In the boom times people get too cocky and in the retrenchment they get too pessimistic.
Bill Gates came to my university in 2001 or 2 urging people to major in computer science because the dot-com bust was bad and everyone was convinced coding was going to move mostly offshore. People who followed his advice did well.
Now everyone is convinced coding will be taken over by AI… and move offshore. It seems like ai will change things more than offshoring but once again not as much as everyone seems to think. We still have offshoring but it didn’t stop programmers ramping toward and beyond seven figure salaries.
To the author’s credit this doesn’t read like panic, it’s level headed, but it is inevitably quite dark. In the 90s recession people temped, worked in coffee shops, and made or listened to amazing music. Not to be flip but maybe for a college grad (no kids) getting sidetracked from a tech developer job for a while is a blessing in disguise.
Does not make economic sense, there is still the cost of panels and transmission.
There might be a surplus now but dropping the price to zero will increase use (demand).
I was surprised the story does not even specify "residential," it really says "everyone." That's a great way to exhaust existing supply. Entrepreneurs can presumably be quite creative in the shape of businesses they set up if unlimited free power is on offer during the day.
I'm on 144.0.2 on MacOS and I do have it. Under the hamburger menu in the upper right and near the top of the list. Never set up a profile on this machine before, so maybe that could be related?
100%. I specifically clicked for the “why you should care” and was disappointed I could not find it.
I certainly don’t mind if someone is pushing the limits of what SQLite is designed for but personally I’d just rather invest the (rather small) overhead of setting up a db server if I need a lot of concurrency.
And,if you are into text adventures, there's M-x dunnet and, also, malyon under MELPA,
and you can play some good ones such as the ones from Infocom, or the modern ones made from the community such as Tristam Island, Anchorhead, Spider and Web, Spiritwrak... the IF archive has them all (on Tristam Island, I can send you a better ZMachine V5 version, instead of a shortened V3 one made for the 3rd version of the Z-Machine, the one for small microcomputers such as the C64, MSX, the 8086, the Kaypro with CP/M 2.2...)
And, if you are curious, you can install the inform6 compiler and inform6lib (the English grammar library) and, under Emacs, inform-mode and create your own text adventure in a very easy OOP like language (inform6), much more than Python.
Creating a text adventure might look silly in these times, but if you pay attention
to the article, it's these kind of environments what changed the world back in the day,
from MUDs/MOOs to roguelikes (in the case or Rogue, literally). Curses was a library
to play Rogue and update the terminal lest often (just send what changed in the screen
to the terminal) so the
connection wasn't cluttered back in the day with frequent menu displaying
where the changes were minimal.
With Inform6 you don't need to be a music composer, a drawing artist or some 3D modeller with tons of linear algebra background. Just write.
And, yes, it can be loads of fun with very little.
Look how easy can be the old 'advent' game under Inform6:
Even if the heyday of profitable journalism fact checkers were a magazine thing. Newspapers generally did not use them, they moved too quickly for that and had too much space (newsprint between the ads) to fill.
On the other hand, in that era a much higher proportion of the news in a paper was directly reported by the journalists - things they physically saw, people they physically talked to or called. They weren’t using some half baked thing from the internet because there as no internet. Although they might run something dodgy from another newspaper or wire service, but that was pretty rare, at least outside of the celebrity gossip and film columns (which were, sexist-ly, considered women’s news and thus not held to the same standards).
Why would we work on something we don't care about, for free? If they paid a sponsorship, that would allow us (moreso Matt) to spend the time looking into it. Or, people complaining about it can spend their own time finding a solution rather than making noise like this. (Also - I didn't "pore over", I simply searched for "caddyserver.com." in HN's search and it turned up every time two specific individuals brought this up)
So maybe other people complaining are not using caddyserver.com domain?
I’ve seen people mentioning about dot at the end of the domain a few times this year. Also never knew is a valid domain and should be able to resolve. Some people mentioned before YouTube.com. Won’t load ads. But I think they fixed.
I've read every single Caddy forum post (up until some months ago where I decided I had to slow down for my mental health), every single Caddy issue in the past 7 years, and nearly every thread mentioning Caddy on HN in the a similar time span, and it's only ever been brought up on HN by exactly two people. I know the patterns and I know how to find those comments. You may be talking about threads not relating to Caddy, in which case I don't find that relevant.
Yes, I didn’t mean related to caddy. Just that dot at the end might not be so unusual like you said. TBH I don’t need this feature. I think it’s hard to be so sure only 2 people on hn mentioned this about caddy, unless you used a lot of resources to dig into it. To clarify I’m not against you, caddy is really amazing, just trying to be objective about it.
Caddy always worked well and recommended to other people. So I’m a pro caddy user, don’t get me wrong.
It's served this public to realize that there's obviously some serious flaw somewhere in the software that means fixing this isn't easy, or it would have been done.
We've not seen a good enough argument that it's worth our time investigating. This seems like something that only affects something like 0.00001% of users. It may be simple, but it also means extensive testing to make sure any kind of fix doesn't also break other things. With how extensive Caddy's usecases are, we have to be careful with any change, especially low-level ones involving TLS and host matching. We could accidentally introduce somekind of request smuggling security bug for example if proper care isn't taken.
We've felt attacked by people trying to slander the project due to this specific technical issue. It's exhausting. Either way, like I said, we'd be glad to accept contributions to solve this.
It's an awesome project and I imagine it has saved countless production incidents. The amount of times I've said "it was probably certificate expiry" and been correct is reasonably high.
In my own cases of responsibility, Caddy would have eliminated them had it been around. Instead I've learned to be paranoid, though having things like this are far better in terms of easing cognitive burden.
Cheers for all of the hard work by you and other maintainers.
I too have used Caddy on multiple production systems. It's a great bit of software.
I try to avoid engaging in online flame wars but I will say that the developers - including Francis - have been nothing but helpful and courteous to me personally and I've also learned a lot from their numerous positive contributions to Caddy-related forums.
People are allowed to crticize a project whether or not they want to fix it. It was a mild, brief mention of one issue. Accurate, too, so not slander.
You seem to think there is a conspiracy against Caddy. That seems doubtful. But I could see disproportionate defensiveness like what is on display here causing some people to not be fans.
Two people don’t make a conspiracy. And honestly, the tone came off as pretty snide. Quoting part of the post just to twist it into their own point was clearly deliberate.
I've worked in a technical support forum with usually great guys, but what happened there was that specific complaints and specific users became designated the enemy of the group, by the group. Everything in contact with the specific issues or the specific users became twisted beyond recognition, and the group reacted to it always with aggressiveness. The "problem users" usually left after some time, then the group magically choose the next victim.
From the outside, such a group mechanism is happening here. Your reaction to the issue being brought up is not rational, and from the outside not understandable. Even if it was brought up 18 month before in the same way. And no, the curl post does not match your hostility. And no, the tone did not came off as "pretty snide", even if tribal voting pattern greys out your opposition anyway.
Please reconsider your approach here. If the issue is not fixable in caddy (though Apache seems to handle it fine?) maybe formulate a standard response that says something like "sorry, this is complicated, see the curl explication here" and leave it at that. Have an action plan that recognizes group dynamics and the burnout symptoms existing in the project, as mentioned in the article.
What slander? What grudge? What attack? Until now I’ve been a happy user of Caddy but seeing you overreact like this to a mild mention of a bug is making me strongly reconsider.
If you haven't seen the history of this topic outside of this thread then you wouldn't understand how frustrating it's been to handle. I'd just like it to stop being brought up (without also offering help or a solution). Seriously, every time we either post something on HN ourselves regarding Caddy or find a thread posted from someone else, one of the first thoughts is "oh boy, are we gonna have to find issue brought up again?" Lo and behold, it was brought up again today.
Elsewhere in this thread you point out that he mentioned it in February last year. That was 18 months ago! They weren’t rude or abusive.
That is not a grudge. That is not slander. That is not a hill to die on. That is not an attack.
This makes me wonder how many other minor bugs are dismissed by you as a grudge due to you overreacting like this. It makes me a lot less confident in your project.
It’s perfectly fine for you to say ”this is low priority and we have no plans to fix it in the immediate future”. What’s not fine is treating it like a personal attack because they dared mention it twice in 18 months.
> This makes me wonder how many other minor bugs are dismissed by you as a grudge due to you overreacting like this. It makes me a lot less confident in your project.
This makes me wonder how many other discussion threads are wasted by this kind of complaints.
Overreaction to (alleged) overreaction never solves the problem!
Caddy doesn't hit the front page of HN all too often. But when it does, this issue gets brought up by one of two people. That's why it's annoying. It's so predictable and so annoying. We've already said our piece on the topic repeatedly, being asked to repeat ourselves again is insulting to us. Because "this is low priority and we have no plans to fix it in the immediate future" is clearly not an answer for someone who cares about this issue and mentions it again.
I wish my biggest problem was that two people mentioned (correctly) a minor flaw I have, once every two years.
You’ve explained why you won’t fix it (seems that you don’t feel you’ve got sufficient coverage to be confident to do so, or that it’s not possible to cover this type of change) so just put an faq up about it and do not take it personally. You cannot expect zero criticism.
You are not the sole audience for this discussion. Just because they mention something you have heard before, it doesn’t mean they are deliberately taunting or provoking you. I’m glad they mentioned it. This thread gave me important new information about the project.
We're perfectly within our rights to express how it makes us feel for it to be brought up, especially with the history we've had around it. It's caused us a lot of grief and we'd just like for it to stop being shoved in our face. That's all. If it was brought up by someone totally unique (not repeated by the same person as before, who we've already answered) then I would have had a different, more tactful response.
I really don't think it's fair for you to make a judgement on me or the project from an interaction like this. At least judge the project on its technical merits. I've been very transparent here. But I can't stop you from having your thoughts. It is what it is.
> being asked to repeat ourselves again is insulting to us.
> we'd just like for it to stop being shoved in our face.
This is the comment you are referring to:
> There still remains this simple to reproduce bug where the page doesn't load of you use the full domain name of a site.
They aren’t asking you to repeat yourself. They aren’t shoving it in your face. This is an open discussion thread with many participants. They weren’t talking to you directly. This is information anybody here can find interesting and relevant. I did.
> I really don't think it's fair for you to make a judgement on me or the project from an interaction like this. At least judge the project on its technical merits.
How you are reacting to this is far more important to me than the original bug.
Remember when 37signals suffered data loss because they were using GET requests to delete things? When people pointed out they had a bug, they were offended and blamed GWA. What happened next? The same thing happened all over again, users suffered more data loss.
Or how about when Naomi Wu reported a problem with Signal, where the common use case of third-party keyboards for Chinese people was rendering all of their security worthless? They dismissed that as somebody with a grudge and ignored her for a year. What happened next? People found out that Chinese keyboards were compromised; she was 100% right, and Signal users were in danger.
I’ve seen what happens when people have this attitude towards inconvenient people reporting inconvenient bugs. It’s a danger to users, and you are making Caddy seem dangerous with this attitude. I was a happy user of Caddy right up until this thread, and even halfway down this thread – even after reading the mention of the bug – but your reaction has flipped that to the opposite because I can’t trust that there aren’t more bugs you are handling this way.
This is being blown out of proportion. You're discounting an entire project and your experience of the software over a person expressing exasperation over an inconsequential feature (not a bug) that even the author of curl had his run through and frustration. The request was not dismissed, rather it was discussed at length on our issue tracker. The OP knows it was discussed at length because they linked to the discussion thread in the earlier times they brought this up. Moreover, the way they presented it this time is snide, agree or not. To quote Matt's statement of the project being "stable and mature" just to say "except you didn't implement my niche feature" (yes, editorialized) is not criticism nor a feature request. It's veiled instigation hiding behind plausible deniability.
Anyways, on the feature request, Caddy is not the only software who disagrees with it being valid, and curl had their back-and-forth on it. There's no legitimate bug being dismissed, and you can go through the issue tracker to audit it. Equating this discussion with 37signals or Signal is false equivalence.
It's a repeat complaint from the same person who admits bringing it up before. The way they framed their complaint is, again, snide.
> That’s a long way beyond exasperation, that’s a massive overreaction.
Your reaction to Francis is _the_ overreaction. Francis simply said to OP to put their money where their mouth is. The "slander" comment comes later as a general statement on why this subject has become annoying.
Stop being hung up on Francis' response. The niche feature was discussed at length multiple times. You're welcome to search the web for all the conversations we had on the subject. Caddy has been around for 11 years. We've seen this subject more than you've seen it brought up. Again, OP referenced the discussion on the issue tracker in one of the earlier times they brought it up. They _admit_ it's niche. What's the point of continuously bringing it up?
Okay, so the last time was 18 months ago not two years. But do you really think that mentioning it three times in 3.5 years can fairly be described as a grudge?
> Stop being hung up on Francis' response.
This is the only thing that matters to me in this thread. The bug itself is not that interesting. It’s a big deal to me that your team seems to take even the mildest mention of a bug as some kind of harassment. I’ve seen that kind of attitude before, and it’s dangerous.
Yes calling it a grudge is kneejerk, but no I won't apologize for it because of how intensely frustrating the prior discussions (and today's, no help to you) were to deal with (take today's, multiply it by two for the intensity, then multiply it by ten for the amount of times it happened). You aren't me, you don't know what I've experienced and you don't know all the details, so please stop making assumptions.
It's the fact they bring it up again when we've made it clear our stance is the problem, not so much the actual words in today's post. It's also off-topic (not relating to project maintainership) and it's on a post I submitted myself to HN.
I know you've already made up your mind, but look at our track record of answering support questions on the forums and tickets on GitHub, and you'll see that the picture you've formed in your mind from this thread is not accurate.
Those comparisons are very straw-man and I won't entertain them. As I've already said, IMO there's more risk in introducing a new security bug in trying to fix this issue than there is leaving it as-is (failing fast and hard).
> It's the fact they bring it up again when we've made it clear our stance is the problem
You are still locked into this idea that the sole purpose of bringing it up is for your response. This is an open conversation, not a dialogue between only you and them. It doesn’t matter if you have made your stance clear, them bringing it up gives other people a chance to hear about it and discuss it.
> I know you've already made up your mind, but look at our track record of answering support questions on the forums and tickets on GitHub, and you'll see that the picture you've formed in your mind from this thread is not accurate.
To be clear: my mind was made up that Caddy was a good, reliable choice, and it was your behaviour in this thread that changed my mind, it wasn’t my imagination.
> IMO there's more risk in introducing a new security bug in trying to fix this issue than there is leaving it as-is (failing fast and hard).
I believe that, but I also believe your attitude is a bigger threat to security than either.
And you're still locked into this idea that you'll convince me that I shouldn't care, when I've expressed how it makes me feel due to the history. Can you respect that there are topics I'd just like not to be reminded of in a certain way? If it was brought up in a _constructive_ way, I would accept it (i.e. offering help or a solution via a PR with tests). If it was brought up by someone who I didn't specifically interact with negatively on this topic before, I would accept it.
> I believe that, but I also believe your attitude is a bigger threat to security than either.
I can't change your belief, nor do I care to, but I think that's absurd. Show me an actual security threat relating to this and I will address it. But this problem as stated is not one.
You keep saying that, but you did change my belief! My opinion is not immutable, I listen to what people say, and that is the reason we have ended up here. Because I listened to you and you convinced me to change my mind about Caddy.
> Show me an actual security threat relating to this and I will address it. But this problem as stated is not one.
“This problem” that I’m concerned with is your attitude not the FQDN bug, and I already gave the Signal example. When you start perceiving people reporting bugs as attacks and grudges, it makes it dangerously easy to dismiss real problems.
If that person found another problem with Caddy, I think they are less likely to report it to you because of this. If they did report it, I would think you are very likely to dismiss it because of who they are, not the contents of the bug report. This is a serious problem for my trust in Caddy.
I thought I was clear enough about this already, but clearly not: I encourage anyone who believes there's a bug with Caddy to report it to us on GitHub, where bug reports belong, where we can have focused discussion about it and see it to its natural conclusion. I do not discriminate bug reports based on who makes it.
An HN thread is not the place to report a bug. Nor do I think it's fair to form opinions about project maintenance (which doesn't happen on HN) based on comments in HN.
I say this with some trepidation. I certainly don't want to inflame this.
First, never used Caddy. I have no dog in this fight. I do manage a (closed source) project (which is decades old).
After reading this entire thread and all replies in all branches (I didn't vote on any of the comments), I think it would have been better for you not to reply at all. It would have done less damage to you (the negative emotions it brought out, the perception of others) and no one would remember that top-level comment. It would have been at the bottom of the page, an insignificant utterance. You elevated it, by protesting too much (I won't quote that famous line, but you get the idea).
And I must say you reminded me of my younger self, in the way you wouldn't let go of the issue and wouldn't let others have the last word. I've learned that this behavior is definitely self destructive and unproductive. The trigger was something that lived in me. It was never, I learned, about them. We choose how we respond. I've found one thing to work for me:
When an online discussion makes me emotional, I write a response in a text editor (not in the place where the comment is) and I let it sit for a few hours. Then, I do something completely different. I almost never post that comment, when I return to it, but I sometimes post something much softer. Mostly, I remove all emotion from the comment. Emotions are triggers for others, after all.
Why did I write so many words on this seemingly trivial online dispute? I hope I can help in some way, because I saw myself in your comments. Take them for what they are, me trying to help.
> If that person found another problem with Caddy, I think they are less likely to report it to you because of this.
Given they're aware of previous discussion and the stance on the feature request, I don't think they're deterred by the discussion here. Your addition of fuel to fire here is the very thing that's not helping.
> If they did report it, I would think you are very likely to dismiss it because of who they are, not the contents of the bug report.
Chesterton's Fence - why did everyone start encyrpting their websites?
His critiques of why LE is flawed security wise are spot on and I suspect something like SSH keys as he suggests would be pretty much as good.
But there's a reason we're encrypting everything, and the time when we started encrypting offers a clue as to why. Mass surveillance threat actors are not going to go to the trouble and visibility of MITMing every cert connection, but they will (and in the case of NSA did) happily go to the trouble of hoovering up network traffic en masse and watching how people surf. HTTPS provides some protection there because it at least hides the paths to the specific pages you are reading as you surf online, including things like search engine query terms.
The idea that $3.6m is a lot of money to encrypt a huge chunk of web traffic, or that Google is eagerly guarding the money it makes (?) off web certs, which must be a tiny fraction of its actual income, is a clue that this is maybe not a greedy conspiracy.
I'm far more amenable to the idea that Google didn't want ISPs to start injecting ads on websites. If that is control for Google in your view, then my interests aligned with Google for once in a blue moon.
Very much agree on the last point. Controlling the de facto CA for all non-corporate web sites still gives Google a lot of control over who gets to be visible on the Internet, and that’s where the value in LE is. The direct income from SSL certs are completely insignificant.
Bill Gates came to my university in 2001 or 2 urging people to major in computer science because the dot-com bust was bad and everyone was convinced coding was going to move mostly offshore. People who followed his advice did well.
Now everyone is convinced coding will be taken over by AI… and move offshore. It seems like ai will change things more than offshoring but once again not as much as everyone seems to think. We still have offshoring but it didn’t stop programmers ramping toward and beyond seven figure salaries.
To the author’s credit this doesn’t read like panic, it’s level headed, but it is inevitably quite dark. In the 90s recession people temped, worked in coffee shops, and made or listened to amazing music. Not to be flip but maybe for a college grad (no kids) getting sidetracked from a tech developer job for a while is a blessing in disguise.
reply