Not really. A different place to look for this is in chemical reactions and things biological life does.
You may have some simple chemical life needs, and life may have some other simple chemical it can use to get the needed simple chemical, but the processing steps are complex and limited by physics themselves. Evolution almost always finds a path of using the minimum activation energy to let these reactions occur. Trying to make the process simpler just doesn't get you what you need.
Not really. If the solution has less complexity than is inherent in the problem, it can't possibly work. If the solution has complexity equal to or greater than the complexity inherent in the problem, it may work. So if you see complex code handling many different edge cases, you can take that as an indicator the author understood the problem. That doesn't mean they do understand or that the solution does work; only that you have more confidence than you did initially.
It's unclear if you've presented this quote in order to support or criticize the idea that new technologies make us dumber. (Perhaps that's intentional; if so, bravo).
To me, this feels like support. I was never an adult who could not read or write, so I can't check my experience against Socrates' specific concern. But speaking to the idea of memory, I now "outsource" a lot of my memory to my smartphone.
In the past, I would just remember my shopping list, and go to the grocery store and get what I needed. Sure, sometimes I'd forget a thing or two, but it was almost always something unimportant, and rarely was a problem. Now I have my list on my phone, but on many occasions where I don't make a shopping list on my phone, when I get to the grocery store I have a lot of trouble remembering what to get, and sometimes finish shopping, check out, and leave the store, only to suddenly remember something important, and have to go back in.
I don't remember phone numbers anymore. In college (~2000) I had the campus numbers (we didn't have cell phones yet) of at least two dozen friends memorized. Today I know my phone number, my wife's, and my sister's, and that's it. (But I still remember the phone number for the first house I lived in, and we moved out of that house when I was five years old. Interestingly, I don't remember the area code, but I suppose that makes sense, as area codes weren't required for local dialing in the US back in the 80s.)
Now, some of this I will probably ascribe to age: I expect our memory gets more fallible as we get older (I'm in my mid 40s). I used to have all my credit/debit card numbers, and their expiration dates and security codes, memorized (five or six of them), but nowadays I can only manage to remember two of them. (And I usually forget or mix up the expiration dates; fortunately many payment forms don't seem to check, or are lax about it.) But maybe that is due to new technology to some extent: most/all sites where I spend money frequently remember my card for me (and at most only require me to enter the security code). And many also take Paypal or Google Pay, which saves me from having to recall the numbers.
So I think new technology making us "dumber" is a very real thing. I'm not sure if it's a good thing or a bad thing. You could say that, in all of my examples, technology serving the place of memory has freed up mental cycles to remember more important things, so it's a net positive. But I'm not so sure.
I don‘t think human memory works like that, at least not in theory. Storage is not the limiting factor of human memory, but rather retention. It takes time and effort to retain new information. In the past you spent some time and effort to memorize the shopping list and the phone number. Mulling it over in your mind (or out loud), repeated recalls, exposure, even mnemonic tricks like rhymes, alliterations, connecting with pictures, stories, etc. if what you had to remember was something more complicated/extensive/important. And retention is not forever, unless you repeat it, you will loose it. And you only have so much time for repetition and recall, so inevitably, there will be memories which won‘t be repeated, and can’t be recalled.
So when you started using technology to offload your memory, what you gained was the time and effort you previously spent encoding these things into your memory.
I think there is a fundamental difference though between phone book apps and LLMs. Loosing the ability to remember a phone number is not as severe as loosing the ability to form a coherent argument, or to look through sources, or for a programmer to work through logic, to abstract complex logic into simpler chunks. If a scholar looses the skill to look through sources, and a programmer looses the ability to abstract complex logic, they are loosing a fundamental part of their needed to do their jobs. This is like if a stage actor looses the ability to memorize the script, instead relying on a tape-recorder when they are on stage.
Now if a stage actor losses the ability to memorize the script, they will soon be out of a job, but I fear in the software industry (and academia) we are not so lucky. I suspect we will see a lot of people actually taking that tape recorder on stage, and continue to do their work as if nothing is more normal. And the drop in quality will predictably follow.
I enjoy cool features like this, but as usual, I'm wary of the consequences.
Android is becoming more and more locked down like iOS. Even if it weren't, it's still always been more locked down than a standard desktop or laptop machine running an operating system of the user's choice.
With the advent of smartphones and tablets, already I see non- and semi-technical users often dropping their laptop or desktop and just using their phone or tablet. (I know people who don't even have a laptop/desktop anymore.)
Android having a full desktop interface will just add fuel to this fire, and further normalize running a locked-down OS and device that users don't truly own or control as their only computing platform.
The OG Motorola Droid, for example: While it clearly wasn't a design intent, there was really nothing of any gravity to stop people from using it in any way they wished.
Rooting was a simple matter of running a hacked su command, and voila: One becomes root. The bootloader wasn't locked at all. Custom kernels and userlands were normal. It was a great little pocket computer to goof around with for anyone who cared enough to give it a swing.
Just install the "missing" su binary and...done.
At the time, I felt that this was a perfectly acceptable way to keep it working reliably for regular folk.
In a way I don't know what I think about them preventing me from modifying "their" certified OS. Many products do that (if I buy a Marshall smartspeaker, it's not like if I can modify the software, is it?).
What I want is to be able to properly install an alternative OS (just like I don't care about what Windows or macOS do, as long as I can install Linux), and that goes with the bootloader unlocking/locking.
The problem is for every person who wants to do this, there are hundreds (thousands?) who wouldn't want to - and these people are vulnerable various security exploits that would allow someone evil to take over their device.
This isn't just a made up situation: There are nations that have large teams of people who's job is to figure out how to get software installed on your device of their choice/make/design, allowing them to do whatever they want.
This isn't quite true. The Google Pixels allow me to unlock the bootloader, install my own system, and relock the bootloader. As a result, I run an alternative OS called GrapheneOS which is more secure than Android.
The fact that I can unlock and relock the bootloader is not a security issue or a risk. People who don't know what that means cannot possibly do it by mistake.
Now allowing root access to users on Android, that's a security risk because a user can be tricked into giving root access to some evil app. I don't have root access on my GrapheneOS, even though I chose to install it myself. Because it is more secure like this.
So it sounds like a fair compromise to me: they make Android the way they want, and if I don't like it I can install an alternative OS. Just like I can install Linux if I don't like Windows. What I don't like is that most Android manufacturers actively try to prevent me from doing that, and I don't like it.
> The fact that I can unlock and relock the bootloader is not a security issue or a risk. People who don't know what that means cannot possibly do it by mistake.
The second sentence is false. Lots of people blindly follow things and don't understand consequences until they brick their devices. Those who don’t break something won’t notice if they’ve silently backdoored themselves.
People asking for support after getting themselves into some weird hole they never should have been in because some friend or online article said so is super common.
> The second sentence is false. Lots of people blindly follow things and don't understand consequences until they brick their devices. Those who don’t break something won’t notice if they’ve silently backdoored themselves.
"Lots of people", how many though? Can that number be reduced? What number would be acceptable?
I feel like it _has_ to be possible to devise an unlocking procedure that dissuades most people from self-harm.
The problem is often treated as intractable, but intuitively this seems really unlikely to me. I don't think more than a tiny percentage of Xiaomi owners, for example, would go through the bootloader unlock process which often has a mandatory wait period attached to it without a reason more compelling than an impulse to randomly and blindly follow instructions on the internet.
I would like to see user studies with good methodology before other people decide to barter long-term freedoms away for insufficient benefit.
Why do I so rarely see people who are concerned about the security issues of bootloader unlocking calling for designing hassle and warning into the process. Instead, it's more common to hear that in the name of the average user, all escape hatches must be removed.
After a certain point, someone else's insistence on self-harm ceases to be a good excuse to infringe on my freedom. We don't ban hammers because some people accidentally damage their property/body, and it's a lot easier to do that with a hammer than an unlocked bootloader.
The security model of Android and iOS is vastly superior, and for "normal" users it is not so much of a problem if they don't have control they neither need nor want.
On the other hand, I obviously don't like it when I don't have control over my hardware. But what I hate the most is when the manufacturers prevent me from installing an alternative OS. I like being able to install something like GrapheneOS.
Also the fact that I'm forced (in practice) to use the Play Services is not really about the device being locked down.
Vastly superior security doesn't make you give up freedoms for security. But do tell me how successful the war against scams has been for the average user.
Convincing a user to give their password will always be an issue, that's fundamental. But because phishing exists does not mean that security does not matter.
Without security, there is no need to phish, because the system does not protect anything. Once you have a good security, then the best attack is phishing because it's easier to trick the human than the system. This means that the security is good, not bad.
I think one of the points is that all this attestation stuff does not protect against the majority of the ways users are compromised. Its just remote control with real security benefits, just those benefits largely accrue to companies and at the expense of the user.
If my system is signed and verified at every boot, doesn't that guarantee that my system hasn't been tampered with? Meaning that no malware has found a way to get root access and modify it. I find this valuable.
If you can't use your own keys and verify the process yourself, then no, that is not a guarantee.
Malware developers just have their software signed by the gatekeepers your device is programmed to inherently trust, because the gatekeepers don't give a shit.
The App Store and Play Store are the largest vectors of malware out there, and every year they are responsible for letting their users get scammed to the tune of billions of dollars.
> If you can't use your own keys and verify the process yourself
The thing with security is that it is a gradient. Too many people try to win arguments on security by saying a variant of "anyway you have to trust somebody, so it will never be secure". This is exactly what you are doing here.
Say I trust GrapheneOS, the security model guarantees what I said. Obviously I have to trust something, I won't audit every single line of code and assemble billions of transistors myself.
> every year they are responsible for letting their users get scammed
Second tactic for winning a security argument: "but the users get scammed anyway". Sure they do. Because they have to. If you have a system that popular with zero scam, it probably means that the attackers don't even need to attack the human because the system itself is insecure.
I do see the value in this and also note that this feature has largely been kept from users intentionally on most other platforms. Still, this offers very little protection for the vast majority of scams to which people fall victim.
Phishing will always exist. If a system is very secure, the easiest way to attack it is to phish the human that has control over it. Complaining about that is weird... what do the people who complain want? One of those two:
- "Please make the system less secure, so that the attackers don't have to attack the human because they can just compromise the system directly"
- "Please keep making the system secure, and keep removing rights from the users, because the users prove over and over again that they cannot be trusted with anything"
You see where I am going. If you only optimise for security, then you remove all the freedom. But we obviously want freedom. So it's a compromise.
Now this compromise is a choice, and different systems can make different compromises. The freedom I want is the freedom to choose my system. I want to be able to install GrapheneOS on my phone. Complaining about macOS not being Linux would be weird: if I want Linux, I use Linux. If I use macOS, well then I have to live with the design choices of Apple.
This level of security exists on open as well as closed platforms, the problem is the closed platforms not allowing you to do things that aren't giving your password away (like installing fdroid or using beeper easily). I just have a hard time believing this is superior in any way.
I you run GrapheneOS, it is an open source platform built on top of AOSP (the Android Open Source Project). Part of the security model is that you don't run as root. I am an advanced user and I don't want to run as root on my phone, I am happy with GrapheneOS as it is distributed.
Now if you want to be root, you can install an OS that allows you to be root. Just like I unlocked my bootloader, installed GrapheneOS and relocked my bootloader, you can do that and install whatever you please. I will keep using GrapheneOS because that is the most secure OS I can find for my phone.
The problem, IMO, is not that "some OS are opinionated and don't give you root access while other OSes do give you root access". The problem is that on many phones, you are not free to install the goddam OS you want (e.g. because you can't unlock or relock the bootloader).
Meh, I'm ok with not having root on my phone. What I'm not ok with is not being able to flash whatever I want to run on it later without unlocking and wiping. For this reason I have an automated script to verify Graphene's signatures and replace them with my own. This would give me the ability to extract data using root at a later date, for example.
> What I'm not ok with is not being able to flash whatever I want to run on it later without unlocking and wiping.
The wiping is a security feature: if someone installs a new random system ("random" being defined as "not signed by the same entity"), then they can modify the system in order to attack it. The whole secure boot idea is worthless if you allow that.
I don't disagree. I just don't want the trusted entity to be other than me.
Note that secure boot doesn't become worthless just because you can flash something different. The TPM should notice SB is turned off, and should refuse to decrypt, but there should be a way for the user to back up the key and use it to recover the data later.
Root used to just mean knowing an admin password and rarely using it on desktop platforms for making local changes. It's changed definition for mobile if it now means just being able to run and auto-update apps from fdroid or run an app without the attestation of the company that supplies the OS, which in the worst cases takes away control completely from the user.
Mobile platforms and developers solely supporting their attestation should allow other forms of self attestation that the users want. I don't think I'm confused about anything, and I don't need to muddy the definition of security or root to argue having control over my data and apps on platforms I want to use.
That was an example, I was talking about phishing in general. Phishing will always exist: as long as a human has a right to do something, someone else can trick this human into doing it for them.
Passkeys are great, and they do improve the situation. But they won't remove phishing as a concept.
I think a passkey is a good example of how, when the user has a trusted third party grant them limited instead of unlimited permission to do something (e.g. they can use a secret with the site that created it but they can't extract the raw secret from it to send to an arbitrary site), it is possible to make them immune to a particular type of phishing.
As an example of mitigating another type of phishing, if the user only has the ability to log in to a web site from a particular device or country, an attacker tricking them into providing their password gets a much less useful win.
You could argue they have the "right to do" less in that situation. Sure, that's a reasonable perspective. I'm not passing moral judgement here. But I think that it is a factually true statement that it is indeed possible to mitigate (and even entirely prevent) phishing vulnerabilities by giving end users devices that have stronger security policies - with those policies being written by the device creator, and not edited by the end user themself.
I think this principle applies to every single type of social engineering attack. Limiting the context of permissions lessens the risk of a confused deputy.
I am with you, and for this reason I really want them to fail. The PC is currently still a platform where the user has a relatively large amount of control and digital autonomy, and as long as a sizeable part of the population keeps using it, companies and government institutions cannot ignore it and must support it.
Once 90% of all internet clients are iOS or Android the open internet is dead, and the concept of a general purpose computer on which you can run any computation you want is also inaccessible to the average person. From that point on, everything is a service that you rent from either Apple or Google.
I'm also not a big fan of Wayland, to be honest. But that's the way the winds are blowing. X11 has its problems, but even if they are fixable, no one seems to want to work on Xorg anymore. I'm certainly not prepared to maintain it and push it forward. Are you?
Depending on Xorg today is more or less ok, but I do expect distros will stop shipping it eventually.
That's a fair criticism sometimes, but, frankly, if you want things the way you want them, learn to code and dig in. Otherwise it's not really fair of you to complain about stuff that people have built for you for free, in their spare time.
In this particular case, it's not fully a "new and shiny, must play!" situation. I personally am not even a big fan of Wayland, and I'm generally highly critical of it. But Xorg is more or less unmaintained, and frankly, if we don't have a Wayland compositor, we'll become obsolete eventually. That's just the way the wind is blowing.
I am not complaining about what people do in their spare time. If the blog post said "someone does this because he likes to spend his own time on it", I would not complain. I am complaining about a) the justifications given which I think are all nonsense IMHO and rationalizations for something which some likes to do, and b) the use of donations which should be better used to improve the software instead of creating more rewrites.
I also do not agree with the Wayland is inevitable sentiment. There are non-systemd distros, there will also be non-Wayland distros. The idea is that only those things survive which are pushed into the ecosystem by the cooperate bullies is wrong, otherwise Linux would not exist.
The Linux desktop was essentially fine already two decades ago and instead of the needed refinements, bug fixing, and polishments, we get random changes in technology after the other, so nothing ever really improves but we incrementally lose applications which do not keep up, break workflows, sometimes even regress in technology (network transparency),
and discourage people from investing into applications because the base is not stable. My hope was that Xfce4 is different, but apparently this was unfounded.
> I am not complaining about what people do in their spare time.
Re-read your original post. You are absolutely complaining about what we do in our spare time.
> If the blog post said "someone does this because he likes to spend his own time on it", I would not complain.
I mean, that's part of it. I wouldn't do it if I wasn't interested in doing it. I have my own long list of Wayland criticisms, but I think it's interesting.
> I also do not agree with the Wayland is inevitable sentiment.
I think that's where we'll be at an impasse.
There are non-systemd distros because there are viable alternatives. Xorg (the server implementation, I mean, not X11 the protocol/system) is dead. I don't like saying that. I've invested a lot of time into X11 and understanding how it works, and how Xorg works. But no one wants to maintain it. There is the XLibre fork, and I wish them well, and do want them to succeed, but sustaining a fork is hard, and only time will tell if that works out.
But I don't think X11 has a future, unfortunately. And that really does make me sad. You're free to disagree with that, but... well, so what.
> The Linux desktop was essentially fine already two decades ago and instead of the needed refinements
That's a view through rose-tinted glasses if I ever saw one.
> we get random changes in technology after the other
Jamie Zawinski called this the "Cascade of Attention-Deficit Teenagers", and he's right. I do think some of these changes are an earnest and honest attempt to make things better, but yes, people just want to work on what interests them, and what makes them feel good and accomplished.
When we work for a corporation we don't really get to do that, but when it's unpaid, spare-time volunteer work, we have the freedom to do whatever makes us happy, even if it makes other people mad or disappointed or annoyed, or isn't the most "productive" use of our time (whatever that means).
> > I am not complaining about what people do in their spare time.
> Re-read your original post. You are absolutely complaining about what we do in our spare time.
Then I am not sure how I have to understand this sentence: "After careful consideration, we’ve decided on a meaningful way to use the generous donations from our community: funding longtime Xfce core developer Brian Tarricone to create xfwl4, a brand-new Wayland compositor for Xfce."
I trust you understand that some readers may not find (to paraphrase) "I don't like it either but it is what it is." a compelling reason to fix something that is not broken.
I also do not use free software to then have to use something I do not like because the "this is the way the wind is blowing" (just becomes some parts of the industry wants something re-engineered in their interests)
I spent a month or so in 2024 attempting to refactor xfwm4 so it could serve dual purpose as both an X11 window manager and Wayland compositor, and ended up abandoning the idea. It was just getting ugly and hard to read and understand, and I wasn't confident that I could continue to make changes without introducing bugs (crashers, even). We want X11 users to be unaffected by this, and introducing bugs in xfwm4 wouldn't achieve that goal.
Note that we don't have to rewrite all of Xfce: xfce4-session, xfce4-panel, xfdesktop, etc. will all run on Wayland just fine (there are some rough edges that need to be ironed out for full Wayland support, but they're already fairly usable on wlroots-based compositors). This is just (heh, "just") building a compositor and porting xfwm4's WM behavior and UI elements over to it. Not a small task, to be sure, but much smaller than "rewriting all of Xfce".
Absolutely seriously. To me, a big part of what makes Xfce is xfwm4's behavior. Even though most of the other Xfce components will run decently well on wlroots-based compositors, I don't really have an interest in using them, as that's not "Xfce" to me.
But it's not going to be perfect, though, as some things that we take for granted on x11 still just do not have Wayland protocols to enable them. This will take a long time. Alex's blog post says a developer preview around the middle of this year, and I expect I can deliver on that, and maybe (maybe!) even a stable release by next year (maybe!), but full feature parity will take years.
> using smithay, the brand new Rust/Wayland library
Fun fact: smithay is older than wlroots, if you go by commit history (January 2017 vs. April 2017).
> It would have been much easier and cost-effective to use wlroots
As a 25+ year C developer, and a ~7-year Rust developer, I am very confident that any boost I'd get from using wlroots over smithay would be more than negated by debugging memory management and ownership issues. And while wlroots is more batteries-included than smithay, already I'm finding that not to be much of a problem, given that I decided to base xfwl4 on smithay's example compositor, and not write one completely from scratch.
Thanks for the extra info. I'm glad it hasn't turned out to be much of an issue. I've looked at your repository and it seems to be off to a great start.
Personally, I'm anxious to do some bigger rust projects, but I'm usually put off by the lack of decent bindings in my particular target area. It's getting better, and I'm sure with some time the options will fill out more.
Not sure I agree here, assuming you mean "... than X11". With Wayland, you put your display code, input-handling code, compositor code, session-handling code, and window-management code all in the same process. (Though there is a Wayland protocol being worked on to allow moving the WM bits out-of-process.)
With X11, display and input-handling are in the X server, and all those other functions can be in other processes, communicating over standard interfaces.
> you put your display code, input-handling code, compositor code, session-handling code, and window-management code all in the same process
That's an implementation detail. You can absolutely separate one out from the other and do IPC - it just doesn't make much sense to do so for most of these.
The only one where I see it making sense is the window manager, which can simply be an extension/plugin either in a scripting language or in wasm or whatever.
It's not an implementation detail that X11 specifies interfaces between those separate components and Wayland does not - X11 is designed for for the window manager being separate from the display server, Wayland is designed for them being the same.
reply