1. 3

    I love (and paid for!) Sublime Text, however I’m afraid that it will follow the path of previous closed source solutions. To me this means getting massive amounts of features that no one wants, or worse being abandoned (see TextMate). The only way to combat both of these is to open the source fully and let the community nurture and grow the platform.

    For these reasons I’m very happy that Github decided to open source Atom. It means that if I choose to start using it I can be comfortable in the knowledge that I can continue to use it in the future, even if Github stops developing it. The big question is whether it will get enough traction and polish to replace ST for my code slinging ways. :)

    1. 2

      TextMate is not abandoned. In fact you can build it yourself. https://github.com/textmate/textmate. The last commit was 9 days ago.

    1. 4

      The notion of this article actually resonates with my thoughts when I played ET for the first time a few months ago. I thought that it is not even half as bad as I imagined it after everything I read about it.

      1. 2

        Same. I enjoyed it as a child.

        1. 1

          The only thing I remember about this game is playing it over my girlfriend’s house and eating Reese’s Pieces. I guess the marketing worked. :)

        1. 7

          My personal experience corroborates this research; I tend to come up with ideas/solutions to problems while walking the dog or mowing the grass. Then again I also do a lot of good thinking in the shower. So, perhaps it’s not just walking but rather not sitting that enhances the idea flows. :)

          1. 6

            My personal experience as well.

            I walk 3 miles to and from work every day and, in addition to providing a nice chance to transition from “home to work” and back again, I find that most breakthroughs I have come during those 2 hours that I spend walking.

            1. 3

              I’ll third this; if I don’t end up walking on the way to / from work, I’ll take time out at night to go for a walk. I also make sure to leave my phone behind, and just disconnect for a bit (until I get to work, it’s in airplane mode). I also tend to do this if I’m working on something particularly challenging.

          1. 1

            I love the idea that Tenderlove merged it into master live on stage. :)

            Seriously, I can’t wait to get this in my production code. It seems like a no-brainer to speed up my queries.

            1. 1

              While I like the concept and love the fact that it’s hosted on Github, it’s striking how big a role “design” plays in a site’s attractiveness. Gogs looks vaguely like Github.com but has much less usability; the font choice alone is enough to make me not want to use it. It just reinforces in my mind how valuable a designer can be.

              1. 2

                I agree that adding this type of complexity is wrong in a security context. However, what type of impact will this have on LibreSSL? Will this restrict adoption of a more secure framework? Will Government groups just throw up their hands and go back to OpenSSL? Will open source be banned from .mil networks because it no longer fully conforms to regulations?

                I think Mozilla’s NSS is FIPS compliant so that is one option for software creators. What are the downsides to using NSS instead of LibreSSL? If NSS is a viable platform, why not just put the LibreSSL effort into helping the NSS project?

                1. 3

                  (1) lots of software expects the openssl api (2) if libressl can kill openssl then they can use the leverage of a monopoly position to change things.

                  i think the second point is what is most interesting here. openssl actually did a reasonably good job with the resources they had. they made compromises, for sure, but those compromises also helped (as you argue) make secure(ish) software more widely available. it seems to me that the biggest criticism of the openssl folks is not technical, but tactical. they didn’t recognise that they had got to a point where they had the strength to push back. to make changes. to fix the crap. and that is what is so good about libressl. it’s not the grandstanding and egos. it’s the idea that once you are popular you have power (and the moral duty to use it). you can (and should) push back.

                  you see this at work every day in the small. as a developer you have to know when to cut corners and when to claw back the debt. bad developers either never fix the compromises or never ship. good developers do both.

                  1. 1

                    I don’t think the problem is that they didn’t push back; I think the problem is that they didn’t take responsibility for making OpenSSL secure, even in the absence of anything they’d need to push back against, and it’s not clear at this point that using OpenSSL in the last couple of years actually made things more secure than just sending stuff over the network in plaintext. Depends on your threat model, probably.

                    1. 1

                      oh come on, you’re saying (excepting the long words) i may as well have done all my banking over http? if you really believe that then i think we’re on such different planets that communication is likely impossible.

                      (or you’re saying that you’re smart enough to invent a threat model where you’re right; i don’t doubt that for a minute, but surely we should weight by something reasonable…)

                      1. 2

                        If the people who want to rob your bank account knew about Heartbleed but weren’t able to route your traffic through their sniffers, then unencrypted HTTP would have been better than using OpenSSL on your bank’s servers. Now, some adversaries were in fact in that position, while others were in the opposite position (e.g. the Great Firewall of China, assuming China didn’t know about Heartbleed), and the vast majority are irrelevant to this discussion because they could neither sniff nor bleed.

                        The question is, how do we weight the small number of relevant adversaries reasonably?

                        From my perspective, there are things more important than your bank account: for example, protecting political dissidents and victims of human-rights abuses, in their communications with Wikipedia and Wordpress and journalists, from snooping by the police and intelligence agencies operated by their oppressors. So I weight “possible people who found Heartbleed early” more highly than “people who sniffed plaintext transactions”, but I recognize that this weighting is arguable.

                        That’s why I said “it’s not clear that…OpenSSL…made things more secure…than plaintext…depends on your threat model” rather than “OpenSSL was less secure than plaintext”.

                        I know:

                        • one person currently jailed by a dictatorship (for the Nth time) for his political activism,
                        • one person who fled the US to escape persecution for his political activities,
                        • one person who committed suicide to escape obscenely overzealous prosecution for his political activities,
                        • a group of people whose phones were apparently tapped 24/7 in case they knew something about a criminal conspiracy,
                        • a person who was forced to explain hundreds of his vacation photos from India to a CBP agent,
                        • a person who was kidnapped by US CBP and sent to Syria to be tortured for several months in case he was a terrorist,
                        • and any number of people who have been kidnapped or raped by the police;

                        and

                        • I’ve had my ATM card cloned, and
                        • a friend of mine lost thousands of euros from her bank account to an apparent theft of credentials.

                        Rightly or wrongly, the differing magnitudes of these experiences inform my weighting of the risks.

                        As my friend Brandon Harris wrote on Facebook:

                        Consider this scenario: the Chinese government breaks Heartbleed. They then use it against Wikipedia to get the passwords of administrators with CheckUser privileges. They can then use those accounts to discover the identity and location of Chinese dissidents who are editing Wikipedia “illegally”. And then find them. And execute them.

                        He was talking about Chinese dissidents inside China, for which one might think they would also be able to snoop using the Golden Shield — but presumably if OpenSSL didn’t exist, they’d be using some non-SSL VPN protocol (PPTP?) to access Wikipedia just in order to be able to edit controversial pages at all. And Heartbleed also allows them to hunt down Chinese dissidents outside China.

                  2. 2

                    https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/FIPS_Mode_-_an_explanation

                    The whole thing is a crock of shit. You’re allowed to use Firefox, but only if you promise to use it in the right mode. That mode happens to require you to log in (to the browser!) before you can view https sites. Like Lobsters.

                    I wonder what happens if you turn off FIPS mode. Are you fired? Can you be sent to prison? Do you get put on the terrorist no fly list?

                    To the extent that FIPS mode is runtime configurable, and you can just lie about enabling it, nothing stops you from using libressl and telling anybody who asks that it’s FIPS validated. Unsure what dire lifestyle consequences that will have for you.

                    Honestly, I don’t care if the military can use OpenBSD or not. I’d like for them to use it, but this is about their rules, not mine. It’s their process that’s wrong. (Or rather, I actually do care. But they need to move out of the stone age and this “how do we know that we know what we know about the product we just bought” mentality.)

                  1. 1

                    This is cool, but is Acid2 really valid anymore? In fact are any of the Acid tests really used anymore?

                    1. 9

                      They’ve not been used in a long time purely because all modern browsers pass them, but they’re completely logical to use for developing a new rendering engine from scratch, which happens to be exactly what the Servo team is doing.

                      1. 1

                        Just as one wouldn’t judge a child on what his first words were, Servo cannot be judged on what tests it can pass in the months or years before being released to the public.

                      1. 8

                        Speaking as someone who bills and performs as a “Full-stack” developer who tends to end up doing a lot of Devops, there is some truth, and some falsehood to this article. I can’t give scientific data, but in my experience I will say I wear a lot of hats – I work in a team making the slow transition from a waterfall-style to agile methods, so I end up being the de facto agile coach. We’re making a transition to using Ruby, replacing Java. As the guy with the Ruby experience, I’m the de facto (and to some extent de jure) Ruby coach. I’m the liaison to the IT/Ops department, and a primary mover in the ‘script all the things’ department. It’s true, I don’t get to do anything for a long time, I would say that I’m a jack-of-all-trades, and though I would say I’m not a master-of-none, I wouldn’t say that I’m nearly as masterful as I could be, because of my split focus.

                        The falsehood here, or at least the fallacy – is the assumption that being a jack-of-all-trades is bad. Every team needs masters, but it also needs people who can effectively play the field. I’m the sweeper (like the soccer position), I’m the guy who runs all over the field to apply the extra oomph needed to get something done. We have a ton of very smart developers on our team, and each have mastery over different parts of a large and complex codebase. The problem is load balancing – new requirements affect different parts of the codebase, and having few masters covering each section, the workload spikes for different people at different times. It’s my job to help pick up the slack and make their jobs easier.

                        Is it true that it leads to burnout? Sure, but so does mastery – burnout isn’t caused by a kind or variety of work, it’s caused by a large quantity of work applied constantly. Without someone to help balance the load, the few people who work in a specific area will burn out. Rather, allowing the so-called ‘full-stack’ developer to jump in and help minimizes the burnout for everyone, including me.

                        Burnout, furthermore, is not something that can be avoided by less variety – indeed, I’ve found that it’s precisely the opposite, more variety keeps the work interesting, free from drudgery, and that helps to mitigate the effects of burnout.

                        Burnout can’t be ‘solved’ by simply focusing on less or more variety, it can’t be solved by any one person on the team, it has to be a collaborative effort. Your managers need to recognize burnout and react to it, your teammates have to come to support your efforts when your workload spikes, you need to concentrate on keeping the machine working smoothly via the use of automation and good working standards. That is to say, avoiding burnout is a team effort; software development is a team sport.

                        Like any good team, not everyone can play the sweeper, or the goalie, or whatever. Everyone plays different positions and building a good team doesn’t mean hiring a bunch of sweepers, it means understanding how the different specialties of each team member will interact and produce the most value at the lowest cost – both monetary and personal.

                        In short, I don’t agree that DevOps is killing me personally, nor do I agree that it kills developers in general; but since I have no evidence, you have only my word for that – and since OP has no evidence, you’ve only his word too.

                        1. 1

                          I agree with everything you said. I consider myself a “full-stack” developer and I love it. We recently moved a medium sized property to AWS and I’m having a ball reworking things to operate in the cloud.

                          Am I good at writing code? Sure, but I’m not the best programmer out there. Is my SQL passable? Yup, but there are plenty of others that are better than me. Can I design an API? Absolutely, but it won’t be perfect on the first try. However, I can do all of those things (and more) much better than most people. I’ve spent years studying networking, database schema design, programming languages/patterns, deployment systems, hardware, messaging protocols, and a thousand other things that make a complete system work and I’m not burnt out yet.

                          There are new things constantly being developed that excite me and make me yearn for the future. In the beginning of my career it was client/server GUI programming (Powerbuilder). Several years later it was large EAI systems, then it was building RESTful interfaces, then cloud services came on the scene. The future holds other exciting things like modular deployment (docker, linux containers) and mobile development. I can even see “gaming” technologies making inroads to my development process. Things like Oculus Rift and Leap Motion might change the way we build software and/or manage resources. Can you imagine deploying new code by picking it up out of a Github repo and dropping it onto AWS?

                          The point is that being a “full-stack” developer gives me the freedom to move quickly and do something different every day. Sure I can’t concentrate all my energies into becoming a guru DBA or rock star programmer, but I think the tradeoff is well worth it.

                        1. 5

                          As an employee of Amazon, which is probably the biggest offender when it comes to making developers perform ops roles, I’d like to explain the reasoning behind the decision.

                          Making engineering teams responsible for managing their code in production gives engineers an incentive to write code that is fault-tolerant and easy to deploy. You are less likely to write code that may cause issues in production and shove the problems off to the ops team if you are also on the ops team. Being a developer also helps you perform the ops tasks better, since you have worked on the codebase and are therefore more likely to find the root cause of problems. Also, issues discovered while working operations drive improvements to the software to mitigate those issues.

                          1. 3

                            I’m a developer that has been on teams where developers were not allowed to touch production systems, and it is absolute hell. Do I want to touch production systems all the time? No. Do I sometimes need to get onto a production system and look at something (logs, memory usage, etc.)? Yes.

                            In my experience barring a developer from production systems gives them license to create things that are less supportable. We would build stuff and throw it over the wall; if there was a problem with something, it wasn’t my concern. I could prove that it worked in dev and QA, but since I couldn’t see production, I couldn’t help. That was a toxic environment and I’m glad I’m no longer subjected to it.

                          1. 1

                            This is yet another reason I like using frameworks when possible. Someone else is (almost) always looking to upgrade it for me, for free. :)

                            1. 3

                              I can’t imagine why a fundamental piece of the Internet’s infrastructure is so poorly written. Even passing the source code through a code formatter would make it 10x easier to read and support. Is everyone that afraid of touching crypto code that they won’t even fix the most minor “problem”? Is the test coverage not good enough to permit code cleanup? If I had any ‘C’ proficiency at all I would give it a go, but would the changes of an “outsider” be accepted?