It means you take responsibility of maintaining the server forever, i.e. dealing with TLS certificates, SSH keys, security updates, OS/package updates, monitoring, reboots when stuck, redeploy when VPS retired, etc. Usually things work fine for a year or two and then stuff starts to get old and need attention and eat your time.
As someone who runs a such a VPS this is all a non-issue. Running HTTP service is so trivial that once I set it up I don’t even spend an hour in a year maintaining it. Especially with Caddy which takes care of all the certs for you.
And this is also bearing in mind that I complicate my setup a bit by running the different sites in docker containers with Caddy acting as a proxy.
With storage volumes for data and a few Bash scripts the whole server becomes throw-away that can be rebuilt in minutes if I really need to go there.
And for sure any difficulty and ops overhead pales in comparison to having to manage tooling and dependencies for a typical simple JS web-app. :)
I really doubt that people who can’t install an ssh key should be able to practice software engineering. Sometimes, I think that software engineering should be a protected profession like other types of engineering. At least it will filter out the people who can’t keep their OS up to date.
This is not about how easy or difficult it is to issue TLS certificates, to configure SSH keys or to update the OS. It's about having to actively maintain them yourself in every possible situation until eternity, like when TLS versions are deprecated, SSH key algorithms are quantum-hacked, backward-incompatible new OS LTS versions are released, and so on. You will always have new stuff come up that you need to take care of.
This is all trivial, and can and should be automated. Furthermore, all of your arguments can easily be applied to NodeJS version deprecations, React realizing they shipped a massive CVE, etc.
I will die on this hill: parent is correct - the ability to manage a Linux server should be a requirement to work in the industry, even if it has fuck-all to do with your job. It proves some basic level of competence and knowledge about the thing that is running your code.
I'm curious about this trivial automation. Let's say the new OS LTS version no longer includes nginx, because it was replaced by a new product with different config. How does the automation figure out what the new server package is and migrate your old Nginx config to the new format?
I agree with Node.js version deprecations being a huge problem and personally advocate for an evergreen WebAssembly platform for running apps. Apps should run forever even if the underlying platform completely changes, and only require updating if the app itself contains something that needs updating.
If an LTS of an OS replaced nginx with something else, a. it would be announced with great fanfare months in advance b. if you don’t want to do that, add apt / yum / zypper install nginx to your Ansible task, or whatever you’re using.
The things that you just described are not automation, but human activities needed to tackle the new situation by following news and creating new automation. Which kind of proves my point that you cannot prepare for every unexpected situation before it actually happens. Except maybe with AI in the future.
When AWS announces that they’re EOL’ing the Python or NodeJS version in your Lambda, or the version of your RDS cluster, etc. you also are required to take human action. And in fact, at any appreciable scale, you likely want that behavior, so you can control the date and time of the switch, because “zero downtime” is rarely zero downtime.
Yes, and like I mentioned in another comment, I consider this a major painpoint and problem with Node.js based applications. I have high hopes that eventually there will be an "evergreen" WebAssembly based Lambda function runtime.
I keep reading posts like this, but the people who say this never actually seem to enlighten the rest of us troglodytes by, say, writing a comprehensive, all inclusive, guide to doing this.
If it's so easy, surely it's no big undertaking to explain how one self hosts a fully secured server. No shortcuts, no "just use the usual setup" (we don't know what it is!), no skipped or missed bits. Debian to Caddy to Postgres, performant and fully secure, self upgrading and automated, from zero to hero, documenting every command used and the rationale for it (so that we may learn).
The parent I responded to was discussing issuing certs, configuring SSH keys, and updating an OS. Those are all in fact trivial and easily automated.
What you have stated requires more knowledge (especially Postgres). You’re not going to get it from a blog post, and will need to read actual source docs and man pages.
The original claim was "People shouldn't even be in the industry unless they can administer a Linux server, even if that has nothing to do with their role." It is a very significant moving of the goalposts to now suggest this is all about "updating an OS". That's not a good faith claim.
This whole thing is merely cheap online snark masquerading as wisdom. No, not all SWEs know how to maintain Linux servers, and many (most?) SWE roles have all of zero overlap with that kind of work. If businesses could fire all their expensive server admins and replace them with some college kid and a $5 VPS, they would long since have done so.
If this is anything more than poseur snark, put your money where your mouth is and either write a comprehensive resource yourself, or at least compile a list of resources that would suffice for someone to be able to securely run and maintain a live server in production. No, not Hello Worlds, actual prod. Then, when next this comes up, link us to your guide rather than just spraying spittle on the plebs who lack your expertise.
Do something more constructive than low effort snark.
They don't write the guide because by the time they've written the guide to an appropriate level of specification, the result they've produced is an off-the-shelf service provider not unlike the ones they're railing against.
I self host my own server and this isn't something that takes much time per year. You're making it sound like a day job. It's not really. As long as you have a solid initial config you shouldn't have to worry.
Exactly. Also, being that my specialty is writing software and not server maintenance, no matter how much of an effort I put forth there's substantial risk of blind spots where holes can lurk.
I felt more comfortable maintaining a VPS back between 2005 and 2015, but at that point attackers were dramatically less sophisticated and numerous and I was a lot more overconfident/naive. At least for solo operations I'm now inclined to use a PaaS… the exception to that is if said operation is my full time job (giving me ample time to make sure all bases are covered for keeping the VPS secure) or it's grown enough that I can justify hiring somebody to tend to it.
Caddy runs on top of Go's excellent acme library that handles all of the cert acquisition and renewal process automatically.
I get that if you get a problem then it'll take a bit of work to fix, but all of this seems like a lot less work than dealing with support for a platform you don't control.
They shouldn't, that's why self hosted PaaS already do it for you, it's not a differential reason to use cloud services instead just because they do it for you too.
Now you have to maintain the automation. There is nothing wrong with that. There is nothing wrong with building your own server. There is nothing wrong with colocation. There is nothing wrong with driving to the colo to investigate an outage. There is nothing wrong with licensing arm and having TSMC fab your chip. There is nothing wrong with choosing which level of abstraction you prefer!
You clearly haven't tried doing that in quite a long while.
Using SSH keys + fail2ban means that for a simple static site, it will be sufficient for a decade at least.
TLS certificates get auto-renewed with letsencrypt every 3 months via certbot.
Installing security updates depends heavily on what is your threat model, if you're just displaying some static content you fully own, you'll be usually fine.
Literally never seen a VPS being "retired", if it happened to you, change provider.
I've got a bunch of VPS running for 10+ years, I never need to touch them anymore.
My homelab has been going strong for the past 8 years. I did have to do some upgrade/maintenance work to go from being an old laptop without screen to a minitower low power machine, and when I added 30TB of storage. Other than that, it's running smoothly, it also uses TLS and all the rest.
just ask claude to do all that :), he is excellent and installing & managing new servers and making sure all security patches are updated. Just be careful if its a high risk project.
When buying the infrastructure as a managed cloud service, yes, I trust that they've got people handling it better than I could myself. The value proposition is that I don't even see the underlying infrastructure below a certain level, and they take care of it.
This is the kind of stuff a software develop should have absolutely no problem managing. It's crazy to me that so many software developers hate the idea of maintaing a computer.
This is extremely easy with tools like dokploy tho... I use dokploy locally to manage all my VPSs + home server. Truly good stuff and I don't believe your quip at the end, it feels like poisoning the open source waters for consolidated anti democratic cloud platforms.
It's way way way way easier managing a basic VPS that can be highly performant for your needs. If this was 2010, I'd agree with you but tooling and practices have gotten so much better over the last decade (especially the last 5 years).
Maybe you're right - I've never tried dokploy, but from documentation it sounds like mostly a deployment, monitoring and alerting tool. For me the problem has always been that once you get the alert (or something just stops working), a human needs to react to it and make things work again. In cloud services you mostly pay for them providing the human, and in self-hosting you're the human.
I can see though that today's AI models could eventually replace the human in the loop and truly automatically fix every possible situation.
yeah i've had more downtime on managed db's & cloud servers then on my own managed VPS. And if it happens, with VPS i can normally fix it instantly compared to waiting 20-60 min for a response, just to let you know they start fixing it. And when they fix it, it doesnt always mean your instance automatically works.
You might be right. I've been mostly using serverless / managed cloud services such as AWS Lambda, API Gateway, S3, DynamoDB for the past 10+ years. When I've needed to respond, it's been because I myself deployed a bad update and needed to roll it back, or a third party integration broke. The cloud platform itself has been very stable, and during the couple of bigger incidents that have happened, I've just waited for AWS to fix it and for things to start working again.
IDK, I only found out about Dokploy six months ago. The tools nowadays for managing small hosted solutions is absolutely amazing. You can do a lot with a single VPS if you avoid bloated software choices.
People often forget there is a massive economy out there for niche solutions and if you're a small team you don't exactly need a large slice to make a nice life for yourself.
I don't even bother setting up VPS instances by hand. If you have gmail then you have access to Google Cloud, and they offer a free tier of Cloud Run that comfortably covers anything you might do on a personal project.
You basically create a github, put a dockerfile inside it with your nginx config, frontend files, backend etc., then push and the Cloud Run instance is built for you then deployed into production. By default you are paying only for active requests, when a http request hits your box GCP will wake it up, charge for the CPU time used for serving it, then leave it idle for free for about 15 minutes. If another hit comes in that interval, you have instantaneous response because the instance is warm, otherwise it will wake up again and see a few seconds of latency (ie. during the night, when you have few visitors etc).
It also scales up automatically if you have substantial traffic, you don't have to do anything other than design your application so that multiple instances hitting the same data storage (ex. Firestore) will play nice. It of course handles all security, versioning, HTTPS certs etc. for you, you are simply serving plain HTTP traffic within the GCP internal network and just make sure your own application (what you push to git) is secure.
The things you pay for are outbound traffic (for obvious reasons like warez etc.) as well as storage of docker images (Artifact registry, i think you only have 0.5GB free, about 3 alpine images), but you can easily set up a rule to auto-delete old images.
Overall, you can run a small business with daily/weekly updates for less than a dollar a month and hit 5 nines availability, which you will never achieve for a self-administered VPS. Sorry if it sounds like an advertisement, but it's just enormous value for a small builder.
I still think you described using a VPS but with a tons of extra steps, expenses and then being tied to an evil corporation people are trying to move past.
You get a generic VPS and you can do whatever the hell you like, not paying bigG for some "obvious reasons" like outbound traffic.
And a small business will never need 5 nines availability, that's just the propaganda from big tech to over engineer and pay them for that. You can run a small/medium business and be offline for 1 hour every day (makes it 95.8%) and still be fine. It's when you're worldwide and not that small that you want better availability.
Also, you know all those AWS outages? My VPSs were never impacted to the slightest!
A docker image host is NOT a VPS with extra steps, because a VPS is a server and needs to be administered professionally as a server by someone competent for that job, that excludes 90% of developers who are willing to spend only one hour per year for this task. Think about running mail servers, you can do it manually but to do a good job you need to invest so much time and effort that almost everyone doing it will throw in the towel eventually.
And while I agree with the sentiment of resisting encloudification, you can take your docker image to any other host if you want, it's a generic service. in a pinch, you can build your own and have 100% control just like the VPS case.
The point is that you don't have to, you just git push into production and forget about it. that's a good few dozens less "extra steps" than the VPS route.
I just did this over at Hetzner and Claude admins it for me so I don't need to learn the CLI or anything, describe the proxying I want, and it setups up a bunch of small side project pages for me.
It feels like you probably went too deep in the LLM bandwagon.
An LLM is a statistical next token machine trained on all stuff people wrote/said. It blends texts together in a way that still makes sense (or no sense at all).
Imagine you made a super simple program which would answer yes/no to any questions by generating a random number. It would get things right 50% of the times. You can them fine-tune it to say yes more often to certain keywords and no to others.
Just with a bunch of hardcoded paths you'd probably fool someone thinking that this AI has superhuman predictive capabilities.
This is what it feels it's happening, sure it's not that simple but you can code a base GPT in an afternoon.
Wait, you're asking to find and produce a example of a feasible and better alternative to LLMs when they are the current forefront of AI technology?
Anyway, just to play along, if it weren't just a statistical next token machine, the same question would have always the same answer and not be affected by a "temperature" value.
Thats also how humans behave.. I don't see how non determinism tells me anything.
My question was a bit different: if were not just a statistical next token predictor would you expect it to answer hard questions? Or something like that. What's the threshold of questions you want it to answer accurately.
Well, large models are (kinda) non-deterministic in two ways. The first is you actually provide many of them with a seed, which is easy to manage--just use the same seed for the same result. The second part is the "you actually have very little control over the 'neural pathways' the model will use to respond to the prompt". This is the baffling part, like you'll prompt a model to generate a green plant, and it works. You prompt it to generate a purple plant, and it generates an abstract demon dog with too many teeth.
Anyway, neither of these things describes human non-determinism. You can't reuse the seed you used with me yesterday to get the exact same conversation, and I don't behave wildly unpredictably given conceptually very similar input.
There are bugs and undocumented behaviors that need to be understood in order to be worked around - I wish it wasn't the case but such is life developing for closed-source platforms.
Then you're using it more towards vibe coding than AI-assisted coding: I use AI to write the stuff the way I want it to be written. I give it information about how to structure files, coding style and the logic flow.
Then I spend time to read each file change and give feedback on things I'd do differently. Vastly saves me time and it's very close or even better than what I would have written.
If the result is something you can't explain than slow down and follow the steps it takes as they are taken.
AI assisted coding makes you dumber full stop. It's obvious as soon as you try it for the first time. Need a regex? No need to engage your brain. AI will do that for you. Is what it produced correct? Well who knows? I didn't actually think about it. As current gen seniors brains atrophy over the next few years the scarier thing is that juniors won't even be learning the fundamentals because it is too easy to let AI handle it.
Strongly disagree. If the complexity of your work it the software development itself, then it means that your work is not very complex to begin with.
It has always been extremely annoying to fight with people who mistake the ability of building or engaging with complicated systems (like your regex) with competency.
I work in building AI for a very complex application, and I used to be in the top 0.1% of Python programmers (by one metric) at my previous FAANG job, and Claude has completely removed any barriers I have between thinking and achieving. I have achieved internal SOTA for my company, alone, in 1 week, doing something that previously would have taken me months of work. Did I have to check that the AI did everything correctly? Sure. But I did that after saving months of implementation time so it was very worth it.
We're now in the age of being ideas-bound instead of implementation-bound.
Trivia was always the hallmark of an insufferable programmer. Remembering the syntax to regex always struck me as a detail of programming, not a fundamental. I'm glad I no longer have to waste my life debugging it.
>> AI assisted coding makes you dumber full stop. It's obvious as soon as you try it for the first time. Need a regex? No need to engage your brain. AI will do that for you.
Regex is the worst possible example you could have given. Seriously, how many people do you know who painstakingly hand-craft their own regexes as opposed to using one of the million tools out there that can work backwards from example inputs and outputs to generate a regex that satisfies the conditions?
I agree. In the beginning when I was starting, I let the AI do all of the work and merely verified that it does what I want, but then I started running into token limits. In the first two weeks I honestly was just looking forward for the limit to refresh. The low effort made it feel like I would be wasting my time writing code without the agent.
Starting with week three the overall structure of the code base is done, but the actual implementation is lacking. Whenever I run out of tokens I just started programming by hand again. As you keep doing this, the code base becomes ever more familiar to you until you're at a point where you tear down the AI scaffolding in the places where it is lacking and keep it where it makes no difference.
I agree that being further along the Vibe end of the spectrum is the issue. Some of the other ways I use Claude don't have the same problems.
> If the result is something you can't explain than slow down and follow the steps it takes as they are taken.
The problem is I can explain it. But it's rote and not malleable. I didn't do the work to prove it to myself. Its primary form is on the page, not in my head, as it were.
I'm on the same path as you are it seems. I used to be able to explain every single variable name in a PR. I took a lot of pride in the structure of the code and the tests I wrote had strategy and tactics.
I still wrote bugs. I'd bet that my bugs/LoC has remained static if not decreased with AI usage.
What I do see is more bugs, because the LoC denominator has increased.
What I align myself towards is that becoming senior was never about knowing the entire standard library, it was about knowing when to use the standard library. I spent a decade building Taste by butting my head into walls. This new AI thing just requires more Taste. When to point Claude towards a bug report and tell it to auto-merge a PR and when to walk through code-gen function by function.
> I can explain it. But it's rote and not malleable.
The AI can help with that too. Ask it "How would one think about this issue, to prove that what was done here is correct?" and it will come up with somethimg to help you ground that understanding intuitively.
This is the approach I’m taking, along with being much more verbose than my normal style with comments in the code and commit messages (including snippets of the prompts/insights that inspired the change).
It's a spectrum and we don't have clear notches on the ruler letting us know when we're confidently steering the model and when we've wandered into vibe coding. For me, this position is easy to take when I am feeling well and am not feeling pressured to produce in a fixed (and likely short) time frame.
It also doesn't help that Claude ends every recommendation with "Would you like me to go ahead and do that for you?" Eventually people get tired and it's all to easy to just nod and say "yes".
Chill, they will soon send robots because everybody else is going to give'em the finger or they're too slow and hard to replace. Look at Russia/Ukraine. Russia is sending minorities and North Koreans to war and they get blown up by drones assembled and flown by Ukrainians. I would totally assemble drones rather than dig trenches or crawl through mud infested with mines. Guess what the North Koreans are now doing in Kursk? De-mining.
There is a birth crisis. Modern, liberal women are not actually reproducing, they are not keeping their end of the evolutionary bargain (men protecting, sacrificing and dying, while women giving birth). Therefore, there is no need to maintain the old-fashioned, patriarchal system with women as a more protected group. Everyone should contribute equally, pull their own weight. Equal rights, equal lefts (responsibilities).
Western women are already only producing ~1.5 kids (many with none!), you could send 50% of young women to die in war, then have the other half have a fertility rate of 6, like what their great great grandmothers had, and we would be far far ahead already.
50 men and 50 women. You have to send 50 people to the front. You'd send 49 men, leave one behind for reproduction purposes, have 50 women at home and be short of 1 person.
Or we could embrace equality and send 25 men and 25 women, leaving behind 25 of each to do whatever they want.
We're not having this conversation in a cultural vacuum; men figure out at a young age that if things go to shit, their lives become expendable for the sake of the community. I view conscription as a form of slavery; something that I hope never happens to me or anybody, but could conceivably happen. That's the way the world has worked for thousands of years, and the Bayesian meme asks me to therefore bet on it continuing to be this way. But it doesn't have to be this way for women too. Why should it be, misery loves company? If men are going to be dying, we should draft women to die too? That's not feminism, that's insanity.
Why should men sacrifice and die for nothing, by not getting anything in return, not even a simple appreciation? Why should only men die when things get tough? I also would much rather see other unknown women die, than to send myself or my son to die for them.
Women need to pull their weight. And since they aren't doing that from the evolutional POV, neither in practice (birth crisis) nor in theory (not like giving birth is a legal duty, unlike a draft), then they can at least be useful for a society as a cannon fodder. The more women start pulling their weight and contribute, the less weight there will be for men to pull. What not to love about this equality!
The right reaction about bad things happening to a percentage of the population is to get rid of it if at all possible, not making everybody suffer from it.
If you don't expect males to voluntarily sacrifice and die for the country, why would you expect women to suffer nine months of body horror (provocatively stated) and expend multiple years of full-time care to raise children?
> And since they aren't doing that from the evolutional POV, neither in practice (birth crisis) nor in theory (not like giving birth is a legal duty, unlike a draft), then they can at least be useful for a society as a cannon fodder.
Women already contribute to society by being in the work force. If you think that's not enough, then you should probably think about rewarding them for doing something else.
> The right reaction about bad things happening to a percentage of the population is to get rid of it if at all possible, not making everybody suffer from it.
This is not an argument, neither from theoretical nor practical point of view. This is akin to saying "Yeah, you want a universal health care for everyone, but I want everybody to be so rich that they can buy any insurance and bear any sudden health-costs". Not an argument, is it.
The reality is the way it is. Wars are always going to be fought and no amount of toxic peace wishing will change that.
If anything, adding women to the equation would:
1. make the force stronger. Therefore, a higher probability of not being attacked, and a higher probability of dominating the enemy (thus decreasing the total amount of victims).
2. make the political decisions to start wars much harder (in a good way).
This is exactly the reason why I am against the current American fight-for-money military and am for compulsory army service (like Finland), and for both sexes at that.
> If you don't expect males to voluntarily sacrifice and die for the country, why would you expect women to suffer nine months of body horror (provocatively stated) and expend multiple years of full-time care to raise children?
That's my point exactly. If women are not doing their evolutionary job, why should men? There can only be 2 possible solutions:
1. no sex has any sex-specific obligations (be it giving birth or going to war)
2. or impose similar sex-specific obligations to both sexes.
Men already contribute to society by being in the work force (and do a much more important foundational work than women), and it is unfair to impose additional unilateral sexist obligations on only one sex.
I am against the hypocrisy and want equality between sexes (they don't have to be the same for both sexes, but if one has more obligations, they should be appropriately compensated by additional rights/privileges).
>Why should men sacrifice and die for nothing, by not getting anything in return, not even a simple appreciation?
Because a bunch of pissed off men is destabilizing, and what has worked in the past is sending them off to conquer/die under some glory laced pretense. The young men naturally vibe to it, the older men recognize the pattern and know it works.
>Why should only men die when things get tough? I also would much rather see other unknown women die, than to send myself or my son to die for them.
Women are incubators, and cannot be utilized as such if they are dead. Men are seeders, and can have measures taken to fulfill that role without being physically present.
Look, the rest is just fucking cope, man, not even good cope. Let me drop some facts to help you out. Until you're really willing to put your ass on the line for someone else, you don't really have the moral position to ask someone else to do it for you. Period. That's the thing you need to be angry about right now. You might get what you give. You give it all, you might get something back; you might get a hole in the head or somewhere else equally problematic; you might get a shot at white picket fence, wife, & three kids. You're being asked to give it all by assholes who have done nothing but take and demand. Sit with that idea for a bit, then recompute where you stand. It isn't about men vs. women. That's a distraction. It's about givers vs. takers, and takers are desperate to keep the givers from realizing that they are the ones being played/harvested. If the Givers actually wake up to the fact they are being manipulated, it is a guarantee the manipulator is the next target on the chopping block; because for the Givers, it's a moral imperative to protect their own. To wake up, you have to stop assuming benevolent intent and question really hard anyone who tells you to assume it. Good people don't need to tell you to assume good faith. They just act in good faith, and you reciprocate. If someone tells you to assume good faith, it is almost certainly because there isn't entirely good faith at play. It's exhausting, but sadly necessary. Now what you need to ask yourself, is am I speaking as a Giver or a Taker? Answer is, both. I want you to be more free. I want those who'd chain you to be less free to do so. I'm asking you to become less easy to govern. What am I giving up? Time, I guess, and the ability to as easily Take from you in the future. I'd rather live in a world of endless squabbling/questioning of motives than in one where assholes run roughshod over everyone because no one ever calls them on their bullshit. Acting trustworthy to gain trust isn't unbearable to me. Cost of doing business as they say. There are those however, who do find it unbearable, and those are the ones we should be targeting. Not each other.
> Because a bunch of pissed off men is destabilizing, and what has worked in the past is sending them off to conquer/die under some glory laced pretense.
Such was the way in the old times. At the same time when women were taking their own feminine role and were giving birth.
But this does not apply anymore. Check the population pyramids for various countries. Having a lot of young men that need their energy to be put somewhere is not a problem in modern Western societies.
Taken to its logical conclusion, you cannot have gender equality without either making the draft cover everyone or abolishing it entirely.
The fact that women losing their lives is so much larger a risk for the nation only serves to test the resolve of those people claiming to want gender equality, but this is not the only time you'll find a conflict between idealism and reality, even within the scope of gender equality.
It would be equality if there were a law forcing women to have children during a war. Which is insane and no one would support it.
But young men maybe dying after being forced to fight against their will? Completely fine.
It's honestly just very telling how in modern Western egalitarianism, gender essentialism is factually wrong and evil unless we're explaining why men need to die for their country.
Yeah, birding can be such fun once you have a small repertoire of birds under your belt. Some people get that from their culture or family but I didn't, so made a little game to get me going.
It's so satisfying to hear/see a bird and actually have a chance at getting it right
I certainly don't feel entitled to anybody's effort, and I appreciate the project itself!
It's just these flashy LLM-generated webpages are really misleading.
It's filled with attention-grabbing LLM-filler. It presents itself as high-effort content, but in reality is unclear if it's accurate, unclear how much the author even put into READING the content they're asking me to read, and overall just really unclear what parts of the page are important to the author and what are just stuff the LLM inserted into a marketing card to make it look like a SaaS sales pitch.
Then you can even run multiple projects off the same server.
reply