+1 to OP's book, which is the best beginner guide I've found for understanding Beancount / plaintext accounting.
I was also confused about double-entry accounting for most of my life until I read the article, "Accounting for Computer Scientists"[0] by Martin Kleppman (author of Designing Data-Intensive Applications). It explains double entry accounting in a surprisingly accessible way by putting it in terms of graph theory. I don't even like graph theory that much or consider myself competent in it, but Kleppman's explanation was extremely effective.
"Quicken is a single-entry accounting system, which means that amounts can appear out of or disappear into thin air. In a double-entry accounting system you can't put amounts in an account without taking it out of another account."
What did you find hard to understand about double entry accounting? Seems pretty straightforward. Every transaction affects at least two accounts, and the total debits must equal the total credits. I can't imagine how introducing graph theory simplifies it, although I trust there are interesting insights none-the-less.
Aside from the fact that writing a book about Beancount is a positive contribution, the author maintains a list of Beancount resources[0] and has written several beancount plugins.[1, 2, 3, 4] I have personally benefited from his contributions to the Beancount ecosystem.
Can you point to some of your contributions to this project?
Dr. Hipp, I love SQLite but also had simonw's misapprehension that the project did not accept contributions. The SQLite copyright page says:
> Contributed Code
> In order to keep SQLite completely free and unencumbered by copyright, the project does not accept patches. If you would like to suggest a change and you include a patch as a proof-of-concept, that would be great. However, please do not be offended if we rewrite your patch from scratch.
I realize that the section, "Open-Source, not Open-Contribution" says that the project accepts contributions, but I'm having trouble understanding how that section and the "Contributed Code" section can both be accurate. Is there a distinction between accepting a "patch" vs. accepting a "contribution?"
If you're planning to update this page to reduce confusion of the contribution policy, I humbly suggest a rewrite of this sentence to eliminate the single and double negatives, which make it harder to understand:
> In order to keep SQLite in the public domain and ensure that the code does not become contaminated with proprietary or licensed content, the project does not accept patches from people who have not submitted an affidavit dedicating their contribution into the public domain.
Could be rewritten as:
> In order to keep SQLite in the public domain and prevent contamination of the code from proprietary or licensed content, the project only accepts patches from people who have submitted an affidavit dedicating their contribution into the public domain.
I've been spending a lot of time experimenting with and learning about Meshtastic and MeshCore recently,[0] and I'm also puzzled by the criticism of Meshtastic.
In the article you linked, there are three paragraphs about Meshtastic in a 150-paragraph newsletter about several topics. The criticism seems to be that they they use digipeating, and then it refers to a Fedi thread[1] which is more coherent but still fairly vague. The upshot seems to be that flood routing doesn't scale, which is a fair criticism but feels disproportionate to the level of vitriol against the project.
The Fedi thread also adds that the Meshtastic founders were rude or unprofessional to him but doesn't cite any specifics or evidence.
I see this a lot with Meshtastic. People keep saying the founders are toxic and disrespectful of the community but it's always in these vague terms so I don't know what's driving it.
But specifically in this thread, I agree with sibling poster that you're being disrespectful and arguing ineffectively by pointing to such poor resources and then blaming other people for being unconvinced or confused.
As I understand it, the section on "what not to do" features many things that Meshtastic does, though it does not say that explicitly. Perhaps the linked post wasn't clear to non hams (it is a newsletter targeted at hams), but the biggest issue is not flood routing, but using the same channel for networking and user access. It, by definition, cannot scale meaningfully. Many commercial networks solve this with either FDMA or TDMA.
Elsewhere in the newsletter, the author advocates for a form of FDMA, where users operate on different, dynamically allocated frequencies and all of them are received at once. P25 trunked radios used by almost all law enforcement in the US operate on a system like this.
I think the vitriol from those who are in the space either professionally or as an amateur comes from the fact Meshtastic is repeating mistakes we knew about in the 80s at the latest, for which reams if literature freely exists.
That's a reasonable take to an extent, but underlying all of that is the assumption that Meshtastic should be trying to scale up to support hundreds or thousands of active nodes on a single mesh. Since that's clearly almost impossible to achieve with an ad-hoc network of low-power LoRa radios, it's not entirely fair to criticize Meshtastic for not inventing a revolutionary solution to a very hard problem.
It would be more fair to criticize Meshtastic for not being clear enough about the tradeoffs and limitations inherent in a low-speed ad-hoc mesh network, and for not actively encouraging people to seek other hardware and software if their use cases are not well-matched to what Meshtastic hardware is capable of. A one size fits all solution simply isn't possible, and Meshtastic can't be the right answer for everyone.
This is also a fair response, however I'd argue that the current architecture, far from supporting hundreds or thousands, won't even support dozens in a small area with meaningful traffic being exchanged (e.g., not just heartbeats and routing data). The solutions exist and no revolutionary approach is needed. That's the crux of the complaints.
Now, for the hobbyist these solutions are harder to implement and that's not nothing, but I don't even see a movement to switch over to something more robust.
> Now, for the hobbyist these solutions are harder to implement and that's not nothing,
I'd argue it's everything. A network architecture that requires serious fixed infrastructure should probably be an entirely separate project from the ad-hoc mesh formed solely by cheap battery-powered portable/handheld gadgets. And everyone should be realistic about what "meaningful traffic" is for a network with a default data rate of ~1kbps; it's not reasonable to expect that to support the kind of chatter a busy IRC server would see.
Have YOU ever tried interacting with the developers? No?
* They made incredibly poorly designed software — the firmware and the mobile apps — and then yell at you for “using it wrong”
* The refuse to admit they made a mistake with the 7 hop limit and call you an idiot for not believing in their garbage “simulator”
* They write nasty responses to app reviews and GitHub issues because they’re petulant children. Just go read the responses, and look at the hissyfit the of the primary app developer in discord.
* They’ve taken down multiple community groups because they decided they needed to be a business rather than an open-source project. Seriously just go look at the history in their discord #trademark channel. They’re on the verge of evil.
All this stuff is available and just because YOU choose to put your head in the sand doesn’t mean it didn’t happen.
While it looks like Meshtastic devs probably made at least some mistakes relating to that underlying complaint, I think that thread provides thorough evidence that banning that particular user was a reasonable choice.
He went off the rails as a reactionary move is how I see it. He got mad because his issue was deleted. I'm banned from the discord for a disagreement with one of the developers; but I've done code contributions to the project as well.
People talk about how productive Fabrice Bellard is, but I don't think anyone appreciates just how productive he is.
Here's the commit history for this project
b700a4d (2025-12-22T1420) - Creates an empty project with an MIT license
295a36b (2025-12-22T1432) - Implements the JavaScript engine, the C API, the REPL, and all documentation
He went from zero to a complete JS implementation in just 12 minutes!
I couldn't do that even if you gave me twice as much time.
Okay, but seriously, this is super cool, and I continue to be amazed by Fabrice. I honestly do think it would be interesting to do an analysis of a day or week of Fabrice's commits to see if there's something about his approach that others can apply besides just being a hardworking genius.
That doesn't mean anything. I quite often start with writing a proof-of-concept, and only initialize the git repository when I'm confident the POC will actually lead to something useful. Common sense says that those files already existed at the time of the first commit.
>The Avelo team was responsive, professional, and took the findings seriously throughout the disclosure process. They acknowledged the severity, worked quickly to remediate the issues, and maintained clear communication. This is a model example of how organizations should handle security disclosures.
Sounds like no bug bounty?
It's great if OP is happy with the outcome, but it's so infuriating that companies are allowed to leak everyone's data with zero accountability and rely on the kindness of security researchers to do free work to notify them.
I wish there was a law that assigned a dollar value to different types of PII leaks and fined the organization that amount with some percentage going to the whistleblower. So a security researcher could approach a vendor and say, "Hi! I discovered vulnerabilities in your system that would result in a $500k fine for you. For $400k, I'll disclose it to you privately, or you can turn me down and I'll receive $250k from your fines."
Yeah, as an American, I'm jealous of many aspects of GDPR. I really appreciate you blogging / tooting about experiences protecting your rights under GDPR. I wish we had 1/10th of the consumer privacy protections you have.
How does security research like this work out in practice, in the EU?
I read a lot of vulnerability writeups like this and don't recall seeing any where the author is European and gets a better outcome. Are security researchers actually compensated for this type of work in the EU?
The GDPR (in art 32) only requires that "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk". I expect it's quite common for a company to get hacked even if they meet that level. I think the parent comment was imagining that any leak is automatically fined, regardless of whether the company had met some security requirement.
No it actually doesn't. It just needs someone in the company executive to not have their head up their ass, and read the law, which is fairly straightforward.
Also, it needs your company's business model to not be selling user data. That's why American companies find it hard to comply with.
> it's so infuriating that companies are allowed to leak everyone's data with zero accountability and rely on the kindness of security researchers to do free work to notify them.
This is a matter for lawmakers and law enforcement. Campaign for it. Nothing will change otherwise
>In the past, our customers have asked us how GitHub views third-party runners long-term. The platform fee largely answers that: GitHub now monetizes Actions usage regardless of where jobs run, aligning third-party runners like Blacksmith as ecosystem partners rather than workarounds.
It does? I feel like it implies that they want third-party runners like Blacksmith out of the ecosystem, which is why they're now financially penalizing customers who use them.
1. Services like blacksmith and WarpBuild (I'm the founder) are still cheaper than GitHub hosted runners, even after including the $0.002/min self-hosting tax.
2. The biggest lever for controlling costs now is reducing the number of minutes used in CI. Given how slow Github's runners are, or even the ones on AWS compared to our baremetal processor single core performance + nvme disks, it makes even more sense to use WarpBuild. This actually makes a better case for moving from slow AWS instances running with actions-runner-controller etc. to WarpBuild!
3. Messaging this to most users is harder since the first reaction is that Github options make more sense. After some rational thought, it is the opposite.
Overall - it is worse for Github users, but options like blacksmith and WarpBuild are still the better option.
The statement regarding the better option is as it stands today and does not account for all possible futures.
Reg. hiking it again, they'd have to either be extremely anti-competitive and selectively apply the pricing OR apply the hike uniformly by about double the current value to match our pricing while making it completely unviable for any large co to use self-hosted github actions in the first place.
I checked the WarpBuild website and got excited because the header in the menu says you have macOS Intel runners, but then you click through and it doesn't seem to be so?
Right now at my company our biggest complaint are macOS Intel runners from GitHub which somehow take 15+ minutes to provision and are the slowest of the bunch.
I can assure you WarpBuild has Mac runners that work very well. When I first switched GH only offered 1 Mac runner and it was horribly slow. Literally cut my build times in half by changing 1 line in my workflow file to use the WB runner.
Nowadays GH has more sizes by WB continues to beat them in price and performance.
It’s highway robbery what GH charges for the crap they provide. I can highly recommend WarpBuild for Mac (and Linux) runners.
That's clearly the case, this is a three-pronged manoeuver :
- Introducing a cheap 1-core runner
- Lowering the price of GitHub-hosted runners
- Making it slightly more expensive to use self-hosted runners
- There is actually a fourth one: the vnet integration, which also allows you to run public runners in your own infra
As a bonus, for some people it means something that was free is now not free. Those who are willing to pay rather than go, might prefer to use GitHub-hosted if they are going to pay anyway.
This is clearly an incentive to use github-hosted, and their sales reps are also going this way.
I was also confused about double-entry accounting for most of my life until I read the article, "Accounting for Computer Scientists"[0] by Martin Kleppman (author of Designing Data-Intensive Applications). It explains double entry accounting in a surprisingly accessible way by putting it in terms of graph theory. I don't even like graph theory that much or consider myself competent in it, but Kleppman's explanation was extremely effective.
[0] https://martin.kleppmann.com/2011/03/07/accounting-for-compu...
reply