I get that they're different, but the whole point is optimization here. They're not gathering performance metrics just to hang them up on a wall and marvel at the number of decimal points, right? They presumably invested all the effort into this infrastructure because they think this much precision has significant ROI on the optimization side.
I'm using "control" in the statistical process control sense, where it means "we can tell if variation is ordinary or extraordinary".
To me it seemed clear that the paper is about detecting regressions, which is control under my definition above. I still think of that as distinct from optimization.
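Concretely, the usual way to draw that ordinary/extraordinary line is an XmR (individuals) chart: derive limits from the data itself and flag points that fall outside them. A rough Python sketch with made-up numbers and the textbook 2.66 constant, not anything taken from the paper:

    # Rough XmR-chart check: points inside the computed limits count as
    # ordinary variation, points outside as extraordinary (worth a look).
    values = [10.1, 9.8, 10.3, 10.0, 9.9, 10.2, 14.7]  # sample data

    mean = sum(values) / len(values)
    moving_ranges = [abs(b - a) for a, b in zip(values, values[1:])]
    mr_bar = sum(moving_ranges) / len(moving_ranges)

    ucl = mean + 2.66 * mr_bar   # standard individuals-chart constant
    lcl = mean - 2.66 * mr_bar

    for v in values:
        kind = "extraordinary" if (v < lcl or v > ucl) else "ordinary"
        print(f"{v:6.2f}  {kind}")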
It often isn't to make things go faster for an individual user (often the driving factor in latency is not computation but inter-system RPC latency, etc.). The value is in bin-packing more requests into the same bucket of CPU.
That can have latency wins, but it may not in a lot of contexts.
I don't agree. This is basically an elaborate form of statistical process control, which has been proving itself useful and effective for nearly a century. We can quibble about the thresholds and false positive rates, but I think the idea of automating regression detection is perfectly sound.
Statistical process control as a concept is a sound idea in theory. When talking about real-world complex dynamic systems like operating systems and processes handling random load, versus things like assembly lines, it's less clear it's on a solid mathematical foundation. Clearly what's happening in that paper isn't starting from some principled idea; instead it's filtering out patterns deemed "noise" and adjusting the levels of those filters to generate "results". I think if you read between the lines it's clear the engineers being supported by this tool aren't really relying on it, which tells you something.
SPC gets used on complex dynamic systems all the time. It takes more work and more nuance, but it's doable. I don't see a categorical error here, it's about fine-tuning the details.
Sure, but WP Engine will need to hire people to work on ForkPress. Or people can start a ForkPress foundation that actually includes stakeholders and get grants to work there. Someone will need to maintain the fork which is definitely coming.
After all, let’s say that WP Engine gives in and pays Matt 10% of their revenue. Then… who’s next? Can Automattic be trusted as a steward of the software, ever? I suppose if Matt sells the company it might be possible. Nope, the fork is inevitable and some company(s) will need to sponsor it.
So have I, and I would still be very tempted to take the 9 months severance.
Don't fool around with tyrants:
With something like this going down, I'd wonder if my employer will even be around in 9 months. I'd also worry that my employer could "go for broke" and just close its doors on me, leaving me with nothing.
Yeah, this job market sucks, but from the outside looking in at Automattic right now, I have a feeling there is more trouble to come. Considering this, I would take the payout as a cushion to find something new, potentially in a new industry outright.
I performed a similar analysis on RubyGems and found that of the top 10k most-downloaded gems, less than one percent had valid signatures. That plus the general hassle of managing key material means that this was a dead-end for large scale adoption.
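For context on the mechanics: a .gem is just a tar archive, and a signed gem carries *.sig members next to metadata.gz and data.tar.gz, so a rough presence check is only a few lines of Python (actually validating the signatures against the cert chain bundled in the gemspec is where the key-material hassle comes in). A sketch:

    # Rough check for whether a locally downloaded .gem is signed at all.
    # A .gem is a plain tar archive; signed gems include *.sig members
    # (e.g. metadata.gz.sig, data.tar.gz.sig) next to the usual contents.
    import sys
    import tarfile

    def is_signed(gem_path):
        with tarfile.open(gem_path) as gem:
            return any(name.endswith(".sig") for name in gem.getnames())

    if __name__ == "__main__":
        for path in sys.argv[1:]:
            print(path, "signed" if is_signed(path) else "unsigned")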
I'm still hopeful that sigstore will see wide adoption and bring authorial attestation (code signing) to the masses.
I don't think Sigstore is a good example. I just spent half an hour trying to understand it, and I am still left with basic questions like "Does it require me to authenticate with GitHub & friends, or can I use my own OIDC backend?" It seems like you can, but there are cases where you need to use a blessed OIDC provider, but you can override that when self-hosting, and there are config options for the end user to specify any OIDC provider? But the entire trust model also relies on the OIDC backend being trustworthy?
The quickstart guide looks easy enough to follow, but it seems nobody bothered to document what exactly is happening in the background, and why. There's literally a dozen moving pieces and obscure protocols involved. As an end user, Sigstore looks like a Rube Goldberg trust machine to me. It might just as well be a black box.
PGP is easy to understand. LetsEncrypt is easy to understand. I'm not an expert on either, but I am reasonably certain I can explain them properly to the average high schooler. But Sigstore? Not a chance - and in my opinion that alone makes it unsuitable for its intended use.
The important difference is that sigstore enables a "single click" signing procedure with no faffing around with key material. How it works is much less important than the user experience, which is vastly better.
> How it works is much less important than the user experience, which is vastly better.
I disagree. If it requires a Magic Trust Box which can be Trusted because it is made by Google and Google is Trustworthy, it has exactly zero value to the wider community. It doesn't matter how convenient the user experience is when it isn't clear why it provides trust.
Let's say I created an artifact upload platform, where the uploader can mark a "This file is trustworthy" checkbox, which results in the file being given a nice green happy face icon in the index. It is incredibly convenient and provides a trivial user experience! And it's of course completely legit and trustworthy because *vague hand waving gestures*. Would you trust my platform?
1. SPC kit [0]. Once made it to the front page! [1]
It's an SQL library for doing statistical process control (SPC) calculations.
This has been a labour of love for about 2 years now. I work on it sporadically. Recently I got more disciplined about what I am working on and I am slowly closing the gap on a first 0.1 release.
2. Finding work. As much fun as it is to tinker, I am nursing the standard crippling addiction to food and shelter. I am also nursing an increasing loathing for LinkedIn and wish to be free of having to check it.
I remember seeing a VMware-internal presentation on the DDlog work which led to Feldera and being absolutely blown away. They took a stream processing problem that had grown to an hours-deep backlog and reduced it to sub second processing times. Lalith & co are the real deal.
This description isn't too far from bitemporal tables, which are one of my favorite obscure technologies.
I think, though, that one distinction is that immutability in this case requires cooperation from the client, a commitment not to modify existing records, as compared to the database enforcing it.
I didn't mention it, but in this particular service, no client actually had SQL access to the database. There were create/read/update/delete service functions that clients used instead.
The timestamp for a tuple was returned by reads, so when a client wanted to update/delete a tuple, the service functions all required the client to provide the timestamp from that read. If the timestamp argument wasn't the most recent, the actual database insert would fail, and the client had to deal with that.
Importantly, this particular service had only a few internal clients who almost 100% "owned" the tuples the client worked with. So there wasn't a lot of contention for any specific tuple by multiple clients.
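Roughly the shape of it, as a sketch (SQLite and all the names here are just for illustration, not the actual service): every write appends a new version, and the insert only goes through if the caller's timestamp is still the latest one.

    # Sketch: append-only updates with the caller's last-read timestamp
    # acting as an optimistic concurrency check. Names are illustrative.
    import sqlite3
    import time

    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE items (
        id INTEGER NOT NULL,
        updated_at REAL NOT NULL,
        body TEXT NOT NULL,
        PRIMARY KEY (id, updated_at))""")

    def read(item_id):
        # Return the latest version plus its timestamp; the client must
        # hand that timestamp back when it wants to update.
        return db.execute(
            "SELECT body, updated_at FROM items WHERE id = ? "
            "ORDER BY updated_at DESC LIMIT 1", (item_id,)).fetchone()

    def update(item_id, body, read_ts):
        # Insert a new version only if read_ts is still the newest one.
        cur = db.execute(
            "INSERT INTO items (id, updated_at, body) "
            "SELECT ?, ?, ? WHERE ? = "
            "  (SELECT MAX(updated_at) FROM items WHERE id = ?)",
            (item_id, time.time(), body, read_ts, item_id))
        db.commit()
        if cur.rowcount == 0:
            raise RuntimeError("stale read: the tuple changed since then")

    db.execute("INSERT INTO items VALUES (1, ?, 'v1')", (time.time(),))
    body, ts = read(1)
    update(1, "v2", ts)        # succeeds
    # update(1, "v3", ts)      # would fail: ts is no longer the latest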
> There were create/read/update/delete service functions that clients used instead.
Oh! I haven't seen this pattern in a long time - not since I worked on Oracle Application Express apps. In a cousin comment I noted that the bulk of app developers don't think about how to use the database to their advantage.
This could be enforced in the schema via triggers and/or security permissions. Cooperation from the client is not required.
EDIT: Oracle has append-only tables, and can also use "blockchain" to verify integrity. See the IMMUTABLE option on CREATE TABLE[0]. PostgreSQL doesn't appear to have append-only tables, so using security and/or triggers seems to be the only option there.
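A minimal sketch of the trigger approach (shown with SQLite via Python's sqlite3 purely so it's runnable as-is; in PostgreSQL the same idea is a plpgsql trigger function that raises an exception):

    # Enforce append-only semantics in the schema itself: inserts are
    # allowed, updates and deletes are rejected by triggers.
    import sqlite3

    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE events (id INTEGER PRIMARY KEY, payload TEXT);

    CREATE TRIGGER events_no_update BEFORE UPDATE ON events
    BEGIN SELECT RAISE(ABORT, 'events is append-only'); END;

    CREATE TRIGGER events_no_delete BEFORE DELETE ON events
    BEGIN SELECT RAISE(ABORT, 'events is append-only'); END;
    """)

    db.execute("INSERT INTO events (payload) VALUES ('ok')")   # allowed
    try:
        db.execute("UPDATE events SET payload = 'tampered'")
    except sqlite3.DatabaseError as e:
        print("rejected:", e)                                  # rejected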
You're correct, I overlooked triggers. That may be a bridge too far for some folks, though; triggers are only really comfortable for people who are deep on RDBMSes. For lots of app developers, the ORM is the limit of the world.
ORMs could offer a unique advantage here by letting the user describe an append-only table and then generating the required triggers (or the appropriate CREATE TABLE options). They'd also be able to include helpers to make working with the table easier, like defaulting to selecting only current rows, or an easy way to ask for rows as of a certain point in time.
I'm not sure if any ORMs actually support this though.
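To be clear about what I mean, this is only a sketch of what such helpers might generate at the query level; the valid_from/valid_to schema and the names are made up, not from any real ORM:

    # Hypothetical query helpers an ORM could generate for a versioned,
    # append-only table. Schema and names are assumptions for illustration.
    import sqlite3

    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE accounts (
        id INTEGER, name TEXT, valid_from INTEGER, valid_to INTEGER);
    INSERT INTO accounts VALUES
        (1, 'old name', 100, 200),   -- superseded version
        (1, 'new name', 200, NULL);  -- current version
    """)

    def current(account_id):
        # Default view: only rows that have not been superseded.
        return db.execute(
            "SELECT name FROM accounts WHERE id = ? AND valid_to IS NULL",
            (account_id,)).fetchone()

    def as_of(account_id, t):
        # The row that was current at time t.
        return db.execute(
            "SELECT name FROM accounts WHERE id = ? "
            "AND valid_from <= ? AND (valid_to IS NULL OR valid_to > ?)",
            (account_id, t, t)).fetchone()

    print(current(1))      # ('new name',)
    print(as_of(1, 150))   # ('old name',)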
I suspect there have been a great many examples and attempts at the ORM level - this one with "bi-temporal chaining" springs to mind: https://github.com/goldmansachs/reladomo
> Computer game software, [ computer game discs, ] downloadable computer game programs, computer game software downloadable from a global computer network, electronic games software for wireless devices, interactive multimedia computer game programs, mousepads, computer mouses, headsets for use with computers, computer keyboards
> Printed matter, namely, [ computer game strategy guides, ] comic books, graphic novels, novels, art books, calendars, posters, [ notebooks, ] and stickers
> Entertainment services, namely, providing on-line computer games; Providing computer games that are accessed via a global computer network
> Clothing, and headgear, namely, caps, hats, hooded sweatshirts, jackets, sweaters, and T-shirts
> Toys, games, and playthings, namely, action figures, collectible toy figures, dolls, plush toys, and vinyl toy figures
I'm saying they shouldn't be worried about being sued by Blizzard. This software is not a video game or related merchandise.
Trademarks do not cover all uses of a word -- they only cover the use of a word in relation to a particular field of commerce. This is, likewise, why your grocery store can sell apples without being afraid of the equally litigious Apple Inc.
What about WWF? I always thought you'd have to be a complete imbecile or willfully dishonest to confuse the World Wrestling Federation with the World Wildlife Fund, yet here we are.
Having control lets you see if things changed. Optimization is changing things.
This team seems to be focused on control. I assume optimization is left to the service teams.