> One-way fares from €59.99 second class or €69.99 first class.
The “from” bit is worth to stress here: with DB (German railway company), one-way fares may be up to €233.00 for second class or €384.00 for first class, depending on demand, the cancellation policy you choose, and how long you book in advance. Seat reservations are extra.
I travel from Zurich to Hannover fairly regularly (about 7 hour train journey) and it generally costs 59 to 89 EUR each way first class, booked supersaver (fixed train) a week or two in advance with a 1st class Bahncard 25. The return is usually in the region of 140 to 160 EUR.
From my point of view, DB trains are cheap, and first class is reasonably comfortable with a power point and meals ordered to your seats.
Punctuality is a different matter of course.
(I just checked the prices for a late January return trip I'll be doing, and right now it's 100 EUR return, 53 / 47 for the legs.)
as a frequent and spontaneous traveler, i was never able to book fixed trains so far in advance. this inflexibility adds stress that i really would like to avoid. it ruins the experience because it takes away the spontaneity
I pay more than that to go back to my hometown by TGV which is less than 200km away from Paris and that’s with a subscription giving access to preferential prices.
There is no way Paris-Berlin is going to be this cheap. From experience I expect the train to be at least twice more expensive than flying.
Having worked a few years with SNCF, it can’t be otherwise. It’s the most mismanaged company I have ever worked for, gangrened by unions which fight tooth and nails to preserve advantages which reasons to exist disappeared decades ago. Unions review the full trains planning with management before it’s validated and veto any optimisations which would cut overtime or might impact compensations without any regards for customers. It’s revolting.
Before leaving France I often travelled by train and felt exactly the same way: a total ripoff for the service they offer...In Spain you'll also get trains that arrive late but they're usually cleaner and the price is much more affordable, and they don't go on strike as often as in strike land.
I've read about that, and it definitely seems like a shit show. It's about time these things change. Since I got here I mostly travel by train and I know that it's a privilege, it should be the norm in these developed countries. Anyway, hang in there and good luck.
> gangrened by unions which fight tooth and nails to preserve advantages which reasons to exist disappeared decades ago. Unions review the full trains planning with management before it’s validated and veto any optimisations which would cut overtime or might impact compensations without any regards for customers. It’s revolting
I've heard that before, but usually from the crowd that wants to privatise the whole country anyway. I understand that you're claiming to have witnessed it, but do you have some sources?
Surely, the amount of money they pour onto Cap Gemini and many other consulting firms to rebuild existing systems instead of having teams in-house who could maintain them must have an impact on ticket costs...
> I understand that you're claiming to have witnessed it, but do you have some sources?
I have witnessed that and more like optimisation software being disabled to avoid cutting into overtime. Just go take a look at how drivers are paid and where their comp comes from. It’s all public knowledge. Take a look at the recurring reports from the court of auditors or talk with anyone working there.
We are talking about a company in which the two main unions are openly Trotskyist and which has a permanent strike warning by rotating between union to open one in defiance of French law.
This is not drum beating for privatisation by the way (even if all the formerly public French companies I had the misfortune to work for are fairly mismanaged but nothing as bad as SNCF thankfully). I am sure with enough reforms it could work while being public. I mean Singapore manages so it’s not impossible.
It’s just impossible to wonder why France is in such a sorry state after having working for anything publicly managed in France. The French state carves exception for itself in all the labour laws because they know their administration is so poor they can’t respect them.
As an American reading this I feel like there's some nuance being lost in translation. Taken to their logical extremes we've seen what things like optimization software (East Palestine), banning strikes (PATCO and current ATC staffing woes), privatization (ATC again — see any video on youtube about the KSQL controller), and weak labor laws (pretty much every fatigue related crash e.g. Colgan Air) bring about. And it's not pretty.
Certainly privatization can work. JR seems to have a decent reputation (obviously not without fault). But gaming things like overtime rules is a cultural problem, one that you're not going to solve with mandates or privatization. For quite a while the drivers at San Francisco's public transit agency were forbidden to strike. Instead you'd get sickouts and work slowdowns.
The working conditions at SNCF are not even imaginable for an American.
We are taking unlimited sick days, between 28 and 38 days off a year excluding sick days, 10 bank holidays, retirement between 50 and 60 with pensions calculated on the last few years of work, subvention on train tickets for family members. That’s while working less than 40 hours a week and despite that they still manage to strike at least a week a year generally when it’s the most annoying for people actually working.
> between 28 and 38 days off a year excluding sick days, 10 bank holidays
25 days is the legal minimum, more is common in many industries, including most engineering fields. Of course we all have the same bank holidays in the country.
> retirement between 50 and 60 with pensions calculated on the last few years of work
Yep, that's a good one. A relic from when their life expectancy was much shorter due to coal. Indeed that's hard to justify.
> subvention on train tickets for family members
Annoying too... but I'm not sure it's significant.
> That’s while working less than 40 hours a week
The legal working time in France is 35h/week, if you do more than that your employer must compensate in a way or another. That SNCF abides by that law isn't shocking, what is shocking is that our NHS doesn't.
> they still manage to strike at least a week a year generally when it’s the most annoying for people actually working.
The latest strike was about the freight branch that is being sold to competitors to please the EU commission... Not exactly a request for more champagne next to the coffee machine of the drivers. [0]
I, too, dislike the SNCF because my trains are unreliable and expensive, and their customer support is absolute rubbish, but you clearly are arguing in bad faith and repeating whatever is in our current wave of reactionary media, all without having provided a single source yet.
You do realise that I’m not arguing in bad faith but pointing things which are not obvious to our American friends who often have 10 days of leaves including sick days. I know that the working conditions in France are insane for everyone. Still they are even better for cheminots. Even you have to acknowledge it reading my comment (and no advantages for family members are not negligible).
I have given sources: I told you to go read the reports for the national court of auditors.
Nothing of what I wrote is reactionary by the way. I have actually worked for the damn company which is a lot more than you can say.
> The latest strike was about the freight branch that is being sold to competitors to please the EU commission
The heart of the issue is that the drivers are not going to be cheminots anymore. It’s entirely about champagne and coffee machines. They are worried that it’s going to end like Geodis, which is profitable while being owned by SNCF, because it’s out of the circus and operated like an actual private company, which, Sud and CGT being good communists, is the worst thing imaginable.
The price really depends how much in advance you are booking, DB price are outrages on the same day but unbelivable cheap three weeks before, i really dont get the business logic behind that, the spread is like 19.99 to 240
That's not my experience at all. I live in France with no car and I don't fly domestic (obviously).
I'll do Paris to Lyon (400 km) during peak holidays in next few days. That's €192 back and forth, for 2 persons. And I don't have any preferential prices.
I'll go further than Lyon, right to a ski station actually. That's another €100 for 2 persons, back and forth.
So that's about 1300 km at €150 /pax at one of the most expensive time of the year.
I agree. While it’s probably not possible to settle on defaults that work for each and every scenario, my personal preference is that factory defaults should tend to optimise for safety primarily. (Both operational safety, but also in regards to usage.)
For example, OP suggests setting the `synchronous` pragma to `NORMAL`. This can be a performance gain, but it also comes at the cost of slightly decreased durability. So for that setting, I’d feel that `FULL` (the default) makes more sense as factory default for a database.
While that may be a cute pun (but probably also only if you know the “like tinder but for meal planning” backstory), I think their current name is a much better choice overall, as it’s clear and concise on it’s own.
> Oh God it’s even got a subscription for it. This app is literally garbage.
Can you elaborate on why you think it’s “garbage” when an indie dev is trying to make money off something they created? May I ask what you do for a living? (Just curious.)
First off, great job misrepresenting my point! Secondly, let me ask you this: did you spend the money on the app? I’m going to assume no, just for the sake of argument, since obviously you’ve bought it and will pay for many years to come since you want to support an indie dev.
But again, for sake of argument let’s say you didn’t, why not? Because at its core you didn’t find it valuable. But they deserve to make money off their creations right? So by your logic everyone should buy this, regardless of value, because they deserve the money. Except they don’t. They have a right to charge $20/yr for an app they made in a weekend, and I have every right as a consumer to refuse that and even mock it. Especially when they make poor business decisions such as taking on unnecessary fixed costs and limiting themselves to ~50% of the market. This is what they call the free market, and I suggest you go back to Econ 101 if you don’t understand.
As for what I do for a living: I provide value to others and receive monetary compensation in return, something this app fails to do.
Personally, I think the pricing issue is related to the web app issue from the parent comment.
Even as a free iOS app, there is the $99/year Apple Developer fee, on top of any server costs.
Meanwhile, a web app can be used by anyone on any device, and if designed properly, can be hosted for free on a number of platforms.
If the goal is to make money from casual users, an indie iOS app is the move.
... But that would not fly for what I presume to be a very large fraction of the HN audience that lives and breathes code. What could have been an interesting and tweakable open source project built in a weekend, sold as a closed untweakable app at a $20/year subscription, only for iPhones? That would certainly be quite a bold sell.
That was covered in the article, but as the author was already older than 30 years, it wouldn’t have been applicable for them. It also seems the Working Holiday visa is intended for “employment as an incidental activity of their holidays for the purpose of supplementing their travel funds” [1], whereas the author rather appeared to be looking for a “working full-time with some incidental holidays alongside” situation.
The Elastic license doesn’t use the term “competitor”. To me, the definition of the limitation is actually pretty clear:
> You may not provide the software to third parties as a hosted or managed service, where the service provides users with access to any substantial set of the features or functionality of the software.
It doesn't use the word, but "access to any substantial set of the features or functionality of the software as a hosted or managed service" is a specific kind of competition, and who is a competitor can change at any time depending on what functionality Elastic adds, even if you had reimplemented some of the enterprise functionality in a private fork.
Imo "substantial set of features" is pretty ambiguous. If you're using search software, then you have a search use case in your product. At what point does your product cross the threshold into a competitor?
It seems risky to use in anything exposed as a customer facing feature
Search may be 10% of your software but what if your software is a managed email provider (or really anything) and you're pretty much exposing Elasticsearch directly through a minimal interface?
I think it’s cool how the process of submitting feedback is quite straightforward and low-friction!
One question: is the layout of the widget customisable? I.e., mainly the font and colours? Because while the “splashy” comic-style makes for a refreshing change on the one hand, I could imagine it might not be appropriate in all contexts.
The same is true, by the way, for the entire landing page and the docs. It looks fun and distinct, but I also had some slight troubles to parse the structure and find my way around.
1. What would happen in the event when the private key was leaked? Is there any scenario for invalidating or rotating keys?
2. For verifying the proof file, it seems like the URL for obtaining the signature key[1] is read directly off the proof file[2]. Wouldn’t that allow an attacker to publish proof files that point to their own server, hence allowing the attacker to sign fabricated files and still make them pass the automated validation?
Good questions. I suppose both of these issues could solved using standard x.509 certificates, which may be the next step for TimestampIt. I wanted to avoid using certificates to keep things more simple but it does leave open some issues.
To more directly answer your questions:
> 1. What would happen in the event when the private key was leaked? Is there any scenario for invalidating or rotating keys?
Right now there is no good means of invalidating a key. There is key rotation however, and upon key rotation the private key is completely deleted from all places it is stored. So I am doing everything I can to minimize exposure of the private key, but of course nothing is fool proof.
> 2. For verifying the proof file, it seems like the URL for obtaining the signature key[1] is read directly off the proof file[2]. Wouldn’t that allow an attacker to publish proof files that point to their own server, hence allowing the attacker to sign fabricated files and still make them pass the automated validation?
This is a good call out. The verification scripts should check that the key-url has a trusted domain on it. I will make those changes soon.
For anyone (like me) wondering why PDFs would need to support JavaScript in the first place, the main motivation/use-case appears to be validation and interactivity of embedded forms.
I've seen javascript in PDFs be used for unintended exploits more often than every legitimate use combined. It's kind of like if JPEGs could run arbitrary code by design.
I guess this was specified in a time when nobody thought it would one day be possible to embed an SVG document in an HTML DOM and add animations and interactivity in a performant way there.
ninja edit:
It's also from a time when W3C started to lose focus and authority.
It's amazing that SVG was so successful despite this mess and also the confusion potential of CSS in SVG.
Browsers ignore scripts in external SVG images. Don't know if that is for security reasons (JS sandbox unreliable) or because a full isolated JS context per image would be to expensive...
Wasn't there also a time where you could open a raw socket with SVG? SVG is very much from a time when we didn't know what the web was going to be or how it was going to work.
The core issue iirc was that one of the major use cases for SVG was map/navigation systems where a number of environments required fully standardized systems. But they didn’t want to say implement a full browser stack”, so they just came up with their own “networking api” that was just “sockets!”.
A lot of this work predated html5, and the subsequent rationalization of web specs such that (for example) the xhr API was not fully specified, and it was not a separate specification from the rest of the browser stack, so SVG couldn’t just do what they could (in principle) do now.
The SVG WG was not the most functional - i recall that something a subset of the committee did at one point was to after the end of one person’s work day they rescheduled a meeting to later “that day” (while they were asleep) and took a vote without them present.
A number of other choices were made to the detriment of the spec for specific use cases (the various performance profiles have fundamentally incompatible rendering behavior rather than gradual decay, etc)
Compression: for some images, you can't use SVG's <use>, but a small script can generate the repetitive bits quite nicely. Also, aperiodic animation (e.g. a double pendulum): SGML animations can represent a few minutes, but don't try putting a few hours' worth in.
PostScript, the printer file format, is Turing-complete, for different reasons.
I knew a guy who wrote a PostScript document that was a map of the sky at that moment. If you rendered it an hour later it was different again. It used the `file` capabilities of host-based interpreters.
There are "legitimate use cases" for just about everything imaginable on this planet because there will always be a user that goes "I spend all my day in X software wouldn't it be great if it could read my email/monitor my plants/talk to sales/..".
That's how cursed enterprise software develops email clients and chat services. Just say no.
I understand the motivation, but IMHO a PDF should be a static document, hence, something you can trust without worrying.
Since they can contain code, they can carry malicious code. PDFs have, in fact, been used for exploits. Meaning that you shouldn't really trust them. Which is a shame.
Iphones don't support JS in PDFs, but yet an integer overflow in image decompression code led to a zero-click imessage exploit.[1] So lack of explicit code support doesn't mean you can trust without worrying. Bugs can be anywhere. Iphones have been known to have crash-causing bugs in unicode-handling code.[2] So even just text could be a problem. Disclosure: I work at Google but not on Project Zero.
JS in PDF might be a mis-feature, but any security lapse is indeed a bug in the implementation (made doubly worse by firefox running the JS in a web context).
Yes, removing JS support would get rid of potential security exploits. It doesn't change the fact that said exploits rely on bugs in the implementation.
That's true, but it misses the point that scripting adds orders of magnitude greater complexity to the attack surface.
Fixing other kinds of bugs is fairly straightforward. Update your toolchain, update your dependencies, use the right dependencies, avoid undefined behavior, etc. Fixing scripting issues means participating in an active arms race.
There does seem to be a mismatch between what PDFs are mostly used for, and their full capabilities.
IMO it’s be nice to define a file format for PDFs main use (I think?), papers and documentation. PDF, scripting, but maybe the ability to zoom and pan figures?
In the engineering world outside software, our cad tools generate rich interactive functionality into PDFs, including but not limited to 3d models for those doing mechanical work.
I've known about those capabilities for a long time and I've always wondered: How commonly is that used? For what use case(s)? What makes PDF the format of choice for that purpose and not, for example, a CAD file? What PDF apps are popular for creating and using those files?
The “from” bit is worth to stress here: with DB (German railway company), one-way fares may be up to €233.00 for second class or €384.00 for first class, depending on demand, the cancellation policy you choose, and how long you book in advance. Seat reservations are extra.