I believe they also have attorneys. Perhaps that's how Apple could make bug-tracking more effective -- hire a prosecuting attorney and a defending attorney for each bug.

The agent passes the Turing test...

Self-hosted Gitlab periodically blocks access for auto-upgrades. Github.com upgrades are usually invisible.

Github.com is periodically hit with the broad/systemic cloud-outage. Self-hosted Gitlab is more decentralized infra, so you don't have the systemic outages.

With self-hosted Gitlab, you likely to have to deal with rude bots on your own. Github.com has an ops team that deals with the rude bots.

I'm sure the list goes on. (shrug)

But there's a parallel push around taxing American firms using foreign labor (https://www.moreno.senate.gov/press-releases/new-moreno-bill...).

If multiple new policies are put in place at the same time, then... I dunno... it seems harder to predict...

Presumably, there is a farmer who raised the cow, then purchased the papier-mâché, then scrounged for a palette of paints, and meticulously assembled everything in a field -- all for the purpose of entertaining distant onlookers.

That is software engineering. In Gettier's story, we're not the passive observers. We're the tricksters who thought papier-mâché was a good idea.

* Normally, the big green button says "Merge pull request"

* Now, the big green button says "Merge when ready"

In a large project with lots of activity, a stampede of people pressing "Merge" at the same time will cause trouble. "Merge when ready" is supposed to solve this.

It seems to mean:

> "GH, please merge this, but take it slow. Re-run the tests a few extra times to be sure."

* The general idea of mixing together filesystems+folders to achieve re-use/sharing/caching.

* The "Dockerfile" approach to this - with its linear sequence of build-steps that map to a linear set of overlays (where each overlay depends on its predecessor).

The "Dockerfile" approach is pretty brilliant in a few ways. It's very learnable. You don't need to understand much in order to get some value. It's compatible many different distribution systems (apt-get, yum, npm, et al).

But although it's _compatible_ with many, I wouldn't say it's _particularly good_ for any one. Think of each distribution-system -- they all have a native cache mechanism and distribution infrastructure. For all of them, Dockerization makes the cache-efficacy worse. For decent caching, you have to apply some adhoc adaptations/compromises. (Your image-distribution infra also winds up as a duplicate of the underlying pkg-distribution infra.)

Here's an alternative that should do a better job of re-use/sharing/caching. It integrates the image-builder with the package-manager:

https://grahamc.com/blog/nix-and-layered-docker-images/

Of course, it trades-away the genericness of a "Dockerfile', and it no doubt required a lot of work to write. But if you compare it to the default behavior or to adhoc adaptations, this one should provide better cache-efficacy.

(All this is from POV of someone doing continuous-integration. If you're a downstream user who fetches 1-4 published image every year, then you're just downloading a big blob -- and the caching-layering stuff is kind of irrelevant.)

Speaking as an elitist left-wing hippie-business-geek-bro-demon in the Bay Area...

Kudos to the Columbus Area! Ohio, build it up!

Ourselves, it seems. A Javascript framework is like a jet, and we are the human payload. You can stay in the jet, zooming over the constantly changing landscape. But if you get tired of this zooming around (or if you get scared of hitting a mountain), then you can activate the ejection seat (https://en.wikipedia.org/wiki/Ejection_seat). Of course, now you're a mile high without a plane, but the ejection-seat comes with a parachute, so the descent will be pleasant (or, at least, non-fatal - which is a style of pleasantness).

Erm, wait, I think you were soliciting a more literal answer. :)

"create-react-app" is the Javascript framework/jet. If you want to go for the ride, then you declare a single-dependency on "create-react-app", and they will decide when/what/how to upgrade components in the framework. If you don't want to ride along with "create-react-app"s framework, then you "eject". They'll give you a little bundle (the concrete list of dependencies) and send you off on your way.

Comments URL: https://news.ycombinator.com/item?id=26688226

Points: 4

# Comments: 0

Consider an analogy to shell-scripting -- there are different shells ("bash", "dash", "zsh") which have substantial overlap (insofar as they largely support traditional POSIX). Someone writing a script/program can target a specific flavor ("#!/usr/bin/env bash") and get more features, or they can write conservative code and let downstream policy determine the shell ("#!/bin/sh"). General-purpose distros (like Debian/Redhat) don't seem to have a problem with supporting them side-by-side.

I'm more than a little rusty on the mechanics of dependency-management in C... but shouldn't it allow some analogous arrangement where an app either (a) signals a requirement for a specific implementation or (b) signals ambivalence/deference (and limits itself to common APIs).

(This, of course, only makes sense if the developers of LibreSSL/OpenSSL and of the distros believe that it's better to coexist+compete than to consolidate. The tenor of the LWN article seems to convey a XOR mentality, but if both projects have independently healthy teams, then... maybe they prefer friendly coopetition...)

But... the article also says:

> ... it is not possible to install both OpenSSL and LibreSSL on the same system.

That combination -- not-compatible and not-coexisting -- sounds rough.

Anecdotally, for the project where I contribute most... the issue about fewer contributors is real. But you do still get contributors, and PR-workflow makes other aspects easier (like broad clean-ups/reorgs/scheduling/versioning). For contributors who come, you also get the opportunity to socialize/engage them during review. Overall, there are drawbacks/risks, but I'd say it was a net-improvement (wrt quality/clarity of the final docs).

Maybe look at it this way: Both workflows provide a way to organize open/community docs. Both workflows have positive role-models. In both, you need capacity+interest for editing, for socialization, etc. If you tend to these, you can do good. But if there's neglect... then that's where you'll see the starkest differences:

* In wiki-workflow, the likely symptoms of neglect are draft-quality content, bad prose, quirky TOC, drive-by edits that are out-of-place, etc.

* In PR-workflow, the likely symptoms of neglect are slow review/feedback, older content, would-be contributors who can't assimilate to the workflow, etc.

Let's make an example. Suppose a "rational investor" in a globalized market is considering whether to manufacture a commodity in San Francisco or Jaipur.

The cost of living in San Francisco is 200%-2000% higher than the cost of living in Jaipur.

https://www.numbeo.com/cost-of-living/compare_cities.jsp?cou...

The rational, by-the-numbers move is to put the factory in Jaipur because exchange rates make it radically cheaper. That's the real driver. Even if the would-be workers in SF made every conscionable concession and slogged for 25 hours a day, it wouldn't overcome the currency differences. Even if the workers in Jaipur had the most generous PTO and the most corrupt union boss, it wouldn't overcome the currency differences.

Of course, if you were pitching a town in South Carolina against a town in Pennsylvania, then maybe you'd consider numerically small differentiators like "how much extra do you have to pay for the 9th hour of work" - because small differentiators are the only differentiators available.

But that's not the issue with globalization. "Globalization" doesn't mean "moved from PA to SC to trim wages by 5% via lax overtime rules". It means they moved to Vietnam or China or Bangladesh to change the basic unit of measure with an aim to slash labor costs by 50% or 80%.

Yeah, no. I mean, I don't know this guy from Bob, but the above has neither citation nor argument, and everything I've seen disagrees with that assessment.

Skim the list of the board of advisors...

https://www.persuasion.community/p/our-board

Several names pop out - and not because they're alt-right / reactionaries / populist right-wingers. Some bios:

https://en.wikipedia.org/wiki/Anne_Applebaum https://en.wikipedia.org/wiki/Francis_Fukuyama https://en.wikipedia.org/wiki/Garry_Kasparov https://en.wikipedia.org/wiki/Sheri_Berman

Again, I don't have any personal knowledge here, but it's interesting to consider, eg, this bit from Wikipedia:

https://en.wikipedia.org/wiki/Yascha_Mounk#Political_positio...

> Mounk stated that he had changed his position on nationalism. He initially considered it a relic of the past that must be overcome, but he now advocates an "inclusive nationalism" to head off the threat of aggressive nationalism. On the German television newscast Tagesthemen, he stated that Germany is on a "historically unique experiment, namely to transform a mono-ethnic and monocultural democracy into a multi-ethnic one."

I suppose words like "nationalism" and "mono-ethnic" might appear in an alt-right missive, but IMHO the above doesn't sound anything like an alt-right perspective.

Suppose the initial implementation chose an ill-suited/fast/cheap hash (like MD5). The developer facepalms appropriately, changes course, and updates the implementation to support an expanded list of 4 hashes (1 old/weak/cheap hash and 3 new/strong/expensive hashes) - and you track the hash in the same way as the counter.

Fast-forward a bit. Mallory eavesdrops, learns an example password, and starts a brute-force attack for the master password. He doesn't know which hash to use, so he has to try all of them. On the surface, the choice of hash is just 1 or 2 bits of entropy... but the resource impact on Mallory is driven by the (in)efficiency of the new hash(es), so it has an outsized impact.

In anticipation of upcoming hardware, the developer issues annual updates with another (slower) hashing option (PBKDF2 w/100k iterations => 150k iterations => 200k iterations). This muddies the waters for new brute-force attacks. It's kind of a neat notion that the mere existence of a newer convention could retroactively raise the cost of a brute-force.

Alas, it's not real. Because we're not just concerned that Mallory is an eavesdroper listening to a random password - we're concerned that Mallory is a website-operator who takes user-registrations. In that case, he can simply log the time when the user or password was created -- and thereby rule-out future hashing conventinos.