Holy Dev Newsletter October 2022
Welcome to the Holy Dev newsletter, which brings you gems I found on the web, updates from my blog, and a few scattered thoughts. You can get the next one into your mailbox if you subscribe. Sorry for the delay in publishing this edition, I was having too much fun with Rust.
What is happening
Not much. I have experimented a little more with img-mg and found out that showing previews of many photos as quickly as I want might not be possible even with Rust. I also have a small patch for the Ragtime DB migration library to make it respect Thread.isInterrupted and stop, which we use to gracefully stop all jobs when we are about to restart the app. I am also exploring using Portal as a production troubleshooting tool that enables developers to navigate data and trigger functions, as a safer alternative to full REPL access. I’ll keep you posted.
Gems from the world wide web
👓 Mitigating Spectre and Other Security Threats: The Cloudflare Workers Security Model [security]
A fascinating read about how Cloudflare secures Workers, its function-as-a-service platform, by disabling file system and network access and forcing all communication over a Unix socket and through a proxy, and about its multilayer defense against known and unknown Spectre attacks.
👓 Dylan Beattie's musical parodies of developers' lives [fun]
Very entertaining songs & musical performances inspired by developers' lives. A ballad about a bad C developer who did not free his mallocs and is still sitting in the cellar trying to debug the system and such 🤣
👓 Talon - write code with your voice (for when hands fail you) [accessibility, tool]
A free, cross-OS, programmable application that enables you to write code and control your computer with voice. It also has surprisingly accurate eye tracking for moving the mouse. Demonstrated to us by a user at a conference. Of course slower than writing but great when you cannot write.
👓 PostgresML is Moving to Rust for our 2.0 Release - PostgresML [rust, machine learning, tool, library]
PostgresML is replacing most of its Python with Rust for v2.0 of its ML extension for Postgres because it is up to 10-30x faster in some cases. The Rust ML ecosystem is young and under development but already provides good value. Moreover, a lot of ML libraries are actually implemented in C/C++ and only used by Python, so they can just as well be used from Rust. Interestingly, the time to move data between Pg and NumPy data structures might dominate the algorithm time, so using Rust is another win here.
They mention two Rust ML projects:
- Linfa is a comprehensive toolkit for statistical learning, providing algorithms for optimal model and density estimation. It contains common learning algorithms such as Elastic Net, Support Vector Machines, Kernel Methods, Linear Decision Trees, etc. and bundles them together.
- SmartCore is a comprehensive library for machine learning and numerical computing. The library provides a set of tools for linear algebra, numerical computing, optimization, and enables a generic, powerful yet still efficient approach to machine learning.
👓 Why We Chose Rust - a balanced report [rust, experience]
If we were starting over again, would we have used Rust again? We're still not sure. While we are glad we picked Rust instead of C++ for our memory peace of mind, we still wonder whether Go may have been sufficient for our purposes. Go seems to address all of the challenges listed:
1. It has a much simpler learning curve.
2. It is easier to find programmers that have deep experience with it.
3. Its garbage collection means dramatically easier rearchitecting.
Regarding 3.: In our experience, heavily rearchitecting a design in a Rust codebase can be agonizing. Rust's strict rules to support safety without garbage collection force you to adhere to Rust-friendly architecture. As a team, we have not yet developed the experience with Rust to foresee what is cleanly implementable in Rust and what isn't.
57 CSS shapes examples - CSS Scan
CSS for 57 different shapes from basic ones up to checkmark, yin/yang symbol, octagon, cylinder, and such.
👓 Falsehoods Programmers Believe About Names - With Examples - Shine Solutions Group
Such as:
- People have exactly one canonical full name.
- People have exactly N names, for any value of N.
- People’s names fit within a certain defined amount of space.
- People’s names do not change.
- People’s names are written in ASCII.
👓 The Web’s Next Transition [webdev, trends, framework]
A good analysis of how our approach to creating web apps developed and where we are going now. There is an explanation and pros & cons for each of them:
- Multi-Page Apps (MPAs)
- Single Page Apps (SPAs)
- Coming: Progressively Enhanced Single Page Apps (PESPAs)
👓 GIFs Without the .gif: The Most Performant Image and Video Options Right Now | CSS-Tricks - CSS-Tricks [webdev, media]
So you want an auto-playing looping video without sound? In popular vernacular this is the very meaning of the word GIF. The word has stuck
Multiple good options with pros & cons. You can use
Also a good overview of the current best image & video formats and their support.
Containers: MP4 (since 2001) is supported by all web browsers. WebM (since 2010) works in all browsers except for iOS Safari (which added support for WebM audio in 2021 so perhaps video is coming too).
Codecs: H.264 works in all browsers. VP9 is supported by all the browsers that support WebM. The newer and best AV1 codec has been supported in Chrome since 2018 and Firefox since 2019. It has not yet shipped in Edge or Safari.
Images: WebP (which can be animated) is now twelve years old. The more modern AV1 Image File Format (AVIF), released in 2019, is the best image format for most use cases on the Web but its support varies - e.g. Firefox doesn't support animated AVIF yet.
👓 The Decentralized Package Network | Pyrsia.io [security]
Pyrsia is an open-source, decentralised package network supported by major companies to fight supply chain attacks by building the packages itself from source and keeping them in a distributed network without a single point of control. It is currently building support for Docker images and Maven artifacts, but plans to support all common packages and to integrate seamlessly with your existing package manager.
The network consists of build nodes that build and sign the artifacts and regular nodes that form the entry point to the network for build tools. Both types of nodes participate in the peer-to-peer distribution of artifacts.
Pyrsia solves two problems:
- There is no way for you to verify the binary artifact is in fact the result of the given source, so one malicious entity with publication access to a central repository can publish anything it wants.
- A central repository is controlled by a single entity, which could take decisions you do not agree with (e.g. retract a package).
Pyrsia is driven by leading companies in the software industry and a prospective project of the OpenSSF. Learn more about how our network works at What is Pyrsia?
👓 Devbox by Jetpack.io | Devbox [productivity, terminal]
Create an isolated shell for your project with just the OS-level dependencies it needs via the power of Nix (without needing to learn Nix). You can then pack your project into a Docker container without dealing with dockerfiles.
Pros: everybody gets a shell with the correct dependencies (and versions) without affecting your global env. Cons: All the code still runs on your machine, so it is not suitable if you do not trust it.
👓 restic · Backups done right! [backup, terminal, tool, devops]
Restic is a modern, open source backup program that can back up your files from Linux, BSD, Mac and Windows to many different storage types, including self-hosted and online services. It's a single executable that you can run without a server or complex setup. It's effective - only transferring the parts that actually changed in the files you back up. It aims for security by careful use of cryptography in every part of the process. It's easy to check that the files can be restored.
👓 Meilisearch [tool]
Search as you type, typo-tolerant, customizable, supports multi-tenancy and fine-grained access control. REST API. I haven't tried it but some users seem quite happy about it. Open-source, beta cloud option.
Thank you for reading!