Threads for cwill

    1. 35

      Why did GitHub remove his account/projects?

      1. 44

        That’s the part that bothers me.

        I understand it wasn’t a nice thing to do, and that people are upset, but it’s his own code in his own repos. He even announced ahead of time he would do something like this, so “buyer” beware.

        I realize GitHub TOS covers them to remove accounts and repos at their discretion, but it’s a little unsettling that they’ll actually do so arbitrarily without a clear TOS violation. It might be time I move everything to Sourcehut and treat GitHub as a mirror…

        1. 24

          It might be time I move everything to Sourcehut…

          The Sourcehut guy has always seemed a little unstable to me (didn’t he get banned from this site, in fact?) So, why would I trust him any more than I trust GitHub?

          1. 33

            I banned him and I would not call him unstable. Not just because that kind of insult is inappropriate here, but because it obviously doesn’t apply. He writes inflammatory hyperbole that’s not a good fit for this site, but he’s a skilled, accomplished professional who looks like he’s seeing a lot of success in his life.

            1. 11

              I didn’t mean to insult him. Maybe “erratic” would have been a better word without any mental health connotations (which I absolutely didn’t intend)? Poor word choice on my part, I’m sorry for that.

              …but he’s a skilled, accomplished professional who looks like he’s seeing a lot of success in his life.

              Sure, same goes for the GitHub guys. A person who can’t tone it down enough to keep a Lobsters account just isn’t someone I feel I can trust to host my code, particularly given that he’s in charge of the whole operation. Obviously everyone is free to decide who to trust and for what reasons.

              1. 9

                A person who can’t tone it down enough to keep a Lobsters account just isn’t someone I feel I can trust to host my code

                Bear in mind, Linus Torvalds would also probably have been banned from here multiple times in the past.

                I’d be perfectly happy to trust someone that volatile a lot (and I guess I do, running Linux since 1996 :) ). But I would be careful which groups and forums I invited them to :)

                1. 2

                  …I guess I do, running Linux since 1996

Very different, at least to me. If Linux was a service, control would have been taken away from Linus a long time ago (I mean, as it is they made him step back for a while to work on his issues). But it’s not, it’s just code that other people then build into something, often applying patches in the process. If Linus had a meltdown there is already sufficient infrastructure in place that the vast majority of us wouldn’t even notice.

                  I wouldn’t trust a code hosting service Linus ran by himself either.

                  1. 1

                    Nobody made Linus step back. He recognized that he had issues and took a sabbatical to deal with them himself. Are you saying you wouldn’t trust a service by a guy who has been diligently working on the same project for 30 years? Not to mention the guy who invented the base of all of the services discussed in this thread.

                    Why do people assume that “Bigger is better” when it comes to web services? The two most reliable services I use are Pinboard, run by an insanely opinionated and outspoken developer, and NewsBlur, who was, and may still be, a one man shop that just quietly does his own thing. In the same time as those services have been faithfully up and running, Google has shut down more services than I can count, because “It didn’t fit with their corporate vision”

                    It’s misguided, and harmful.

                    1. 2

                      Nobody made Linus step back.

                      We’ll probably never know for sure, but the subtext (well, and the text) of his announcement email sure makes it sound like his hand was forced, at least to me.

                      Are you saying you wouldn’t trust a service by a guy who has been diligently working on the same project for 30 years?

                      No, I’m saying I wouldn’t trust a service run by a guy who randomly goes off on people in totally inappropriate ways (his admission). Or, as is the case here, a guy who can’t even behave himself well enough to keep a Lobsters account.

                      Not to mention the guy who invented the base of all of the services discussed in this thread.

                      That has literally nothing to do with anything. A person can be productive or brilliant and also have other, undesirable, qualities.

                      Why do people assume that “Bigger is better” when it comes to web services?

                      I don’t, so I can’t answer that.

                      Google has shut down more services than I can count…

                      Agree with you there! I don’t trust Google for anything but search (I don’t even use Gmail), because that’s the one thing I don’t think they’ll ever kill (or break). I don’t think GitHub is going anywhere either, the worst case scenario is that Microsoft sells it.

                      It’s misguided, and harmful.

                      If there was a person who had the views you seem to ascribe to me, then I might agree!

          2. 30

            That’s unfair to Drew. He’s passionate, and rude, and opinionated, and submissions here from his site generally stirred up giant flamewars. But I do believe he’s got what it takes to keep sourcehut running.

            1. 18

              GitHub will keep running, too. I’m not sure we’ve answered the question of

              why would I trust him any more than I trust GitHub?

              1. 8

                Not only is the sourcehut software available under the AGPL, the issue trackers and such give you export and import functions to pull your data into another instance easily. The software itself is not trivial to host, but it’s not prohibitively hard either. If I needed to eject because Drew became untrustworthy, I am very comfortable that I could do that.

                Even though that’s a non-zero amount of work, GitHub gives me no comparable ability. That’s a good reason to trust him more than I trust GitHub, in my opinion.

                1. 3

                  GitHub gives me no comparable ability.

                  The GitHub command line client provides this functionality, as does the API. Obviously, the data formats are specific to the way GH works, but there are ways to extract most if not all of the relevant data (I use this heavily with my team to script up our findings workflow, for example).

                  1. 5

                    Interesting. Unless I’m missing something, you can’t stand up your own self-hosted instance of github, and import that, can you? The ability to stand up my own instance of the forge and import my data, to use on a self-hosted site, is what I meant by “comparable”. (That’s the angle I was coming from… if Drew won’t let me use his hosted service, I can just set up my own copy on any host I want since upstream is AGPL, then import my data from the sr.ht export since sr.ht exposes those functions.)

                    1. 2

                      GitLab supports importing to a self-hosted instance from GitHub [1], although I’m sure it’s not perfect, so it may or may not be useful. It also isn’t clear to me based on a 15 second review whether you can import from some kind of local data dump or raw GitHub API responses or if your GitHub account needs to be currently active.

                      [1] https://docs.gitlab.com/ee/user/project/import/github.html

                      1. 2

                        That looks much better than I thought, particularly if it turns out to work off saved data/responses. And it’s nice that Gitlab enable that for all their tiers.

                    2. 1

                      Unless I’m missing something, you can’t stand up your own self-hosted instance of github, and import that, can you?

                      GitHub Enterprise can be bought as a GitHub-hosted or self-hosted thing. These support (most of) the same APIs as the public GitHub, so you can run your own instance if you are willing to pay.

                      1. 2

                        It would be an interesting experiment to see whether they would sell an enterprise installation to someone whose account they forcibly closed. I was sort of assuming that if they won’t let you be a customer of their public service, they won’t sell you the private one, but that is uninformed speculation.

              2. 3

Because sourcehut is open source, nothing is lost when I leave. More than that, chances are that if sourcehut goes a bad route, there would likely be others jumping in.

            2. 2

              Not that you exactly claim otherwise, but Drew also makes some nice things and has created a business structure that enables at least one other developer to make some nice things.

              Quite apart from that, though, and similarly quite apart from whether he has what it takes to keep sourcehut running, he’s given me an out so that I don’t, strictly speaking, need him to. He’s released the software that runs the forge under the AGPL, here. And it exposes ways for me to export the hosted stuff and import it into a self-hosted instance.

              So regardless of whether I trust Drew personally, he’s made it so I don’t need to for this purpose.

If Drew got angry and decided I couldn’t be his customer anymore, I could stand up my own instance or pay someone to do that for me and import my data. My repos wouldn’t be down at all, my tickets, docs, etc. would be down for a day or so, and my mailing lists might see a bit more disruption than that. If github decided that I shouldn’t be their customer anymore, I’d have my repos. For the rest, I’d kind of be out of luck. (I think this last paragraph is more responsive to @glesica’s comment than the one I’m replying to, and I’m too lazy to split it to another reply.)

          3. 17

            Because “more than I trust Microsoft” is a damn low bar.

            1. 7

              It’s like a little devil hovering over my right shoulder, and a slightly less predictable devil hovering over the other.

        2. 6

Among other options there’s also the fediverse approach with Gitea, and a p2p approach will be available soon with Radicle.

        3. 11

          It might be time I move everything to Sourcehut and treat GitHub as a mirror…

          That time was years ago, but hey, better late than never.

        4. 5

          Consider hosting your own, instead. I published a blog post with a list of defunct code hosting sites which I update occasionally. Maybe that list is a good reminder. Remember, it’s not just code that goes away with such sites, it’s also issue queues and in some cases, wikis and mailing lists too.

          1. 4

Are you also going to start hosting a list of defunct private websites that used to host Git repos that are gone forever and where the disappearance came completely unexpectedly? I would trust Github more with staying online since that’s their job than a developer running a Gitweb on some VPS with some domain name that requires regular payment to stay online.

            Kinda like I registered callcc.org after it lapsed to make sure the links to the CHICKEN website don’t break and it doesn’t get domain-squatted and I’m redirecting to the official website these days.

            1. 1

Are you also going to start hosting a list of defunct private websites that used to host Git repos that are gone forever and where the disappearance came completely unexpectedly?

              I can’t think of anything offhand where I’ve taken a dependency that’s done that. But when I do take a dependency on something, I generally mirror the SCM repo if there is one. And I am very reluctant to take dependencies on things I can’t have the source to. Since the things I depend on generally haven’t gone away, I haven’t bothered to publish my mirrors, but I would if the license permits it.

              1. 3

                But when I do take a dependency on something, I generally mirror the SCM repo if there is one.

                I learned that the hard way when Rubyforge went down, a few employers ago. We weren’t that active in the Ruby community anymore, so we missed the notice. When the site went away and I had to do some small maintenance tasks on a legacy project, all the third party svn subtrees from Rubyforge were no longer working (and, more painfully, another project of ours was completely gone too). Note that Rubyforge was huge in the Ruby community back in the day.

            2. 1

              I would trust Github more with staying online since that’s their job than a developer running a Gitweb on some VPS with some domain name that requires regular payment to stay online.

              Like I said, history has shown these hosting sites are not as trustworthy as people like to believe they are. The GitHub company can get sold to an untrustworthy partner (har har, like that’d ever happen… oh wait) or go out of business (what if MS decides to sell the company to, I dunno, Oracle or something because it’s not making a profit?), or there might be some other new VCS that comes out that completely blows git out of the water. I’m sure nobody saw coming what happened to Bitbucket - it started out as a Mercurial hosting site, then started offering git and finally dropped Mercurial after Atlassian took over. Its founders probably never would have let that happen if it were still in their power.

From my own perspective, I’ve personally run into at least five hosting sites who were hosting projects I started or heavily contributed to that are no longer available now (Rubyforge, Dutch govt OSOSS’ uitwisselplatform, Berlios, Bitbucket and Google Code). And then there’s Sourceforge which at least still hosts some of my defunct projects, but had for a while been injecting malware into downloads. If I or my employers (as the case may be) had hosted our own projects from the start, this pain would’ve been completely avoided. These are projects in which I had a stake, and it was in my interest to not let them die.

              Now, having said that, I agree that from a third party perspective (someone who is using the hosted code) that’s different. I understand your point saying you don’t want to rely on some random developer’s VPS being up, and neither would I. But then, people change repositories on code hosting sites all the time, too. They move to other hosting sites, or rename repositories etc. Links rot and die, which is unfortunate and something we all have to live with.

              Case in point:

              Kinda like I registered callcc.org after it lapsed to make sure the links to the CHICKEN website don’t break and it doesn’t get domain-squatted and I’m redirecting to the official website these days.

              Thanks for doing that. AFAIK this domain was never communicated as being official, but I might be wrong.

      2. 8

        I don’t know what the GitHub rationale was, but the ‘limitation of liability’ bit in most open source licenses only goes so far. If I intentionally introduce malicious behaviour into one of my open source projects, knowing that it would damage downstream consumers, then I’d probably be liable under the Computer Misuse Act in the UK and similar legislation elsewhere. GitHub’s T&C’s don’t explicitly prohibit using their service for criminal purposes but that’s normally implicit: if GitHub didn’t act then they might end up being liable as an accessory (at least as an accessory after the fact). Their distribution channel (NPM) is being used by a malicious actor to attack other users.

        It’s normally difficult to prove malicious intent in this kind of thing (incompetence and malice look similar) but it seems pretty clear here from the author’s own statements.

        1. 12

          I don’t know what the GitHub rationale was, but the ‘limitation of liability’ bit in most open source licenses only goes so far.

          This is disturbing. Software is provided as is, with no liability whatsoever, but the author should still be liable for what happens when other people use it, because it broke things? What if the author decided to completely change the library’s API, or recycle it to just print squares of color, because they liked the name?

I find what the author did pretty stupid, but frankly, suggesting it falls into criminal behavior calls for some stepping back and putting things in perspective.

          1. 8

            There is a difference, and it’s not subtle at all, between making a possibly unwanted change in software that is provided without any warranty, and deliberately making a crippling change with the express intent of breaking other people’s applications.

            To put it another way: if you accidentally commit an integer overflow bug that causes batteries to blow up, that is, presumably, just bad engineering. But if you deliberately commit a clever hack that causes people’s batteries to blow up, with the express intent of getting people injured, or at least destroying their phones, I think it makes a little sense to not put it under “well, it did say no warranty of any kind on the box, didn’t it?”.

            Obviously, this didn’t kill anyone, so I’m obviously not thinking it ought to be treated as murder. But “no warranty” is not a license to do anything.

            It’s not like software is being given special treatment here, it’s how warranties work everywhere. If you sell boats with two years’ servicing warranty and they break down after three years, that’s one thing, but if you fit them with bombs that go off after two years and one day, with the express intent of killing anyone on them, that still falls under “murder”, not “what happens after two years isn’t our problem, it says so on the purchase contract”.

            (Edit: obviously IANAL and this is not legal advice, either, I’m only parroting second-hand, non-lawyer advice about how insurance works for some high-stakes software projects)

            1. 5

              I guess that makes sense, when you put it that way :)

          2. 3

            I am not a lawyer, this is not legal advice:

My understanding is that it comes down to intent. If I upload a buggy piece of crap to GitHub with an open source license, and you use it, then it sucks to be you. If I upload something to GitHub, wait for you to deploy it and then intentionally introduce a vulnerability or other malicious behaviour in it, then that’s legally dubious. Normally it’s very difficult to prove intent. If I submit a patch to the Linux kernel that introduces a vulnerability, if you wanted to prosecute me then you’d have to prove that I did so knowing that the bug was there and with the intent to cause harm. That’s very difficult to do in the general case (the NSA null-pointer dereference bugs are a great case in point here: people suspect that the NSA knew about that vulnerability class and introduced it deliberately, but no one can prove it and there’s enough reasonable doubt that it would never stick in court unless there was some corroborating evidence - it could easily have been accidental). If, before I submit the patch, I post publicly about how I am going to intentionally break things for the people using my code and then I push a new version out to public repositories then it’s likely to be easy to prove malicious intent. The author of these packages did exactly that: posted saying that he was going to break things for people if they didn’t pay him and then, when they didn’t pay him, broke things. That may (again, not a lawyer) count as blackmail, as well as computer misuse.

          3. 3
            1. Code license != Github TOS.
            2. Liability could only be disclaimed to the extent permitted by law. You cannot put a sign “free food, no liability whatsoever” and then put poison inside and expect that disclaimer to save you from prison. E.g., GPL states “THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.”
      3. 7

        I think until they make a statement about it, nobody knows but them. But my assumption is that this happened on a weekend, and whoever was on call figured that the easiest thing to do to minimize disruption till Monday was to suspend the account and hard revert the content until more people could be brought in. I’m also assuming suspending the account just automatically says that you violated the ToS.

      4. 3

        I could imagine that somebody identified this as a possible account hack and thus locked it.

      5. 2

        They didn’t, they suspended his account so he can’t log in. You are still free to troll him on GitHub without any recourse whatsoever.

    2. 8

      I am compelled to drop in Stephen Ball’s Deliberate Git video every time commit messages come up. It’s been 7 years since he presented that talk at Steel City Ruby 2013 and I still show that video to interns, early career folks, and new team members of every vintage at least once per year if not more often.

      1. 4

        I actually work with Stephen now, and the quality of our git commits has gone up tremendously!

      2. 2

        Yeah, that’s what I immediately thought of. It’s a great video and I probably need to rewatch it.

      3. 1

        Thanks, I’ll give it a watch.

    3. 3

      Just finished my mobile ham radio install! Icom id-4100, direct wired to my car battery. I wanted to take the time to route all the cables prettily so it meant taking apart my center console to route wires. Worth it!

    4. 1

      I’m @cwill@freeradical.zone. I’m kinda with @wink, I just don’t find anyone on Mastodon that toots enough for it to be interesting.

    5. 3

      PyCharm has this great feature that allows it to attach to a running Python program and debug it - how does this work? No changes to the code (like described for manhole) are required.

      1. 3

        I assume it’s using something like pyrasite. How old is this feature in PyCharm?

        I’d be surprised if they did it before gdb got the feature via pyrasite. It would be kind of sad, in a way, because that means that work was recreated just because Pycharm is proprietary.

As to your question on how this works, what gdb does (and any debugger, really), at least on Unix, is a ptrace syscall. The OS has to allow this syscall, which can be denied for permissions reasons. Once one process can control the other, it’s a matter of inspecting memory to figure out where the program stack and local variables are and, going further, knowing how CPython works so that you can recreate the Python stack and variables from there.

        1. 4

          PyCharm’s debugger is open source and almost always has been. That includes how they are attaching.

          1. 2

            Right, so they’re just calling gdb:

            https://github.com/fabioz/PyDev.Debugger/blob/master/pydevd_attach_to_process/add_code_to_python_process.py#L454

            This is still a small consolation for me, since such a widespread IDE is not free.

      2. 2

        You can do this without PyCharm as well. You need some additional instrumentation for gdb so that instead of looking at the innards of CPython itself you’d get new commands like py-list, py-bt: https://wiki.python.org/moin/DebuggingWithGdb

        But this Manhole thing actually sounds more convenient.

        1. 2

This isn’t the same. This doesn’t let you inject code into the running process, only inspect it. Pyrasite is the thing made by the same gdb maintainers who implemented py-bt, and it does let you inject code.
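The mechanism the comments above describe (a ptrace attach, then driving the interpreter from gdb the way pyrasite does), as an added example; this is not code from PyCharm, pydevd, pyrasite or anyone in this thread. It attaches gdb to a target pid, takes the GIL with PyGILState_Ensure, runs the payload through PyRun_SimpleString and releases the GIL. It assumes Linux, gdb on PATH, a CPython target that exports those symbols, and a kernel that lets the caller ptrace the target; the helper names, the Yama path and the demo payload are mine.

```python
"""Inject Python source into a running CPython process, pyrasite-style.

Added example, not code from PyCharm, pydevd or pyrasite. Assumes:
  - Linux with gdb on PATH (another path can be passed to inject()),
  - the target is CPython and exports PyGILState_Ensure/PyRun_SimpleString,
  - the kernel allows this process to ptrace the target (see ptrace_scope()).
"""
import os
import shutil
import subprocess
import sys
from typing import List, Optional

# Yama LSM knob that gates PTRACE_ATTACH; absent on kernels built without Yama.
YAMA_SCOPE = "/proc/sys/kernel/yama/ptrace_scope"


def ptrace_scope() -> Optional[int]:
    """Return the Yama ptrace_scope value, or None when Yama is not available.

    0: any process may attach to another running as the same uid
    1: only an ancestor (or a tracer named via prctl(PR_SET_PTRACER)) may attach
    2: attaching requires CAP_SYS_PTRACE
    3: attaching is disabled entirely
    """
    try:
        with open(YAMA_SCOPE) as fh:
            return int(fh.read().strip())
    except (FileNotFoundError, PermissionError):
        return None


def escape_for_gdb(code: str) -> str:
    """Turn Python source into the body of a C string literal for gdb's `call`."""
    return (code.replace("\\", "\\\\")
                .replace('"', '\\"')
                .replace("\n", "\\n"))


def gdb_commands(code: str) -> List[str]:
    """The gdb command sequence that runs `code` inside the attached interpreter.

    PyGILState_Ensure comes first: gdb stops the target at an arbitrary
    instruction, possibly while another thread owns the interpreter. The casts
    let gdb call the functions even when the binary carries no debug info.
    `$1` is gdb's value-history slot holding the PyGILState_STATE we were given.
    """
    return [
        "call (int)PyGILState_Ensure()",
        'call (int)PyRun_SimpleString("%s")' % escape_for_gdb(code),
        "call (void)PyGILState_Release($1)",
    ]


def inject(pid: int, code: str, gdb: Optional[str] = None) -> str:
    """Attach to `pid` with gdb, run `code` there, detach; return gdb's stdout."""
    gdb = gdb or shutil.which("gdb")
    if gdb is None or not os.access(gdb, os.X_OK):
        raise RuntimeError("gdb not found or not executable: %r" % gdb)
    argv = [gdb, "-batch", "-p", str(pid)]
    for cmd in gdb_commands(code):
        argv += ["-ex", cmd]
    proc = subprocess.run(argv, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError("gdb attach/injection failed (ptrace_scope=%s): %s"
                           % (ptrace_scope(), proc.stderr.strip()))
    return proc.stdout


# Constructed victim: a sleeping interpreter that opts in to being traced by any
# same-uid process (PR_SET_PTRACER, PR_SET_PTRACER_ANY). Without that call, a
# Yama scope of 1 refuses the attach because gdb is a sibling, not an ancestor.
VICTIM = (
    "import ctypes, time\n"
    "ctypes.CDLL(None).prctl(0x59616d61, ctypes.c_ulong(-1), 0, 0, 0)\n"
    "time.sleep(60)\n"
)

if __name__ == "__main__":
    import tempfile
    import time
    marker = os.path.join(tempfile.mkdtemp(), "injected")
    victim = subprocess.Popen([sys.executable, "-c", VICTIM])
    try:
        time.sleep(0.5)  # let the interpreter finish starting up
        inject(victim.pid, "open(%r, 'w').write('hello from gdb')" % marker)
        time.sleep(0.5)
        print("ptrace_scope:", ptrace_scope(), "marker written:", os.path.exists(marker))
    finally:
        victim.kill()
```

The practical takeaway is the permission check, not the gdb incantation: any process that is allowed to ptrace your interpreter can execute arbitrary Python inside it, so the `ptrace_scope` value, `CAP_SYS_PTRACE` in containers and `PR_SET_PTRACER` opt-ins are the controls that decide who can do this, and a manhole-style in-process listener adds nothing that an attacker with those rights does not already have.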

    6. 2

      My sister-in-law is having a baby shower, so I think the whole family is going to that. After that, board games with my kids and wife.

      Personal Projects: I’m turning my Creality CR-10S into a dual extrusion printer… soon. Just have to print a couple more pieces first and then I’m set. I hope to have the last 2 pieces printed, and then go through my plans again. I may actually start putting the print head together this weekend.

      I’ll continue working on a few personal projects around home automation, and probably keep reading up on Kubernetes which is more for professional development, but has been a pretty good time thus far.

      1. 2

Nice! I just got the parts to add a glass bed and a PEI sheet, I’m finally doing that this weekend! Also updating my firmware to the latest Marlin so that my printer doesn’t have the sometimes-catches-on-fire problem of i3 clones.

        1. 1

          Glass bed and a build sheet are both great additions. I’ve been using a BuildTak sheet for a while and have quite enjoyed that. Making your printer not light on fire is also a key part of letting things print overnight.

          How do you like your i3 clone?

          1. 2

            I love it so far! So far I feel like I’ve just printed mod parts for the actual printer instead of printing other things but it’s been a blast! So far I’ve done the external mosfet mod, added an octoprint raspberry pi, a camera, spool holders, and planning on building a lack enclosure next.

            1. 1

              So far I feel like I’ve just printed mod parts for the actual printer instead of printing other things

              This is how I can tell that you’re a real 3d Printer Enthusiast; I think about half the stuff we all print is for the printer.

              I’ve also gotten into printing board game pieces; I plan on giving my siblings some custom made board games for their birthdays (in the summer), and DnD minis, but a significant amount of printing has been for the printer itself - the pi mount, spool holders, supports, better knobs for levelling, and some pegboard things for various tools.

    7. 3

      Here’s kind of an interesting question I’d have for this community.

      You almost certainly do not need a degree

On almost every job posting that I’m a part of hiring for, we put that the candidate needs at least an associate’s degree, with a preference for a bachelor’s. Not a degree in the field we’re hiring for (software dev), mind you, just a degree. In the past, I’ve found that if we don’t put that, we get a lot of applicants that are self-taught and have learned what they know through either online tutorials or coding bootcamps.

      While I think you can learn a lot by teaching yourself or going through bootcamps, I have not found a single applicant that has done so that really learned how to think critically about software development. They come prepared by knowing all the answers to the book of “common software development interview questions” but never seem to be able to just think about a problem.

      I’ve found that people who at least went through some kind of “college”-type education generally are better interviewees, regardless of whether it’s in our field.

      Does anyone have that same experience? Or a way I can word a job posting that’s not “critical thinking required”? I know that’s a pretty big generalization to make, but as someone who ends up interviewing almost everyone that applies to a job (we don’t have some magic resume spit-out-if-you-don’t-have-20-years-experience-in-spacecraft-design tool), I have felt like without this on job postings, I struggle.

      1. 4

        I have not found a single applicant that has done so that really learned how to think critically about software development. They come prepared by knowing all the answers to the book of “common software development interview questions” but never seem to be able to just think about a problem.

        How does this manifest concretely? And does that mean they are incapable of producing software?

        Either thinking about a problem is not needed to produce software (I don’t buy it), or degreeless people can’t produce software (obviously false). Maybe there are many bad apples. Or maybe these people just don’t interview well, which makes it look like they’re unable to think?

        I’d be interested in seeing some examples of problems they are unable to think through.

        I haven’t conducted interviews, but I know plenty of darn good programmers without degrees. And I know programmers who only got their degrees a decade into their successful career. The degreeless people on my team wrote their own operating system that’s been used in production for, I don’t know, around two decades now? Oh, I’m degreeless too.

        1. 1

          I haven’t conducted interviews, but I know plenty of darn good programmers without degrees.

          Same, and don’t get me wrong there are many people I work with that don’t have them and are great engineers. And I guess this goes more towards young professionals (less than 3 years experience) without degrees. But in general I find that people that come out of programming bootcamps especially (the majority of people that I see that don’t have any degree but still apply) don’t ever really know how their program works. If there was a performance issue in the code they wrote, for example, they wouldn’t know how to start getting down to the problem.

          I guess it’s more of a criticism of programming bootcamps?

          1. 3

            I guess it’s more of a criticism of programming bootcamps?

            I was about to suggest it. Then you said it. So, I’m just going to corroborate it.

            It can also be true for people with degrees, though, since one can often bullshit through academic courses more than real coding. If one has to filter, one of the better ways to do it with unknown candidates seems to be giving them an exercise to work on that:

            (a) is similar to what they’ll do at your company

            (b) pays something if they complete the exercise

            (c) takes significant time to complete but not enough to wear down folks who are already busy (job, family, many interviews).

            (d) isn’t actual work your company needs done so people know you aren’t farming off work to unpaid or barely paid applicants to save on programming time. Is mocked up or not strongly adding to your bottom line.

That’s a recipe I got from others on HN and Lobsters mainly who I can’t recall right now. It’s not mine. It looked like a decent compromise, though, if you couldn’t get trustworthy references or prior work on someone.

I’ll also add that people with degrees might have to pay down loans on those degrees. They can cost more for that reason. A person that didn’t have degrees, but did build their skills, might be able to do the same thing for less. However, a lot of employers like the idea a person committed to something for 2-4 years and finished it despite the difficulties. That might build character but maybe they just coasted. I still don’t trust that metric. You might be able to use it, though, if it’s a school or group in school with a reputation for building talent with some track record of what they did there. So, there are some ups and downs to whether they have a degree.

      2. 2

        Your comment made me a bit sad.

        Even though I fully understand the possible struggle, I still think that your “lazy” (allow me being lazy too for not finding a more appropriate word) attitude is bad and outdated.

        I want to live in a world where if you break your back and study on your own but, for some reason, don’t have a degree, you still have a chance to land a junior job somewhere.

        I want to believe that a 30/40yo person who couldn’t afford going to university and decided to get a job as a programmer would only need to study 1/2 years by themselves, while doing their current job, and could hope to put even just a toe in the world of IT.

        I want a motivated and somewhat talented youngster to be able to apply to their first real job right after school, before deciding on whether to focus their next 3/4 years on a more focused education at a university of their choice with their own money.

        These are not abstract characters, these are actual people who are damaged by the “it’s easier this way” attitude. The person I would like to pass through the door is someone I can give a task (more or less demanding) and have them put their very best and succeed. Whether they went through the classic route or not should be completely irrelevant.

        Sorry, maybe I’m a bit too optimistic or maybe I know far too many people with high-grades from university who I wouldn’t even trust with writing some documentation.

        I’d like to hear your opinion on this.

      3. 2

        I can totally understand why you’d require a degree based on what you’ve said and seen.

        Something I said later on in there though:

        Tell people what you want, give them goals, and let them tell you how they satisfy them

        At the moment, my understanding is that you’re requiring a degree partly as a way of demonstrating critical thinking ability

        My gut reaction would be to strip out the degree requirement and replace it with a short test at application time (bearing in mind the caveats I mention around take-homes!) designed to test their ability to “just think about a problem”

        This won’t be easy, and sure, it wouldn’t surprise me to hear that a lot of people who come through it successfully have degrees, but you’re still improving the accuracy of your filtering (by trying to practically test for the property instead of just testing for something that hopefully correlates) and you’ve opened it up to people who don’t

        A few off-the-cuff ideas for tests that might help (I’ve not thought about these enough to claim they’re good though!):

        • “Here’s some code, write some documentation/warnings to users”
        • “Find the bugs in this code”
        • “What security concerns does this code raise”

        Those are all things where you can have some easy obvious answers, but also deeper issues that should assess their ability to think about the bigger picture / further consequences of things, which feels like it should tie in with the “critical thinking” you’re after

        How’s that sound?

      4. 1

        recommend they read “How to solve it” by George Pólya as part of the interview preparation?

      5. 1

        we don’t have some magic resume spit-out-if-you-don’t-have-20-years-experience-in-spacecraft-design tool

        Can you use your human eyes on the resume to get an even better result than such a tool would be? I’ve found that by looking up the website, projects, or Github profile on a resume I can weed out the bulk of the not-worth-interviewing enough to at least make the process not terrible.

        OTOH, I’ve definitely interviewed (and even worked with) people who had degrees and couldn’t accomplish any useful task on the job.

        1. 1

          by looking up the website, projects, or Github profile on a resume I can weed out the bulk of the not-worth-interviewing

          If you weed them out, how do you know they were not worth interviewing?

          What if your lookup turns up nothing?

          1. 1

            That’s fair, my wording was perhaps suboptimal. I suppose I meant really that the bulk of those remaining are worth interviewing, which is the goal.

    8. 9

      I too had issues around syncing my own files using pass in the past and eventually settled on LastPass. In my opinion, it’s worth paying $24 a year for premium support which gives me 1GB of encrypted storage and more two-factor authentication options. Plus having the app seamlessly sync to my phone is great as I can just copy passwords to the clipboard for other apps on my phone. It’s been easy to use and I enjoy not having to worry about passwords anymore.

      Edit: Sorry that this was seen as spam. I realized after the fact that it was a little zealous. I am by no means connected to or trying to endorse LastPass.

      1. 2

        I have actually been really impressed with their android auto-fill as well, it actually works pretty well.

        1. 1

          Does that work in Firefox as well? This is one pretty big pain point for 1password for me

          1. 1

            Talking about Firefox on Android? I don’t think so, at least it doesn’t for me. I don’t think that’s LastPass vs 1Password though, I think each app has to implement it. Looks like Android P will bring it to browsers by default

      2. 1

        I’ve been sticking with LastPass for a while as well. They have a good automatic sync and user experience on all platforms, and from what I understand, the data architecture is good - master password never touches their servers, always handled by Javascript in the browser or in the mobile app. I do try and remember to back up the password list periodically as well.
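        An added illustration of the design the comment above describes (this is not the commenter’s code, nor LastPass’s actual scheme; the KDF, iteration count and salt layout are assumptions): the master password is stretched on the client into a vault key that never leaves the device, a separate login hash is derived from that key, and the server only ever stores a salted verifier of the login hash. Encrypting the vault with the vault key is not shown.

```python
import hashlib
import hmac
import os

# Illustrative parameter (assumption): real products pick their own KDF,
# iteration count and salt layout.
KDF_ITERATIONS = 100_000


def derive_client_keys(email: str, master_password: str) -> dict:
    """Runs on the client only. The master password is stretched into a
    vault key that stays on the device; a separate login hash, derived
    from that key, is the only thing ever sent to the server."""
    salt = email.strip().lower().encode()
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, KDF_ITERATIONS
    )
    # One more round keyed off the vault key, so the server never sees the
    # vault key itself and cannot recover it from what it stores.
    login_hash = hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode(), 1
    )
    return {"vault_key": vault_key, "login_hash": login_hash}


def server_enroll(login_hash: bytes) -> dict:
    """Server side: store a salted, stretched verifier of the login hash,
    never the login hash itself and nothing derived from the vault key."""
    server_salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", login_hash, server_salt, KDF_ITERATIONS)
    return {"salt": server_salt, "verifier": verifier}


def server_verify(record: dict, login_hash: bytes) -> bool:
    """Constant-time comparison against the stored verifier."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash, record["salt"], KDF_ITERATIONS)
    return hmac.compare_digest(candidate, record["verifier"])


def login_round_trip(email: str, enrolled_password: str, attempt: str) -> bool:
    """Whole flow: enrol with one password, later attempt a login with another."""
    record = server_enroll(derive_client_keys(email, enrolled_password)["login_hash"])
    return server_verify(record, derive_client_keys(email, attempt)["login_hash"])
```

        The property worth checking when evaluating any such product is the one the functions make explicit: nothing the server stores (`salt`, `verifier`) is derived from `vault_key` except through the one-way `login_hash`, so a database leak gives an attacker something to brute-force offline but not the key that opens the vault.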

    9. 16

      Reminded me I’ve had Google Analytics code up on my blog since forever for no benefit for me whatsoever. Off it goes!

      1. 2

        Kudos for removing it but I am curious how Google Analytics ends up running on so many sites to begin with?

        1. 11

          It’s free, it’s very easy to setup and understand, and there is a lot of documentation out there on how to integrate it into different popular systems like Wordpress. It’s definitely invasive, but it’s hard to deny that it’s easy to integrate.

          1. 1

            not as easy as doing nothing though… it’s free and easy to crawl around on all fours… that can be invasive too if you crawl under someone’s desk… but this still leaves the question why.

            1. 5

              Because a lot of the time when you’ve just made a site you want to see if anyone’s looking at it, or maybe what kind of browsers are hitting it, or how many bots, or whatever, so you set up analytics. Then time passes, you find out what you wanted to find out, and you stop caring if people are looking at the site, but the tracking code is still there.

            2. 2

              I’d compare it to CCTV cameras in shops. You visit the shop (the website) voluntarily so the owner can and will track you. We can agree that this is a bad thing under certain conditions, but as long as it’s technically trivial it will be done. No use arguing what is, you’d need a face mask or TOR to avoid it.

              That said, I’d also prefer if it wasn’t Google Analytics on most pages but something that keeps the data strictly in the owner’s hands. I can wish for it to be deleted after a while all I want but my expectation is that all the laws in the world won’t change that to a 100% certainty.

        2. 8

          End-user-facing SaaS products are one thing. On a site I run on infrastructure that I run myself I can just look at the httpd logs¹ and doing so is way faster than looking at GA², but if I also bought a dozen other random SaaS products then the companies that run those won’t ship me httpd logs, but they will almost always give me a place to copy-paste in a GA tracking <script>. If I have to track usage on microsites and my main website, it’s nice if the same tracking works for all of them.

          It has some useful features. I believe offhand that, if you wire up code to tell it what counts as a “conversion event”, GA can out of the box tell you things like “which pages tended to correlate positively and negatively with people subsequently pushing the shiny green BUY NOW button?”

          There’s a populace of people familiar with it. If you hire a head of marketing³, pretty much every single person in your hiring pool has used GA before, but almost none of them have scraped httpd logs with grep or used Piwik. (Though I would be surprised if they didn’t immediately find Piwik easy and pleasant to use.) So when that person says that they require quantitative analysis of visitor patterns in order to do their job⁴, they’re likely to phrase it as “put Google Analytics on the website, please.”

          (¹ GA writes down a bunch of stuff that Apache won’t, out of the box. GA won’t immediately write down everything you care about because you have to tell it what counts as a conversion if you want conversion funnel statistics.)

          (² I have seriously no idea whatsoever how anybody manages to cope with using GA’s query interface on a day to day basis. It’s the most frustratingly laggy UI that I’ve ever used, and I’m including “running a shell and text editor inside ssh to a server on literally the opposite side of the planet” in this comparison. I think people who use GA regularly must have their expectations for software UI adjusted downward immensely.)

          (³ or whatever job title you give to the person whose pay is predicated on making the chart titled “Purchases via our website” go up and to the right.)

          (⁴ and they do! If you think they don’t, take it up with Ogilvy. He wrote a whole book and everything, you should read it.)
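          As an added example of the “just look at the httpd logs” alternative mentioned above (not the commenter’s code), here is a small summariser for Apache combined-format lines: it separates bot traffic from human traffic by User-Agent, counts page views and referring hosts for humans only, and tallies status codes. The log lines are constructed for the example and use documentation IP ranges; the bot marker list is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumption: a crude User-Agent heuristic is good enough for a personal site.
BOT_MARKERS = ("bot", "crawler", "spider", "curl", "wget", "python-requests")

# Constructed sample log (not real traffic); the last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2018:12:00:01 +0000] "GET /posts/hello HTTP/1.1" 200 5120 "https://lobste.rs/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/58.0"
203.0.113.5 - - [10/Mar/2018:12:00:02 +0000] "GET /static/site.css HTTP/1.1" 200 812 "https://example.org/posts/hello" "Mozilla/5.0 (X11; Linux x86_64) Firefox/58.0"
198.51.100.9 - - [10/Mar/2018:12:01:10 +0000] "GET /posts/hello HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.23 - - [10/Mar/2018:12:02:00 +0000] "GET /wp-login.php HTTP/1.1" 404 198 "-" "python-requests/2.18.4"
192.0.2.77 - - [10/Mar/2018:12:03:33 +0000] "GET /posts/other HTTP/1.1" 200 4100 "https://news.ycombinator.com/" "Mozilla/5.0 (Macintosh) Safari/604.5.6"
this line is not a log entry
"""


def parse_line(line: str):
    """Return a dict for a well-formed combined-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    entry["is_bot"] = any(marker in entry["ua"].lower() for marker in BOT_MARKERS)
    return entry


def referrer_host(referer: str) -> str:
    """Collapse a Referer URL to its host; '-' means the visitor came directly."""
    if not referer or referer == "-":
        return "(direct)"
    return urlparse(referer).netloc or "(direct)"


def summarize(log_text: str) -> dict:
    """Counts roughly what a blogger would want from GA: page views by
    humans, where they came from, how much is bots, and error rates."""
    raw = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    malformed = raw.count(None)
    entries = [e for e in raw if e is not None]

    page_hits, referrers, statuses = Counter(), Counter(), Counter()
    bot_hits = 0
    for e in entries:
        statuses[e["status"]] += 1
        if e["is_bot"]:
            bot_hits += 1
            continue
        # Only successful, non-asset requests count as a page view.
        if e["status"] == 200 and not e["path"].startswith("/static/"):
            page_hits[e["path"]] += 1
            referrers[referrer_host(e["referer"])] += 1

    return {
        "parsed": len(entries),
        "malformed": malformed,
        "bot_hits": bot_hits,
        "page_hits": page_hits,
        "referrers": referrers,
        "statuses": statuses,
    }
```

          Feeding a real access log through `summarize(open(path).read())` answers the “is anyone looking at it, and how many are bots” questions without any third-party script on the page; the 404 for `/wp-login.php` from a scripted client is the kind of probing noise that GA never shows you because it only sees visitors that execute JavaScript.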

          1. 1

            what’s that book?

            1. 3

              The book is “Ogilvy on Advertising”. It’s not long, the prose is not boring and there are some nice pictures in it.

              The main thing it’s about is how an iterative approach to advertising can sell a boatload of product. That is, running several different adverts, measuring how well each advert worked, then trying another set of variations based on what worked the first time. For measurement he writes about doings things like putting different adverts for the same product up, each with a different discount code printed on it, and then counting how many customers show up using the discount code that was in each of those adverts. These days you’ll see websites doing things like using tracking cookies to work out what the conversion rate was from each advert they ran.

              Obviously the specific mechanisms they used for measurement back then are mostly obsolete now, but the underlying principle of evolving ad campaigns by putting out variations, measuring, then doubling down on the things you’ve demonstrated to work is timeless.

              Ogilvy also writes a little bit about specific practical things that he’s found worked when he put them in adverts in the past, such as putting large amounts of copy on the advert rather than small amounts, font choice, attention-grabbing wording, how to write a CTA, black text on white backgrounds or vice versa, what kinds of photos to run and so on. Many are probably still accurate because human beings don’t change much.

              Many are plausibly wrong now because the practicalities of staring at a glowing screen aren’t identical to those of staring at a piece of paper. If you’re following the advice in the first bit of the book about actually measuring things, then it won’t matter much to you how much is wrong or right because you’ll rapidly find out for yourself empirically anyway. :)

              Hypothetically, let’s say you’ve done a lot of little-a agile software development: you might feel that the evolutionary approach to advertising is really, really obvious. Well, congratulations, but not all advertising is done that way, and quite a lot of work is sold on the basis of how fashionable and sophisticated it makes the buyer of the advertising job feel. Ogilvy conveys, in much less harsh words, that the correct response to this is to burn those scrubs to the fucking ground by outselling them a hundred to one.

        3. 6

          For me it was probably ego-stroking to find out how much traffic I was getting. I’ve been blogging for more than a decade and not always from hosts where logs were easily accessible.

        4. 4

          What gets me is why people care about how many hits their blog gets anyway. If I write a blog, the main target is actually myself (and maybe, MAYBE, one or two other people I’ll email individually too), and I put it on the internet just because it is really easy to. Same thing with my open source libraries: I offer them for download with the hopes that they may be useful… but it really means nothing to me if you use it or not, since the reason I wrote it in the first place is for myself (or again, somebody who emailed me or pinged me on irc and I had some time to kill by helping them out).

          As such, I have no interest in analytics. It… really doesn’t matter if one or ten thousand people view the page, since it works for me and the individuals I converse with on email, and that’s my only goal.

          So I think that yes, Google Analytics is easy and that’s why they got the marketshare, but before that, people had to believe analytics mattered and I’m not sure how exactly that happened. Maybe it is every random blogger buying into the “data-driven” hype thinking they’re going to be the next John Rockefeller in the marketplace of ideas… instead of the reality where most blogs are lucky to have two readers. (BTW I think these thoughts also apply to the otherwise baffling popularity of Medium.com.)

        5. 1

          Also, it’s invasive, sure but it’s also fairly high value even at the free level.

          You get a LOT of data about your users from inserting that tracking info into your site.

          Which leads me into my next question - what does all this pro-privacy stuff do to such a blog’s SEO?

          (I know, I know, we’re not supposed to care about SEO - we’re Maverick developers expressing our cultural otherness and doing Maverick-y things…)

          1. 2

            Oh, it totally tanks SEO.

            Alternately, the SEO consultants that get hired by biz request to have GA added anyways and they force you to bring it in. :(

            1. 1

              Google will derank pages that don’t have Google Analytics?

    10. 52

      It was quite predictable. Their incentives as a VC-backed, for-profit company aiming for massive IPO are to lock-in as many people as possible. Interoperability works against profitable lock-in. This is why rich software companies either fight, subvert, or cripple it where possible. So, Slack eventually would ditch that. I doubt they put a lot of effort into maintaining its quality either if it was a marketing gimmick. I don’t use Slack, though, so I can’t say.

      1. 34

        Interop feels a lot like what some leaders said about democracy:

        It’s like a train. You get off when you reached your destination.

      2. 17

        Honestly, Slack to me has become a lot more than just chat, and I can see how they can’t coerce their methodology for chat anymore into IRC. Threads are used very extensively by my team, and I can see how that’s hard to fit into IRC. Rich content messages from apps, images, and posts are basically impossible to fit into IRC. I agree that all those things don’t fit into some people’s ideas of an ideal workflow, but they’ve become crucial for a lot of people on Slack, and kind of break in IRC.

        1. 10

          I think that the features you mention could be mapped to IRC, with some loss of course, but IRC users are (maybe?) used to a simpler experience.

          IIRC, less choice is often touted as a good design practice. But Slack is removing the simple thing in favour of the bells and whistles. It’s not a surprise, but it’s sad.

        2. 4

          hard to fit into IRC

          Could you be more specific? This is a Slack-IRC gateway using the recent IRCv3 drafts for threads, reactions and rich content messages: https://twitter.com/irccloud/status/971416931373854721

          As far as I can see, IRC can handle all these just fine.

        3. 3

          It’s in the ‘wrong’ place in my stack, but the wee-slack plugin mentioned by @oz claims to have thread support. As a WeeChat plugin has access to windows and buffers I can imagine that being a smoother experience than a plugin in the otherwise ‘correct’ place: the bouncer.

          Messages from apps are or could be notices in IRC, and images appear as links that I can click through to see using a web browser. It is certainly true that the more a tool tries to structure a conversation the more difficult it becomes to map that to the IRC protocol. That said, I’m absolutely open to retaining the ability to chat from an IRC client by fixing problems anywhere and everywhere they need to be fixed. There is no fundamental reason a thread feature can’t work outside of the official client.

          1. 3

            It’s in the ‘wrong’ place in my stack, but the wee-slack plugin mentioned by @oz claims to have thread support. As a WeeChat plugin has access to windows and buffers I can imagine that being a smoother experience than a plugin in the otherwise ‘correct’ place: the bouncer.

            Yeah I can see where you’re coming from. I love wee-slack, and would use it if it had Enterprise Grid support. I just think that Slack is making more and more design decisions that make it hard to shoe-horn back into IRC.

            1. 3

              I just think that Slack is making more and more design decisions that make it hard to shoe-horn back into IRC.

              If not IRC, then an open, extended version of it or new protocol with a reference client. Worst case is that important stuff like messages stay in the open system whereas extra bells and whistles end up in proprietary system. Less transition cost later if people want to ditch Slack for something better. An open, reference implementation people are using in a lot of environments would also give them more testing of their protocols. They definitely have the money for it at their revenue levels.

              They’re locking it up instead since it’s more profitable in the long run for the founders and investors. The good news is they might have at least inspired some revamps of IRC or chat that will be done better for us without their problems. I think I’ve already seen some like that but we gotta wait to see who gets a sound business model going.

              1. 6

                I’m hoping that new protocol will be matrix. It’s open, federated, has good support for bridges (even a slack bridge), and a solid e2e encryption design (with some polishing left in the implementation to do). There are lots of clients, with riot.im being the most featureful.

      3. 3

        I’ve used the Jabber gateway to connect to HipChat and the IRC gateway to connect to Slack. Hands down the Slack gateway was the superior experience. You could, to be sure, tell you were not connecting to a real IRC server. The experience was remarkably good anyway. By comparison, my messages in to HipChat would sometimes take hours (actual multiple hours) to be received–completely crippling my ability to participate.

    11. 11

      What about Stack Exchange/Discourse’s solution to limit the depth of replies in a discussion to one level? See Jeff Atwood’s article Web Discussions: Flat by Design for details. I like this solution but I am unsure how others think about it.

      1. 7

        For me, it would be a regression. I find indented threads are the only design I’ve seen so far that makes this kind of long discussion followable.

      2. 6

        The two times I’ve designed commenting, it’s been like that. Top level comment, then linear chain of replies. It supports the typical conversation quite well. Somebody posts a link, I ask what’s a monad, somebody answers. It has its own pathological cases, with a dozen people arguing back and forth in a big jumble, but it’s not necessarily worse than the tree model in that case. The tree model appeals to people because it’s “technically correct” but sometimes worse is better.

        1. 2

          The only reason I like the tree model above one-level conversations is that a tree that becomes “toxic” can be hidden entirely from the discussion. It helps when a “troll” comment gets posted, and all the conversation related to that comment as well as the comment itself can just be collapsed out of a conversation, instead of polluting the whole conversation flow. Kind of like the “comment score below threshold” on reddit. Even if lobste.rs didn’t want to auto-hide these flows, I think it’s useful to be able to do that my self.
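          An added example (not the commenter’s code) of the two models being compared in this thread: the same flat list of comments built into a tree, the collapse-a-whole-subtree operation described above, and the one-level “flat” view that Discourse-style designs use instead. The sample thread is constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Comment:
    id: int
    parent: Optional[int]
    author: str
    score: int
    text: str
    replies: List["Comment"] = field(default_factory=list)


# Constructed sample thread (assumption, not from the page): comment 4 is the
# "troll" comment and 5 and 6 are the argument that grows underneath it.
SAMPLE = [
    Comment(1, None, "op", 5, "Link: a tutorial on functional programming"),
    Comment(2, 1, "newbie", 3, "What's a monad?"),
    Comment(3, 2, "helper", 4, "A monad is a type with two operations..."),
    Comment(4, 1, "troll", -3, "This language is garbage"),
    Comment(5, 4, "defender", 1, "No it isn't"),
    Comment(6, 5, "troll", -1, "Yes it is"),
    Comment(7, None, "other", 2, "Unrelated top-level remark"),
]


def build_tree(comments: List[Comment]) -> List[Comment]:
    """Tree model: attach each comment to its parent; orphans become roots.
    Fresh copies are made so the input list is never mutated."""
    by_id: Dict[int, Comment] = {}
    for c in sorted(comments, key=lambda c: c.id):
        by_id[c.id] = Comment(c.id, c.parent, c.author, c.score, c.text)
    roots: List[Comment] = []
    for c in by_id.values():
        parent = by_id.get(c.parent) if c.parent is not None else None
        (parent.replies if parent else roots).append(c)
    return roots


def descendants(node: Comment) -> List[Comment]:
    """Every comment under node, depth-first in id order."""
    out: List[Comment] = []
    for r in node.replies:
        out.append(r)
        out.extend(descendants(r))
    return out


def hidden_ids(roots: List[Comment], threshold: int) -> Set[int]:
    """Ids to collapse: any comment below threshold plus everything under it.
    Siblings elsewhere in the thread are untouched."""
    hidden: Set[int] = set()

    def walk(node: Comment) -> None:
        if node.score < threshold:
            hidden.add(node.id)
            hidden.update(d.id for d in descendants(node))
            return
        for r in node.replies:
            walk(r)

    for root in roots:
        walk(root)
    return hidden


def render_tree(roots: List[Comment], threshold: int) -> List[str]:
    """Indented view with each below-threshold subtree folded into one line."""
    lines: List[str] = []

    def walk(node: Comment, depth: int) -> None:
        indent = "  " * depth
        if node.score < threshold:
            n = len(descendants(node))
            lines.append(f"{indent}[comment below threshold, {n} replies hidden]")
            return
        lines.append(f"{indent}{node.author} ({node.score}): {node.text}")
        for r in node.replies:
            walk(r, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def flatten(roots: List[Comment]) -> Dict[int, List[int]]:
    """Flat model (one level of replies): each top-level comment followed by
    all of its descendants in id order, with the nesting discarded."""
    return {root.id: sorted(d.id for d in descendants(root)) for root in roots}
```

          In `flatten` the reply-to-reply structure is gone, which is exactly why a troll subtree cannot be folded away in that model: comments 4, 5 and 6 sit in the same linear chain as the useful answer at 3.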

      3. 6

        Personally, I quite like threaded discussion, as it helps to keep track of who’s replying to who, and to separate different topics as comments diverge.

    12. 3

      I’m working on getting a private beta of deps.co out to some early users. One of the big tasks is getting the servers setup with Terraform. I’d already done a ton of work setting up the supporting infrastructure, but this was my first time really using systemd in anger, and it took quite a lot of time to figure out some dependency cycles for running my main app. I’m also digging in to Varnish for the first time, although I’m sort of familiar with it from setting up Fastly for Clojars.

      1. 4

        What’s your differentiation from something like Artifactory? Not trying to say it’s better, honestly curious.

        1. 2

          Sure, great question. Hosted Artifactory is a great option if you have a large organisation, or you want to store packages of many different kinds. The downside is that it is fairly expensive to run and somewhat complicated to manage and configure. This is in part because each customer runs on their own VM.

          Deps is designed for smaller JVM based teams that want simpler management and browsing. Crucially it runs as a multi-tenant service, so we don’t need to run a VM per customer. In exchange you get a simpler interface, higher availability, and cheaper pricing. It will be better for some people, but not for everyone, particularly if you need to handle multiple kinds of packages in one system.

    13. 2

      Just make sure you use this as a template and not actually run it - as it installs a user and copies ssh keys that aren’t yours

      1. 4

        Hey - I think you linked the same article this submission is about, and not the original? Did you mean to link the Lobste.rs article or the original?

        1. 1

          Yep, I pasted the wrong thing, thanks for the fix.

    14. 19

      If you’re not even squeezing real fruit, then what is the point of this “juicer”? Why would I buy Juicero packs, which require a $400 can-opener, when I can just get a 12-pack of Naked fruit juice?

      1. 27

        The naked juice doesn’t have a QR code on it to prevent you from drinking it a day after expiration.

        1. 5

          It just has an expiration date. Much simpler.

          1. 5

            There is unfortunately a well-known exploit in that expiry mechanism, which can lead to careless drink-after-expiry vulnerabilities!

            1. 2

              Yeah, ownership of objects like this can lead to problems if mismanaged.

      2. 8

        I think there is real fruit in the bags just packed conveniently

        1. 5

          The bags last for 5-7 days after which the machine supposedly refuses to process them.

          What advantage does this machine deliver which bottled, cold-pressed juice does not?

          1. 4

            My god that sounds like the dumbest shit ever. DRM in kitchen appliances.

            1. 3

              “Taking the D out of DRM”

            2. 2

              See also coffee pods and printer ink cartridges.

          2. 2

            There’s an alternative on kickstarter which at least allows you to fill your own bags of fruit.

            1. 2

              I don’t like the tagline for this product. It says “Juicing without the cleaning”, but:

              Chop fruit and vegetables into pieces roughly the size of a dollar coin for maximum yield

              … which means you have to clean the knife and cutting board. And if you don’t want to use the single-use bags, you have to clean the bag between each use, AND put in a new “cotton filter”, which is USD $0.20.

              What they mean is you don’t have to clean the machine. A bit misleading…

          3. 1

            I’m not sure without actually trying it.

    15. 21

      The problem is not that LetsEncrypt issued those certificates. It’s that we taught people that they should look for the green lock to tell whether a website is legitimate.

      1. 3

        Well, it is.

        If the green lock is right next to https://we-steal-from-your-paypal-account.mysite.com, then the site really is we-steal-from-your-paypal-account.mysite.com.

        1. 5

          I think he means that people think that if the green lock is there, the website is somehow more “trustworthy”. When in fact, it’s just a measure of connection security. So someone sees the green lock on https://we-steal-from-your-paypal-account.mysite.com and thinks that means it is “trustworthy”. Most people I know have no idea what the green lock means other than “it’s good to look for when I online bank”.

          1. 2

            Most modern browsers do attempt to also convey information about the owner of the site in the URL bar, where available, and distinguish that from the connection security status. A green lock on its own means just that the connection is secure (but the site could be anything), while a green lock with text next to it, like “JPMorgan Chase and Co. (US)”, which is what shows for me in Firefox and Chrome when I visit Chase, conveys that the connection is secure and the site has also been authenticated by the CA as owned by “JPMorgan Chase and Co. (US)”. I think many users are likely unaware of how to interpret these distinctions, though.

            1. 2

              This is not browser specific. The ownership information is shown for EV certificates (“extended validation”). Let’s Encrypt offers DV certs only, which means all they verify is that the person requesting the cert really owns the domain.

        2. 1

          I agree. If anything, I’d say it makes more sense for browsers to take on this role rather than the CAs. Perhaps browsers could warn users if they’re about to send secrets to a site with a domain that contains or is a misspelling of one of Alexa’s top 500 domains.

          This certainly isn’t a perfect solution. It might not even be a good one. But I don’t think a CA filtering which domains are allowed is a good solution either.
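          An added sketch (not the commenter’s code) of the browser-side check proposed above: before a page with a password field submits, compare the host against a list of well-known domains and warn when a known brand is embedded in the hostname or the registrable label is a near-miss of one. The brand list is a constructed stand-in for the popularity list the comment mentions, and the registrable-domain split is naive (last two labels, no public suffix list), both of which are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed stand-in (assumption) for the popular-domain list the comment refers to.
WELL_KNOWN = ["chase.com", "github.com", "google.com", "paypal.com"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a single substitution catches '1' for 'l' or '0' for 'o'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host: str) -> Tuple[str, List[str]]:
    """Naive registrable domain = last two labels (assumption: no public suffix
    list, so something like 'example.co.uk' would be mishandled)."""
    labels = host.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels


def lookalike_of(host: str) -> Optional[Tuple[str, str]]:
    """Return (impersonated domain, reason) or None when the host looks genuine."""
    registrable, labels = split_host(host)
    if registrable in WELL_KNOWN or len(labels) < 2:
        return None
    for known in WELL_KNOWN:
        brand = known.split(".")[0]
        # (1) brand embedded as a whole token, or as a prefix, of any non-TLD label:
        #     paypal.com.evil.net, we-steal-from-your-paypal-account.mysite.com
        for label in labels[:-1]:
            tokens = re.split(r"[-_]", label)
            if brand in tokens or label.startswith(brand):
                return known, "embedded"
        # (2) the registrable label is one edit away from the brand: paypa1.com, goggle.com
        limit = 2 if len(brand) >= 8 else 1
        if levenshtein(labels[-2], brand) <= limit:
            return known, "misspelling"
    return None


def should_warn(url_host: str, form_has_password: bool) -> Optional[str]:
    """The check the comment proposes: warn only when secrets are about to be sent."""
    if not form_has_password:
        return None
    hit = lookalike_of(url_host)
    if hit is None:
        return None
    known, reason = hit
    return f"{url_host} looks like {known} ({reason}); this is not {known}"
```

          The token/prefix rule is deliberately narrow so that `purchase.com` is not flagged for containing `chase`, which also means it misses `securepaypal.com`; that trade-off, plus the need for a real public suffix list, is the concrete form of the “might not even be a good one” caveat above, and it is still a better place for the heuristic than a CA refusing to issue.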

      2. 2

        I never taught anyone that. I taught them it means that 3rd parties can’t eavesdrop on their conversation with that server.

    16. 5

      I got a YubiKey over the weekend. It’s a really cool device and, sadly, not as many places can use it as I hoped. So far I’ve only been able to tie it to my Gmail and my Github accounts. I have a feeling I’m not even close to making full use of it though. If anyone has any helpful advice on how to make better use of it, I’m all ears.

      1. 3

        I LOVE my YubiKey (got a bunch at BlackHat USA 2015). I have three - one 4 Nano in my desktop at home, one on my keychain, and one in a fireproof safe. I use Lastpass for all my emails and it’s behind my Yubikey, but I still use Google Authenticator for a bunch of two-factor sites (except Github, Fastmail, and Google). I do wish more people implemented it as a second factor, but having it on my Lastpass at least makes me feel safer.

      2. 2

        I’ve had a YubiKey for a while now but not really used it enough - I’m pretty much only using it for GitHub right now. I’ve been meaning to do all sorts of things (GPG key storage, system logins) but just not had the tuits. Would be curious to hear what others are doing.

        BTW, make sure you get a second one, set it up as a backup and store it somewhere safe - losing your key and getting locked out of services would be a Bad Thing.

    17. 2

      Curious to see how this turns out, can this work without corporate backing? Uber has been paying a lot of legal fees from what I’ve understood.

      1. 2

        Probably the biggest problem is adoption. Assuming that’s overcome, I don’t see what could make this illegal. It’s essentially a dispatch service which is already how most cab companies operate. The biggest difference from Lyft is that this isn’t trying to hire and pay drivers, but instead connects cash/bitcoin (on roadmap) payers.

        Note: IANAL

        1. 1

          I’m just going to assume that in some places, if you accept payment for driving someone around, you are considered a “taxi / limo service” and would have to follow ordinances and whatnot. Isn’t that what Uber has run into?

          1. 1

            Yeah, for sure. Uber / Lyft have problems because there are taxi and limo commissions in various cities. I wasn’t considering this as something everyday people would just do, but rather an enhancement to existing taxis. My mistake!

    18. 2

      Try to figure out why saucelabs is so freaking hard to integrate end-to-end tests with on one of my pet projects. Almost every google-able page for “protractor and saucelabs” is a 404’d page on saucelabs own site :/