-
diff:
1. Do you use source control? -2. Can you make a build in one step? +2. Can you build and deploy your software in one step? -3. Do you make daily builds? +3. Do you build on every commit? 4. Do you have a bug database? 5. Do you fix bugs before writing new code? -6. Do have an up-to-date schedule? +6. Do you measure your progress in terms of value delivered? -7. Do you have a spec? +7. Do you have a runnable spec? -8. Do programmers have quiet working conditions? +8. Does your environment foster collaboration? 9. Do you use the best tools money can buy? -10. Do you have testers? +10. Is testing everyone's responsibility? 11. Do new candidates write code during their interview? 12. Do you do hallway usability testing?-
I agree with the changes to (2) and (3).
The change to (7) seems to misunderstand what Joel originally meant by spec, which is a more thorough formal communication than at least the vast majority of automated specs or “BDD” implementations I’ve seen in the wild.
The changes to (6), (8) and (10) seem to be direct disagreements with Joel.
-
The change to 10 is incorrect. The best way to make sure that nobody is responsible for testing is to make everyone responsible for testing.
Few people I think have worked with a proper QA/testing group…if they had, they would not dismiss the utility of same so easily.
-
I see your point here, and I think I could have worded it better.
I’ve worked with (what I believe to be) an excellent testing group, however I stand by my claim that testing should be part of everyone’s role. That’s more of what I was thinking, and maybe that’s how I should have worded that one.
-
While I agree, I do think that having programmers write tests for their code is essential. Our current arrangement:
- Developer delivers feature to QA with specs (of the runnable variety)
- QA finds crazy bugs, the way that only QA people can.
- Developer duplicates and creates a regression spec, GOTO 1.
QA is invaluable in my opinion, especially for large systems with a good deal of ins and outs. In my experience, the developer (i.e. me) is not always able to see the edge cases. At the same time, having regressions and specs and programmers writing their own tests also ensures that QA isn’t finding the same bug repeatedly.
-
A good QA group can definitely be beneficial, but they need to be supplemental not the main test effort. It’s easy to make everyone responsible for testing with policy. Landing new code without a functional test? Fixing a bug without a regression test? Your patch doesn’t get past review.
-
-
-
-
Quality Assurance is a reporting organization.
Their job is to provide evidence that the quality of the product is understood, and to predict how the product will perform when it is deployed, so that the business can make an informed decision on when to release product. Their performance is measured by the strength of that evidence and the accuracy of that prediction.
As such, a QA team is responsible for checking that software matches its requirements, and that those requirements make sense. The QA team provides oversight for both the development and product management teams, and is the third side of the DEV-PM-QA product development structure.
QA is NOT the same thing as “making certain the product works”- that would be Quality Ensurance. If what you have is a group of engineers who are measured by defects found over time, then you have a QE team. You might still ship software, but your developers and testers are likely at odds with each other all the time. Do QA and Dev hate each other? You’ve probably confused QA with QE.
QA is certainly NOT there to provide a group of scapegoats to take the blame when bugs happen in the field- that would be Quality Insurance. If you think your QA / test people are somehow lower on the ‘old totem pole, and its their fault if crummy product ships, then what you have is a QI team. Does the shit hit the fan every time software ships, and it never gets any better? You’ve probably confused QA with QI.
-
-
-
-
-
-
-
-
-
olivier
1 year ago
|
link
| on:
400,000 GitHub repositories, 1 billion files, 14 terabytes of code: Spaces or Tabs?
I frankly don’t get why people insist on spaces. Please, someone, enlighten me. Please. I wanna understand why a single resizeable character is inferior to a small pile of unresizeable ones.
-
- tabs (and all other invisible characters, see dos2unix) have consistently proven to be difficult-to-understand and error-prone among computer users
- resizing is easy in an environment you’re familiar with, but in practice people often operate in environments that they are unfamiliar with, so the lowest common denominator (i.e. what I can do without thinking in Notepad.exe) wins.
-
The biggest problem is that they get mixed inadvertently. Go has shown that a program can actually fix it. As a result, my editor reads tabs, I often type spaces, and gofmt makes it standard tabs on save. This is legitimately the best feature of the Go tool chain.
Years ago when I programmed in Python, there would always be that one committer who would insist on tabs, or use 3 spaces instead of 4 in some places, and all hell would break loose in the commit history–annoying, but not the end of the world. The shameful person, btw, didn’t do the cleanup, cause they didn’t give a shit.
In summary, this is the least of our problems and can be automated incredibly effectively if it means enough to you, but if not, who cares?
-
Nowadays, tooling has improved in Python, too. You can also use tools like autopep8 or yapf (https://github.com/google/yapf) to autoformat Python code (yes, that is a thing ;) )
-
-
-
The problem is the assumption that allowing it to be resized is even desirable in the first place. If you are working on a specific codebase, you need to stick with the style that the codebase dictates. Imagine if people thought it was a good idea to allow “flexible brace styles” to let you use your preference. Why must indentation be different?
If you want the code to be displayed differently according to your preference, it should be implemented as a rendering-time hack (for instance, showing “lambda” as “λ”, etc) rather than changing the actual bytes on disk. Rendering 4 spaces on disk as 8 spaces on screen is a trivial config change in any decent editor.
-
Some languages are whitespace sensitive and a tab doesn’t always represent the same number of characters so making everything done with spaces is the simple, easy way out when dealing with vertical alignment. Gofmt does vertical alignment pretty nicely and it works well across different editors and even with doublewidth characters involved etc but most developers don’t like using a formatting tool outside of what its editor does on its own and most languages don’t even have an agreed upon format so there lacks formatters for those languages, because adoption would stumble.
-
-
In order to allow tab characters in your code, you have to disallow certain coding styles to prevent misalignment when tab sizes change. It’s much easier to simply disallow all tab characters, especially as the team size increases.
-
-
That’s the trick about a lot of the modern languages…I just don’t know of any that I expect to be around for 50 years. So far only Fortan, Cobol, and C seem to hold that staying power. And MUMPS, for some godforsaken reason.
Java was looking good, but with Oracle and the J2EE thing going down, maybe not. JS, Ruby, Python? Hell no.
-
-
Lisp is 58. There will be Perl and TCL scripts around until cockroaches conquer the world, and I’m quite certain a few Rails 2.0 apps will still be puttering along for at least the next few decades, to say nothing of frankenstein upgrades of Struts and other Java frameworks.
Things that are “old” in the computing world are still around not only because they are still useful, but because change is difficult.
-
-
-
common lisp
all the common lispers were purged by the believers of the One True LISP. Even knowledge of the false LISP is forbidden, how would you know of such thing?
-
-
-
Sure, sure, but that’s exactly the point, right?
All those languages had commercial support and customers that were willing to keep burning money to keep them alive. I’m not sure any of the modern languages have the same. A lot of academic languages–good languages!–died out and were supplanted. Python might well end up being Pascal, while COBOL trundles on.
-
-
I disagree. Once a programming language is popular enough, it’s basically around forever.
In 50 years JS, Ruby, and Python will be in the same position as Cobol today. Nothing new and exciting going on, but there will be plenty of big systems that work well enough that are too big and expensive and risky to replace, but require maintenance and upkeep.
-
-
So basically, you already run code you personally never reviewed or tested, HTTPS is enough, our script is good, we will continue to recommend this install method.
Gotcha.
compared to maintaining (and testing) half a dozen package formats for different distros.
Again with that bullshit. Let. Packagers. Do. Their. Jobs.
-
compared to maintaining (and testing) half a dozen package formats for different distros.
Again with that bullshit. Let. Packagers. Do. Their. Jobs.
I’m torn on this. On the one hand, yes. Having 3rd party packagers is great for pretty much everyone and ideally f/oss software organizations should maintain and license their software so that repackaging is possible.
The problem with this view is that user maintained packages lag upstream, often by quite a lot, and as an engineering org having lagging user packages means having to deal with innocent users who are stuck with fixed bugs. See a classic rant on this from jwz.
So yes. By all means I want package managers (or
/optmonodir installs) so I can uninstall your software eventually and update it sanely along with everything else, but really that means that the developing org does have to take on packaging responsibilities or else pay the costs associated with not taking them on. For all that I dislikecurl | bash, it definitely seems to be a local optimum.Disclaimer: this is my view as a user, I’ve never participated in the community as a (re)packager or distributing an original package except in publishing Maven artifacts which don’t require repackaging and thus don’t count.
-
Again with that bullshit. Let. Packagers. Do. Their. Jobs.
I certainly agree with letting packagers do their jobs. However, it seems many users see this as the project’s responsibility, rather than the distribution’s. I read this part of the post as being about that sentiment.
-
From the perspective of a young project trying to gain traction, taking on this responsibility can noticeably help with uptake. Unfortunately, individual projects - even very large ones, like languages - are not in a great position to make things work smoothly at the scale of an entire distribution. (I’d count Linux distributions and also things like Homebrew as basically the same sort of thing, here.)
I think the ideal is for projects to keep offering these “fast start” setups, but recognize that they are not going to be the long-term solution, nor the solution for everybody.
I wish they would at least encourage users to even think about the security implications, but focusing on that aspect isn’t the heart of why this keeps happening.
-
As an (occasional, part time) packager, the ideal would be to get some frozen version of the uptream release (or a reference to same) that I can transform into the package. A magic button I can press whenever I like to get the latest version at that time does not meet that need.
If a young project wants to get into distros (I don’t know whether that’s the kind of traction you’re thinking of, if not then obviously disregard) I’d suggest that’s what they should be thinking about doing, and the curl|sh should be a wrapper over that
-
I was mostly thinking in terms of mindshare - users and contributors. I think a lot of developers don’t necessarily think of distros as part of their plan at all. That’s exactly what I wish were different. :)
It makes a lot of sense, now that you say it, that getting a frozen version is the biggest need there.
-
-
-
-
This has come up before - https://lobste.rs/s/ejptah/curl_sh
I still haven’t seen a strong argument against this mode of installation, but I still hear a lot of “you’re doing it wrong” anger. I’d be very interested in a cogent argument (comment or link pointer) about why this is bad, as it feels to me like the culture has been shifting in the direction of curl | sh
Shell-based installations for people who want to run the “arbitrary” code from the developers doesn’t prevent you from using packages and dependency management. What’s the problem here?
-
Often times these scripts are targeted at give OSs (often the big 3, which excludes things like NixOS, OpenBSD, FreeBSD… etc), or more commonly, send flags to commands that aren’t available on all systems (
sedon OpenBSD for example, was missing-iup until recently).These missing flags can be disastrous. No one ever writes scripts to handle errors that pop up from missing flags. The result of which can be clobbered files, removed /’s.. or really anything..
-
-
If the connection fails during the middle of the script download, whatever has been downloaded will already have been executed. Imagine if you’re on a system that doesn’t utilize the –no-preserve-root option to rm, and the script called for
rm -rf /some/directory/here, but the connection terminated atrm -rf /, your system would be hosed.There’s no way to audit that what was performed during one
curl | bashinstance will be the same thing performed in another instance, even if done only seconds later. There’s no way to audit what exactly was done without taking a forensic image of the system beforehand.Simply relying on HTTPS for security doesn’t protect against all threat actors. Certain actors can, and have in the past, performed man-in-the-middle attacks against SSL/TLS encrypted connections. There are companies like Blue Coat, who provide firewall and IPS appliances, and who also are CAs and can perform man-in-the-middle attacks of every SSL/TLS connection for those sitting behind its appliances. This can also be done in any enterprise setting where the client has a corporate CA cert installed and the corporate firewall can do SSL/TLS inspection. Often times, the private key material for the corporate CA certificates are stored insecurely.
The same holds true, and is especially grievous, when the installation instructions say to use
curl | sudo bash.No, thank you. I’ll stick to my package manager that keeps track of not only every single file that is placed on the filesystem, but the corresponding hashes.
edit[0]: Fix typo
-
connection fails
TFA addresses this.
audit
Download the script and look at it. If you have reason to believe that the upstream is gonna serve you something malicious on subsequent installs, then you should audit the entire source you are installing, not just the installer.
HTTPS
If you don’t already have the package in your distro’s repositories, then you will need to use HTTPS or a similar mechanism to download it. There is no way to verify it against a hash either, because you will need to use HTTPS or a similar mechanism to download the hash. I’m sure there are more reliable (and exotic) ways of bootstrapping trust but in practice nobody will use them.
This also has nothing to do with curl | bash in particular; this attack applies to, say, downloading a tarball of the source and ./configure && make && make install.
-
This is what I love about FreeBSD’s ports tree: it solves all of what you just brought up. Each port entry (like www/chromium) already contains a list of hashes for all files it needs to download. Additionally, when using the binary package repo, the repo is cryptographically signed and the public key material is already on my system. No need for HTTPS in the slightest.
-
I don’t disagree with you here, using packages with your distro is preferable to curl | sh when the option is available. I see curl | sh as a convenient way of performing an installation when that option is not available. There is a lot of paranoia over curl | sh though that would lead one to believe that is more insecure than other forms of non-package installation, and I think having an article that counters these misconceptions is valuable.
-
-
-
If the connection fails during the middle of the script download, whatever has been downloaded will already have been executed. Imagine if you’re on a system that doesn’t utilize the –no-preserve-root option to rm, and the script called for rm -rf /some/directory/here, but the connection terminated at rm -rf /, your system would be hosed.
The sandstorm script is specifically designed to avoid that failure case:
# We wrap the entire script in a big function which we only call at the very end, in order to # protect against the possibility of the connection dying mid-script. This protects us against # the problem described in this blog post: # http://blog.existentialize.com/dont-pipe-to-your-shell.html _() { set -euo pipefail
-
-
-
-
Oh wow, let’s see:
- Running arbitrary code that is probably in no way tested with your distro, unless you’re running something very popular. So it can pretty easily mess something up if used on a system where there is something the authors of the script did not expect.
- If it does fail in some unexpected way, cleanup can become a nasty issue.
- There is no clear uninstall procedure. You can’t just pacman -R the thing.
Basically it’s the same reasons why you shouldn’t just blindly do make install from source, only there are no DESTDIR and PREFIX.
-
I see where you’re coming from now.
I think one of the drivers for people not considering those reasons (with server-side software, anyway) is that while package management tries to solve the issues you’ve identified, it hasn’t been particularly successful or reliable. A common solution which does work is to use installers and shell scripts to build an image and replace the whole system when you need to upgrade/downgrade/cleanup/uninstall – this is perfectly compatible with sandstorm’s position.
In this case the end user is responsible for their system and its administration (which is exactly what every license says anyway). The idea that people should only install things provided by their distro feels a bit paternalistic/outmoded.
-
You seem to think that my position is “install from packages or else”. No. There is a plethora of valid approaches to administering your system. My problem is that Sandstorm are recommending end users do something that can pretty easily shoot their foot off and then defend it with hand-waving and and arguing with paranoid strawmen.
I’d really have no problem if they’d even mention at some point in their install instructions something like “or look in your distro repos, it might be packaged already, yay!”, but no. They specifically ignore distro repositories altogether.
That and they recommend building from HEAD despite even having regular tagged releases, which is also a small red flag for me.
UPD: To be clear, this is very relevant:
In this case the end user is responsible for their system and its administration
They deliberately recommend an installation method that requires the user to really know what they are doing. That can be valid, just not as the default option. Recommending such a volatile approach as the default install method for end users is at the very least irresponsible.
-
-
-
-
-
The only real argument I read against
curl|shis the one regarding network issues. let’s say the script you’recurling include a line as:CONFDIR=".coolsoft" rm -fr $HOME/$CONFDIR/tmpAnd
curlget aconnection resetright after the first ‘/’, you’ll loose your whole$HOME. I do agree that there are way to prevent this kind of things to happen, by using “guideline”, “best practice”, “defensive programming” or whatever, but if you don’t read the script you’re pipingi.tosh, this is something that can happen to you.Another grief against this method is that sometimes, the devs ask you to run
curl | sudo shBut that’s a different topic
-
I’d be very interested in a cogent argument (comment or link pointer) about why this is bad
This reddit link and discussion cover some of the evil possibilities.
-
-
Again with that bullshit. Let. Packagers. Do. Their. Jobs.
“Software should only be distributed through official distro channels” (the only consistent interpretation I can find of your statement) is far from universally held idea, so I’d expect an opinion stated this forcefully to come with some reasoning.
-
-
Their “own damn choice” was to sidestep the distro packages thing and create a shell script installer. You appear to have an issue with that, since you called it “bullshit.” I doubt Sandstorm cares if others package their software differently (packagers can Do. Their. Jobs!), since it is Apache licensed. What exactly is your objection?
-
Wait what. It’s a simple case of a false dichotomy. Look. They are saying that they only have two choices, and two choices only: an installer script that you pipie into your shell or building and testing half a dozen packages. Like someone is forcing them to. It’s pretty obvious hand-waving.
Those are not the only two possible choices for the project. They know it, you know it, I know it. Don’t get caught on a simple fallacy.
Sure, no one stops packages from packaging the thing. But they are telling users to bypass the repos. That’s not helping.
-
Where in the article are they telling people to bypass the repos? In fact they even say
However, once Sandstorm reaches a stable release, we fully intend to offer more traditional packaging choices as well.
Also, I am confused to what any of this has to do with whether curl | bash is secure or not.
-
Also, I am confused to what any of this has to do with whether curl | bash is secure or not.
That’s the hand-waving part. They’ve mentioned the packaging issue for no reason other than confuse you even more, which is why I initially said it was bullshit. No one is forcing them to build packages for all or even all major distros, but they go out of their way to use it as an argument for… what exactly?
-
What irks me about this discussion is that if sandstorm.io had provided a URL for a Debian/RPM repository no one would bat an eye. And yet those packages would be just as “arbitrary” as this shell script, and certainly harder for to read for those inclined to do so.
I’m all for using distro-provided packages - but let’s acknowledge that installing third-party software depends on some combination of trust and technical know-how, and
curldoesn’t measurably change the quantities.-
And yet those packages would be just as “arbitrary” as this shell script, and certainly harder for to read for those inclined to do so.
I actually agree. A package built by the distro for the distro is at the very least tested and signed by people with at least some track record. I’m almost as much against devs providing their own packages as the main way of installing their shit because my distro’s maintainer would almost always do a better job of making sure the package works and is consistent with the distro’s guidelines. In short: a package from the repos has a much smaller chance of surprising me.
It’s just that a script is even worse because packages you build for distros, and even if you don’t know the distro as well, you will probably at least superficially test the package on the target distro. A script is supposed to be run by whoever on whatever system out there, which has so many ways to fail.
-
-
-
-
-
-
-
-
-
-
-
[Comment removed by author]
-
-
a) linux only, b) 64bit only, c) includes shellcode in the shell script it runs, d) sets scary sysctls, e) sets dev-mode by default, g) is hella interactive
a, b: These have nothing to do with whether curl | bash is secure.
c: Trusting an upstream to provide you a safe program but not a safe installer is security theater.
d, e, g: Probably bad, but doesn’t have anything to do with curl | bash in particular.
-
-
I deeply dislike how both this and SemVer 2.0 require that characters in the string must be ASCII-only.
It’s the 21st century folks; how is it we are still so tied to ASCII?
-
-
e.g., the use of an actual
αinstead ofa. Or, for example, non-arabic numerals for those not programming in English-speaking countries.-
Do you have a set of Unicode category properties you’d like to see? Might make for a nice PR.
-
The language of commerce was once Arabic, the language of Chemistry German, of fields of mathematics Russian…I think it’s only reasonable that the language of software development be English.
-
-
The optional metadata in the spec allows more than digits and hyphens and full stops. Consider the ‘unstable’ in 0.9+unstable. Requiring the appended identifier to be ASCII-only is needlessly restrictive to non-ASCII-based languages. UTF-8 has solved this problem well (since 1993) and sorts just as easily lexicographically.
-
-
Because both this and SemVer are designed to provide reliable information to automated systems, simpler systems tend to be more reliable, and a good way to limit implementation complexity is to limit the complexity of the inputs the system must process.
ASCII has the advantage of being very simple, widely implemented, and broadly compatible with non-ASCII systems, so it’s an excellent choice for machine-readable data.
-
-
flyingfisch
edited
2 years ago
|
link
| on:
On the unreasonable reality of “junior” developer interviews
Question to lobste.rs here: Is it necessary for a Ruby developer to know how to implement a linked list at all?
To me that sounds like a weird thing to test for in an application developer since practically all application languages have their own list object.
-
Actually, I have an interesting data point there. I just had a friend join me at Google, after they’d spent more than a decade at a large defense contractor well-known for both software and hardware. Google’s interviews are famous for involving algorithm questions - slightly more complicated than linked-list implementation, but it would be hard to pass them without knowing it as background knowledge. The other company’s are not.
According to my friend, many of the highly productive programmers they know from the other company will cheerfully talk about how glad they are to leave their undergrad algorithms courses in the past and forget everything from them. Googlers… have a contrasting attitude, which was a large factor in coming here for this friend, and for myself.
My conclusion is that whether data structures and algorithms knowledge is important to programmers depends on the nature of the work, and is also a culture question. It would be a surprise here to meet a coworker who wasn’t at least interested in discussing algorithms topics, even though they are only occasionally of direct importance.
-
Depends on the work you’re doing. Plenty of developers can do their jobs perfectly well without understanding fundamental data structures.
It would seem impossible to do effective performance analysis & many other tasks without understanding how basic data structures & algorithms work, though.
-
-
Depends wildly on what you mean by successful, and what you’re working on in the day to day. Does seem like a waste of money to take a bunch of algorithms/programming classes and still be unable to implement a linked list.
-
There’s an implicit assumption here that the primary goal of a college education is to be marketable. For many I would imagine that becoming marketable is not in fact their primary goal, and is superceded by things ranging from fulfilling the desires of some real or imagined societal or familial pressure, to broadening their cultural and intellectual horizons through interaction with people of varying backgrounds and fields. That’s not to say that being marketable isn’t important (I think it is quite important for long term happiness, as much as we’d like to imagine we can all be happy making low wages working with a non-marketable degree), but that we in professional STEM fields may overestimate the degree to which others value the marketability of their degree.
-
-
-
-
It’s important to know how it’s implemented, so that in the event you find yourself using one (even if it’s fundamental as in erlang or in a stdlib somewhere), you understand its characteristics. Actually performing the implementation is, however, as you say, utterly pointless now, just like implementing any sort or any tree.
-
I think its also important to know from a communication perspective. When I’m working with other developers I expect some basic fluency with the fundamental data structures and algorithms. I wouldn’t expect someone to implement a linked list but I would expect them to understand when the business problem can be well modeled like a linked list or tree and be able to communicate the idea using those terms.
Writing a simple version of either is a easy way to demonstrate that understanding.
-
I don’t know about ‘utterly pointless’ – understanding how different trees or sorts are implemented is valuable in recognizing other datastructures you have to build that are near-copies. It’s perhaps not super relevant to CRUD-building, but if you’re doing anything nontrivial behind that CRUD (for instance, many of the applications I’ve worked on have had very nontrivial business layers, involving stuff like decision support trees, etc). Understanding how to structure those trees effectively relied heavily on my understanding of abstract datastructures.
I’m certainly not saying it’s the most important thing, but ‘utterly pointless’ is maybe a bit overzealous. This goes for things like knowing how to implement depth-first vs. breadth-first search, too – or understanding the complexity of a custom merge-and-balance operation vs. implementing a self-balancing tree (the aforementioned decision support tree program involved a fair amount of theory in how to effectively implement, whether via a M&B approach, or an online/self-balanced approach).
-
I agree you need to know how to use trees, and communicate about their use; and that some stdlibs don’t have exactly the right tree types for every possible use case. But the context here is what questions you’d ask in a developer interview. Asking for a de novo implementation of an online red-black tree implementation merely tests whether the interviewee has recently completed an algorithms course in college.
-
-
-
-
As just one data point, I am a Ruby programmer of 4 years now and I do not know how to implement a linked list.
-
That’s awesome. I bet there are a very large number of python and php programmers who have the same experience, and i bet most of you folks can go to your graves with fulfilling careers and lives without that ever being an issue. All of those languages are mutable and strongly prefer arrays and hash tables/dictionaries over linked lists anyway in their stdlibs.
-
-
If the answer is “no”, should they know how to implement anything? On the other hand, it seems really strange they asked for it to be implemented in Java.
I wouldn’t expect them to know all the details off the top of their head, but it’s not a very difficult problem at all. Even if they’ve never heard of linked lists before, they should be able to code it up once they know it’s a series of linked nodes. It’s not like they’re asking for some exotic balanced tree with tons of pointer juggling.
That said, 30 minutes to implement the whole List
API for a junior developer is a little tight. Hearing it was 25 public methods sounded unreasonable, but looking at the docs, most of them are just wrappers around some variation of a while(…) loop, so it ends up not being too bad. If I had to use it as an interview question I’d probably bump it up to 60 or 90 minutes, though. I’d be interested in seeing the code the author and his co-workers came up with. 6 hours seems like a really long time to not get the whole thing working.
-
-
Or use cut.
# Only display 80 columns: grep whatever myfile | cut -c 1-80-
Ignoring the 2edgy schtick below, there is a good point to be made about learning the tools we have.
I watched a pretty good developer write ~50-75 lines of C# to iterate through all files in a directory, open only those ending in .XML, and change
<foo>bar</foo>to<foo>baz</foo>. This took him about 15 minutes, between reading the manual (was String.Replace needle, haystack or haystack, needle…), testing it, etc. He was stunned when I showed him that the Cygwin shell on his Windows box let him do this in literally one line.I also remember being schooled by an old UNIX-head who, after seeing my hand-rolled Ruby based data transformer, proceeded to bang out one that was faster, more robust, and probably a tenth of the code with judicious use of
paste,cut,trandsed.There’s nothing wrong with reimplementing a tool for the purposes of learning, for sure - but I think lots of people could benefit from digging in to the tools we’ve got at hand and learning them well before writing something new.
-
I went through a period of using the traditional Unix tools for as much as possible, and while I still have a soft spot for them, I’ve found myself not really using them much anymore for new projects, for a few reasons:
The base set of standard and quasi-standard tools has some really awkward omissions. Something like Google’s crush-tools can fill some of the holes, but the base Unix set doesn’t really come “batteries included”.
Too much data copying through pipes can sometimes cause poor performance (though it depends a lot on what you’re doing). You can sometimes spend all your time just pushing terabytes of data through pipes. This is exacerbated if you end up having to make diamond-shape flows in your pipeline with
teeandpaste/jointo get the desired semantics, or else have to insertsortandreversein various places to munge data in the way a subsequent call wants. Especially common if you don’t use something like crush-tools and insist in sticking to base POSIX functionality, but it ends up sometimes necessary even with the addition of niceties likefuniq.Base performance is often not great, unless you’re comparing to something really slow. I’ve even found Perl to be faster than the awk/sed/tr combination for many things, and Perl isn’t really a speed king. Also, performance varies hugely between implementations and platforms, which adds another annoyance if you run stuff on more than one platform: your stuff can speed up or slow down by 10x because you moved from GNU/Linux to FreeBSD or vice versa. This is all especially bad if you want Unicode support. If you don’t, the LC_ALL=C hack can often make things more reasonable.
Entirely subjective, but once you get past one-liners, I find the scripts and pipeline chains more difficult to read and maintain than a program where you get actual data structures. I have to have comments everywhere reminding myself that at a particular point in the pipeline, the data is sorted numerically by column 3, and by the way what’s in columns 1, 2, and 4 here anyway? When we
pastesome things that had to beteed for separate processing, are we sure that the two sides of thepasteare sorted the same way so we’re not making Frankenstein records? Etc.
Those are all of course less of a worry if you’re doing small-scale, one-off stuff though.
-
Indeed. That said, I believe using Cygwin on Windows to do regexp replace is no less an “anti-pattern” than using C#. Modern Windows ships with a robust shell (PowerShell) that can do such things easily. Additionally, for a good C# developer it gives access to the power of .net they already know and (maybe) love.
Installing a beast of a package to emulate an environment you are more comfortable with feels little better than using C#, and is suffering from the same problem of “not learning the right tool for the job {on the platform}”. For a long time I fought learning PowerShell because I am an old grumpy graybeard, but in the end I realized how ridiculous I was being – that would be like refusing to learn paste, cut, tr and sed on Linux. Being willfully ignorant or the tools your platform provides is silliness. So, I uninstalled my crutches on Windows and learned PowerShell – and now on a random Windows box – I have console tools I can use – no installations needed.
foreach ($file in (gci . *.xml -r)) { (gc $file.PSPath) | foreach { $_ -replace “<foo>bar</foo>”, “<foo>baz</foo>” } | sc $file.PSPath }
-
-
“Digging in to the tools we’ve got at hand” is literally a never-ending task, and you’d never build anything if you stopped to do that before writing something new.
I’m all for people getting familiar with the
/usr/binof their particular distribution, but let’s remember the significant variance of implementations of those “standard” tools between distributions… many developers like to idealize just how good/reliable/standard the unix toolset is.The thing I like about building things in shells / command-lines is that there’s absolutely nothing wrong with building a handy utility like the OP’s. And we needn’t dismiss it as a “learning project” - it’s working software - kudos to the author.
-
-
I was just about to write it. I can’t +1 your comment more. ^^ To completely replace “sll”, use:
cut -c 1-1024
Are people really this retarded not to come up with just using the tools provided by the system? Where have we gone? …
EDIT: I think this is just a troll. Let’s just move on. :P
-
kb is right that your tone is abusive and dismissive, even though your comment does contain a useful, if redundant with jlarocco’s comment, implementation of
sll. Your comments will be more welcome in the future if you leave out the personal abuse and name-calling (“Are people really this retarded”, “dirty bunch”, “Cultural Marxist”, “SJW’s”) and indirect personal abuse by implication (“Where have we gone?”, “Crying like a sissy”, “the glibc-devs…are scared of simple…interfaces”) and dismissal of people’s learning process as “just a troll”.Please don’t write such comments here any more. Instead, write better comments that don’t include personal abuse.
-
Good day FRIGN.
I’m glad to see /u/sin invited you to lobste.rs. I’ve gotten a lot of value out of suckless.org, and I appreciate being in the same community as a member of that site. Given how productive I’ve found suckless.org to be, I’m surprised by how unproductive you recent comments are here.
I’ve had the experience of searching for a piece of software, only to find some projects that sucks so bad they are fully expressed as a configuration switch somewhere else in my stack. Why would someone waste so much time writing useless garbage like that? Well, even I write useless garbage, and doing so was an incredible learning experience. On par with what I’ve learned browsing suckless.
You and I are both well aware that all software sucks, and all hardware sucks. It’s not what we’re here to debate. Please make this site better for your participation by improving the quality of your comments, as I’d love if you would continue to contribute to this site with us.
-
-
-
Hey, no, it’s not a troll. Just recognized a problem and wrote a solution for it. I added a section to the README where you can add your own implementation: https://github.com/kevinburke/sll#other-ways-to-implement-this
Don’t forget to call it “pointless” in your PR
-
-
-
“people telling people to execute arbitrary code over the network”
I’ll play devil’s advocate. :) Very nearly everyone executes arbitrary code over the network to some degree.
My knee-jerk reaction for a very long time was to be shocked and appalled by this practice. “What?! I have a carefully curated list stored inside my
apt-key!” – really? How’s your chain of trust? How many key-signing parties have you been to lately? Did you chroot that arbitrary code you pulled from github before you ran it?If the script is wrapped in https and the curl/wget/etc uses certificate trust, I’m not sure why this is bad. For those of us who care, we pull down the script and read it as we know how to, and then execute the script if we want to, understanding the security implications as best we know how (which is as good as anyone can do). For most people, it’s not significantly different than downloading an .exe or an OSX package or an rpm or a deb or whatever other ways people have decided to zip up bits.
Honest question, though - how is
curl https://xxx | shthis any worse than apt or yum or homebrew or pip or gem or InstallShield or whatever else? Almost every installation system I’ve ever met allows me to execute arbitrary code. The exceptions virtually always have security holes. What’s really being added by package management (to security) beyond TLS?edited to add: “I’m not sure why this is bad” should be replaced with “I’m not sure why this is worse than the previous norms”. I think there are tremendous opportunities for improving UX for security, and this is just one small example.
-
I’ve read about one problem with
curl | sh: ifcurlfails with an error in the middle of a download, the incomplete script is still sent toshto be executed. So a line “rm -rf /usr/bin/some-app” might be truncated into “rm -rf /”. The solution is to download the file completely first, and then run it withsh.However, this blog doesn’t look like it thinks failing downloads are the only problem with
curl | sh.-
You can mitigate this hazard by wrapping the “bulk” of the script in a function which is then executed at the very end of the file. Of course there’s no way of knowing whether an install script does this without inspecting it first anyway.
-
-
My knee-jerk reaction for a very long time was to be shocked and appalled by this practice. “What?! I have a carefully curated list stored inside my apt-key!” – really? How’s your chain of trust? How many key-signing parties have you been to lately? Did you chroot that arbitrary code you pulled from github before you ran it?
If you’re using vanilla Debian then one can’t become a packager without having had one’s key signed by a member of the project (which they’re at least supposed to check your identity against a government-issued ID before doing - certainly the two who signed my key did), and those packagers in turn are supposed to read the source/changes before packaging (which happens with a script they write, not something from upstream). No way to guarantee that they are, but that’s what signing off on it’s supposed to mean, and everyone I’ve known has taken their duties seriously.
-
-
-
Are any of these actually particularly common? I am graduating soon – are these behaviours I’m likely to run into in the general Silicon-Vally/software/tech company arena? (I’ve been lucky enough to work at great places for internships so far, and don’t think I’ve seen anything like these.)
-
It depends entirely on the company. The only real way to try and determine whether these things occur at a given company is to ask the people that work there questions to that effect. Really, the best way is to work there, but this is a solid second-place choice ;)
Questions to ask during the interview process to suss out details (by applicable question number):
- 2) What does the process for committing code look like? How effective is it/how often is it followed?
- 4) What’s your least-favorite project you’ve been on since you’ve started?
- 10) What kind of hardware do you develop on?
- 17) How well do you feel like you understand the company’s direction?
When spread out over several different interviewers (who likely aren’t communicating their specific answers between each other), you can start to get a good idea of what the people that work there really think about their company.
The interviewers probably won’t lie to you outright (would you?), but they may not tell the whole truth either. Asking a bunch of times gets you answers you can synthesize into a picture of the environment. If things sound too shady, or you can’t get a straight answer, passing on the job might be a good idea!
Edit: Asking these kinds of questions is always a good idea, as well. Not only does it get you a good idea about the company as a whole, but it marks you as somebody who’s actually thought about the kinds of things they’d like to see in a company. From first-hand experience as an interviewer, this makes a great impression!
-
There’s a little truth in all of them, but the ones I see most commonly are #1, #4, and #14.
-
As someone who is working in a start up, has worked in 2 previous start ups, several months at enterprise, one tremendous personal failure, and has friends in start ups around ~10-20 people that are vocal about the problems. I will say that you will encounter at least a few of these. A company that has all of these is a company you should leave immediately without question.
If you are planning to work in this wonderful profession (no sarcasm, this is a beautiful profession with the right people) for many years, be prepared to:
- Work for someone who won’t treat you the same way a recruiting document may suggest.
- Work for someone who has little to no understanding of software development.
- Work for someone who has little to no understanding of how to build a team.
- Be in a situation where the business is struggling and stress becomes a daily thing.
Also remember as you work, you change and develop new perspectives. You will also inevitably make mistakes and see a new side to people.
Ideally you never have to deal with any of these, and you can focus on building awesome things that explore your creativity as well as the needs of people you care about.
-
-
-
-
5 is pretty common when an exec has been sold technology before a project starts, thinking it will make everything easier. Then 5 becomes a requirement for the project or it is a) money wasted b) makes said exec look bad. The piece should be renamed to, “How Bureaucracies Function.”
-
-
-
Bad management is very widespread within sv / tech companies, because fast-moving companies inevitably end up with managers with little experience/training.
You can dodge some of these issues by working for larger / more-established companies, but even the most well-respected companies have bad managers thriving on some teams. Sometimes top-performing teams can be managed by complete assholes of some form or another (e.g. many of the stories about Steve Jobs).
Learning to “manage up” with inexperienced managers, or change positions when the situation is untenable is a reality of business, and not unique to tech.
Just to be clear, though – this is a managerial problem and not something you should suffer through! There are plenty of fantastic people out there to work for. As a tech worker you hold sway and can try to seek out places that don’t have these antipatterns, and work to reverse them when you see them.
-
-
Seems like quite an impressive achievement already - but the docs leave me wondering: with several narrowly-defined init schemes already out there, what are the parts of systemd that are worth keeping?
The ‘motivations’ section mentions “socket activation, parallel execution, resource limiting, cgroups, the declarative configuration syntax, etc.” – but that “etc” is precisely the pit that systemd has itself fallen into.
-
The whole soup to nuts approach here is interesting to read. I love attempts to make things easier for beginners, but some of the details here seem to be at odds with one another. Does a person who doesn’t have Ruby installed actually want to build a gem?
Seems rather like starting a recipe for frying an egg with instructions on how to install a stove. I love the idea of bridging the gap between the setup and the tutorial, but wonder if it’s possible to more clearly delineate “Hey I did everything up to this point three and a half years ago and it never crosses my mind in day-to-day development”
-
The purpose isn’t (just) to teach beginners. It’s to show other Rubyists exactly how I do things. There are five or six tools that help you install Ruby, and I’ve shown you the one I use.
-
-
It seems like many of the issues in this article and those like it can be attributed to the absurdly low barrier to entry for software companies. If you have no money, no likely revenue, and nothing holding you accountable, are you a company or a club? Bio-tech startups certainly don’t work this way.
Tangentially related: I don’t remember ever hearing anyone say “How can we get more people into chemical engineering?” or seen any Learn-to-play-with-deadly-chemicals-in-12-weeks “engineering” courses.
-
The article’s critique was anchored specifically on the comments of the founders of Paypal, Facebook and 42Floors. “No money, no likely revenue, and nothing holding you accountable” doesn’t really seem to apply.
Bio-tech startups would seem to have diversity problems that mirror those of software startups fairly closely.
-
-
-
-
Yup.
-
Based on?
-
-
-
I don’t remember ever hearing anyone say
There are certainly efforts in other fields to encourage more people to get into them.
But, and maybe this is just personal bias, chemical engineering does not underlie so much of modern socio/political/economic power in the way that software does. Software is eating the world, and without some kind of base literacy, it’s increasingly hard to understand what’s going on around us. That’s why I think more people should have at least a tiny understanding of how computing works.
-
I would maybe argue that this is personal bias. Understanding chemistry is the basis of petroleum engineering, pharmaceuticals, materials science, and a bunch of other really important stuff (generating and storing electrical energy efficiently, fertilizers/pesticides, etc.). Between them those things underlie a vastly larger fraction of socio/political/economic power in the world than software.
I think it’s easy to get an inflated idea of the importance of something (e.g. software) when you live and breathe it every day.
If I had to guess why there’s such an outsize effort to get people into software I would probably say it’s just because there happens to be a labor shortage at the moment, but I don’t really know ¯_(ツ)_/¯.
-
Replying to both you and your sibling, computing is what ends up controlling all those important things, however. And communication is a greater power than any particular physical good, and that’s all computerized at this point.
I do think all fields are important, regardless.
-
Supporting @steveklabnik’s point, from the original Software is Eating the World essay:
Oil and gas companies were early innovators in supercomputing and data visualization and analysis, which are crucial to today’s oil and gas exploration efforts. Agriculture is increasingly powered by software as well, including satellite analysis of soils linked to per-acre seed selection software algorithms
-
Fair point, although you can’t communicate on any modern medium without oil and electricity to power it (nor can you even make a computer!); there’s sort of a chicken and egg thing here :P
I guess I don’t really see the argument that computing is a more reasonable thing for everyone to understand the basics of than chemistry or physics or biology or what have you; all of it is important and runs the the world in some way. Maybe we should encourage people to learn a bit of everything :)
-
you can’t communicate on any modern medium without oil and electricity to power it
This is absolutely true, and something I worry about way more than I should, probably.
Maybe we should encourage people to learn a bit of everything :)
Yes, very much this. This over-focus on STEM is incredibly harmful :(
-
From here it looks like most jobs over the next century will require skills we currently think of as software skills. In the same way that most jobs today require some kind of “functional computer literacy”, and most jobs last century required ordinary literacy. The skills of programming seem generally applicable, in a way that something like materials science (while fascinating, and underlying lots of recent engineering advances) isn’t. Will knowing chemistry/physics/biology make you a better accountant/architect/artist? Maybe, but the connection seems more direct and obvious for computing.
-
I’d tend to agree, which is what I posited in my OP: the push for people to learn computing is more about the labor market than anything else.
-
-
-
-
-
-
I think that the importance of software lies on the fact that it works as a tool to enhance people’s capabilities. While other fields may be directly involved in the production of good and services that are fundamental to support our modern lifestyle, software not only has an impact on these fields but in almost everything else we do, be it big or small. Because of this, its reach is, at least, much larger than any other field I know of.
-
-
-
I’m finishing up a blog post about Lua and Redis. Beyond that, most of the week will be spent planning out system configuration and deployment issues around some new Go-based services. Microservice-driven architectures are proving challenging to reason about in practice. So…. reading what I can and validating assumptions with tests when feasible.
-
I’m working on a new blog post about using Lua scripting in Redis to implement analytics algorithms. Also working on an internal Go app to better manage software defined networks.
No, no, no. We have the best tools money can’t buy.
So many projects I have seen derailed by….
How about instead, “Pay’s upstream devs / contributes to the best tools money can’t buy.”
There are a lot of great open source software tools, but that blanket isn’t enough to cover you. Having the best tools money can buy includes support contracts (possibly to upstream devs), service management (datacenter or various IaaS/PaaS services) and excellent dev hardware (laptop?)
This is more what I was thinking about when I wrote the article. I think that open source tools, software definitely has it’s place in engineering, and should probably be preferred in a lot of cases.
I’ve always been attracted to the idea of 80/20 time, and I know that (especially at Google) the implementation never lives up to the idea.
Still, I think that the intent is noble: give the developer some ordained “free time” to get their creativity going again. In that spirit, I think that experimenting with different development tools (IDEs or editors, continuous integration tools, etc) should be encouraged and discussed. After a milestone, as the team has a retrospective on what worked and what didn’t, I think tools should be a part of the discussion. Did Sarah discover that Jenkins is more useful than Bamboo? Hey, look, Chuck learned about oh-my-zsh, you know that sort of thing.