squar1sm's comments

squar1sm | 3 years ago | on: No-op statements syntactically valid only since Python X.Y

Asking people to run `pip install` on anything but `poetry` is an anti-pattern to me. Ruby has had bundler for over a decade and this is the pattern that is working for them as well as npm/yarn. Npm comes with node, Cargo comes with Rust so the debate is somewhat reduced.

Since quality of life tools and other soft things are hard to prove, I'll tell my anecdata story point. I sought out any package manager experience in python. I landed on Pipenv which uses pip. It failed to solve the tree. This led me to find poetry and the reason for existing which is exactly my experience. That was 2-3 years ago.

https://github.com/python-poetry/poetry#why

Combine this with asdf and it aligns with most other languages.

  asdf + yarn/npm = javascript
  asdf + poetry = python
  asdf + bundler = ruby
  asdf + cargo = rust
  asdf + mix = elixir
  asdf + shards = crystal
  asdf + go.mod (others) = go
  asdf + composer = php

In legacy (don't break anything) mode, there's still no reason to not switch. I export `requirements.txt` with poetry just for pip legacy reasons and it works great. If I just update some scripts, I could avoid it. It's running all the time in CI, it's exercised quite a bit.

What's wrong with just using pip and requirements.txt? There's no dev section. In addition, bumping deps is not the same. I have a blog post explaining semver updates to a python dev:

https://squarism.com/2021/09/10/sciencing-out-updates/

My strong assertion: Python and Go missed it from the start. That's why it is so confusing. There's no other choice in Rust but Cargo. Rust devs are never confused on how to add a package, semver it. The answer is always Cargo. It's in the tutorial. It's in the book. It's in the culture.

I think I've heard that pip might support the pyproject spec, poetry already does. If you want scripts like npm, you can have that too with "taskipy". You don't have to.

squar1sm | 5 years ago | on: Python overtakes Java to become the second-most popular programming language

Gobuffalo is close but it's been a while since I've looked at it. What you said has been my experience too.

Here I go about the batteries included vs micro thing. People pick Flask because it looks approachable but then DIY features in. The same thing happens with Sinatra+Rails. If the python ecosystem grows and other communities come in, maybe they will bring their culture and standards in.

Take poetry for python. It's basically, "hey ... cargo/yarn/mix/bundler all kind of figured out these ergonomics". Poetry's "why" section in the README really resonated with me. Cross pollination of ideas across tribes is _good_.

But then, I'm biased/blub-paradox of course. And it's definitely in line with the productivity/DSLs/rapid vs types/verbosity/slower modes discussion.

squar1sm | 6 years ago | on: "Google Stadia is not a product that exists because people want it"

Sun was ahead of its time in many ways. I used a Sunblade and never thought of it again until this article and its relation. Interesting.

I've thought a lot about zones and Docker. I remember booting a zone for the first time on Solaris (copies the kernel) and was amazed at how fast it booted. It had a lot of the same things (volumes that are mounted). I used to explain Docker as Solaris zones sometimes but no one knows what Solaris is.

squar1sm | 9 years ago | on: Scala Native v0.1

I wonder if Akka will be a part of scala native? It's sort of considered stdlib? When our team spiked on Akka, we liked it and got our near-reality proof of concept to work. It'd be awesome to have such a high level library like Akka compile to a binary.

squar1sm | 9 years ago | on: Porting Ruby to Crystal

I probably wasn't being clear about STDOUT on the ruby version. I just didn't do it in this particular project for the ruby version. I just tested that the flags didn't throw anything. I had tests on other production tools and yeah $stdout saving is nice.

Someone on reddit mentioned to me a CLI testing framework that perhaps does a more holistic job of testing STDOUT.

--> https://bitheap.org/cram/

It's written in python but it's not for python projects per se.

squar1sm | 9 years ago | on: Porting Ruby to Crystal

I think of Rake/Rails as dev tools that are executables. In the post, I mentioned passenger because that was using Rubygems as a distribution mechanism and then they stopped doing that. I don't know if it's a hard / fast rule or even who would enforce that rule ... I was just mentioning that maybe it's an anti-pattern?

squar1sm | 9 years ago | on: Looking for Work After 25 Years of Octave

I'd also just like to call positive attention to the bravery and openness Mike has shown by publishing his revenue/business numbers (which maybe some would hold as precious private information). He's been very open in hopes of inspiring and giving back. It's not just the code that he's open sourced but a path and pattern. This is pretty special in the best use of the word.

squar1sm | 9 years ago | on: Eve: Programming designed for humans

Anything that increases feedback and visualization is great. It's not about the storage of the code it's about the communication paths between the programmer and the computer and making that higher bandwidth and quick turn-around. I love what I see with saving the session (lisp state) and replaying it.

If not this, then this idea. Or this idea with more time and features. Impressive already.

squar1sm | 10 years ago | on: Visual Studio Code for Go

I don't think it does. I'm trying to find flags or anything to make it know what gb is. In the gopath, things just work. In a gb project it just says "no buildable files" because it doesn't know to do `gb build`. Tried some other projects like atocker but then they don't seem to play nice with docker-machine.

squar1sm | 10 years ago | on: Philips Hue blocks 3rd party lights

I've been using neopixels to great success in combination with particle.io chips. They have cloud events and you can send whatever data to them. I'm sending a payload like `{ "color":"blue" }` and then all listening LEDs change. Plus they are individually addressable and are reusable for other projects. It's not the same level of brightness I'm guessing.

Adafruit has a 24 neopixel ring with a particle slot. It's like $45 for everything for one. No hub.

squar1sm | 10 years ago | on: How I’d redesign piano sheet music

Just call it piano tab. It's fine for chords and pop songs. There's no way it's going to work for complicated music. I love the project though. It's a fantastic job, I hate to be negative. You did a ton of thinking on this.

For pop music, fake books are easier. That's how you play pop music.

squar1sm | 11 years ago | on: The sad state of sysadmin in the age of containers

About "ok". You're right. I probably used a loaded word without context. I too use whatever default package repo, followed by "extras" or whatever is available. You described a sane and nice process. I guess my point is, at some point we are assuming "many eyes" (the binaries might be built with the previously mentioned make;configure steps) unless you are auditing all sources which is unlikely. Especially unlikely on dev machines. Even after that it seems like there is an infinite continuum of paranoia.

I find it interesting that binary packages have existed for decades and yet `rpm etc` knowledge is rare. Why did curl sh become popular? Why doesn't every project have rpm|deb download links for every distro version? Why don't github projects have binary auto-builds hosted by github? I'd argue that it's too difficult. Binary packaging didn't succeed universally. For deployment, containers are (in the end) easier.

But the original article is conflating container concepts and user behavior (not wrongly). If docker hub does end up hosting malware-laden images, it would be interesting emergent behavior but it would be orthogonal to containers. Like toolbars. Toolbars probably aren't evil. A vector for evil maybe?

squar1sm | 11 years ago | on: The sad state of sysadmin in the age of containers

Good point. I guess you could still wget the script though. It's maybe like ./configure over http? I guess even if you could do it, it's probably not culture. A Dockerfile would probably just curl sh the thing and not wget it. So the default culture probably does depend on whatever.io being up.

squar1sm | 11 years ago | on: The sad state of sysadmin in the age of containers

Funny tumblr but makes me care-confused.

I understand that curl pipe sh could have security problems but I also don't see it as that much different than the "normal" and "ok" way of doing things. I would consider something like the below pretty normal.

  wget https://whatever.io/latest.tgz
  tar xzf latest.tgz
  cd whatever-stable
  ./configure && make
  sudo make install

Because of familiarity, we aren't going to be too worried about what we are doing. If we are on a secure system (like a bank or something) then we've probably already gone through a bunch of hoops (source check, research) and we mitigate it like anything else.

What is so different about

  curl https://whatever.io/installer.sh | sudo bash

We didn't check the md5s in the first example, so yolo, we don't care about the content of the tarball we just `make install`-ed. We're assuming the webserver isn't compromised and that https is protecting the transfer. Is it because the tarball hit the disk first? Does that give us a warm fuzzy? Is it because "anything could be in installer.sh!!!?! aaaaah!". Well, anything could be in Makefile too right? Anything could be in main.c or whatever.

I agree that curl sh | sudo bash makes my spidey sense tingle. But if I really cared, I would read the source and do all the normal stuff anyway. So I think it's some kind of weird familiarity phase we're all in.
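
The "did it hit the disk first?" question in the comment above, as an added example that is not part of the original comment: a file on disk can be compared to a pinned digest before any byte of it executes, including when the transfer was cut short. It uses SHA-256 rather than the md5s the comment mentions; the pin, the helper names and the local file standing in for the download are assumptions.

```shell
#!/bin/sh
# Added example: gate execution of a downloaded installer on a pinned digest.
# Assumption: the project publishes a SHA-256 out of band (the comment says md5s).

# Print the SHA-256 of a file, using whichever tool this system has.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed only when FILE exists and hashes to EXPECTED.
verify_pinned() {
    [ -f "$1" ] || return 2
    [ "$(digest_of "$1")" = "$2" ]
}

# Run FILE with sh only after the bytes on disk match the pin.
run_if_pinned() {
    if verify_pinned "$1" "$2"; then
        sh "$1"
    else
        echo "refusing to run $1: digest does not match pin" >&2
        return 1
    fi
}

# Constructed demo: a local file stands in for the download from whatever.io.
demo() {
    dir=$(mktemp -d)
    printf 'echo step-1\necho step-2\n' > "$dir/installer.sh"
    pin=$(digest_of "$dir/installer.sh")      # stands in for the published digest
    run_if_pinned "$dir/installer.sh" "$pin"  # intact file: runs both steps
    # Truncated transfer: only the first line arrived.
    head -n 1 "$dir/installer.sh" > "$dir/partial.sh"
    run_if_pinned "$dir/partial.sh" "$pin" || echo "partial download rejected"
    rm -rf "$dir"
}

demo
```

The check only shows that the bytes match the pin; whether the pinned installer is trustworthy is the separate question the comment raises about Makefile and main.c.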

squar1sm | 11 years ago | on: The sad state of sysadmin in the age of containers

I agree, I think accessibility made it popular. Security and ease of use are usually opposing forces.

The article has some interesting discussion points. I don't understand the absolute fear of | bash installers. It's open source, read the script. That's the argument people make for `./configure; make; make install` programs. I think it's because it's new, or it's too easy.

But the article does have a point about trusted containers. But security isn't a download or a product anyway. Security isn't even guaranteed.

squar1sm | 11 years ago | on: Java for Everything

Great list. I wish this list and ones like it had a name other than "modern java" to distinguish tools/projects/people/interest/books. Because it's hard to name something that's a synonym for "new". Eventually "more modern java" is needed. And then "most modern".