Pinboard (jefframnani)
https://pinboard.in/u:jefframnani/public/
recent bookmarks from jefframnaniRe: The Case for Rust (in the base system)2024-01-24T02:19:00+00:00
https://lists.freebsd.org/archives/freebsd-hackers/2024-January/002876.html
jefframnaniprogramming rust cpp concurrency os freebsd safety software quality compiler c kernelhttps://pinboard.in/https://pinboard.in/u:jefframnani/b:c5449cba89ca/‘Like the Sixth Finger in an AI-Rendered Hand’2024-01-20T22:18:59+00:00
https://daringfireball.net/2024/01/the_sixth_finger
jefframnaniI’m up to at least half a dozen instances now where group chat discussions have turned to concerns that Apple might assert the same demand for a 27 percent cut of all Mac software. Meaning not just apps in the Mac App Store, but apps from outside the Mac App Store — even apps that are only available outside the Mac App Store. Even apps from developers who don’t have any apps in the Mac App Store. There’s now genuine concern that Apple is going to declare that they want a 27/12 percent revenue cut from all Mac software, full stop.]]>apple software macOS monopoly business AppStore mac ios enshittificationhttps://pinboard.in/u:jefframnani/b:4e0b64d18507/q3k :blobcatcoffee:: "I can finally reveal some research I've been involved with over the past year or so." - Warsaw Hackerspace Social Club2023-12-06T00:40:20+00:00
https://social.hackerspace.pl/@q3k/111528162462505087
jefframnanitransportation security fraud software copyright repairability government research mastodonhttps://pinboard.in/https://pinboard.in/u:jefframnani/b:ee780e619092/See the History of a Method with git log -L2023-11-10T23:22:56+00:00
https://calebhearth.com/git-method-history
jefframnanigit programming dvcs software archaeology database search StaticAnalysishttps://pinboard.in/https://pinboard.in/u:jefframnani/b:42955a659c0b/Bitten by the Black Box of iCloud2023-10-29T17:24:47+00:00
https://mjtsai.com/blog/2023/10/27/bitten-by-the-black-box-of-icloud/
jefframnaniux software apple quality icloud cloud devopshttps://pinboard.in/u:jefframnani/b:29f44d163441/Tool Safety: A Beautiful Soup zine2023-09-28T18:43:00+00:00
https://www.crummy.com/software/BeautifulSoup/zine/
jefframnaniTool Safety is a zine I wrote in 2017 about what writing Beautiful Soup taught me about software development.
]]>ethics software programming pythonhttps://pinboard.in/https://pinboard.in/u:jefframnani/b:78d0e11995e1/Unit-testing a web service in Rust - Julio Merino (jmmv.dev)2023-07-13T16:40:57+00:00
https://jmmv.dev/2023/07/unit-testing-a-web-service.html
jefframnanirust testing solid software design programming qualityhttps://pinboard.in/https://pinboard.in/u:jefframnani/b:0a293d38516d/CITCON2023-06-20T01:39:50+00:00
https://citconf.com/
jefframnanicontinuousintegration testing software programming conferencehttps://pinboard.in/https://pinboard.in/u:jefframnani/b:09d57b210fce/The Python Language Summit 2023: What is the Standard Library for?2023-05-30T22:01:34+00:00
https://pyfound.blogspot.com/2023/05/the-python-language-summit-2023-what-is.html
jefframnanipython software evolution opensourcehttps://pinboard.in/https://pinboard.in/u:jefframnani/b:537b6c0b4607/The evolution of React APIs and code reuse2023-05-28T01:49:15+00:00
https://frontendmastery.com/posts/the-evolution-of-react-patterns/
jefframnaniFunctions and hooks simplified this by removing the outer class shell, allowing us to focus solely on the render function. Where everything gets recreated each render, and so we rediscovered that we need to be able to preserve things between render cycles.
For those familiar with classes, this revealed a new perspective on React that was there from the beginning. APIs like useCallback and useMemo were introduced so we could define what should be preserved between re-renders.
Having to explicitly manage dependency arrays, and think about object identities all the time, on top of the syntax noise of the hooks API, felt like a worse developer experience to some. For others, hooks greatly simplified both their mental model of React and their code.]]>javascript react ui software evolution design patterns oop FunctionalProgramminghttps://pinboard.in/https://pinboard.in/u:jefframnani/b:2fed21980e32/MotherDuck: The Simple Joys of Scaling Up2023-05-19T16:26:03+00:00
https://motherduck.com/blog/the-simple-joys-of-scaling-up/
jefframnaniIn order to be able to index every website everywhere, Google invented a new model for computation; by applying functional programming and distributed systems algorithms, they achieved almost infinite scale without requiring the purchase of “big iron” hardware. Instead of bigger computers, they could just tie together a lot of small computers with clever software. This was “scaling out” to more machines instead of “scaling up” to bigger ones.
Google published a series of three papers in rapid succession that changed the way people build and scale software systems. These papers were GFS (2003) which tackled storage, MapReduce (2004) which handled computation, and BigTable (2006) which had the rudiments of a database.
Doug Cutting, who implemented the techniques in these papers and released them as open source, said, “Google is living a few years in the future and sending the rest of us messages.”
It is difficult to overstate the impact of the architectural change heralded by the scale-out revolution. If you’re building “serious” infrastructure, these days, you have to scale out via a complex distributed system. This has led to popularization of new techniques for consensus protocols, new ways of deploying software, and more comfort with relaxed consistency. Scale up was limited to legacy code bases that clung to their single-node architectures.
This seems like where it has come full circle. Over ten years after the Dremel paper was published, core counts and memory have finally achieved enough density to do a lot of work on one machine.
The Dremel paper, written in 2008, included some benchmarks running a 3,000 node Dremel system against an 87 TB dataset. Today you can get equivalent performance on a single machine.
At the time, Dremel’s capabilities seemed impossible without indexes or pre-computed results; everyone else in the database world was trying to avoid table scans, but they said, “Nah, we’re just going to do table scans really fast and turn every query into a table scan.” By throwing huge numbers of machines at problems, they were able to achieve performance that seemed like black magic. Fifteen years later, we can get similar performance without resorting to any magic at all, or even a distributed architecture.
On availability. This has been my experience as well. The results have been mixed for the distributed systems I worked on. Meanwhile, at the stock exchange, our uptime was excellent while I was there.
Scale out architectures are generally considered to be more reliable; they are designed to be able to keep running despite lots of different types of failures. However, scale out systems haven’t significantly improved reliability, and you can get good enough reliability from scaling up.
Availability in the cloud is often dominated by external factors; someone fat-fingers a configuration and resizes a cluster to 0 (this happened briefly in BigQuery several years ago), network routing gets messed up (the cause of historical multi-service Google outage), the auth service you rely upon is down, etc. Actual SLA performance can be dominated by these factors, which can cause correlated failures when failures happen across multiple systems and products.
In general, it's easier to diagnose performance issues on a single, large node than a distributed system. Although individual machines can be a kind of big city to find an issue in, too. But the debugging tools are often much better. e.g. dtrace, eBPF, etc.
Deploying and maintaining single node systems are generally a lot easier. They are up or they are down. The more moving parts you have, the greater the number of things that can go wrong and the higher the likelihood. Single nodes have one place to look for problems, and the problems they have are easier to diagnose.
]]>programming architecture performance distributed bigdata google history software evolution hardware BestOfhttps://pinboard.in/https://pinboard.in/u:jefframnani/b:be3995e575fe/XUL Layout is gone | Words2023-04-03T00:25:04+00:00
https://crisal.io/words/2023/03/30/xul-layout-is-gone.html
jefframnanibrowser firefox software evolution uihttps://pinboard.in/https://pinboard.in/u:jefframnani/b:286f6ce2180a/The Unix process API is unreliable and unsafe2023-03-23T17:04:53+00:00
http://catern.com/process.html
jefframnaniprocess linux api software evolutionhttps://pinboard.in/https://pinboard.in/u:jefframnani/b:30a2f997678b/A Color Coded Guide to Ports and Adapters | 8th Light2023-03-14T23:34:44+00:00
https://8thlight.com/insights/a-color-coded-guide-to-ports-and-adapters
jefframnaniprogramming design patterns software architecturehttps://pinboard.in/https://pinboard.in/u:jefframnani/b:bdf604cb473f/endoflife.date2023-01-25T17:16:38+00:00
https://endoflife.date/
jefframnanisecurity software support opensourcehttps://pinboard.in/https://pinboard.in/u:jefframnani/b:317a4bc5dff1/Rethinking Classical Concurrency Patterns.pdf - Google Drive2022-12-28T21:51:42+00:00
https://drive.google.com/file/d/1nPdvhB0PutEJzdCq5ms6UI58dp50fcAN/view
jefframnanidesign asynchronous pattern golang concurrency softwarehttps://pinboard.in/https://pinboard.in/u:jefframnani/b:f705569b19d2/The Syntax Cliff2022-12-26T19:41:04+00:00
https://elm-lang.org/news/the-syntax-cliff
jefframnaniTrying to improve error messages seems like a worthwhile idea, so why is it uncommon for compilers to have syntax error messages like this? And why did it take so long for Elm to prioritize this project? I think part of the answer is survivorship bias.
Syntax errors are highly concentrated in the first weeks with a language, and people are particularly vulnerable in this time. When a beginner asks themselves why something is hard, it is easy to think, "Because I am bad at it!" And it is easy to spiral from there. "I heard it was hard. I was not super confident I could do it anyway. Maybe I just suck at this. And if this is what programming feels like, there is no chance I want to be doing this with my life!" People who fall off the cliff cannot share their perspective in meetups, online forums, conferences, etc. They quit! They are not in those places!
As for people who make it past the cliff, many do not shake off that initial confidence blow. They use the language, but not with enough confidence to think that their problems should be handled by a language designer. "Oh, that again. I will never learn!"
]]>elm programming learning education debugging compilers design softwarehttps://pinboard.in/https://pinboard.in/u:jefframnani/b:8d7548ff0393/Software Engineering Intelligence - CodeScene2022-11-04T15:34:02+00:00
https://codescene.com/
jefframnaniprogramming software StaticAnalysis metrics architecturehttps://pinboard.in/https://pinboard.in/u:jefframnani/b:83adda9c481b/Quality Is Systemic - Jacob Kaplan-Moss2022-10-19T14:19:33+00:00
https://jacobian.org/2022/sep/9/quality-is-systemic/
jefframnaniSoftware quality is more the result of a system designed to produce quality, and not so much the result of individual performance. That is: a group of mediocre programmers working with a structure designed to produce quality will produce better software than a group of fantastic programmers working in a system designed with other goals.]]>programming quality software management culture SystemsThinking BestOf leadershiphttps://pinboard.in/u:jefframnani/b:8e913d68b22e/Historical Dates2022-09-24T19:22:12+00:00
https://xkcd.com/2676/
jefframnanihistory technology software anthropology evolution archaeologyhttps://pinboard.in/u:jefframnani/b:8aa2223f2671/Episode 520: John Ousterhout on A Philosophy of Software Design : Software Engineering Radio2022-09-17T17:08:12+00:00
https://www.se-radio.net/2022/07/episode-520-john-ousterhout-on-a-philosophy-of-software-design/
jefframnanipatterns evolution complexity software design solid interview audio BestOfhttps://pinboard.in/u:jefframnani/b:a5b2b7705517/Software Mimicry • Hillel Wayne2022-08-30T19:51:21+00:00
https://www.hillelwayne.com/post/software-mimicry/
jefframnaniprogramming language design patterns software evolutionhttps://pinboard.in/https://pinboard.in/u:jefframnani/b:bf28b6887842/Principles Wiki [Principles Wiki]2022-08-06T00:17:18+00:00
http://principles-wiki.net/start
jefframnaniprogramming design software engineering patterns wikihttps://pinboard.in/https://pinboard.in/u:jefframnani/b:8abad4783ee5/The Codeless Code: Case 154 A Bridge To Nowhere2022-07-17T16:34:57+00:00
http://thecodelesscode.com/case/154
jefframnaniThe builder said to Kaimu: “I have heard your monks speak of themselves as ‘software engineers.’ As a true engineer I find such talk absurd...
]]>engineering humor software programminghttps://pinboard.in/u:jefframnani/b:c4987420633f/PowerPhotos - Merge Mac Photos libraries, find duplicate photos, and more2022-07-04T18:35:20+00:00
https://www.fatcatsoftware.com/powerphotos/
jefframnanimacos software photographyhttps://pinboard.in/u:jefframnani/b:36877c949c6c/Sharetribe Go becomes source-available after being open-source for 8 years | by Juho Makkonen | Better sharing | Medium2022-05-28T19:34:28+00:00
https://medium.com/bettersharing/sharetribe-go-becomes-source-available-after-being-open-source-for-8-years-bb43c410da53
jefframnanilicense coop legal software business opensourcehttps://pinboard.in/u:jefframnani/b:77c3552a14b0/Software Art Thou: Glenn Vanderburg - Real Software Engineering - YouTube2022-05-28T00:19:25+00:00
https://www.youtube.com/watch?v=RhdlBHHimeM&list=WL&index=99
jefframnaniprogramming software engineering video presentation career sciencehttps://pinboard.in/https://pinboard.in/u:jefframnani/b:4864399066d3/SOLID: the next step is Functional2022-05-21T17:07:53+00:00
https://blog.ploeh.dk/2014/03/10/solid-the-next-step-is-functional/
jefframnanidesign solid oop functionalprogramming software programminghttps://pinboard.in/u:jefframnani/b:d2aa17f76228/The Google Incentive Mismatch: Problems with Promotion-Oriented Cultures | Warp2022-05-18T02:29:07+00:00
https://www.warp.dev/blog/problems-with-promotion-oriented-cultures
jefframnaniThe main problem with promotion-oriented culture is that it’s very hard to align promotion-criteria with business objectives, and so engineers end up doing a lot of work that doesn’t necessarily most benefit the product, users, or business – or even potentially their own growth.
For instance, when I was leading Google Sheets, we had a lot of small bugs and usability issues, often in areas where we weren’t at parity with Excel. Users wanted us to implement disjoint selections, fix our charting UI, add the ability to insert and delete ranges of cells – pretty standard spreadsheet fare, and very reasonable requests.
However it was a constant struggle to prioritize these types of issues vs. “bigger impact” projects. Our engineers cared about the product and wanted to polish it. But they also wanted to be promoted. And so we would deprioritize product polish for projects that looked better to a promotion committee.
A summary of the problems.
To sum up the problems…
From a business perspective, promotion-driven cultures decrease productivity and increase cost per engineer.
From a product perspective, managers create new, confusing, internally competing products while existing products languish or are sunset, because one of the best ways to get promoted is to launch something new.
From a cultural perspective, for engineers who really care about the products they are building, promo-culture creates a demoralizing situation, sometimes forcing engineers to choose between doing what’s best for users or what’s best for their career.
]]>google software management qualityhttps://pinboard.in/u:jefframnani/b:a93b5c6c04fd/I want off Mr. Golang's Wild Ride2022-04-29T04:42:35+00:00
https://fasterthanli.me/articles/i-want-off-mr-golangs-wild-ride
jefframnaniOver and over, Go is a victim of its own mantra - "simplicity".
It constantly takes power away from its users, reserving it for itself.
It constantly lies about how complicated real-world systems are, and optimize for the 90% case, ignoring correctness.
It is a minefield of subtle gotchas that have very real implications - everything looks simple on the surface, but nothing is.
This fake "simplicity" runs deep in the Go ecosystem. Rust has the opposite problem - things look scary at first, but it's for a good reason. The problems tackled have inherent complexity, and it takes some effort to model them appropriately.
]]>golang quality software programminghttps://pinboard.in/u:jefframnani/b:36eea1234faa/Hector Martin on Twitter: "Well, this is unfortunate. It turns out Apple's custom NVMe drives are amazingly fast - if you don't care about data integrity. If you do, they drop down to HDD performance. Thread." / Twitter2022-04-24T14:00:19+00:00
https://mobile.twitter.com/marcan42/status/1494213855387734019
jefframnanimacos apple quality softwarehttps://pinboard.in/u:jefframnani/b:716f4cf33390/It Will Never Work in Theory2022-04-23T04:37:57+00:00
https://neverworkintheory.org/
jefframnaniThe aim of this blog is to be a bridge between researchers and practitioners. Each post highlights some useful results from studies past and present in the hope that this will encourage discussion of what we know, what we think we know that ain't actually so, why we believe some things but not others, and what questions should be tackled next. ]]>research papers programming ComputerScience software engineering videohttps://pinboard.in/u:jefframnani/b:bc3dfad47ff4/Moving from 1Password to KeePass - TidBITS2022-04-17T01:50:38+00:00
https://tidbits.com/2022/04/11/moving-from-1password-to-keepass/
jefframnaniIt was some trouble to set up, but for me, it was worth it to gain sovereignty over my password database. It’s now held right here in my home, with multiple encrypted backups both here and off-site. I don’t have to worry about a cloud service being taken offline or going out of business.
So, if you’re unhappy with 1Password’s direction and want more control over your data, check out KeePass and its open-source brethren.
]]>password security opensource 1password software qualityhttps://pinboard.in/u:jefframnani/b:89221df34e76/Are We Really Engineers? • Hillel Wayne2022-03-27T03:41:42+00:00
https://www.hillelwayne.com/post/are-we-really-engineers/
jefframnaniIn the US, you don’t need a license to practice any kind of engineering. You need a license to be a “principal engineer”, a.k.a. the person who formally signs off on plans as valid. But the engineers working under the principal engineer don’t need to be accredited and often are not. In fact many of them don’t even have formal training as engineers.
I agree with this assesstment about why this question is important.
Many people have asked me why I care so much about this project. Why does it matter whether or not software is “really” engineering? Why can’t we just say that “software is software”? It’s because of these misconceptions. People have a stereotyped notion of what engineering looks like. Because software doesn’t look like the stereotype, they assume that we are wholly unlike engineering. The engineering disciplines have nothing to teach us. We are breaking pristine ground and have no broader history to guide us.
In contrast, if we are doing engineering, then we have a landmark. We can meaningfully compare and contrast the work we do as software engineers from the work that others do as traditional engineers. We can adapt their insights and watch for their pitfalls. We can draw upon the extant knowledge of our society to make better software.
]]>professional programming engineering software BestOfhttps://pinboard.in/u:jefframnani/b:bdc554c8835b/1Password 8: The Story So Far2022-03-14T19:47:01+00:00
https://blog.1password.com/1password-8-the-story-so-far/
jefframnani1password software evolution business macos ios linuxhttps://pinboard.in/u:jefframnani/b:0e5c8a8fea90/Don't Let the Internet Dupe You, Event Sourcing is Hard2022-02-08T16:37:26+00:00
https://chriskiehl.com/article/event-sourcing-is-hard
jefframnaniIn practice, this manages to somehow simultaneously be both extremely coupled and yet excruciatingly opaque. The idea of a keeping a central log against which multiple services can subscribe and publish is insane. You wouldn't let two separate services reach directly into each other's data storage when not event sourcing – you'd pump them through a layer of abstraction to avoid breaking every consumer of your service when it needs to change its data – However, with the event log, we pretend this isn't the case. "Reach right on in there and grab those raw data events", we say. They're immutable "facts" after all. And Immutable things don't change, right?
Debuggability is a challenge that needs to be considered.
If you fight through the above obstacle and manage to successfully wire a fleet of services together via an event stream, you'll be rewarded with a new problem: opacity. With multiple systems just reading an event stream sans any coordination layer, how these system actually work and connect together will eventually be completely baffling. You've basically got all the problems that come with Observer heavy code, but now on the system level.
You’re swimming upstream and need to build everything yourself. There isn’t a framework for this architecture pattern you can choose.
And once you're into the implementation stage, you'll realize something else: the shear volume of plumbing code involved is staggering. Instead of your friendly N-tier setup, you've now got classes for commands, command handlers, command validators, events, aggregates, AND THEN your projections, those model classes, their access classes, custom materialization code, and so on. Getting from zero to working baseline requires significant scaffolding. Now, admittedly, how much this hurts is somewhat language dependent, but if you're is an already verbose language like Java (like I was), your fingers will be tired at the end of each day.
As a final point on the Getting Started side of things, there's a certain human / political cost involved. Getting an entire development team onboard philosophically is non-trivial.
The immutable log of events is a feature for auditing and point in time queries. But information evolves over time as requirements change.
Software changes, requirements change, focuses shift. Those immutable "facts," along with your ability to process them, won't last as long as you expect.
We made it about a month before a shift in focus caused us to hit our first "oh, so these events are no longer relevant, at all?" situation. Once you hit this point, you've got a decision to make: what to do with the irrelevant / wrong / outdated events.
]]>programming software architecture design patterns EventSourcing distributed BestOfhttps://pinboard.in/https://pinboard.in/u:jefframnani/b:2007491841ec/Apple turns the legislative contempt up to 112022-01-22T21:19:42+00:00
https://world.hey.com/dhh/apple-turns-the-legislative-contempt-up-to-11-7c65eeec
jefframnani"Apple, along with Google, has gambled that by technically allowing developers to charge a credit card through a different processor, but retaining the right to extract their obscene cut and eviction privileges under new names, they'll be in compliance with the letter of the law, even as they violate its spirit and intention.
Take this story on Apple's response to the Dutch competition authorities by whom they were handed a clear if narrow demand: No more forcing dating app developers to pay your obscene take! To which Apple responded, like Google in South Korea, that sure, they'll allow such apps to run transactions through their own payment processor, but it'll still be through Apple's APIs so they can monitor all payment flows, and they'll just take their cut as a "platform fee" instead of a "payment fee". Rendering the entire exercise to allow developers competitive options moot, and making a fool out of the Dutch.
It's a clear sign that monopoly power has metastasized when it feels this confident in its ability to mock and embarrass the democratic institutions that it in theory must answer to. The practice of trillion-dollar might is that it'll yield political rights too. Which of course is the classical warning about letting monopoly power grow unchecked: Eventually it's not just about the capture of economics, but soon too the capture of politics."
As with oil, railroads, trusts, and telecoms, the fight against monopoly capture is the fight against a many-headed hydra. Even if you cut off one head with a new law, it might well grow back two heads of new transgressions. That's what we've seen so far in South Korea and The Netherlands. Developers extraordinarily end up worse than were they were, if they try to take advantage of the statutory relief they were granted by lawmakers and regulators.
]]>monopoly appstore apple software business mobilehttps://pinboard.in/u:jefframnani/b:3254aa7aee53/Michael Tsai - Blog - iOS 15 Autocorrect2021-12-30T23:42:23+00:00
https://mjtsai.com/blog/2021/12/27/ios-15-autocorrect/
jefframnaniios apple software quality MachineLearninghttps://pinboard.in/https://pinboard.in/u:jefframnani/b:d1a24e036470/Apple needs to throw away their crowd sourced machine learning model for autocorrect2021-12-28T00:54:24+00:00
https://mobile.twitter.com/stroughtonsmith/status/1469187109169037313
jefframnaniquality apple software machinelearning twitter ioshttps://pinboard.in/u:jefframnani/b:1f80fe5b11a2/PhotoStructure2021-12-14T06:44:09+00:00
https://photostructure.com/
jefframnaniphotography software management library selfhosted linux macos windowshttps://pinboard.in/https://pinboard.in/u:jefframnani/b:c49b190f17ff/JUXT Blog - Abstract Clojure2021-11-26T17:59:47+00:00
https://www.juxt.pro/blog/abstract-clojure
jefframnaniclojure design patterns solid software quality programminghttps://pinboard.in/https://pinboard.in/u:jefframnani/b:e1c37fa2ff06/Cassidy on GNOME, Themes, and More ⋅ elementary Blog2021-11-26T02:02:43+00:00
https://blog.elementary.io/linux-experiment-interview-cassidy-james-blaede-gnome-themes-libadwaita/
jefframnanignome desktop linux ui software design qualityhttps://pinboard.in/u:jefframnani/b:d5c1fc0e2a5c/That grumpy BSD guy: What every IT person needs to know about OpenBSD2021-10-17T17:59:35+00:00
https://bsdly.blogspot.com/2021/09/what-every-it-person-needs-to-know.html
jefframnaniAll of those features have been integrated in the OpenBSD source tree, and with the developers admonished to adhere to the rule
> "where it is possible to spot damage, fail hard".
which means that poorly written software will crash a lot more often on OpenBSD than elsewhere. That in itself should make the platform attractive to developers. Exposing your code to a hostile environment and see it perform or fail can be quite entertaining and enlightening.
OpenBSD started in a different time. This was early in the crypto wars.
Security is a many-faceted topic. Early on, OpenBSD stood out as the system that included real crypto in the base system, to the extent that exporting OpenBSD source code from the United States was technically illegal under that country's munitions export restrictions as they were defined at the time.
Fortunately for us, the project was always coordinated from Canada by undisputed project leader Theo de Raadt who lives in Canada. There is anecdotal evidence that US based developers would trek across the border for hackathons with clean slate equipment to install OpenBSD while in Canada and hack, that is, work on the system and would then legally bring the result back with them.
Interesting. LibreSSL didn’t cross my radar until Heartbleed.
People tell me they think that the reason LibreSSL was created was the Heartbleed bug, but no, actually not, just damn close.
The LibreSSL project was in fact started a few weeks before heartbleed became common knowledge. LibreSSL is the result of a group of OpenBSD developers taking the existing OpenSSL code and starting to fix it.
This time it was not a matter of a bad license. No, this was the result of the number of OpenBSD developers who took a look at the OpenSSL code that had been part of the OpenBSD base system since quite early on, and turned away in disgust and with symptoms of physical pain, reached a critical mass of sorts. I had heard OpenBSD developers complain about the absolute horror of the OpenSSL code for at least ten years. The code quality was just that bad.
]]>software quality openbsd opensource bsd history securityhttps://pinboard.in/u:jefframnani/b:9be9ca6e454d/The Sourceware Operating System Proposal2021-10-09T16:59:11+00:00
https://www.landley.net/history/mirror/unix/srcos.html
jefframnaniThe Sourceware Operating System Proposal "This document is an assessment of the condition of Unix, and a proposal to improve the condition of Unix on the desktop. To get a quick reading, the reader may scan for the high lighted bars; they are a summary of the key points of each section. The organization of the document is background on the state of Unix, background on the efforts to fix Unix, a digression on why bother with fixing Unix, a suggestion for how to start Unix on the path to healthiness, more details on the health plan, details on managing the resulting system, alternatives to this plan, questions and answers, and finally, acknowledgments."
The document summary pretty much nailed it. The author thought if Unix companies couldn’t get their act together, then Microsoft and Linux would replace them.
Microsoft is a big threat to all Unix vendors. We have a chance of beating Microsoft by changing the rules, by insisting that basic enabling software be freely available. This will do nothing but improve Unix platform sales while at the same time devaluing Microsoft's cash cows: DOS and Windows.
The business model for software, particularly enabling software such as operating systems and windowing systems, is changing. The customers and the developers are no longer willing tolerate anything other than high quality, well supported operating systems at low cost. People have become so impatient with the vendors that they are reinventing their own versions of what was once only available from the vendor.
Free software could make the Unix market a vibrant thriving market once again. The current model of incompatible proprietary version of Unix is clearly not working, millions of marketing dollars notwithstanding.
We should move forward towards the sourceware model. There is much work to be done; Solaris 1.x on Intel, system administration, small footprint desktops, embedded Solaris, etc., etc. Rather than arguing amongst ourselves, lets work out an agreement now and move forward. To delay is to give Microsoft time enough to own the entire market.
]]>unix history sun opensource software oshttps://pinboard.in/u:jefframnani/b:2c371baf6e76/How Big Tech Runs Tech Projects and the Curious Absence of Scrum - by Gergely Orosz - The Pragmatic Engineer2021-10-01T01:12:21+00:00
https://newsletter.pragmaticengineer.com/p/project-management-in-tech
jefframnaniTeams with dedicated project managers typically recorded lower satisfaction ratings at public or venture-funded tech companies. However, at non-venture funded companies and consultancies, several respondents were very happy with project management, and called out these people as a reason for their satisfaction.
This lines up with what Dan Pink lays out in Drive. Autonomy is a big part of job satisfaction.
Team autonomy and high satisfaction seemed to be correlated. Many people rating their satisfaction as 4 or 5 mentioned autonomy, freedom and flexibility, and the putting of quality first at the team level, as a positive.
Lol at how much people hate on JIRA.
JIRA has been mentioned mostly with negative associations: all 13 mentions of JIRA were in this setting. Being able to get things done without working much with JIRA was mentioned as a positive. Additionally, a recently IPOed, high-growth tech company moved over to JIRA and ran a survey among engineers. It measured a Net Promoter Score (NPS) of -83. This is staggeringly low, and means that 83% of engineers would advise against JIRA.
Approaches that do not work well. This one sounds familiar.
Engineers not involved in estimations that the team then committed to, is a frequent pain point. In my view, it’s one of the easiest ways to demotivate engineers – to the point of some leaving – and also to get a false sense of what a team can achieve.
The difference between tech-focused companies and traditional companies that happen to be doing some tech work in the environment. A high-trust environment encourages curious problem-solving.
Curious problem solvers, not mindless resources. A motivated engineer easily makes multiple times the impact of a "factory worker" who only does what they’re told. For organizations with a factory worker attitude, this approach will bias towards more heavyweight project management approaches that leave little room for interpretation, on purpose.
When I talk about Industrial Scale Tech companies with people. They often don't get the metaphor. This sums it up quite well. Does your little company have the resources to invest in tooling the way these billion dollar monoliths can?
Much of Big Tech has recognized how first-class infrastructure and developer tooling make a big difference to the productivity for engineering teams. This is why 30-40% of engineering often works on platform teams and is why Uber invested heavily in platform teams. With first-class infrastructure and platforms ready to use, teams can focus on their core work goals, over figuring out how to set up infrastructure, or how to make a service compliant.
]]>agile management projectmanagement scrum programming BestOf business technology softwarehttps://pinboard.in/https://pinboard.in/u:jefframnani/b:693980303af0/Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program / Habr2021-09-24T16:04:50+00:00
https://habr.com/en/post/579714/
jefframnaniapple security ios software qualityhttps://pinboard.in/https://pinboard.in/u:jefframnani/b:af1e5d93b3c2/Michael Tsai - Blog - More Big Sur UI Refinements2021-07-24T17:44:21+00:00
https://mjtsai.com/blog/2020/10/30/more-big-sur-ui-refinements/
jefframnanimacos BigSur configuration software design qualityhttps://pinboard.in/https://pinboard.in/u:jefframnani/b:09bb1cfd091d/State of the Windows: How many layers of UI inconsistencies are in Windows 10? – NTDEV2021-06-25T03:15:07+00:00
https://ntdotdev.wordpress.com/2021/02/06/state-of-the-windows-how-many-layers-of-ui-inconsistencies-are-in-windows-10/
jefframnaniwindows microsoft software evolution design patterns uihttps://pinboard.in/u:jefframnani/b:007a635d6eaf/Computer Security and the Internet: Tools and Jewels2021-06-19T03:26:01+00:00
https://people.scs.carleton.ca/~paulv/toolsjewels.html
jefframnaniebook book security software programming tutorial cryptographyhttps://pinboard.in/https://pinboard.in/u:jefframnani/b:214e6a66b7fd/Safari 15 and Chickenshit Minimalism2021-06-18T05:42:23+00:00
https://pxlnv.com/blog/safari-15-chickenshit-minimalism/
jefframnaniOver the past several releases of MacOS and iOS, Apple has experimented with hiding controls until users hover their cursor overtop, click, tap, or swipe. I see it as an extension of what Maciej Cegłowski memorably called “chickenshit minimalism”. He defined it as “the illusion of simplicity backed by megabytes of cruft”; I see parallels in a “junk drawer” approach that prioritizes the appearance of simplicity over functional clarity. It adds complexity because it reduces clutter, and it allows UI designers to avoid making choices about interface hierarchy by burying everything but the most critical elements behind vague controls.]]>apple design software quality macos ioshttps://pinboard.in/u:jefframnani/b:c11ab6e1db25/Software Design for Flexibility: How to Avoid Programming Yourself into a Corner | IndieBound.org2021-06-08T23:29:08+00:00
https://www.indiebound.org/book/9780262045490
jefframnanilisp book sicp software programming evolutionhttps://pinboard.in/https://pinboard.in/u:jefframnani/b:81cca72c182b/Michael Tsai - Blog - On Walled Gardens2021-06-08T01:39:48+00:00
https://mjtsai.com/blog/2021/06/07/on-walled-gardens/
jefframnaniapple monopoly business software culture AppStorehttps://pinboard.in/u:jefframnani/b:91547e59e2a8/On the Diverse And Fantastical Shapes of Testing2021-06-06T17:20:03+00:00
https://martinfowler.com/articles/2021-test-shapes.html
jefframnaniThe terms “unit test” and “integration test” have always been rather murky, even by the slippery standards of most software terminology. As I originally understood it, they were primarily an organizational issue. Let's go back to the days of large waterfall software projects. I'm working on a hunk of code for several months. I may be working on it alone, or in a small team. Either way I think of this hunk as a conceptual unit which we can work on in relative separation from its neighbors. Once we've finished coding it we can hand it off to the unit testing team, who then test that unit on its own. After a month or two to make those tests work, we can then integrate it with its neighbors and carry out integration tests against a larger part of the system, or indeed the entire system. The key distinction is that the unit tests test my/our code in isolation while integration tests how our code works with code developed separately.
Of course, the technology is the easy part, the humans are the hard part. Because these terms are poorly defined people will use the same words but mean something very different.
This semantic picture is made even muddier by the definition of Integration Test, which makes “unit test” look tightly defined. The take-away here is when anyone starts talking about various testing categories, dig deeper on what they mean by their words, as they probably don't use them the same way as the last person you read did.
]]>programming testing software history MartinFowlerhttps://pinboard.in/https://pinboard.in/u:jefframnani/b:dc4b9261bc68/ongoing by Tim Bray · Testing in the Twenties2021-06-05T20:06:22+00:00
https://www.tbray.org/ongoing/When/202x/2021/05/15/Testing-in-2021
jefframnanisoftware programming testing qualityhttps://pinboard.in/u:jefframnani/b:22c6dada55a8/Against Packaging Rust Crates — Firstyear's blog-a-log2021-05-29T17:56:25+00:00
https://fy.blackhats.net.au/blog/html/2021/02/16/against_packaging_rust_crates.html
jefframnani"We need to stop thinking that Rust is like C. We have to accept that language native tools are the interface people will want to use to manage their libraries and distribute whole applications. We must use our time more effectively as distributions.
If we focus on supporting vendored Rust applications, and developing our infrastructure and tooling to support this, we will attract new contributors by lowering barriers to entry, but we will also have a stronger ability to contribute back to upstreams, and we will simplify our building and packaging processes.
Today, tools like docker, podman, flatpak, snapd and others have proven how bundling/vendoring, and a focus an applications can advance the state of our ecosystems. We need to adopt the same ideas into distributions. Our package managers should become a method to ship applications - not libraries.]]>rust software packaging deployment linux sysadmin programminghttps://pinboard.in/https://pinboard.in/u:jefframnani/b:f5fd785ad2e3/Context – React2021-05-22T17:35:47+00:00
https://reactjs.org/docs/context.html
jefframnanijavascript react software design patterns FunctionalProgramminghttps://pinboard.in/https://pinboard.in/u:jefframnani/b:892913029964/The Full Story of the Stunning RSA Hack Can Finally Be Told | WIRED2021-05-22T02:32:07+00:00
https://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/
jefframnaniIn the decade that followed, many key RSA executives involved in the company’s breach have held their silence, bound by 10-year nondisclosure agreements. Now those agreements have expired, allowing them to tell me their stories in new detail. Their accounts capture the experience of being targeted by sophisticated state hackers who patiently and persistently take on their most high-value networked targets on a global scale, where an adversary sometimes understands the interdependencies of its victims’ systems better than victims do themselves, and is willing to exploit those hidden relationships.]]>security software 2fa historyhttps://pinboard.in/u:jefframnani/b:694ca700237b/Buffer overruns, license violations, and bad code: FreeBSD 13’s close call2021-03-28T17:45:01+00:00
https://arstechnica.com/gadgets/2021/03/buffer-overruns-license-violations-and-bad-code-freebsd-13s-close-call/
jefframnani
How did so much sub-par code make it so far into a major open source operating system? Where was the code review which should have stopped it? And why did both the FreeBSD core team and Netgate seem more focused on the fact that the code was being disparaged than its actual quality?
Lol at Netgate trying to accuse people of “irresponsible disclosure of zero days” while pointing out bugs during code review of a *release candidate* beta build. Nice try losers. Your fault for shipping it to customers when it *clearly* hadn’t been reviewed by anyone at Netgate.
Look if you're trying to integrate your broken code into an upstream project and someone says "this is broken" then complaining that you've already deployed your broken code elsewhere isn't a reason for them to give you a break
People seem shocked, shocked that code reviews are hard to come by. But the truth is that they’re hard to get in open source projects. These projects are often worked on in people’s spare time and there often isn’t enough spare time to go around. Especially a smaller project with fewer members. Hell, I’ve worked at companies where it was hard to get code reviews from colleagues on internal projects for work. Not even open source. Everybody is always focused on their own work. Seems to be a common pattern.
Several FreeBSD community members would only speak off the record. In essence, most seem to agree, you either have a commit bit (enabling you to commit code to FreeBSD's repositories) or you don't. It's hard to find code reviews, and there generally isn't a fixed process ensuring that vitally important code gets reviewed prior to inclusion. This system thus relies heavily on the ability and collegiality of individual code creators.
]]>freebsd wireguard security kernel software quality business opensourcehttps://pinboard.in/u:jefframnani/b:3b995ef11efd/Hyrum's Law2021-03-04T20:07:25+00:00
https://www.hyrumslaw.com/
jefframnaniprogramming software culture evolution architecture apihttps://pinboard.in/https://pinboard.in/u:jefframnani/b:bdc2e3eb3ffc/1Password has none, KeePass has none... So why are there seven embedded trackers in the LastPass Android app? • The Register2021-02-27T19:02:01+00:00
https://www.theregister.com/2021/02/25/lastpass_android_trackers_found/
jefframnaniLastPass has many free users – is it a problem if its owner seeks to monetise them in some way? Kuketz said it is. Typically, the way trackers like this work is that the developer compiles code from the tracking provider into their application. The gathered information can be used to build up a profile of the user's interests from their activities, and target them with ads.
Even the app developers do not know what data is collected and transmitted to the third-party providers, said Kuketz, and the integration of proprietary code could introduce security risks and unexpected behaviour, as well as being a privacy risk. These things do not belong in password managers, which are security-critical, he said.]]>password software privacy securityhttps://pinboard.in/https://pinboard.in/u:jefframnani/b:5860fa76a446/Open Broadcaster Software®️ | OBS2021-02-22T18:29:09+00:00
https://obsproject.com/
jefframnaniopensource software streaming video screencasthttps://pinboard.in/https://pinboard.in/u:jefframnani/b:3b87f9a34741/Apple Platform Security Guide Reveals Focus on Vertical Integration - TidBITS2021-02-20T19:56:01+00:00
https://tidbits.com/2021/02/18/apple-platform-security-guide-reveals-focus-on-vertical-integration/
jefframnani
The future of cybersecurity is vertical integration. By vertical integration, I mean the combination of hardware, software, and cloud-based services to build a comprehensive ecosystem. Vertical integration for increased security isn’t merely a trend at Apple, it’s one we see in wide swaths of the industry, including such key players as Amazon Web Services. When security really matters, it’s hard to compete if you don’t have complete control of the stack: hardware, software, and services.
Apple controls the entire stack, including what OS’s you can install on your computer. I have a 2011 MacBook Air that is a useless brick now because Apple refuses to let me reinstall any operating system on it from the recovery boot volume. The most secure computer is one that can’t get on the network...
This process builds a secure chain of trust from the read-only boot memory all the way until the user logs in and their data is unencrypted. All the different low-level software components are cryptographically signed by Apple and tied to an encryption key burned into the Secure Enclave hardware before it leaves the factory. Apple then leverages the embedded digital certificates and security policies on the devices to ensure that only Apple operating systems can be installed, only the latest versions of those operating systems (depending on device and settings), and only when obtained from Apple.
In other words, the hardware root of trust enables the secure boot process, which relies on Apple’s cloud servers to provide the right operating system and prevent the installation of older or unauthorized/compromised operating system versions.
]]>apple security hardware software ios macoshttps://pinboard.in/u:jefframnani/b:aa7f7ff1cf63/Public media owners agree to sell Pocket Casts podcast platform | Current2021-02-15T07:44:33+00:00
https://current.org/2021/01/public-media-owners-agree-to-sell-pocket-casts-podcast-platform/?wallit_nosession=1
jefframnanipodcasting business nonprofit software apphttps://pinboard.in/u:jefframnani/b:c838ae9c202f/3 Ways to Mitigate Risk When Using Private Package Feeds - Microsoft Azure Whitepaper2021-02-10T19:32:57+00:00
https://azure.microsoft.com/en-us/resources/3-ways-to-mitigate-risk-using-private-package-feeds/
jefframnaniopensource software security SupplyChain microsofthttps://pinboard.in/https://pinboard.in/u:jefframnani/b:df8a763c26f1/Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies | by Alex Birsan | Feb, 2021 | Medium2021-02-10T18:59:38+00:00
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
jefframnaniWhile attempting to hack PayPal with me during the summer of 2020, Justin Gardner (@Rhynorater) shared an interesting bit of Node.js source code found on GitHub.
The code was meant for internal PayPal use, and, in its package.json file, appeared to contain a mix of public and private dependencies — public packages from npm, as well as non-public package names, most likely hosted internally by PayPal. These names did not exist on the public npm registry at the time.
The idea was to upload my own “malicious” Node packages to the npm registry under all the unclaimed names, which would “phone home” from each computer they were installed on.
Apparently, it is quite common for internal package.json files, which contain the names of a javascript project’s dependencies, to become embedded into public script files during their build process, exposing internal package names. Similarly, leaked internal paths or require() calls within these files may also contain dependency names. Apple, Yelp, and Tesla are just a few examples of companies who had internal names exposed in this way.
I originally thought that this issue would be easy to fix by exclusively using an internal package repository. But, most repositories you'd run internally are proxy-caches that would be vulnerable to an attacker squatting on your name and publishing a higher version number. Information leakage of internal package names is still an issue with internal repositories that use a "highest version number" algorithm to determine which package to hand out to the user.
JFrog Artifactory, a piece of software widely used for hosting internal packages of all types, offers the possibility to mix internal and public libraries into the same “virtual” repository, greatly simplifying dependency management. However, multiple customers have stated that Artifactory uses the exact same vulnerable algorithm described above to decide between serving an internal and an external package with the same name. At the time of writing, there is no way to change this default behavior.
]]>security software packaging dependency SupplyChain BestOfhttps://pinboard.in/https://pinboard.in/u:jefframnani/b:ed02cb52cca2/Accused murderer wins right to check source code of DNA testing kit used by police • The Register2021-02-08T21:19:05+00:00
https://www.theregister.com/2021/02/04/dna_testing_software/
jefframnaniThe maker of the software, Cybergenetics, has insisted in lower court proceedings that the program's source code is a trade secret. The co-founder of the company, Mark Perlin, is said to have argued against source code analysis by claiming that the program, consisting of 170,000 lines of MATLAB code, is so dense it would take eight and a half years to review at a rate of ten lines an hour.]]>software science legal opensource matlabhttps://pinboard.in/https://pinboard.in/u:jefframnani/b:664773cc1f8c/Another SolarWinds Orion Hack - Schneier on Security2021-02-05T02:28:17+00:00
https://www.schneier.com/blog/archives/2021/02/another-solarwinds-orion-hack.html
jefframnaniTwo takeaways: One, we are learning about a lot of supply-chain attacks right now. Two, SolarWinds’ terrible security is the result of a conscious business decision to reduce costs in the name of short-term profits. Economist Matt Stoller writes about this: ...]]>security software finance business culture BruceSchneierhttps://pinboard.in/u:jefframnani/b:60378fe20f56/Stripe’s payments APIs: the first ten years2021-01-01T18:54:11+00:00
https://stripe.com/blog/payment-api-design
jefframnani
This means we built support for new payment methods on top of a set of abstractions that were designed for the simplest payment method of them all: cards. Naturally, abstractions designed for cards were not going to be great at representing these more complex payment flows.
The bright side is that when you do need to go back and redesign, you have the benefit of experience and hindsight from customer usage and issues. A point below is really important. During a rewrite of an API, it’s going to be easy for the engineers to fixate on things that make their lives easier, not necessarily the customer. There are some good tips after this section on brainstorming in this context.
It was much easier because we had a chance to learn from users over the years, and deeply understood the issues they encountered with our existing integration paths. We also accumulated payments domain expertise, having had years of experience iterating on our APIs. Taken together, our API design had a better chance to not repeat past mistakes.
We locked ourselves in a conference room for three months with the goal of designing a truly unified payments API. If successful, a developer would only need to understand a few basic concepts in order to build a payments integration. Even if they hadn’t heard of the payment method, they should be able to just add a few parameters to a few specific points in their integration. To enable this, the states and guarantees of our APIs had to be extremely predictable and consistent. There shouldn’t be an array of caveats and exceptions scattered throughout our docs.
A common pattern is for an api to have a god object in the domain. It’s often a User object, but there’s always something.
We didn’t like how cluttered the Charge resource had become over the last seven years, so this was not ideal. Between 2011 and 2018, the Charge resource grew from having 11 properties to 36 properties and Charge creation grew from accepting 5 parameters to 14 parameters! To make sure we don’t make the problem worse as we add more payment methods, we introduced payment_method_details, a polymorphic, typed hash on the Charge that contains payment-method-specific data.
]]>api architecture design software evolution payments brainstorminghttps://pinboard.in/u:jefframnani/b:0c530a4f23da/Evan Czaplicki - Convergent Evolution2020-12-24T01:15:42+00:00
https://youtube.com/watch?v=jl1tGiUiTtI&feature=share
jefframnanielm programming react javascript video evolution software FunctionalProgramminghttps://pinboard.in/u:jefframnani/b:cdaca9a7957a/How to run a small social network site for your friends2020-12-17T00:47:36+00:00
https://runyourown.social/
jefframnanisocial community media distributed software opensource communicationhttps://pinboard.in/https://pinboard.in/u:jefframnani/b:d3ba4ef70d26/