What I wish I had known about single page applications – Stack Overflow Blog

I settled on JHipster, a development platform for building web applications using modern technology: Angular, React or Vue for the client side, and Spring plus Gradle or Maven for the server side. It’s been around for years, is very well documented, and has great community support.

Source: What I wish I had known about single page applications – Stack Overflow Blog

I think the author hit at least one nail squarely on the head: Team size is an important consideration for the tech stack. I would argue that a Java/Angular stack is probably only appropriate for large teams, which wouldn’t need JHipster anyway. I tried it once, and it took FORTY-FIVE minutes to bootstrap a site on my top-of-the-line Dell laptop. There are an astonishing number of moving parts buried inside of it.

I’ve been using Rails for 15 years or so now, and one can argue about its strengths and weaknesses compared to other webdev toolkits, but it works really, really well for one-person “teams” writing highly-focused internal tools. I’ve spent the past month writing a single-page app in VueJS inside of my current tool, and it’s been an interesting experiment. I may have more to say about it later.

CADT Model in Action

JWZ, the arguably-most-infamous developer of Netscape, has a theory called the CADT: Cascade of Attention Deficit Teenagers. I got an email this morning as another example of the model in action.

I posted the problem to serverfault.com and opened the bug report. In my opinion, it was a good example of a fully-documented bug, which was easy to replicate. In their bug system, there were 12 “upvotes” of people saying that the bug was affecting them as well. Today, 6 years and 4 months later, the person the bug was assigned to is asking a rhetorical question to document that it’s going to be closed because the version of PHP it applies to is being sunsetted.

I still have no idea why an unavoidable bug in the stock PHP install in a major distribution didn’t cause more of a fuss, but it clearly wasn’t a show stopper. I don’t remember what I did about it as a workaround, but I guess everyone else did it too. I think I just gave up, and decided that I didn’t need a local dev instance of WordPress for this blog.

My Pre-Ruined Programming Typing

I use a “grip” on the keyboard that’s off-by-one. My right index finger hovers over the K key instead of the J. I can touch type if I concentrate, but this is just how I learned on the Vic-20, when I was 10. I convinced myself a long time ago that this was fine, as it gets me closer to all of the special keys for programming. However, several of the special keys (notably the *, @, and &) were in different places on the Vic-20 and the C64 than on a standard, modern keyboard, and it still occasionally throws me, 40 years later.

Trusty Rusty

I think I lost a programming job because, in the interview, they put me in front of a computer, and I didn’t fly through the editor with nothing but keyboard shortcuts, but it’s my weird typing method that pushes me to just use a mouse for a lot of it.

Software disenchantment @ tonsky.me

Programs can’t work for years without reboots anymore. Sometimes even days are too much to ask. Random stuff happens and nobody knows why.

What’s worse, nobody has time to stop and figure out what happened. Why bother if you can always buy your way out of it. Spin another AWS instance. Restart process. Drop and restore the whole database. Write a watchdog that will restart your broken app every 20 minutes. Include same resources multiple times, zip and ship. Move fast, don’t fix.

That is not engineering. That’s just lazy programming. Engineering is understanding performance, structure, limits of what you build, deeply. Combining poorly written stuff with more poorly written stuff goes strictly against that. To progress, we need to understand what and why are we doing.

Source: Software disenchantment @ tonsky.me

About 20 years ago, I was working as a Unix sysadmin, and sat in on a meeting about moving an internally-developed application from another data center to mine. It ran on Windows, and died, literally, every day, and required a restart of the whole machine to fix. The manager in the meeting (who, I note, I recommended not be hired, and who was fired for sexual harassment just a few months later) said, “OK, we’ll just schedule it as part of maintenance tasks to preemptively reboot the machine every night.”

I literally snorted. I asked if it were not possible to, you know, actually fix the program? Find the memory leak, or whatever the problem was? I mean, it was written by us; couldn’t we get the programmer to fix their own program? The answer was, of course, no, with the added insinuation that it was ridiculous for me to suggest that the programmer still had work to do!

About 4 years ago, I wrote a program that helped a lot of people get their jobs done much more easily and efficiently. Per Douglas Adams, “This has made a lot of people very angry and been widely regarded as a bad move.” I was forced to hand the program over to another team, where it has run, with only one tiny patch, for 4 years now. It is not a trivial program, or architecture. To my knowledge, neither the clients nor server ever crash, or need to be restarted. I’m very proud of this.

How 4 Chinese Hackers Allegedly Took Down Equifax | WIRED

While the operation had a certain degree of complexity, Equifax itself made their job much easier than it should have. It should have patched that initial Apache Struts vulnerability, for starters. And an FTC complaint from last summer also found that the company stored administrative credentials in an unsecured file in plaintext. It kept 145 million Social Security numbers and other consumer data in plaintext as well, rather than encrypting them. It failed to segment the databases, which would have limited the fallout. It lacked appropriate file integrity monitoring and used long-expired security certificates. The list goes on. Equifax didn’t just let the alleged Chinese hackers into the vault; it left the skeleton key for every safe deposit box in plain sight.

Source: How 4 Chinese Hackers Allegedly Took Down Equifax | WIRED

This whole incident deeply offends me. I don’t like that our capitalistic society has given these credit-reporting companies so much control over our lives. I don’t like that they seem to be completely unaccountable for being so integral to so much of our economy. I don’t like that they hold all the information you would need to ruin someone’s life by impersonating them online. I don’t like that they are not being prosecuted for being so flippant with personally-identifying data.

I don’t like the fact that a sovereign foreign power committed industrial espionage on a critical part of our economy. I don’t like that they already did basically the same thing to a government personnel database the year before. I don’t like that China’s government exists to begin with, given their treatment of their own people, Hong Kong, and the Uighurs. I also don’t like that China has been committing wholesale intellectual property theft for many decades. I don’t like the fact that we all know it, and nothing seems to be getting done to stop it.

The initial vulnerability the attackers leveraged was a problem in Apache Struts, which implies that Equifax’s web application uses Java. Using Java for a web application in 2017 is like driving a Model T in 1950. Sure, it was a reliable means of transportation, and revolutionary when it was introduced, but it’s 20 years out of date. It requires an inordinate amount of maintenance, and spare parts are more difficult to find. Mechanics can be lazy, because they know they have the owner of the car over a barrel, so they can charge a premium for service and take their time. There are many better options available, which start quicker, go faster, have safety features built in, and are far more comfortable.

Not all applications require encrypted this, and sharded that, and intrusion detection systems, and real-time monitoring, and everything else, but if any application needed these sorts of treatments, it would have been this one. Also, if any application needed its owners to stay on top of CVE disclosure reports, and fix affected layers of their stack, as appropriate, it would have been this one.

In short, there’s literally no good news here. Nothing will happen to China, its government, or the actual individuals named in the indictment. The punishment to Equifax is a slap on the wrist. Everyone jumped on the settlement, and now no one will get anything. Everything about this is wrong, and nothing good will come of it.

n-gate.com. we can’t both be right.

Python dicts are now ordered

February 07, 2020

A webshit has something to say about Python internals, but I couldn’t focus on the article, because the first comment on the blog post involves the text “it brings Python on par with PHP,” which is such a monumentally alien thought that I think I need medical attention. Hackernews argues about who already knew this, why, and how. Another argument breaks out about whether this is the Correct and Natural approach to data structures, or if it’s Completely Wrong and Stupid because of some ridiculous edge case nobody cares about. Most of the complaints are from people who are deeply concerned that (entirely hypothetical) existing code might break in the case its author made extremely specific assumptions about one particular data structure in a programming language directly aimed at people who do not give a shit about these topics.

Source: n-gate.com. we can’t both be right.

Arguably one of the pithiest comments on this site yet.

Nibble Stew – a gathering of development thoughts: How about not stabbing ourselves in the leg with a rusty fork?

When faced with this kind of pointless and harmful routine, one might suggest not doing it any more or replacing it with some other, more useful procedure. This does not succeed, of course, but that is not the point. The reasons you get back are the interesting thing, because they will tell you what kind of manager and coworkers you are dealing with. Here are some possible options, can you think of more?

Source: Nibble Stew – a gathering of development thoughts: How about not stabbing ourselves in the leg with a rusty fork?

I can think of another…

The Sock Puppet of the Auditor
“We hired auditors at great expense of time and money, and we’re going to do what they told us that ‘all’ companies do, no matter how inappropriate it is for us and our particular workflows.”