Posts by doublelayer

The normal version of Signal identifies users by their phone number, so it may do this by deactivating any accounts with Swedish phone numbers. You could use the code to build a different version and use that, but that's not easy for everyone.

Re: One of many ironies

Then cut out the extra step and just use PGP, because you'll have the same security as just PGP if the message was intercepted. Using PGP also means you have the typical problems with key management and exchange.

Not that your underlying point is wrong. Encryption that doesn't fit with the assumptions that the law can bypass mathematics exists. Governments can't eliminate it, they can't detect it fast enough to block it, so all they can do is punish people for using it which would be a bad idea. As usual, politicians don't understand how any of it works or how pervasive it is on everything today and thus how hard it would be to take it away.

Re: Why?

Or, perhaps, for the same reason that these major cloud and software providers are major everywhere else: they have a bunch of products that are easy to get in to and hard to get out of. It is easy to decide you need a device management system, you've got Windows machines, you'll use Microsoft's software. Now that you're doing it, changing to anything else runs into the problems that the alternatives have fewer features and you'll be spending a lot of time and money to get to the same place you are now, so it gets put off. It's easy to decide you need email, calendars, and shared documents, so you'll sign on with Google Workspace. It's hard to get all your data out of that and transferred to somewhere else. It's hard to find somewhere else that could take all that data if you did transfer it, meaning you're either switching to another company that's quite similar or you have to set up several replacement services instead of one.

You are right about most of these, and I don't think the risk is as high as described. However, the risk would be a lot lower if the EU bothered to enforce any of those things. If GDPR were enforced as written, it would be incredibly scary to all the large companies with massive bank accounts in Ireland that could easily be fined for what they do. When it was passed, they did seem to fear that someone would enforce it, hence all the scrambling to update terms of service documents and stop certain programs. But then nobody ever did anything with it and those programs started back up again. The DMA did get used as a big stick a couple times against Apple, and Apple started to comply, but then someone got distracted, Apple noticed, Apple halfheartedly finished a couple things, breaking them so they wouldn't have much effect, and nobody did anything about them. The many powerful incentives available will do no good if companies assume they'll never be used, and it makes it harder to change their mind and use them once because the numerous examples of everyone else who gets away with violating them can be used to delay or derail the process.

Re: The problem is more fundamental than just Cloud

DNS is distributed. European DNS requests rarely go to DNS servers in the US unless it's specifically for a US entity. If the attack you describe just happened to things hosted there, it would have little effect. Even if it extends to any DNS server operated by a US company, that would be more severe because Google and CloudFlare's resolvers are the most often used, but there are lots of DNS resolvers hosted in the EU by EU companies, none of which would have done this. Root servers are operating in many countries. The protocols in use are standard, so at worst, people who used 8.8.8.8 would have to enter a new IP address. Consumer ISP users might not notice, having always used their ISP resolver.

Cloud providers are much more concentrated and are much harder to substitute. However, many of them operate from EU-based subsidiaries, if not EU-based parent corporations to avoid paying as much tax to the US. There is a lot that EU governments could do to prevent damage being done, or at least to make the companies suffer if they complied, and the companies are smart enough to know the risk to their cash flow. I expect that they would resist things likely to antagonize the countries in which their valuable servers and customers are, even if they try to hide that they are doing so.

Re: It's STUPENDOUS how short sighted they are.

That was the point. It's easy for people to convince themselves that there is some other problem when the alternative is that they've made a bad decision. It's common to ascribe any bad decision, whether or not it was obvious beforehand, as stupidity. People don't want to feel stupid or to have others view them as stupid, so in defense, they find reasons why that's definitely not what is going on.

I've seen lots of people do it, for example a person who doubled down on a massively expensive contract they could have cancelled at will because doing so would suggest they didn't pick right the first time. I've also done it myself. This is why, while I'm not concerned about the comments made in the original post of this thread, I'm concerned about people trying to identify the lazy before the tool can improve productivity.

Re: It's STUPENDOUS how short sighted they are.

If it actually worked, then at least some people would be expecting more performance out of people and penalizing lazy ones who didn't do it. It has worked before. When computers sped up certain operations, most workers, either by choice or by management started doing more things. The problem is that this might also happen now, when the tools don't actually improve productivity but some have come to believe that they do. If someone has been convinced to buy expensive LLMs, they will probably conclude that they must improve productivity, otherwise they wouldn't have bought them, and that if they're not seeing productivity increases, it must be because someone is being lazy.

Re: So they made a desktop that's LESS repairable/upgradeable??

I agree with you that it's not very impressive, but don't go overboard in your quest to prove it. They didn't have an option to use replaceable RAM with the CPU they used, but that might have been an indication that they should consider using a different CPU. Unlike their laptops, there is not any repairability benefit to their desktop.

But you've decided to go compare it to a Mac Mini, so let's do that.

"A Mac Mini with M4 Pro is going to handily beat that, and cost less too. Quite a trick for them to be underpriced by Apple lol"

The Mac Mini with M4 Pro starts at $1,399 (I'm using dollars to avoid including tax in the comparison). The Framework Desktop starts at $1,099. That cheapest Framework has 32 GB of RAM. The cheapest Mac Mini has 24 GB. Not looking great for your comparison. If we want identical amounts of RAM, we can do that. For $1,599, you can get a Framework Desktop with 64 GB of RAM. To get 64 GB in a Mac Mini, the price jumps to $1,999. Not cheaper after all. But, of course, there's more to a computer than RAM. Let's compare CPUs. The 12-core M4 Pro receives Passmark benchmarks of 4623/33153. The CPUs used in the Framework haven't been benchmarked yet, but the one in the comparison is a 16-core CPU with a 55 W TDP. AMD does have one of those that has benchmarks: last year's AMD Ryzen 9 7945HX (4062/54826). The Mac's storage is significantly more expensive and proprietary, so to have more than the default 512 GB, you'll be adding a lot more to that price (a 2 TB SSD does not cost $600 elsewhere).

Your price comparison is wrong on all levels.

Re: Rather have an UPTON ONE

Out of curiosity, why would you prefer that? There are several problems with the model that make it less interesting to me. Compared to the Framework, the Pi 5 is a lot slower. Four A76s is not very much in comparison to modern CPUs, and it maxes out at 8 GB of RAM (there are 16 GB full Pi boards, but not compute modules that this laptop uses). There are some tasks I want to run on a laptop that use more.

Perhaps my biggest problem is power management. The Raspberry Pi uses a lot of power to deliver the performance it does, and it doesn't have lower power modes, or at least not support for them in software. This means that, whenever I connect one to a battery, it takes a very big battery and I have to perform a full shutdown any time I want to leave it for a while and come back with some charge still in the battery. That makes a laptop based on it much less interesting.

Re: $899 is not cheap

The prices we have are for the 13-inch laptops with significantly faster processors. The prices for the lower-power convertible will be lower, although they haven't said how much lower and I'm expecting it won't be as lower as we might want. I don't expect the convertible hinge and touchscreen to be cheap additions at their scale, though.

I'm also waiting to see how repairable the 12-inch model is. Since it's Framework, I'm expecting it will be significantly more than any other manufacturer, but I have their laptops as a point of comparison so I'm expecting to find fewer replaceable parts in the new model than exist in their laptops. Still hoping that Framework will prove me wrong.

Re: Self Checkout

The theory is that, because you get your purchases for so much less, the data about what you buy must be worth at least that much to the business.

I don't believe it. I think they are earning plenty from that arrangement, but the data has little to do with it. Instead, it becomes a method of price discrimination. Someone who goes into the shop and simply chooses what they want, then pays whatever number comes up on the display can be made to pay more by putting up the prices, whereas those who would balk at the higher prices can get the card that makes them low again. It is a perfect way of identifying who doesn't care about price increases and getting money from them. Of course, to figure out how well it works, you would have to know how many people simply stopped shopping there altogether, and if they did that calculation, they aren't telling us the result. In addition, they sometimes try to have a loyalty program where consistent shopping results in some kind of reward, which could be a way to collect more data but is probably a way to convince people to choose that shop over others when they need some more things.

Part of the basis for my belief is that the shops near me that have such an arrangement seem uninterested in attaching that membership to me. They could easily demand a verified phone and email address, but in at least some of the ones where I have a membership, the process for getting one is "Do you want to be a member? Okay, here's a plastic card.". One of them did ask for a phone number, but they had no problem accepting a string of digits that isn't a valid phone number. If I want the price savings at those shops but I don't want my purchases associated with one another, I can just tell them I'm not a member several times and get several cards.

Re: what's wrong with them?

It really could be either, because neither is designed to last forever, but in my experience, it's usually the USB socket if one of those has failed. Perhaps the most common is mechanical problems. The plug and flash are fine, but something nasty has happened to the middle. It's easy to bend one by accident, which is why there have been so many recommendations for metal-cased drives here.

Re: Value

I've done the substandard USB disk thing. It never works out in the end unless you're willing to treat any USB disk as temporary only, for moving files between two computers that are in very close proximity. Otherwise, you'll eventually rely on it the day it breaks for something too important. For example, the time I had one of those and I needed to install a firmware update on something that only accepted them on a USB disk. It chose halfway during firmware installation as the time to give up, and even though the disk wasn't permanently broken, the device was doing a good imitation of broken. Fortunately, I was able to restore it, but it took a lot longer than using a different disk would have.

License changes, such as those described in the article, is why CLAs are getting less popular these days. The FSF having one probably helped give people confidence in them because they trusted that whatever the FSF did with the copyright you gave them, it was probably something you'd be at least okay with. They did do the same things, but, for example, to change from GPL 2 to GPL 3, not from GPL to proprietary.

Nowadays, I see more resistance to CLAs. Theoretically, any copyright holder should be able to enforce it, so you don't need to own all the code in a project to enforce that license. Having more different people means more who can defend against violations at the cost of making it much more difficult to change the license. In the early days, needing to change the license seemed more logical as it hadn't been thoroughly tested in courts, but now that any license you're likely to choose has gone unchanged for over a decade if not three, this is less of a concern.

Re: A solved problem for laptops -> just buy a Framework

I'm also a happy Framework user, but before we get too enthusiastic, the keyboard is not watertight. If just the keyboard got hit in that disaster, your description of how easy it is to replace is correct. If the drink made it through the keyboard onto other parts, that is going to be a more expensive repair. There's at least some chance that the keyboard might catch all of it, but it is possible for liquid to leak further.

Re: It's odd to award an "A repairability score"

Because, in a world where basically nobody does that, people might still want to know how easy it will to repair some things. At the level we're at now, one of the most important questions for me is, when I want to replace the disk in the laptop, is it soldered in or not, is it a standard part or not, is there a bunch of adhesive or a fragile part in my way or not, none of which have anything to do with schematics for some other board. In fact, should Apple choose to release schematics showing what parts are on their board, schematics that, although they don't release, others have already created, it wouldn't help the fact that their storage is soldered on and not replaceable even if you obtain identical chips because, if you don't write certain data to it first, the computer won't boot. That's why repairability scores are a thing. It's not odd in the slightest. I assume this is another example of you asking for perfect or nothing, but although I'd like perfect too, I sometimes live in a world where that isn't an option and I still want to know about my imperfect options.

Re: Top Cover

Yes, history has shown me that there is no good idea that can't be overdone by someone who doesn't understand what the point is. I'm imagining an environment where you don't know what anyone is doing because meetings about it are considered harmful. Probably that's not what they meant.

Re: Scrum

I'm not a fan of Agile, but in this case, the point is that you split projects into smaller teams specifically so these things work better. The "scrum master" isn't supposed to be another person. If you need one at all, that would just be one of the members of the team, but you can do these meetings without anyone to facilitate it, so eliminate them from the set. Product owners at this level would also be people working on it in some way, and testing is supposed to be done by everyone. That means you can have five programmers and one person who mostly interacts with other teams. That is if you're trying to do the original idea of a standup, which got its name specifically to tell people to do it really quickly. Now that we have hour-long standups with shared screens, it's something completely different that achieves none of the goals of the original thing.

Re: Obligation to maintain?

The understaffing issue is correct, but not exactly relevant to the discussion about upstreaming things because, if people were developing patches for it, they would have lots of reasons to want them upstreamed. If nobody is doing it, that's a completely separate issue.

The FUTO license is not my favorite, and I can explain why. While it's not as bad as most faux-open licenses, it has the same central problem that they all do, just not right now. To require payment from an unclear set of people, it restricts the ability to modify and distribute modified versions. I am not allowed to remove certain parts of the code, and I am not allowed to perform any commercial activities if I'm modifying it. Why is this a problem? Here is an example. To demonstrate my problem, I will compare it to the GPL/AGPL, the other licenses they have used.

FUTO, the company, is privately owned. The code they make is owned entirely by them. This means they can change the license if they want and they can add whatever they want. Fortunately, its current owner and those who work there are public-spirited, so they make useful things without abusive features. One day, as all of these people are having a meeting, a meteor comes through and destroys the building, killing those people who were doing this. The company is inherited by someone who is not interested in the privacy, freedom, or anything else that drew people to this company. They want money, and they only have the rights to some code. So they modify the code to introduce surveillance and advertising. What can we do about this?

For projects using the GPL or AGPL, this is easy. We say goodbye to the organization that no longer has our interests at heart, and we fork the project. Someone else can continue development of the code. In fact, we can form a new organization to do that if we want. We can accept donations or even continue to ask for payment for this. This is what open source software allows. What happens with the FUTO licensed stuff? We are allowed to modify the code, but we are forbidden from removing any of the FUTO-added commercial code. Right now, that just means that we can't remove the part where FUTO asks for money nor redirect that money to ourselves, but in the world where FUTO has gone bad, that could easily include their other commercial stuff such as the advertising. But maybe we can argue that we forked before that happened, so we just have to leave in the part where people are asked to pay new-FUTO. Still, we are forbidden from acting in a commercial way, meaning it is probably impossible to collect donations or form an organization. Not only does our version, forked specifically to get away from new-FUTO, have to ask users to pay them, our users cannot help with donations or we've violated the license.

In fact, this applies even without the threat of a rogue organization. If I am writing extra code for one of their projects, unaffiliated with FUTO itself, and you want my feature added, you are not allowed to donate to me to help get that written. In practice, I'm sure they would ignore this and let me collect that donation, and I would probably still accept it because I'm that confident about it, even though my typical policy is that I don't violate the letter of the license even if I don't expect it to be enforced. They may not really know this is what their license does. It follows similar not open licenses that have been used in exactly this way as previously open source projects try to keep more of the funding to themselves, and I don't see any way that their license avoids what those licenses have done. There is a reason why people got angry when they called it open source. By the way, this doesn't mean that there's anything wrong with what they've done; it's their code, and I am perfectly happy with people making their code proprietary, so less open than I'd like is not something I object to. I still prefer something truly open to this, and those reasons are why.

Re: Subtitle: "Overworked, under pressure, and subjected to abuse – is it really worth it?"

For context for the following, let me first say that I have taken your approach for requests made to me, for family and friends, requests of most types, for a long time. I help people as soon as requested and I have neither asked for nor received something in exchange. I am still happy to keep doing this. However...

Your comment blames someone for an attitude that can make sense in a number of cases, and they did not say enough to determine whether those cases apply. They may be reacting to this from people who make reasonable requests politely and respond with gratitude, but this is not the only type of user you face while doing it. Read comments on articles that discuss this and you'll see many other cases, such as the "you have to fix it now" guy, the "why is it taking so long" guy, and the "you broke everything" guy. Part of the reason why I've continued to work for my friends and family is that I've at most gotten the low levels of this. While I too have had the experience of someone calling me to figure out how I broke their computer a few weeks after I fixed it, weeks in which it was working fine, I have not had anything extreme. If I did, I too would have dropped that person from my free support.

Not that I don't get unreasonable requests. I recently was asked to obtain a free computer, set it up, and teach a user how to use it. The user concerned was a friend of the daughter of someone I have helped before and would help again. The person to receive this free computer was someone I had never met. I did it. However, I must say that, when I was chided for my slowness in the process of repairing an old machine so I could give it to them, I did start to get annoyed with people who took my ability to do free labor and provide free equipment for granted. Incidentally, they also thought I could obtain a free Microsoft Office license. They got LibreOffice and that's all they're getting. Since I am a programmer, people have also requested, in the same way that they request help with a computer problem, that I write mobile apps or websites for them or their business. These I have occasionally done if they are small enough, but even I will reject some of them even if I could do them.

You don't know whether the person concerned has been the recipient of unreasonable demands and reactions, but it might be helpful to consider that they might have. It is also helpful to consider whether there is a double standard. I provide computer help for free, but I do not ask my friends to do work for me for free, and they do not offer to do so. I mostly do this because a lot of it is somewhat short and because I agree with you that other options are not great.

Re: Obligation to maintain?

"You are the maintainer of a useful piece of FOSS software. You have a slowly increasing bug/feature backlog created by corporate employees."

No problem. I'm going to not fix any of those things unless someone I care about wants it fixed. People I care about include myself, people I like, people who did other work which I'm willing to reward with some from me, people who pay money. Otherwise, the feature will just sit there. It's that company's problem and they can solve it in many ways.

"All that will happen is a patch file used by that corporation will be compiled in as part of the build process (coincidently point 4 in the OSI's open source definition) and neither developer time or money is donated to your project."

That is not point 4. Point 4 is that I cannot stop them from modifying the software. There are three restrictions permitted for how I may restrict them, but they are allowed to modify it. Which is what I want, because people being able to modify it is how such software grows in the first place. If they never upstream changes they made, that's their choice and their problem because I won't know it exists and won't have any problem accidentally breaking it with updates on my side. I'd also be interested to know how you think heartbleed happened as a result of this given that it was an oversight in the original codebase, not something that was patched in or out of it.

"Usually the problem isn't insufficient funds, it's lack of fair/transparent disbursement & hoarding."

This was the same suggestion that came up when Bruce Perens came up with his post-open disaster. It will have the same problems. For the moment, I'm going to skip over the required payment bit, whether that's a good idea, how you would implement it, and how you would prevent abuse of it. Those are massive problems, and I could write at length about why, but for the moment, let's stick to only one major problem: how you allocate the proceeds after you get them.

When I make my payment, does it go just to open source code I use, or to everything? If it's only what I use, then I have to report that, but how does it get split up? Does every project get an equal share of it, from the massive program that has a hundred full-time equivalent developers on it to the library written by one person who hasn't committed anything to it in over a year (I have a few of those)? Or do we have to allocate it based on its importance or scope to me, which would probably fund complex projects more, which is probably necessary, but would be an administrative nightmare. But if we don't use my funds for code I use, but instead make a general pot, then how do we decide who gets the support? If we support everybody, then that means that plenty of funding will go to people who make open source code that isn't much used and may not be well-supported. I have a project that I think is somewhat good, but I think it's probably got about ten users worldwide. I don't know that for sure, but it mostly doesn't matter because I wrote it for myself. Do I get funding for that one? If we leave some projects out, how do we tell what counts? If we give the organization control over that, they could allocate funds to things they support and ignore projects they don't like. If we try to set a standard for size and support anything larger than that, expect that to be gamed. For example, if you only get funding if you have more than X active users, then you'll need to build in some telemetry to prove that you do, and you could get some fake users to put you over that total.

This is not the only reason why it's a bad idea, but it is certainly one of them.

Re: Especially galling are large corporates ...

This can be a problem, and the best way to respond to it is to show them exactly how important a feature request is when the justification is "we want it". I've been in both positions to some extent. If a request like that has been sent to a project of mine, I'll respond if it's a security issue because I can't bear to leave that in, but if it's a feature request, then they'll get a message that it has been added to the suggestions list but I cannot guarantee when or if it will ever be implemented. They can see from the suggestions list that I'm not joking about that. They get to choose whether they do something about this.

Fortunately for me, my employers have been, while not any more generous about paying for features, at least willing for an employee to write them. If we want something bad enough, I'll make the point that the thing we're trying for may not be used by anyone else, and requesting existing maintainers to add it may never go anywhere. They are usually receptive to the suggestion that I or one of my colleagues write the thing and upstream it, which is not as good as paying a maintainer to do it, but at least it reduces the annoyance to maintainers asked to do something they have no intention of doing for free.

Re: Obligation to maintain?

What alternative do you propose? Because the alternative you'll get if you remove that is that you can forbid anyone from modifying your source, which doesn't do very much to improve it, and is not easy to enforce anyway because anyone who wants is going to modify it anyway and not tell you. When you propose your alternative, consider why open source (or free/libre software or whichever term you like the most) is better than proprietary, and consider whether it would still be with your new standard.

The problem, sir, is that we get a tremendous amount of data about potential customers of our products. Before you bought one, you showed interest in it, so you would have been a great person to advertise to*. But we don't get everything there is to know in real time. If we had access to everyone's purchasing records, we could advertise even more efficiently. We would like you to authorize this extra funding for access to a database of payment information** so we can prevent that little bit of waste. But know that, even though we do occasionally show advertisements to people who have already bought, this is all needed to focus on the ones who are most likely to buy.

* Probably advertising to someone who already likes the product isn't the most helpful advertisement as compared to people who don't know that they would like it, but they can say it.

** Not actually all of people's payment data, but they can always ask for more funding and access later. Once they get the funding, they have to buy the data so it shows up in the budget, but the rest of the funding, explained as needing to use that data, can go to bonuses. Improving advertising targeting can be left for later or never. Since they did pay for the data, companies that specialize in getting it come to the conclusion that there is a market for this data, so they collect more.