I do like them, but at the same time why do I have to encrypt my recipe site? I would like the option in my browser to not warn about sites that don’t use TLS. Or at least to be presented with an option? Oh, this is a reference recipe site. Would you like not to use encryption? Encryption is such a PITA for simple things. I do think that sites that accept credentials always need to be encrypted, but why go through the hassle for things that are public? I am very thankful to Let’s Encrypt and the Caddy web server for making certificates a non-issue, but at the same time I kind of get tired of “oh no, it’s not encrypted properly” warnings, which everyone will ignore anyway.
Back in ~2012 users of our startup’s iPhone app complained that it crashed when they were on the London Underground (I think, I may be misremembering the details).
It turned out the WiFi down there was modifying HTML pages served over HTTP, and our app loaded HTML pages that included comments with additional instructions for how the app should treat the retrieved page… and those comments were being stripped out!
We fixed the bug by switching to serving those pages over HTTPS instead. I’ve used HTTPS for everything I’ve built since then.
I can sort of understand that since bandwidth was a premium in 2012, so if they could remove as many bytes from the payload as possible, then they increase their network bandwidth overall. Still surprising, but I could at least rationalize it.
No matter how much bandwidth you (an ISP) have, there are always schemes which promise to reduce your usage and thus improve the end-user experience – or invade their experience and make you money.
(Some of those schemes actually work. CDNs, for example.)
Interesting. I wonder if my memory is just off. NYC had really bad internet back then, as I recall, because our infrastructure is buried and expensive to upgrade. But I could swear we had like 100Mbps.
It’s not just ISPs, it’s any malicious actor, such as the operator of the wireless access point you’ve connected to (which may not be the person you think it is). You have a choice of either protecting visitors to your site from trivial interception and tampering or leaving them vulnerable. No one is forcing you to choose either way.
I originally chose to not enable TLS for our game’s asset CDN because checking certs on arbitrary Linux distros is ~unsolvable and we have our own manifest signing so we don’t need TLS’s security guarantees anyway, then we found some ISPs with broken caching that would serve the wrong file for a given URL, so I enabled it and disabled cert verification in the Linux client instead.
ISPs don’t even have to be malicious, just crappy…
It’s sort of self-explanatory. Confidentiality and Integrity.
I know that I’m getting exactly the recipe that you are serving from your site.
I know that no one else can see which recipe I’m cooking.
I know that no one can inject ads, malicious code, tracking, malicious/abusive images, etc.
If you aren’t willing to give those two things to your users I’m really convinced that you just aren’t in a position to host. Recipe site or not, we all have basic obligations. If you can’t meet them, that’s okay, you don’t have to host a website.
HTTPS leaks a lot less metadata than HTTP. With HTTP, you can see the full URL of the request. With HTTPS, you can see only the IP address. There’s a huge difference between knowing that I visited Wikipedia and that I read a specific Wikipedia page (the latter may be possible to determine based on the size of the response, but that’s harder). With SNI, the IP address may be shared by hundreds of domains and so a passive adversary doesn’t even see the specific host, let alone the specific page.
Usually SNI is sent in the clear, because the server needs to know the server name to be able to choose the right cert to present to the client, and it would require an extra round trip to do key exchange before certificate exchange.
There’s ongoing work on encrypted SNI (ESNI) but it requires complicated machinery to establish a pre-shared key; it only provides meaningful protection for mass virtual hosters (ugly push to centralize); and it’s of limited benefit without encrypted DNS (another hump on the camel).
Thanks, SNI does not work how I thought it worked. I assumed there was an initial unauthenticated key exchange and then the negotiated key was signed with the cert that the client said it wanted. I believe QUIC works this way, but I might be wrong there as well.
QUIC illustrated shows that the initial packet is encrypted with keys derived from a nonce that is sent in the clear in the initial packet; inside the wrapper is a TLS/1.3 client hello.
I suppose this makes sense in that QUIC is designed to always encrypt, and it’s harder to accidentally send a cleartext packet if there aren’t any special cases that need cleartext. RFC 9000 says, “This protection does not provide confidentiality or integrity against attackers that can observe packets, but it does prevent attackers that cannot observe packets from spoofing Initial packets.”
Looking at today’s instant messaging solutions, I think IRC is very underrated. The functionality of clients for IRC made years ago still surpasses what “modern” protocols like Matrix have to offer. I think re-adoption of IRC is very much possible only by introducing a good UI, nothing more.
About a year ago I moved my family/friends chat network to IRC. Thanks to modern clients like Goguma and Gamja and the v3 chathistory support and other features of Ergo this gives a nice modern feeling chat experience even without a bouncer. All of my users other than myself are at basic computer literacy level, they can muddle along with mobile and web apps not much more. So it’s definitely possible.
I went this route because I wanted something that I can fully own, understand and debug if needed.
You could bolt-on E2EE, but decentralization is missing—you have to create accounts on that server. Built for the ’10s, XMPP + MUCs can do these things without the storage & resource bloat of Matrix + eventual consistency. That said, for a lot of communities IRC is a serviceable, lightweight, accessible solution that I agree is underrated for text chat (even if client adoption of IRCv3 is still not where one might expect relative to server adoption)—& I would 100% rather see it over some Slack/Telegram/Discord chatroom exclusivity.
I dunno. The collapse of Freenode 3 years ago showed that a lot of the accounts there were either inactive or bots (because the number of accounts on Libera after the migration was significantly lower). I don’t see any newer software projects using IRC (a depressingly large number of them still point to Freenode, which just reinforces my point).
I like IRC and I still use it but it’s not a growth area.
There’s an ongoing effort to modernize IRC with https://ircv3.net. I would agree that most of these evolutions are just IRC catching up with features of modern chat platforms.
Calling IRCv3 an “ongoing effort” is technically correct, but it’s been ongoing for around 8 to 9 years at this point and barely anything came out of it - and definitely nothing groundbreaking that IRC would need to catch up to the current times (e.g. message history).
The collapse of Freenode 3 years ago showed that a lot of the accounts there were either inactive or bots (because the number of accounts on Libera after the migration was significantly lower).
I don’t know if that’s really the right conclusion. A bunch of communities that were on Freenode never moved to Libera because they migrated to XMPP, Slack, Matrix, Discord, OFTC, and many more alternatives. I went from being on about 20 channels on Freenode to about 5 on Libera right after Freenode’s death, and today that number is closer to 1 (which I’m accessing via a Matrix bridge…).
I guess it just depends what channels you were in; every single one I was using at the time made the jump from Freenode to Libera, tho there were a couple that had already moved off to Slack several years earlier.
It’s “opt-in” in the sense that if you send an OTR message to someone without a plugin, they see garbage, yes. OTR is the predecessor to “signal” and back then (assuming you meant “chats” above), E2EE meant “one-to-one”: https://en.wikipedia.org/wiki/Off-the-record_messaging – but it does support end-to-end encrypted messages, and from my memory of using it on AIM in the zeros, it was pretty easy to set up and use. (At one point, we quietly added support to the hiptop, for example.)
Someone could probably write a modern double-ratchet replacement, using the same transport concepts as OTR, but I bet the people interested in working on that are more interested in implementing some form of RFC 9420 these days.
Seems like it’s based on tracking which Signals are accessed when a given Signal is evaluated:
Computed Signals work by automatically tracking which other Signals are read during their evaluation. When a computed is read, it checks whether any of its previously recorded dependencies have changed, and re-evaluates itself if so. When multiple computed Signals are nested, all of the attribution of the tracking goes to the innermost one.
I feel like I’m taking crazy pills whenever I read one of these articles. Copilot saves me so much time on a daily basis. It just automates so much boilerplate away: tests, documentation, switch statements, etc. Yes, it gets things wrong occasionally, but on balance it saves way more time than it costs.
Comments like this always make me wonder: How much boilerplate are you writing and why? I generally see boilerplate as a thing that happens when you’ve built the wrong abstractions. If every user of a framework is writing small variations on the same code, that doesn’t tell me they should all use an LLM to fill in the boilerplate, it tells me that we want some helper APIs that take only the things that differ between the users as arguments.
“It should be noted that no ethically-trained software engineer would ever consent to write a DestroyBaghdad procedure. Basic professional ethics would instead require him to write a DestroyCity procedure, to which Baghdad could be given as a parameter.” — Nathaniel Borenstein
What on earth are you talking about? How could “tests, documentation, and switch statements” possibly be a questionable example? They’re the perfect use-case for automated AI completion.
I’ve found it useful when I want to copy an existing test and tweak it slightly. Sure, maybe I could DRY the tests and extract out common behavior but if the test is only 10 LoC I find that it’s easier to read the tests without extracting stuff to helpers or shared setup.
That was one of the places where Copilot significantly reduces the amount I type relative to writing it entirely, but I found it was only a marginal speedup relative to copying and pasting the previous test and tweaking. It got things wrong enough that I had to carefully read the output and make almost as many changes as if I’d copied and pasted.
IME the cumulative marginal savings from each place it was helpful was far, far, far outweighed by one particular test where it used fail instead of error for a method name and it took me a distressingly long time to spot.
I think I’ve only wasted a cumulative five minutes of debugging test failures caused by Copilot writing almost the right test, but I’m not sure I could claim that it’s actually saved me more than five minutes of typing.
I think the general answer is “a lot”. Once you have a big codebase and several developers the simplicity you get from NOT building abstractions is often a good thing. Same as not DRYing too much and not making too many small functions to simplify code flow and local changes. Easy to maintain code is mostly simple and reducing “boilerplate” while great in theory always means macros or metaprogramming or some other complicated thing in practice.
I don’t think you are taking crazy pills! Copilot could totally be saving you time. That’s why I prefaced by saying the kind of project I use Copilot with is atypical.
But I also want to say, I once believed Copilot was saving me time too, until I lost access to it and had some time to compare and reflect.
I’ve used Copilot for a while and don’t use it anymore. In the end, I found that most boilerplate can better be solved with snippets and awk scripts, as they are more consistent. For example, to generate types from SQL, I have an AWK script that does it for me.
For lookup, I invested in good offline docs that I can grep, that way I can be sure I’m not trusting hallucinations.
I didn’t think Copilot was useless but my subscription ran out and I don’t really feel like I need to resubscribe, it didn’t add enough.
Same here. One of the biggest ways it helps is by giving me more positive momentum. Copilot keeps me thinking forward, offers me an idea of a next step to either accept, adjust, or reject, and in effectively looking up the names and structure of other things (like normal IDE autocomplete but boosted) it keeps me from getting distracted and overfocusing on details.
It does help though that I use (somewhat deliberately) pretty normal mainstream stacks.
Ditto. Especially the portion of the article that mentions it being unpredictable. Maybe my usage is biased because I mostly write python and use mainstream libraries, but I feel like I have a very good intuition for what it’s going to be smart enough to complete. It’s also made me realize how uninteresting and rote a lot of code tends to be on a per-function basis.
If you are trying to prescribe something new for front-end web but your demo is riddled with questionable practices, there’s irony folks can’t help but point out. …Like pitching a new restaurant with the musk of rotten food as you open the door, why trust this establishment?
I had a tangential question if that’s allowed. Has anyone here been using these LLMs and if yes, how have they helped you?
I missed the ChatGPT train because I wasn’t interested. Recently I found out about llamafiles which makes running these easier but the large variety of models and the unintuitive nomenclature dissuaded me. I still wanna try these out and looks like I have enough RAM to run the Mistral-7B.
I have played around with stable diffusion but the slowness due to weak specs and the prompt engineering aspect made me bounce.
I’ve been using LLMs on almost a daily basis for more than a year. I use them for a ton of stuff, but very rarely for generating text that I then copy out and use directly.
Code. I estimate 80% of my LLM usage relates to code in some way - in Python, JavaScript, Bash, SQL, jq, Rust, Go - even AppleScript, see https://til.simonwillison.net/gpt3/chatgpt-applescript - it’s like having a tutorial that can produce exactly the example you need for the problem you are working on, albeit with occasional mistakes
Brainstorming. This one surprised me, because everyone will tell you that LLMs can never come up with a new idea, they just spit out what they’ve been trained on. The trick with brainstorming is to ask for 20 ideas, and to prompt in a way that combines different things. “20 ideas for Datasette plugins relevant to investigative reporting” for example: https://chat.openai.com/share/99aeca01-62c7-4b7c-9878-7ce055738682 - you’ll rarely get an idea that you want to use directly, but some of them may well genuinely spark something interesting
World’s best thesaurus: you will NEVER be unable to find that word that’s on the tip of your tongue ever again.
Entertainment. There are so many weird dystopian games you can play with these things. I recently got ChatGPT to tell me “Incorporating the spirit of Fabergé eggs into your orchestrion project is a brilliant and deeply evocative concept” and I’ve been chuckling about that for days - it’s a consummate “yes man”, so one game is feeding it increasingly ludicrous ideas and watching it breathlessly praise them.
I do most of my work with GPT-4 because it’s still a sizable step ahead of other LLM tools. I love playing with the ones that run on my laptop but I rarely use them for actual work, since they are far more likely to make mistakes or hallucinate than GPT-4 through paid ChatGPT.
Mistral 7B is my current favourite local model - it’s very capable, and I even have a version of it that runs on my iPhone! https://llm.mlc.ai/#ios
Generating simple programs in languages I barely know, like C++ and JavaScript, which I can then kludge into something that does what I want.
“Here is some data in this format, convert it to data in this other format.”
Generating regular expressions
Bulk searching: “here’s a list of ten libraries, give me the github or gitlab page for each of them.” or “Take this snippet of code, find all of the references for the NetworkX library, and link the docs page for each of them.”
Summarizing YouTube videos
LLMs are good in cases where it’s hard to solve a problem, but easy to verify a solution.
This was a challenge and I’m proud of how I approached it. Most of my friends and family know that “I’m a programmer”, but they have no idea what I do. I made a video that takes a non-technical person through python, numpy, matplotlib, pandas and jupyter in a very concise way so that I can show my data table built on top of those projects.
How do you explain your projects to non-technical loved ones?
I think it’s very worthwhile to work to explain your work. What’s your niche? Give it a try here.
I really want to make individual videos explaining NumPy, pandas, Matplotlib, Jupyter and polars to programmers. Not explaining how to use them, but a quick overview of what they are capable of in the hands of an experienced practitioner. I have worked at a couple of places where the devs only know Node/Typescript, there’s a lot going on outside of that world.
“I help make sure that servers keep running while we’re asleep, as well as when we’re awake. Usually I succeed.” They usually don’t ask more than that.
At a certain level I don’t think they need to fully understand things. I love it when someone close to me geeks out over their hobby and gets excited explaining it to me, even if at the end of the day I probably won’t fully understand it.
All this is within reason of course, I knew someone that would talk nonstop for 15+ min about Dungeons & Dragons and even though I play it, those conversations were still exhausting.
Oh no )-: another step towards moving basic functions to web and web-browsers. Why?
I used to have a shortcut (when I ran dwm) to open a text editor with a scratchpad file. Now I have a shortcut to open a terminal and a single letter shell alias to open a scratchpad file for editing.
I bet most people can’t multiply two numbers without sending a bunch of HTTP requests to Google search engine anymore )-:
The utility of the tool is only part of the reason, the other being nostalgia.
A local scratch-pad is great, I use i3 and have shortcuts for opening an editor too. More often than not, I usually use my local scratch-pad, but it’s nice to always have something I can open on a machine that’s not set-up by me.
If you aren’t convinced, that’s fair. Just letting you know that it was more a labour of love.
I sense my remark might have landed unwell. If you took it personally (at your work or at yourself), I’m sorry. It was just sort of “an old man yelling at a cloud” kind of remark. Thank you for the explanation and more context provided.
Tone is lost in text. Your remark landed well, rest assured, no need to apologize. I merely wanted to post my rationale for posterity. I appreciate the follow-up nonetheless.
Absolutely agreed! But there are degrees to this. If I adjust the fonts once, that’s some cost. If the design keeps changing and moving things around in ways I don’t care about, that’s a larger cost.
Good design is a contingent thing you can gain or lose. When Gruber compares a proprietary Mastodon app with an open source one, that’s a perfect place for the caveat that, you know, this one’s great now but if it degrades because they took out some additional VC funding, you’re outta luck. With this second app they know someone else might make a fork so they’ll be more careful. They gave up some leverage early, and that deserves credit.
I did and now I do have a website but there’s no RSS feed and the entries are sorted randomly and not by date. At least I can deploy via git push, but I’m actually kind of missing a WYSIWYG text editor for quick notes. And to create a new page I need to mkdir article_name and add it to a list in a Python script, kind of sucks really.
I agree, the biggest barrier for me when it comes to writing blog posts isn’t the site generation or deployment or formatting, it’s actually typing the words out. And Hugo/Jekyll/… don’t help with that problem.
My favorite conspiracy theory: Emacs has bad defaults on purpose, because using it unconfigured is so unbearable that it serves as great motivation to learn how to write Elisp. (Bonus: also works for XMonad/Haskell!)
Things can get weird when your files don’t end in a newline.
I’ve actually had production data loss due to a design bug in cron where if the last line doesn’t end in a newline, it gets completely ignored with no warnings! Very fun, and also the first time a piece of software made me want to punch the author.
Unfortunately parsing newline or EOF is a really common oversight that AFAIK almost every significant grammar has encountered at some point (so don’t go punching any authors ;]). It requires a lookahead to define properly so many parser generators can’t even do it natively in the grammar itself (but there are plenty of workarounds).
This won’t parse any comment that ends in an EOF instead of a newline. But you can’t simply accept [\r\n]+ | EOF to terminate the line comment either as it will consume the EOF (and the file rule will fail). If you remove the EOF from the file rule (and also don’t check that all input was consumed), the last line(s) that fail to parse will be silently ignored similar to the cron behavior you describe.
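An added example, not part of the thread: a small hand-written parser for a crontab-like file (`#` comments, one entry per line) that reproduces the three outcomes discussed above, namely a newline-only line rule that silently drops the last line, the same rule with an "all input consumed" check that fails loudly, and a rule that also accepts EOF as a terminator by testing for it without consuming it. The sample file contents and the function names are constructed for illustration.

```python
NEWLINE = "\r\n"

# Constructed sample: the last entry has no trailing newline.
SAMPLE = (
    "# nightly jobs\n"
    "0 2 * * * /usr/local/bin/backup\n"
    "30 2 * * * /usr/local/bin/prune-old"
)


def _line_end(text, pos):
    """Index of the first CR or LF at or after pos, or len(text) if none."""
    while pos < len(text) and text[pos] not in NEWLINE:
        pos += 1
    return pos


def _skip_newlines(text, pos):
    """Consume a run of CR/LF characters; a no-op at end of input."""
    while pos < len(text) and text[pos] in NEWLINE:
        pos += 1
    return pos


def parse(text, eof_terminates, check_consumed):
    """Return the non-comment, non-blank lines of text.

    eof_terminates: a line may end at a newline run or at end of input.
                    EOF is only tested here, never consumed.
    check_consumed: the file rule requires that no input is left over.
    """
    entries, pos = [], 0
    while pos < len(text):
        end = _line_end(text, pos)
        if end == len(text) and not eof_terminates:
            break                     # line rule fails: terminator missing
        line = text[pos:end].strip()
        if line and not line.startswith("#"):
            entries.append(line)
        pos = _skip_newlines(text, end)
    if check_consumed and pos != len(text):
        raise ValueError(f"unparsed input at offset {pos}: {text[pos:]!r}")
    return entries


if __name__ == "__main__":
    print(parse(SAMPLE, eof_terminates=False, check_consumed=False))
    print(parse(SAMPLE, eof_terminates=True, check_consumed=True))
```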
In the end I had to settle for making fun of those absolute nincompoops in the comments section on various tech web sites; not quite as satisfying but still OK.
I’ve actually had production data loss due to a design bug in cron where if the last line doesn’t end in a newline, it gets completely ignored with no warnings! Very fun, and also the first time a piece of software made me want to punch the author.
I’m not sure if this was the cause, but traditional UNIX lex / yacc required inputs to end with a newline and would not detect an end-of-file marker without it. This fed into the C specification (fun fact: it is undefined behaviour in C if your file does not end with a newline character and the compiler is allowed to do absolutely anything when it encounters it because the original C compiler would fail in weird ways).
It just occurred to me that probably most of the people here are too young to have used Usenet in anger. The explanation:
Recognized shorthand on the Usenet group comp.std.c for any unexpected behavior of a C compiler on encountering an undefined construct. During a discussion on that group in early 1992, a regular remarked “When the compiler encounters [a given undefined construct] it is legal for it to make demons fly out of your nose” (the implication is that the compiler may choose any arbitrarily bizarre way to interpret the code without violating the ANSI C standard). Someone else followed up with a reference to “nasal demons”, which quickly became established. The original post is web-accessible at http://groups.google.com/groups?hl=en&selm=10195%40ksr.com.
If your definition of “valid” depends on differences that are literally invisible to the naked eye, then it’s a bad definition and you need to make a better one.
As dictatorships go, Valve is a mostly benevolent one. Steam is probably the least abusive and most social-good-increasing walled garden out there. Which admittedly isn’t saying too much, but their track record for violating the trust people put in them, while far from flawless, is remarkably clean compared to literally everyone else.
Conflict of interest disclaimer: I’ve been playing Baldur’s Gate 3 on Linux and it runs better than on Windows, which is frankly black magic. I can think of a few different reasons this might be, most of which aren’t due to Proton, but I’ve been too busy enjoying the game to try to dig into the details.
For the record, complaints of BG3 Act 3 game performance (and struggling hardware does lead to more crashes) have been orthogonal to the platform the game is running on- Windows people complain about it just as much- I’m still just at the beginning of Act 2 myself due to having a 2 year old and also experiencing “character restart-itis” a few times after “irreconcilable” screwups, but my main gaming machine is a NixOS Linux machine (I can’t play Starfield yet, but that’s Starfield’s fault, it’s incompatible with the NVIDIA 535+ driver and I refuse to downgrade just for that game)
On average there were 96.40% of people who did better at this game than you. If this was an exam and I was grading it on a curve, I would give you a F.
My work pays for Copilot and I’ve found it useful when writing boilerplate code (e.g. writing a simple test case or boring data manipulation). I’ll write something like // sort users by ID and split into batches of 100<tab> and it often works.
Sometimes it gets things wrong, but the general shape of code it generates (iterate over some list, use a switch, generate a bunch of if/elses) is a good starting point.
It’s sad that it takes so many ugly hacks just to try to beat browsers at storing DOM.
The huge cost of React generating DOM for invisible elements seems like a self-inflicted problem. I’d prefer a solution that focuses on either rendering the DOM faster without React’s overhead (server-side, or with direct DOM APIs) or building the not-yet-visible DOM asynchronously.
Browsers aren’t that bad at having large invisible DOM. 2MB/18K lines is not much for a static web page. It’s JS that’s slow, and GitHub chose to fight too much slow JS with even more JS.
it isn’t “just” 2MB of text, though. it is one with many thousands if not tens of thousands of elements for syntax highlighting. while a browser can easily handle large quantities of content with little complexity, each tag adds complexity and ultimately costs time.
IME generating large static HTML files, it is extremely easy to cause very noticeable load times with what’d be a couple MB of data at most if you stripped out all of the HTML tags.
It’s worth noting that none of these are problems with React specifically; any page with a very large DOM would experience the first two problems, and any solution where a large DOM is created and managed by JavaScript would experience the third.
This is argument from experience. I’ve worked professionally for years on HTML rendering optimizations.
I think their view of browser performance is too pessimistic, especially that it’s only about rendering mostly-static content on a mostly-desktop site. They aren’t even fighting for building that DOM under 16ms on budget Androids.
In DOM manipulation there are a few pitfalls that can cause O(n^2) costs (e.g. reading and writing to the live DOM, causing constant reflows, instead of building nodes in a detached DocumentFragment). I suspect they’ve stumbled upon one of such problems, and instead of removing the pitfall, they’ve assumed browsers are slow and need “virtualized” scrolling, which they definitely don’t need. Tens of thousands of nodes is not much for DOM if you just build it once and let the browser render and scroll it. It’s much only if you futz with it using JS that isn’t careful about superlinear costs.
That might be an epub-specific problem? epub is not exactly HTML, so it may require renderers to do things the hard way to emulate page splits, font size adjustments, etc.
For speed:
avoid making large containers that have to resize themselves to their content. These are display: flex and table. If you use regular flow layout (display: block containers), browsers will handle them easily and incrementally.
avoid making large surfaces that need to be animated (if you put transform on all your content, it may force the browser to create pre-rendered layers for compositing, and that’s slow and memory-heavy).
The HTML spec itself is a 12MB, 300K DOM nodes document. For me it takes about 3 seconds to parse and lay out, but then works super fast for me — easily 120fps scrolling anywhere in the 12MB document. And it’s a document with quite a lot of formatting, links, syntax highlighting, and illustrations. So a 27-second delay for GitHub’s 2MB text file really looks like GitHub’s problem.
I broke my right wrist and had to wear a full wrist cast for a couple of months. I’m not sure how much movement your arm will have but I didn’t really change much - I just pecked at the keyboard with my broken hand every once in a while.
I was a little slow at typing but that’s never felt like a bottleneck to me.
So you are able to use your right hand then? Have you considered using one of those miniature handheld Bluetooth keyboards? I had shoulder surgery too one time, and that’s what I used.
I’m not talking about something to wear, I mean something like this. When I had my arm in the special sling, I could slide my hand out of the holder and use the keyboard at my side. I don’t know if it works for your situation though.
Because your viewers don’t want their ISP to serve them ads in the content.
Bandwidth was a premium in 2012? That can’t be right, I feel like 2012 had plenty of bandwidth.
Of course, but in 2012 I’m pretty sure even homes could get gigabit networking. I don’t think of it as being a bandwidth constrained time.
I lived in Cleveland at the time (major US city) and was still limited to sub-5 megabit ISP service.
Dunno. Crazy to think that 2012 was so long ago.
I looked through my inbox to find what speeds I have had over time.
I both understand and resent this. Bad actors are making my life worse, and for some unfathomable reason it’s legal?!
If your ISP is manipulating your data it should be sued into oblivion, in a just world.
It’s not just ISPs, it’s any malicious actor, such as the operator of the wireless access point you’ve connected to (which may not be the person you think it is). You have a choice of either protecting visitors to your site from trivial interception and tampering or leaving them vulnerable. No one is forcing you to choose either way.
Well, it’s not a just world in every country.
I originally chose to not enable TLS for our game’s asset CDN because checking certs on arbitrary Linux distros is ~unsolvable and we have our own manifest signing so we don’t need TLS’s security guarantees anyway, then we found some ISPs with broken caching that would serve the wrong file for a given URL, so I enabled it and disabled cert verification in the Linux client instead.
ISPs don’t even have to be malicious, just crappy…
Why didn’t you just ship your own root certificate? :p
It’s sort of self explanatory. Confidentiality and Integrity.
If you aren’t willing to give those two things to your users I’m really convinced that you just aren’t in a position to host. Recipe site or not, we all have basic obligations. If you can’t meet them, that’s okay, you don’t have to host a website.
https://doesmysiteneedhttps.com/
because IPSEC failed so it’s up to application protocols to provide secure communication instead of the network layer.
Because some entities are passively monitoring all traffic worldwide.
Other than ad networks?! /s
But then again, those entities only really need metadata.
HTTPS leaks a lot less metadata than HTTP. With HTTP, you can see the full URL of the request. With HTTPS, you can see only the IP address. There’s a huge difference between knowing that I visited Wikipedia and that I read a specific Wikipedia page (the latter may be possible to determine based on the size of the response, but that’s harder). With SNI, the IP address may be shared by hundreds of domains and so a passive adversary doesn’t even see the specific host, let alone the specific page.
Usually SNI is sent in the clear, because the server needs to know the server name to be able to choose the right cert to present to the client, and it would require an extra round trip to do key exchange before certificate exchange.
There’s ongoing work on encrypted SNI (ESNI) but it requires complicated machinery to establish a pre-shared key; it only provides meaningful protection for mass virtual hosters (ugly push to centralize); and it’s of limited benefit without encrypted DNS (another hump on the camel).
Thanks, SNI does not work how I thought it worked. I assumed there was an initial unauthenticated key exchange and then the negotiated key was signed with the cert that the client said it wanted. I believe QUIC works this way, but I might be wrong there as well.
Gosh, I thought QUIC is basically TLS/1.3 with a different transport, but it’s weirder than either of us believed!
TLS/1.3 illustrated shows the SNI in the client hello in the clear
QUIC illustrated shows that the initial packet is encrypted with keys derived from a nonce that is sent in the clear in the initial packet; inside the wrapper is a TLS/1.3 client hello
I suppose this makes sense in that QUIC is designed to always encrypt, and it’s harder to accidentally send a cleartext packet if there aren’t any special cases that need cleartext. RFC 9000 says, “This protection does not provide confidentiality or integrity against attackers that can observe packets, but it does prevent attackers that cannot observe packets from spoofing Initial packets.”
Browsers are application runtimes, and plenty of bad actors are all too happy to include their JS software in your pages
I mean if people are going to ignore the warnings it sounds like you don’t need to enable encryption anyways
Looking at today’s instant messaging solutions, I think IRC is very underrated. The functionality of clients for IRC made years ago still surpass what “modern” protocols like Matrix have to offer. I think re-adoption of IRC is very much possible only by introducing a good UI, nothing more.
aka drawing the rest of the owl
More like upscaling an image drawn before the average web developer was born.
no UI will add offline message delivery to IRC
Doesn’t the “IRCToday” service linked in this post solve that? (and other IRC bouncers)
sure but that’s more than just a UI
Specs and implementations on the other hand…
I think “Lounge” is a really decent web-based UI.
About a year ago I moved my family/friends chat network to IRC. Thanks to modern clients like Goguma and Gamja and the v3 chathistory support and other features of Ergo this gives a nice modern feeling chat experience even without a bouncer. All of my users other than myself are at basic computer literacy level, they can muddle along with mobile and web apps not much more. So it’s definitely possible.
I went this route because I wanted something that I can fully own, understand and debug if needed.
You could bolt-on E2EE, but decentralization is missing—you have to create accounts on that server. Built for the ’10s, XMPP + MUCs can do these things without the storage & resource bloat of Matrix + eventual consistency. That said, for a lot of communities IRC is a serviceable, lightweight, accessible solution that I agree is underrated for text chat (even if client adoption of IRCv3 is still not where one might expect relative to server adoption)—& I would 100% rather see it over some Slack/Telegram/Discord chatroom exclusivity.
I dunno. The collapse of Freenode 3 years ago showed that a lot of the accounts there were either inactive or bots (because the number of accounts on Libera after the migration was significantly lower). I don’t see any newer software projects using IRC (a depressingly large number of them still point to Freenode, which just reinforces my point).
I like IRC and I still use it but it’s not a growth area.
There’s an ongoing effort to modernize IRC with https://ircv3.net. I would agree that most of these evolutions are just IRC catching up with features of modern chat platforms.
The IRC software landscape is also evolving with https://lobste.rs/s/wy2jgl/goguma_irc_client_for_mobile_devices and https://lobste.rs/s/0dnybw/soju_user_friendly_irc_bouncer.
Calling IRCv3 an “ongoing effort” is technically correct, but it’s been ongoing for around 8 to 9 years at this point and barely anything came out of it - and definitely nothing groundbreaking that IRC would need to catch up to the current times (e.g. message history).
Message history is provided by this thing (IRC Today), and it does it through means of IRC v3 support.
I don’t know if that’s really the right conclusion. A bunch of communities that were on Freenode never moved to Libera because they migrated to XMPP, Slack, Matrix, Discord, OFTC, and many more alternatives. I went from being on about 20 channels on Freenode to about 5 on Libera right after Freenode’s death, and today that number is closer to 1 (which I’m accessing via a Matrix bridge…).
I guess it just depends what channels you were in; every single one I was using at the time made the jump from Freenode to Libera, tho there were a couple that had already moved off to Slack several years earlier.
IRC really needs end-to-end encrypted messages.
Isn’t that what OTR does?
Not really. It’s opt-in and it only works for 1:1 charts, doesn’t it?
It’s “opt-in” in the sense that if you send an OTR message to someone without a plugin, they see garbage, yes. OTR is the predecessor to “signal” and back then (assuming you meant “chats” above), E2EE meant “one-to-one”: https://en.wikipedia.org/wiki/Off-the-record_messaging – but it does support end-to-end encrypted messages, and from my memory of using it on AIM in the zeros, it was pretty easy to set up and use. (At one point, we quietly added support to the hiptop, for example.)
Someone could probably write a modern double-ratchet replacement, using the same transport concepts as OTR, but I bet the people interested in working on that are more interested in implementing some form of RFC 9420 these days.
I’m very curious about how the “automatic dependency tracking” would work.
Seems like it’s based on tracking which Signals are accessed when a given Signal is evaluated:
this is so cursed, I love it
I feel like I’m taking crazy pills whenever I read one of these articles. CoPilot saves me so much time on a daily basis. It just automates so much boilerplate away: tests, documentation, switch statements, etc. Yes, it gets things wrong occasionally, but on balance it saves way more time than it costs.
Comments like this always make me wonder: How much boilerplate are you writing and why? I generally see boilerplate as a thing that happens when you’ve built the wrong abstractions. If every user of a framework is writing small variation on the same code, that doesn’t tell me they should all use an LLM to fill in the boilerplate, it tells me that we want some helper APIs that take only the things that differ between the users as arguments.
“It should be noted that no ethically-trained software engineer would ever consent to write a DestroyBaghdad procedure. Basic professional ethics would instead require him to write a DestroyCity procedure, to which Baghdad could be given as a parameter.” — Nathaniel Borenstein
Yeah it’s definitely that I don’t know when to add abstractions, not that the tool is useful in some specific circumstances 🙄
You created that perception by choosing such a questionable example. It’s reasonable pushback.
What on earth are you talking about? How could “tests, documentation, and switch statements” possibly be a questionable example? They’re the perfect use-case for automated AI completion.
I’ve found it useful when I want to copy an existing test and tweak it slightly. Sure, maybe I could DRY the tests and extract out common behavior but if the test is only 10 LoC I find that it’s easier to read the tests without extracting stuff to helpers or shared setup.
That was one of the places where Copilot significantly reduces the amount I type relative to writing it entirely, but I found it was only a marginal speedup relative to copying and pasting the previous test and tweaking. It got things wrong enough that I had to carefully read the output and make almost as many changes as if I’d copied and pasted.
IME the cumulative marginal savings from each place it was helpful was far, far, far outweighed by one particular test where it used fail instead of error for a method name and it took me a distressingly long time to spot.
I think I’ve only wasted a cumulative five minutes of debugging test failures caused by Copilot writing almost the right test, but I’m not sure I could claim that it’s actually saved me more than five minutes of typing.
I think the general answer is “a lot”. Once you have a big codebase and several developers the simplicity you get from NOT building abstractions is often a good thing. Same as not DRYing too much and not making too many small functions to simplify code flow and local changes. Easy to maintain code is mostly simple and reducing “boilerplate” while great in theory always means macros or metaprogramming or some other complicated thing in practice.
I don’t think you are taking crazy pills! Copilot could totally be saving you time. That’s why I prefaced by saying the kind of project I use Copilot with is atypical.
But I also want to say, I once believed Copilot was saving me time too, until I lost access to it and had some time to compare and reflect.
Programming in Lisp, I rarely have boiler plate, because any repeated code gets abstracted away.
I’ve used Copilot for a while and don’t use it anymore. In the end, I found that most boilerplate can better be solved with snippets and awk scripts, as they are more consistent. For example, to generate types from SQL, I have an AWK script that does it for me.
For lookup, I invested in good offline docs that I can grep, that way I can be sure I’m not trusting hallucinations.
I didn’t think Copilot was useless but my subscription ran out and I don’t really feel like I need to resubscribe, it didn’t add enough.
Same here. One of the biggest ways it helps is by giving me more positive momentum. Copilot keeps me thinking forward, offers me an idea of a next step to either accept, adjust, or reject, and in effectively looking up the names and structure of other things (like normal IDE autocomplete but boosted) it keeps me from getting distracted and overfocusing on details.
It does help though that I use (somewhat deliberately) pretty normal mainstream stacks.
Ditto. Especially the portion of the article that mentions it being unpredictable. Maybe my usage is biased because I mostly write python and use mainstream libraries, but I feel like I have a very good intuition for what it’s going to be smart enough to complete. It’s also made me realize how uninteresting and rote a lot of code tends to be on a per-function basis.
Yeah I feel like I type too slowly so sometimes I’ll just let copilot generate something mostly in line with what I’m thinking and then refine it.
why are comments on this website so snarky
If you are trying to prescribe something new for front-end web but your demo is riddled with questionable practices, there’s irony folks can’t help but point out. …Like pitching a new restaurant with the musk of rotten food as you open the door, why trust this establishment?
indeed, pretty disappointing. starts to look like HN :/
That’s because we live in snarky times.
I had a tangential question if that’s allowed. Has anyone here been using these LLMs and if yes, how have they helped you?
I missed the chatgpt train because I wasn’t interested. Recently I found out about llamafiles which makes running these easier but the large variety of models and the unintuitive nomenclature dissuaded me. I still wanna try these out and looks like I have enough RAM to run the Mistral-7B.
I have played around with stable diffusion but the slowness due to weak specs and the prompt engineering aspect made me bounce.
I’ve been using LLMs on almost a daily basis for more than a year. I use them for a ton of stuff, but very rarely for generating text that I then copy out and use directly.
I do most of my work with GPT-4 because it’s still a sizable step ahead of other LLM tools. I love playing with the ones that run on my laptop but I rarely use them for actual work, since they are far more likely to make mistakes or hallucinate than GPT-4 through paid ChatGPT.
Mistral 7B is my current favourite local model - it’s very capable, and I even have a version of it that runs on my iPhone! https://llm.mlc.ai/#ios
Some of my uses:
LLMs are good in cases where it’s hard to solve a problem, but easy to verify a solution.
Maybe I’m just not thinking of the right examples, but is verifying that usually much easier than doing the conversion?
IIRC the formats were
and
So pretty easy to verify (just match the numbers and tokens up) but I was not looking forward to writing all those {{}}s by hand
Also it was only one (very convoluted instance), so I couldn’t justify the time in writing a regex or parser.
I use them to generate weird recipes and memes. At work we pay for copilot so I’m not sure how good they are at writing code.
My god, this feels too real. Excellent work.
Thank you, I try!
This was a challenge and I’m proud of how I approached it. Most of my friends and family know that “I’m a programmer”, but they have no idea what I do. I made a video that takes a non-technical person through python, numpy, matplotlib, pandas and jupyter in a very concise way so that I can show my data table built on top of those projects.
How do you explain your projects to non-technical loved ones?
Geeze I struggle to explain my niche to other programmers, I’ve given up on trying to explain it to nontechnical people.
Does this make you feel lonely? I spent a couple of years working alone on a graph synchronization protocol and the loneliness was brutal…
I think it’s very worthwhile to work to explain your work. What’s your niche? Give it a try here.
I really want to make individual videos explaining NumPy, pandas, Matplotlib, Jupyter and polars to programmers. Not explaining how to use them, but a quick overview of what they are capable of in the hands of an experienced practitioner. I have worked at a couple of places where the devs only know Node/Typescript, there’s a lot going on outside of that world.
“I help make sure that servers keep running while we’re asleep, as well as when we’re awake. Usually I succeed.” They usually don’t ask more than that.
At a certain level I don’t think they need to fully understand things. I love it when someone close to me geeks out over their hobby and gets excited explaining it to me, even if at the end of the day I probably won’t fully understand it.
All this is within reason of course, I knew someone that would talk nonstop for 15+ min about Dungeons & Dragons and even though I play it, those conversations were still exhausting.
Oh no )-: another step towards moving basic functions to web and web-browsers. Why?
I used to have a shortcut (when I ran dwm) to open a text editor with a scratchpad file. Now I have a shortcut to open a terminal and a single letter shell alias to open a scratchpad file for editing.
I bet most people can’t multiply two numbers without sending a bunch of HTTP requests to Google search engine anymore )-:
I wrote about why I reimplemented typehere: https://squadrick.dev/journal/typehere.html
The utility of the tool is only part of the reason, the other being nostalgia.
A local scratch-pad is great, I use i3 and have shortcuts for opening an editor too. More often than not, I usually use my local scratch-pad, but it’s nice to always have something I can open on a machine that’s not set-up by me.
If you aren’t convinced, that’s fair. Just letting you know that it was more a labour of love.
I sense my remark might have landed unwell. If you took it personally (at your work or at yourself), I’m sorry. It was just sort of “an old man yelling at a cloud” kind of remark. Thank you for the explanation and more context provided.
Tone is lost in text. Your remark landed well, rest assured, no need to apologize. I merely wanted to post my rationale for posterity. I appreciate the follow-up nonetheless.
I don’t see how this moves anything to the browser
It moves text editing/ note taking, as in everything from vi to NotePad to Obsidian, into a web browser window.
I don’t understand why anyone would want to do that, but I accept that nostalgia is a powerful motivator.
for me, good design and UX are part of this
if a tool makes me squint or mess around with my window or zoom or fonts or styling, that’s effort spent on something besides actually using it
Absolutely agreed! But there are degrees to this. If I adjust the fonts once, that’s some cost. If the design keeps changing and moving things around in ways I don’t care about, that’s a larger cost.
Good design is a contingent thing you can gain or lose. When Gruber compares a proprietary Mastodon app with an open source one, that’s a perfect place for the caveat that, you know, this one’s great now but if it degrades because they took out some additional VC funding, you’re outta luck. With this second app they know someone else might make a fork so they’ll be more careful. They gave up some leverage early, and that deserves credit.
I did and now I do have a website but there’s no RSS feed and the entries are sorted randomly and not by date. At least I can deploy via git push, but I’m actually kind of missing a WYSIWYG text editor for quick notes. And to create a new page I need to mkdir article_name and add it to a list in a Python script, kind of sucks really.
I am more and more convinced, for playing with tech, go build SSGs. For writing blogs, use Publii or something.
I agree, the biggest barrier for me when it comes to writing blog posts isn’t the site generation or deployment or formatting, it’s actually typing the words out. And Hugo/Jekyll/… don’t help with that problem.
My favorite conspiracy theory: Emacs has bad defaults on purpose, because using it unconfigured is so unbearable that it serves as great motivation to learn how to write Elisp. (Bonus: also works for XMonad/Haskell!)
I’ve actually had production data loss due to a design bug in cron where if the last line doesn’t end in a newline, it gets completely ignored with no warnings! Very fun, and also the first time a piece of software made me want to punch the author.
Unfortunately parsing newline or EOF is a really common oversight that AFAIK almost every significant grammar has encountered at some point (so don’t go punching any authors ;]). It requires a lookahead to define properly so many parser generators can’t even do it natively in the grammar itself (but there are plenty of workarounds).
For example:
This won’t parse any comment that ends in an EOF instead of a newline. But you can’t simply accept [\r\n]+ | EOF to terminate the line comment either as it will consume the EOF (and the file rule will fail). If you remove the EOF from the file rule (and also don’t check that all input was consumed), the last line(s) that fail to parse will be silently ignored similar to the cron behavior you describe.
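The three outcomes this comment describes (final line silently ignored, parse failure, EOF accepted as a terminator without being consumed), as an added Python sketch. It is a toy line grammar, not cron's parser and not the commenter's grammar; the crontab entries are constructed sample input.

```python
import re

# line := text NEWLINE   (the rule that forgets about EOF)
LINE_NL = re.compile(r"([^\r\n]*)\r?\n")
# line := text (NEWLINE | EOF), where \Z asserts end of input without consuming it
LINE_NL_OR_EOF = re.compile(r"([^\r\n]*)(?:\r?\n|\Z)")

# Constructed sample: the second entry has no trailing newline.
UNTERMINATED = (
    "0 2 * * * /usr/local/bin/backup\n"
    "30 3 * * * /usr/local/bin/rotate-logs"
)


def _scan(pattern, text):
    """Apply `pattern` repeatedly; return (entries, offset where matching stopped)."""
    entries, pos = [], 0
    while pos < len(text):
        match = pattern.match(text, pos)
        if match is None:
            break
        entries.append(match.group(1))
        pos = match.end()
    return entries, pos


def parse_silent(text):
    """file := line*  with no end-of-input check: leftovers vanish without a warning."""
    entries, _ = _scan(LINE_NL, text)
    return entries


def parse_strict(text):
    """file := line* EOF  with the same line rule: an unterminated last line is an error."""
    entries, pos = _scan(LINE_NL, text)
    if pos != len(text):
        raise ValueError(f"unterminated final line at offset {pos}: {text[pos:]!r}")
    return entries


def parse_lenient(text):
    """file := line* EOF  where a line may also end at EOF: nothing is lost or rejected."""
    entries, pos = _scan(LINE_NL_OR_EOF, text)
    if pos != len(text):
        raise ValueError(f"unparseable input at offset {pos}")
    return entries


if __name__ == "__main__":
    print("silent :", parse_silent(UNTERMINATED))
    print("lenient:", parse_lenient(UNTERMINATED))
```

For a scheduler or any other security-relevant config, `parse_strict` or `parse_lenient` are the safe choices; `parse_silent` is the one that drops the backup-rotation entry with no diagnostic.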
In the end I had to settle for making fun of those absolute nincompoops in the comments section on various tech web sites; not quite as satisfying but still OK.
I’m not sure if this was the cause, but traditional UNIX lex / yacc required inputs to end with a newline and would not detect an end-of-file marker without it. This fed into the C specification (fun fact: it is undefined behaviour in C if your file does not end with a newline character and the compiler is allowed to do absolutely anything when it encounters it because the original C compiler would fail in weird ways).
Nasal demons!
It just occurred to me that probably most of the people here are too young to have used Usenet in anger. The explanation:
A warning would be ideal, but if you go stuffing invalid text files in all over the place you gotta expect things to break sometimes…
No.
If your definition of “valid” depends on differences that are literally invisible to the naked eye, then it’s a bad definition and you need to make a better one.
I don’t see how this is relevant to the parent comment
As dictatorships go, Valve is a mostly benevolent one. Steam is probably the least abusive and most social-good-increasing walled garden out there. Which admittedly isn’t saying too much, but their track record for violating the trust people put in them, while far from flawless, is remarkably clean compared to literally everyone else.
Conflict of interest disclaimer: I’ve been playing Baldur’s Gate 3 on linux and it runs better than on Windows, which is frankly black magic. I can think of a few different reasons this might be, most of which aren’t due to Proton, but I’ve been too busy enjoying the game to try to dig into the details.
For the record, complaints of BG3 Act 3 game performance (and struggling hardware does lead to more crashes) have been orthogonal to the platform the game is running on- Windows people complain about it just as much- I’m still just at the beginning of Act 2 myself due to having a 2 year old and also experiencing “character restart-itis” a few times after “irreconcilable” screwups, but my main gaming machine is a NixOS Linux machine (I can’t play Starfield yet, but that’s Starfield’s fault, it’s incompatible with the NVIDIA 535+ driver and I refuse to downgrade just for that game)
can confirm that BG3 is also janky as all hell on windows
I fail to see what Steam has to do with BG3 crashes.
:x 🫡
😭
My work pays for Copilot and I’ve found it useful when writing boilerplate code (e.g. writing a simple test case or boring data manipulation). I’ll write something like // sort users by ID and split into batches of 100<tab> and it often works.
Sometimes it gets things wrong, but the general shape of code it generates (iterate over some list, use a switch, generate a bunch of if/elses) is a good starting point.
It’s sad that it takes so many ugly hacks just to try to beat browsers at storing DOM.
The huge cost of React generating DOM for invisible elements seems like a self-inflicted problem. I’d prefer a solution that focuses on either rendering the DOM faster without React’s overhead (server-side, or with direct DOM APIs) or building the not-yet-visible DOM asynchronously.
Browsers aren’t that bad at having large invisible DOM. 2MB/18K lines is not much for a static web page. It’s JS that’s slow, and GitHub chose to fight too much slow JS with even more JS.
it isn’t “just” 2MB of text, though. it is one with many thousands if not tens of thousands of elements for syntax highlighting. while a browser can easily handle large quantities of content with little complexity, each tag adds complexity and ultimately costs time.
IME generating large static HTML files, it is extremely easy to cause very noticeable load times with what’d be a couple MB of data at most if you stripped out all of the HTML tags.
That’s a reductive argument.
This is argument from experience. I’ve worked professionally for years on HTML rendering optimizations.
I think their view of browser performance is too pessimistic, especially that it’s only about rendering mostly-static content on a mostly-desktop site. They aren’t even fighting for building that DOM under 16ms on budget Androids.
In DOM manipulation there are a few pitfalls that can cause O(n^2) costs (e.g. reading and writing to the live DOM, causing constant reflows, instead of building nodes in a detached DocumentFragment). I suspect they’ve stumbled upon one of such problems, and instead of removing the pitfall, they’ve assumed browsers are slow and need “virtualized” scrolling, which they definitely don’t need. Tens of thousands of nodes is not much for DOM if you just build it once and let the browser render and scroll it. It’s much only if you futz with it using JS that isn’t careful about superlinear costs.
I’ve had browsers chug when rendering 1MB of text (epubs/ebooks with plain HTML), do you have any tips for fast rendering?
That might be epub-specific problem? epub is not exactly HTML, so it may require renderers to do things the hard way to emulate page splits, font size adjustments, etc.
For speed:
avoid making large containers that have to resize themselves to their content. These are display: flex and table. If you use regular flow layout (display: block containers), browsers will handle them easily and incrementally.
avoid making large surfaces that need to be animated (if you put transform on all your content, it may force the browser to create pre-rendered layers for compositing, and that’s slow and memory-heavy).
The HTML spec itself is a 12MB, 300K DOM nodes document. For me it takes about 3 seconds to parse and lay out, but then works super fast for me — easily 120fps scrolling anywhere in the 12MB document. And it’s a document with quite a lot of formatting, links, syntax highlighting, and illustrations. So 27 second delay for GitHub’s 2MB text file really looks like GitHub’s problem.
I broke my right wrist and had to wear a full wrist cast for a couple of months. I’m not sure how much movement your arm will have but I didn’t really change much - I just pecked at the keyboard with my broken hand every once in a while.
I was a little slow at typing but that’s never felt like a bottleneck to me.
I won’t be able to reach the keyboard with my right hand for at least 2 weeks I assume
Oof, that sucks. If it’s less than a month it might not be worth messing with keyboard layouts though. Hope you heal up soon!
So you are able to use your right hand then? Have you considered using one of those miniature handheld Bluetooth keyboards? I had shoulder surgery too one time, and that’s what I used.
Uh. Not sure if wearing something on the hand is a good idea, as it’s extra weight.
I’m not talking about something to wear, I mean something like this. When I had my arm in the special sling, I could slide my hand out of the holder and use the keyboard at my side. I don’t know if it works for your situation though.