> the real continuing inexcusable outrage is that Windows, even today, grants all applications full access to read the titles of all windows with no way to disable it.
IIUC, X11 had the same problem, but Wayland allows sandboxing to prevent this?
And MacOS has some degree of sandboxing? But many applications require "Accessibility" permission that similarly gives far too many privileges?
> But many applications require "Accessibility" permission that similarly gives far too many privileges?
I haven't run into too many applications requesting that permission, outside of desktop automation and window management tools (Hammerspoon, Magnet, etc) which need it to do their job.
Yeah, but any application with that privilege can log all keystrokes and upload them to a third party. Obviously this privilege needs to be far more fine-grained and have limitations, i.e. registering a hook on particular key combinations, rather than listening on all key events.
The accessibility permission isn't just for listening to key events. It's for looking at and manipulating content on screen, e.g. moving windows around, sending synthetic keyboard/mouse events, etc. Registering hooks on a specific key combination is a separate API which doesn't require elevated permissions.
How do you implement an app that displays all the keys you type on screen then no matter which Wayland compositor? (For when you're making video tutorials of an app)
What you are suggesting is overstepping 2 security boundaries for unprivileged apps/processes:
1. Reading global key presses
2. Drawing in an always-on-top window with transparent content
Both these things would require that process to get special user/compositor opt-in permissions and integration. Your best bet would be using compositor plugins/native integration, or maybe you could hook into some toolkits (this is usually what FPS overlays do, hook into the graphics APIs).
That is at least my current knowledge and there might already be some Wayland extensions/XDG-portal that allow it, but not to my knowledge.
> IIUC, X11 had the same problem, but Wayland allows sandboxing to prevent this?
Wayland to my knowledge is isolated by default, with non-isolation being opt-in by both compositor and application via FD shenanigans, but don't quote me on the specifics.
I know of Py-Red[1] which is an attempt to do the same but with Python. Using Node-RED as a frontend and something else as a backend, no I haven't heard of anything similar.
Main problems with visual flow based programming is the tooling: there aren't any good tools for doing visual comparison nor visual version control. Things like GitHub aren't able to render flow code as seen in the editor.
For Node-RED that means that the JSON that defines a flow can be compared but that soon becomes meaningless because semantic changes get mixed with visual changes, i.e., that the x,y coordinates of a node have changed - is meaningless for the logic of the code.
This means that code sharing and collaborative development is difficult purely visually but only because tooling is missing. Compared to textual programming before things like SourceForge or Git and we had the same issues as we do with visual coding now.
Node-RED has a bunch of features to make large programs maintainable. Things like link nodes that allow jumping between flows also allow code reuse. There are also subflows which encapsulate repeated code and can be referenced from anywhere.
That's also why I chose Node-RED for this because it seems to be the most mature and best maintained low-code visual flow-based programming tool. There are others such as n8n (which seems to be the other biggie) but they lack the generalness of Node-RED. I can create web sites with Node-RED while at the same time controlling my LEDs via Raspberry installation. Node-RED is extremely flexible.
For function block programming used in control systems in PLCs there are tools like copia.io that are basically GitHub for version control and can do visual diff of the diagrams
Speaking of controlling LEDs, there's also https://www.atomvm.net/doc/main/index.html. From a very quick scan it looks like it would need some fiddling (especially around the filesystem) to get it to work, but being able to scale down to smaller devices than a full pi would be very, very interesting.
> With AtomVM, you can write your IoT applications in a functional programming language, using a modern actor-based concurrency model, making them vastly easier to write and understand!
> It also supports WiFi networking on devices that support it, such as the Espressif ESP32. All of this on a device that can cost as little as $2!
If ErlangRED made it to a $2 chip, I'd be very happy!
How stable are node and edge IDs and their ordering? Could you sort the JSON before saving so the output is more stable and diff-able?
Another thought is, how would you code up a flow like this in your preferred language if you were just writing code in that language (you didn't care about the visual editing). Call most of the same functions, but do it directly. Ok, think about that, then write a transformation from the NODE language to output source in your preferred language.
I have some sense that coding this type of control flow logic doesn't work well with text line based diffs because of the complexity of the problem, less the syntax.
> Could you sort the JSON before saving so the output is more stable and diff-able?
JSONs are definitely diff-able but it's the difference between a change that changes the logic of the flow or a change that is purely visual and has no effect on the logic of the flow that is hard to distinguish by just diffing the JSONs.
Remember the JSON contains location of nodes and labels of nodes as well as logic of nodes - if a label of a node changes it doesn't affect the flow logic or how it works.
So if the value of an 'x' changed, that means the node moved along the x-axis. Did the value of 'func' (function value for a function node) change, then that is a logical change. Now what change is important if you are only looking at the JSON. So you need to remember that 'x' and 'y' are visual, 'func', 'tmpl', 'rules' are logical. And what is important for each node isn't the same across all possible nodes ...
> this type of control flow logic doesn't work well with text line
Exactly, that's why places like GitHub would need a lot of work to support visual coding in a proper way. Diffs would have to become more like image comparisons than line-by-line diffs.
And that is partly why visual coding has taken off - the tooling isn't available.
I wonder what would happen if they structured the JSON so that control-relevant information was just saved in a different place than visual/label-relevant information? EG, separate form from function and thus more easily determine which has any changes in a diff?
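The split discussed in this subthread, between keys that only move or relabel a node and keys that change what the flow does, as an added example (not Node-RED's code and not from any commenter). The set of visual keys and the sample flows are assumptions constructed for illustration; as noted above, the right set differs per node type.

```python
import copy
import hashlib
import json

# Assumption for this example: these keys only affect how a node is drawn.
# The thread names 'x', 'y' and labels; 'w', 'h' and 'l' are added here.
VISUAL_KEYS = {"x", "y", "w", "h", "l", "name", "label"}


def split_node(node):
    """Split one node into (logical, visual) dicts; 'id' is the join key."""
    logical = {k: v for k, v in node.items() if k not in VISUAL_KEYS and k != "id"}
    visual = {k: v for k, v in node.items() if k in VISUAL_KEYS}
    return logical, visual


def changed_keys(a, b):
    """Keys whose value differs, or that exist on only one side."""
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))


def diff_flows(old_json, new_json):
    """Classify per-node changes between two flow exports."""
    old = {n["id"]: n for n in json.loads(old_json)}
    new = {n["id"]: n for n in json.loads(new_json)}
    report = {"added": sorted(new.keys() - old.keys()),
              "removed": sorted(old.keys() - new.keys()),
              "logical": {}, "visual": {}}
    for nid in sorted(old.keys() & new.keys()):
        old_l, old_v = split_node(old[nid])
        new_l, new_v = split_node(new[nid])
        if changed_keys(old_l, new_l):
            report["logical"][nid] = changed_keys(old_l, new_l)
        if changed_keys(old_v, new_v):
            report["visual"][nid] = changed_keys(old_v, new_v)
    return report


def logic_fingerprint(flow_json):
    """Hash of the logical part only: stable across moves and renames."""
    nodes = {n["id"]: split_node(n)[0] for n in json.loads(flow_json)}
    canonical = json.dumps(nodes, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def sample_flows():
    """Constructed sample: a base flow, a layout-only edit, a logic edit."""
    base = [
        {"id": "i1", "type": "inject", "z": "tab1", "name": "tick",
         "x": 100, "y": 80, "wires": [["f1"]]},
        {"id": "f1", "type": "function", "z": "tab1", "name": "scale",
         "func": "msg.payload *= 2;\nreturn msg;",
         "x": 300, "y": 80, "wires": [["d1"]]},
        {"id": "d1", "type": "debug", "z": "tab1", "name": "out",
         "x": 500, "y": 80, "wires": []},
    ]
    moved = copy.deepcopy(base)
    moved[1].update(x=320, y=140)          # node dragged in the editor
    moved[2]["name"] = "result"            # label changed
    edited = copy.deepcopy(moved)
    edited[1]["func"] = "msg.payload *= 3;\nreturn msg;"
    edited[1]["wires"] = [["d1", "d2"]]    # new connection
    edited.append({"id": "d2", "type": "debug", "z": "tab1", "name": "copy",
                   "x": 500, "y": 160, "wires": []})
    return tuple(json.dumps(f) for f in (base, moved, edited))


if __name__ == "__main__":
    base, moved, edited = sample_flows()
    print(json.dumps(diff_flows(base, moved), indent=2))
    print(json.dumps(diff_flows(moved, edited), indent=2))
    print(logic_fingerprint(base) == logic_fingerprint(moved))
```

Comparing `logic_fingerprint` values before and after a commit gives a yes/no answer to whether the behaviour of a flow changed, independent of how noisy the line diff is.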
There really isn't a good way to compare visual code textually. It is similar to attempting to compare 3D scenes in 2D - textual code and visual code are a dimension apart in their representation.
I created a visual comparison that combines both visual and semantic textual changes for NodeRED[1]. For me that is the only solution: visually comparing visual code.
One star and it gave me the inspiration to create this ;)
The people who use Node-RED aren't the same that can develop those kinds of solutions. Those that can port Node-RED to Python don't need to use a low-code visual environment.
It isn't like Emacs users: Emacs users can also extend Emacs and probably even fix a bug in the lisp code of Emacs. Node-RED users use Node-RED because they don't want to program nor learn to program nor understand how Node-RED works.
Hence my attempt to take the whole concept and bring to a collection of developers who might appreciate visual FBP but who could also code extensions to the editor.
My goal is to bring visual FBP to a broader audience, be that developers or non-developers, be that Erlang coders or NodeJS coders, no matter - the ideas of FBP are important to understand, especially in our data-driven digital world.
and the biggest problem is that a strong bound is screen/display size --- any code chunk which won't fit on a single screen becomes hard to follow (which direction does one scroll next?) and if one does the obvious of declaring modules, then one runs into the wall of text which one was presumably trying to escape from --- just each word is wrapped up in pretty boxes and decorated with lines.
My take on this has always been that we don't have an answer for the question:
>What does an algorithm look like?
That said, I work in this style when I can, often using:
This is related to visual programming, not flow based programming.
I modified a Python hosted lisp interpreter to read JSON flavored lisp - JLISP. It's much easier to get a web frontend to output JSON than lisp. Then I made a simple Low Code UI built around this language. The editor has operations (invocations of lisp functions) organized left to right like a timeline in CAD software, then you can click on an individual operation to edit the arguments.
Unreal Blueprint is probably the most popular. It's a custom system over a fairly customized C++ framework.
Visual scripting can be highly productive. The major issue is these visual scripts usually do not map cleanly back to text so you're throwing away decades of tooling. They usually don't merge well either.
Isn't it trivial for online poker providers to cheat, i.e. manipulate the cards you receive, and have a fake bot player at the table that can be made to win, etc. ?
That only catches a subset of ways online poker rooms can cheat.
The server knows what cards everyone is holding. Even if the cards were randomly assigned and weren't changed after the fact, users have no logs of the order of cards remaining in the deck. It's pretty trivial to have software that selects community cards that usually lead to a larger pot.
Wouldn't that show up in a statistical analysis of the community cards? How is your algorithm modifying the community cards advantageously but preserving randomness such that over a large sample size every card shows up at the same frequency? Although it wouldn't be exactly the same, presumably some cards that are less often bet preflop, like a 2, would show up at a slightly higher frequency in the community cards, but still.
The much simpler way to cheat is to just give some players more information. Or, run bots that take up guaranteed payout seats in tournaments and such, which I've heard rumors of happening on certain sites. Or both.
Fake players or predefining winners would work as well.
My point was simply that an online casino could seem completely legit even if you can compile audit logs of every player's hands at the table. Controlling the community cards is completely undetectable and more than enough to push larger pots, and therefore larger rakes.
As far as I'm aware, you would have to know the full list of cards in the shuffled deck before the hand was played to know they didn't change the community cards.
That's not exactly true. It's a non-trivial but not exactly difficult task to design a fair shuffling cryptographic protocol that every participant can validate after the fact.
On the other hand, that still doesn't prevent cheating in the form of the server providing information to some participants via a different channel. There's nothing cryptography can say about out-of-band communications.
So maybe fair shuffling is cute but ultimately pointless.
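One simple commit-and-reveal scheme of the kind the comment above alludes to, as an added example (not from the thread and not any poker site's protocol): the server publishes a hash of its seed before the hand, the deck is derived from that seed plus seeds the players supply afterwards, and anyone can recompute the deck once the seed is revealed. The seed values and function names are constructed for illustration, and it checks only that the deal was fixed before play, not who else saw the deck.

```python
import hashlib
import hmac

RANKS = "23456789TJQKA"
SUITS = "cdhs"
DECK = [r + s for r in RANKS for s in SUITS]  # 52 cards in canonical order


def commit(server_seed: bytes) -> str:
    """Commitment the server publishes before any player seed is known."""
    return hashlib.sha256(server_seed).hexdigest()


def keystream(key: bytes, msg: bytes):
    """Deterministic stream of 32-bit integers from HMAC-SHA256 in counter mode."""
    counter = 0
    while True:
        block = hmac.new(key, msg + counter.to_bytes(8, "big"),
                         hashlib.sha256).digest()
        for i in range(0, len(block), 4):
            yield int.from_bytes(block[i:i + 4], "big")
        counter += 1


def below(stream, n: int) -> int:
    """Unbiased integer in [0, n) using rejection sampling (no modulo bias)."""
    limit = (1 << 32) - ((1 << 32) % n)
    for value in stream:
        if value < limit:
            return value % n


def shuffled_deck(server_seed: bytes, player_seeds: list) -> list:
    """Fisher-Yates shuffle driven by the server seed and all player seeds."""
    # Length-prefix each seed so different seed lists cannot collide.
    msg = b"".join(len(s).to_bytes(2, "big") + s for s in player_seeds)
    stream = keystream(server_seed, msg)
    deck = list(DECK)
    for i in range(len(deck) - 1, 0, -1):
        j = below(stream, i + 1)
        deck[i], deck[j] = deck[j], deck[i]
    return deck


def verify_hand(commitment: str, revealed_seed: bytes,
                player_seeds: list, dealt: dict) -> list:
    """Return a list of discrepancies; empty means the deal matches.

    dealt maps deck position -> card that players actually saw.
    """
    if not hmac.compare_digest(commit(revealed_seed), commitment):
        return ["revealed seed does not match the pre-hand commitment"]
    deck = shuffled_deck(revealed_seed, player_seeds)
    return [f"position {pos}: saw {card}, committed deck has {deck[pos]}"
            for pos, card in sorted(dealt.items()) if deck[pos] != card]


if __name__ == "__main__":
    # Constructed values; a real server seed would be 32 random bytes.
    server_seed = bytes(range(32))
    published = commit(server_seed)
    players = [b"alice-seed-1", b"bob-seed-7"]
    deck = shuffled_deck(server_seed, players)
    seen = {pos: deck[pos] for pos in range(9)}   # 2x2 hole cards + 5 board
    print(verify_hand(published, server_seed, players, seen))   # []
    seen[8] = deck[30]                            # board card swapped after the fact
    print(verify_hand(published, server_seed, players, seen))
```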
My point wasn't that a fair, auditable system couldn't be built. Only that we don't have that today, and I'd add that online casinos are incentivized to not build that.
I think you can make an analogy with Casinos and their incentives to cheat. They could do all sorts of things and there are plenty of gambling scams that do those things, but most legit looking Casinos are already making money hand over fist, have published odds in their favour and against yours, can kick out anyone who seems to be doing well, have all sorts of non-cheat tricks to squeeze money out of you, and are risking serious reputation and legal damage if found out.
Doubtless there are scummy poker games, but for most of them the money comes plenty easy, and the existential risk of faking cards to increase pot sizes just isn't worth the marginal benefit.
Of course everyone, winners, losers, and impartial bystanders will see these patterns in completely random deals so every site will be accused eventually.
I'm late to this, but we can do without this kind of comment on Hacker News, as it falls under the guidelines about generic tangents and tangential annoyances. It led to a hostile exchange down-thread, which is exactly the kind of thing we're trying to avoid here, but is what happens when people take threads away from the main topic.
Given we're a technology-focused site, Hacker News readers can be reasonably assumed to be technically proficient, and aware of the importance of taking normal security measures.
You sure wouldn't want them spying on you, stealing your data, chewing up your resources for shady profit schemes, or making your machine unbootable. Better to leave that to the experts at Microsoft and FAANG since all those features come preinstalled nowadays.
Snark aside, given the context, this really seems like a baseless attack on independent open source developers, who represent a significant portion of this site's subject matter and target audience. Genuine question: why do you feel that this warning is appropriate here but not the dozens of other solo github projects that make it to the HN front page every week?
There's a bit of gatekeeping from multiple participants in this subthread, but I think it was fair enough of raydiak to push back on a bit of alarmism in the root comment.
Regardless, your comments were needlessly hostile and not in keeping with the style of discussion the guidelines ask of us.
Review the guidelines; this type of slander is well afoul of them. Go ahead and get the last word in if that's important to you, as I won't be wasting any more of my time on this thread or your destructive attitude. Comparing different opinions is acceptable but mean-spirited emotionally driven personal jabs are not.
I'm not convinced that it would make a difference, in terms of protecting against genocide or state-sanctioned discrimination, because such metrics can be derived from a thousand other touch points, including search history, social media history/behavior, social network, and so on.
It does however harm the ability for well-meaning organizations to function.
Given current rhetoric of the current administration, the well-meaning organizations will be destroyed or severely limited. All the while their data will be used to harm people with autism.
The problem with the JVM, compared to Go, is the GC; it requires a lot of reserved memory. Go programs use far less.
And the SDK is bulky, which can be a problem for container images - although arguably it should be considered irrelevant, as you only download base images once, if done correctly.
You're not supposed to use the runtime directly these days. jlink allows you to strip unnecessary things (like documentation for the runtime itself), extract only those parts of the runtime you need (though your project must use modules to support that), and then aggressively compress it all getting a pretty small package that runs on an empty OS with no dependencies other than libc. It's still a bunch of files, so for good user experience you would have to ship it as a container (or something like .exe or appimage), but it's really close to Go in terms of size.
It's a configurable property, and Java has a bunch of GCs to begin with.
Also, not using as much memory in these types of GCs is a direct hit to performance. And this actually shows splendidly on GC-heavy applications/benchmarks.
We were paying a million a month for a custom high performance GC for a little bit but we were able to get off that with a lot of development effort and get our five 9's latency under control.
I tried and gave up on getting Keycloak to use less memory. 500-1500 MB for a server with less than 10 concurrent users is ridiculous. And that's even using an external database.
Much less of a problem in .NET (its GC tuning sits somewhere in between the two, especially when SRV GC + DATAS is in use, like in container scenarios, where Go is funnily unaware of limits set by cgroups and needs an external package to fix it). It does pre-allocate more memory than Go per se but in return yields much, much higher allocation throughput out of box. Java allows for even higher allocation throughput, having multiple more sophisticated GC implementations but as you said is not very good at reducing sustained RSS used by an application.
The over engineering creeps in anywhere there is collaboration. It’s not a Java thing, it’s a corporate thing. The new teammate who refactors the perfectly working sql pipeline; the teammate who makes story points a required field on your trouble ticket system, the teammate who just saw a conference talk on rust and wants to apply it etc. Most engineers are not zen masters seeking out simplicity; they are lost with poor grasp of desired business outcomes so they procrastinate by adding complexity and indirection and focusing on tech as if it were the destination not the journey.
> lost with a poor grasp of desired business outcomes so they procrastinate by adding complexity
I have come to see this as a mix of business people and developers not doing their jobs to protect their paycheck. Business people, if they want to succeed, need to be converging on a strategy that makes money. Developers need to have a strategy for removing technical barriers to realizing that strategy. The lack of a business strategy often makes an overly general technical platform look attractive.
> focusing on the tech as if it were the destination
So common. Complexity should be considered the enemy, not an old friend.
True, but there's also the bored engineers who just can't force themselves to write enterprise code unless they make it fun for themselves. I'm absolutely convinced this is why Clojure even exists and is so widely used in fintech.
The extreme focus on multiple layers of patterns, where actually a simple function would have sufficed IS a Java ecosystem and culture thing. Just way too many people doing Java, who have never learned another language or ecosystem, let alone paradigm, thinking "I learned Java, Java can do everything, I don't need to learn anything else!" and now feeling they need to solve every problem by applying design patterns mindlessly.
Well, not by talking about AbstractFactoryProxy, that much is for sure. Rather by talking about which parts of the system are modular and what kind of flexibility the system allows for, what capabilities it has. Nowhere in that picture does a low level implementation detail like an AbstractBlaBlubFooBar enter the conversation.
There is more to computer programming than the OOP clutter.
A simpler explanation is that Americans have succumbed to consumerism to such an extent that the absence of it feels enlightened.
Of course the reality is just that the US has become the axis of evil, and perhaps always was, it just had the best PR.
I think you're doing yourself a disservice by belittling Asian cultures and what insights they may have, that are apparently incomprehensible as more than a trope to Americans.
> Of course the reality is just that the US has become the axis of evil, and perhaps always was, it just had the best PR.
Sigh.
Yes, the Soviet Union really was the worker's paradise with free, prosperous, happy people!
Can we get away from the sophomoric idea the USA was ALWAYS the ONLY source of badness in the world, just because right now it's the most powerful nation in the world and also a complete mess?
I suspect that the communist project has lived under constant fear of the US, that the economy ultimately was bankrupted from having to defend itself against the US war machine.
The US has waged war in virtually every country around the world, for example Afghanistan, Vietnam, and Korea, which were significant threats to both Soviet and China. China has virtually been besieged since the 1950s, with Americans present in Thailand, Philippines, Japan, Taiwan, and South Korea.
How would you feel if the Soviet installed weapons systems in Canada, Hawaii, Mexico, Greenland, and Cuba? And then started a tariff war to hopefully bankrupt your economy?
Wasn't communism influenced heavily by being anti-capitalist? They fundamentally disagreed with the tenets that the United States stood on. Your comment, if I'm understanding it correctly, makes it look like the communists were just trying to do their own thing in their own countries and the big bad U.S. came in and bullied them out of existence.
I'm not defending either side here. I'm not a Reaganot. But to think most communist regimes were not hellbent on the destruction of western capitalism would seem a bit misleading to me.
That is fair; I think the reality is nuanced and that different opinions existed at the same time and were warring internally in the Soviet Union.
In particular, IIUC, Trotsky thought that "a socialist revolution must spread internationally to succeed and cannot be confined to one nation" (OpenAI) - but he was also assassinated by Stalin's order, and the assassin was honored by Brezhnev. Stalin was assassinated as well.
It's a great tragedy if they felt threatened by capitalism, and capitalism by communism, in a self-perpetuating way that could have been avoided.
But I would argue that capitalism has its roots in aristocracy, imperialism, and private ownership (i.e. slavery, colonialism, and systemic exploitation), to an extent that it is fair to say that capitalism cannot co-exist with communist ideals.
But yes, European countries were heavily influenced by communist ideology, which continues to shape our values today, about well-regulated free markets, fair taxation, public service, and so on, which directly threatened capitalist interests, and arguably that's why we're seeing a rise in fascism, in an attempt to remove these communist ideals.
To be clear, I am confused on this matter, but I do think that the Europeans have been foolish to follow US doctrine for the last 50 years (since Reagan/Thatcher), and especially the last 10-20 years have been devastating on virtually every sector of the economy.
> But yes, European countries were heavily influenced by communist ideology, which continues to shape our values today, about well-regulated free markets, fair taxation, public service, and so on
So this is the first time I've seen well-regulated free markets and fair taxation as being associated with communist ideology. Granted, I'm not well-studied here, but I recall being taught quite the opposite.
I did some preliminary research using Gemini Research to see if I could surface anything that might suggest this has been universally regarded as true and it came back with the opposite on the first (well-regulated free markets) and ambiguity on the second (not universally associated with communism).
Would you be able to reference a place where I can learn more about these relationships?
I don't remember the original argument anymore. Something about communism being justification for US warmongering.
Personally I think 19th century communism was context-specific to the 19th century; we now have AI, and central planning could be done with the same computational efficiency as the stock market.
For me, communism is more about fundamental beliefs. Like "Do you believe in Jesus Christ as your savior?", the fundamental question is: do you believe that the state should serve all mankind, and that private ownership should never extend over more than what an individual can reasonably consume? Which then necessitates public service infrastructure and market places.
I think "social democrats" have more thoughts on practical applications. "Communism" is more about fundamental beliefs, i.e. the right to nationalize and collectivize private ownership.
For example, it is increasingly clear that Microsoft, Amazon, etc. are becoming tyrants. They should have been broken up into smaller companies years ago.
Imagine if Windows, Office, Xbox, Azure, etc. were each produced by fully independent companies?
And if those companies were fundamentally obligated to serve the public market.
America is the best because citizens can do basically whatever they want all the time. The latest complaints are people took it too far (rampant drug use, camping on sidewalks, and shitting everywhere in San Francisco, etc.).
But if you want to buy a rural cabin on a beautiful mountain, it’s available, and cheap. You don’t need to go to Asia to live like a hermit.
Obviously America refers to the continent, so I'll use the shorthand country name "the US" instead.
> is the best
That may be true, but I do wonder if it was a lucky accident. What if the Irish famine hadn't happened? What if WW2 had been averted (but maybe the EU wouldn't exist...).
> rural cabin
That's nice, but what value is it if the forest burns down, the lake is polluted, the wildlife is dead, and there's nothing left but neighboring land full of fracking wells? Glory to god.
Consider New England, where in its early days most inhabitants consisted of farming families. Where there were farms and cow pastures, there is now mostly forest.
There are a few farms remaining in New England, yes, but in general farmers consider the soil there not worth farming compared to places like Iowa and Southern Illinois (where all the land really is utilized for farming) even though in the past most of the (sizeable) population of New England made a living farming.
We know that most of the forest in New England is suitable for farming because there are still stone walls running through it: these walls were made of stones encountered by farmers while plowing (when the forest was farmland).
Ehh US farmland usage has been dropping for many decades. That said, it is only because we are more than ever reliant upon fossil fuel derived fertilizer and over utilize a lot of arid/desert farming
I agree about data diodes, but how do you handle data egress? One solution is to have strict data checks on egress, but leaks are still possible.
Data diodes also still suffer from the ability to inject malware that can execute DOS attacks.
I agree about capability-based security, but strictly speaking, the capabilities of current OS are just primitive, i.e. checking file permissions. What capability checks do you mean?
My understanding is that the biggest threat is not capability checking, but capability escalation, i.e. bypassing checks, and hardware hacking, e.g. spectre/meltdown-type attacks that can read arbitrary memory.
There is a step up from diodes called [inspecting] data guards and an adjacent technology called content disarm and reconstruct (CDR) that doesn't rely on signatures or heuristics - it just assumes every document is malicious.
Combining these 3 technologies with certain policies, e.g. 2 man rule, the hw/sw itself developed on airgap you can make it practically impossible to attack, even for nation state adversaries.
Edit to point out that these all work in 2-way configurations as well.