I greatly dislike the implication that I am personally failing to ensure my happiness because I do not spend enough time learning. It’s like a double insult.
Oh, I am really sorry you felt this way reading the article!
Maybe I should have stressed more in the article that this is not necessarily a personal choice, but that the organisation you work in may block you from applying this recommendation.
The author leads with “People working in other industries should probably not be miserable at work either, but that is not the concern of this article”. About that:
I spent my 20s working almost-min-wage jobs in kitchens and grocery stores, working as many as 3 jobs (opening + prep work in a cafe in the early morning, cook in a restaurant in the afternoon and evening, and bus dishes on the weekend) and various side hustles to pay for a small room in a crowded house in South Berkeley (approx. 11 other people were living there), with not much hope in sight for anything different.
Sometimes nowadays I find myself getting frustrated with e.g. some of the nasty proprietary or legacy tech I have to work or interface with. But while this work can sometimes feel like slogging through filth, I’ve worked jobs where I literally had to slog my way through actual filth – and this is very far from that. As a knowledge worker, you generally have autonomy and respect and flexibility that is completely unheard of to even a lot of white collar workers, let alone folks toiling away doing physically demanding work for minimum wage. Not to mention you probably won’t deal with the kinds of psychological abuse and unsafe conditions that are part and parcel of many of those lower-wage jobs.
Which isn’t to say that tech workers shouldn’t aim to improve their conditions further or try to have more fun at work, or that we should put up with bullshit simply because others have it worse – it’s essential that we protect what we have and improve it and even enjoy ourselves. But I do think that tech workers often miss how dire things are for other folks, especially folks working low-wage, manual jobs, and it would be nice to see more recognition of the disparity in our circumstances.
I grew up in a restaurant and spent some time working as a bus boy. It really grinds my gears when you go out for a meal with a coworker and they complain about the service. “How hard could it be to get my order right?” Why don’t you work in a restaurant for a couple years and find out! Or when people assume scaling a restaurant is as easy as adding a load balancer and a couple more servers (pun not intended, but appreciated).
Some people have never worked in the service industry and it really shows.
I resonate really hard with this, I’ve come back several times to try to write a reply that isn’t a whole rant about people in tech but:
I’ve done a bunch of not so sexy jobs (legal and not so much, I’ll leave those out): retail, restaurants in various positions, and I was even one of those street fundraisers for the children (where I was subject to physical violence and the company’s reaction was “it comes with the job”). Now I work tech full time, and I’m a deckhand when I’m not doing that.
My perspective is shaped by a couple things, I think:
Being born to teenage parents who worked similar jobs and struggled for a long time
The fact that they “raised me right” – if I talked to / treated anyone the way I’ve seen some folks I’ve met in this industry do to service workers / people they seem to consider as “below them”, they wouldn’t be having any of it
Actually working the jobs and being subject to the awful treatment by both customers and management
The thing is, though, that I really don’t think you should have to go through any of this in order to just not be a jerk to people… I really don’t know what the disconnect is. The most difficult customers I’ve had (at previous jobs and on the boat) have typically been the ones that seem the most privileged. When it comes to restaurants, the cheapest ones (in terms of tipping) were similarly the people that would come in and order hundreds of dollars worth of food and then leave little to no tip (I’m not here to debate tipping culture, it is what it is here at this point).
I’ve had situations where I take people to a place where I’m cool with the staff and someone picks up the tab (for which I’m appreciative) but then they are rude / pushy / skimp out on the tip, which is really embarrassing to say the least (I don’t hesitate to call people out but I feel like … I shouldn’t have to?)
The boat I work on is in the bay area and so we get a lot of tech people, and a couple of things stand out:
I don’t really know how some of the most intelligent people can be so dumb (literally all you need to do is follow directions)
They talk down to us (the crew trying to put them on fish and, for what it’s worth, keep them alive – won’t get into that here), and when you ask them not to do something for safety or you try to correct something they’re doing wrong, they get an attitude. I want to emphasize, not everyone, but enough to make you stop and ask why.
When they find out that I also work in tech (you talk to people since you’re with them for 8+ hours), the reaction is typically one of “why do you need to be doing THIS?”. Sidenote – the most hilarious thing that I enjoy doing is dropping into a technical conversation (a lot of people come on with their coworkers) and having people be like “wtf how does the deckhand know about any of this?”
They don’t tip … lol … or they stiff us for fish cleaning which we are upfront is a secondary service provided for a fee.
It’s not everyone, but I get a pretty decent sample size given the population here. The plus side of working on the boat (vs a restaurant or retail) is that if someone starts being a major a-hole the captain doesn’t mind if we stand up for ourselves (encourages it, even)
It’s not everyone of course, but it’s enough to make you wonder.
Some people have never worked in the service industry and it really shows.
Yeah, exactly. Or, we have a saying: “you can tell who’s never pushed a broom in their life”.
That was more of a rant than I wanted to get into but since I’m here it was kind of cathartic. I really just wish people would stop and think about the human on the other end. Of course it’s not just tech people that do things like this, but … yeah.
I’ve done a bunch of not so sexy jobs (legal and not so much, I’ll leave those out)
I worked in eDiscovery for a while (~3 years) so I have a sense of legal. It’s very stratified and stressful. I remember going to bed at 2 AM and waking up at 5 AM to make sure that a production was ready for opposing counsel. Not ideal…
My perspective is shaped by a couple things, I think:
Being born to teenage parents who worked similar jobs and struggled for a long time
By contrast, my father was 39 when he had me. However, he had a hard life. He grew up in Francoist Spain. (One of the few memories of my grandfather was when he told me “El hambre es miseria. El hambre es miseria.” (Hunger is misery. Hunger is misery.)) My father was a Spanish refugee in France at age 9. He didn’t complete high school. Instead, he did an apprenticeship in a French restaurant where the chefs beat him. He worked 16 hour days for a long time.
The fact that they “raised me right” – if I talked to / treated anyone the way I’ve seen some folks I’ve met in this industry do to service workers / people they seem to consider as “below them”, they wouldn’t be having any of it
Absolutely. My father always said that everyone was welcome at his restaurant, regardless of what they were wearing. It’s important to respect everyone.
Inter-generational trauma is a real thing. I’m doing okay, but my brothers didn’t fare so well. (A topic for a more one on one conversation.) I hope you are okay. <3
Edit: this has really thrown me through a loop. I don’t mean to be dramatic and I know this is a public forum, but I’m sure there are more people posting than responding. If it means anything to anyone then it’s more important to say so than to be stoic. I hope you are all doing okay.
I worked in eDiscovery for a while (~3 years) so I have a sense of legal. It’s very stratified and stressful. I remember going to bed at 2 AM and waking up at 5 AM to make sure that a production was ready for opposing counsel. Not ideal…
Heh, sorry I meant legal vs not-so-legal in the legality sense, but in any case wow that sounds dreadful!
I appreciate your kind words and you sharing your story, and I’m glad you’re doing okay. I’m also sorry to hear about your brothers, similar thing is true for some of my siblings…kind of weird how that works.
There is a theory in some circles that states that having money enables people to not have to care about other human beings. With money you can feel like you provide for all your needs by just buying stuff and services. If you don’t have so much money, you need to compensate by trying to build mutual understanding. That leads to being more empathic. You also need to respond to or even anticipate the needs of people who give you money. Which also leads to some kind of asymmetric empathy (similar to impostor syndrome).
Also there may be the fact that some people are attracted to tech because they feel they are more gifted with machines than with people. So maybe some form of selection bias here too.
Well put. I sometimes ask myself, “How many people are living miserable lives so that I can sit in a cushy chair and think about interesting problems?”
Well, I’ve worked in the oil and gas industry, so I helped keep lots of people’s heat working in the winter, including my own. At the cost of making the world incrementally more fucked though, so that one’s a net negative. I’ve done a fair amount of teaching, so I helped share skills that were useful for people. I’ve worked datacenter tech support, so I helped lots of people keep their online businesses working. So there’s that.
If I really wanted to make the world a better place, I would either work for something like Habitat For Humanity and build houses, or I would get a PhD in nuclear physics or material science and try to make better nuclear/solar energy sources. Or become a teacher, natch, but my sister and both parents are teachers so I feel like I have to break the family mold. Could always do what my grandmother did and become a social worker. Or go into politics, because someone with a brain stem has to, but I’ve had enough brushes with administration to know that I will burn myself out and be of no use to anyone.
Right now I work in robotics doing R&D for autonomous drones, so I’ll hopefully make peoples’ lives better somewhere, someday down the line. Nothing as good as what Zipline does, but on a similar axis – one of my most fun projects was basically Zipline except for the US Army, so it was 10x more expensive and 0.25x as good.
…do people not normally think about this sort of thing?
That there are people supporting cole-k’s job (I don’t know who, maybe car mechanics, cafeteria workers, janitors?) whose work is required for cole-k’s job to be possible, but who are necessarily miserable in their jobs.
Yeah, and I’ve done at least a moderate share of supporting them back one way or another, within the bounds of my aptitudes, skills, and how selfish I’m willing to be – and honestly I’m pretty selfish, ngl. Sometimes I’ve done it directly by serving them back, more often indirectly by trying to do things that Benefit Everyone A Bit. All I can do is keep trying. We’re all in this together.
This should not be controversial, and sometimes I wish I had a button to teleport some of my colleagues where I used to work in Africa to recalibrate their sense of what “hard” means.
This is so true. I try to remind myself of this as much as I can, but as I did not experience minimum wage work myself, it can be hard to be fully aware of this situation.
Maybe we should try for the condition of everybody to improve. I fear that by insisting a lot on the good conditions we have in the tech industry it would only encourage a degradation on those conditions unfortunately. Tactically, I wonder if we should not focus on the commonalities of the issues we face across all the different types of jobs.
I also paid for college and university working in a large hotel kitchen and then dining room. At the time in the front of the house I could earn enough in tips over a summer to cover a year of state school tuition plus room and board. I’d go back on holidays and long weekends to make the rest of my expenses. It was hard work, long hours, and disrespected in all kinds of ways. Once in a while there was violence or the threat of violence. But it beat doing landscaping or oil changes and tires. There were a number of us who were using it as a stepping stone, one guy from Colombia worked until he saved up enough to go back home and buy a multi-unit building so he and his parents could live in it and be landlords, get a used BMW for himself, and finish his education. His motivation, and taking extra shifts, made mine look weak and I was highly motivated.
I remind myself of that time when I’m frustrated at my desk.
one guy from Colombia worked until he saved up enough to go back home and buy a multi-unit building so he and his parents could live in it and be landlords
This I think was one of Bryan Caplan’s arguments about open borders.
In addition to the moral issue that no-one has the right to curtail the free movement of others[1], there is solid empirical evidence that not only do immigrants enrich the countries they emigrate to (i.e. contribute more on average than locals), they often also help lift their home countries out of poverty by doing exactly what your Colombian friend did.
[1] One frequently occurring example of hypocrisy on the matter of travel: people who simultaneously rail against any attempt by their own Government to control their movement (passports, papers, ID, etc.), but also complain loudly about people crossing the border into “their” country and demand the Government build a wall, metaphorically or literally.
Work doesn’t have to be fun. It can be work and it can be just, well, fine. Learning doesn’t have to be fun. I recently learned some stuff about woodworking. It was not fun. It wasn’t unpleasant either. It was fine.
The insistence that others have some specific experience while working is something we must collectively stop doing. People should not be miserable at work but they also should not feel like they are failing if they aren’t having fun or that management is failing if the employees aren’t having fun.
To require that work instill some particular mental state and particular feeling is kinda weird to me.
To require that work instill some particular mental state and particular feeling is kinda weird to me.
And to me, foisting this “mob programming” nonsense and gamification stuff on people is truly dystopian. I often do my best work in deep thought, alone. It can help to bounce ideas off someone, but seriously, mob programming? That just results in quality that the lowest common denominator could put in. And gamification feels downright manipulative (like the “stars and badges” bullshit that GitHub puts in to increase “engagement”).
I agree with your point on deep thought. I see it more as complementary to mob. With the group you can confront your deep thought with those of others and get even better thought.
I also agree that there is some trend in the “gamification” movement that feels quite manipulative. It does make me uneasy too. There are also some techniques that come from neuroscience that could be qualified as some sort of gamification but do not feel manipulative to me. It just leverages some properties of the human mind.
Fair enough. But keep in mind that this gamification would be done by the employer, where there’s a strong power imbalance. Anything done that could be construed as manipulative will be seen as such by at least some people, and that’s not a good look for an employer either.
Yes, people would be absolutely right to be wary of this kind of move.
I can imagine some set-up in some healthy organizations where these kinds of ideas could be implemented by employees themselves. Given they have enough autonomy to do so and psychological safety and so on.
What I am trying to say, is not that it would be required. Just that it helps if you can. And it would help our bosses too.
I do not want to inflict guilt on people that do not feel that way. I certainly do not feel that way quite often.
A career counselor I once spoke with said she suggests people consider these four factors when evaluating work:
Values
Interests
Skills
Personality
The amount of each one you are missing will generally decrease your engagement.
I think this article touches on values (learning) and interests (games/learning), but leaves out other things. There are many people who value stability over learning and will be amazingly engaged without that aspect.
I would go at it from a different direction. Are you disengaged with work? Maybe you should consider your largest interests, skills, values, and personality traits and find a job that fits it, or learn to engage with your current job because of those things. “I really love my job because I can trust that I will be able to get a new one in this industry with the experience I am gaining. It gives my family stability and I highly value that over interesting or easy work. I probably wouldn’t do this when I retire, but I think I have more of a chance of retiring if I stay in this industry.” That person may be more engaged than anyone else.
This is one of the big things about the gamification movement, it only deals with interests and maybe personality.
Thanks so much for the feedback! I find it very interesting. It broadens my point of view on the subject. I think I totally agree with you. I am not sure what you mean by your third point about skills? People are not engaged if they are not skilled for their task?
I would answer that the idea of the article is that, all other things being equal, we should encourage people to feel a little more joy in their work. And it is in the interest of the people signing the pay check too. Maybe it did not come through very well in my writing. The exercise is a bit new to me and I am not a native English speaker.
Yep, I don’t know if this model of satisfying work is better than yours. It may be overcomplicated for what most folks want.
For point 3, if you were interested in your job’s field, felt like it was doing really good things in the world, and it fit your personality, you would still have a problem if you didn’t know how to do it well. I think your model actually touches on this with learning. An example for me is when I really started using vi for more than simple single pane text editing, it really helped large parts of my job feel more satisfying. I wasn’t fighting with expressing myself because I had developed a skill.
There are some vocational education systems out there that just focus on the skills area. You need to know X, Y, and Z to be a petroleum engineer. You learn that at a university. You apply that for the next 30 years with a little mentoring and continuing education thrown in there. But generally, you need to know 90% of what is taught in university or else you’re not going to have fun at that type of job.
A big factor many juniors don’t see is that sometimes it’s not you, but your team/company. It can do wonders to be in an environment where thoughtfulness & mental health is respected.
In my experience, the most motivating way to learn is gaining the confidence to believe you can learn & be great at your job. Unfortunately, unless you already have that, it’ll be really hard among the wrong team.
I have it too. Also surrounded by very smart people!
I feel that being self taught at programming played a role in having impostor syndrome too.
And now I wonder if this is not a hint our mind tries to give us that we should help each other learn more things in the trade?
While this certainly fits with my experience, what about people who don’t get joy from programming, don’t want to learn new stuff, don’t find the puzzle fun?
I find it hard to imagine a professional football player that doesn’t or at least didn’t for a substantial amount of time in the past like playing football. I also can’t do the same for an influential physics professor. I’m willing to believe that not all jobs are equal in this sense. I have a burning passion for programming and I still have to push myself hard in order to endure the mental pain of trying to align a hundred stars and solve difficult programming challenges. I can’t imagine how one could motivate oneself to suffer that 8 hours a day without feeling the kind of joy that comes with finding the solution.
It’s hard to describe this to non-programmers, but I believe I have the right audience here. Programming is a very stressful job. Not stressful like a surgeon or a stock broker who get stressed due to what’s at stake, but stressful because you have to push yourself to your limits to turn your brain into a domain specific problem solving apparatus and find the solution.
BTW, I know that there are a lot of programming jobs out there which don’t resemble what I’m describing here at all, but I know that there are jobs like this too, but we don’t have a different name for them.
I have a burning passion for programming and I still have to push myself hard in order to endure the mental pain of trying to align a hundred stars and solve difficult programming challenges.
There is so much programming out there where you do some boring crud service on some db or where you assemble 4 different json blobs in a different format and pass it to the next microservice or cloud endpoint. That’s not truly exciting or challenging.
I know that and I respect those jobs and programmers, but as I’ve mentioned some programming jobs require constant puzzle solving and creativity. I think my comment would be more agreeable if I said “compiler engineer” or “game AI engineer” or “database engineer”, but I don’t know of any term that can be used about those jobs collectively. Maybe we need a term like “R&D programmer” or maybe I should just have said “R&D engineer” and decoupled my point from programming per se.
I’ve seen clock-in clock-out devs who didn’t give a shit about anything they did. Took no joy nor pride in their work. They were government contractors and so they did the absolute least possible (and least quality) that the gov asked for and would accept, and no more. They didn’t seem to care about what they got personally out of their jobs, they seemed to think it was normal. Drove me nuts, quit the company in 6 months.
I had the exact same experience with some additional slogging through warehouses (cutting cardboard; I wish I were joking) and testing security hardware while waiting for a security clearance shortly after OPM got hacked (~6 months to get the clearance). Then to finally be surrounded by people warming their chairs, I couldn’t stand it. I understand the need to have stability in your job but pride is also important, at least to me.
It depends on why you do it. Let’s not forget that programming is a very well paid profession. Maybe you use the good salary to finance the life-style you want to have (buy a house/apartment, have kids, maybe expensive hobbies). I can certainly imagine a more fun place to work than my current job, but the pay is very good. Therefore I stay, because it enables my family and me to have the life we want.
Thanks, those are very interesting points. Indeed, I think there are a lot of reasons to take the job besides fun, and this is very respectable. On the other hand, I would state that people having fun doing it get a better chance at performing and improving their skills in the long run.
Thanks for the feedback. It would be very interesting to me to understand why I lost you? Did you not agree with the point? Or maybe it was not so clear? I was trying to touch on pair/ensemble programming techniques and offer another point of view about why they can be interesting practices.
In my (fairly limited) experience doing pair programming, you need right tools to be able to actually enjoy doing it. A while ago we pair programmed some Unreal Engine Blueprints with a coworker and it was terribly boring, because one of us was just looking at the other’s screen and the other one was throwing in suggestions on what to do, what could be the bug, etc. My experience as the person looking was that I was just tired and bored of looking at them not doing what I wanted to try. The coworker felt the same when we did it the other way (ie. when I was doing the programming and they were the one looking.)
I’m sure pair programming can be fun with tools that make it more like playing a multiplayer game (where each one of us has authority over their actions and we can work independently,) but screen sharing does not work like this and unfortunately most editors we use at work do not have a “multiplayer mode” like that.
I agree you need good tooling.
You also can do with some changes in the practices.
For instance, a simple “hack” to avoid feeling what you describe in your experience is to switch keyboard regularly (every 5 or 10 minutes). That can change the dynamic of the session, as you are periodically more engaged.
Also, being more than two changes the dynamic of the conversation a lot.
I’m not sure I understand what you mean by “switching keyboards.” We do the pair sessions remotely so switching places with the coworker isn’t possible, and shuttling files between each other would be quite a nightmare due to exclusive checkout (Unreal Blueprints are binary files and only one person can be editing them at a time, this is a restriction imposed at the VCS level) unless you literally mean unplugging my current keyboard and switching to a different one every 10 minutes?
Ah ah not unplugging the keyboard no.
Sorry I was not aware of the specifics of unreal blueprints.
What I meant was switching the driver and navigator roles that are common in pairs.
The driver being the one actually typing and the navigator the one indicating the next change to implement.
Even if you have restrictions with your tooling, maybe you can go around this issue by doing very small changes (micro-commits?). Sorry, I am not sure; I do not know much about your set-up.
In my opinion, when you introduce some kind of human aspect in programming, it becomes more a social activity and less technical. I like to focus on the technical side; it gives me the feeling of flow and success. Dealing with people is hard for me (you may have guessed, I’m not the sociable type), therefore I don’t like it.
The other thing is: https://lobste.rs/s/yrc59x/allergic_waiting :) Sometimes even my hands are struggling to keep up with my thoughts. I can’t demand that (not even near) from another human being. So I expect to be held back.
I think people rely on JavaScript too much. With sourcehut I’m trying to set a good example, proving that it’s possible (and not that hard!) to build a useful and competitive web application without JavaScript and with minimal bloat. The average sr.ht page is less than 10 KiB with a cold cache. I’ve been writing a little about why this is important, and in the future I plan to start writing about how it’s done.
In the long term, I hope to move more things out of the web entirely, and I hope that by the time I breathe my last, the web will be obsolete. But it’s going to take a lot of work to get there, and I don’t have the whole plan laid out yet. We’ll just have to see.
I’ve been thinking about this a lot lately. I really don’t like the web from a technological perspective, both as a user and as a developer. It’s completely outgrown its intended use-case, and with that has brought a ton of compounding issues. The trouble is that the web is usually the lowest-common-denominator platform because it works on many different systems and devices.
A good website (in the original sense of the word) is a really nice experience, right out of the box. It’s easy for the author to create (especially with a good static site generator), easy for nearly anyone to consume, doesn’t require a lot of resources, and can be made easily compatible with user-provided stylesheets and reader views. The back button works! Scrolling works!
Where that breaks down is with web applications. Are server-rendered pages better than client-rendered pages? That’s a question that’s asked pretty frequently. You get a lot of nice functionality for free with server-side rendering, like a functioning back button. However, the web was intended to be a completely stateless protocol, and web apps (with things like session cookies) are kind of just a hack on top of that. The experience of using a good web app without JavaScript can be a bit of a pain with many different use cases (for example, upvoting on sites like this: you don’t want to force a page refresh, potentially losing the user’s place on the page). Security is difficult to get right when the server manages state.
I’ll argue, if we’re trying to avoid the web, that client-side rendering (single-page apps) can be better. They’re more like native programs in that the client manages the state. The backend is simpler (and can be the backend for a mobile app without changing any code). The frontend is way more complex, but it functions similarly to a native app. I’ll concede a poorly-built SPA is usually a more painful experience than a poorly-built SSR app, but I think SPAs are the only way to bring the web even close to the standard set by real native programs.
Of course, the JavaScript ecosystem can be a mess, and it’s often a breath of fresh air to use a site like Sourcehut instead of ten megs of JS. The jury’s still out as to which approach is better for all parties.
(for example, upvoting on sites like this: you don’t want to force a page refresh, potentially losing the user’s place on the page)
Some of the UI benefits of SPA are really nice tbh.
Reddit for example will have a notification icon that doesn’t update unless you refresh the page, which can be annoying.
It’s nice when websites can display the current state of things without having to refresh.
I can’t find the video, but the desire for eliminating stale UI (like outdated notifications) in Facebook was one of the reasons React was created in the first place.
There just doesn’t seem to be a way to do things like that with static, js-free pages.
The backend is simpler (and can be the backend for a mobile app without changing any code).
I never thought about that before, but to me that’s a really appealing point to having a full-featured frontend design.
I’ve noticed some projects with the server-client model where the client-side was using Vue/React, and they were able to easily make an Android app by just porting the server.
The jury’s still out as to which approach is better for all parties.
I think as always it depends.
In my mind there are some obvious choices for obvious usecases.
Blogs work great as just static html files with some styling.
Anything that really benefits from being dynamic (“reactive” I think is the term webdevs use) confers nice UI/UX benefits to the user with more client-side rendering.
I think the average user probably doesn’t care about the stack and the “bloat”, so it’s probably the case that client-side rendering will remain popular anytime it improves the UI/UX, even if it may not be necessary (plus cargo-culting lol).
One could take it to an extreme and say that you can have something like Facebook without any javascript, but would people enjoy that? I don’t think so.
But you don’t need to have a SPA to have notifications without refresh. You just need a small dynamic part of the page, which will degrade gracefully when JavaScript is disabled.
Claim: Most sites are mostly static content. For example, AirBNB or Grubhub. Those sites could be way faster than they are now if they were architected differently. Only when you check out do you need anything resembling an “app”. The browsing and searching is better done with a “document” model IMO.
Ditto for YouTube… I think it used to be more a document model, but now it’s more like an app. And it’s gotten a lot slower, which I don’t think is a coincidence. Netflix is a more obvious example – it’s crazy slow.
To address the OP: for Sourcehut/Github, I would say everything except the PR review system could use the document model. Navigating code and adding comments is arguably an app.
On the other hand, there are things that are and should be apps: Google Maps, Docs, Sheets.
edit: Yeah now that I check, YouTube does the infinite scroll thing, which is slow and annoying IMO (e.g. breaks bookmarking). Ditto for AirBNB.
I’m glad to see some interesting ideas in the comments about achieving the dynamism without the bloat. A bit of Cunningham’s law in effect ;). It’s probably not easy to get such suggestions elsewhere since all I hear about is the hype of all the fancy frontend frameworks and what they can achieve.
Yeah SPA is a pretty new thing that seems to be taking up a lot of space in the conversation. Here’s another way to think about it.
There are three ways to manage state in a web app:
On the server only (what we did in the 90’s)
On the server and on the client (sometimes called “progressive enhancement”, jQuery)
On the client only (SPA, React, Elm)
As you point out, #1 isn’t viable anymore because users need more features, so we’re left with a choice between #2 and #3.
We used to do #2 for a long time, but #3 became popular in the last few years.
I get why! #2 is legitimately harder – you have to decide where to manage your state, and managing state in two places is asking for bugs. It was never clear if those apps should work offline, etc.
But somehow #3 doesn’t seem to have worked out in practice. Surprisingly, hitting the network can be faster than rendering in the browser, especially when there’s a tower of abstractions on top of the browser. Unfortunately I don’t have references at the moment (help appreciated from other readers :) )
I wonder if we can make a hybrid web framework for #2. I have seen a few efforts in that direction but they don’t seem to be popular.
edit: here are some links, not sure if they are the best references:
Oh yeah I think this is what I was thinking of. Especially on Mobile phones, SPA can be slower than hitting the network! The code to render a page is often bigger than the page itself! And it may or may not be amortized depending on the app’s usage pattern.
A good example of #2 is Ur/Web. Pages are rendered server-side using templates which look very similar to JSX (but without the custom uppercase components part) and similarly desugar to simple function calls. Then at any point in the page you can add a dyn tag, which takes a function returning a fragment of HTML (using the same language as the server-side part, and in some cases even the same functions!) that will be run every time one of the “signals” it subscribes to is triggered. A signal could be triggered from inside an onclick handler, or even from an event happening on the server. This list of demos does a pretty good job at showing what you can do with it.
So most of the page is rendered on the server and will display even with JS off, and only the parts that need to be dynamic will be handled by JS, with almost no plumbing required to pass around the state: you just need to subscribe to a signal inside your dyn tag, and every time the value inside changes it will be re-rendered automatically.
Reddit for example will have a notification icon that doesn’t update unless you refresh the page, which can be annoying. It’s nice when websites can display the current state of things without having to refresh.
On the other hand, it can be annoying when things update without a refresh, distracting you from what you were reading. Different strokes for different folks. Luckily it’s possible to fulfill both preferences, by degrading gracefully when JS is disabled.
I think the average user probably doesn’t care about the stack and the “bloat”, so it’s probably the case that client-side rendering will remain popular anytime it improves the UI/UX, even if it may not be necessary (plus cargo-culting lol).
The average user does care that browsing the web drains their battery, or that they have to upgrade their computer every few years in order to avoid lag on common websites. I agree that we will continue to see the expansion of heavy client-side rendering, even in cases where it does not benefit the user, because it benefits the companies that control the web.
Some of the UI benefits of SPA are really nice tbh. Reddit for example will have a notification icon that doesn’t update unless you refresh the page, which can be annoying. It’s nice when websites can display the current state of things without having to refresh.
Is this old reddit or new reddit? The new one is sort of SPA and I recall it updating without refresh.
Old reddit definitely has the issue I described, not sure about the newer design. If the new reddit doesn’t have that issue, that aligns with my experience of it being bloated and slow to load.
In the case where you have lots of buttons like that, isn’t loading multiple completely separate DOMs and then reloading one or more of them somewhat worse than just using a tiny bit of JS? I try to use as little as possible, but I think that kind of dynamic interaction is the use case JS was originally made for.
Worse? Well, iframes are faster (marginally), but yes I’d probably use JavaScript too.
I think most NoScript users will download tarballs and run ./configure && make -j6 without checking anything, so I’m not sure why anyone wants to turn off JavaScript anyway, except for maybe because adblockers aren’t perfect.
I’m not sure if this would work, but an interesting idea would be to use checkboxes that restyle when checked, and by loading a background image with a query or fragment part, the server is notified of which story is upvoted.
One thing I really miss with SPA’s (when used as apps), aside from performance, is the slightly more consistent UI/UX/HI that you generally get with desktop apps. Most major OS vendors, and most oss desktop toolkits, at least have some level of uniformity of expectation. Things like: there is a general style for most buttons and menu styles, there are some common effects (fade, transparency), scrolling behavior is more uniform.
With SPAs… well, good luck! Not only is it often browser dependent, but matrixed with a myriad JS frameworks, conventions, and render/load performance on top of it. I guess the web is certainly exciting, if nothing else!
I consider the “intended use-case” argument a bit weak, since for the last 20 years web developers, browser architects and our tech overlords have been working on making it work for applications (and data collection), and to be honest it does so most of the time. They can easily blame the annoyances like pop-ups and cookie-banners on regulations and people who use ad blockers, but from a non technical perspective, it’s a functional system. Of course when you take a look underneath, it’s a mess, and we’re inclined to say that these aren’t real websites, when it’s the incompetence of our operating systems that have created the need to off-load these applications to a higher level of abstraction – something had to do it – and the web was just flexible enough to take on that job.
You’re implying it’s Unix’s fault that the web is a mess but no other OS solved the problem either? Perhaps you would say that Plan 9 attempted to solve part of it, but that would only show that the web being what it is today isn’t solely down to lack of OS features.
I’d argue that rather than being a mess due to the incompetence of the OS it’s a mess due to the incremental adoption of different technologies for pragmatic reasons. It seems to be this way sadly, even if Plan 9 was a better Unix from a purely technological standpoint Unix was already so widespread that it wasn’t worth putting the effort in to switch to something marginally better.
No, I don’t think Plan 9 would have fixed things. It’s still fundamentally focused on text processing, rather than hypertext and universal linkability between objects and systems – ie the fundamental abstractions of an OS rather than just its features. Looking at what the web developed tells us what needs were unformulated and ultimately ignored by OS development initiatives, or rather set aside for their own in-group goals (Unix was a research OS after all). It’s most improbable that anyone could have foreseen what developments would take place, and even more that anyone will be able to fix them now.
From reading the question of the interviewer I get the feeling that it’s easy for non technical users to create a website using wordpress. Adding many plugins most likely leads to a lot of bloaty JavaScript and CSS.
I would argue that it’s a good thing that non technical users can easily create a website, but the tooling to create it isn’t ideal. For many users a wysiwyg editor which generates a static html page would be fine, but such a tool does not seem to exist or isn’t known.
So I really see this as a tooling/solution problem, which isn’t for users to solve but for developers to create an excellent wordpress alternative.
for example, upvoting on sites like this: you don’t want to force a page refresh, potentially losing the user’s place on the page)
If a user clicks a particular upvote button, you should know where on that page it is located, and can use a page anchor in your response to send them back to it.
It’s not perfectly seamless, sadly, and it’s possible to set up your reverse proxy incorrectly enough to break applications relying on various http headers to get exactly the right page back.
Well, some of us are in this category (as the article points out):
If you’re building API services that need to support server-to-server or client-to-server (like a mobile app or single page app (SPA)) communication, using JWTs as your API tokens is a very smart idea. In this scenario:
You will have an authentication API which clients authenticate against, and get back a JWT
Clients then use this JWT to send authenticated requests to other API services
These other API services use the client’s JWT to validate the client is trusted and can perform some action without needing to perform a network validation
so JWT is not that bad.
Plus, it is refreshing to visit a website that says ‘there are no cookies here’… in their privacy policy.
Plus, it is refreshing to visit a website that says ‘there are no cookies here’… in their privacy policy.
The EU “Cookie Law” applies to all methods of identification — cookies, local storage, JWT, parameters in the URL, even canvas fingerprinting. So it shouldn’t have any effect on the privacy policy whatsoever.
You still can use sessions with cookies, especially with SPA. Unless the JWT token is stateless and short lived you should not use it. Also JWT isn’t the best design either, as it gives too much flexibility and too many possibilities to misuse. PASETO tries to resolve these problems with a versioned protocol and by reducing the number of possible hashes/encryption methods.
Putting my pedant hat on: technically you can, using blacklists or swapping signing files; But that then negates the benefit of encapsulating a user “auth key” into a token because the server will have to do a database lookup anyway and by that point might as well be a traditional cookie backed session.
JWTs are useful when short lived for “server-less”/lambda api’s so they can authenticate the request and move along quickly but for more traditional things they can present more challenges than solutions.
Putting my pedant hat on: technically you can, using blacklists or swapping signing files; But that then negates the benefit of encapsulating a user “auth key” into a token because the server will have to do a database lookup anyway and by that point might as well be a traditional cookie backed session.
Yes, that was my point. It was just a mental shortcut: if you do that, then there is no difference between “good ol’” sessions and using JWT.
Except it is not exactly the same, since losing a blacklist database is not the same as losing a token database, for instance. The former will not invalidate all sessions but will re-enable old tokens. Which may not be that bad if the tokens are sufficiently short-lived.
Except “reissuing” old tokens has much less impact (at most your clients will be a little annoyed) than allowing leaked tokens to be valid again. If I were a client I would much prefer the former to the latter.
One of my major concerns with JWT’s is that retraction is a problem.
Suppose that I have the requirement that old authenticated sessions have to be remotely retractable, then how on earth would I make a certain JWT invalid without having to consult the database for “expired sessions”.
The JWT to be invalidated could still reside on the devices of certain users after it has been invalidated remotely.
The only way I could think of is making them so short-lived that they expire almost instantaneously. Like in a few minutes at most, which means that user-sessions will be terminated annoyingly fast as well.
If I can get nearly infinite sessions and instant retractions, I will gladly pay the price of hitting the database on each request.
JWT retraction can be handled in the same way that a traditional API token would be; you add it to a black list, or in the case of a JWT the “secret” that it’s signed against can be changed. However both solutions negate the advertised benefit of JWTs, or rather they negate the benefits I have seen JWTs advertised for: namely that it removes the need for session lookup on database.
I have used short lived JWTs for communicating with various stateless (server-less/lambda) api’s and for that purpose they work quite well; each endpoint has a certificate they can check the JWT validity with and having the users profile and permissions encapsulated means not needing a database connection to know what the user is allowed to do; a 60s validity period gives the request enough time to authenticate before the token expires while removing the need for retraction.
I think the problem with JWTs is that many people have attempted to use them as a solution for a problem already better solved by other things that have been around and battle tested for much longer.
However both solutions negate the advertised benefit of JWTs or rather they negate the benefits I have seen JWTs advertised for: namely that it removes the need for session lookup on database.
I think the problem with JWTs is that many people have attempted to use them as a solution for a problem already better solved by other things that have been around and battle tested for much longer.
This is exactly my main concern and also the single reason I haven’t used JWT’s anywhere yet.
I can imagine services where JWT’s would be useful, but I have yet to see or build one where some form of retraction wasn’t a requirement.
My usual go-to solution is to generate some 50-100 characters long string of gibberish and store that into a cookie on the user’s machine and a database table consisting of <user_uuid, token_string, expiration_timestamp> triples which is then joined with the table which contains user-data. Such queries are usually blazing fast and retraction then is a simple DELETE-query. Also: Scaling usually isn’t that big of a concern as most DBMS-systems tend to have the required features built-in already.
Usually, I also set up some scheduled event in the DBMS which deletes all expired tokens from that table periodically. Typically once per day at night, or when the amount of active users is low. It makes for a nice fallback just in case some programming bug inadvertently creeps in.
But I guess this was the original author’s point as well.
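The opaque-token scheme described in the comment above, written out as an added, runnable example (not code from the comment author): a random string goes into the cookie, a `sessions` table of `(user_uuid, token_string, expiration_timestamp)` rows is joined to `users` on every request, retraction is one `DELETE`, and a scheduled purge sweeps expired rows. It uses SQLite in memory so it runs offline; the table and column names follow the comment, and the one deviation is that the stored `token_string` is the SHA-256 of the cookie value rather than the raw value, so a read of the table alone does not yield usable sessions.

```python
"""Opaque session tokens in a database table, revocable with a single DELETE."""
import hashlib
import secrets
import sqlite3
import uuid

DEFAULT_TTL = 14 * 24 * 3600  # two-week sessions (constructed value)


def open_session_db() -> sqlite3.Connection:
    """Create the two tables from the comment; in-memory so the demo is self-contained."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (
            user_uuid    TEXT PRIMARY KEY,
            display_name TEXT NOT NULL
        );
        CREATE TABLE sessions (
            user_uuid            TEXT NOT NULL REFERENCES users(user_uuid),
            token_string         TEXT PRIMARY KEY,      -- sha256 of the cookie value
            expiration_timestamp INTEGER NOT NULL
        );
        CREATE INDEX sessions_expiry ON sessions(expiration_timestamp);
    """)
    return db


def _token_key(token: str) -> str:
    # Store only a hash: a dumped sessions table then cannot be replayed as cookies.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def create_user(db: sqlite3.Connection, display_name: str) -> str:
    user_uuid = str(uuid.uuid4())
    db.execute("INSERT INTO users VALUES (?, ?)", (user_uuid, display_name))
    return user_uuid


def issue_session(db: sqlite3.Connection, user_uuid: str, now: int,
                  ttl: int = DEFAULT_TTL) -> str:
    """Mint the cookie value: 48 random bytes, 64 url-safe characters."""
    token = secrets.token_urlsafe(48)
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)",
               (user_uuid, _token_key(token), now + ttl))
    return token


def lookup_session(db: sqlite3.Connection, token: str, now: int):
    """The per-request query: indexed lookup joined to users; None if absent or expired."""
    return db.execute(
        """SELECT u.user_uuid, u.display_name
             FROM sessions s JOIN users u ON u.user_uuid = s.user_uuid
            WHERE s.token_string = ? AND s.expiration_timestamp > ?""",
        (_token_key(token), now)).fetchone()


def revoke_session(db: sqlite3.Connection, token: str) -> bool:
    """Retraction is a single DELETE; True if a row was removed."""
    return db.execute("DELETE FROM sessions WHERE token_string = ?",
                      (_token_key(token),)).rowcount == 1


def revoke_all_for_user(db: sqlite3.Connection, user_uuid: str) -> int:
    """Log a user out everywhere (e.g. after a password change)."""
    return db.execute("DELETE FROM sessions WHERE user_uuid = ?", (user_uuid,)).rowcount


def purge_expired(db: sqlite3.Connection, now: int) -> int:
    """The nightly job: drop rows that lookup_session would already reject."""
    return db.execute("DELETE FROM sessions WHERE expiration_timestamp <= ?",
                      (now,)).rowcount


if __name__ == "__main__":
    db = open_session_db()
    alice = create_user(db, "alice")
    cookie = issue_session(db, alice, now=1_700_000_000)
    print("lookup:", lookup_session(db, cookie, 1_700_000_100))
    print("revoked:", revoke_session(db, cookie))
    print("after revoke:", lookup_session(db, cookie, 1_700_000_100))
```

The expiry check lives in the lookup query, so a row that the purge job has not yet swept is still rejected; the purge only keeps the table small.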
I’ve never done any work with JWTs so this might be a dumb question - but can’t you just put an expiration time into the JWT data itself, along with the session and/or user information? The user can’t alter the expiration time because presumably that would invalidate the signature, so as long as the timestamp is less than $(current_time) you’d be good to go? I’m sure I’m missing something obvious.
That’s not true. You just put a black mark next to it and every request after that will be denied - and it won’t be refreshed. Then you delete it once it expires.
That’s not true. You just put a black mark next to it and every request after that will be denied - and it won’t be refreshed. Then you delete it once it expires.
The problem with the black mark, is that you have to hit some sort of database to check for that black mark. By doing so, you invalidate the usefulness of JWT’s. That is one of OP’s main points.
Well, not necessarily. If you’re making requests often (e.g, every couple of seconds) and you can live with a short delay between logging out and the session being invalidated, you can set the timeout on the JWT to be ~30 seconds or so and only check the blacklist if the JWT is expired (and, if the session isn’t blacklisted, issue a new JWT). This can save a significant number of database requests for a chatty API (like you might find in a chat protocol).
But in that case, you’d be defeating their use as session tokens, because you are limited to very short sessions. You are just one hiccup of the network away from failure which also defeats their purpose. (which was another point of the OP).
I see how they can be useful in situations where you are making a lot of requests, but the point is that 99,9% of websites don’t do that.
For mobile apps that have safe storage for passwords, the retraction problem is solved via issuing refresh tokens (that live longer, like passwords in the password store of a mobile phone). The refresh tokens are then used to issue new authorization tokens periodically, and it is transparent to the user. You can reissue the authorization token using the refresh token every 15 minutes, for example.
For web browsers, using refresh tokens may or may not be a good idea. Refresh tokens are, from the security perspective, the same as ‘passwords’ (although temporary). So their storage within a web browser should follow the same policy as one would have for passwords.
So if using refresh tokens for your single page app, is not an option, then invalidating would have to happen during access control validation, on the backend. (Backend, still is responsible for access control, anyway, because it cannot be done on web clients, securely).
It is more expensive, and requires a form of distributed cache if you have a distributed backend that allows stateless, non-IP-bound distribution of requests…
For mobile apps, that have safe storage for passwords, the retraction problem is solved via issuing refresh tokens (that live longer, like passwords in password store of a mobile phone).
But then why use 2 tokens instead of a single one? It makes everything more complicated for the sake of the perceived simplification of not doing 1 DB request on each connection. Meh. And you can even use a cookie as in your web UI, so in the end it will make everything simpler as you do not need to use 2 separate auth systems in your app.
It makes everything more complicated for sake of perceived simplification of not doing 1 DB request on each connection.
This is not really, why 2 tokens are used (authentication token, and refresh token).
2 tokens are used to
a) allow fast expiration of an authentication request
b) prevent passing of actual user password through to the backend (it only needs to be passed when creating a refresh token).
This is a fairly standard practice though, not something I invented (it requires an API accessible, secure password store on user’s device ,which is why it is prevalent in mobile apps).
I also cannot see how a) and b) can be achieved with a single token.
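The two-token scheme argued for above, together with the earlier points about putting the expiry inside the signed payload and only touching server-side state when a short-lived token runs out, as an added example that is not code from any of the commenters. It is standard-library Python: an HS256 JWT with `exp` that is verified with no database access, a demonstration that editing `exp` breaks the signature, and a refresh-token store that is the only thing consulted when a new access token is needed and the only thing that needs revoking. The signing key, lifetimes and the user table are constructed demo values.

```python
"""Short-lived HS256 JWTs plus opaque refresh tokens, standard library only."""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo values: a real service loads the key from a secret store.
SIGNING_KEY = b"demo-signing-key-not-for-production"
ACCESS_TTL = 15 * 60            # access token lifetime: 15 minutes
REFRESH_TTL = 30 * 24 * 3600    # refresh token lifetime: 30 days


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """header.payload.signature, HMAC-SHA256 over the first two parts."""
    header = b64url_encode(_json({"alg": "HS256", "typ": "JWT"}))
    payload = b64url_encode(_json(claims))
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token: str, now: int, key: bytes = SIGNING_KEY):
    """Return the claims if signature and exp check out, else None. No database hit."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None                      # refuse "none" or any other algorithm
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None                      # edited claims or wrong key: signature fails
        claims = json.loads(b64url_decode(payload))
    except ValueError:                       # malformed base64, JSON or segment count
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None                          # expired, or exp missing
    return claims


def edit_claims_unsigned(token: str, changes: dict) -> str:
    """Re-encode the payload with changed claims but keep the old signature.
    Exists only to show that verify_jwt rejects the result."""
    header, payload, sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims.update(changes)
    return f"{header}.{b64url_encode(_json(claims))}.{sig}"


class TokenService:
    """Access JWTs are checked offline until exp; refresh tokens are random,
    stored hashed, and are the only revocable thing, so retraction takes
    effect within ACCESS_TTL without a lookup on every request."""

    def __init__(self, users: dict):
        self._users = users      # constructed table name -> password, demo only
        self._refresh = {}       # sha256(refresh token) -> (user, expires_at)

    @staticmethod
    def _key(refresh_token: str) -> str:
        return hashlib.sha256(refresh_token.encode()).hexdigest()

    def _issue_access(self, user: str, now: int) -> str:
        return sign_jwt({"sub": user, "iat": now, "exp": now + ACCESS_TTL})

    def login(self, user: str, password: str, now: int):
        """The only step that sees the password; returns (access_jwt, refresh_token)."""
        stored = self._users.get(user)
        if stored is None or not hmac.compare_digest(stored, password):
            return None
        refresh = secrets.token_urlsafe(32)
        self._refresh[self._key(refresh)] = (user, now + REFRESH_TTL)
        return self._issue_access(user, now), refresh

    def refresh(self, refresh_token: str, now: int):
        """Exchange a live refresh token for a new access JWT: one store lookup."""
        rec = self._refresh.get(self._key(refresh_token))
        if rec is None or rec[1] <= now:
            return None
        return self._issue_access(rec[0], now)

    def revoke(self, refresh_token: str) -> bool:
        """Remote retraction: the next refresh fails, so access ends within ACCESS_TTL."""
        return self._refresh.pop(self._key(refresh_token), None) is not None
```

The trade-off the thread circles around is visible in the numbers: with `ACCESS_TTL` at 15 minutes, a revoked user keeps access for at most that long, and the price is one store lookup per refresh rather than per request. Shrinking `ACCESS_TTL` toward the 30 to 60 seconds mentioned above tightens revocation at the cost of more refresh traffic.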
It seems to me that suggesting a command-line-only (unless I’m mistaken?) tool like Hugo is a complete non-starter for, I don’t know, at least 80% of the people who are posting on Medium. I appreciate your effort—and I’m also becoming more irritated by Medium every day—but I think that learning how to use the terminal is just too high of a hurdle for most people to bother with. If your intention was only to convince the kind of people who read Lobsters and know what it means that something is “written in Go,” then it’s fine, but I don’t think this site presents a viable solution for the rest of the users.
The fundamental problem, I think, is that in order for someone to own their digital identity in any meaningful way, they have to have (at a minimum) their own domain name, and even that is a significant technical hurdle—never mind the fact that it costs money. Maybe the most viable “indie” solution we have at this moment is to (1) guide people through the process of registering a domain and then (2) offer an easy-to-use, web-based blogging engine that people can point their DNS records to in order to get started with their own sites. The latter thing could be made cheap enough to host that some benevolent geek could just subsidize it. Even this, though, seems like so much more effort than Medium for the non-technical user.
Or, just point people to one of the many 1-click setup Wordpress hosting services. I know people like to hate PHP and Wordpress but it’s still better than Medium.
Totally agree. I know everyone would rail against this idea because it’s somebody else’s platform, but this is why I host my blog on wordpress.com - They handle the security, I just get the super ease of use and platform with the widest client support of any blogging platform anywhere, and a really nice mobile client.
Being database backed isn’t what makes Wordpress terrible.
However for a lot of sites, I think a SSG would be a better solution, even if that means they run a db backed CMS which then publishes content to a static location. The key thing with a SSG is that the rendered pages are static HTML. It’s incidental what the source format is - static files (eg markdown) is a common pattern but it could just as easily be a regular web app with a DB.
It seems to me that suggesting a command-line-only (unless I’m mistaken?) tool like Hugo is a complete non-starter for, I don’t know, at least 80% of the people who are posting on Medium.
The fundamental problem, I think, is that in order for someone to own their digital identity in any meaningful way, they have to have (at a minimum) their own domain name, and even that is a significant technical hurdle—never mind the fact that it costs money.
Glad to see these remarks already posted!
There’s still room IMO for blogging systems that live closer to WordPress on the Static-Site Gen <-> WYSIWYG CMS spectrum that are — crucially — easy to deploy on a basic LAMP stack. Make it as easy to post as on social media (Twitter / FB), with the admin part much more closely intertwined with the front-end, and you have a winner. (Would also love to know if there’s one already that fits the bill).
Do you know https://forestry.io ?
It seems to me that what they are doing is pretty close to what you describe.
(I am not affiliated in any way by the way).
Generally speaking I think the first generation of web property developers created a monster with the whole idea of “free but not really” websites. Medium is just one example.
Maybe some kind of future where ubiquitous Raspberry Pi like server infrastructure would enable wide scale publishing and data sharing, but we have a LONG LONG way to go before we can get there.
I suspect in the nearer term, something like having pods of friends collaborate at some small cost to them to make their offerings available could work, but expecting everyone to use a command line is certainly a non starter.
We techies need to keep reminding ourselves that the rest of the world is not us. They don’t care that Medium is slow, or that the paywall violates our tender sensibilities. They want to accomplish something and want the shortest path to getting there. Full stop.
And I wouldn’t, since encrypted content on IPFS would be exposed to everyone and brute-forced eventually if anyone cared (once the cipher is broken in the future, etc)
This is kind of my worry with IPFS. I wanted to have a “private” thing where I could also share with my family in a mostly-secure way (essentially, least chance of leaking everything to the whole world while still being able to access my legitimately-acquired music collection without having to ssh home). Turns out that’s not simple to set up.
You just have to add encryption on before transmission. IPFS is kind of a low level thing (Like how you won’t find any encryption in TCP because that comes later), It really needs good apps built on top to be useful.
IPFS is a better bittorrent, which is designed to work very well as a replacement for the public web. Private sharing has different requirements – I use syncthing for a similar semantic in private.
IPFS is basically just a big torrent swarm. Doing that “copyrighted content scan” thing on the bittorrent DHT is already possible (and I’m pretty sure that’s how they send those notices already)
I grew up in a restaurant and spent some time working as a bus boy. It really grinds my gears when you go out for a meal with a coworker and they complain about the service. “How hard could it be to get my order right?” Why don’t you work in a restaurant for a couple years and find out! Or when people assume scaling a restaurant is as easy as adding a load balancer and a couple more servers (pun not intended, but appreciated).
Some people have never worked in the service industry and it really shows.
I resonate really hard with this, I’ve come back several times to try to write a reply that isn’t a whole rant about people in tech but:
I’ve done a bunch of not so sexy jobs (legal and not so much, I’ll leave those out): retail, restaurants in various positions, and I was even one of those street fundraisers for the children (where I was subject to physical violence and the company’s reaction was “it comes with the job”). Now I work tech full time, and I’m a deckhand when I’m not doing that.
My perspective is shaped by a couple things, I think:
Being born to teenage parents who worked similar jobs and struggled for a long time
The fact that they “raised me right” – if I talked to / treated anyone the way I’ve seen some folks I’ve met in this industry do to service workers / people they seem to consider as “below them”, they wouldn’t be having any of it
Actually working the jobs and being subject to the awful treatment by both customers and management
The thing is, though, is that I really don’t think you should have to go through any of this in order to just not be a jerk to people…I really don’t know what the disconnect is. The most difficult customers I’ve had (at previous jobs and on the boat) have typically been the ones that seem the most privileged. When it comes to restaurants, the cheapest ones (in terms of tipping) were similarly the people that would come in and order hundreds of dollars worth of food and then leave little to no tip (I’m not here to debate tipping culture, it is what it is here at this point).
I’ve had situations where I take people to a place where I’m cool with the staff and someone picks up the tab (for which I’m appreciative) but then they are rude / pushy / skimp out on the tip, which is really embarrassing to say the least (I don’t hesitate to call people out but I feel like … I shouldn’t have to?)
The boat I work on is in the bay area and so we get a lot of tech people, and a couple of things stand out:
I don’t really know how some of the most intelligent people can be so dumb (literally all you need to do is follow directions)
They talk down to us (the crew trying to put them on fish and, for what it’s worth, keep them alive – won’t get into that here), and when you ask them not to do something for safety or you try to correct something they’re doing wrong, they get an attitude. I want to emphasize, not everyone, but enough to make you stop and ask why.
When they find out that I also work in tech (you talk to people since you’re with them for 8+ hours), the reaction is typically one of “why do you need to be doing THIS?”. Sidenote – the most hilarious thing that I enjoy doing is dropping into a technical conversation (a lot of people come on with their coworkers) and having people be like “wtf how does the deckhand know about any of this?”
They don’t tip … lol … or they stiff us for fish cleaning which we are upfront is a secondary service provided for a fee.
It’s not everyone, but I get a pretty decent sample size given the population here. The plus side of working on the boat (vs a restaurant or retail) is that if someone starts being a major a-hole the captain doesn’t mind if we stand up for ourselves (encourages it, even)
It’s not everyone of course, but it’s enough to make you wonder.
Yeah, exactly. Or, we have a saying: “you can tell who’s never pushed a broom in their life”.
That was more of a rant than I wanted to get into but since I’m here it was kind of cathartic. I really just wish people would stop and think about the human on the other end. Of course it’s not just tech people that do things like this, but … yeah.
I worked in eDiscovery for a while (~3 years) so I have a sense of legal. It’s very stratified and stressful. I remember going to bed at 2 AM and waking up at 5 AM to make sure that a production was ready for opposing counsel. Not ideal…
By contrast, my father was 39 when he had me. However, he had a hard life. He grew up in Francoist Spain. (One of the few memories of my grandfather was when he told me “La hambre es miseria. La hambre es miseria.” (Hunger is misery. Hunger is misery.)) My father was a Spanish refugee in France at age 9. He didn’t complete high school. Instead, he did an apprenticeship in a French restaurant where the chefs beat him. He worked 16 hour days for a long time.
Absolutely. My father always said that everyone was welcome at his restaurant, regardless of what they were wearing. It’s important to respect everyone.
Inter-generational trauma is a real thing. I’m doing okay, but my brothers didn’t fare so well. (A topic for a more one on one conversation.) I hope you are okay. <3
Edit: this has really thrown me through a loop. I don’t mean to be dramatic and I know this is a public forum, but I’m sure there are more people posting than responding. If it means anything to anyone then it’s more important to say so than to be stoic. I hope you are all doing okay.
Heh, sorry I meant legal vs not-so-legal in the legality sense, but in any case wow that sounds dreadful!
I appreciate your kind words and you sharing your story, and I’m glad you’re doing okay. I’m also sorry to hear about your brothers, similar thing is true for some of my siblings…kind of weird how that works.
Thank you for sharing this.
I meant to write “more people reading than responding” above, but I’m out of the edit window.
There is a theory in some circles that states that having money enables people to not have to care about other human beings. With money you can feel like you provide for all your needs by just buying stuff and services. If you don’t have so much money, you need to compensate by trying to build mutual understanding. That leads to being more empathic. You also need to respond to or even anticipate the needs of people who give you money. Which also leads to some kind of asymmetric empathy (similar to impostor syndrome). Also there may be the fact that some people are attracted to tech because they feel they are more gifted with machines than with people. So maybe some form of selection bias here too.
I like to remind my team something that I was once told: “Remember, this work lets us have soft hands.”
Always reminds me of that scene in Trading Places (the “soft hands” part is cut off at the beginning).
Well put. I sometimes ask myself, “How many people are living miserable lives so that I can sit in a cushy chair and think about interesting problems?”
How many people’s misery could you alleviate by switching to a different job and how would that happen?
Well, I’ve worked in the oil and gas industry, so I helped keep lots of people’s heat working in the winter, including my own. At the cost of making the world incrementally more fucked though, so that one’s a net negative. I’ve done a fair amount of teaching, so I helped share skills that were useful for people. I’ve worked datacenter tech support, so I helped lots of people keep their online businesses working. So there’s that.
If I really wanted to make the world a better place, I would either work for something like Habitat For Humanity and build houses, or I would get a PhD in nuclear physics or material science and try to make better nuclear/solar energy sources. Or become a teacher, natch, but my sister and both parents are teachers so I feel like I have to break the family mold. Could always do what my grandmother did and become a social worker. Or go into politics, because someone with a brain stem has to, but I’ve had enough brushes with administration to know that I will burn myself out and be of no use to anyone.
Right now I work in robotics doing R&D for autonomous drones, so I’ll hopefully make peoples’ lives better somewhere, someday down the line. Nothing as good as what Zipline does, but on a similar axis – one of my most fun projects was basically Zipline except for the US Army, so it was 10x more expensive and 0.25x as good.
…do people not normally think about this sort of thing?
Interesting, that’s not the way I interpreted cole-k’s comment!
…how did you interpret it?
That there are people supporting cole-k’s job (I don’t know who, maybe car mechanics, cafeteria workers, janitors?) whose work is required for cole-k’s job to be possible, but who are necessarily miserable in their jobs.
Yeah, and I’ve done at least a moderate share of supporting them back one way or another, within the bounds of my aptitudes, skills, and how selfish I’m willing to be – and honestly I’m pretty selfish, ngl. Sometimes I’ve done it directly by serving them back, more often indirectly by trying to do things that Benefit Everyone A Bit. All I can do is keep trying. We’re all in this together.
This should not be controversial, and sometimes I wish I had a button to teleport some of my colleagues where I used to work in Africa to recalibrate their sense of what “hard” means.
This is so true. I try to remind myself of this as much as I can, but as I did not experience minimum wage work myself it can be hard to be fully aware of this situation. Maybe we should try for the condition of everybody to improve. I fear that by insisting a lot on the good conditions we have in the tech industry it would only encourage a degradation of those conditions, unfortunately. Tactically, I wonder if we should not focus on the commonalities of the issues we face across all the different types of jobs.
I also paid for college and university working in a large hotel kitchen and then dining room. At the time in the front of the house I could earn enough in tips over a summer to cover a year of state school tuition plus room and board. I’d go back on holidays and long weekends to make the rest of my expenses. It was hard work, long hours, and disrespected in all kinds of ways. Once in a while there was violence or the threat of violence. But it beat doing landscaping or oil changes and tires. There were a number of us who were using it as a stepping stone, one guy from Colombia worked until he saved up enough to go back home and buy a multi-unit building so he and his parents could live in it and be landlords, get a used BMW for himself, and finish his education. His motivation, and taking extra shifts, made mine look weak and I was highly motivated.
I remind myself of that time when I’m frustrated at my desk.
Colombia, or do you mean he was studying at Columbia?
Typo. Fixing.
This I think was one of Bryan Caplan’s arguments about open borders.
In addition to the moral issue that no-one has the right to curtail the free movement of others[1], there is solid empirical evidence that not only do immigrants enrich the countries they emigrate to (i.e. contribute more on average than locals), they often also help lift their home countries out of poverty by doing exactly what your Colombian friend did.
Edited to add: here’s his address on the topic of poverty: https://www.youtube.com/watch?v=K77cGFU36rM
[1] One frequently occurring example of hypocrisy on the matter of travel: people who simultaneously rail against any attempt by their own Government to control their movement (passports, papers, ID, etc.), but also complain loudly about people crossing the border into “their” country and demand the Government build a wall, metaphorically or literally.
Work doesn’t have to be fun. It can be work and it can be just, well, fine. Learning doesn’t have to be fun. I recently learned some stuff about woodworking. It was not fun. It wasn’t unpleasant either. It was fine.
The insistence that others have some specific experience while working is something we must collectively stop doing. People should not be miserable at work but they also should not feel like they are failing if they aren’t having fun or that management is failing if the employees aren’t having fun.
To require that work instill some particular mental state and particular feeling is kinda weird to me.
And to me, foisting this “mob programming” nonsense and gamification stuff on people is truly dystopian. I often do my best work in deep thought, alone. It can help to bounce ideas off someone, but seriously, mob programming? That just results in quality that the lowest common denominator could put in. And gamification feels downright manipulative (like the “stars and badges” bullshit that GitHub puts in to increase “engagement”).
I agree with your point on deep thought. I see it more as complementary to mob. As with the group you can confront your deep thought with those of others and get even better thought.
I also agree that there is some trend in the “gamification” movement that feels quite manipulative. It does make me uneasy too. There are also some techniques that come from neuroscience that could be qualified as some sort of gamification but do not feel manipulative to me. It just leverages some properties of the human mind.
Fair enough. But keep in mind that this gamification would be done by the employer, where there’s a strong power imbalance. Anything done that could be construed as manipulative will be seen as such by at least some people, and that’s not a good look for an employer either.
Yes, people would be absolutely right to be wary of this kind of move. I can imagine some set-up in some healthy organizations where this kind of idea could be implemented by employees themselves. Given they have enough autonomy to do so and psychological safety and so on.
What I am trying to say, is not that it would be required. Just that it helps if you can. And it would help our bosses too. I do not want to inflict guilt on people that do not feel that way. I certainly do not feel that way quite often.
A career counselor I once spoke with said she suggests people consider these four factors when evaluating work:
The amount of each one you are missing will generally decrease your engagement.
I think this article touches on values (learning) and interests (games/learning), but leaves out other things. There are many people who value stability over learning and will be amazingly engaged without that aspect.
I would go at it from a different direction. Are you disengaged with work? Maybe you should consider your largest interests, skills, values, and personality traits and find a job that fits it, or learn to engage with your current job because of those things. “I really love my job because I can trust that I will be able to get a new one in this industry with the experience I am gaining. It gives my family stability and I highly value that over interesting or easy work. I probably wouldn’t do this when I retire, but I think I have more of a chance of retiring if I stay in this industry.” That person may be more engaged than anyone else.
This is one of the big things about the gamification movement, it only deals with interests and maybe personality.
Thanks so much for the feedback! I find it very interesting. It broadens my point of view on the subject. I think I totally agree with you. I am not sure what you mean by your third point about skills? People are not engaged if they are not skilled for their task? I would answer that the idea of the article is that, all other things being equal, we should encourage people to feel a little more joy in their work. And it is in the interest of the people signing the pay check too. Maybe it did not come through very well in my writing. The exercise is a bit new to me and I am not a native English speaker.
Yep, I don’t know if this model of satisfying work is better than yours. It may be overcomplicated for what most folks want.
For point 3, if you were interested in your job’s field, felt like it was doing really good things in the world, and it fit your personality, you would still have a problem if you didn’t know how to do it well. I think your model actually touches on this with learning. An example for me is when I really started using vi for more than simple single pane text editing, it really helped large parts of my job feel more satisfying. I wasn’t fighting with expressing myself because I had developed a skill.
There are some vocational education systems out there that just focus on the skills area. You need to know X, Y, and Z to be a petroleum engineer. You learn that at a university. You apply that for the next 30 years with a little mentoring and continuing education thrown in there. But generally, you need to know 90% of what is taught in university or else you’re not going to have fun at that type of job.
A big factor many juniors don’t see is sometimes it’s not you, but your team/company. It can do wonders to be in an environment where thoughtfulness & mental health are respected.
In my experience, the most motivating way to learn is gaining the confidence to believe you can learn & be great at your job. Unfortunately, unless you already have that, it’ll be really hard among the wrong team.
I cannot agree more! If only more people running companies could see it is also very well in their best interest!
I constantly have imposter syndrome, always have. It doesn’t help that the rest of my team is really smart.
I have it too. Also surrounded by very smart people! I feel that being self taught at programming played a role in having impostor syndrome too. And now I wonder if this is not a hint our mind tries to give us that we should help each other learn more things in the trade?
While this certainly fits with my experience, what about people who don’t get joy from programming, don’t want to learn new stuff, don’t find the puzzle fun?
Maybe they are in the wrong industry, I don’t think anyone is happy at a job that sucks the fun out of life
I’m not sure people are in general expected to be happy in their job? So long as it pays the bills?
I find it hard to imagine a professional football player that doesn’t or at least didn’t for a substantial amount of time in the past like playing football. I also can’t do the same for an influential physics professor. I’m willing to believe that not all jobs are equal in this sense. I have a burning passion for programming and I still have to push myself hard in order to endure the mental pain of trying to align a hundred stars and solve difficult programming challenges. I can’t imagine how one could motivate oneself to suffer that 8 hours a day without feeling the kind of joy that comes with finding the solution.
It’s hard to describe this to non-programmers, but I believe I have the right audience here. Programming is a very stressful job. Not stressful like a surgeon or a stock broker who get stressed due to what’s at stake, but stressful because you have to push yourself to your limits to turn your brain into a domain specific problem solving apparatus and find the solution.
BTW, I know that there are a lot of programming jobs out there which don’t resemble what I’m describing here at all, but I know that there are jobs like this too, but we don’t have a different name for them.
There is so much programming out there where you do some boring crud service on some db or where you assemble 4 different json blobs in a different format and pass it to the next microservice or cloud endpoint. That’s not truly exciting or challenging.
I know that and I respect those jobs and programmers, but as I’ve mentioned some programming jobs require constant puzzle solving and creativity. I think my comment would be more agreeable if I said “compiler engineer” or “game AI engineer” or “database engineer”, but I don’t know of any term that can be used about those jobs collectively. Maybe we need a term like “R&D programmer” or maybe I should just have said “R&D engineer” and decoupled my point from programming per se.
I think most people strive for being happy in their jobs, but yes the main factor for having one is to not starve or be homeless
I’ve seen clock-in clock-out devs who didn’t give a shit about anything they did. Took no joy nor pride in their work. They were government contractors and so they did the absolute least possible (and least quality) that the gov asked for and would accept, and no more. They didn’t seem to care about what they got personally out of their jobs, they seemed to think it was normal. Drove me nuts, quit the company in 6 months.
I had the exact same experience with some additional slogging through warehouses (cutting cardboard; I wish I were joking) and testing security hardware while waiting for a security clearance shortly after OPM got hacked (~6 months to get the clearance). Then to finally be surrounded by people warming their chairs, I couldn’t stand it. I understand the need to have stability in your job but pride is also important, at least to me.
It depends on why you do it. Let’s not forget that programming is a very well paid profession. Maybe you use the good salary to finance the life-style you want to have (buy a house/apartment, have kids, maybe expensive hobbies). I can certainly imagine a more fun place to work than my current job, but the pay is very good. Therefore I stay because it enables my family and me to have the life we want.
Thanks, those are very interesting points. Indeed, I think there are a lot of reasons to take the job besides fun and this is very respectable. On the other hand, I would state that people having fun doing it get a better chance at performing and improving their skills in the long run.
That is interestingly quite controversial in the research and we have solid data pointing to both.
Note also that not having fun does not equate to sucking your soul out of you.
Being meh about a job is ok. That is the case of nearly everyone.
Thanks so much for the reply! It would be so nice if you could point me to some of this research!
Pretty much liked it, tho it lost me at “…introducing other humans to the game”.
Thanks for the feedback. It would be very interesting to me to understand why I lost you? Did you not agree with the point? Or maybe it was not so clear? I was trying to touch on pair/ensemble programming techniques and offer another point of view about why they can be interesting practices.
In my (fairly limited) experience doing pair programming, you need the right tools to be able to actually enjoy doing it. A while ago we pair programmed some Unreal Engine Blueprints with a coworker and it was terribly boring, because one of us was just looking at the other’s screen and the other one was throwing in suggestions on what to do, what could be the bug, etc. My experience as the person looking was that I was just tired and bored of looking at them not doing what I wanted to try. The coworker felt the same when we did it the other way (ie. when I was doing the programming and they were the one looking.)
I’m sure pair programming can be fun with tools that make it more like playing a multiplayer game (where each one of us has authority over their actions and we can work independently,) but screen sharing does not work like this and unfortunately most editors we use at work do not have a “multiplayer mode” like that.
I agree you need good tooling. You can also do with some changes in the practices. For instance a simple “hack” to avoid feeling what you describe in your experience is to switch keyboard regularly (every 5 or 10 minutes). That can change the dynamic of the session as you are periodically more engaged. Also being more than two changes the dynamic of the conversation a lot.
I’m not sure I understand what you mean by “switching keyboards.” We do the pair sessions remotely so switching places with the coworker isn’t possible, and shuttling files between each other would be quite a nightmare due to exclusive checkout (Unreal Blueprints are binary files and only one person can be editing them at a time, this is a restriction imposed at the VCS level) unless you literally mean unplugging my current keyboard and switching to a different one every 10 minutes?
Ah ah, not unplugging the keyboard, no. Sorry, I was not aware of the specifics of Unreal Blueprints. What I meant was switching the driver and navigator roles that are common in pairs. The driver being the one actually typing and the navigator the one indicating the next change to implement. Even if you have restrictions with your tooling maybe you can go around this issue by doing very small changes (micro-commits?). Sorry, I am not sure; I do not know much about your set-up.
In my opinion, when you introduce some kind of human aspect in programming, it becomes more a social activity and less technical. I like to focus on the technical side, it gives me the feeling of flow and success. Dealing with people is hard for me (you may have guessed, I’m not the sociable type) therefore I don’t like it.
Another thing is: https://lobste.rs/s/yrc59x/allergic_waiting :) Sometimes even my hands are struggling to keep up with my thoughts. I can’t demand that (not even near) from another human being. So I expect to be held back.
I’ve been thinking about this a lot lately. I really don’t like the web from a technological perspective, both as a user and as a developer. It’s completely outgrown its intended use-case, and with that has brought a ton of compounding issues. The trouble is that the web is usually the lowest-common-denominator platform because it works on many different systems and devices.
A good website (in the original sense of the word) is a really nice experience, right out of the box. It’s easy for the author to create (especially with a good static site generator), easy for nearly anyone to consume, doesn’t require a lot of resources, and can be made easily compatible with user-provided stylesheets and reader views. The back button works! Scrolling works!
Where that breaks down is with web applications. Are server-rendered pages better than client-rendered pages? That’s a question that’s asked pretty frequently. You get a lot of nice functionality for free with server-side rendering, like a functioning back button. However, the web was intended to be a completely stateless protocol, and web apps (with things like session cookies) are kind of just a hack on top of that. The experience of using a good web app without JavaScript can be a bit of a pain with many different use cases (for example, upvoting on sites like this: you don’t want to force a page refresh, potentially losing the user’s place on the page). Security is difficult to get right when the server manages state.
I’ll argue, if we’re trying to avoid the web, that client-side rendering (single-page apps) can be better. They’re more like native programs in that the client manages the state. The backend is simpler (and can be the backend for a mobile app without changing any code). The frontend is way more complex, but it functions similarly to a native app. I’ll concede a poorly-built SPA is usually a more painful experience than a poorly-built SSR app, but I think SPAs are the only way to bring the web even close to the standard set by real native programs.
Of course, the JavaScript ecosystem can be a mess, and it’s often a breath of fresh air to use a site like Sourcehut instead of ten megs of JS. The jury’s still out as to which approach is better for all parties.
Some of the UI benefits of SPA are really nice tbh. Reddit for example will have a notification icon that doesn’t update unless you refresh the page, which can be annoying. It’s nice when websites can display the current state of things without having to refresh.
I can’t find the video, but the desire for eliminating stale UI (like outdated notifications) in Facebook was one of the reasons React was created in the first place. There just doesn’t seem to be a way to do things like that with static, js-free pages.
I never thought about that before, but to me that’s a really appealing point to having a full-featured frontend design. I’ve noticed some projects with the server-client model where the client-side was using Vue/React, and they were able to easily make an Android app by just porting the server.
I think as always it depends. In my mind there are some obvious choices for obvious usecases. Blogs work great as just static html files with some styling. Anything that really benefits from being dynamic (“reactive” I think is the term webdevs use) confers nice UI/UX benefits to the user with more client-side rendering.
I think the average user probably doesn’t care about the stack and the “bloat”, so it’s probably the case that client-side rendering will remain popular anytime it improves the UI/UX, even if it may not be necessary (plus cargo-culting lol). One could take it to an extreme and say that you can have something like Facebook without any javascript, but would people enjoy that? I don’t think so.
But you don’t need to have a SPA to have notifications without refresh. You just need a small dynamic part of the page, which will degrade gracefully when JavaScript is disabled.
Claim: Most sites are mostly static content. For example, AirBNB or Grubhub. Those sites could be way faster than they are now if they were architected differently. Only when you check out do you need anything resembling an “app”. The browsing and searching is better done with a “document” model IMO.
Ditto for YouTube… I think it used to be more a document model, but now it’s more like an app. And it’s gotten a lot slower, which I don’t think is a coincidence. Netflix is a more obvious example – it’s crazy slow.
To address the OP: for Sourcehut/Github, I would say everything except the PR review system could use the document model. Navigating code and adding comments is arguably an app.
On the other hand, there are things that are and should be apps: Google Maps, Docs, Sheets.
edit: Yeah now that I check, YouTube does the infinite scroll thing, which is slow and annoying IMO (e.g. breaks bookmarking). Ditto for AirBNB.
I’m glad to see some interesting ideas in the comments about achieving the dynamism without the bloat. A bit of Cunningham’s law in effect ;). It’s probably not easy to get such suggestions elsewhere since all I hear about is the hype of all the fancy frontend frameworks and what they can achieve.
Yeah SPA is a pretty new thing that seems to be taking up a lot of space in the conversation. Here’s another way to think about it.
There are three ways to manage state in a web app:
As you point out, #1 isn’t viable anymore because users need more features, so we’re left with a choice between #2 and #3.
We used to do #2 for a long time, but #3 became popular in the last few years.
I get why! #2 is legitimately harder – you have to decide where to manage your state, and managing state in two places is asking for bugs. It was never clear if those apps should work offline, etc.
But somehow #3 doesn’t seem to have worked out in practice. Surprisingly, hitting the network can be faster than rendering in the browser, especially when there’s a tower of abstractions on top of the browser. Unfortunately I don’t have references at the moment (help appreciated from other readers :) )
I wonder if we can make a hybrid web framework for #2. I have seen a few efforts in that direction but they don’t seem to be popular.
edit: here are some links, not sure if they are the best references:
https://news.ycombinator.com/item?id=13315444
https://adamsilver.io/articles/the-disadvantages-of-single-page-applications/
Oh yeah I think this is what I was thinking of. Especially on Mobile phones, SPA can be slower than hitting the network! The code to render a page is often bigger than the page itself! And it may or may not be amortized depending on the app’s usage pattern.
https://medium.com/@addyosmani/the-cost-of-javascript-in-2018-7d8950fbb5d4
https://news.ycombinator.com/item?id=17682378
https://v8.dev/blog/cost-of-javascript-2019
https://news.ycombinator.com/item?id=20317736
A good example of #2 is Ur/Web. Pages are rendered server-side using templates which look very similar to JSX (but without the custom uppercase components part) and similarly desugar to simple function calls. Then at any point in the page you can add a dyn tag, which takes a function returning a fragment of HTML (using the same language as the server-side part, and in some cases even the same functions!) that will be run every time one of the “signals” it subscribes to is triggered. A signal could be triggered from inside an onclick handler, or even from an event happening on the server. This list of demos does a pretty good job at showing what you can do with it. So most of the page is rendered on the server and will display even with JS off, and only the parts that need to be dynamic will be handled by JS, with almost no plumbing required to pass around the state: you just need to subscribe to a signal inside your dyn tag, and every time the value inside changes it will be re-rendered automatically.
Thanks a lot for all the info, really helpful stuff.
This link may interest you as well: https://medium.com/@cramforce/designing-very-large-javascript-applications-6e013a3291a3
On the other hand, it can be annoying when things update without a refresh, distracting you from what you were reading. Different strokes for different folks. Luckily it’s possible to fulfill both preferences, by degrading gracefully when JS is disabled.
The average user does care that browsing the web drains their battery, or that they have to upgrade their computer every few years in order to avoid lag on common websites. I agree that we will continue to see the expansion of heavy client-side rendering, even in cases where it does not benefit the user, because it benefits the companies that control the web.
Is this old reddit or new reddit? The new one is sort of SPA and I recall it updating without refresh.
Old reddit definitely has the issue I described, not sure about the newer design. If the new reddit doesn’t have that issue, that aligns with my experience of it being bloated and slow to load.
There are lots of ways to do this. Here’s two:
I would’ve thought the exact opposite. Can you explain?
In the case where you have lots of buttons like that isn’t loading multiple completely separate doms and then reloading one or more of them somewhat worse than just using a tiny bit of js? I try to use as little as possible but I think that kind of dynamic interaction is the use case js originally was made for.
Worse? Well, iframes are faster (marginally), but yes I’d probably use JavaScript too.
I think most NoScript users will download tarballs and run ./configure && make -j6 without checking anything, so I’m not sure why anyone wants to turn off JavaScript anyway, except for maybe because adblockers aren’t perfect.
That being said, I use NoScript…
I’m not sure if this would work, but an interesting idea would be to use checkboxes that restyle when checked, and by loading a background image with a query or fragment part, the server is notified of which story is upvoted.
That’d require using GET, which might be harder to prevent accidental upvotes. Could possibly devise something though.
One thing I really miss with SPA’s (when used as apps), aside from performance, is the slightly more consistent UI/UX/HI that you generally get with desktop apps. Most major OS vendors, and most oss desktop toolkits, at least have some level of uniformity of expectation. Things like: there is a general style for most buttons and menu styles, there are some common effects (fade, transparency), scrolling behavior is more uniform.
With SPAs… well, good luck! Not only is it often browser dependent, but matrixed with a myriad JS frameworks, conventions, and render/load performance on top of it. I guess the web is certainly exciting, if nothing else!
I consider the “intended use-case” argument a bit weak, since for the last 20 years web developers, browser architects and our tech overlords have been working on making it work for applications (and data collection), and to be honest it does so most of the time. They can easily blame the annoyances like pop-ups and cookie-banners on regulations and people who use ad blockers, but from a non technical perspective, it’s a functional system. Of course when you take a look underneath, it’s a mess, and we’re inclined to say that these aren’t real websites, when it’s the incompetence of our operating systems that has created the need to off-load these applications to a higher level of abstraction – something had to do it – and the web was just flexible enough to take on that job.
You’re implying it’s Unix’s fault that the web is a mess but no other OS solved the problem either? Perhaps you would say that Plan 9 attempted to solve part of it, but that would only show that the web being what it is today isn’t solely down to lack of OS features.
I’d argue that rather than being a mess due to the incompetence of the OS, it’s a mess due to the incremental adoption of different technologies for pragmatic reasons. It seems to be this way sadly: even if Plan 9 was a better Unix from a purely technological standpoint, Unix was already so widespread that it wasn’t worth putting the effort in to switch to something marginally better.
No, I don’t think Plan 9 would have fixed things. It’s still fundamentally focused on text processing, rather than hypertext and universal linkability between objects and systems – ie the fundamental abstractions of an OS rather than just its features. Looking at what the web developed tells us what needs were unformulated and ultimately ignored by OS development initiatives, or rather set aside for their own in-group goals (Unix was a research OS after all). It’s most improbable that anyone could have foreseen what developments would take place, and even more that anyone will be able to fix them now.
From reading the question of the interviewer I get the feeling that it’s easy for non technical users to create a website using wordpress. Adding many plugins most likely leads to a lot of bloaty JavaScript and CSS.
I would argue that it’s a good thing that non technical users can easily create a website, but the tooling to create it isn’t ideal. For many users a wysiwyg editor which generates a static html page would be fine, but such a tool does not seem to exist or isn’t known.
So I really see this as a tooling/solution problem, which isn’t for users to solve but for developers to create an excellent wordpress alternative.
I am not affiliated with this in any way but I know of https://forestry.io/ which looks like what you describe. I find their approach quite interesting.
If a user clicks a particular upvote button, you should know where on that page it is located, and can use a page anchor in your response to send them back to it.
It’s not perfectly seamless, sadly, and it’s possible to set up your reverse proxy incorrectly enough to break applications relying on various http headers to get exactly the right page back.
Well, some of us are in this category (as the article points out):
so JWT is not that bad. Plus, it is refreshing to visit a website that says ‘there are no cookies here’… in their privacy policy.
The EU “Cookie Law” applies to all methods of identification — cookies, local storage, JWT, parameters in the URL, even canvas fingerprinting. So it shouldn’t have any effect on the privacy policy whatsoever.
You still can use sessions with cookies, especially with SPAs. Unless the JWT token is stateless and short lived you should not use it. Also JWT isn’t the best design either as it gives too much flexibility and too many possibilities to misuse. PASETO tries to resolve these problems with a versioned protocol and by reducing the number of possible hashes/encryption methods.
Why shouldn’t you use long lived JWTs with a single page application?
Because you cannot invalidate that token.
Putting my pedant hat on: technically you can, using blacklists or swapping signing files; but that then negates the benefit of encapsulating a user “auth key” into a token because the server will have to do a database lookup anyway, and by that point it might as well be a traditional cookie backed session.
JWTs are useful when short lived for “server-less”/lambda APIs so they can authenticate the request and move along quickly, but for more traditional things they can present more challenges than solutions.
Yes, that was my point. It was just a mental shortcut: if you do that, then there is no difference between “good ol’” sessions and using JWT.
Simple flow chart.
Except it is not exactly the same since losing a blacklist database is not the same as losing a token database, for instance. The former will not invalidate all sessions but will re-enable old tokens. Which may not be that bad if the tokens are sufficiently short-lived.
Except “reissuing” old tokens has much less impact (at most your clients will be a little annoyed) than allowing leaked tokens to be valid again. If I were a client I would much prefer the former to the latter.
One of my major concerns with JWTs is that retraction is a problem.
Suppose that I have the requirement that old authenticated sessions have to be remotely retractable, then how on earth would I make a certain JWT invalid without having to consult the database for “expired sessions”.
The JWT to be invalidated could still reside on the devices of certain users after it has been invalidated remotely.
The only way I could think of is making them so short-lived that they expire almost instantaneously. Like in a few minutes at most, which means that user-sessions will be terminated annoyingly fast as well.
If I can get nearly infinite sessions and instant retractions, I will gladly pay the price of hitting the database on each request.
JWT retraction can be handled in the same way that a traditional API token would be; you add it to a black list, or in the case of a JWT the “secret” that it’s signed against can be changed. However both solutions negate the advertised benefit of JWTs, or rather they negate the benefits I have seen JWTs advertised for: namely that it removes the need for a session lookup in the database.
I have used short lived JWTs for communicating with various stateless (server-less/lambda) APIs and for that purpose they work quite well; each endpoint has a certificate they can check the JWT validity with, and having the user’s profile and permissions encapsulated means not needing a database connection to know what the user is allowed to do; a 60s validity period gives the request enough time to authenticate before the token expires while removing the need for retraction.
I think the problem with JWTs is that many people have attempted to use them as a solution for a problem already better solved by other things that have been around and battle tested for much longer.
This is exactly my main concern and also the single reason I haven’t used JWTs anywhere yet. I can imagine services where JWTs would be useful, but I have yet to see or build one where some form of retraction wasn’t a requirement.
My usual go-to solution is to generate some 50-100 characters long string of gibberish and store that into a cookie on the user’s machine and a database table consisting of <user_uuid, token_string, expiration_timestamp> triples which is then joined with the table which contains user-data. Such queries are usually blazing fast and retraction then is a simple DELETE-query. Also: Scaling usually isn’t that big of a concern as most DBMS-systems tend to have the required features built-in already.
Usually, I also set up some scheduled event in the DBMS which deletes all expired tokens from that table periodically. Typically once per day at night, or when the amount of active users is low. It makes for a nice fallback just in case some programming bug inadvertently creeps in.
But I guess this was the original author’s point as well.
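The opaque-token session store described in the comment above, as an added example that is not from any commenter; it uses an in-memory sqlite database with the <user_uuid, token_string, expiration_timestamp> triple table, and the table names, lifetime and sample user are constructed for the demo:

```python
import secrets
import sqlite3
from typing import Optional

TOKEN_BYTES = 48              # 48 random bytes -> 64 URL-safe chars, inside the 50-100 range
SESSION_TTL = 7 * 24 * 3600   # constructed session lifetime: one week, in seconds


def open_db() -> sqlite3.Connection:
    """Constructed schema: a users table plus the session triple table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(uuid TEXT PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE sessions(
            user_uuid            TEXT NOT NULL REFERENCES users(uuid),
            token_string         TEXT PRIMARY KEY,
            expiration_timestamp INTEGER NOT NULL);
        CREATE INDEX sessions_by_expiry ON sessions(expiration_timestamp);
    """)
    return db


def login(db: sqlite3.Connection, user_uuid: str, now: int) -> str:
    """Mint an unguessable random token, store the triple, return it for the cookie."""
    token = secrets.token_urlsafe(TOKEN_BYTES)
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)",
               (user_uuid, token, now + SESSION_TTL))
    return token


def current_user(db: sqlite3.Connection, token: str, now: int) -> Optional[dict]:
    """One join resolves the cookie to user data; expired rows simply never match."""
    row = db.execute("""
        SELECT u.uuid, u.name
          FROM sessions s JOIN users u ON u.uuid = s.user_uuid
         WHERE s.token_string = ? AND s.expiration_timestamp > ?""",
        (token, now)).fetchone()
    return None if row is None else {"uuid": row[0], "name": row[1]}


def revoke(db: sqlite3.Connection, token: str) -> int:
    """Retraction is a single DELETE; returns how many sessions were removed."""
    return db.execute("DELETE FROM sessions WHERE token_string = ?", (token,)).rowcount


def revoke_all_for_user(db: sqlite3.Connection, user_uuid: str) -> int:
    """Log a user out everywhere, e.g. after a password change."""
    return db.execute("DELETE FROM sessions WHERE user_uuid = ?", (user_uuid,)).rowcount


def purge_expired(db: sqlite3.Connection, now: int) -> int:
    """The nightly scheduled job: sweep rows whose expiry has passed."""
    return db.execute("DELETE FROM sessions WHERE expiration_timestamp <= ?",
                      (now,)).rowcount
```

Storing a hash of the token instead of the token itself limits what a leaked sessions table reveals, at the cost of hashing on each request.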
I’ve never done any work with JWTs so this might be a dumb question - but can’t you just put an expiration time into the JWT data itself, along with the session and/or user information? The user can’t alter the expiration time because presumably that would invalidate the signature, so as long as the timestamp is less than $(current_time) you’d be good to go? I’m sure I’m missing something obvious.
If someone steals the JWT they have free rein until it expires. With a session, you can remotely revoke it.
That’s not true. You just put a black mark next to it and every request after that will be denied - and it won’t be refreshed. Then you delete it once it expires.
The problem with the black mark is that you have to hit some sort of database to check for that black mark. By doing so, you invalidate the usefulness of JWTs. That is one of OP’s main points.
Well, not necessarily. If you’re making requests often (e.g, every couple of seconds) and you can live with a short delay between logging out and the session being invalidated, you can set the timeout on the JWT to be ~30 seconds or so and only check the blacklist if the JWT is expired (and, if the session isn’t blacklisted, issue a new JWT). This can save a significant number of database requests for a chatty API (like you might find in a chat protocol).
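The scheme in the comment above (an exp claim in the signed payload, blacklist consulted only once the token has expired, reissue if the session is still live), as an added example that is not from any commenter; the HS256 signing key, 30 s lifetime and in-memory blacklist set are constructed for the demo:

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

KEY = secrets.token_bytes(32)   # constructed demo key; load from a secret store in practice
TTL = 30                        # seconds a token stays valid, the ~30 s from the comment
BLACKLIST: set = set()          # session ids revoked by logout; checked only on expiry


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(session_id: str, user: str, now: float) -> str:
    """Sign an HS256 JWT carrying the session id, subject and an exp claim."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sid": session_id, "sub": user,
                               "exp": int(now) + TTL}).encode())
    sig = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify(token: str) -> Optional[dict]:
    """Return the claims if the signature is valid, else None. Does not check exp."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        if json.loads(_unb64(header)).get("alg") != "HS256":   # reject alg confusion
            return None
        return json.loads(_unb64(payload))
    except (ValueError, TypeError, AttributeError):
        return None


def authorize(token: str, now: float) -> Tuple[bool, Optional[str]]:
    """Fast path: an unexpired token needs no lookup. Expired: consult the
    blacklist and reissue if the session is still live. Returns (ok, token)."""
    claims = verify(token)
    if claims is None:
        return False, None
    if now < claims["exp"]:
        return True, token                     # no database hit at all
    if claims["sid"] in BLACKLIST:
        return False, None                     # logged out; stays denied
    return True, issue(claims["sid"], claims["sub"], now)


def logout(session_id: str) -> None:
    BLACKLIST.add(session_id)
```

Note the deliberate gap the comment mentions: after logout a still-unexpired token is accepted until its exp passes, so TTL bounds the revocation delay.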
Or refresh a local cache of the blacklist periodically on each server, so it’s a purely in-memory lookup.
But in that case, you’d be defeating their use as session tokens, because you are limited to very short sessions. You are just one hiccup of the network away from failure which also defeats their purpose. (which was another point of the OP).
I see how they can be useful in situations where you are making a lot of requests, but the point is that 99,9% of websites don’t do that.
For mobile apps that have safe storage for passwords, the retraction problem is solved via issuing refresh tokens (that live longer, like passwords in the password store of a mobile phone). The refresh tokens are then used to issue new authorization tokens periodically, and it is transparent to the user. You can reissue the authorization token using the refresh token every 15 minutes, for example.
For web browsers, using refresh tokens may or may not be a good idea. Refresh tokens are, from the security perspective, the same as ‘passwords’ (although temporary). So their storage within a web browser should follow the same policy as one would have for passwords.
So if using refresh tokens for your single page app is not an option, then invalidating would have to happen during access control validation, on the backend. (The backend is still responsible for access control anyway, because it cannot be done securely on web clients.)
It is more expensive, and requires a form of distributed cache if you have a distributed backend that allows stateless, non-IP-bound distribution of requests…
But then why use 2 tokens instead of a single one? It makes everything more complicated for the sake of the perceived simplification of not doing 1 DB request on each connection. Meh. And you can even use a cookie in your web UI, so in the end it will make everything simpler as you do not need to use 2 separate auth systems in your app.
This is not really why 2 tokens are used (authentication token and refresh token). 2 tokens are used to a) allow fast expiration of an authentication request, b) prevent passing of the actual user password through to the backend (it only needs to be passed when creating a refresh token).
This is a fairly standard practice though, not something I invented (it requires an API-accessible, secure password store on the user’s device, which is why it is prevalent in mobile apps).
I also cannot see how a) and b) can be achieved with a single token.
It seems to me that suggesting a command-line-only (unless I’m mistaken?) tool like Hugo is a complete non-starter for, I don’t know, at least 80% of the people who are posting on Medium. I appreciate your effort—and I’m also becoming more irritated by Medium every day—but I think that learning how to use the terminal is just too high of a hurdle for most people to bother with. If your intention was only to convince the kind of people who read Lobsters and know what it means that something is “written in Go,” then it’s fine, but I don’t think this site presents a viable solution for the rest of the users.
The fundamental problem, I think, is that in order for someone to own their digital identity in any meaningful way, they have to have (at a minimum) their own domain name, and even that is a significant technical hurdle—never mind the fact that it costs money. Maybe the most viable “indie” solution we have at this moment is to (1) guide people through the process of registering a domain and then (2) offer an easy-to-use, web-based blogging engine that people can point their DNS records to in order to get started with their own sites. The latter thing could be made cheap enough to host that some benevolent geek could just subsidize it. Even this, though, seems like so much more effort than Medium for the non-technical user.
The IndieWeb community is very interested in breaking down the barriers to doing these things, like purchasing a domain name.
Or, just point people to one of the many 1-click setup Wordpress hosting services. I know people like to hate PHP and Wordpress but it’s still better than Medium.
Suggesting non-technical people manage their own Wordpress site is like suggesting a baby go carve your roast turkey. (It’s not going to end well).
Wordpress is the Internet Explorer 6 of CMSes and its plugins are the toolbars.
Yes there are better things than Medium. No, Wordpress isn’t it.
Totally agree. I know everyone would rail against this idea because it’s somebody else’s platform, but this is why I host my blog on wordpress.com - They handle the security, I just get the super ease of use and platform with the widest client support of any blogging platform anywhere, and a really nice mobile client.
Do you think there is an opportunity for the modern database-backed CMS beyond Ghost?
Being database backed isn’t what makes Wordpress terrible.
However for a lot of sites, I think an SSG would be a better solution, even if that means they run a db backed CMS which then publishes content to a static location. The key thing with an SSG is that the rendered pages are static HTML. It’s incidental what the source format is - static files (eg markdown) is a common pattern but it could just as easily be a regular web app with a DB.
Glad to see these remarks already posted!
There’s still room IMO for blogging systems that live closer to WordPress on the Static-Site Gen <-> WYSIWYG CMS spectrum that are — crucially — easy to deploy on a basic LAMP stack. Make it as easy to post as on social media (Twitter / FB), with the admin part much more closely intertwined with the front-end, and you have a winner. (Would also love to know if there’s one already that fits the bill).
Do you know https://forestry.io ? It seems to me that what they are doing is pretty close to what you describe. (I am not affiliated in any way by the way).
Couldn’t agree more!
Generally speaking I think the first generation of web property developers created a monster with the whole idea of “free but not really” websites. Medium is just one example.
Maybe some kind of future where ubiquitous Raspberry Pi like server infrastructure would enable wide scale publishing and data sharing, but we have a LONG LONG way to go before we can get there.
I suspect in the nearer term, something like having pods of friends collaborate at some small cost to them to make their offerings available could work, but expecting everyone to use a command line is certainly a non starter.
We techies need to keep reminding ourselves that the rest of the world is not us. They don’t care that Medium is slow, or that the paywall violates our tender sensibilities. They want to accomplish something and want the shortest path to getting there. Full stop.
definitely agree here.
Does this mean it’s possible to just watch the DHT on IPFS and pull data people are inserting? It’s not encrypted in any way?
That’s exactly what this is :)
You’re free to publish encrypted content on the IPFS, but you aren’t obligated to.
And I wouldn’t, since encrypted content on IPFS would be exposed to everyone and brute-forced eventually if anyone cared (once the cipher is broken in the future, etc)
This is kind of my worry with IPFS. I wanted to have a “private” thing where I could also share with my family in a mostly-secure way (essentially, least chance of leaking everything to the whole world while still being able to access my legitimately-acquired music collection without having to ssh home). Turns out that’s not simple to set up.
We ([0][1]) are trying to add encryption and other security enhancements, including safe sharing, on top of IPFS. Still pre-alpha though.
[0] - https://github.com/Peergos/Peergos
[1] - https://peergos.github.io/book
You just have to add encryption on before transmission. IPFS is kind of a low level thing (like how you won’t find any encryption in TCP because that comes later); it really needs good apps built on top to be useful.
IPFS is a better bittorrent, which is designed to work very well as a replacement for the public web. Private sharing has different requirements – I use syncthing for a similar semantic in private.
Do you guys know about upspin? What do you think of it? One of its stated goals is security. But it seems to be at quite an early stage for now.
Interesting. I bet a lot of inserters aren’t aware. Sounds like a great opportunity for bots that:
More relevant to the article though, I like the Rust code. Very readable!
IPFS is basically just a big torrent swarm. Doing that “copyrighted content scan” thing on the bittorrent DHT is already possible (and I’m pretty sure that’s how they send those notices already)
I have a friend who runs a French instance: https://infos.mytux.fr/