This is written by analogy with all software sucks.
|Less harmful alternatives
|daemontools, runit, s6
|Bloated enormously huge complicated crap with awful track of
security issues and privacy concerns, that does completely
unacceptable things. Look how
it sucks. I do not want
to say that SysV/RC-style init systems are a good thing, but at
least they are less harmful.
daemontools is the proper
way you should start your software.
|The whole GNU/Linux ecosystem is overbloated bunch of frameworks with mediocre quality. You can create something secure and working out of them, but with tons of spent time of torture and struggle. Generally those systems are technologically inferior to most BSD-based systems (of course macOS is an exception) and implement similar things many years later. If something is told to be ready to use and production ready, then wait for 5+ years to be sure that it really is. Of course there is worthy software in GNU, but in general there is a zoo of highly incompatible pieces.
|GNU/Linux, *BSD, illumous
|Does anybody really want to run proprietary non-free closed-source backdoored DRMed software?
|Software must be free. Copyleft enforces and ensures that.
|IPsec, CurveCP, Noise
|If people were smart and experienced, then IPv6 would took the world a long time ago, making automatic host-to-host IPsec transport connections the reality, providing transparent secure network layer. But people are so dumb, that they protect networks by harshly breaking the communications with the NAT, not remembering what firewalls were made for. So we have got per-connection per-application user-mode transport layer security overlay. Most TLS versions, up to 1.2, suffered from serious security issues and flaws. Cryptographic protocols have to be simple and created by wise cryptographers.
|Do not know, GnuTLS?, crypto/tls
|Linus’es law claims that "given enough eyeballs, all bugs are shallow", but OpenSSL library proves that dozens of years and billions of users means nothing for security. Fatal critical and catastrophic bugs are here. OpenSSL source code is awful from architectural point of view and quantity of assumption where developer has to be precisely accurate.
|certificate pinning, Web-of-Trust
|PKI can work on enterprise-level scale, with single definitely trusted anchor. Global scale PKI can not be secure by definition, because anyone from dozens and hundreds of imported authorities are told to be trusted for some reasons. It is business and nothing more.
|DNSSEC offers no privacy (no encryption) and friendly to censorship. It leaks zone contents through NSEC*. It is vulnerable to replay attacks. It requires both client and server software modification, additional DNS records and changing the registrars, greatly increasing packet sizes, requiring to work over TCP as a rule. Moreover it is PKI with single US/NATO-based trust anchor. DNSCurve has none of that problems.
|DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), DNS-over-DTLS, DNS-over-QUIC
|DNS over IPsec (any VPN), DNSCrypt
|Why do you need to use additional transport security protocol if you want to secure communication between two hosts? IPsec transparently offers that. If you are not able to use it, then at least there is no need in TCP-based PKI-poisoned solutions – use DNSCrypt that just slightly increases packet sizes with end-to-end encryption.
|XFS, ZFS, UFS2, probably JFS2
|GNU/Linux is known to have long history of lack of stable, high performance, reliable filesystems. ext4 is even can not keep files more than 16 TiB (4KiB blocksize), that is less than single modern LTO tape can hold. XFS, ZFS, JFS2 were created outside GNU/Linux, being much more versatile and stable ones.
|BTRFS is still not stable enough, having no working RAID5/RAID6 analogue. It is just toy parody on ZFS, that can not be considered seriously. APFS even lacks checksums – only Apple fanboys can agree to use that (however it could be better that their HFS+). ZFS sucks in Linux? Well, use adequate operating system!
|Everyone used big-endian, except for Intel and some other minor companies. It is way more convenient to by used by human. There is reason that it is also known as "network-order".
|+R is simpler, technologically cheaper and more reliable.
|XML, JSON, YAML, TOML
|Hjson (for configuration files)
|XML and JSON are not indented to be used directly by humans. YAML is monstrous beast of complexity. Most libraries even do not implement all of its features, meaning that you can not expect your file will be working at all. TOML is simple for parsing, but completely unusable for human understanding, looking comprehensible only with tiny and trivial structures. Hjson is tiny superset over JSON, with conveniences exclusively made for human, transparently converting it to JSON as machine friendly format.
|Even the strictest ASN.1 DER codec has many coding rules, meaning that codec-library will be pretty complicated thing, harming the security. All that lack of clearness of being able to work with some schemaless structures and unable to work with implicitly tagged another ones is pointless complication. Either use completely schemaless solutions like MsgPack/BSON/JSON/whatever, or completely schema driven ones, like XDR, that is very trivial to implement and work with. XDR library exists in all OSes out-of-box as a rule. XDR can be encoded/decoded very fast, because of its alignment and simplicity.
|JSON parser is pretty complicated thing to write. Bencode is much more simpler schemaless solution. It can be encoded/decoded very fast. JSON structure has many possible valid representations, that complicates its usage with the context where cryptography is involved. Bencode has only single valid representation.
|C++, Ruby, Java, Python, Rust
|Complexity is the main enemy. You can easily write complex, hardly understandable and unmaintainable code with languages giving you wide abilities to express yourself.
|anything else, Lua, Tcl
|Hardly anyone knows AWK at all. Moreover there are several dialects of it, meaning bad portability of its code. Perl is faster, has no dialects (portable), pretty compact and has way more number of features and people knowing how to program it. There is just no use-cases where AWK could be more convenient to use, even with oneliners.
|POSIX shell, Z shell, Korn shell
|Bash is huge, slow, has very few features for convenient interactive usage, lacks flexibility and extensibility. It is just the lamest and stupidest shell I have ever seen, that gives literally no advantages over many other much more simpler (from code perspective) and feature rich shells. It is awful for interactive usage and awful for scripting, because it even lacks reliable variable escaping (like POSIX shell too, but at least POSIX is portable).
|Make, Waf, SCons
|There is not much I can comment there. Make is unportable in
practice, completely unworking (due to mtime, recursive make
issues), non-atomic thing to deal with.
redo is literally
better in all-cases, requiring no additional language learning,
using the implementation that can be written at one day. Solutions
requiring additional declarative language learning already suck with
|Autotools is completely unsupportable bloated piece of software,
that was helpful when there were dozens of highly incompatible
commercial Unices. Nowadays there are C-standards, POSIX,
pkgconf, higher quality OSes and ability to parallelize
detection tasks with
|Dynamic linking has damned high load time overhead. It brings various security problems and flaws. It complicates software support and maintaining because of "DLL hell". It heavily complicates debugging and profiling. In general everything is just slower with it, often consuming much more memory comparing to statically linked programs with unused sections thrown out. If you want to update statically linked pile of software, because of some dependant library, then just take all that programs and recompile, what is the problem? Are you using some closed-source one? That is the problem.
tmux is much more lightweight and feature rich, having
pretty comprehensible and easy to understand documentation.
|BSD libc, musl, jemalloc
|Glibc is bloated low code quality and slow software, having huge scalability and resource consumption issues with multithreaded applications.
|Info files are real hypertext documents. Why I prefer Texinfo+Info.
|What is the point of multibyte encodings when each (user-visible) character can be made of grapheme cluster, consisting of multiple codepoints anyway? UTF-8 just greatly simplifies everything.
|MP2, MP3, AAC, AC-3, EAC-3
|Formats and codecs must be free and open, like software. Moreover Opus and Vorbis are just technically superior to proprietary analogues.
|ALAC, Monkey’s Audio
|WavPack, FLAC as a fallback
|Free and open formats are the only acceptable choice. Personally I love WavPack more, because of its simpler bitstream format, slightly better compression ratio and less technical restrictions.
|Free and open format is better anyway. Theora is relatively lightweight for modern hardware, so can be used for real-time tasks.
|AVC, HEVC, VVC
|VP8, VP9, AV1
|VP8/VP9 have comparable quality to non-free patented H.26x codecs and are already widely used in YouTube. AV1 is superior to them.
|Matroska, WebM, Ogg
|Matroska has low overhead, is feature rich and can contain virtually anything, comparing to MP4 that is not friendly to free and open codecs. WebM is just its subset. Ogg is an acceptable choice comparing to non-free ones.
|cpio, tar, GNU Tar
|pax format, that fallbacks to UStar
|GNU Tar is vendor-locked in. cpio and non-pax tar formats have many practical limitations on what they can store.
|gzip, bzip2, xz
|Zstandard is faster than gzip and has better compression. It is ultra-fast at decompression. Its highest compression levels are comparable and close to xz ones, but having magnitudes faster decompression.
|tar + Zstandard
|RAR is proprietary non-free format/software. 7z does not store file’s ownership, making it useless in Unix.
|GNOME, KDE, Xfce
|dwm, awesome, i3, xmonad
|All desktop environments are just completely useless resource consumption crap for Windows/macOS users. It helps user in no way. Tiling managers are much better at resources utilization (including display workspace). Experienced Unix user spent most of his time in terminals.
|slashpackage, GNU Stow
|Software must always exist with the source code nearby (to be able to recompile it, because of yet another update). There should not be complex tracking system of port’s files location – they just should be located in isolated separate subdirectories. There should be ability to use multiple versions of the same software.
|IPv4, NAT, DHCP, ARP
|IPv6 + SLAAC
|IPv6 (with its supplementary protocols like ICMPv6) is beautiful, elegant and clever designed thing. IPv4 has never been intended to be used as global-scale solution. Its NAT crutch just breaks nearly all protocols (except for two or three) workability and availability. IPv6 is more lightweight, faster, easier, simpler and convenient to work with.
|Forum, Social network
|With web-based solutions you have to use inconvenient (everyone has its own preferences) interface. You can not work with them offline, can not create local indexable archive. Each forum/social network is completely independent and separate user experience. MUAs are much more superior in flexibility and filtration/processing abilities.
|GNU Mailman, Sympa
|mlmmj is very minimalistic, simple, written on pure C, having neither heavy dependencies, nor bloated web-interfaces. But it supports: archives, bounces handling, moderation, digests, VERP. public-inbox can act as a perfectly fine archiver with rich set of access methods.
Mon, 06 Sep 2010-like date formats, seriously?
|Thunderbird, Outlook, Apple Mail
|Mutt, mailx, s-nail, Notmuch
|GUI is useless for MUA. Apple Mail and Outlook even do not have ability to reply to maillist. Thunderbird probably was acceptable many years ago, but it inherently sucks as everything Mozilla does now.
|Zathura is much more lightweight and supports PDF, DjVu, EPUB, XPS.
|pure TCP, SCTP
|This is pure insanity to create another obfuscated TCP-like layer on top of already existing one, just because browser’s API is limited.
|Technically OSS4 and sndio just superior by features and low-delay in real life experience.
|PulseAudio is like systemd in the world of audio. Useless crap.
|Convenience and simplicity are nearly always better in BSD/Solaris.
|FictionBook is made by people for people, but EPUB by companies with DRM in mind.
|JPEG, PNG, HEIC, AVIF, JPEG2000
|JPEG XL is patent free, virtually has no technical limitations (like number of layers, resolution, HDR/WCG support), supports progressive decoding, has 60% better compression ratio than JPEG, 40% better than PNG, 10% than lossless JPEG2000 for photographs. At q>40 has better compression than AVIF. Its decoder is very fast (can be even faster than JPEG). Can losslessly transcode JPEG.
|MD5, SHA-1, SHA-2
|SHA-3 (SHAKE variant), BLAKE2, Skein, BLAKE3
|MD5 and SHA are already insecure/broken. SHA2 is damn slowest. SHA3 is simpler and can faster on hardware. Skein is faster than SHA2/3, having very high security margin. BLAKE2 is even more faster, not talking about BLAKE3.
|AES has lower security margin and is pretty slow without hardware acceleration.
|ECDH, DH, RSA
|Curve* are much easier to implement correctly. They are faster and much more safer in general.
|EdDSA is much easier to implement correctly. It is much faster and has compact keys. It does not need entropy during signing. It is much more safer in general. Proper and correct side-channel resistant RSA implementation is the ultimate challenge.
|Using of non textual format, that can not be diff-ed and placed in Git? Where you can not use your ordinary powerful text editors and hundreds of available tools?
|POD, Texinfo, reStructured Text
|When people talk or note Markdown, they hardly realize that there is no Markdown! There are plenty of incompatible subsets of it. The common denominator is very tiny and completely unsatisfactory for every-day needs of documentation and websites writing.
|Telegram, WhatsApp, Viber, Skype
|XMPP, IRC, OMEMO, OpenPGP, OTR
|Centralized censored insecure solutions are always not an option. And none of them provide real end-to-end encryption you can verify.
|OpenPGP (GnuPG) is included in most OS distributions out of box and is already widely used. S/MIME is made with PKI in mind.
|GNU Privacy Guard
|age and OpenSSH
ssh-keygen -Y sign are just magnitude
times simpler, can be written from scratch for several hours.
Simplicity is treasure and basis for security.
|UTC is non monotonous. TAI64 also suggests easily parseable long-term format for time storage.
|Daemonized UCSPI software is more scalable, reliable under high
loads and much more flexible in general – every service is a
separate daemon process with its own logging and layers of utilities
softlimit and similar.
curl ... | sudo bash
|For any agency it is more convenient you to run Windows or macOS
curl|bash is just a complete compromise of your
computer. Too dumb and silly to be true, but unfortunately
people seems to do that kind of things.