Threads for st3fan

    1. -4

      Nobody should write Perl in 2025

      1. 12

        It’s a nice language, I find it fun to write and it is immensely useful for some text-related tasks.

          1. 1

            Who’s “we”? Just curious.

            1. 3

              FinTech company with >600,000 lines of Perl code.

              1. 2

                Certain Dutch company related to hotels. :^)

                1. 1

                  Oh still? I know it was like that 20 years ago, but I’m surprised it still is big there.

          2. 3

            I don’t think the argument is “web apps are bad” but instead “native UI is superior”

            I use plenty amazing web apps. But I accept those for what they are. When an Electron app tries to become a native desktop app then the line blurs and it is clear that the lack of native UI is very noticeable.

            1. 18

              Users, both in the consumer and business space, do not care. One hour of Netflix at 4K is roughly 7 GB, a typical Call of Duty update regularly clocks in more than 300 GB. In practice, we have not seen end users care about binary size more than they do about virtually anything else your engineering team could spend time on.

              Something you seem to forget in this paragraph, is that watching a movie or playing a game tend to be performed exclusively — save for background tasks the user isn’t even aware of, the video player or game tend to be the only app running. Okay, maybe not the video player, but those 7GB are never going to be sitting in RAM at the same time.

              Regular applications however tend to be run concurrently. Often we have at least the browser, messenger, email, and whatever we’re working on, all open at the same time. I personally like to have reasonable assurances that doing so will not cause my computer to swap like crazy and slow down to a crawl. And as a consumer, I would really have liked to not have to buy 32 gigs of RAM, when I’m pretty sure more reasonable coding practices would require an order of magnitude less than that — same for CPU, I love games, but my regular use requires less than two orders of magnitude computational power, if only programs were more performant.

              The cost of adding ~200MB per app, for all users across the globe, is significant. The resources and pollution involved can’t be dismissed out of hand, and the benefits better be as significant. Not that Electron’s aren’t, the mere fact that it enables web devs to write native apps is huge. But it’s also part of its cost: if a web dev writes an Electron app, they’re less likely to consider resource & performance constraints, and even less likely to address them.

              Electron isn’t here to compete with anyone.

              But it is. People have limited time to develop applications, and they have to choose how much of that time is dedicated to Electron apps. No way around that, that’s true of pretty much anything we publish — including this very comment.

              At a deeper level, people have to learn how to do stuff. There Electron is a double edged sword. On the good side it reduces the learning a web dev has to do, as well as reducing the need to learn various native APIs for whatever set of platforms one is targeting. On the other hand it discourages learning about more efficient (at runtime) ways of writing programs, and as such is an impediment to reasonable performance — programs that aren’t the ludicrous CPU or RAM hogs that they so often are right now.

              However, the entire point of Electron is that you can pair your web app with any native code you want to write—specifically with C++, Objective-C, or Rust.

              Okay, but people aren’t using it that way. As far as I know they stop at JavaScript. Because they can. They may be missing “the entire point of Electron”, but in practice there’s very little incentive there to learn native programming: the biggest selling point of Electron after all is that it lets web devs write desktop apps. Meaning, without having to learn how to write a native app.

              1. 9

                It’s not learning that’s the bandwidth limitation. Learning Swift+SwiftUI or C++/WinUI is something to do once and then leverage forever. I know Android, iOS, Mac, enough to build apps from scratch, and I’ve dabbled in Qt and Gnome stuff.

                The issue is that Electron+Web largely lets you target all platforms from a shared codebase, rather than needing to write and indefinitely maintain 2-5 different copies of your app. If I only want to target Mac, I’ll use Swift & the native toolkits. But if I need to support Mac and Windows, I’ll pick Electron so I don’t need a second copy of my app. And if I want to target iOS and Android, all the more reason to use Electron on desktop, and wrap a webview on the mobile platforms.

                I’ll have to write some duplicate code in the webview wrappers (and can add other native features selectively) but once that’s out of the way, I can implement a new feature once in my web codebase and deliver it same-day to everyone, no matter their platform.

                I’m not aware of any options besides Dart/Flutter or game engine stacks that can claim the same write-once-run-everywhere, and neither of those feel like a credible option on web yet.

                1. 13

                  VS Code is the only desktop app I use. It dawned on me that Electron changed the game for app devs. Every OS vendor loves rug pulls with UI toolkits, gtk2->gtk3, winforms, various Mac UI toolkits. It’s often a multi year effort to port apps between em just to stay on same platform.

                  By using electron you can keep using your html ui toolkit from 2010 for next century and offload all the hard integration work onto chrome devs.

                  When I worked at Mozilla just ensuring that Firefox won’t crash on newly released MacOS was occasionally a huge undertaking cos for example libc io functions would randomly start throwing objc exceptions.

                  1. 1

                    Firefox is a great example of what not supporting native UI does to your product. For years, no, probably for more than a decade, Firefox did not integrate well with native UI and OS features that people take for granted to be available in every app they use.

                    1. 2

                      To this day it doesn’t properly support the CoreText keyboard navigation shortcuts (Chromium, notably, does) in its text fields implementation, which drives people like me batty. Edit to add: For folks reading this who are not aware: a huge subset of the Emacs-style keyboard navigation and transformation commands Just Work™ in native Mac text fields, including Ctrl-A and Ctrl-E to go to the start and end of line, Ctrl-B and Ctrl-F to navigate by characters, Ctrl-T to swap characters, Ctrl-O to insert a newline after the cursor, Ctrl-H to delete characters, etc. It is the kind of thing that becomes second nature/muscle memory, so then finding it not working in a text field becomes incredibly distracting and annoying.

                  2. 2

                    I mostly agree with you, the cross platform bit is significant¹. Though I will note that anything UI better be reduced to the absolute minimum (stateless and dumb), if only because it makes the rest of the program so much easier to test. That alone would reduce the amount of duplication needed. Most devs (and I’ve been guilty myself) don’t do this, because leveraging the framework you’re using is so much more convenient in the short term.

                    Which leads to learning: you’re correct, it’s not really a bandwidth limitation. It’s an investment: big initial cost, pays off later. And we humans are notoriously bad at making such investments.

                    [1] Edit: I forgot about Qt. Its mere existence significantly weakens the cross platform bit, unless you count the web itself as a platform.

                    1. 1

                      I do count web itself as a platform - it’s probably the most important one for commercial cross-platform apps

                  3. 6

                    The cost of adding ~200MB per app, for all users across the globe, is significant.

                    Thanks, you mostly made my point so I don’t have to. It’s a bit of a Catch-22. The “bigger” and more important the app, the more likely it is written as a native app because it’s a proper app I properly interact with. I don’t have a problem with electron here, it’s a choice and I can reserve resources.

                    But the more of a situational tool the app is (e.g. a little helper, a GUI for a driver, anything) - the more likely it is written to be in Electron, because it’s not that important (even the authors see that) and the more of them I have running, and the more I’d prefer them to use 5MB of RAM and not 200.

                  4. 16

                    Slack’s Electron-based app was horrible. So bad that I refuse to use it. (My M1 Max MBP only has 10 cores, 32GB RAM, and 2TB of flash, which seems either insufficient or barely-sufficient to run the Slack app.) The web version looks the same as the Electron app, but seems so much better. Even on Firefox. I don’t like Slack, so I still avoid it whenever possible, but if I need to be on Slack, it’s always going to be on the web app.

                    OTOH, I think the Discord app is fine. Even pleasant. I didn’t even realize it was Electron-based, but that makes sense in retrospect. It’s obviously not the fastest or lightest app (by a long shot), but it’s never made me cringe. It just seems like the Discord developers actually tried using their own app, and worked hard to make it not suck. I’ve used the web app for Discord, too, but I really didn’t care for it (even though it looked the exact same).

                    So anecdotally, two different apps, each available as an Electron app and as a web app, and the result of using those two apps (and both Electron and web with both apps) caused me to select the diametrically opposite outcome for each. I think with a group like the Discord dev team, I’d feel pretty comfortable building an Electron app, and not be embarrassed by the result. As for Slack, I’d say that they do a great job of making Electron look pretty bad.

                    1. 9

                      I think the Discord app is fine. Even pleasant.

                      Utter astonishment

                      It is my single most-hated modern internet comms vector because the client is so unspeakably horrible.

                      1. 6

                        Including the fact that it wants to update multiple times every time I use it. For this reason I use the web or iPad app. The latter is electron free.

                        1. 2

                          This would be worth a sidebar conversation in and of itself. I don’t “rely” on Discord much, but I do use it for a slew of random purposes including (a) work chats (99% text), (b) non-work tech group chats (all text), (c) random friend circle chats (all text), (d) various web site centric chats e.g. /r/programminglanguages Discord server (all text) and (e) my family online gaming chat (mostly audio). It doesn’t tend to get in my way for any of these purposes, which is my main measure of “doesn’t suck”. I’m on macOS and spend most of my time in a code editor (IntelliJ), a shell (zsh), or the browser (Firefox), so Discord is just one of the “always on” apps (like Mail and Calendar) that sits there doing mostly nothing until I need to look at it. Anyhow, I’m curious why it is “unspeakably horrible” for you. Maybe I’m just not using it in anger, or my expectations are just super low for it 🤣

                          1. 5

                            Anyhow, I’m curious why it is “unspeakably horrible” for you.

                            Gosh. It’s a bit like saying why you don’t like gangrene. Where to start?

                            I find it a visually confusing mess. It’s hard to tell groups, from contents of that group, from subtopics of that group, from threads in a topic.

                            Its threading is nonexistent.

                            It’s bright and colourful and distracting, but doesn’t use colour intelligently to indicate who said what where: it seems to just splash it around for decoration. To me it looks like a UI for a teenaged boy.

                            Its tools for navigating from conversation to conversation are nonexistent.

                            It feels to me like a badly-thought-out badly-designed incompetent replacement for IRC that was put together by someone who’s never seen IRC, never seen any other text chat or 1:1 or 1:many chat app, but overheard a description in a noisy bar and thought “I can do that.” Without understanding the first thing about what’s good about such things, or what’s bad, or caring.

                            And I don’t even like IRC!

                            1. 3

                              Are we using the same app? Discord is gray on gray. The only color is user profile pics, server-assigned name coloring, the red of the “live” indicator, and the green “share screen” button (which could probably get a coat of gray).

                              Threading exists, but no one uses it because a handful of topic-specific text channels works fine.

                              Channel groups have an “expand/collapse” chevron, text channels have a #, voice channels have a loudspeaker. Threads are indented.

                              Navigating between conversations is a single click?

                              I hear UI complaints about Discord a lot, but the complaints are always so alien to my experience.

                              1. 1

                                Are we using the same app?

                                Oh yes, but seeing it through different eyes. (Mine are 57 and myopic.)

                                Discord is gray on gray.

                                Yeah. A badly-done, low-contrast version of the annoyingly trendy “dark mode”. DO NOT WANT.

                                The only color is user profile pics, server-assigned name coloring, the red of the “live” indicator, and the green “share screen” button (which could probably get a coat of gray).

                                In other words, 4 things I don’t care about, resulting in an ugly garish riot.

                                Threading exists, but no one uses it

                                Translation: broken for non-trivial discussions.

                                Channel groups have an “expand/collapse” chevron, text channels have a #, voice channels have a loudspeaker. Threads are indented.

                                Summary: chaotic mess with no overall plan, designed for millennials who do not grok hierarchies.

                                Navigating between conversations is a single click?

                                WTF is a conversation and why should I have to know?

                                I hear UI complaints about Discord a lot, but the complaints are always so alien to my experience.

                                How do you feel about Usenet and IRC?

                                For me, Usenet was about as good as threaded discussion got.

                        2. 8

                          While I feel inclined to join the “electron bad” bandwagon, I just haven’t had this experience with Slack and I’ve used its electron app on Windows, MacOS, and Linux. Not to mention that the computers I’ve used it on have fewer cores and RAM than yours. Does it lag from time to time? Probably? But I just leave it running in the background and it’s generally fine.

                          I’m curious to know what people mean when they say they find various electron apps unusable, since I’m seeing it a lot in this thread. I love to complain myself about electron whenever something inconveniences me, but I’ve never had anything more than an inconvenience. Maybe my standards for usability are much lower?

                          1. 7

                            The Slack app got a lot better when they rewrote it in 2020. Prior to that it was terrible and would routinely use more than 2 GB of RAM, as shown in the chart in the linked post.

                            1. 2

                              Interesting. Since I’ve avoided the Electron app for that long, I probably haven’t experienced the new and improved version, so my bias is ancient.

                          2. 4

                            OTOH, I think the Discord app is fine. Even pleasant. I didn’t even realize it was Electron-based, but that makes sense in retrospect. It’s obviously not the fastest or lightest app (by a long shot), but it’s never made me cringe. It just seems like the Discord developers actually tried using their own app, and worked hard to make it not suck. I’ve used the web app for Discord, too, but I really didn’t care for it (even though it looked the exact same).

                            It makes me chuckle a bit that you have that reaction. I don’t love the slack app, and do prefer the site, but my reaction wasn’t nearly as strong as yours.

                            The discord app, on the other hand… I hate it with the fire of a thousand suns. I mean, it feels OK when I’m plugged in, and the web app is very aggressive about pushing me to install the electron app rather than just letting me use the site in peace.

                            But holy cow, the electron app is beyond awful when I’m working on battery. Leaving it running usually halves my battery life. Sometimes worse.

                            I only sporadically work mostly on battery, but when I do, discord is right out. I try to leave the mobile app set for notifications on my phone so that I’m still reachable that way, but I’d cheerfully pay for the ability to use an alternative discord front-end that doesn’t destroy my battery during those times when I’m working on battery.

                            The web app is only any better for the battery if I run it in Safari. And it feels more glitchy on Safari than in Chrome or Electron.

                            With a sample size of (my own usage) I’d say the discord team made an awful thing and they should feel bad, where your experience with that gives you the opposite feeling. And that’s why it makes me chuckle… two of us, using the same app for the same thing, on the same platform (I’m using a lower end M1 Pro MBP with 16GB of RAM) have very different reactions.

                            My experience with the Discord app is so bad that I do my best to exhaust other communication mechanisms before resorting to Discord, and I’m less likely to engage with projects that only/mostly use Discord.

                            1. 4

                              I’m in the camp of those who dislike most Electron apps (even though I’ll be writing one myself), but for me Slack in browser is clearly worse than in the app. At least the app version mostly knows how to load missed messages while the app wasn’t running, which is something that the browser version in Firefox regularly miserably fails at. Not sure why though as I’d expect them to run the same code.

                              1. 2

                                Slack’s Electron-based app was horrible.

                                In my browser I can have at least some control over what it does (uMatrix is a great plugin), but the app can do whatever it wants. So, Firefox it is.

                              2. 2

                                I like my MacBook Air M1 so much that I am considering buying a backup in case this one breaks. I’ve had this 16GB / 256GB model since it came out and I can do all my personal hacking on it. Python, Rust, Go and even Xcode (within limits with SwiftUI) work without any issues and just as fast as on my M2 Pro for work. I usually have half a dozen apps open like Safari, Chrome, Ghostty, Slack, VSCode or Zed, plus Mail, 1Password and Messages, and I really never get the feeling that it is under memory pressure.

                                Best form factor and fantastic battery / performance from such a cheap laptop

                                1. 1

                                  The fact that you have to buy an entire new one in case your current one breaks just demonstrates how terrible these laptops are. You can’t repair them because they’re designed to be disposable, and that’s not sustainable long term.

                                  1. 2

                                    They are repairable, but it costs a lot.

                                2. 19

                                  Not a thinkpad with Linux? I quite like that combination.

                                  1. 29

                                    I had a good laugh at “just €950.”

                                    1. 22

                                      I got excited, but yeah, after clicking: no way I’m buying anything from Apple.

                                      Glad that macOS works for all of you, all the power to you, but I personally will never willingly again touch an Apple laptop.

                                      1. 5

                                        I’m curious to know why you don’t like Apple laptops. Because it’s a locked-down system, or because of the planned obsolescence? I think these points are valid criticism to iPhones, but Apple laptops are fine in these regards from my perspective. Sure, they could have more upgradability and repairability, but those didn’t bother me that much. (I have been using a 13” MacBook Pro since 2018, and it served me well until recently when it became unbearably slow, so I upgraded to a shiny M4 Pro MacBook Pro to have some fun with local LLMs. Later I took the old MacBook Pro apart and realized it’s slow simply because the fan has gathered a lot of dust, so the CPU basically got thermal throttled to death. In other words, I could have used it even longer by simply cleaning the dust on my own. Either way, I think 6 years is a fairly long time for a laptop’s lifespan!)

                                        Also curious to hear why people like ThinkPad + Linux so much!

                                        1. 25

                                          This is just me and my problems. I don’t expect anyone else will have these problems, but this is why I, personally, detest working with macOS or Apple software.

                                          Because macOS is a horrible operating system that doesn’t let me fix stuff. The friggin’ OS locks me out of ptracing processes by default, fer crissakes. There is no /proc. Heck, there isn’t even a FHS. Most of the userland is from BSD, not from GNU, so grep doesn’t have a -P flag for PCRE and find doesn’t default to searching the CWD. I know I can fix this stuff with MachoMeBrew, but why would I need MachoMeBrew? It takes so much tweaking to make macOS just work like I want it to.

                                          Because the keyboard is all wrong. I use Emacs. I require ctrl keys in comfortable positions. Most McKeyboards just don’t have right ctrl keys or they have them in weird locations. I use modifier keys on both sides of the keyboard to work with in Emacs. I don’t want an option key. I want ctrl, meta, and super, and I want them in their normal positions.

                                          Because there is no selection like in X. I can’t just highlight and middle click to copy-paste. I have to use the keyboard instead.

                                          Because system upgrades locked my computer for a long time, sometimes over an hour, without any indication of what the operating system was doing. I couldn’t use anything while the upgrade was happening. What nonsense is this? When I’m running apt upgrade on Debian, I can still use all of my programs while the upgrade is happening. I only have to restart processes to reload the new version in RAM, if I want to. And reboots? Again, I can install a new Linux and reboot to the new Linux whenever I feel like getting around to it. It should be my machine, but Apple makes it feel like it’s their machine I happen to be renting while the hardware lasts.

                                          Because Apple wants me to sign up and give them my personal information just to install basic software. Some of this stuff I’m complaining about can sort of be fixed and emulated if you install the right software. But even before you’re even given permission by Apple to install software on your own machine, you have to tell them your name, maybe your phone number, and click “I agree” multiple times on many piles of unreadable legalese.

                                          It’s just a mess I don’t want to bother with. Give me a Linux, give me open source, give me free drivers, give me the right keyboard layout, give free licenses, not EULAs.

                                          Give me control and ownership. Of my own machine.

                                          1. 11

                                            What is this Planned Obsolescence that I keep hearing about? Do iPhones or Mac stop working after a few years? Or have we set some unrealistic expectation that Apple should support hardware to infinity and beyoooond?

                                            1. 11

                                              I think it’s mostly about not allowing old devices to upgrade to the latest operating systems even if they are perfectly capable, but at least for macOS, you can bypass this restriction with tools like OpenCore Legacy Patcher. Apple also made old phones with degraded batteries slower via software updates, but that was a few years ago.

                                              1. 17

                                                The oldest supported Mac running macOS 15 is now 8 years old.

                                                The reason I always get a little upset is that people have this unrealistic expectation that Apple somehow must invest and do far beyond what is reasonable. Why is that?

                                                And why is it immediately assumed to be malicious intent? Because that is what “planned obsolescence” really means: that they sat in a meeting room in 2017 and said “we are not going to make macOS 16 work on this hardware so that people will have to buy our new stuff in 2025! Haha!”.

                                                For anything else it is just software and hardware that becomes unsupported over time, like 99% of this crap we deal with in this industry. Which we accept because the engineering and qa burden to keep things working is huge. Especially compared to where your users are. (They are not on hardware from 2017).

                                                But … Apple is somehow special and must do this on purpose.

                                                1. 9

                                                  My old MacBook Pro is a 2017 model (A1708), which doesn’t support macOS 14, but I was able to install macOS 15 on it with OpenCore Legacy Patcher, and it works perfectly fine. Reportedly, you can even install macOS 15 on devices dating back to 2007. From my understanding, the new software “just works” on old devices without extra engineering investments (otherwise the patcher wouldn’t work so seamlessly), but Apple is putting effort into preventing users from installing new software on it, and that is not cool. I mean, there’s a difference between “upgrade if you want to, but don’t blame us when things break because it’s unsupported” and “you are not allowed to upgrade”. On the other hand, nobody would/should complain about Apple Intelligence not being available on Intel Macs: these don’t have the required hardware, so that’s an unrealistic expectation as you pointed out.

                                                  Meanwhile, maybe Apple bans these software upgrades simply because they don’t want to deal with bug reports from unsupported devices? Moreover, you can always use the patcher to bypass the hardware check, so yeah, I wouldn’t say planned obsolescence is a good reason to hate Apple. For me it’s more of a minor nuisance that can be easily overcome. That’s why I was asking JordiGH why he hates Apple laptops.

                                                  1. 2

                                                    8 is a bit short. I replaced my MacBook Pro a bit over a year ago. The old one was ten years old and still working fine. It was faster for most day-to-day things than the Surface Book 2 that Microsoft had given me for work. It had a 4-core Haswell (8 Hyperthread) CPU and 16 GiB of RAM, which is ample for the vast majority of things I do (compiling LLVM is a lot faster on the new machine, as is running place-and-route tools, everything else was fine with the old one).

                                                    I believe they dropped support for anything without the Secure Element chip in the last update, which is annoying but understandable. I wouldn’t be surprised if the last x86 Macs have a much shorter support lifetime than normal because dropping x86 support from XNU will save a lot of development effort. A lot of people complained when they dropped support for the original x86 Macs, but given that they’d already started the 64-bit transition with the G5 it was obvious that the 32-bit x86 Macs were a dead end, which is why I waited until the Core 2 came out. That machine lasted until it was much slower than the replacements. It was still supported when I replaced it with the Sandy Bridge model (which had two unfortunate encounters with a pavement and ended up being retired quite quickly).

                                                    My first Mac was a G4 PowerBook and, back then, a three-year-old computer (of any kind) was painfully obsolete. Most companies did 3-4 year rolling upgrades. Now, that’s been extended to 7 in a lot of places and even then it’s eligible for upgrade rather than automatic because a seven-year-old computer is often fine. I basically use computers until they wear out now. The performance difference between a modern Intel chip and one from two years ago used to be a factor of two, now you’re lucky if it’s more than 10%, so the need to upgrade is much less.

                                                    I’m less annoyed with this on Macs because the bootloader is not locked and, if macOS is unsupported then the device can have a second life running something else (even the Arm ones now have nice Linux support). It’s indefensible for the iPhones, where they just become eWaste as soon as Apple stops providing updates because there’s no possible way for third parties to support them. An iPhone 7 would run modern Android quite nicely if you could unlock the bootloader.

                                                    1. 2

                                                      8 is a bit short.

                                                      It’s one bit short?!?

                                                      1. 3

                                                        I’ve met some people who were a few bits short of a full byte…

                                                  2. 8

                                                    “Made old phones with degraded batteries slower via software updates” is literally true, but a tad misleading.

                                                    The software update started tracking what time the phone usually gets charged, and clocked the CPU down if it weren’t going to last until that time.

                                                    I had an affected model, and having my phone suddenly slow down definitely sucked, but having it start lasting until I got home wasn’t a bad thing to gain in return.

I’d agree that it should have, at minimum, been something you can disable.

                                                    1. 9

That’s not what they lost in court for. They were reducing the clock frequency to make batteries discharge slower when the maximum charge capacity dropped. Rather than seeing short battery life and getting a replacement battery (which was often covered by warranty), people would see a slow phone and buy a new one.

                                                      This settlement is why iPhones (but not iPads) now have a battery health UI in settings: so you can see if the battery is holding less than 80% of its rated charge and replace it, rather than the whole phone. The iPad does not have this because it was not covered by the settlement, which was specifically a class action suit by iPhone owners.

                                                      1. 2

                                                        They made them discharge slower because otherwise the voltage drop caused the phone to shut off, but they didn’t communicate this to their customers.

                                                        1. 2

                                                          Yes, and if it had caused the voltage to drop and reboot, people would have taken them to the shops and discovered that the battery needed replacing, which was covered by the warranty or consumer-rights law in a lot of cases.

                                                          1. 2

                                                            That’s true but the decision-makers at Apple had no notion that it was the case and didn’t factor the extra income they made into their decision-making /s

                                                    2. 5

For what it’s worth, Apple slowed down the CPU of old iPhones (I believe 4-5 years old at the time? Most other vendors would simply not care about such an old device), because with degraded batteries they were prone to random restarts (the CPU would have needed a higher voltage than the battery could provide).

This wasn’t communicated and they got fined (in France), but if only Apple had actually communicated better, this whole fiasco could actually have had a positive spin (company fixes bug in 5-year-old device). In the end though, it became a user-selectable choice, so best of both worlds.

                                                    3. 2

                                                      It’s not appropriate to connect systems that don’t get security updates to the Internet, so in that sense, yes iPhones and Mac do stop being suitable for the tasks they were previously suitable for after some years.

                                                      In the case of iOS, Apple’s track record is much better than competitors’. In the case of macOS, Apple’s track record is worse than competitors’, so I think it’s quite justified to complain about the macOS situation.

                                                      (The above is deliberately phrased in terms of track record: going forward, there are the twists that Samsung and Google are getting better on the mobile side and Microsoft is getting worse on the desktop side.)

In the past 6 months or so, I have given away 3 Penryn Macs with a working Wayland Linux environment on them and I have installed Ubuntu on two Haswell Macs that are staying in the extended family. The Haswell Macs would have worked in their previous role just fine if macOS had continued to get security updates: the move was entirely about Apple’s software obsolescence. The key problem after the switch to Ubuntu is that iCloud Drive and Apple Photos don’t work the way they do on macOS (you can get some access via the Web at least if you don’t have the encryption enabled).

                                                      The way hardware progress has changed means that N years before Haswell and N years from Haswell onwards (on the Intel side) is very different in terms of what hardware is quite OK for users who aren’t compiling browser engines. It doesn’t feel reasonable to treat Haswell hardware as obsolete. (FWIW, Adobe raised the requirement for a prosumer app, Lightroom, to Haswell only late last year. That is, until very recently a prosumer subscription app supported pre-Haswell hardware.)

                                                      1. 3

                                                        In the case of macOS, Apple’s track record is worse than competitors’, so I think it’s quite justified to complain about the macOS situation.

Sorta, I guess. Apple supports the entire laptop for at least 6 years from the day they stop selling it. Not just macOS, but hardware too. macOS just gets rolled into that support.

It’s hard to find any PC vendor willing to support a laptop past 3 years. Many, by default, come with 1 year of support (for varying definitions of support) in the best case.

                                                        If you buy an Apple laptop, you know you should be able to keep it supported and working without too much hassle for 6 years. When you buy a Dell or Lenovo, you don’t have any idea how long it might last.

                                                        Generally trying to get repairs for consumer grade laptops from any vendor other than Apple is usually annoying at the very least, if not impossible, regardless of warranty status. For business grade laptops, as long as you paid extra for the support, you can usually get repairs done for 3 years. Past 3 years, the answer is almost always: NO.

                                                        Even in server/enterprise land, it’s hard to get support past 5 years for any server/switch/etc.

                                                    4. 4

                                                      Either way, I think 6 years is a fairly long time for a laptop’s lifespan!

                                                      I find it interesting how wildly ppl’s expectations of laptop lifespans seems to differ. Just here in the comments the lifespans people are happy with seem to range between 3–4 and 10 years. Some of this is probably differences in usage patterns, but it’s wild to me that we’re seeing over 2× differences.

                                                      At the moment my “new laptop” is a 2017 Surface Pro I got used two years ago, and save for some games it handles pretty much everything I do without any issues.

                                                      1. 3

My previous laptop is now 12 years old. It has a quad-core (eight-thread) Haswell 2.something GHz processor, 16 GiB of RAM, a 1 TB SSD, and a moderately old GPU. You can buy laptops today that have slower CPUs, less RAM, and smaller disks. I think the worst Intel GPU is a bit faster than the NVIDIA one in that machine. If the old machine is obsolete then people are buying brand new machines that are already obsolete and selling them should be regarded as fraud. It isn’t, because they’re actually fine for a lot of use cases.

                                                        It’s gone from being a top-of-the-line machine to one that’s a bit better than bargain basement in that time.

                                                        1. 2

                                                          My “Late 2010” 11.6” Macbook Air is still going. I had to replace the original battery last month.

                                                          Note that I am actually able to use that one for (light) development purposes. It now has an aftermarket larger SSD. So 4 GB RAM, 240 GB SSD, 1.4 GHz Core 2 Duo.

That said, it is no longer my main machine. I prefer my Framework 13 which is roughly the same size, but with a larger screen.

                                                    5. 10

                                                      I have a very high end X1 extreme through work (i7-11th gen something, RTX 3050, 64GB of RAM). It’s running windows ATM, but I’ve had Linux on it, and let me tell you it does not compete. It gets insanely hot and the battery lasts AT BEST, if I really try, 3.5 hours. This is not better on Linux either.

                                                      The macs easily last an entire day of work on a single charge, while I can’t even work for a full afternoon. It’s not even close in terms of convenience.

There’s also just an annoying lack of attention to detail. One of the most annoying misfeatures of this laptop is that if you charge it with anything weaker than the included 170W (!!!) charger (say, from the hub in a monitor, since IIRC USB couldn’t do that much power when this was released, and it’s not really needed if it’s plugged in all day), it pops up a BIOS error saying that the charger is below the wattage of the included one. This is only skippable by pressing the ESC key, and AFAIK it is completely impossible to disable. This is very early in the boot process so the CPU is still stuck at 100%.

I have been woken up SEVERAL TIMES because Windows decided to update in the middle of the night, so it then rebooted, and got stuck in that screen with the fan at 100%, because it was plugged into “only” a 95W charger.

                                                      This is so dumb. You can just tell no thought was put into it, especially because it happily updates on battery with no warning, too. If anyone happens to know how to disable this LMK because I’ve just resorted to leaving the laptop unplugged from my dock or plugging in the bulky included charger along with it, which kind of ruins the point of having a single cable.

                                                      1. 7

                                                        Oh, just thought of another one: I had recently started having some issues with the laptop shutting down if I put it in hibernate mode (so all state was lost).

                                                        Turns out, it’s because it does not have 64GB of storage free to persist the memory, so it just did not work and shut down instead. But it did not tell me! I had to dig through forums to find that out. How hard is it to just disable it if the free storage is less than the amount of RAM?

Tbf that’s mostly on Windows, not Lenovo, but gah. It’s just bad UX.

                                                        1. 3

                                                          gets insanely hot and the battery lasts AT BEST, if I really try, 3.5 hours

                                                          Sounds like a dGPU (mis)management thing mostly..? My AMD-based L14, despite a small battery capacity (like barely 50Wh or something) easily lasts for 5-7 hours of coding and hanging around online, while staying cool and (with thinkfan) quiet.

                                                          1. 1

                                                            Unfortunately I work with CUDA quite a lot, not for anything super intensive so the 3050 is fine, but enough that I can’t just completely disable the GPU and be fine. If I’m just browsing the web or something though back when I had Linux disabling the dGPU easily doubled the battery life.

                                                            I need to look better into this, I’m not sure if there’s some way to have it turn on on-demand on Windows.

                                                        2. 9

                                                          I rock(ed) one for many years, and frankly.. no. They have CPU throttling issues, and their battery lives are nothing to be happy about.

                                                          I am most definitely not an Apple fan, but the M-series Macs are definitely a paradigm shift in that laptops, for the first time ever, are not just desktop PCs with uninterruptible power supplies that last for the duration of going from your home to work, when you have to plug it in again.

                                                          1. 2

                                                            Which Thinkpad models did you use? There are some that aim at the light weight and long battery life segment of business users.

                                                            1. 5

FWIW even my 2023 Thinkpad X13 Gen4 (AMD) lasts a whopping… 3-5 hours on battery, if the moon is in the right phase and I don’t sneeze too hard. I’ve gotten as little as 2.5 hours of web browsing and terminal use out of it on a bad day, and my max, ever, was about 6.

                                                              Sure, that’s not nothing, and that’s more than “from work to home” (I guess - I don’t commute anymore), but it doesn’t survive a full flight between Seattle and Chicago, and that’s my benchmark for “good battery life”.

                                                              1. 3

                                                                My 16” Lenovo Legion Pro 5i (2023) with 24 core i9-13900HX lasted six hours on battery in Windows 11, doing text editing and web browsing and short compiles (few seconds). I kicked the Windows off and put on Ubuntu 24.04 and battery life is now 5 hours. Which is still more than I need.

                                                                Yeah, I bet the top end MacBook Pro lasts a lot longer, but then this cost me $1600 (incl tax and shipping) while an equivalent MBP with M4 Max costs $3999 plus tax.

                                                              2. 1

                                                                T450. But I also bought used ThinkPads to my less tech savvy family members.

                                                              3. 1

                                                                dupe comment, FYI

                                                              4. 2

                                                                I liked it, too, until I saw hell with my P53. Nothing to do with Linux, it was just a very bad purchase. Worked ok within the warranty, and now a mere 6 years later (!), it is full of hardware defects, crawling on the best it can. Six years with this kind of behavior would be unthinkable for old IBM or even early Lenovo Thinkpads. Sadly, I have no idea what to recommend instead. All things considered (Framework etc), they still seem to be the best. Of the worst.

                                                                1. 5

                                                                  The problem with post-IBM ThinkPads is that Lenovo has no attention to detail. They have good designers but they are spread thin across a gazillion devices. It’s impossible to do a great job in those conditions. Different models have different flaws, like fan noise, bad panels, etc. They should streamline their offering and stop trying to copy some Apple features that are not aligned with their ethos.

                                                                  1. 1

                                                                    Fan noise is fixable (just take control from the OS with thinkfan), if that’s the issue I’m thinking about (shitty fan curve in firmware that doesn’t go silent on idle).

                                                                    What’s not fixable is the shitty firmware bugs. My L14gen2a doesn’t like staying asleep and just wakes up randomly for no reason a lot, and sometimes the keyboard controller hangs with a pressed key (one key gets logically “stuck”, other keys stop responding – only fixed by a sleep-wake cycle).

                                                                    Before anyone says Apple is so much better though: that exact same keyboard controller issue happened to me back in the day on a 2010 MacBook Air, at the worst moment possible… I was playing Dungeon Crawl Stone Soup. You can imagine the outcome.

                                                                    1. 2

                                                                      Fan noise is fixable (just take control from the OS with thinkfan), if that’s the issue I’m thinking about (shitty fan curve in firmware that doesn’t go silent on idle).

I was referring more to the lack of sufficiently good cooling hardware in some ThinkPad models. They have so many SKUs that heating designs, pipes and fans are not thought through or tested carefully in some models. Others are great.

                                                              5. 18

                                                                I am one of the people who began to wonder “Is my phone listening to me?” because of Instagram ads. I never really believed that they were, but it felt like they could be given how targeted the ads were. Here’s a dilemma.

                                                                1. Instagram/Meta/Whoever was listening and sending me microphone-based targeted ads. That’s definitely bad.
                                                                2. Instagram/Meta/Whoever was not listening but they still had a method to send me (and people I talked with) ads (well) targeted enough that they felt as if they could have been based on microphone data. (E.g., I talk to my wife about needing sweaters. Within minutes, both wife and me have buckets of ads for men’s sweaters on Instagram.) That’s also definitely bad.

                                                                Either way, I’m glad I quit Instagram (and all social media) as a 2022 New Year’s resolution.

                                                                1. 8

There are plenty of ways to track users nowadays: cookies, pixels, the TCP/TLS hello handshake, … Each comes with a different “resolution”, allowing advertisers to send you more relevant ads. Chances are that Meta, Google, Adobe, Alibaba and Bytedance are just really good at building these data pipelines and segmenting them with different clustering algorithms and ML-powered recommendations. It’s next to impossible to disable these completely given that many of these services also design and sell the underlying compute platform that you are using: Android, Chrome, search, email, ISP, etc.

I think all these fear mongers created a really good selling pitch for Apple’s private compute pitch. However, I doubt that it’s going to last long because Apple could start selling ads themselves.

                                                                    1. 1

                                                                      “Ads that are delivered by Apple’s advertising platform may appear on the App Store, Apple News, Stocks, and Apple TV app. Apple’s advertising platform does not track you, meaning that it does not link user or device data collected from our apps with user or device data collected from third parties for targeted advertising or advertising measurement purposes, and does not share user or device data with data brokers.”

                                                                        1. 8

                                                                          Yes. Why does nobody believe anything a company says any more?

                                                                          When companies are caught lying even a tiny bit it’s headline news. And yet a lot of people seem convinced you can’t believe anything any company says about anything.

                                                                          I guess the big problem here is probably around telling the difference between marketing and material statements. If a company says “our product is the best solution on the market” that’s a different category of statement from “our products do not listen to your microphone to target ads” or “we don’t train our LLMs on your inputs”.

                                                                          1. 5

                                                                            Why does nobody believe anything a company says any more?

                                                                            Because they’re incentivized to lie by the only factor that they care about, money. If they can make more money by lying, they will, then pay a fine or a PR agency or fire some token employee if it comes out. Doing otherwise would be failing the great god of “maximizing shareholder value”. I mean, look who the richest man in the world is right now; what’s his history with materially false statements?

                                                                            1. 4

                                                                              None of the companies I have ever worked for have seemed like that as an insider.

                                                                          1. 1

                                                                            If there’s no user or device data shared with data brokers, how are those brokers targeting ads?

                                                                            1. 2

                                                                              People buying ads from apple can target them at “segments” based on personal info, so long as each segment contains at least 5000 people. It’s in the link above. https://www.apple.com/legal/privacy/data/en/apple-advertising/

                                                                    2. 8

                                                                      I also believe that “they are listening”. I’m a software engineer who’s worked in ad-tech and has developed mobile apps in the past.

                                                                      I’m aware that, for example, the Facebook app may not be able to literally use my microphone to listen at that exact second. But I am also aware at a high level that lots of data is collected and exchanged between companies for advertising.

                                                                      So whether or not Google’s app is listening to me, or my “smart TV” is listening and sending that info with identifying IP or other identity resolution methods, or someone else’s phone is listening and sharing text plus ip and geo, the result is the same. I have many times said incredibly specific things and immediately gone from seeing zero ads about that product to seeing an ad for that product.

                                                                      It’s kind of like solving a crime or debugging a production issue. The advertisers possess the motive. I believe that they do possess the means (other devices or maybe other more unscrupulous apps on your phone).

                                                                      More often than not the xkcd observation is true “Correlation doesn’t imply causation, but it does waggle its eyebrows suggestively and gesture furtively while mouthing ‘look over there’”.

                                                                      1. 1

                                                                        You make a good point. While I am comfortable with Apple, and their promise of protecting users, my home network has several IoT devices of questionable origin (like the 4K projector that allows me to login to Netflix and plays sound), and I cannot be sure that they aren’t listening in.

As an example, random Chinese projector brands offer their $300+ projectors for peanuts (like under $50) with coupon codes. I won’t be surprised if these are actually CCP surveillance devices. I cannot prove it either way, but I am inclined to believe the no-name cheap Chinese projector is doing something nasty.

                                                                    3. 6

                                                                      Christmas with my loved ones.

                                                                      Then, the whole family will all be heading to the 38th Chaos Communication Congress in Hamburg #38C3 :-)

                                                                      1. 1

                                                                        I am so jealous that you get to go. And with the whole family! Enjoy :-)

                                                                        1. 1

                                                                          Thank you, Stefan. Happy holidays to you and your family :)

                                                                        2. 1

                                                                          be sure to wrap the babies well in tinfoil!

                                                                        3. 3

                                                                          I moved from Emacs to Neovim and I like it a lot. But I will probably move to Helix once the script support lands.

                                                                          1. 35

                                                                            My favourite feature of Firefox mobile is being able to put the URL bar on the bottom of the screen. I wish I could buy a phone with good specs and a screen about the size of the original iPhone so I could actually reach the top bar without contorting my hand too much, but since I can’t I’ll happily take the bottom bar instead.

                                                                            The only deal breaker for me is that it’s missing keyboard controls, so if I decide to pack light on a trip and want to do some programming on the go with my tablet and a BT keyboard, I have to either use Chrome for browsing the internet or get a very annoying experience on Firefox.

                                                                            1. 7

                                                                              Vivaldi (Chromium based) has the bottom tab bar & address bar feature too on mobile, plus a bunch of other customizations. It is refreshing!

                                                                              1. 6

                                                                                The only deal breaker for me is that it’s missing keyboard controls

It’s sad how much Android keyboard handling has regressed. In the early days we had configurable keyboard shortcuts and consistent menus that were accessible using hardware buttons or the keyboard. Apps usually had good keyboard support too. Nowadays we get to play “hunt the hamburger” or “guess what to tap” instead.

                                                                                1. 16

                                                                                  Don’t all mobile browsers do that nowadays? Safari has had this feature since iOS 14 or 15 I think, 3 or 4 years ago, and it was already late to the game.

                                                                                  1. 5

                                                                                    Yeah, most should. I recall the first relatively popular was either IE or Edge, on Windows Phone 10 years ago.

                                                                                2. 4

                                                                                  Refurbished iPhone 13 Mini

                                                                                  1. 2

                                                                                    What’s a good site for refurb iPhones?

                                                                                    1. 6

                                                                                      Directly from Apple is actually reasonably priced. Unfortunately, they don’t seem to have any refurb 13 minis in stock. I’m ride or die with the 12 mini until there’s a worthy challenger for a mini phone.

                                                                                      1. 2

                                                                                        I’m ride or die with the 12 mini until there’s a worthy challenger for a mini phone.

                                                                                        I’m afraid I’m waiting for that kind of challenger, too. I love my 2022 SE, but apps and sites are not adequately testing on that screen size anymore. Navigation apps have gotten especially frustrating. I’m hoping against hope that the next mini maintains TouchID, because I really don’t like FaceID on my phone, but all signs point to “no” on that front.

                                                                                        I’d halfway be happier to get a less expensive flip phone that I could tether a tablet to, and carry both things, but I don’t see any evidence of one of those either.

                                                                                      2. 3

                                                                                        Not refurb, but I’ve been buying all iPhones both for myself and family members used from swappa.com for years. It’s worked great for me, zero issues and you save a lot of money.

                                                                                        1. 2

                                                                                          swappa.com

The equivalent for Europe is swappie.com. They make it very easy to trade in your old phone and give you a proper chargeback. I think they started operating from Finland but now have warehouses in different countries, e.g. Germany, which makes shipping pretty fast.

                                                                                        2. 2

                                                                                          Best Buy seems to have a whole bunch. Not sure if third-party seller though.

                                                                                    2. 5

                                                                                      While this isn’t wrong, there’s an interesting snippet buried in there:

                                                                                      On the contrary: I would like to see PyPI integrate more of these as Trusted Publishing providers, provided that the usage statistics and operational complexity for each actually benefit the community as a whole.

                                                                                      It seems like this, combined with the discussion of effort in validating OIDC, indicates that independent hosting may never be supported. I’m hoping that I’m misinterpreting this.

                                                                                      1. 9

                                                                                        The sentence directly under it clarifies it:

                                                                                        Enrolling a few thousand projects on a single self-hosted forge would be great; having to review dozens of forges with under a dozen users would not be.

                                                                                        The problem is not ‘self-hosted’ versus not; it’s scale. PyPI already has API tokens for people who want to self-host everything. It does not make sense to dedicate the engineering and review time to federating with everybody on the internet, given that API tokens work just fine.

                                                                                        1. 2

                                                                                          So, in short, they are fully declining to support self hosted repos.

                                                                                          It feels like if manual review is needed to support a hosting, perhaps the technology isn’t fit for purpose.

                                                                                          1. 32

                                                                                            Your comments so far haven’t really been taking a productive approach, but I’ll attempt to explain anyway:

                                                                                            You should not think about “Trusted Publishing” as being about PyPI trusting specific sites. Instead it’s about setting up a framework in which you, the author/developer of one or more packages, can trust a third party which you do not own or control and delegate to them permission to publish to PyPI on your behalf.

                                                                                            If you want to have packages published to PyPI from something you do own and control yourself, you don’t need this! That’s why people have told you multiple times that the answer to “self hosting” is to just generate and use a PyPI API token. The Trusted Publishing approach is more complex and involves the whole OIDC flow and short-lived tokens and the whole nine yards precisely because it isn’t for something you self-host and fully own/control, and thus you want a high degree of care to be taken with what access it’s given and how and for how long.

                                                                                            1. 8

                                                                                              This is a great answer and should probably be posted to a FAQ somewhere :)

                                                                                              1. 4

                                                                                                Part of the concern is sites like Are we PEP 740 Yet? are already popping up from some of the groups involved in PEP 740 which does not give confidence that alternative flows will continue to be supported. Will PyPI mandate all publishes go through trusted publishers when enough packages are green on those trackers?

                                                                                                1. 10

                                                                                                  PEP 740, for those who don’t click links, just provides a way to attach a standardized “attestation” — i.e., digital signature — as metadata on a package uploaded to PyPI. This replaces the deprecated and removed PGP signature support PyPI used to have.

                                                                                                  That’s it. That’s PEP 740: PyPI now has standardized support for package signing, a feature people have suggested and even outright demanded for years now, and someone made a site to track which of the most popular packages have adopted it.

                                                                                                  PEP 740 does not mandate “Trusted Publishing” (aka, publishing from a CI system via a short-lived OIDC token). The “are we PEP 740” site does not say anything about forcing or requiring people to use TP.

                                                                                                  Yet here we are, with it being presented as a suspicious and sinister thing which is assumed to herald the eventual takeover of all Python packages by Microsoft or something.

                                                                                                  And it’s a no-win situation for PyPI, because there’s nothing they can say or do that will ever satisfy someone like you. No, PEP 740 is not a secret plot to make everyone use GitHub. But it does no good to say so, because anyone operating on reason and evidence can already see that and wouldn’t have had “concern” about it in the first place.

                                                                                                  1. 9

                                                                                                    PEP 740, for those who don’t click links, just provides a way to attach a standardized “attestation”

                                                                                                    It sounds like you have looked at/worked with this thing for a bit longer, so I’d suggest you step into the shoes of someone who has only heard about this like yesterday (it me). I looked at the PEP, I read 2 blog posts and yet the question “is this even needed for self-hosted repos” didn’t pop into my mind and if it did, none of the 3 resources would have answered that.

                                                                                                    I’m not disagreeing with anything you said, but if I interpret the question in the most basic way, aka “does this mean that I can get a green check mark via github and not via my own forgejo instance and being ‘shamed’ on AreWePep740Yet?” then that does sound bad and the comparison to gpg-signed doesn’t make any sense (for this aspect) because it would have worked both ways. If I am misunderstanding, then disregard.

                                                                                                    But please don’t tell people to just RTFM when this is a topic that apparently warrants a full PEP and multiple explainer posts. Just clicking the link without reading for... maybe 2h? does nothing.

                                                                                                    1. 6

                                                                                                      But please don’t tell people to just RTFM

                                                                                                      I told people what PEP 740 does and, importantly, what it doesn’t do (it doesn’t force you to use GitHub). Anyone who wants to go read it and verify for themselves that I’m telling the truth can do so.

                                                                                                      And the context was a response to someone who is spreading the same old conspiracy theory that somehow PyPI will be used to force the entire Python community to use GitHub/Microsoft. This is easily debunked just from looking at what PyPI has actually done. Every time they’ve rolled out something like this they’ve started the implementations/integrations with the currently-most-popular code hosting site (GitHub) and then expanded to others. The “concern” about being locked in to a single provider has never ever been justified by the actual reality, yet is brought up again and again and again. Just like PEP 740 attestations are initially doing an integration with the most popular code hosting site and will expand in the future. Just like the article this comment thread is attached to says.

                                                                                                    2. 3

                                                                                                      PyPI however, does mandate PEP 740 attestations come from a trusted publisher. And are we PEP 740 yet is measuring PyPI.

                                                                                                      and someone made a site to track

                                                                                                      I will point out that someone is one of the three PEP authors, so not some internet random unrelated to this.

                                                                                                      1. 4

                                                                                                        Trusted Publishing initially only supported GitHub. Now it supports more than GitHub. You’re replying in the comments on an article which explains that the implementations have opted to go with the most popular platforms first and then expanding afterward. Yet you are pushing the idea that they won’t do what they clearly already have done.

                                                                                                        Again: there is nothing that could be done to assuage your “concern”.

                                                                                                2. 12

                                                                                                  No. Self-hosted forges are and will always be supported, via API tokens. They won’t necessarily be supported via OIDC federation, because it doesn’t make sense at smaller scales.

                                                                                                  (Yes, OIDC federation is not fit for small-scale use. It’s fit for large scale use. That’s the point, and it’s why PyPI supports technologies that fit well at both scales.)

                                                                                                  1. 9

                                                                                                    See my other comment - so just so I understand this correctly: hypothetically, if suddenly 90% of packages would self-host (aka none of the “trusted publishers”) then this page would show up to 90% yellow (aka bad) and yet there is no real problem? Doesn’t that mean there should be another color?

                                                                                                    1. 8

                                                                                                      If 90% of projects were self-hosted, it would indeed have been irresponsible to pick yellow (which doesn’t mean bad, but “in progress”). But, as noted in the post, this is counterfactual: the overwhelming majority of Python projects have their source on GitHub, and I suspect that this number skews even further to GitHub in the top 360.

                                                                                                      (If people are repeatedly getting the impression that “yellow bad,” I can adjust the website so that it only marks a project yellow when one or more of its URLs come from GitHub.)

                                                                                                      1. 11

                                                                                                        I think people will absolutely get the impression that “yellow bad”. This is what people mean by social pressure to host on GitHub. Again, no conspiracy theory here, I don’t think it’s intended, just that it’s what will happen.

                                                                                                        1. 14

                                                                                                          That’s fair. I’m going to tweak the colors now, then, to make this clearer.

                                                                                                          Edit: the site has been updated, and now has a new category for platforms that PyPI doesn’t support attestations from yet. At the moment, that’s 7% of the top 360, which is in line with the hypothesis that the top Python projects use GitHub as much or more than the average.

                                                                                                          1. 9

                                                                                                            That’s a neat change, thanks for turning that around so fast.

                                                                                                        2. 3

                                                                                                      Thanks for clarifying how I understood it and indeed I think this is what most people (casual observers) would expect. (Maybe https://www.arewewebyet.org/ is the most popular analogous example?) I mean, good that you didn’t choose red or orange, and I don’t personally see it as a problem, but I can see how some people would perceive it that way, because it was my first impression as well (before reading a lot).

                                                                                                    2. 5

                                                                                                      When you say “declining to support self hosted repos” what do you mean? What’s the concrete feature that you would like self hosted repos to have that they won’t have?

                                                                                                    3. 1

                                                                                                      I don’t think it is just scale. I think it is simply impossible to trust a self hosted repo and for example attestations generated by that repo.

                                                                                                      (Assuming we’re talking not just about a place to host a package but actually the whole build pipeline)

                                                                                                      For GitHub I can download their SOC2 and other reports and see that they had a professional audit of their services and practices. I can read they set a high standard for good security practices. Both technically and operationally.

                                                                                                      For a self hosted repo by an individual or small group of individuals this is pretty much impossible.

                                                                                                      But does it matter? I don’t know. If the Twisted folks publish outside of GitHub (they don’t it is just an example) and maybe they have a lower ranking because of that. I can still trust their attestations and hosting/build platform based on other factors like their presence in the community or how they run their project. If I think as a consumer of packages you are always ultimately in control?

                                                                                                  2. 16

                                                                                                    I love passkeys as a second form of auth. GitHub did a great job with that. If my passkey is available then I sign in with a single tap on the touchid sensor or with FaceID. If not then I fall back to username/password/code.

                                                                                                    On GitHub it is specially useful to have Passkeys to access sensitive settings. Like managing Teams & Collaborators just requires a quick tap to verify it is me.

                                                                                                    I wish more websites did this.

                                                                                                    No reason to fully dismiss passkeys. I think it was wrong to market them as full password replacements. I like to think of them as complementary.

                                                                                                    1. 6

                                                                                                      I think it was wrong to market them as full password replacements.

                                                                                                      This. Probably coming from companies trying to lock in people and control things.

                                                                                                    2. 3

                                                                                                      By default, a Rust program is much faster than a Swift program. This is because Rust is fast by default, and lets you be slow, while Swift is easy by default and lets you be fast.

                                                                                                      This needs a benchmark.

                                                                                                      1. 6

                                                                                                        There was one where Rust was just behind C, while Swift was head to head with JavaScript:

                                                                                                        https://github.com/ixy-languages/ixy-languages

                                                                                                        I think this was just a particularly bad case, and Swift could do better, but also shows that implicit boxing and refcounting can add a big overhead if you’re not careful.

                                                                                                        Rust’s “fast by default” sounds like an exaggeration, but from perspective of unexpected overheads it’s true. Rust doesn’t have just a string type, and is pedantic about &str vs Box<str> vs String (and a bunch of others). If you want refcounting, you need to specify which one (Rc or Arc) and bump the refcount manually every time. This is tedious, but also impossible to miss and make things heap-allocated and refcounted by accident.
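
                                                                                                        The point about explicit reference counting, shown in an added Rust example that is not part of the comment above: borrowing a `&str` allocates nothing, cloning a `String` always copies into a new buffer, and sharing requires an explicit `Rc`/`Arc` clone whose count you can observe. The names, sample strings and the four-thread fan-out are constructed for illustration.

```rust
use std::rc::Rc;
use std::sync::Arc;
use std::thread;

/// Borrow a slice of an existing string: no allocation and no refcount;
/// the result simply points into `s`.
fn first_word(s: &str) -> &str {
    s.split_whitespace().next().unwrap_or("")
}

/// Cloning a `String` copies the bytes into a fresh heap buffer, so the
/// clone never shares storage with the original (returns false for a
/// non-empty string).
fn string_clone_shares_storage(s: &String) -> bool {
    let copy = s.clone();
    std::ptr::eq(s.as_ptr(), copy.as_ptr())
}

/// Cloning an `Rc<str>` only bumps the strong count; both handles point at
/// the same allocation, and the count drops again when the alias is dropped.
/// Returns (count before clone, count during, count after, same allocation?).
fn rc_clone_counts(text: &str) -> (usize, usize, usize, bool) {
    let shared: Rc<str> = Rc::from(text);
    let before = Rc::strong_count(&shared);
    let alias = Rc::clone(&shared); // the explicit, visible bump
    let during = Rc::strong_count(&shared);
    let same = Rc::ptr_eq(&shared, &alias);
    drop(alias);
    let after = Rc::strong_count(&shared);
    (before, during, after, same)
}

/// Sharing across threads requires `Arc` (atomic refcount); an `Rc` here
/// would be rejected by the compiler. Each thread gets one explicit clone.
/// Returns (sum of lengths reported by the threads, strong count after join).
fn arc_across_threads(text: &str) -> (usize, usize) {
    let shared: Arc<str> = Arc::from(text);
    let handles: Vec<_> = (0..4)
        .map(|_| {
            let h = Arc::clone(&shared); // constructed fan-out of four workers
            thread::spawn(move || h.len())
        })
        .collect();
    let total: usize = handles.into_iter().map(|j| j.join().unwrap()).sum();
    (total, Arc::strong_count(&shared))
}

fn main() {
    println!("first word: {}", first_word("hello world"));
    println!("String clone shares storage: {}", string_clone_shares_storage(&String::from("abc")));
    println!("Rc counts: {:?}", rc_clone_counts("abc"));
    println!("Arc across threads: {:?}", arc_across_threads("abc"));
}
```

                                                                                                        Nothing in this block becomes heap-allocated or refcounted implicitly: every `String`, `Rc::clone` and `Arc::clone` is spelled out, which is the property the comment describes.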

                                                                                                        1. 3

                                                                                                          It makes sense to me that a network protocol base test would not put Swift in the best light. If there is a request response cycle, a language with a tracing GC only needs to trace the living heap and copy it over. Most data isn’t going to survive past the original request so tracing should be relatively cheap. Allocating might just be bumping a pointer too. In a ref counted language, it needs to increment and decrement on everything it touches (with some ref count elision and other tricks I’m sure).

                                                                                                          On the programming language benchmarks game, Swift fares a bit better than Javascript, Haskell, and OCaml.

                                                                                                          https://benchmarksgame-team.pages.debian.net/benchmarksgame/box-plot-summary-charts.html

                                                                                                      2. 15

                                                                                                        What does this setting change? The linked register article is a lot of words, a summary of the change would be nice. And the formatting is nice, but no way I’m executing that curl command…

                                                                                                        1. 7

                                                                                                          Yup, would’ve appreciated an explanation or a more direct link right in that script. Here is Mozilla’s own explanation of the “Privacy-Preserving Attribution” feature that is switched off by the script: https://support.mozilla.org/en-US/kb/privacy-preserving-attribution

                                                                                                          (no clue though whether PPA is a good idea or whether I should enable or disable it)

                                                                                                          1. 5

                                                                                                            no way I’m executing that curl command…

                                                                                                            There’s no need to execute the curl command; you can just paste the command at the top into your terminal after reading it to confirm it doesn’t contain anything malicious.

                                                                                                            It disables a feature that allows advertisers to track users in an allegedly-anonymized way.

                                                                                                            1. 21

                                                                                                              It disables a feature that allows advertisers to track users in an allegedly-anonymized way.

                                                                                                              It disables a feature that allows advertisers to get information about their ad campaigns – how many times was an ad viewed, how many times was it clicked on, etc. – without using cookies or other techniques to try to attach stable identifiers to individual users and track what they’ve seen/clicked/etc.

                                                                                                              In other words, it’s supposed to be an alternative to user tracking, to allow judging the success/effectiveness of an ad campaign without the need to track users.

                                                                                                              Most of the agitation I’ve seen about it has either been people misrepresenting it as just another form of tracking users, or people literally arguing against mathematics (usually with some sort of claim that because prior anonymization systems have failed, k-anonymity must also have some fatal but as-yet-unknown flaw, when k-anonymity’s strengths and weaknesses and the things you need to do to get it right are actually pretty well analyzed and understood by the people who deploy it).
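
                                                                                                              To make the k-anonymity idea concrete, here is an added Rust example that is not part of the comment above and is not Mozilla’s implementation: an aggregator that counts views and clicks per (campaign, site) bucket and releases a bucket only when at least `k` distinct browsers contributed to it. The report struct, the campaign and site names, the browser ids and the threshold are all constructed for illustration.

```rust
use std::collections::{HashMap, HashSet};

#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
enum Event {
    View,
    Click,
}

/// One constructed attribution report. The `browser` id is an opaque value
/// that exists only inside the aggregator and never appears in the output.
struct Report<'a> {
    campaign: &'a str,
    site: &'a str,
    event: Event,
    browser: u32,
}

/// Aggregate reports into (campaign, site, event) buckets and release only
/// buckets to which at least `k` distinct browsers contributed. Note that the
/// threshold is on distinct contributors, not on the event count: one browser
/// generating many events must not be enough to release a bucket.
fn k_anonymous_counts<'a>(
    reports: &[Report<'a>],
    k: usize,
) -> HashMap<(&'a str, &'a str, Event), usize> {
    let mut contributors: HashMap<(&'a str, &'a str, Event), HashSet<u32>> = HashMap::new();
    let mut counts: HashMap<(&'a str, &'a str, Event), usize> = HashMap::new();
    for r in reports {
        let key = (r.campaign, r.site, r.event);
        contributors.entry(key).or_default().insert(r.browser);
        *counts.entry(key).or_default() += 1;
    }
    counts
        .into_iter()
        .filter(|(key, _)| contributors[key].len() >= k)
        .collect()
}

/// Constructed sample: five browsers view an ad on news.example, two of them
/// click; a single browser views the same ad three times on blog.example.
fn sample_reports() -> Vec<Report<'static>> {
    let mut v = Vec::new();
    for b in 1..=5 {
        v.push(Report { campaign: "spring-sale", site: "news.example", event: Event::View, browser: b });
    }
    for b in 1..=2 {
        v.push(Report { campaign: "spring-sale", site: "news.example", event: Event::Click, browser: b });
    }
    for _ in 0..3 {
        v.push(Report { campaign: "spring-sale", site: "blog.example", event: Event::View, browser: 42 });
    }
    v
}

fn main() {
    // With k = 3 only the news.example view bucket is released.
    for (key, n) in k_anonymous_counts(&sample_reports(), 3) {
        println!("{:?}: {}", key, n);
    }
}
```

                                                                                                              The suppressed click bucket and the suppressed blog.example bucket are the part that is easy to get wrong: a threshold on raw counts would have leaked the single browser behind the three blog views. Also note that this handles one release in isolation; repeated releases over overlapping time windows can still be differenced, which is one of the known things a deployment has to account for.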

                                                                                                              1. 11

                                                                                                                Yeah, turning this feature off will actually make advertisers who support it fall back to actually privacy invading techniques. Like you mention, cookies, tracking pixels, javascript hacks, whatever. Not what you actually want.

                                                                                                                It is good that there is a choice, but I think this setting has been pretty poorly named and also very poorly explained by Mozilla.

                                                                                                                1. 14

                                                                                                                  Do you have any example at all of an advertiser who gave up their previous and still-working tracking techniques in favor of using private technology exclusively?

                                                                                                                  Without force, I can’t think of a logical reason they wouldn’t just use both.

                                                                                                                  1. 2

                                                                                                                    I don’t but probably mostly because the privacy preserving alternatives are only now being developed.

                                                                                                                    And it’s not as black and white as you make it seem, either. The more it impacts advertisers’ revenue the more force is needed. Google wanted to deprecate third-party cookies and gave up because it was too expensive. At least that is my very uninformed interpretation of events. :)

                                                                                                                  2. 8

                                                                                                                    Not what you actually want.

                                                                                                                    This is a false dichotomy. The choice isn’t exclusively between “advertisers using very invasive tracking techniques” and “advertisers using metrics for insight without invasive tracking” (especially since I no longer believe advertisers should be given the benefit of the doubt that they’ll ever actually embrace the latter). There’s at least one other option: not having advertisers. This is the world I want to live in.

                                                                                                                    All the best,

                                                                                                                    1. 3

                                                                                                                      There’s at least one other option: not having advertisers. This is the world I want to live in.

                                                                                                                      This statement is equivalent to saying that the world you want to live in is one where either:

                                                                                                                      • Only people who are wealthy enough to run a site without needing it to self-fund or make money to compensate their time should be allowed to have sites on the web, or
                                                                                                                      • Only people who are wealthy enough to be able to pay for every site they use should be allowed to use the web

                                                                                                                      I don’t think that world is one you actually want to live in.

                                                                                                                      1. 7

                                                                                                                        I don’t know that it is productive for us to engage in this conversation further because I can tell our political differences might be vast, but I will aim to at least give a glimpse into where our logical paths diverge: in particular, your two options assume that capitalism/wealth is the only mechanism by which a website could come to be available—I fundamentally disagree. Just to list a couple alternatives:

                                                                                                                        • the internet could be deemed purely public infrastructure, and governments could set aside bandwidth and storage for all citizens to host something (something of an analog to UBI, but for the internet)
                                                                                                                        • large charities could do the same (picking up where society leaves off, often colored by the organization’s mission)
                                                                                                                        • at-cost, or near-at-cost hosting could become the norm (e.g., NearlyFreeSpeech)

                                                                                                                        I remain fundamentally unconvinced that capitalism has been a net-positive force for the world, and do not believe it has demonstrated enough utility/priority¹ to justify its continued existence. I recognize that that’s not necessarily a widely-held belief, but it should hopefully clarify why I, in no way, expect any platform for expression and information-exchange (which is what the Internet, in my opinion, should be) to be dominated or controlled by wealth. In fact, that’s part of why I come to Lobsters more frequently than TheOrangeSite™; as far as I know, @pushcx and the rest of the moderator/infrastructure team aren’t driven to host/manage this site out of profit-motive.

                                                                                                                        And yes, I believe advertising is unethical; I do not believe it should exist. Full stop.

                                                                                                                        All the best,

                                                                                                                        -HG

                                                                                                                        1: cf. https://en.wikipedia.org/wiki/Prioritarianism

                                                                                                                        1. 2

                                                                                                                          There are more than two possible worlds, though, including ones where ads exist without being what they are today.

                                                                                                          • Ads can exist without being allowed to run arbitrary code loaded from an advertiser-controlled server.
                                                                                                          • Ads can be targeted at the content they surround, not the person viewing the page.

                                                                                                          1. 2

                                                                                                                            The person I was replying to made clear that they want a world which does not have advertisers, period. They’ve already been offered a strategy for trying to make ads not require invasive tracking of the viewer and rejected that; I don’t think it’s productive to continue trying to define a world of “good ads” to see if they come around on it.

                                                                                                                            1. 3

                                                                                                                              Agreed! In fact, I migrated off AdBlock Plus the moment they started allowing “ethical ads” (a misnomer, in my opinion).

                                                                                                                              If the only choices I’m allowed to make as a “consumer” in our modern society are bound by some systemic assumptions that are so widely-accepted-without-question that changing them is nearly-heretical, then of course I’d prefer less tracking / privacy-invasion. But, I have no faith that advertisers would embrace such a thing (DNT didn’t exactly fare well). Moreover, whether I can actually make meaningful strides toward the world I would rather see or not, I can at least imagine, propose, and defend it.

                                                                                                                              So long as there are alternative choices out there—especially ones I would deem to be strictly superior—I’ll argue for them!

                                                                                                                              All the best,

                                                                                                                              -HG

                                                                                                                          2. 1

                                                                                                                            There are a plenty of free website hosting services that don’t have ads.

                                                                                                                        2. 4

                                                                                                                          turning this feature off will actually make advertisers who support it fall back to actually privacy invading techniques.

                                                                                                                          It’s hard to imagine anyone in the target audience for this web site who doesn’t already have ublock origin installed. If you block this, they might attempt to fall back to a worse alternative, but the worse alternative will also be blocked, so who cares?

                                                                                                                          (That said, it would be better if the site had a note mentioning ublock origin instead of just leaving it implied.)

                                                                                                                          1. 2

                                                                                                                            adblockers should defeat anything advertisers could do.

                                                                                                                        3. 4

                                                                                                                          Sure.. But why make this more convoluted than it should be?

                                                                                                                          What I think people would appreciate from a site spreading awareness about the flag would be if it:

                                                                                                                          • link to the article. link to Mozilla announcement.
                                                                                                                          • briefly explained the flag (like you did with your comment).
                                                                                                                          • told user to go to about:config to change the flag
                                                                                                                          • “here’s a shell one-liner that will do it for you”

                                                                                                                          The first thing the page asks me to do is run curl|sh…

                                                                                                                          1. 3

                                                                                                                            Note that somebody with multiple Firefox profiles will need to decide which of those get the patch applied.

                                                                                                                            Much of the complexity of the command is to find which directory contains the default-profile user.js file, other profiles are untouched.
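The comment above explains that the hard part of the one-liner is picking the default profile's user.js and leaving the other profiles alone. The following is an added example written for this page, not the site's script or any Mozilla code: it parses profiles.ini the way Firefox records defaults (a per-install `[Install*]` section's `Default=` path in Firefox 67+, falling back to the legacy `Default=1` profile entry), then writes a single `user_pref()` line into that profile's user.js without duplicating it on a second run. The pref name `example.pref.name` is a placeholder, because the page never states which about:config flag the site flips; the profiles.ini contents in `demo()` are constructed for the example.

```python
import configparser
import json
import tempfile
from pathlib import Path


def default_profile_dir(root: Path) -> Path:
    """Resolve the one profile Firefox treats as default; other profiles are untouched.

    `root` is the directory holding profiles.ini (~/.mozilla/firefox on Linux,
    ~/Library/Application Support/Firefox on macOS, %APPDATA%\\Mozilla\\Firefox on Windows).
    """
    ini = configparser.RawConfigParser()
    ini.optionxform = str  # keep key case ("Path", "Default") as written
    ini.read(root / "profiles.ini", encoding="utf-8")
    profiles = [ini[s] for s in ini.sections() if s.startswith("Profile")]
    installs = [ini[s] for s in ini.sections() if s.startswith("Install")]

    chosen = None
    if installs and installs[0].get("Default"):
        chosen = installs[0]["Default"]          # Firefox 67+: per-installation default
    else:
        marked = [p for p in profiles if p.get("Default") == "1"]
        if marked:
            chosen = marked[0]["Path"]           # legacy layout: Default=1 on the profile
        elif len(profiles) == 1:
            chosen = profiles[0]["Path"]
    if chosen is None:
        raise LookupError("profiles.ini records no default profile")

    # The install default reuses the profile's Path string; IsRelative lives on the profile.
    relative = "1"
    for p in profiles:
        if p.get("Path") == chosen:
            relative = p.get("IsRelative", "1")
            break
    return root / chosen if relative == "1" else Path(chosen)


def set_user_pref(profile_dir: Path, name: str, value) -> str:
    """Idempotently set one user_pref() line in user.js and return that line.

    An existing line for the same pref is replaced, so re-running never stacks duplicates.
    """
    if isinstance(value, bool):
        literal = "true" if value else "false"
    elif isinstance(value, int):
        literal = str(value)
    else:
        literal = json.dumps(str(value))
    line = f'user_pref("{name}", {literal});'
    marker = f'user_pref("{name}",'

    user_js = profile_dir / "user.js"
    kept = []
    if user_js.exists():
        kept = [ln for ln in user_js.read_text(encoding="utf-8").splitlines()
                if not ln.strip().startswith(marker)]
    kept.append(line)
    profile_dir.mkdir(parents=True, exist_ok=True)
    user_js.write_text("\n".join(kept) + "\n", encoding="utf-8")
    return line


def demo() -> dict:
    """Run against a constructed profiles.ini (two profiles plus an install default)."""
    root = Path(tempfile.mkdtemp())
    (root / "profiles.ini").write_text(
        "[Install4F96D1932A9F858E]\nDefault=Profiles/abcd1234.default-release\nLocked=1\n\n"
        "[Profile1]\nName=default\nIsRelative=1\nPath=Profiles/wxyz5678.default\nDefault=1\n\n"
        "[Profile0]\nName=default-release\nIsRelative=1\nPath=Profiles/abcd1234.default-release\n\n"
        "[General]\nStartWithLastProfile=1\nVersion=2\n",
        encoding="utf-8",
    )
    target = default_profile_dir(root)
    set_user_pref(target, "example.pref.name", True)           # first run
    line = set_user_pref(target, "example.pref.name", False)   # second run replaces the line
    return {
        "profile": target.name,
        "line": line,
        "user_js": (target / "user.js").read_text(encoding="utf-8"),
        "other_untouched": not (root / "Profiles" / "wxyz5678.default").exists(),
    }
```

Note that the install-scoped `Default=` wins over the older `Default=1` marker, which is the case a naive grep for `Default=1` gets wrong on any Firefox from the last several years. Running this against a live profile directory means calling `default_profile_dir(Path.home() / ".mozilla" / "firefox")` (or the per-OS equivalent) and passing the real pref name; the user.js change takes effect on the next Firefox start.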

                                                                                                                            1. 3

                                                                                                                              About the allegedly-anonymized part, have a look at https://datatracker.ietf.org/doc/draft-ietf-ppm-dap/ and https://datatracker.ietf.org/doc/draft-irtf-cfrg-vdaf/ (If you’re interested in internet standards and secure multi-party computation.)

                                                                                                                          2. 75

                                                                                                                            I am someone that doesn’t comply with the RTO policy of my company for much the same reasons OP mentions.

                                                                                                                            However I didn’t quit on the spot, I will not give them that satisfaction. I am currently very close to having final action taken against me by the company because of it, and frankly I welcome it. Probably I will take them to court and see what comes out of that. I’m committed to making this as difficult as possible for them and I’m willing to pay out of pocket for the privilege.

                                                                                                                            1. 30

                                                                                                                              Please let us know how this story ends.

                                                                                                                              1. 10

                                                                                                                                Was your employment agreement prior to the RTO policy such that you expected it would be remote indefinitely?

                                                                                                                                If not, this seems rather spiteful. I love being able to work in the environment that best suits me, but if your employer/team/etc chooses either in person or remote work, I think it’s valuable to be a team player, especially if the alternative is a worse hybrid world.

                                                                                                                                My last employer was fully remote and I wanted to be in person much of the time. I find it to be very useful for certain things like collaboration. But playing with the team’s wants as a whole and adjusting communication style appropriately is more important than individual wants if one wants to stay employed.

                                                                                                                                1. 23

                                                                                                                                  I think it’s valuable to be a team player, especially if the alternative is a worse hybrid world

                                                                                                                                  If being a “team player” means giving in to what a manager decided is good for the team, then I’d say the alternative is actually a better world.

                                                                                                                                  1. 31

                                                                                                                                    Spiteful yes. Deservedly so, fuck yes.

                                                                                                                                    I got hired at the start of Corona, so for the past years I was never required to be in the office, even though it was never explicitly put into writing. My team, and the company itself had its largest numbers while everyone was remote. And that’s the reason why I’m being petty. I realized I enjoy being remote a lot, and all the weasel words managers use for RTO are just a disguised lay off.

                                                                                                                                    I would be fine being let go, but at least have the decency to call that what it is, and pay the people the severance their tenures earned them.

                                                                                                                                    And yes, I fully support people like you that enjoy being in the office being in the office, but fuck you if you imagine that your enjoyment requires my discomfort just in order to be a “team player”.

                                                                                                                                  2. 1

                                                                                                                                    Probably I will take them to court and see what comes out of that.

                                                                                                                                    If you’re openly defying your employer’s orders, do you expect what comes out of that to be anything other than your being left to pay millions of $money_unit in lawyers’ fees?

                                                                                                                                    1. 3

                                                                                                                                      Lol. It’s not going to be millions. Even if I lose the most I’ll pay is my lawyer’s and the court’s fees. This is a civilized country.

                                                                                                                                      And “publicly defying your employer’s ‘orders’” is usually called a strike. And I’m not even doing that because I continue to do my job to the best of my abilities.

                                                                                                                                      1. 2

                                                                                                                                        Why would you need to pay a lawyer to get fired? I mean that’s literally the most severe recourse your employer has available.

                                                                                                                                    2. 0

                                                                                                                                      not using Ubuntu would be a hard fail on the Canonical interview process.

                                                                                                                                      1. 4

                                                                                                                                        When the visibility timeout expires, the system will assume the worker has died, and will redeliver the message to another worker.

                                                                                                                                        One can have very fun bugs this way.

                                                                                                                                        1. 6

                                                                                                                                          yes. you have to design your app for it. SQS was designed with eventual consistency in mind.

                                                                                                                                          1. 1

                                                                                                                                            In my experience messaging platforms work in one of three ways:

                                                                                                                                            • “At least once delivery”
                                                                                                                                            • “At most once delivery”
                                                                                                                                            • “Exactly once”

                                                                                                                                            When building systems that communicate via messaging, eventual consistency becomes the trade off. This is why building these systems with idempotency is crucial.

                                                                                                                                            1. 3

                                                                                                                                              I thought that no distributed system could really guarantee exactly once delivery?

                                                                                                                                              1. 9

                                                                                                                                                A message broker itself cannot guarantee exactly once delivery. A system can achieve exactly once, but it is complex and almost no system does it correctly.

                                                                                                                                                See https://exactly-once.github.io/posts/exactly-once-delivery/

                                                                                                                                                1. 3

                                                                                                                                                  It’s possible if and only if the whole system/chain supports idempotency.

                                                                                                                                                  Take emails for example. There is no support for idempotency in the protocol (to my knowledge) so even if you can guarantee that your system attempts to send the email exactly once, there is no guarantee that it will reach the user exactly once.

                                                                                                                                                  1. 2

                                                                                                                                                    You could, but the nodes can’t operate independently of each other, thus impacting throughput. They would have to form a quorum, and a node must suspend operation if it became partitioned.

                                                                                                                                                      1. 1

                                                                                                                                                        If you work very carefully within certain boundaries, yep.

                                                                                                                                                  2. 1

                                                                                                                                                    Right, but there are trade-offs with any approach.

                                                                                                                                                    The queue has no way to determine if the Worker is dead or just late in delivering an ACK. So a reasonable approach is to timeout and make the message available again. “At least once delivery” is how most of these queue solutions work I have found. And in that pattern it’s on the Worker to determine whether this message they are processing should be processed if it has already been seen, especially if the action is not idempotent.

                                                                                                                                                    The alternative (within the same at-least-once pattern) would be for the worker to resolve the issue and govern the message visibility, but then that breaks if the Worker dies during processing.

                                                                                                                                                    This queue pattern is like half of the solution, it works but there is still some responsibility on the Worker to not just blindly process a message if a duplicated message would cause an issue.
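The subthread above describes the visibility-timeout contract (a message received but not acked before the timeout is redelivered, because the queue cannot distinguish a dead worker from a slow one) and concludes that the worker has to be idempotent. The following is an added example written for this page, not anyone's production code and not the SQS SDK: a small in-memory queue with the same semantics, run once with a worker that blindly applies a side effect and once with a worker that dedupes on a producer-chosen idempotency key. The message body, the `charge:order-42` key and the tick-based clock are constructed for the example; `receive_count` stands in for what SQS reports as ApproximateReceiveCount.

```python
import uuid
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Message:
    message_id: str
    body: dict
    receive_count: int = 0  # how many times this message has been handed to a worker


class VisibilityQueue:
    """At-least-once queue with a visibility timeout.

    receive() hides the message for `visibility` ticks; unless delete() (the ack)
    arrives before that, the message becomes visible again and is redelivered.
    """

    def __init__(self, visibility: int):
        self.visibility = visibility
        self.clock = 0
        self._messages: Dict[str, Message] = {}
        self._visible_at: Dict[str, int] = {}

    def send(self, body: dict) -> str:
        msg = Message(str(uuid.uuid4()), body)
        self._messages[msg.message_id] = msg
        self._visible_at[msg.message_id] = self.clock
        return msg.message_id

    def receive(self) -> Optional[Message]:
        for mid, msg in self._messages.items():
            if self._visible_at[mid] <= self.clock:
                msg.receive_count += 1
                self._visible_at[mid] = self.clock + self.visibility
                return msg
        return None

    def delete(self, message_id: str) -> None:
        self._messages.pop(message_id, None)
        self._visible_at.pop(message_id, None)

    def tick(self, seconds: int) -> None:
        self.clock += seconds


Handler = Callable[[Message, List[int], Set[str]], None]


def charge_naive(msg: Message, ledger: List[int], seen: Set[str]) -> None:
    """Applies the side effect every time the message arrives."""
    ledger.append(msg.body["order_id"])


def charge_idempotent(msg: Message, ledger: List[int], seen: Set[str]) -> None:
    """Dedupes on a key the producer chose, so redeliveries and producer retries collapse.

    In a real service the `seen` insert and the side effect must commit in one
    transaction; a crash between them reopens exactly the hole being closed here.
    """
    key = msg.body["idempotency_key"]
    if key in seen:
        return                      # already applied: fall through to the ack
    ledger.append(msg.body["order_id"])
    seen.add(key)


def run(handler: Handler) -> dict:
    """Worker 1 processes the message, then dies before acking; worker 2 gets the redelivery."""
    q = VisibilityQueue(visibility=30)
    ledger: List[int] = []
    seen: Set[str] = set()
    q.send({"order_id": 42, "idempotency_key": "charge:order-42"})  # constructed input

    first = q.receive()
    handler(first, ledger, seen)
    hidden = q.receive() is None       # in flight: invisible to any other worker
    # worker 1 crashes here, so q.delete(first.message_id) never runs

    q.tick(31)                         # visibility timeout expires
    second = q.receive()               # the same message comes back
    handler(second, ledger, seen)
    q.delete(second.message_id)        # ack only once the work is durable
    return {
        "ledger": ledger,
        "hidden_while_in_flight": hidden,
        "receive_count": second.receive_count,
        "drained": q.receive() is None,
    }
```

`run(charge_naive)` charges order 42 twice; `run(charge_idempotent)` charges it once and still acks the redelivery, which is the behaviour the comment calls for. Keying the dedupe on something the producer controls rather than on the queue's message id matters: a producer that retries its own send creates two distinct message ids for one logical order, and only the producer-chosen key collapses those.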

                                                                                                                                                  3. 6

                                                                                                                                                    There’s an open PR adding Steel Scheme as configuration/plugin language that I’ve been following recently. It’s not quite done yet but I’m really looking forward to it! I’m not particularly a fan of having a massive editor config but I really want to use that file tree plugin from the PR description and I’d definitely be adding a few utility commands to do stuff like creating a new file in the current buffer’s directory. A git plugin would be really cool to have as well.

                                                                                                                                                    1. 2

                                                                                                                                                      When this lands I will probably say goodbye to Neovim.

                                                                                                                                                    2. 25

                                                                                                                                                      This is insane. It shows how vulnerable monocultures are.

                                                                                                                                                      But this is not (directly) a Microsoft issue. According to The Guardian, some company named CrowdStrike is involved here. They’re a self-described “AI native platform”, so who knows what kind of AI fuckup is involved here.

                                                                                                                                                      1. 38

                                                                                                                                                        Crowdstrike is an enterprise surveillance malware company.

                                                                                                                                                        I wouldn’t work at a place that uses something like that, but from friends that do I’ve not heard good things about it. At least one of them has managed to run it in a virtualised and resource constrained environment though without his employer noticing (so that it can’t go and extract confidential data, or hog resources).

                                                                                                                                                        1. 7

                                                                                                                                                          It is actually pretty good at catching malware. So that is the other side of it. Is it shitty intrusive software? Yes. But it also serves a purpose.

                                                                                                                                                          You can disable it or mess with it if your company laptop is not completely locked down. But then what? If you are hit by some malware because of you and the company is now subject to paying ransomware .. is that a situation you want to be in?

                                                                                                                                                          I hate fear based infosec education but unfortunately that is a world we live in now. Constant malware attacks and security issues. Whether you are on Windows, macOS or Linux. This crap is not just a compliance checkbox.

                                                                                                                                                          1. 17

                                                                                                                                                            If you are hit by some malware because of you and the company is now subject to paying ransomware .. is that a situation you want to be in?

                                                                                                                                                            The real question that too few people seem to be asking here is: Why is a random employee’s laptop able to ransomware the entire company?

                                                                                                                                                            If one laptop gets compromised by malware and as a consequence your entire org is infected, the fault lies squarely with whoever set that system up in the first place, not with that one employee.

                                                                                                                                                            1. 5

                                                                                                                                                              If you deliberately sabotage protection against malware then I think your company is probably not going to be very happy with you.

                                                                                                                                                              But yes, you are right of course. Why do we build such security-fragile services?

                                                                                                                                                              Think how far reaching this is though and what the complexities are .. suppose I gain root on my laptop .. what I will instantly get is:

                                                                                                                                                              control over the browser. including signed in services like slack, github, google workspace, aws.

                                                                                                                                                              control over files on your machine including dot files, shell history, scripts, etc. hope you don’t have plain text passwords in any of those. or api keys? or tokens? or any kind of credentials that can be a step towards full pwnage.

                                                                                                                                                              control over user input which means I can capture anything you type, including your 1password or keychain (macOS) password. and then from there take things out of it. copy and paste can go straight to a control server. hope you don’t copy/paste credentials.

                                                                                                                                                              control your ssh agent and possibly connect to all the machines you have allowed public key auth on.

                                                                                                                                                              control your network. once you are vpn’ed into your corp or production network i can connect to resources there.

                                                                                                                                                              the list goes on and on.

                                                                                                                                                              you need an extremely strict security policy and a company willing to give up a lot of flexibility/agility to get this under control.

                                                                                                                                                              why do we allow a single laptop to be the entry point for company wide malware / takeover you ask? :-)

                                                                                                                                                              1. 3

                                                                                                                                                                Because executives don’t know about POLA and refuse to take security seriously.

                                                                                                                                                                1. 3

                                                                                                                                                                  Executives can do all they want, but those who report to them can still circumvent controls for their own convenience.

                                                                                                                                                                  1. 2

                                                                                                                                                                    Ahhhh so while I don’t necessarily disagree with you, there are also costs associated with that which sometimes are worth paying and sometimes not.

                                                                                                                                                                    1. 2

                                                                                                                                                                      The capability-security world has been aware the entire time that the cost is high: we’re asking the world to rewrite most of its software and processes. However, as you’re seeing this weekend, the cost of not doing it is much higher.

                                                                                                                                                                      1. 3

                                                                                                                                                                        as you’re seeing this weekend, the cost of not doing it is much higher.

                                                                                                                                                                        Without making an object level point about whether capability based security is worth the cost or not, you’re comparing one unestimated cost against another unestimated cost as if the comparison is self-evident.

                                                                                                                                                                        1. 2

                                                                                                                                                                          You’re right, it’s not self-evident. How many machines needed to be bricked in order to write e.g. seL4? Probably a nonzero number, probably less than one hundred. This is a Fermi estimate but it seems reasonable to suggest that the cost of rewriting an entire operating system to be capability-safe is less than the cost of recovering from the CrowdStrike disaster, currently estimated at 8.5 million machines bricked. You can pick the standard metrics instead, like billions of dollars spent or labor-hours required, without changing the conclusion.

                                                                                                                                                                          1. 1

                                                                                                                                                                            From what I read, 8.5 million machines were affected–temporarily blue screened, not bricked, which would be irrecoverably affected. 8.5 million bricked machines would certainly be more impactful.

                                                                                                                                                                            Beyond that, I think the relevant cost is not the cost of creating a capability safe mini-kernel. That is the minimum fixed cost, but then there is the incremental cost of building an ecosystem that supports the various use cases that people currently use Windows or Linux for, and then the marginal costs of either migrating existing systems or replacing them with new systems. There may also be other benefits to migrating away from Windows, or even Linux.

                                                                                                                                                                            It’s also true that you start getting benefits without doing a full migration (imagine a world where CrowdStrike hit 4 million machines, because many things had moved away from Windows but not all. Presumably the impact is lessened, but still real). So all in all, it’s still a very complex cost-benefit equation.

                                                                                                                                                                        2. 1

                                                                                                                                                                          I’m not, so far, convinced that the cost of not doing it is actually more expensive than the cost of doing it. You’re right that there’s a significant cost to rewriting all of the software and processes. The other cost, though, is the perpetual opex and friction: if you’re going to strictly limit what each user has access to, someone needs to be managing those ACLs continuously or there’s going to be shadow IT popping up with less friction. That or there’s going to be ACLs that are applied so broadly that they don’t serve their intended purpose anyway.

                                                                                                                                                                          1. 1

                                                                                                                                                                            That’s the Equivalence Myth from Capability Myths Demolished. The hope was to write something closer to a smart contract than a flowchart of ACLs. Smart contracts suck too, but they’re better than a static matrix which continually lags behind the actual delegation of responsibilities, because dynamic delegation of capabilities can still be confined. (See also the Confinement Myth, same paper.)

                                                                                                                                                                  2. 4

                                                                                                                                                                    Okay, but the person installing CS probably isn’t the one who made security decisions for the company on day 0. We’re all just trying to play catch up with the tools available to us.

                                                                                                                                                                2. 1

                                                                                                                                                                  Yeah, I’ve done the same in the past, and was actually vindicated when one day a couple of the company laptops were nuked due to their tech support screwing up.

                                                                                                                                                                3. 5

                                                                                                                                                                  fwiw crowdstrike is an enterprise antivirus platform.

                                                                                                                                                                  this seems to say they rolled out a bad patch update: https://www.afr.com/technology/businesses-crippled-by-widespread-it-outage-20240719-p5jv2t

                                                                                                                                                                  1. 1

                                                                                                                                                                    As a crazy idea, we should integrate our systems with a gene-like protection system so that not everyone goes down at the same time when a virus, outage, or whatever attacks them.

                                                                                                                                                                    1. 12

                                                                                                                                                                      Or, y’know, ditch vendors that lack basic operational practices like staged deployments.
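
The staged-deployment practice mentioned above, as an added Python example that is not part of this thread or of any vendor's tooling. The ring sizes, host names and the constructed health check (a bad update takes down every host it lands on) are all assumptions made for the demo; the point is that a 0% failure tolerance on a small canary ring stops a bad update after it has touched two hosts instead of the whole fleet.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Sequence


@dataclass(frozen=True)
class Ring:
    """One rollout ring: a named group of hosts updated together."""
    name: str
    hosts: tuple


@dataclass(frozen=True)
class RolloutResult:
    halted_at: Optional[str]   # ring where the rollout stopped, None if it completed
    updated: tuple             # hosts that received the update before the decision
    failure_rate: float        # failure rate observed in the last ring evaluated


def staged_rollout(
    rings: Sequence[Ring],
    apply_update: Callable[[str], None],
    healthy: Callable[[str], bool],
    max_failure_rate: float = 0.0,
) -> RolloutResult:
    """Push an update ring by ring, checking health after each ring.

    The next ring is only started if the failure rate in the current ring is
    within tolerance; otherwise the rollout halts and reports what it touched.
    """
    updated = []
    rate = 0.0
    for ring in rings:
        if not ring.hosts:
            raise ValueError(f"ring {ring.name!r} is empty; every ring needs hosts")
        failures = 0
        for host in ring.hosts:
            apply_update(host)
            updated.append(host)
            if not healthy(host):
                failures += 1
        rate = failures / len(ring.hosts)
        if rate > max_failure_rate:
            # Stop here: nothing in later rings has been touched.
            return RolloutResult(ring.name, tuple(updated), rate)
    return RolloutResult(None, tuple(updated), rate)


def example_fleet() -> tuple:
    """Constructed fleet: a tiny canary ring, an early ring, then everyone else."""
    return (
        Ring("canary", tuple(f"canary-{i}" for i in range(2))),
        Ring("early", tuple(f"early-{i}" for i in range(10))),
        Ring("broad", tuple(f"host-{i}" for i in range(100))),
    )


def simulate(update_is_bad: bool, max_failure_rate: float = 0.0) -> RolloutResult:
    """Drive the rollout with the constructed fleet and a constructed health check."""
    updated_hosts = set()

    def apply_update(host: str) -> None:
        updated_hosts.add(host)

    def healthy(host: str) -> bool:
        # Assumption for the demo: a bad update blue-screens every host it lands on.
        return not (update_is_bad and host in updated_hosts)

    return staged_rollout(example_fleet(), apply_update, healthy, max_failure_rate)


if __name__ == "__main__":
    bad = simulate(update_is_bad=True)
    print(f"bad update halted at ring {bad.halted_at!r} after {len(bad.updated)} hosts")
    good = simulate(update_is_bad=False)
    print(f"good update reached {len(good.updated)} hosts, halted_at={good.halted_at}")
```

A real controller would add a bake time between rings (so slow-onset failures surface before the next ring starts) and read health from telemetry rather than a callback, but the gating decision itself is this small.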

                                                                                                                                                                      1. 45

                                                                                                                                                                        Try finding an enterprise security company that understands security at all. The principle of least privilege is completely alien to most of them.

                                                                                                                                                                        Around twenty years ago, there was a vulnerability in Norton Antivirus that allowed drive-by downloads to execute arbitrary code with kernel privilege. The problem was that the AV program parsed files that might be malicious with their kernel-mode component. Any bug in a file parser that led to arbitrary-code execution would let you control the kernel completely. In contrast, if the user just ran the program, the impact would be less.

                                                                                                                                                                        This was embarrassing at the time. It is much more embarrassing that, since then, almost(?) every major AV vendor (including Windows Defender!) has had a vulnerability stemming from exactly the same approach. When your ‘fix’ for security is ‘add more C/C++ code that runs with kernel privileges and handles untrusted data’, your opinions on any security-related subject should be discarded.

                                                                                                                                                                        A big chunk of the blame for this lies with the Windows team. The hooks that most AV vendors use are either intercepting system calls (oh, look, it’s 20 years since Robert’s paper about why that is trivial to bypass) or adding NTFS filter drivers that intercept all filesystem operations and scan files on demand. They could have provided a generic mechanism that prevents files from being read or executed until they’ve been scanned by an approved service, which must run with access to that file and nothing else.

                                                                                                                                                                        They continue to encourage ‘security’ vendors to run things in the kernel.
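
The architecture the comment above argues for (parse untrusted file contents in a process that has nothing but those bytes, and gate access on its verdict) as an added Python example that is not part of this thread or of any AV product. The toy container format, the `EICAR-TEST` marker string and the resource caps are assumptions made for the demo; process isolation plus RLIMIT caps is a simplification of what a real design would do (seccomp, a dedicated service account, a chroot or container), but it already shows the property that matters: a parser bug kills the throwaway scanner, not the privileged component.

```python
import struct
import subprocess
import sys

try:
    import resource  # POSIX only; caps the scanner's memory and CPU time
except ImportError:  # pragma: no cover
    resource = None

MAGIC = b"TOYF"  # constructed toy container: magic, big-endian length, payload


def make_file(payload: bytes) -> bytes:
    """Build a well-formed toy file (constructed sample input for the demo)."""
    return MAGIC + struct.pack(">I", len(payload)) + payload


# Source of the scanner process. It sees only the bytes handed to it on stdin:
# no paths, no other file descriptors, no privileges beyond the parent's (which
# should itself be an unprivileged service account).
SCANNER_SRC = r"""
import struct, sys
data = sys.stdin.buffer.read()
if data[:4] != b"TOYF":
    raise ValueError("bad magic")
(length,) = struct.unpack(">I", data[4:8])
payload = data[8:]
if len(payload) != length:
    # A parser bug blowing up here kills only this throwaway process.
    raise ValueError("declared length %d != actual %d" % (length, len(payload)))
sys.stdout.write("malicious" if b"EICAR-TEST" in payload else "clean")
"""


def _limit_scanner() -> None:
    """Runs in the child between fork and exec: cap address space and CPU time."""
    cap = 512 * 1024 * 1024
    _, hard = resource.getrlimit(resource.RLIMIT_AS)
    if hard != resource.RLIM_INFINITY:
        cap = min(cap, hard)
    resource.setrlimit(resource.RLIMIT_AS, (cap, cap))
    resource.setrlimit(resource.RLIMIT_CPU, (5, 5))


def scan_in_sandbox(file_bytes: bytes) -> str:
    """Return 'clean', 'malicious' or 'scanner-failed'; never raises on bad input."""
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", SCANNER_SRC],  # -I: isolated interpreter
            input=file_bytes,
            capture_output=True,
            close_fds=True,  # the scanner inherits nothing but stdin/stdout/stderr
            preexec_fn=_limit_scanner if resource is not None else None,
            timeout=10,
        )
    except subprocess.TimeoutExpired:
        return "scanner-failed"
    if proc.returncode != 0:
        # Crash or exception in the scanner: fail closed, the file stays blocked.
        return "scanner-failed"
    return proc.stdout.decode("ascii", "replace")


def may_open(verdict: str) -> bool:
    """Gate policy: a file becomes readable only after an unprivileged scan says 'clean'."""
    return verdict == "clean"


if __name__ == "__main__":
    samples = {
        "benign": make_file(b"hello world"),
        "marker": make_file(b"xx EICAR-TEST xx"),
        "truncated": MAGIC + b"\x00\x00\x00\x10" + b"short",
    }
    for name, blob in samples.items():
        verdict = scan_in_sandbox(blob)
        print(f"{name:10s} -> {verdict:15s} open allowed: {may_open(verdict)}")
```

The truncated sample is the interesting case: the scanner raises, the child exits non-zero, and the gate treats that as a block rather than a pass. In a kernel-mode parser the same bug would have been a kernel crash or a kernel-privilege code-execution path.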

                                                                                                                                                                        1. 8

                                                                                                                                                                          Yeah, it really is that bad. And not just antivirus, network security appliances make the exact same type of mistake:

                                                                                                                                                                          The usual setup is to have a physical box (firewall, VPN gateway, email gateway etc.) on the very perimeter of your network that handles untrusted internet traffic and filters it. The bad part: Many deployments do, and vendors encourage, give these boxes access to Active Directory, usually with admin privileges. As a consequence, your “first line of defense” is also your very last.

                                                                                                                                                                          And of course these appliances all run ancient versions of Linux and other critical components and are filled with just the worst C++, PHP and Perl that the vendor was able to churn out.

                                                                                                                                                                  2. 37

                                                                                                                                                                    Why would you name your project after someone who killed millions of people?

                                                                                                                                                                    1. 16

                                                                                                                                                                      Due to the WW2 alliance Stalin oddly isn’t demonized nearly as much as he deserves in the US.

                                                                                                                                                                      1. 10

                                                                                                                                                                        He’s not even demonized in the country where many of his victims died.

                                                                                                                                                                        1. 1

                                                                                                                                                                          People weirdly applaud him for defeating the Nazis.

                                                                                                                                                                        2. 20

                                                                                                                                                                          Exquisite example of academic hypocrisy: imagine the reaction if it were named after a certain other mid-20th-century dictator…

                                                                                                                                                                          1. 2

                                                                                                                                                                            Not just academic hypocrisy — https://lobste.rs/s/lqf39p/autodafe_1_0_released_for_freeing , posted a couple of weeks ago, has as the top comment someone arguing that the name makes that project anathema to them since it references the Spanish Inquisition, which was too evil to justify association.

                                                                                                                                                                            Stalin was of course a brutal dictator who ruled at a time when the world was full of brutal dictators at war with each other, but I’d rather have more whimsical names of pieces of software than less, and one person’s whimsical is another person’s heretical.

                                                                                                                                                                            1. 7

                                                                                                                                                                              Yeahhhhhhh … I don’t think it’d be considered “whimsy” if it were Hitler or Mao.

                                                                                                                                                                              1. 7

                                                                                                                                                                                I believe this aligns with what @Student has mentioned in this thread: Stalin is not regarded as evil as Hitler or Mao in the US, although I think that he should be. Meanwhile, individuals in the US were forking projects like ‘Rubocop’ due to the term ‘cop’ becoming sensitive in the wake of the George Floyd case, which led to a general disfavor towards the police. I guess for US “Stalin” is whimsy, and “cop” was heretical (as well as the “master” branch).

                                                                                                                                                                                1. 3

                                                                                                                                                                                  This is a pretty bizarre false equivalence. What’s the connection between people being upset about the naming of a tool for a mainstream programming language and a 14 year old niche Scheme compiler?

                                                                                                                                                                            2. -1

                                                                                                                                                                              Or the other guy who killed millions in his country’s main colony, or the other guy who killed millions in a fully independent country to prevent it from unifying.

                                                                                                                                                                            3. 4

                                                                                                                                                                              the (obvious) reason that they named it after stalin is that it is a joke. so basically they thought the ‘pun’ that the compiler is ruthless in a similar way to stalin was funny.

                                                                                                                                                                              naming it stalin is not an endorsement of the actions of that historical figure in any way.