UML: My Part in its Downfall
https://tratt.net/laurie/blog/2022/uml_my_part_in_its_downfall.html [tratt.net]
2024-03-15 23:15
tags:
development
standard
swtools
With the benefit of hindsight, I think UML had quite possibly reached not only its actual, but also its potential, peak in 2000: as a medium for software sketching, people only ever needed the basics from it. However, the standardisation community developed an ambitious vision for UML that far exceeded sketching. Whether or not that vision could ever be realised can be seen as a matter of genuine debate: what seems unarguable to me is that such a vision was deeply unsuited to any standardisation process.
The case of the application that used thread local storage it never allocated
https://devblogs.microsoft.com/oldnewthing/20221128-00/?p=107456 [devblogs.microsoft.com]
2024-03-15 22:42
tags:
bugfix
concurrency
development
malloc
programming
windows
Upon closer inspection, the real problem was not that the application’s TLS was being corrupted. The problem was that the application was using TLS slots it never allocated, so it was inadvertently using somebody else’s TLS slots as its own. And of course, when the true owner updated the TLS value, the application interpreted that as corruption.
Check Your Email
https://thedailywtf.com/articles/check-your-email [thedailywtf.com]
2024-03-13 16:50
tags:
development
Every night, their application was supposed to generate a set of nightly reports and email them out. These reports went to a number of people in the company, up to and including the CEO. Come Monday morning, the CEO checked his inbox and, horror of horrors, there was no report!
Given that it involved sending emails, Branon was ready to spend a long time trying to debug whatever was going wrong in the chain. Instead, finding the problem only took about two minutes, and most of that was spent getting coffee.
List of 2024 Leap Day Bugs
https://codeofmatt.com/list-of-2024-leap-day-bugs/ [codeofmatt.com]
2024-03-11 07:32
tags:
bugfix
development
links
Well, it’s 2024 and leap day has come once again. As I’ve done in prior leap years, I’ve captured as many bug reports and outages as I can, along with links to the source where possible.
source: trivium
Supercharge compression efficiency with shared dictionaries
https://developer.chrome.com/blog/shared-dictionary-compression [developer.chrome.com]
2024-03-06 18:50
tags:
browser
compression
development
web
Shared dictionaries can supplement Brotli and ZStandard compression to deliver substantially higher compression ratios for websites that frequently ship updated code, and can—in some cases—deliver 90% or better compression ratios. This post goes into more detail on how shared dictionaries work, and how you can register for the origin trials to use them for Brotli and ZStandard on your website.
source: HN
Bugs I’ve filed on browsers
https://nolanlawson.com/2024/03/03/bugs-ive-filed-on-browsers/ [nolanlawson.com]
2024-03-04 05:28
tags:
browser
bugfix
development
web
As such, I’ve filed a lot of bugs on browsers over the years. For whatever reason – stubbornness, frustration, some highfalutin sense of serving the web at large – I’ve made a habit of nagging browser vendors about whatever roadblock I’m hitting that day. And they often fix it! So I thought it might be interesting to do an analysis of the bugs I’ve filed on the major browser engines – Chromium, Firefox, and WebKit – over my roughly 10-year web development career.
source: HN
An interactive study of common retry methods
https://encore.dev/blog/retries [encore.dev]
2023-11-23 04:00
tags:
development
networking
visualization
In this post we’re going to visually explore different methods of retrying requests, demonstrating why some common approaches are dangerous and ultimately ending up at what the best practice is. At the end of this post you will have a solid understanding of what makes safe retry behaviour, and a vivid understanding of what doesn’t.
source: L
Running the “Reflections on Trusting Trust” Compiler
https://research.swtch.com/nih [research.swtch.com]
2023-10-26 19:09
tags:
c
compiler
development
programming
retro
security
turtles
unix
In October 1983, 40 years ago this week, Ken Thompson chose supply chain security as the topic for his Turing award lecture, although the specific term wasn’t used back then. (The field of computer science was still young and small enough that the ACM conference where Ken spoke was the “Annual Conference on Computers.”) Ken’s lecture was later published in Communications of the ACM under the title “Reflections on Trusting Trust.” It is a classic paper, and a short one (3 pages); if you haven’t read it yet, you should. This post will still be here when you get back.
In the lecture, Ken explains in three steps how to modify a C compiler binary to insert a backdoor when compiling the “login” program, leaving no trace in the source code. In this post, we will run the backdoored compiler using Ken’s actual code. But first, a brief summary of the important parts of the lecture.
source: L
Arena allocator tips and tricks
https://nullprogram.com/blog/2023/09/27/ [nullprogram.com]
2023-10-01 18:51
tags:
c
development
hash
malloc
programming
Over the past year I’ve refined my approach to arena allocation. With practice, it’s effective, simple, and fast; typically as easy to use as garbage collection but without the costs. Depending on need, an allocator can weigh just 7–25 lines of code — perfect when lacking a runtime. With the core details of my own technique settled, now is a good time to document and share lessons learned. This is certainly not the only way to approach arena allocation, but these are practices I’ve worked out to simplify programs and reduce mistakes.
See also: https://nullprogram.com/blog/2023/09/30/
An easy-to-implement, arena-friendly hash map
source: L
Add extra stuff to a "standard" encoding? Sure, why not.
http://rachelbythebay.com/w/2023/09/19/badlib/ [rachelbythebay.com]
2023-09-24 02:14
tags:
development
library
turtles
Hold on. Protobufs do not work that way! They don’t have their own framing. That’s why recordio was invented, and countless other ways to bundle them up so you know what type they are, how long they are, and all of that other stuff. The actual binary encoding of the protobuf itself is bare bones! So what’s up with this length byte?
Capslock: What is your code really capable of?
https://security.googleblog.com/2023/09/capslock-what-is-your-code-really.html [security.googleblog.com]
2023-09-17 02:39
tags:
development
security
Avoiding bad dependencies can be hard without appropriate information on what the dependency’s code actually does, and reviewing every line of that code is an immense task. Every dependency also brings its own dependencies, compounding the need for review across an expanding web of transitive dependencies. But what if there was an easy way to know the capabilities–the privileged operations accessed by the code–of your dependencies?
source: L
Shamir Secret Sharing
https://max.levch.in/post/724289457144070144/shamir-secret-sharing [max.levch.in]
2023-08-06 21:38
tags:
auth
c
crypto
development
programming
security
unix
It’s 3am. Paul, the head of PayPal database administration carefully enters his elaborate passphrase at a keyboard in a darkened cubicle of 1840 Embarcadero Road in East Palo Alto, for the fifth time. He hits Return. The green-on-black console window instantly displays one line of text: “Sorry, one or more wrong passphrases. Can’t reconstruct the key. Goodbye.”
This is the story of a catastrophic software bug I briefly introduced into the PayPal codebase that almost cost us the company (or so it seemed, in the moment.)
Today, should you try to read up the programmer’s manual (AKA the man page) on getpass, you will find it has been long declared obsolete and replaced with a more intelligent alternative in nearly all flavors of modern Unix.
source: Dfly
When Good Correlation is Not Enough
https://hakibenita.com/postgresql-correlation-brin-multi-minmax [hakibenita.com]
2023-07-28 02:39
tags:
database
development
perf
sql
Choosing to use a block range index (BRIN) to query a field with high correlation is a no-brainer for the optimizer. The small size of the index and the field’s correlation make BRIN an ideal choice. However, a recent event taught us that correlation can be misleading. Under some easily reproducible circumstances, a BRIN index can result in significantly slower execution even when the indexed field has very high correlation.
source: HN
Shoot ’em up in style: the making of Gun Trails on Playdate
https://news.play.date/news/gun-trails/ [news.play.date]
2023-07-21 21:04
tags:
c
development
gaming
perf
programming
retro
Enter Playdate. I had wanted to build a shmup for years, but for various reasons—primarily bad scoping—the efforts always sputtered out. This little yellow device could provide the constraints needed, with the added bonus of a programming challenge to hit consistently high framerates.
source: L
What Happened to Dolphin on Steam?
https://dolphin-emu.org/blog/2023/07/20/what-happened-to-dolphin-on-steam/ [dolphin-emu.org]
2023-07-21 20:56
tags:
business
development
gaming
policy
update
virtualization
Well, that blew up, huh? If you follow emulation or just gaming on the whole, you’ve probably heard about the controversy around the Dolphin Steam release and the Wii Common Key. There have been a lot of conclusions made, and while we’ve wanted to defend ourselves, we thought it would be prudent to contact lawyers first to make sure that our understanding of the situation was legally sound. That took some time, which was frustrating to ourselves and to our users, but now we are educated and ready to give an informed response.
source: L
The day my ping took countermeasures
https://blog.cloudflare.com/the-day-my-ping-took-countermeasures/ [blog.cloudflare.com]
2023-07-12 00:08
tags:
development
investigation
linux
networking
swtools
While this doesn’t happen too often, a computer clock can be freely adjusted either forward or backward. However, it’s pretty rare for a regular network utility, like ping, to try to manage a situation like this. It’s even less common to call it “taking countermeasures”. I would totally expect ping to just print a nonsensical time value and move on without hesitation.
Ping developers clearly put some thought into that. I wondered how far they went. Did they handle clock changes in both directions? Are the bad measurements excluded from the final statistics? How do they test the software?
source: L
Culture eats policy
https://www.niskanencenter.org/culture-eats-policy/ [www.niskanencenter.org]
2023-06-23 19:47
tags:
article
business
development
policy
turtles
There’s a convenient punching bag for many of these failures: outdated government technology, and outdated approaches to tech by the bureaucracy. But try to fix that through policy change and you’ll find it’s turtles all the way down. The levers leaders use to fix tech are the same ones they use to steer the economy, improve government-funded healthcare, manage immigration, and even strengthen our national defense. We increase budgets, cut budgets, make new rules, and hold hearings, but the tools we use to fix our tools aren’t working either.
The people on this project knew quite well that using this ESB was a terrible idea. They’d have been relieved to just throw it out, plug in the simple protocol, and move on. But they couldn’t. It was a requirement in their contract. The contracting officers had required it because a policy document called the Air Force Enterprise Architecture had required it. The Air Force Enterprise Architecture required it because the Department of Defense Enterprise Architecture required it. And the DoD Enterprise Architecture required it because the Federal Enterprise Architecture, written by the Chief Information Officers Council, convened by the White House at the request of Congress, had required it. Was it really possible that this project was delayed indefinitely, racking up cost overruns in the billions, because Congress had ordered the executive branch to specify something as small and technical as an ESB?
Jack beat them all, winning the contest and demonstrating not only his enormous skills in securing critical national security systems, but an incredible enthusiasm for serving his country. He was a dream candidate, and the Defense Digital Service (DDS), the team that had sponsored the Hack the Pentagon contest, encouraged Jack to apply for a job. But the resume Jack submitted described his experience developing “mobile applications in IonicJS, mobile applications using Angular, and APIs using Node.js, MongoDB, npm, Express gulp, and Babel”. This would have given a technical manager a good sense of the range of his skills, but no one technical reviewed his resume. DoD’s hiring protocols, like those of most agencies, required that it be reviewed by an HR staffer with a background in government hiring rules, not technology. The staffer saw what looked like a grab bag of gobbledygook and tried to match it to the job description, which required “experience that demonstrated accomplishment of computer-project assignments that required a wide range of knowledge of computer requirements and techniques pertinent to the position to be filled.” The fact that he’d just beaten out 600 other security researchers meant nothing. His resume was deemed “not minimally qualified” and didn’t make the first cut.
Tech debt metaphor maximalism
https://apenwarr.ca/log/20230605 [apenwarr.ca]
2023-06-18 19:57
tags:
business
development
finance
life
I really like the “tech debt” metaphor. A lot of people don’t, but I think that’s because they either don’t extend the metaphor far enough, or because they don’t properly understand financial debt.
Pretty good financial debt explainer, too.
source: trivium
You didn’t just do that, Heroku
https://openfolder.sh/heroku-anti-dx [openfolder.sh]
2023-04-18 05:50
tags:
cloud
development
I inspected Heroku’s logs again and saw that it wasn’t just this specific task that was being dispatched twice, all of them were:
See, at this point the celerybeat dyno shouldn’t even exist. It was nowhere to be found on my list of dynos. But here it is, alive, well, and scheduling tasks.
source: HN
gotraceui - an efficient frontend for Go execution traces
https://github.com/dominikh/gotraceui [github.com]
2023-03-31 02:29
tags:
development
go
perf
swtools
Gotraceui is a tool for visualizing and analyzing Go execution traces. It is meant to be a faster, more accessible, and more powerful alternative to go tool trace. Unlike go tool trace, Gotraceui doesn’t use deprecated browser APIs (or a browser at all), and its UI is tuned specifically to the unique characteristics of Go traces.
source: L