> many asso⁣ci⁣a⁣tions with harm are con⁣founded by past or present to⁣bacco use [...] but when pure nicotine is ex⁣am⁣ined [...] the harms ap⁣peared min⁣i⁣mal: like all stim⁣u⁣lants, nico⁣tine may raise blood pres⁣sure some⁣what, and is ad⁣dic⁣tive to some de⁣gree, but the risks do not ap⁣pear much more strik⁣ingly harm⁣ful than caffeine [...] There is lit⁣tle ev⁣i⁣dence from the NRT [nicotine replacement therapy] lit⁣er⁣a⁣ture that ‘never-smokers’ like my⁣self are all that likely to be⁣come highly ad⁣dicted

(To be clear, I understand why the medical community would be hesitant to endorse this without it rising to the level of a "cover-up," but it seems like it's not as bad an idea as it intuitively sounds. But it's also unclear if the stimulant levels mentioned in that article are anywhere close to the levels relevant for covid.)

But the proposal here isn't about running NixOS as your OS, since we're talking about macOS. It's about using Nix as an additional package/environment manager on top of another OS/kernel, in this case macOS, though of course Linux is well-supported too.

Each file in Nix is stored in a path that's computed based on the hash of the relevant source code, and depends on other files (e.g., libraries) via their hash-based paths, too. So you can straightforwardly have multiple execution environments with their own dependencies that don't interfere. It's an alternative solution to the dependency problem: containers leave paths alone, but create a new root filesystem for each container. Nix programs all share one root filesystem, but modify the paths so nothing uses e.g. /usr/bin or /usr/lib.

Precisely because Nix binaries isolate themselves from /usr and carry their own dependencies, the Nix packaging repo "nixpkgs" can be used on any Linux machine, not just NixOS ones. And the Nix folks also build nixpkgs for macOS, so most software in nixpkgs can be installed on a macOS machine too. This gets you a solution to the dependency problem on macOS itself (because there are no Linux-style containers on macOS). If you want, it also gets you a relatively consistent dev environment for applications that will be eventually deployed on Linux: although the kernel is different and of course the binaries are compiled for different kernels, the entire userspace can be the same on macOS and Linux.

> If you as a public university had no power against racism beyond the nobility of your intentions, your mission statement wouldn't matter a damn anyway. The public university's power against racism is the inherently anti-racist power of genuine knowledge.

And I think it actually refutes some of the more simplistic comments by other signatories about e.g. a desire to keep politics out of science or whether a university's goal should be truth or social justice. Such a phrasing implicitly claims that social justice (however one defines it) is a separable goal from truth. It reminds me a little of the "non-overlapping magisteria" non-solution to conflicting claims from science and religion, that either science determines truth and religion determines, I dunno, vibes, or alternatively that religion has real truth and science is limited to some subset of reality - it solves the problem by refusing to take either one or the other seriously.

The claims of politics and social justice are claims within the domain of truth, just as the claims of science are. Either climate change is happening and merits a response, or it isn't. Either diversity brings conflict or it doesn't. Either the implicit association test is good science or it isn't. Either social Darwinism is good science or it isn't.

The goal of the university should be to seek the truth because it helps humanity. This is why the research university publishes its research and the teaching university opens its doors to the public, after all. There are enough places (as we tech folks know!) where you can pursue the truth about many things for private gain.

Those of us who are on the side of "science" and "truth" must say that when the pursuit of truth has brought us somewhere, we need to do something with that conclusion. It might take us a long while and to false places on the way (as with social Darwinism), but once we've landed on the shores we sought, we need to build something there. And those of us who adhere to the cause of "social justice" as widely understood (and I certainly count myself as one) must believe that the claims it makes about the world we live in are in fact true, and that the pursuit of truth will keep us focused on what actually benefits the people or causes we support, and we need to not cede ground to the idea that our pursuit of truth is somehow a different thing from the ordinary pursuit of truth.

Think about technical discussions as a thing that you need to spend extended amounts of time and energy on - probably more than programming, once you get senior enough as an individual contributor.

(So, yes, I think it's a lack of skill, largely because of a lack of recognition that it's a skill worth developing. I can't say whether the "blame" is yours or theirs, but it is highly likely that everyone has a lot of room to get better at it.)

In fact I think we do use the term "self-host" in exactly that way when talking about "self-hosted newsletters." I can (and do!) run a newsletter where I generate the HTML and the MIME document locally, find an SMTP provider of my choice, and instruct it to directly mail recipients. I maintain the mailing list (in a text file in a Git repo) and pass it to my SMTP provider every time I do a mailing, and people contact me directly to sign up. I could also use Substack/Tinyletter/Buttondown/etc., which would have various advantages and disadvantages; the hosting provider would handle most of this for me, including maintaining the list of subscribers. You can also talk about "self-hosted Mailman," etc. In these cases, the self-hoster sees the email addresses of subscribers but not (necessarily) their IP addresses.

I don't think I'm conflating TCP and HTTP. NNTP, UUCP, and SMTP all use TCP, but they're designed in a way that doesn't have this property. In fact it's not even HTTP per se that's a problem. It's mostly about what I called "direct HTTP" - though you posted your comment to me over HTTP, there's no HTTP (nor TCP) connection to me.

(Also other comments claim that the CLOUD Act means that if GH the US entity runs EU servers, that doesn't actually solve the problem - it'd have to be a non-US entity not subject to US jurisdiction. That's why I think the old-school-web model of mirrors is a better example; they're generally run by universities or other entities with no legal relation to the site they're mirroring.)

It might be meaningful under the model of direct HTTP, where you could be DoSing me or trying to exploit my web server. But if you don't contact me over HTTP, then that problem doesn't arise. There's no meaningful concept of blocking people from a Usenet post I write. Even for indirect HTTP, I don't need to block people from my GitHub Pages or from my HN comments. They're public.

If I add dynamic feature like a comment system or discussion forum to my website, then it becomes meaningful, but also at that point I can implement a way for you to consent to sharing your IP address with me as part of signing up.

You don't have to make a direct TCP/IP connection for two people to communicate. We had systems like Usenet and UUCP that replicated data through a series of servers. Even today, when you use email, you talk to your email provider who talks to the recipient's email provider, and they have no need to share your personal IP addresses in the process. Some providers used to include this in Received: headers, but many today do not, rightly seeing it as a privacy concern. And even on HTTP we had (and still have, in some cases) mirrors, where legally-unrelated entities host copies of each others' data. Someone in the EU can visit http://ftp.icm.edu.pl/pub/linux/Documentation/ and never have their connection known to the US-juridiction host of TLDP.

It is both socially sensible for these providers to consent to sharing their own infrastructure IP addresses with other providers (but not share their customers' IP addresses) and legally practical for them to make that consent under the GDPR.

Why should it be the case that when you visit my personal website, which I happen to self-host, I have access to your IP address? I don't want that information. I don't even get that information when using higher-level services like Hacker News or Twitter or GitHub, even though those services operate over HTTP. It's weird that I get it, honestly.

I understand there's a huge planetary investment in HTTP, and so the collision of abstractly-reasonable privacy rights with that reality is an extremely hard engineering and policy problem. But that doesn't make the privacy rights unreasonable.

> 2. This Regulation does not apply to the processing of personal data:

> (c) by a natural person in the course of a purely personal or household activity

My sense (I am neither a lawyer nor European so this is certainly not European legal advice) is that you cannot use GDPR to compel someone to delete your contact info if they're solely a social acquaintance, but you can use it to compel them to delete it if they're a one-person business of some sort (contractor, Etsy seller, lawyer, etc.).

(But in practice, we mostly rely on the fact that if you are in Google Cloud and specify a minimum CPU version, Google masks CPUID in that VM to exactly match that CPU, even if the underlying hardware is newer. They do this so live-migration of the whole VM works, but it also helps for process migration. I'm not sure where this is specifically documented but see e.g. https://stackoverflow.com/a/44507857 .)

And a few of these aren't even heinous! If I happen to be self-taught in the law and I am particularly good at giving wise and helpful legal advice, but I am not actually admitted to the bar, nobody is directly hurt by my advice, but society has decided the potential for harm in this situation is high enough that I still shouldn't be allowed to do that.

Absent a holy constitution given to us by the divine, the way we decide what is and isn't a right is we look at its effect. Places that recognize a right to bear arms, for instance, do so because they believe that arming the citizenry protects them against abuses of the government. Places that don't do so because they believe that disarming the citizenry protects them against crimes from other citizens. To the extent that one of these views is correct and the other is not, it is not because they guessed wrong about the nature of the universe - it is because one argument is correct and another is not.

Free speech is not axiomatic. Free speech is a right (and I agree it is a right!) because it has particular positive effects on society, through the benefits of open and unfiltered public discourse.

And the same reasoning helps us define exactly what "free speech" is. We make significant restrictions on free speech - classified information, copyright and trademark law, slander and tortious interference, electioneering laws, unauthorized practice of medicine or law, fraud, etc. - in the expectation that those restrictions serve to benefit society, and in the understanding that if we were to allow these forms of speech, they wouldn't really serve the goals which we see free speech, overall, as helping. If I were to say "I am a licensed doctor and I think you should take two pounds of Vitamin D a day," we understand that the benefit of me adding that statement to the public discourse is nil, and the harm is great, and so we don't recognize that as protected by free speech.

The NSPA's goal was never to actually hold a march. They never did hold a march in Skokie, after that defense. Their goal was to harass Jewish communities through the process of applying for the march, which Goldberger, for all his good intention, assisted them with.

As the article notes, they sent letters to a whole bunch of suburbs asking for a permit to hold a march. They never followed up with the suburbs that ignored them, nor did they march in those suburbs either.

The whole thing was a bad-faith tactic which today we'd call trolling. They weren't fighting for their right to speak freely in Skokie, they were fighting for their right to use the legal process to harass the city of Skokie.

Advising underage people through a wiki on how to make hormones at home is neither sexual assault nor grooming as the term is conventionally understood. How could it be? You can't get in contact with an anonymous reader of information that has been published to the public. You have no idea what they do with that information. So I am not really understanding what its relevance in this thread is.

(If anything, it's an example of free speech. You might not be a fan of it, which is totally fine, but information that advises people of any age on knowledge that people would prefer to be un-known is obviously at least as deserving of free speech protection - both in the legal sense of protection from government interference and in the moral sense that lovers of a free society should support it having a platform - as anything posted on Kiwifarms.)

And startups have long asked for people to star their projects for visibility.

I don't know at what point it hasn't been "gamed." Maybe there are now bots starring repos, but is that meaningfully different than masses of very real humans being excited by hype?

There's an analogy in the article to airplane seat pricing. The solution there was to tell the airlines they couldn't collude with each other, not to say "The real problem is the lack of flight supply."

Do you self-host your services on some Linux distro? How many FAANG employees have upload access to that distro or maintain its infrastructure?

(Or maybe you audited everything yourself and you're 100% confident in your audit, somehow, and you've turned off automatic updates. How many FAANG employees are working on fuzzers to automatically find new exploitable security vulnerabilities and scale out those fuzzers on their employers' infrastructure?)

To be fair, this is an entirely reasonable threat model for a lot of people. For instance, if you're a reporter in an authoritarian country, Google is almost certainly not colluding with the attackers who are literally trying to kill you, and using a Chromebook and Gmail is probably the best option out there. Your threat model is "Don't die," not "Don't be subject to surveillance capitalism."

But it's also something we should collectively be pushing back on. The motivating example for these products is "intelligent ambient systems," i.e., things like Nest hubs and doorbells that capture audio/video all the time. These products probably shouldn't exist at all, and to the extent they do, they should process data locally and discard it as soon as they can.

As a totally non-web example of this, as of 2017, "Google’s third-party partnerships ... capture approximately 70% of credit and debit card transactions in the United States." https://adwords.googleblog.com/2017/05/powering-ads-and-anal...

When you buy something with MasterCard, in person, with a magstripe or even an old-school carbon-copy imprinter, MasterCard can go give that data to Google.

I think the incognito warning could say "Websites you visit, and anyone those sites share data with" to draw attention to this, but I'm not sure if that's quite enough. I'm leaning towards the argument from this article that "incognito" itself is simply a poor name.

A bunch of folks who have been using Slack for a long time have saved their xoxs cookie from a couple of years ago and not invalidated their old sessions, and they'll tell you the various clients still work. For a new user who is getting an xoxc token, your client needs a way to pass cookies along with your token. Many of the terminal clients I've seen don't obviously give you a way to pass the cookie.

My company uses the enterprisiest Slack offering (Enterprise Grid, compliance archiving, proxy restrictions, the works) hooked up to Azure AD as the identity provider and previously to Okta via ADFS, and I have working programmatic auth to Slack (leveraging local Kerberos tickets from Windows AD signon). Give me some details on what your auth setup looks like and I can probably help you with it. (I can try to open-source my internal client if it helps, but it's specific in some ways to our setup so it might be easier to just talk you through it.)