quicklisp-client VS githut

Yes, that's clear.

I'm not very familiar with how quicklisp works. I thought that “updates once a month” implies a separate update channel (distribution, ...).

Looking at the relevant issue, https://github.com/quicklisp/quicklisp-client/issues/167 , it's not clear that even hashes are in place.

I recently found out that most Nix fetchers use https, but do not actually do verification (`curl --insecure` or equivalent libcurl settings). Channel updates do verify and include hashes, so the overall chain is authenticated.

The latest comment I see about this here from Oct. 2022 says they're working on it. There's also comment by the developer in 2016 saying want to improve the security soon, so it doesn't really seem this will actually happen soon. I realise making signature verification work cross platform in pure lisp without external dependencies isn't easy but from latest comment it seems they have that working, in a branch written 4 years ago? The simplest no-code solution is just since quicklisp is published every month or so, on each new update publish a file with sha256 hash of every package contained in quicklisp signed with same developer's pgp key they are already using to sign download of the initial quicklisp.lisp, yes then users if they care about security would have to manually download the file and verify signature every month or so but it's at least some solution that can be done now.

> That's what regular devs do, they don't even bother writing articles or commenting on HN :-)

I'll take the bait, and roll up several of my comments into one.

First, the support contract costs from the commercial vendors can make sense. It's one of the most expensive parts of software. We joke about fixing relatives' printers, but its not false. Support costs introduce a counter-balance.

Second, a message to everyone looking into or using QuickLisp, it uses http instead of https: https://github.com/quicklisp/quicklisp-client/issues/167

You can patch your version to fix this. I'd also recommend adding firewall rules to deny in case your patches roll back. And any other mitigation. Or stricter policies, such as not using it, if it makes sense for your organization.

And the AI bots? I hope there aren't people herding them who don't want to, that's how you get unloving brats and a crappy world.

I found this github issue about it, open since 2018: https://github.com/quicklisp/quicklisp-client/issues/167

I agree 100% about needing to test and audit for security. But based on the information I've seen and public activity in repos, I assumed Xach was going for home-grown CL implementation. https://github.com/quicklisp/quicklisp-client/blob/pgp/quicklisp/openpgp.lisp

This is the best measure I've found:

https://madnight.github.io/githut/#/pushes/2023/4

Unfortunately it doesn't have new projects, but it does seem like C++ peaked a couple of years ago and is starting to trend down. "Plummeting" is clearly an exaggeration though.

>There's a lot of misinformation, bad arguments and bad conclusions in this post. Let's pick it apart.

No, there really isn't, but I had fun answering :-)

> But, past isn't a guarantee of the future. It was stable before, but who's to say it will be in the future?

Whos to say C will be stable tomorrow? Well, the fact that the C compiler is a standard, and has an official document outlining what a C compiler does. And go is the same.

If anyone was to change that, all I have to do is check out an earlier version of this open source language, and use that. And since tons of code rely on this, that is what would happen.

Languages don't become unstable because they suddenly change trajectory, they are unstable if feature upon feature is heaved upon them, along with codebases relying on these features, necessitating constantly keeping up to date with the language version.

Go, explicitly, has a completely different design trajectory. And as a result, Go code that was written in Go 1.8 will still compile today.

> Go has no standard

Here is the official spec of the language: https://go.dev/ref/spec

Which is a de-facto standard, even according to this listing: https://en.wikipedia.org/wiki/Comparison_of_programming_lang...

Btw. if you look at the listing, MOST languages, including commonly used ones, don't have an international or national standard. Many don't even have a de-facto standard. Among them are many tried and battle tested languages.

> and nobody will hold them responsible for the discrepancy.

Anyone unhappy with the implementation is free to fork the project and take it in a different direction. He who writes the code makes the rules. If people are unhappy with that, they can fork, or use another language. And people seem to be very happy with the language: https://madnight.github.io/githut/#/pull_requests/2023/3

> By who? How did you come to this conclusion? There's only evidence to the contrary of your argument.

What evidence is there for the assumption that Go would vanish if Google lost interest?

> This is demonstrably false.

No, it is not, as demonstrated by the example I gave regarding C. The language didn't change much from C99, which itself wasn't that big a step away from ANSI-C. C99 was a quarter century ago, and C remains one of the most used languages in existence.

> To further illustrate this point: today, versions of Python

I am pretty sure I never used Python as an example for this. If you disagree, quote where I did.

> In more broader terms, I have no idea why did you bring C into this argument.

For a very simple reason: To show that languages that a language that is mostly feature-freezed, and so stable that I can run a modern compiler on decades-old unchanged code, and still get a runnable executable, can be, and are, incredibly successful. Go has been called "C for the 21st century", and for everything other than System-Programming, that statement holds true.

fad - an intense and widely shared enthusiasm for something, especially one that is short-lived and without basis in the object's qualities; a craze.

---

I don't think Ruby is a fad. The drop off Ruby had since early 2010s is dramatic, but it stabilized around 5% of all PRs on GH in the last few years:

https://madnight.github.io/githut/#/pull_requests/2023/2

It's still one of the most popular languages for web development.

I would beg to differ.

On Github[0], Go currently sits at #3 for pull request volume (C# is at 10), #3 for stars (C# is at 8), #6 for pushes (C# is at 10) and #6 for stars (C# is at 9). By each of those metrics, Go has a much more vibrant ecosystem than C#.

[0]: https://madnight.github.io/githut/#/pull_requests/2023/2

One measure is git pushes on GitHub. By that measure[0], in Q1 2023, we have Emacs Lisp (2995 pushes) > Clojure (2135) > Scheme (1350) > Common Lisp (236) > Racket (below detection; latest in Q1 2022: 102).

[0]: https://madnight.github.io/githut/

> 20 years ago I might've agreed with you. But I do not think that PHP, BASIC and shell scripting are popular beginner languages in 2023.

PHP and shell scripting are still massively used in 2023 (eg https://madnight.github.io/githut/#/pull_requests/2023/1). You have a point about BASIC but it was the de facto standard for computers at a time when people didn't have the web to quickly look up problems and thus learning to code was much harder. Yet we (in fact I) managed just fine.

> Quotation marks and especially parentheses after function calls don't fit TFA's definition of a sigil because they aren't at the beginning of the word and (arguably only in the latter case) don't communicate meta-information about the word.

I didn't say they are sigils. I said they're tokens. My point was that removing sigils doesn't remove meta-information encoded in magic characters:

- You have `foobar()` where the braces denote (call the function rather than pass the function reference

- "" == string which allows escaping and/or infixing vs '' which doesn't (other languages have different tokens for denoting string literals, like `` in Go)

- # in C and C++ is a marco

- // is a line comment in some languages. Others use #, or --

- Some languages use any of the following for multi-line comments: ```, /* /, and even {} is used. Whereas it's an execution block in some other languages

My point is you have to learn what all of these tokens mean regardless of whether they sit as a prefix or not. The that that they're a sigil doesn't change anything.

The real complaint people are making here is about specific languages, like Perl, overloading sigils to do magical things. That is a valid complaint but, in my opinion, it's a complaint against overloading tokens rather than sigils specifically. Much like a complaint about operator overloading doesn't lead to the natural conclusion that all operators are bad.

> don't communicate meta-information about the word.

We need to be careful about our assumption about whether a token effectively communicates meta-information because while I do agree that some tokens are more intuitive than others, there is also a hell of a lot of learned behaviour involved as well. And it's really* hard to separate what is easier to understand from what we've just gotten so use to that we no longer give a second thought about.

This is a massive problem whenever topics about code readability comes up :)

> I'll agree with you that the line between sigils and general syntax/punctuation is a bit of a blurry one - where do you stop?

shrugs...somewhere...? You can't really say there should be a hard line that a language designer shouldn't cross because it really depends on the purpose of that language. For example the language I'm currently working on makes heavy use of sigils but it also makes heavy use of barewords because it's primary use is in interactive shells. So stricter C-like strings and function braces would be painful in a read once write many environment (and I know this because that was my original language design -- and I hated using the shell with those constraints).

In a REPL environment with heavy use of barewords, sigils add a lot to the readability of the code (and hence why Perl originally adopted sigils. Why AWK, Bash, Powershell, etc all use them, etc).

However in lower level languages, those tokens can add noise. So they're generally only used to differentiate between passing values vs references.

But this is a decision each language needs to make on a case by case basis and for each sigil.

There also needs to be care not to overload sigils (like Perl does) because that can get super confusing super quick. If you cannot describe a sigil in one sentence, then it is probably worth reconsidering whether that sigil is adding more noise than legibility.

> sing my definition above, I think wrapping strings in quotation marks is a clear win because it fits our widely-held shared understanding that quotation marks demarcate and group a sequence of words. Single and double quotes behaving differently is unintuitive for the same reason while not conferring a corresponding benefit on experts.

Here lies the next problem for programming languages. For them to be useful, they need to be flexible. And as languages grow in age, experts in those languages keep asking for more and more features. Python is a great example of this:

- ''

- ""

- ''' '''

- """ """

- f""

...and lots of Python developers cannot even agree on when to use single and double quotes!

I tried to keep quoting simple in my own language but I ended up with three different ways to quote:

- '' (string literals)

- "" (strings with support for escaping and infixing)

- %() (string nesting. For when you need a string within a string within a string. Doesn't come up often but useful for dynamic code. A contrived example might look like: `tmux -c %(sh -c %(echo %(hello world)))` (there are certainly better ways you could write that specific code but you get the kind of edge case I'm hinting at).

As much as languages do need to be easy to learn, they shouldn't sacrifice usability in the process. So it is a constant balancing act trying to make something easy to learn, yet also powerful enough to actually have a practical use. Not to mention the constant push and pull between verbosity where some claim fewer characters (eg `fn` as a function keyword) improves readability because it declutters the screen from boilerplate, while others say terms like `function` are more readable because it is closer to executable pseudo-code. Ultimately you cannot please all of the people all of the time.

The official julia user developer survey for 2022 lists GitHub as the largest platform of people using julia which intuitively also seems fitting to me as it seems like the community is very pro "open code, open science". But checking the GitHub language trends (via https://madnight.github.io/githut/ and https://tjpalmer.github.io/languish/) you can see that Julia has been rather stagnant since 2019 w.r.t. some measures and only slowly growing w.r.t. others.

It seems to me they made the same mistake that I did in my GitHub archive queries, they do not filter bot accounts. JavaScript, without filter, is on top 1 because of dependabot. If you filter all bots then Python is number 1, see: https://madnight.github.io/githut/#/pull_requests/2023/1