47 comments

[ 4.2 ms ] story [ 95.0 ms ] thread
Don't see this happening scientists are totally happy installing R or Matlab etc. Often a lab even sticks with windows b/c of some drivers for a sensor that only exists for windows
One thing that I found mind blowing initially was that unbricking my pixel 5 involved simply going to Google's install page for it in Chrome with the usb connected and it reflashed successfully.

Of course, there's nothing fundamentally new there, I'm sure Java applets could have done it on a serial port if somebody tried, but it was impressive given how gimped most os-level access is in a browser.

So I would imagine you could write just enough webusb code to get new instruments to work that you wouldn't need local apps as a manufacturer.

> So I would imagine you could write just enough webusb code to get new instruments to work that you wouldn't need local apps as a manufacturer.

Yes, delivering device control software in a browser with webusb from a cloud platform will usher in a whole new chapter of keeping people from truly owning the scientific research equipment they have procured!

Which means I'll never ever buy it with my own money! But it'll be cross platform for orgs that decide to invest in them.
This is the process for the Stadia controller unlocking tool as well.
The knife cuts both ways, though: webusb / webhid / webmidi allow raw access to physical devices which weren't designed for it, and therefore don't have any protections for it. You're just one nag screen away from having your devices be permanently hacked by some random website.

It's quite worrying seeing the Chrome team have such blatant disrespect for basic security. Rather than using an allowlist for known-good devices or using some kind of handshake to validate the device is okay with a certain website talking to it, they use a blocklist to prevent a website from messing with things like keyboards/mice/u2f keys. It's a massive footgun waiting to go off.

Firefox refuses to implement those APIs due to security concerns, and until they do a serious design overhaul it'd probably be better if Chrome hid it behind a default-off feature switch too.

Not to mention how data can be leaked back to the hoster via steady stream of URLs.
I'm pretty sure I did have to give permission for this to work, and my default instinct for such requests is to say no or close the page immediately, unless it's something I actively want, like in this case. I take your point though, I'd prefer that there were a whole other page I had to go to and enable something like this.

On the other hand, I've always hated how even something I've written for myself can be hobbled at the alter of security out of religious zeal. At one point you really couldn't access local files, although the orthodoxy has now shifted. I just wish it were easy to just point to a directory and say that's all you're getting, but do whatever you want in there.

From what I see helping some friends not well versed with programming doing their PhDs, FORTRAN still has a lot of penetration with scientists. Lots of climate models are FORTRAN code.

Also, through helping them I can see the dire state of scientific code, it's a mess, if departments had the budget to employ 1-2 professional programmers to help them mentor staff it could be extremely helpful for science code to be more easily shared and reasoned about, some of the code I've seen is basically throw away code after the contributors aren't around anymore...

A lot of scientific code is worse than a mess, it outright doesn't work and yields incorrect results, a problem which is then routinely covered up. I've seen this first hand :( The worst part is that universities don't realize how much they don't know. On the rare occasions outsiders notice what's going on they are faced with a wall of baffling excuses and justifications for why so much doesn't work, like "if it didn't crash it must be correct" or "scientists don't need unit tests, we just look at the results and know they are right because we're experts". Academics are happy to pronounce that professional coders can't judge the correctness of their work and do so loudly and publicly.

As for money, well departments do have the budgets to hire developers. Science funding is in the high billions in most western countries. The problem is not departmental budgets, it's a social problem. Universities love the practice of spreading money amongst as many professors and tiny departments as possible in order to lay claim to every possible area of human knowledge/experience. Combine that with a culture of low standards and coverups and you've got a recipe for disasters (e.g. invariably critical bug fixes that corrupt data are described as not affecting the final results even when that clearly can't be true).

I have the same experience in a psychology faculty. I helped a PhD student who was working on some MATLAB code. The amount of code I had to write for something similar as they were doing was orders of magnitude lower, and faster to write. But they spent months hurting their brains and therefor thought they were doing something really smart. There was a lot of micromanagement of clueless researchers, and the consequence is that everything had to be done the exact same way as the more experienced members of the lab did previously. This was the most wasteful work organization I've seen in my life, but there was little awareness of it, compared to other state-subsidized projects.
Some departments are starting to hire programmers. There's an effort to define this as a (broad) job category under the heading "Research Software Engineer":

https://society-rse.org/ https://us-rse.org/

Institutional support varies widely; some projects or teams are rather well funded for big projects and senior talent, while at other schools, the cost structure is more aimed at "one off" projects staffed by more recent graduates.

A recent grant is trying to fund this work at several schools with a history of well organized services: https://www.schmidtfutures.org/our-work-old/virtual-institut...

That's been around for a while but the pay for these roles is very uncompetitive, and universities don't care if professors don't do it. It doesn't make any difference to whether you get published or not so it'll probably remain niche.

Now, if journals start rejecting papers because the code isn't provided or because it was provided but professional software engineers reviewed it and gave it a thumbs down, that'd change. But journals struggle to keep obviously AI generated material out of their pages, so they aren't going to do anything like that.

It depends. Some of the foundation-funded positions are competitive, and a few centers have surprisingly professional leadership. People are trying to organize, and- even if it's an uphill climb- there's been some improvement at the edges.

Anecdotally, some of the RSE leads I've spoken to are seeing more long-term demand than they predicted, which might lead to more room for senior roles. Currently quite a few teams (outside the big centers) seem to be priced way too low, usually explained as because they're testing the waters.... so "cheap student labor" and "one off project" is what they can afford.

Minor heretical aside: one thing I miss about old twitter is that academia was developing a real "second layer" on top of journals, where things like reproducibility could be discussed publicly. PubPeer is a partial solution, as are GitHub issues... if enough gatekeepy people really see value in code quality, norms will shift with or without mandates.

What's different about current Twitter/X in that regard? I see reproducibility and other science problems discussed there sometimes.
A lot of the audience fragmented for various reasons, and even within the same discipline, not everyone has converged in a new place yet. I'm told mastodon got more CS/phys science people, and Bluesky got more social scientists. That's a shifting landscape though.

There was one obvious place to look for these discussions; now there are many. Changes to search tools and API access didn't help discoverability either.

Some of the departures are for practical reasons: Twitter regularly changes the rules around logged-in viewing, direct links, and promotion/ordering of posts in ways that create friction for people trying to engage in public outreach. ("this method worked yesterday" should refer to the software, not the communication, thank you very much!)

Possibly something about the way women and blacks and jews and gays and trans people and other minorities are being regularly and systematically and reproducibly attacked and harassed by neo-nazis and MAGA trolls who Elon Musk retweets and supports instead of discourages and bans that turns academics off from Twitter/X.
Research software engineers are paid what they are worth. Typically a bit more than a postdoc, but not that much more. The problem is that the academia is a cash-starved environment, and everyone's work is worth much less than similar work in the industry.

Another problem is the PI-centric model. Most of the funding goes to individual labs. If a typical grant is $200k/year, you are not going to pay competitive salaries. And you're probably not going to hire a software engineer, because then you won't have anyone doing the actual research.

I think that's the rationale behind organizing separate teams as service organizations (mini contractors who serve multiple PIs).

Other option is research "centers" with multiple PIs. Not an option for most fields, but a few, like bioinformatics, can justify both the cost and the shared employee.

Uh, why would "profession coders" be able to check the work? Given "floating point is weird" articles appear here regularly, and the comments show widespread misconceptions about how they work, I'm not sure adding random software engineers to the process would help in some way.

Also, most research funding is tied to specific projects, and the amounts tend to be quite small.

The buggy model I reviewed had, amongst other problems, floating point non-determinisms. The average software dev is going to be better at this stuff than someone who only learned enough to make some numbers appear on screen, and are those numbers right? Well, hard to say, probably doesn't really matter.
I get the impression that you think that Fortran is a bad language for science.

Modern Fortran is a nice language for many scientific computing tasks. For me, I like Fortran because it's basically the easiest statically-typed compiled language (I rarely have to think about pointers, for instance), it's basically as fast as C, it has some good features for my variety of scientific computing (arrays in particular), and it has many compilers. Certainly, a better language could be designed without the legacy baggage and some features I'd like (better generics in particular), but I haven't seen anything better yet myself.

Now, legacy FORTRAN (note caps) is often a mess. It wasn't until the Fortran 90 standard that the capitalization changed, and the language changed a lot with that standard as well. I suspect the issues that you're seeing are more from many scientists not modernizing, and not from Fortran in itself.

No, not at all, I didn't want to imply that, simply noted that Fortran is still used a lot in science and that scientists would greatly benefit from programmers to mentor them on how to write code in whatever language in a better way.
https://software-carpentry.org/ has been around for over 10 years.

Also, software engineers without the requisite background are usually worse for a project (and for teaching researchers) than anyone else.

Enterprise companies have huge issues with installing, securing and maintaining open-source software though. Using browser based tools doesn't really resolve the underlying organizational and competence issues, but at least it lets people do their jobs.
> For instance, modern operating systems can handle 64-bit numbers. WebAssembly, however, is limited to 32 bits, and can access only 232 bytes (4 gigabytes) of memory. Furthermore, it cannot directly access a computer’s file system or its open network connections. And it’s not multithreaded; many algorithms depend on this form of parallelization, which allows different parts of a computation to be performed simultaneously. “A lot of older code won’t compile into WebAssembly, because it assumes that it can do things that can’t be done,” Stagg says.

I am surprised by the memory and 32 bit limitations... Are there plans to overcome them?

Edit: found it, https://github.com/WebAssembly/memory64

The quote is a bit misleading. Traditional WASM (wasm32) does have 64-bit numbers (both a 64-bit integer type, and 64-bit floats), but the address space is limited to 32-bits (and thus pointers are 32-bits too).

AFAIK the downside of wasm64 is that it cannot use some virtual memory tricks to get rid of software range checks, so if memory access performance matters and a large address space isn't needed it probably still makes sense to stick with wasm32 even when wasm64 is available.

PS: see discussion here: https://github.com/WebAssembly/memory64/issues/3

>Furthermore, it cannot directly access a computer’s file system or its open network connections.

Those are its two strongest features, not bugs. If you're not going to respect those, just use native code, and the broken ambient authority model of computing, which never works out in the long run.

Edit: The article doesn't focus much on these limitations, but I think that putting up with the current limitations of WASM in terms of memory size or lack of threading might suck, but it's worth the ability to just try things out and run them without risking your whole computer.

Younger folks who never had a PC with only write protectable floppy drives missed out on a wonderful care-free period when you could just TRY OUT any new software, and your other data was safe, no matter what.

I agree about the disk and networking access limitations, was mainly concerned about the 32/64 bit limitations and the memory
> Younger folks who never had a PC with only write protectable floppy drives missed out on a wonderful care-free period when you could just TRY OUT any new software, and your other data was safe, no matter what.

This goes so far now with sandboxing and virtual machines. I think the experience spawning VM to run and test new software is annoying but I guess it is still better than the annoying stuff from that era.

Disclaimer: I am one of those younger folks and probably naive in terms of that era.

We didn't have magical slabs of glass that could emulate a whole VAX VMS 11/780 system as a fun exercise in nostalgia, like my cheap ass Motorola phone can ;-)

We were living in an era where floppy disks were so much faster than punch cards, paper tape, cassettes, or just typing in programs after boot.

VMs and Sandboxes get close, but there's always the danger of virtual machine escape. WASM should be able to get us there, if we can keep people from wanting to make it Posix compatible and giving it file/network access.

It's so appalling to me to see such brazen advocacy for read only computing. This is such a teenie tny narrow little window of computing. Nothing should be consigned to sch irrelevances.
Back in the read-only OS days, we had a crude, but extremely effective capability system. I'm not asking for a return to 1985, but I do want things to be as safe now as they were back then. While there are places for things to hide in hardware now that didn't exist back then, the operating system models haven't been updated in 40 years, in terms of the use of the users authority.

It's equivalent to handing your wallet to the cashier any time you make a cash transaction... which nobody does except as a last resort in extenuating circumstances.

Strangely enough wasm might get support for 64 bit ints, but their native R code won't.
Wait, can't web assembly use workers? It would be the same kind of architecture like with workload shared over a range of devices and receiving responses in random order, but in this case from worker threads
> Some would use laptops, others would opt for tablets or mobile phones. Not all of them could even use the programming language that was the subject of the test: the statistical language R. “We had no control, really, over what devices those students were using,” says Stagg.

Surely the problem here is much bigger than WebAssembly vs native code. What does it even mean to give students a test on using a software package if they aren't even willing to buy a computer? How are you supposed to do professional stats work after university on a mobile phone? They don't even expose a file system.

Learning how to use a full workstation-class computer is a basic pre-requisite of doing science and many other types of professional work; these universities are just hopelessly lost if they're not making that clear to students up front and requiring or provisioning the equipment they need. Degrees awarded on the back of tests like these are worse than useless, they're outright deceptive to future employers. If someone claims they studied scientific computing and then turned out to not understand files, folders, packages, multiple windows and other basics then they'd be completely unable to do the job.

> How are you supposed to do professional stats work after university on a mobile phone? They don't even expose a file system.

Mine does.

>How are you supposed to do professional stats work after university on a mobile phone?

Generally your employer or institution will supply you with a computer (or access to one in the case of students)? The test described was devised during the lockdown because people didn't have had access to the university's facilities.

Doom can run on anything...
At my university we were able to use an RDP client to log into windows machines with all the engineering software installed on them. Performance sucked, which is why people only did it if they had too. But it was manageable. R was one of the software packages.
While I mostly agree on the computer comment, I largely disagree on phones (not apple, iphones are pretty IoT paperweights without a lot of hoop jumping and prostrating to apple). You can absolutely do some amazing things on a phone. I've been living in terminal (via termux) on my phone (android) for a while now as a little personal challenge, using micro to write python TUI apps as I need them. I have file system, etc. and since I have access to sensor data I can make some pretty nifty things happen fast. Need an app to remind me to set parking app so I don't get another fine? Easy done, can do it on my walk to the office. I think we're all ignoring phones a bit due to the learning curve and inconvenience when compared to traditional computing.

Now I couldn't imagine doing some serious analysis via phone but also with things such as jupyter notebook or similar for R, it isn't a stretch to believe you could get some rudimentary step by step kinda stuff going.

Hands down, I would choose a proper keyboard and multi-monitor setup any day of the week, but the difference expressed through metaphor in terms of working cars puts phones more in line with a hatchback than a scooter as most people seem to think. A hatchback is often perfectly sufficient and at times, preferable.

Right, but that's really using Linux not Android. You can also run Linux on Chromebooks or just SSH to a Linux server using iOS, but someone has to teach students those skills. Just knowing how to use a smartphone in general won't work.
Yet another advocacy article with absent of what came before.
We had code execution in the browser over 25+ years ago, with Java applets. Sure, they were bloated and sluggish back then. On today's hardware, you wouldn't even notice.