.

                    You made the first personal attack, not me.

                  5. 12

                    This thread is bringing out some of the worst in our posters I’ve seen in a while–let’s not exacerbate things further.

              2. 2

                You are such a prolific commentator here, that one of the explicit benefits of HN (compared to lobsters) is that you aren’t there.

                Banning me from HN was part of a larger effort. They forced Quora (which YC bought) to ban me. On Reddit, they used to attack me heavily with sock puppets and brigades. Then I started getting the death threats, including harassment from homeless on the street (presumably paid off by YCs; it is a common tactic) when I was in the Bay Area. On one occasion, those assholes tried to get me fired.

                I suppose you’re a fan of all that, too?

                If you wonder what I did to piss them off, I wrote a blog post in 2013 where I used the term “chickenhawk” to describe VC’s attraction to inexperienced founders. I never mentioned Paul Graham once in that context, and did not have him in mind, but he took the post to be about him, and the rest is history.

                I’m sure, though, that you think you dislike me because you think for yourself and not because you’ve been told what to think by Paul Graham and his menagerie of boypets. Carry on, then.

                1. 17

                  If you wonder what I did to piss them off

                  You’ve conveniently left out some important details that might color one’s perspective. For an example of such a detail, see: https://news.ycombinator.com/item?id=10017538

                  1. 1

                    I have no idea what point you’re trying to make.

                    1. 10

                      I’d imagine the point was that you were warned by a mod to stop doing something and then banned after you kept doing it.

                      Either those posts were not in fact written by you (which would be consistent with your accusation that they are trying to get rid of you by any means necessary), or you broke the rules of their private space and got kicked out for it.

                      I’m not going to tell you they aren’t out to get you - I have every reason to believe PG would act like that - but the HN ban sure looks like more like regular old moderation than some kind of conspiracy.

                      1. 2

                        Either those posts were not in fact written by you (which would be consistent with your accusation that they are trying to get rid of you by any means necessary), or you broke the rules of their private space and got kicked out for it.

                        The rules, to the extent that they can be argued to exist, are inconsistently enforced. People who point out that Silicon Valley has devolved into a pyramid scheme, and that Y Combinator is morally culpable to a large degree, are treated differently from people who aren’t perceived to represent a threat to Paul Graham’s economic or cultural interests.

                        I’m not going to tell you they aren’t out to get you - I have every reason to believe PG would act like that - but the HN ban sure looks like more like regular old moderation than some kind of conspiracy.

                        They definitely know who I am. I have a couple sources inside Y Combinator (they’re not all bad people).

                        [ETA.] Oddly enough, Paul Graham isn’t as bad as he’s made out to be, and he’s been pretty much retired for close to 2 years. I wouldn’t call him a good person, but he’s not Hitler either. PG can be childish and vindictive, but the evil that YC is known for comes mostly from people under him.

                2. 7

                  They forced Quora (which YC bought) to ban me. On Reddit, they used to attack me heavily with sock puppets and brigades. Then I started getting the death threats, including harassment from homeless on the street (presumably paid off by YCs; it is a common tactic) when I was in the Bay Area. On one occasion, those assholes tried to get me fired.

                  What do you think would cause a diverse group of people across a number of sites to all attack you like that? They can’t handle the truth?

                  1. 1

                    It wasn’t a diverse group of people. It was a small number of people (maybe five). Y Combinator owns Quora, which explains the ban.

                    The death threats could have come from anywhere, and although the Reddit brigade detected last April consisted of 45-70 accounts, it’s overwhelmingly likely in my mind that it was fewer than five people, working together and possibly in the same physical space (YC headquarters).

                    Of course, I don’t know for sure, but I know how these people fight. It’s more likely that a small number of people are doing bad things than that there is a large conspiracy.

                    What motivated them? It’s not that they “can’t handle the truth”. They know the truth. What they don’t want getting out there is how much of this current “startup” bubble is outright fraudulent, not only against employees and customers, but also against the institutional investors who provide the capital.

                  2. 6

                    That is a crazy story.

                    The operative word here is crazy.

                  3. 3

                    As if a blog post could do something like that.

                    At my peak, I got about 2,500 uniques per day. I had a low four-digit Alexa rank in the SF Bay Area.

                    I’ve pulled out of that game. I don’t care about this industry. I enjoy programming, but the tech industry can go to hell (who would know the difference?)

                    1. 2

                      I certainly poked the bear, although I didn’t intend to provoke the specific response I got.

                      In July 2012, I wrote an essay called “Don’t waste your time in crappy startup jobs”. It got about 200,000 hits. That put me on Paul Graham’s radar and soon afterward he put me on “rank ban”, a Hacker News “feature” that would cause my comments to fall to the bottom no matter how many upvotes they got. It wasn’t until 2015 that Gack (the current moderator) admitted to this, but most people in-the-know were aware of it, and I wasn’t the only person affected by it.

                      It wasn’t a personal grudge, on Paul Graham’s end, until about a year later when I wrote this blog post. He thought “chickenhawk” was intended to refer to him. It wasn’t. I didn’t even have him in mind, to be honest. This is probably an exaggeration, coming from one of my sources inside YC, but I was told that after reading that essay, PG couldn’t even get out of bed for three days. At that point, the grudge was personal. Even though he is essentially retired these days, he encouraged his puppies, Gack and Paul Buchheit, to attack me at every opportunity.

                      I was very active as a technology writer. I’ll admit that it took some effort to get the Paul Grahams of the world as pissed off as I did. It’s not something that you just fall into. What I didn’t expect is that these people would take a difference in economic and cultural interests and then try to spin it into something personal and vicious.

              3. 11

                You’re omitting a few details. You were banned from Wikipedia for sockpuppeting, you were banned from Hacker News for calling Marissa Mayer the C-word, and you were banned from Quora for repeated sockpuppeting.

                1. 10

                  You’re omitting a few details. [.. snip ..]

                  Uh.. I totally understand why you posted that, and won’t call it out for being entirely unreasonable given the way this thread (unfortunately) went. So don’t take this personally.

                  But as a plea for the future, could we all please not dig up dirt on our community members? I really think it is one of the saddest things one can do here. And if we really have to judge somebody, then it should be based on their contribution here on lobsters. Not elsewhere, and definitely not over ten years ago elsewhere.

                  There are multiple reasons for this. Through such external sources, we catch a glimpse of community drama and claims without context, with no way to verify these claims, with no way to understand the background. No way to know who’s lying and who’s saying the truth. That community might be toxic, and toxicity often breeds toxicity. I admit, I can be quite toxic on the trollfest that slashdot is. And the past is past, people can change. I no longer participate on slashdot.

                  Along these lines, I can ascertain that when we have a nice friendly community here, then the people here are naturally encouraged to play along and be nice regardless of how they do elsewhere. That is what matters.

                  But when people come in and bring personal grudges and vendettas and dig up dirt, they bring in the toxin from these other communities. It evokes negative feelings and it hurts, and when it hurts, it is easy to forget what a nice community we have here. And so the poison spreads.

                  1. 9

                    But as a plea for the future, could we all please not dig up dirt on our community members?

                    If you peruse this particular community member’s comments, you will note that he speaks frequently of his past interaction with various folks. It at least seems clear to me from his comments that he’s quite willing to discuss the past and his interaction with communities he’s been banned from. He may very well be telling the truth about many things (as you say, there’s no way to know), but one thing is very very clear: he omits critical details that are terribly inconvenient to his narrative. If he’s willing to talk about it, then adding additional context to what he’s saying seems absolutely fair to me.

                    1. 3

                      one thing is very very clear: he omits critical details that are terribly inconvenient to his narrative.

                      I omit details that are irrelevant, regardless of whether they are favorable or not. It’s not like I post, “I’ve received death threats from YC partners” at every opportunity, because who cares? What would I gain from that? I come here to read and talk about technology, not this sort of shit.

                      I don’t talk about this stuff except when asked or provoked. The record shows that you, not me, are the one who turned this thread into a personal-attack-driven shitshow. And you owe an apology to the Lobsters community for doing it.

                      1. 8

                        And you owe an apology to the Lobsters community for doing it.

                        As I said, I could have expressed myself better. I never intended for anything I said to be a personal attack, but I can absolutely see how I came across that way. For that, I apologize to you. My intent was to express how unfavorably I view your contributions to this web site. Intent doesn’t count for much, but there it is.

                        In any case, I’ve learned from my mistake. This will be the last time I respond to you on this web site.

                  2. 9

                    In general I agree with you, but in this case I was responding to a comment in which Church claims he was banned from HN and Quora as part of a larger conspiracy against him (that includes YC paying the homeless to harass him). When someone makes a claim like that, I feel like I need to point out there were several clear reasons for why he was banned.

                    1. -2

                      “Point[ing] out” things that aren’t actually true isn’t a public service. It’s annoying and, frankly, you aren’t very convincing or talented at it.

                2. -4

                  You were banned from Wikipedia for sockpuppeting,

                  That user’s hate page was debunked a long time ago. Most of those accounts don’t even exist. Granted, I did some stupid shit on Wikipedia back in 2004. Just not that.

                  you were banned from Hacker News for calling Marissa Mayer the C-word

                  Not true. I used a different word, “queynte”, specifically because some people consider “cunt” to be a gender slur when applied to a woman. The best translation of “queynte” would be “ornament”, not “crude term for vagina”.

                  you were banned from Quora for repeated sockpuppeting.

                  I am aware of that being their stated reason. However, those sock puppet accounts didn’t exist.

                  Back when I had an active blog, Marc Bodnick posted a comment putting the blame on Paul Buchheit who demanded it. Paul Buchheit denied it. I don’t know who’s responsible for that. What I do know is that Marc Bodnick got fired a few months later, because Adam D'Angelo specifically blamed his moderation for the collapse in user engagement and comment quality.

                  Please find a way either to become more intelligent, or to become more graceful in apologizing for what you currently are.

                  1. 9

                    Please find a way either to become more intelligent, or to become more graceful in apologizing for what you currently are.

                    What does that mean?

        2. 3

          I’d agree that the number of bad comments has gone up, but I’m not sure that the S:N has gotten worse.

          polite, but firm criticism/sensible answers, and didn’t end up spoiling the thread

          We have quite a low quantity of BS, so it’s relatively low-effort to refute (which keeps the place nice). There’s a threshold beyond which people stop being willing to invest time doing that.

          accept more users cheaply, and have stricter rules to kick them out if/when they misbehave

          My only concern with this approach (which works well in general) is that the failure mode is collapse (when e.g. a key moderator is absent for a few months and there isn’t suitable handover).

          If that were our approach, I think it would become important to recruit a larger pool of moderators to reduce this risk.

        3. 2

          Disclaimer: I’m one of the word-criminals listed above.

          I pointed out what I consider to be an obvious fact - that Common Lisp itself is not very practical, but didn’t want to go through the effort of trying to convince people of it. For example because if it’s not obvious to someone, he probably wouldn’t be amenable to convincing either.

          Someone who’s never considered CL impractical but does have an open mind, might benefit from seeing the idea, in case it led to him investigating and reaching the same conclusion himself.

          It seems just about every comment you linked was received with polite, but firm criticism/sensible answers, and didn’t end up spoiling the thread or the community’s view.

          Yes, someone asked the reasonable question: “Why?”, and someone else provided a great answer.

          All in all, which would you say caused a greater disturbance to Lobste.rs’s peace & harmony: my comment, or this thread? It could be argued that whoever started this thread is sowing discord!

          The thing is, we all interpret quality content and whether an article “belongs here” in different ways. Lobste.rs itself can reasonably be found highly lacking in greatness, even if it is better than HN in some ways.

      1. 8

        So, to summarize those examples for people that don’t want to follow links:

        1. Throwaway comment saying Clojure is more practical than Common Lisp.
        2. Comment asking why news about a suicide of a non-notable person is being posted to Lobsters.
        3. Comment expressing skepticism about EU competence on regulating crypto based on linked material.
        4. Comment (mine) tersely pointing out misuse of math tag and panning article source.
        5. Comment wondering why so many Julia Evans drawings (simple diagrams) keep showing up lately.

        With the possible exception of the first comment, those all seem like reasonable comments to me and are not particularly trollish (compared with, say, this or some of yui’s stuff).

        I think something worth considering is the content of articles all of those comments were in reply to: we need to all remember that a bad submission (like somebody deciding to kill themselves, or spamming pretty drawings, or public policy news) will usually breed bad comments, either asking “why is this here on lobsters?” or failing to have useful content for discussion.

        In short, if you submit garbage, don’t be surprised if you attract flies.

        1. 4

          bad submission (like somebody deciding to kill themselves, or spamming pretty drawings, or public policy news)

          I wouldn’t call any of those submissions bad. News about tech industry’s culture affecting people’s mental state, public policy related to tech and other “meta” articles are relevant to lobste.rs, in my opinion. The pretty drawings in question were educational and about tech. Although I didn’t necessarily like some of those submissions, they’re still on-topic.

        2. 2

          those all seem like reasonable comments to me and are not particularly trollish

          IMO, not all low quality comments are trolls. I agree with the OP that comments like the ones linked are nearly content free, and I find it disappointing that they’re appearing on lobsters with increasing frequency. I don’t have any good solutions, unfortunately. Ideally, we as a group would discourage those sorts of comments from existing in the first place. Perhaps @nickpsecurity is right in that the only other choice is heavier moderation, but I don’t really like that choice either. sigh

          1. 3

            Three of them aren’t content free though–they are meta comments on the submission. There is a place for such comments and unfortunately they are necessary if we want the community to self regulate properly.

            Perhaps the increase in bad comments you are seeing is due to an increase in bad submissions?

          2. 2

            I’m pushing two: careful who you invite to point you audit prior comments or behavior (approximates friend-to-friend model); heavier moderation if discouraging specific behaviors that persist. I think the invites aren’t usually handled like in the first. Many were casting a wide net.

        3. 5

          I personally put sub-par comments that spark good discussions into a different category

          I think this is important. There are so many ways a sub-par comment that on its own contributes nothing can lead to very fruitful or informative discussion that is worth having, and quite likely would not be had if it were not for that comment. Sometimes, these little comments can even seem a little trollish or otherwise inflammatory. That is one way to spark discussion; perhaps it is not perceived to be a good way, but it can be very effective. Of course there is no way to know in advance what such a thread will turn into.

          1. 9

            I disagree, given that the brevity of such comments is usually more likely to produce misunderstandings and hostility than creative discussion. Additionally, the brevity of such comments increases the odds that any subsequent discussion is likely to be less topical because of lost context.

            Sure, we get occasional gems, but the aggregate effect is always going to be junk commentary and poor decorum.

            1. 4

              The negative effect of lack of context is important. I overlooked that in my response. It does usually result in people talking past each other until the “real” point comes out. Happened to me here a few times.

              Therefore best to write at least enough of a comment that claim and context are clear. This might be worth becoming a guideline at some point.

          2. 5

            This seems to happen most when the comment represents a common misconception that many other readers might have. On HN, I often give a detailed counter with evidence and upvote the comment so corrected information reaches that commenter and others reading along. I also upvote the correct ones past it. Can’t recall how much I do it on Lobsters.

            The idea being that just filtering out very different views doesn’t make them go away. In absence of correcting feedback, misinformation remains with self-reinforcement and more gets built on it. I’m still undecided on best strategy here but think it’s worthwhile keeping and countering low-value comments reflecting misconceptions if person’s other comments were decent.

        4. 3

          OK, I’m a newcomer here

          Are you also this “hga”? https://news.ycombinator.com/user?id=hga who was recently banned?

          Jews are to be “excluded if not eliminated from society”, as in all societies that are not Israel. You’ve got your own homeland now, which we of the Alt West fully support, relocate yourself there.

        5. 0

          is also correct, and prompted a discussion I at least think is worthwhile,

          I vehemently disagree with that characterization. The OP posted a useless comment. Of what use to others is to state a conclusion without an argument or observation so that we can reach our own conclusions? Then ssl appears to have attempted to use the maieutic approach to teach the OP about the importance of backing up your conclusions. At which point you derailed the discussion posting a bunch of incorrect statements that because they take more time and effort to refute normally go unchallenged.

          Furthermore I see no good discussion that sparked from it.

  1. 6

    Some of the real goodies are on the Changes for Developers page. Things that will immediately fill holes are:

    1. You can now finally do forEach on nodelists. No more [].forEach.call etc.! Rewrite all the things!
    2. The console can now use sourcemaps to link to the original location of errors (and other things) in source, instead of going into the compiled scripts.
    3. You can now trace the origin of xhrs much more easily, since they get stack traces. This was something missing from FF which Chrome had for a long while.

    That entire page is worth a quick read :)

  2. 4

    Self-plug:

    A simple proof of concept chrome extension which skips the standard copy route itself to avoid this: https://github.com/awalGarg/realcopy

    Note: User rain1 from chat suggested testing it on https://thejh.net/misc/website-terminal-copy-paste where it didn’t work. That site uses CSS to hide the actual selected text instead. The extension above however shows what you copied so it might still work for you anyways.

    Edit: Also note that it puts the copied text in a textarea (separate from webpage context) so you can edit something if you like. Now I am actually thinking of using it, but needs an FF port :P

  3. 10

    Considering a project (and possibly looking for collaborators):

    I use stagit for personal project hosting (and github as social media but that’s irrelevant to this). I find stagit to be simple and minimal. Does the job. Does one thing and does it well. But I miss issues and PRs. Allowing collaboration from other people is pretty much impossible (asked people to format-patch, anyone?). So I am thinking of creating a “bundle” project which uses stagit and some mailing list software that allows anyone with his own vps and an ip/domain to quickly set up a github like personal project host with patches and discussion over emails with a public mailing list. So people won’t have to “register” to everyone’s site for contributing or opening an issue (which is mostly what keeps people from moving out of github or any other centralized service). They’d just use emails. If we can keep things consistent enough, it could offer the consistency of Github (or other hosts) while getting the decentralization of git back. Add some light css (see http://bettermotherfuckingwebsite.com/) and people wouldn’t find it dull or boring either.

    Thoughts? Anyone feel like collaborating? Am I missing something crucial?

    Edit: Just realized that this thread might be more about already accomplished/started things and not made up ideas. Apologies if this is off-topic for the thread.

    1. 4

      It really looks like you’re describing Phabricator here (code reviews, issues, discussions, git hosting, simple design, simple hosting…), you should check that too.

      1. 2

        +1 phabricator. used it at my old job.

    2. 3

      don’t hesitate to … ask for help, advice or other guidance

      Almost definitely not off topic :-)

    3. 2

      I’m busy with exams right now, but this is something I’d be interested in following & possibly contributing to in the future :)

    4. 2

      But I miss issues and PRs

      Google has a project where they abuse git-notes as a code review tool. Maybe something similar can be done for issues?

      Or maybe we should all just realise that what we really should be using is fossil-scm.

    5. 1

      That is really clever. It seems like making a new GitHub repo for it will be a necessary evil though ;)

      1. 2

        Thanks. It is maybe clever eyesight, not a clever idea in itself because git was meant to be used that way only.

        Why would this require a GitHub repo?

        1. 1

          I feel like that would be a better place than Lobsters to pool ideas and find out who wants to participate.

    6. 1

      This looks like something I’d find pretty useful for https://eigenstate.org and https://myrlang.org.

      At the moment, I mirror my code on github, and use their bugs/issues.

    7. 1

      Definitely interested in this. Got a repo for it yet?