Friend who is not a software person sent me this tweet, which amused me as it did them. They asked if “runk” was real, which I assume not.
But what are some good examples of real ones like this? xz became famous for the hack of course, so i then read a bit about how important this compression algorithm is/was.
GNU readline is a library that handles text input
Imagemagick.
Every website that supports avatar images and has multiple sizes of the avatars uses imagemagick.
Another one is OpenSSL.
I like the imagemagick .desktop file that is always created when you install the package. It opens up a really terrible and dated paint-like program that no one ever uses.
Curl comes to mind. Libcurl is at the foundation of almost all networking.
And they still get emails from randos when some program that uses curl doesn’t work (the Readme is top notch).
I cannot for the life of me find what you’re referencing. I only remember the
sqlite/etilqsfiasco with McAfee.https://github.com/mackyle/sqlite/blob/a009acaca1fe25d909d8b5180c0120af1abc2b82/src/os.h#L56-L79
Here’s an example from NASA
I feel a bit split about this. Seems it is an actual law, and it kind of makes sense. You probably don’t want random components from unknown people and places in your multi million dollar space equipment. But it feels rather arrogant to just demand such things.
Is NASA actually a customer? Did they pay for a license to use curl (genuine question - I’m not familiar enough with it to know if enterprises and organisations require a paid license)? Are they planning on becoming a paying customer? Do they make donations to the project? If not, it feels kind of rude to send a demand letter to the lead developer of a free piece of software straight up demanding a formal letter stating where the free software is being developed and maintained (for free), or if outside the USA, that the free software has been tested in the USA. Oh, and a bonus demand that such information be returned within 5 business days (naturally with an implied “or else”, just to really make sure those pesky people maintaining open source software for free really get the memo)
In any case, why don’t all their scary 3 letter spy agencies go and figure it out on behalf of NASA themselves? It’s open source, they could just like, read the source, test the source, and audit the source themselves. Or fork it and make any modifications they’d like to ensure its safety
I don’t blame the person sending the emails, obviously, they’re just following orders, but the whole email reads as very entitled and arrogant, assuming NASA don’t provide any compensation to the project and projects maintainers for their use of curl
https://daniel.haxx.se/blog/2020/12/17/curl-supports-nasa/
https://daniel.haxx.se/blog/2023/02/07/closing-the-nasa-loop/
Their process for validating software doesn’t have a box for “open source”, and basically assumes it’s either purchased, or contracted. So someone in risk assessment just gets a list of software libraries and goes down it checking that they have the required forms.
As the referenced talk mentions, the people using the software understand that all the testing and everything is entirely on them, and that sending these messages is bothersome and unfair, and they’re working on it. Unfortunately, NASA is also a massive government bureaucracy and so process changes are slow, at best.
The TLAs don’t generally help NASA, and getting them involved would unfortunately only result in more messages being sent.As for contributions, I think that turns into an even worse can of worms, since generally software developed by or for the US government isn’t just open source, but public domain. I think you’d end up with a big mess of licensing horror if you tried to get money or official relationships involved. It’s why sqlite is public domain, since it was developed at the behest of the US.
Mostly just context for what you said. NASA isn’t being arrogant, they’re being gigantic. Doing their due diligence in-house while another branch goes down a checklist, sees they don’t have a form and pops of an email and embarrassing the hell out of the first group.
The time limit thing is weird, but it’s a common practice in bureaucracies, public or private. You stick a timeline on the request to convey your level of urgency and the establish some manner of timeline for the other person to work with. Read the line again, but extremely literally: “we have a time frame of 5 days for a response”. “Our audit timeline guessed that it would take a business week for you to reply, so if you take longer we’re behind schedule”. The threatening version is “your response is required on or before five business days from the date of this message”.
The presumption is that the person on the other end is also working through a task queue that they don’t have much personal investment in, and is generally good natured, so you’re telling them “I don’t expect you to jump on this immediately, but wherever you can find a moment to reply this week would keep anyone from bothering me, and me from needing to send another email or trying to find a phone number”
https://bagder.github.io/emails/ has the email collection.
Thank you!! I knew I must have been missing something.
Thanks for sharing these gems. I can almost feel the exasperation in some of the emails and their replies.
curl is most definitely not developed solely by one person though, it has thousands of contributors. in fact, there is so much red tape around curl that you can’t even discuss making a change to it without first writing an RFC and having it approved by a committee.
Libcurl is at the foundation of almost all networking.
That’s not remotely true, but it is nevertheless outstanding work and very much deserving of recognition and support.
Is-even and is-odd on npm.
For a while, openssl was maintained by 1 or 2 people.
The popularity of these two packages shows that something is very wrong with JavaScript.
No, it shows people are lazy.
Well, that as well, but it’s an also bit tricky to safely check if a number is even because JavaScript uses floats for numbers.
It’s not tricky. Modulus operator works fine.
Like half of the npm is maintained by a single, arguably awful, person who writes his microprojects into large pieces of software to maximize how often his code gets installed.
Sindre Sorhus?
That’s them, yup!
Jon Schlinkert, I believe. Sindre has a lot of stuff as well, but has a better reputation afaik
Just looked them up… holy hell. How does one have so many repos! And all the apps he’s made.
What’s the story on them?Edit: just looked it up myself. Seems to be a well liked person in the open source community. Idk. Regardless, props to them for the work they put in.
Sounds like a fork is in order
I would love this even more if one depended on the other and just did a “not even” for example.
I thought that was the case tbh, has it changed?
Edit: is-even depends on is-odd.
It would be even better if each one depended on the other.
Well good news! Time to let yourself love again!
deleted
left-pad
Is-even and is-odd are the stupidest packages ever written. Except for all the others that guy wrote.
curl
There is a guy named Arthur David Olson who maintains a small database of all the time zones in the world, including things like leap seconds and such. It’s used by everybody and it is updated several times a year. See here:
If we could all just stop making changes to time zones, that would make my job very slightly easier.
I don’t understand why we don’t just all use UTC and just wake up at different hours depending on the country 🤷🏻♀️
Perhaps we’ll move to UTC+10¼, and then move forward 45 minutes in the summer.
If the day number is a prime, then we’ll go back π hours.
Hope that will help!
I bet he’s paid nothing to do it. Then one day, when a timing attack happens that can be traced to the DB, some knobhead CTOs and tech influencers will start talking about “securing the supply chain”. They’ll want other such bullshit and responsibilities to be shoved unto volunteers.
Two quotes come to mind “Fuck you, pay me” and “Open source maintainers owe you nothing”.
It would make sooo much more sense for the ISO to set something up, and make governments each responsible for keeping it updated, since they’re the ones doing the changing.
Require all participants to amend their law/regulations, so there’s a note to prompt whoever is in power and changes it next.
I’m sure some places would still neglect to do it… Haha
It has organizational support from ICANN, so it’s not done in total isolation.
Oh neato, then all good!
Wasn’t there also very recently a whole thing about the single guy who maintains the NTP spec threatened to retire so he could get a “real” job, which caused a gigantic internet-wide panic as pretty much everything we do relies on computer’s clocks being perfectly synced?
It’s also worth pointing out that this was sued in a copyright lawsuit some time ago. The wikipedia article mentions it, but here’s the slashdot discussion if you want to feel like stepping into a time machine: https://m.slashdot.org/story/158778
It caused a momentary panic when everyone realized that this thing runs the system clocks for everything everywhere, and if it got taken down by a copyright suit it would be disastrous for, well, everybody.
Pretty much every basic terminal command for linux. Grep is the one that comes to mind.
The modern man uses
ripgrep👍deleted by creator
What does that offer offer grep/egrep
-
much faster
-
proper unicode (and other encodings) support
-
automatic recursion (no extra flags needed)
-
can search inside compressed files/archives like gz/xz/zip (also see ripgrep-all) for even more archive support)
-
honors
.gitignoreand ignores binary/hidden files
probably a lot more things too
-
Speed and memory efficiency, mostly. If you ever have to grep for something in a large number of files ripgrep will be done while regular grep will only be reaching the 25% mark.
But it’s three more letters. No deal.
Alias. To
gr, even!Its going installed binary is
rg.I shall begrudgingly consider it then, with much begrudgement.
You joke but this is facts
Huh… My dad is a software engineer and his name is Ronald. He also secured several software patents when he worked for a big chip wafer manufacturer. He might actually be the Ronald in this meme… 🤔
NTP is the one that comes to mind for me.
Basically every device uses it and until fairly recently was maintained by a single person
So they have a donation/support page?
Though OpenNTPD, Chrony or timesyncd if you’re on Systemd, are usually better suited.
Network Time Protocol? Cool, didn’t know that!
Oh dear, that post from the core-js guy made my blood boil. He’s been taken advantage of by the whole world.
The
core-jsstory always makes me sad. Sure, he’s developing an open source project and no one HAS to pay him. But the meager amount of donations and the tons of hate he receives isn’t justifiable.I had seen the hate before and foolishly just assumed he was deserving of it. Its a horrible situation he’s in and he is being cast in a bad light because he reached out for help.
It’s especially sadder when a substantial amount of the donations vanished when Open Collective and others stopped operating to Russians.
left-pad was the first thing that came to mind for me
Azer did nothing wrong.
Laurie Voss made a bad call and should feel bad.
The principals of free software was, is, and always will be more important than every single dollar in silicon valley combined.
No arguments there, if you’re gonna depend on a piece of code, you better own it or have a rock solid plan b.
I think he overreacted a bit, not to having his package name forcibly taken from him, but to being asked to give it up in the first place. Kik explained to him that they have to fight this or lose their tradmark because thats how trademark law works. His response was basically “haha fuck you”. He probably could’ve asked for a couple thousand and just changed the name of his project and everything would’ve been fine.
being asked to give it up in the first place. Kik explained to him that they have to fight this or lose their tradmark because thats how trademark law works.
I’m not a lawyer but from what I know that’s a load of shit. There’s nothing stopping a trademark holder from granting licensing rights to third parties, without charge, to use their trademark in specific ways.
They chose not to because its easier, and most people won’t know better, so they roll over.
His response was basically “haha fuck you”. He probably could’ve asked for a couple thousand and just changed the name of his project and everything would’ve been fine.
This is the correct response, even if Kik would’ve given him money. It’s his package, he got the name first. Corpos can eat shit, just because its not the easy choice, or the choice you would’ve made doesn’t mean it was wrong. That package should’ve stayed down on principal.
Yeah that debacle still pisses me off. Especially the fact that someone could possibly trademark and enforce a trademark a name that’s already in use. It’s made even worse that the package that now uses the stolen name is defunct.
I hope all of the bad actors burn in Hell.
What pisses me off is that NPM thought it would be okay to remove something from their repository.
What did NPM remove? My understanding is that NPM restored the deleted package. If you’re referring to giving the author the ability to delete their packages, I’m on the fence about that. On the one hand, if it’s open source, it’s a part of the community. On the other hand, it’s also still the author’s code, and if they are the only author, then it’s their sole decision if they want to host their code under their account.
But at the same time if the code is properly licensed under an open source license (I would assume/hope NPM didn’t allow non FOSS code) then NPM can refuse to take it down. Yes, they put it back up, but I think it’s important for public repositories (as in packaged code repositories, not got repositories) to never remove things (barring legal requirements, sure).
For what it’s worth, the policy they adopted after the fact seemed pretty sensible. I think it was something like you can’t take things down once they have ~100 downloads or x number of dependents.
The do-nothings vs the did-somethings.
Sqlite isn’t quite one person, but it is a very small team and is extremely widely used. https://www.sqlite.org/mostdeployed.html
And their website is quirky
As is their code of ethics.
Have something to share?
SQLite devs are trolls to their suppliers that’s great 😂
They said they’re quite serious about it, actually. While it’s quirky, I don’t see anything wrong with it. It’s… weirdly charming? I’d never use anything like it, but it’s fun to see something different amidst a world of copy-pasted contributor covenants.
I mean, to make such a point that the only point of the page was simply to satisfy a requirement of someone else’s volition and yet creating that page and apparently saying what you’re saying—seems like there’s something misaligning here :P
Also I no doubt that they hate people who talk too much and hate making jokes — there’s some seriously unserious stuff inside of the rules they posted. They are serious folks who have zero tolerance for laughter apparently :D
My headcanon is they’re a bunch of people who have a super religious supplier with strict checkbox rules and they are fucking with them.
- Be a stranger to the world’s ways.
one out of 72 isn’t bad
Jesus Christ
I see you like the first rule.
“be not drowsy”
Lmao yo wtf
It looks pretty decent to me, at least on mobile. Definitely better than 95% of websites.
Damn, I wanted to mention sqlite.
It’s not too late. Mention it!
Furthermore, “RUNK” was originally made in the 1980s to take over from a program written on punch cards in the 1960s. Finally, it’s missing some important functions that the original 60s program had because "RUNK"s developer doesn’t see the purpose of those functions and refuses to add them; and no one has publically released a fork of “RUNK” that adds those functions back in, so you have to do it yourself. Thank God it’s open source.
Edit: oh yeah, and back in 2005 there was an effort to make a GUI for it, but “RUNK’s” sole developer got mad because “back in the 80s we didn’t need GUIs; command line is infinitely faster” and kept intentionally breaking support for the GUI with each bug fix, leading to the project eventually being abandoned.
that really sounds like a case where someone ultimately says “fuck you, runk’s developer”. why didn’t that happen?
Because frankly, Ronald (the current maintainer, not the original author) is very competent. I say this as somebody who has personally been yelled at by Ronald at a kernel summit; I didn’t deserve it, but none of his technical points were wrong. I like to think of myself as the kind of person that, given enough time and documentation, can maintain anything; I think it’d still take three of me to do Ronald’s job. (Well, “job.” I think he technically works for Red Hat or something?) Not to excuse his conduct, just to explain why he’s not been replaced yet.
Wait if it stands for Ronald’s Universal Number Kounter, does that mean both the creator and current maintainer are named Ronald? Is it a dread pirate kinda deal where whoever holds the hat takes the name?
I’d love to link you to their Wikipedia pages, but both of them are redlinked. As far as I can tell, Dr. V. Ronald was an educator who moved from Canada to the USA as part of the whole Xerox PARC thing and probably was valued for mainframe experience; does anybody have a full bio? The current maintainer is Ron Sunk, who did a full run at MIT up through postdoc before going to Red Hat. The names are a coincidence;
runkimplements what we now call Sunk summation, after Sunk’s thesis. (As you might guess, that’s an instance of Stigler’s law, since clearly Dr. Ronald discovered Sunk summation first!)Also, as long as we’re here, I want to empathize a little with Sunk. The GUIs that folks have placed on
runk, like GNOME’s Gunk or Enlightenment’senk, look very cool, and there’s rumors of an upcoming unified number-counting protocol that will put them all on equal ground. But @[email protected] wasn’t joking; Dr. Arnold’s code literally only reads punch cards, and there’s a façade to make it work on modern Linux and BSD transparently. It predates X11, if that’s any help. The tech debt is real.Fun fact, there was actually a man named Ronald Numbers.
it’s a case where he knows a guy just like Ronald but he’s not naming him, so he’s just talking about “Ronald”
