grobbie's comments

grobbie | 4 years ago | on: Ask HN: What could a modern database do that PostgreSQL and MySQL can't

CockroachDB is getting a lot of interest these days.

It has broad PGSQL language (and also wire I think) compatibility yet has a clustered peer architecture well suited to running in a dynamic environment like cloud or k8s. Nodes can join dynamically and it can survive them leaving dynamically as long as there's a quorum. Data is distributed across the nodes without an administrator needing to make any shard rebalance type interventions.

PGSQL is designed for deployment as a single server with replica servers for HA. It's not really designed for horizontal scalability like Cockroach. You can do it - the foreign data wrappers feature and table partitioning can give you poor man's scale out. Or you can use Citus which won itself a FOSS license earlier this year. And there are other FOSS and proprietary approaches too.

MySQL is similar - you can do it, like with their recent router feature, but it has been retrofitted, and it's not as fluid as Cockroach. IIRC MySQL router is similar in configuration to Galera - that is, a static config file containing a list of cluster members.

Listen, I'm sure that the design approach of Cockroach could be retrofitted to PGSQL and MySQL, but I'm pretty sure that doing a good job of it would be a lot of work.

So in answer to your question, I'm not sure that there's all that much RDBMS can't be made to do. Geospatial, Graph, Timeseries, GPU acceleration. Postgres has it all and often the new stuff comes to Postgres first.

By the way I love MySQL and PostgreSQL, and the amazing extensions for PGSQL make it extra awesome. Many are super mature and make pgsql perfect for many many diverse use cases.

For XXL use cases though, CockroachDB is taking a very interesting new path and I think it's worth watching.

grobbie | 4 years ago | on: Ask HN: What advice would you give about feeling stuck and helpless in a job

There's an adage that when there's a shakedown, and the tree is being rocked wildly by management, all the best folks quickly leave. Only the people who aren't good at their jobs cling to the tree.

If I was in your shoes I'd have already started looking for something else to do. It won't be the company you joined six months from now, you won't recognise it anymore. And whilst that isn't implicitly bad per se - who knows, the outcome might be that it becomes a better workplace with more opportunities and fairer staff appraisals - it will mean starting afresh whilst still carrying all of the politics and baggage that has come before. I would think it's better to start afresh without that.

But don't just blindly do what I or anyone else says you should do. It's good to seek external opinions, but in the end you should think it over and do what you feel is right for yourself. It's you that needs to live with your decision, not me.

grobbie | 4 years ago | on: What is the answer to “Who are you?” (Philosophically)

If the past is something you cannot have back, and the future is something that has not yet been given to you, then you are now - nothing more, and nothing less. You should, therefore, not allow the past to discolour your now any more than you should allow fear of what may come to influence your judgement, your thoughts, and your actions.

You are a being.

grobbie | 4 years ago | on: LXD VM Desktop Images

Could you elaborate, please? Personally I think snaps are great. The solution sandboxes the application with AppArmor and seccomp mandatory access policies, and the application's dependencies are bundled into cgroups namespace, meaning few to no cross dependency versioning conflicts and a consistent experience. Snaps run a read-only filesystem and updates are transactional, with full rollback to last good state support if necessary. Actually the snap strict confinement system architecture is so good, its influence appears to be slowly starting to permeate into unrelated solutions like Kubernetes, which adopted running under seccomp in r1.22. Sure, for graphical desktop apps, snapd is seeing some improvement effort ongoing, but for LXD, I think strictly confined snap adds a needed additional defense-in-depth layer that brings the entire Ubuntu solution up to a reasonable standard for a secure computing deployment following the zero trust paradigm.

grobbie | 4 years ago | on: Back Orifice (1998)

I can remember one called Code Red causing a bit of mayhem at work not that long after.

Interesting to read on Wikipedia that work on Sub7 resumed in June this year.

grobbie | 4 years ago | on: Ask HN: Is it legal to create a commercial emulator for proprietary hardware?

IANAL and my understanding is quite limited.

But I can direct you to Hercules which is an IBM Mainframe emulator. It is open source under an OSI approved license (not GPL but rather QPL). Their problem appears not so much that they emulate the s390 architecture (I think that the Oracle v Google Java API case set rather a conclusive precedent there, in the US at any rate, but perhaps I will be corrected), but that the license terms of IBM mostly prohibit running any of their operating systems on the emulated hardware.

Of course there are exceptions and workarounds (IBM System/360 is public domain software in the US, but MMV in other territories, and some customers have a disaster recovery contract clause that could perhaps justify their running stuff on Hercules). But my point is that this project might be a good place to start when investigating the legitimacy of commercial/proprietary emulators of others' hardware.

HTH and good luck.

http://www.hercules-390.org/hercfaq.html

grobbie | 4 years ago | on: Ask HN: What are your non-tech hobbies?

I would say mindfulness is perhaps the biggest empathy amplifier, but it is reading that has the biggest empathy growth impact for me.

Reading feeds my empathy by helping me to build and maintain a broad perspective; practising mindfulness helps me to apply it.

Many say that even reading pulp fiction can help to build empathy, so you probably need not read philosophers and economists if that's deterring to you; I can't personally testify to that though because fiction doesn't really hold my interest.

grobbie | 4 years ago | on: Ask HN: What are your non-tech hobbies?

Reading - lots of philosophy, sociology, economics, even some theology - anything that triggers my neurons

HIIT, 10ks, resistance training, Yoga

Mindfulness and meditation

Painting and drawing, visiting art galleries

Weekend travel

Playing musical instruments very badly

Similarly started feeling that I was overdosing on tech and becoming a bore with too little perspective and a lack of emotional empathy, so I made a big effort to balance out my life. But the struggle is real and ongoing : )

grobbie | 4 years ago | on: PGP Is Dead? (2018)

https://signal.org/docs/specifications/x3dh/

The Signal protocol, which is the one all the big service providers are licensing for the instant messaging encryption part of their service offering, is actually supposed to be designed for store and forward scenarios because messages can be sent when users are offline.

It is founded on Diffie-Hellman, a key exchange algorithm developed in the 1970s (the stuff in the article about PGP being developed "before we really knew anything about cryptography" seems bogus at best) that has very much managed to weather well.

I understood that elliptic curve Diffie-Hellman has been widely adopted primarily because it's just a compact way to represent the large numbers needed in order to make the key exchange process robust (I think the second coordinate of the curve can be represented with just a single bit, so more efficient than other approaches), but perhaps I am wrong or misguided on that.

Anyway, regardless - I don't trust the claims of perfect forward secrecy in services like WhatsApp and Signal for a moment - any more than I believe that Crypto AG sold devices that really worked. Perhaps the protocol implements PFS. But does WhatsApp really implement the protocol?

Besides, I recall reading that running the Unix command `strings` over the popular Signal messaging app revealed a static encryption key hardcoded into the application binary, which was used to encrypt all the attachments downloaded to the phone. Gaining access to the phone meant easily reading the messages (using Android accessibility features to "read them out loud") and with the hardcoded secret, easily decrypting the attachment storage too.

I've never read of a police force anywhere in the world actually shutting down citizen access to WhatsApp, at least not unless they're non-allies or otherwise considered hostile to the US. But I have heard of modified, PGP enabled BlackBerrys being seized by police forces all over the world because they really can't break them.

So my working method, fwiw: if I have something private to say that I do not wish to be snooped upon, I do send it over Signal or WhatsApp, but I say it with PGP, and then I delete it and ask the other party to do the same.

grobbie | 4 years ago | on: PGP Is Dead? (2018)

Just because it's quicker and easier to pop it in the microwave, doesn't mean that it's healthier than a home cooked meal.