Hacker News: muzzio's comments

Reviewing your own PR is underrated. I do this with most of my meaningful PRs, where I usually give a summary of what/why I'm doing things in the description field, and then reread my code and call out anything I'm unsure of, or explain why something is weird, or alternatives I considered, or anything that I would catch reviewing someone else's PR.

It makes it doubly annoying, though, whenever I go digging in `git blame` to find a commit with a terrible title, no description and an "LGTM" approval.


Does Matrix have the equivalent of voice chat rooms that Discord has? I find as a user of Discord that being able to see who's just hanging out is the killer feature there. (As are things like game streaming and bots, ofc)



I saw this and got excited but no, this isn't discord voice channels. This is an integrated jitsi meet call. It looks like some sort of prototype has been merged to develop though:

https://github.com/vector-im/element-web/pull/21476


What do you mean it's not discord voice channels? Looking at the screenshot[0] their Jitsi Meet integration is identical, because discord voice channels are essentially voice conference calls.

[0] https://user-images.githubusercontent.com/48614497/159062202...


There's still a "join" page every time before you can actually enter a room. And the participants in the room aren't shown as nicely when you're not in it.

Both are very important for replicating Discord's low friction. Opening a full window when it's just a voice channel anyway is also distracting and increases friction.


$5/user/month = no way in hell I can get all my friends on board to use it. Impossible to get network effects going like that, as much as I wanted to try it.

It looks like it's a b2b app anyway


It's $0/user/infinity if you host your own Matrix server[0]. You don't have that option with Discord. Your data will remain with discord servers.

Element is hardly b2b lol.

---

[0]: https://matrix.org/

A good starting point if you're tech literate is this:

https://github.com/spantaleev/matrix-docker-ansible-deploy


Going to keep this short since there's so many responses:

That feeling for me came about super prominently when I was trying to ignore other parts of my life that I didn't want to deal with and using work to cope. Not having something to strive for in your work life makes it harder to ignore the other stuff.

So my advice is to really dig in and listen to the parts of yourself you're most scared to unbox. I don't want to get more specific than that, if that's what your problem is, you'll likely have some idea of what I'm referring to. <3


I'd say in terms of relevancy, either facebook or netflix:

- Netflix already feels like an outlier in that list because they're not as technically focused as any of the other ones listed. They feel more like a media company these days, not a tech company, and as time goes on there's less and less differentiating them from any other media company/streaming service.

- If Metaverse doesn't pan out for them, I don't see either FB or Insta having a revival in popularity in the coming years. The only family I have still under 20 have deleted or abandoned FB, and I don't see the younger generation bothering with the "keep up with family" social network, and Insta keeps getting its lunch eaten with all its competitors. It feels like Insta is going to get a competitor at some point that will take its main offering (photographic status updates, basically) and then it'll suffer the same fate of irrelevancy.


I agree that especially in pandemic times this is hugely beneficial, although I'd recommend doing it in the opposite order: quick 1 minute updates followed by casual off-topic chatter for the rest of the meeting. I've found that folks are much more relaxed after giving standup updates :)


I moved to Bitwarden from Lastpass also, and I'm definitely happy for the most part.

The chrome extension leaves a tiny bit to be desired, but definitely still usable:

* Not as good about determining correct sign-in URL and lots of times will send me through the auth redirect from registration

* Launching sites without mouse isn't possible (shortcut exists to open extension but can't select site to launch it using arrow keys, for instance)

* Button locations aren't consistent between search view and opening it on a site you have a password on

Definitely still the best for me though. It's frustrating, though, that I don't feel like the paid plans really give me anything useful, so I'd be paying basically just to support the product (which I'm happy to do!). It's a weird spot for sure, I feel like table-stakes for a free password product is infinite devices + usable browser extension + phone apps + password generation. But figuring out what to add on top of that is always either directed at businesses or families, or things I don't care about like 2FA or an authenticator. I want to support you, damnit!


One other thing I do not like about BW (but not enough to switch) is that when you click out of the bitwarden window, it disappears and loses your place so you have to navigate to the secret again. Kind of annoying if you are on a website that resists autofill or want to copy something from custom fields.


Tip: Pop-out the extension as a window. Even if you close it, your browser’s Ctrl+Shift+N is going to restore that window with the same secret/state, even if the vault locks.


I don’t have issues with the URL, there’s lots of options for how the matching works. I found it to be superior to 1Password (tho I haven’t used that in a few years so I donno if they improved it)


The paid plan supports OTP tokens and allows big files, so you can embed stuff like a Google Cloud JSON token file. The free plan has a 1000-character limit (per field) if I remember correctly.

Bitwarden runs so much faster than 1Password despite being a browser extension.

The CLI is great too. I pretty much use it like a cheap version of Vault to feed secrets into K8S.
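An added example of the "cheap Vault" pattern the comment above describes, written for this page and not the commenter's own script: pull a password out of the vault with the bw CLI and turn it into a Kubernetes Secret. It assumes bw and kubectl are on PATH, that the vault holds an item named prod-db, and that BW_SESSION carries the session key printed by `bw unlock --raw`; the item and Secret names are made up for illustration.

```shell
#!/bin/sh
# Added example (not the commenter's script): Bitwarden item -> Kubernetes Secret.
# Assumptions: bw and kubectl on PATH, a vault item named "prod-db", and
# BW_SESSION exported from `bw unlock --raw`.
set -eu

# Render a Secret manifest on stdout.  The API expects values under data: to be
# base64-encoded; tr strips the line wrapping some base64 implementations add.
render_secret_manifest() {
  name=$1 key=$2 value=$3
  encoded=$(printf '%s' "$value" | base64 | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
    "$name" "$key" "$encoded"
}

# Fetch the item's password and apply the Secret.  The password travels through a
# shell variable and a pipe, never a command-line argument, so it is not visible in ps.
sync_secret_from_bitwarden() {
  item=$1 name=$2 key=$3
  if [ -z "${BW_SESSION:-}" ]; then
    echo 'BW_SESSION is unset; run: export BW_SESSION=$(bw unlock --raw)' >&2
    return 1
  fi
  bw sync >/dev/null                      # pick up vault changes made elsewhere
  value=$(bw get password "$item")        # accepts an item name or id
  render_secret_manifest "$name" "$key" "$value" | kubectl apply -f -
}

# Usage (assumed item and secret names):
#   sync_secret_from_bitwarden prod-db prod-db-credentials password
```

The session key is the thing to protect here: anyone who can read BW_SESSION from the environment of that shell can read the whole unlocked vault, so run this from a short-lived shell or CI step and `bw lock` afterwards rather than leaving the session exported in a long-running terminal.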


I use Chrome shortcuts. In extensions, look at the option to assign keyboard shortcuts. I have set it to the Alt+D combination. The 2FA codes are copied in the background, and when the screen comes up, Ctrl+V does the magic. Simple.


https://weather.com is also not working for me


As an alternate, try weather.gov

[1] - https://www.weather.gov/


Longer form than EFaP, but Lindsay Ellis has some great film/TV analysis videos. She's usually more focused on writing than anything else, though. Here's a postmortem she did on the Hobbit films, which was recently nominated for a Hugo award:

https://www.youtube.com/watch?v=uTRUQ-RKfUs

Other solid works by her include a postmortem on the last season of Game of Thrones and an analysis of themes in Michael Bay's Transformers. (I know that last one sounds weird, but it's really well done.)


Ellis' hobbit videos are absolutely wonderful. I love the unexpected direction she takes the videos when she [spoiler] visits New Zealand and talks to people involved in the films.


Zoom responded to this point [1]:

> This is a workaround to a change introduced in Safari 12 that requires a user to confirm that they want to start the Zoom client prior to joining every meeting. The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings. We are not alone among video conferencing providers in implementing this solution.

Presumably they're both doing the janky web server solution for the same reason. Either way, I'm not sold; that browser behavior exists for a reason.

[1]: https://blog.zoom.us/wordpress/2019/07/08/response-to-video-...


Wow that is really damning, trashing user security in trade to remove a single click that makes it clear as to what is happening.

This totally breaks Apple's Developer Terms right?


> Wow that is really damning, trashing user security in trade to remove a single click

As someone who has had to develop and maintain a similar web-to-desktop bridge, I can tell you that this one issue was responsible for around 90% of my company's total support requests, despite only being a small feature in an optional add-on in one of our main products.

For businesses just trying to keep their customers happy, this particular one click is a very real problem.

I can absolutely sympathize with people trying to come up with workarounds.


Did your company try to write an FAQ page on how to accept the double-confirm dialogs in all major browsers (with screenshots) to maybe reduce your "90% of support tickets"? Does your ticketing software redirect you to (or display) an FAQ page that matches the ticket title?

I've come to understand how features like these get built, but I've also come to understand that people that use software are a lot more resilient and savvy than we think.

If 90% of your support tickets are about getting through a standard double-confirm, patio11 would probably recommend increasing your pricing to limit your paying customers to a pool that probably won't have much more trouble with that.


Ahhh, sweet naivety.

The people who end up calling support often aren't the ones paying the bill, for starters. That's definitely the case for Bluejeans and Zoom.

It also doesn't matter if you make a great FAQ page. The majority of dissatisfied people will never see it. Mainly because they won't call support but instead complain and grumble locally; the second biggest portion because once sent towards the FAQ by support... they won't follow it.

Only the tiny sliver of most dedicated will follow up long enough to reach the FAQ.


That is interesting. What were the support requests, how to remove the confirm step, or what to do if you denied it but didn’t mean to? Or something else?


Most desktop-browsers have in the name of security made it exceptionally hard to accidentally launch external programs through this mechanism.

We're talking "a software engineering PhD can't complete it without hand-holding" hard (true story!).

So normal users definitely don’t understand nor manage to navigate the dialogs presented by the browser to produce a “successful” outcome.

In the past we used this mechanism to "automatically" provide configuration data to a desktop component, so that it could call back to our application. And our users just didn't manage to configure it.

In the name of security, browsers made one path so hard to use, without considering what people would then develop instead.

And here we are now. Oops!


I have to call BS on this. Are you claiming that users can't complete a single prompt of "[Your browser] needs to open an external application to follow this link. (Decline) (Launch Application)"? That seems really unlikely. I've done enough user testing to, at least anecdotally, say with some certainty that this is not true.


It’s a two-dialog process (allow website to use external protocol & what external program should be used for this protocol), with intentionally confusing wording making it easy to choose the wrong choice (disallow) if you don’t read thoroughly.

Unless you already know what to do it’s fairly unintuitive.

Most users don’t even know the difference between a single click and a double click.

Expecting them to even know what an external protocol is, or why it should be launched at all is completely unreasonable.


And this is why the web browser vendors need to simply disallow this behavior. Websites seem to think they need to engage in awful behavior to compete with each other. If the browsers just block it outright, then everyone will be on a level playing field.


That's kinda what happened here: Apple made the user confirm that they were going to take an action on an app on their computer, and Zoom built functionality into the app to bypass it.


No, you’re misunderstanding me. Websites should not be able to talk to localhost over HTTP. Browser vendors should eliminate the back channel.
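An added example of the back channel this sub-thread is arguing about; it is written for this page and is not Zoom's, BlueJeans' or any commenter's code. It shows why a loopback HTTP listener that starts the desktop client on any GET is reachable from every page the user visits, and the minimum such a listener needs if it exists at all: a check on which origin is asking. The /launch path, the ephemeral port, the meetings.example and attacker.example origins and the allow-list are assumptions for illustration, and the "launch" itself is only a recorded entry, not a real process start.

```python
"""
Added example (not Zoom's, BlueJeans' or a commenter's code): a loopback
HTTP listener that acts on any GET, beside one that checks the Origin.

Assumptions: a hypothetical /launch endpoint, an ephemeral loopback port,
and a hard-coded allow-list holding the vendor's own web origin.
"""
import http.client
import http.server
import threading
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://meetings.example"}  # assumption: the vendor's web origin
LAUNCHED = []  # stand-in for the desktop client: records what it was asked to do


def policy_naive(path, origin):
    """The pattern the thread criticises: any GET to /launch starts the client,
    no matter which page issued it (status 200 means 'launch')."""
    if urlsplit(path).path != "/launch":
        return 404
    return 200


def policy_checked(path, origin):
    """Only an allow-listed Origin may hit /launch.  A cross-origin fetch()
    carries an Origin header; an <img> or plain navigation may carry none,
    so a missing header is refused rather than trusted."""
    if urlsplit(path).path != "/launch":
        return 404
    if origin not in ALLOWED_ORIGINS:
        return 403
    return 200


class LaunchHandler(http.server.BaseHTTPRequestHandler):
    policy = staticmethod(policy_naive)

    def do_GET(self):
        origin = self.headers.get("Origin")
        status = self.policy(self.path, origin)
        if status == 200:
            LAUNCHED.append((self.path, origin))  # would start the client here
        self.send_response(status)
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def serve(policy):
    """Start a loopback-only listener on an ephemeral port; return (server, port)."""
    handler = type("Handler", (LaunchHandler,), {"policy": staticmethod(policy)})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def page_request(port, origin):
    """Mimic what script on `origin` can do: one GET to the loopback listener.
    http.client is used directly so no proxy settings get in the way."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=2)
    try:
        conn.request("GET", "/launch?meeting=123", headers={"Origin": origin})
        return conn.getresponse().status
    finally:
        conn.close()


def demo(policy, origin):
    """Run one listener with `policy`, hit it from `origin`, return the status."""
    srv, port = serve(policy)
    try:
        return page_request(port, origin)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("naive listener,   attacker.example:", demo(policy_naive, "https://attacker.example"))
    print("checked listener, attacker.example:", demo(policy_checked, "https://attacker.example"))
    print("checked listener, meetings.example:", demo(policy_checked, "https://meetings.example"))
```

The Origin check only narrows which web pages can trigger the action. It does nothing against code already running on the machine, it can be sidestepped by any page the allow-listed origin lets run script, and it is not a substitute for the browser confirmation prompt that a listener of this kind exists to skip. Auditing for listeners like this is as simple as `lsof -iTCP -sTCP:LISTEN` on a Mac and asking what each loopback HTTP port is for.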


There are no “developer terms” that developers have to abide by for the Mac.


If they're notarized there's around a hundred pages of terms and conditions you have to agree to. Although I'm not sure this gets in the way of any of them except on one of the blanket ones that Apple keeps intentionally vague.


Yes if 6 == 100.

A sibling reply posted the link.

https://developer.apple.com/terms/apple-developer-agreement/...


Can you expand? I'm not sure what your comment means.


You said there are “about 100 pages of terms and conditions you have to agree to”. There are six pages.


I literally just went through them at work in preparation for Catalina. They're hidden behind the developer account stuff you need to get your certs registered.



And you are not forced to abide by the developer terms to release a program for the Mac just as I said. Despite all of the HN conspiracies, you can develop for and release code on the Mac without Apple’s permission. You don’t have to abide by those terms.


The Zoom and BlueJeans apps are both signed, which indicates they're part of Apple's Developer Program, and thus bound by its terms.

If you want to distribute an unsigned app and guide users into bypassing Gatekeeper for it, by all means, do so... but that's not what's happening in this case, nor is it particularly common due to the intentional hoops they make you (or more accurately, every single prospective user of your app) jump through.


And that still doesn’t contradict my statement that you can distribute apps for the Mac without being in the developer store....


Wait a while. Holding one's breath not recommended.

For those who don't want to (or cannot, due to the nature of their application) use the Mac App Store to distribute software, the requirements will only continue to get more specific until (to the extent possible) all executable code and resources are notarized and signed with an identity.

<Insert Perry the Cynic rant about unsigned code - "What the hell is wrong with you!?">


This same prediction has been going on since 10.6 - over 7 versions ago. How do you propose that Apple forces code signing on programs that run on top of a VM like the CLR or JVM? How do you propose they enforce it for programs run using a scripting language? The best they could do is force signing on the runtimes.

But my point still stands. Today on July 9th 2019 you are not forced to be part of the developer program to distribute apps on the Mac. Despite all of the pollyanish the sky is falling type that has been going on for over a decade.


Not to put too fine a point on it, but those examples don't pass muster.

- If you're not using .NET, the CLR doesn't affect you, and although Microsoft has done well with .NET, I wouldn't necessarily expect Apple to make Redmond's job easier.

- Java is in much the same boat, and is perhaps in even worse shape as it used to be included by default in macOS releases but now isn't.

Read: security nightmare.

- From 10.16 on, scripting languages also aren't included by default. This seems less adversarial than the situation with Java, but for things like Homebrew, it's a stumbling block they will need to overcome.

https://discourse.brew.sh/t/mac-os-deprecating-system-script...


Apple introduced the Mac App Store over a decade ago. Since then, conspiracy theorists have been predicting that Apple will force all apps to be signed.

Are you predicting that Apple will disallow all scripting language runtimes and all VM based development environments? So if these same predictions have been wrong for over a decade - and still aren’t happening with 10.13, exactly when will this happen?

As far as Apple not including (outdated) versions of various scripting languages or Java - neither does Microsoft. That hasn’t been a major impediment to adoption.


Sigh, you're just not getting it, sorry to say.

I have NO TROUBLE imagining that Apple will continue to tighten the screws on this, enforcing signing through Developer TOS and requiring MAS apps to pay for distribution certs.

Direct download isn't going away, not after all the work that's gone into securing it, but if you think you can sell an app off your own site without giving Apple some identifiable info about who you are and what your code does, prepare to be disappointed.

Runtimes won't be disallowed, just that you (the user) are responsible for installing them and keeping things updated.

Oh, and for record, my reference to "Perry the Cynic" is no accident...he literally invented how code signing works.

https://weblog.rogueamoeba.com/2008/03/07/code-signing-and-y...

https://red-sweater.com/blog/514/development-phase-code-sign...

http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=H...

http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=H...


So you realize you’re kind of arguing against your point? He made a prediction that still hasn’t come true over a decade later.

And citing the patent office isn’t helping either. Every company patents everything they can.

> Direct download isn't going away, not after all the work that's gone into securing it, but if you think you can sell an app off your own site without giving Apple some identifiable info about who you are and what your code does, prepare to be disappointed.

Well today you can. As you have been able to do since the Info-Mac archives, since before the World Wide Web existed. So unless you can bring back some proof from either your time machine or from visiting some other world in the multiverse, I would rather talk about facts as they exist today.

And code signing still won’t stop you from being able to run code that runs on top of a VM or scripting languages without them being signed and you won’t have to do the ctrl-click bypass.

Why is it wrong for Apple not to bundle extra runtime (scripting/JVM) software that increases the attack surface? Should they also start bundling Flash again?


> Well today you can. As you have been able to do since the info-Mac archives since before the World Wide Web existed. So unless you can bring back some proof from either your time machine or visiting some other world in the multiverse, I would rather talks about facts as they exist today.

Watch WWDC 2019 Session 701, you'll learn something.

https://developer.apple.com/videos/play/wwdc2019/701/

> And code signing still won’t stop you from being able to run code that runs on top of a VM or scripting languages without them being signed and you won’t have to do the ctrl-click bypass.

Is it easy to do this? No, in many cases I'd expect it to be a serious P.I.T.A., but it's unquestionably the right move going forward.

https://mjtsai.com/blog/2019/06/17/notarizing-command-line-t...


That has nothing to do with distributing the programs that run on top of VMs/runtimes. The operating system only sees the JVM/CLR as an executable. Even if that has to be signed, there is no way of enforcing the programs that run on top of them to be signed.


Today, on July 9, 2019, yes you are not forced to be part of the developer program.

Apple has announced that this is changing very soon[0], and you attacking everyone who already knows this as 'conspiracy theorists' is kind of insulting.

0: https://developer.apple.com/documentation/security/notarizin... - "Beginning in macOS 10.15, notarization is required by default for all software".

You can only have software notarized as a member of the developer program.


My statement was very clear “developers are not forced to be part of the developer program.” Meaning that unlike ios, there are ways to distribute your app without signing it. “Notarization required by default” != “there is no method to distribute unsigned apps”.

https://www.google.com/amp/s/eclecticlight.co/2019/06/07/not...

> Catalina still runs apps which haven't been notarized or even signed, including those built after 1 June 2019. But you may find them more complex to run, and they don't of course benefit from any of new security protection unless they're signed and hardened.


You left out the portion of the article that says only apps you built yourself don't need to be signed/notarized.

Apps distributed over the Internet, like, you know, the ones we're talking about, must be notarized according to your own source.


What part of "Catalina still runs apps which haven't been notarized or even signed, including those built after 1 June 2019. But you may find them more complex to run" is difficult to understand?

In Catalina, just like in the current OS, there is a built-in method for the end user to bypass code signing for any app. The user can choose to run unsigned third-party code.

The article states that code you create doesn't have to be signed and you don't have to go through the "complex" process to run it.

Third-party code forces you to go through the "complex" task of ctrl-clicking.


I'm fairly certain you have to agree to some to join the Apple Developer Program, which is (sort-of) required if you want people to be able to run your app.


You don't have to be in the developer program to distribute your app on the Mac.


Technically? No.

It'll largely refuse to run ("App can't be opened because it is from an unidentified developer") if it's not signed via Gatekeeper, though.

There's a procedure to bypass that, but it's hardly user-friendly. https://support.apple.com/kb/ph25088?locale=en_US


Yes control click is really complicated.


First, the dialog doesn't give any indication it can be bypassed in that fashion. Second, users should rightfully be suspicious of "just bypass the security!" install instructions - especially non-technical ones.


Because users got a lot of security installing Zoom and BlueJeans since it was signed....

This isn’t unique to these two. Dropbox does some ungodly things when installed on the Mac....


How is it trashing user security?


By running a web server with the ability to circumvent installation? It could almost be considered a backdoor


User willingly installs their software, they are not backdooring it. There are plenty of services running on every computer, including TCP servers and web servers. If you're going to call them backdoors, you've got a long list.


If I think I have installed your software and it's secretly running a web server with the ability to reinstall itself, I am calling it a backdoor. I think that list is pretty short, but perhaps I am wrong.


Look at what just happened with Zoom. The web server could be used by a malicious third-party to gain access to the system.


I don't think I understand the security implications of this either. Seems distasteful, but how could it be exploited?



I resisted the urge to vote you down simply because their response you quoted pissed me off so much. I'm going to remind my CTO of this when our contract expires and it's time to evaluate alternatives.

Signed, Unamused CISO


They were probably also against Windows' UAC popups.


Everyone I knew was against UAC popups, including security professionals.

They were likened to California Prop 65 warnings: so prolific as to be ignored, and arguably causing more harm than good, because just as, since apparently EVERYTHING causes cancer, one can't make decisions about avoiding things that actually do, so too does EVERYTHING trigger a UAC popup, and so who gives a fuck, one more thing to quickly ignore and click through.


UAC is the correct idea (elevated user privilege levels), but implemented in the worst way possible. As I understand it, things have gotten MUCH less annoying since Vista, but it still left a bad taste in people's mouths.


It pops up with exactly as much frequency as a normal user account in most Posix-like systems would require "su" of one form or another. For exactly the same reasons. It's just expected behavior for those systems, but completely unacceptable for Windows.

And we wonder why Microsoft sucks so bad at securing Windows.


It was the collision of Microsoft trying to limit "run as admin" and Windows developers taking users running as admin for granted for too long. There had to be a period of pain as "if it ain't broken don't fix it" developers got around to not asking for unnecessary permissions.

These days you mostly see the prompt when you're installing or updating an app, which makes a lot of sense.

What I mean is, this is Microsoft's fault so far as users got in the habit of running in admin in the first place, but I doubt you would've been able to do better given where Microsoft was with its software ecosystem going into Vista.


Yeah, that makes sense. And I can't think of any way to accomplish it better :/ Every app you install can potentially cause computer 'cancer'.

As a sister comment mentions, it's akin to warning the user whenever they run a command under su/sudo.


Move fast, break security


GAAS—garbage as a service

99% of software world these days fits this description, sadly.


Sounds pretty awesome. I'd especially love it if frameworks like Spring offered releases via this channel.

I'd be curious to see how composability works with this, too: if for instance I wanted to make a React+Rails boilerplate, it'd be awesome if users could cherry-pick a commit to use it with their Bugsnag+Rails boilerplate.

