Holy Dev Newsletter April and May 2024

Welcome to the much delayed Holy Dev newsletter, which brings you gems I found on the web, updates from my blog, and a few scattered thoughts. You can get the next one into your mailbox if you subscribe.

What is happening

Life happened, so I wasn’t able to publish the April & May issues until today. It has been a tough time, but I have learned to enjoy all the small pleasures of everyday life.

I had to reset my 3-year-old Mac to try to make it less slow when Zooming, and took the opportunity to test and describe my computer setup - the tools I use and the procedures in place to back it up and restore / set up from scratch.

I also finally got more into working on the Clojure - Wolfram bridge, Wolframite, as you can read in its log. There is essentially just one issue remaining before we can release v1, and we know how to solve it. Thomas does an awesome job discovering ways to make it ever more convenient for real-world users.

Finally, I got sucked into reviving my Chromium addon Testofill, the Form Filler for Testers. (Coming soon!) Started originally 10 years ago, it uses outdated APIs and an addon manifest version that are being sunset. I took the opportunity to clean it up a bit, and to address a matter that has bothered me for a long time - the very broad permissions it need(ed) to work. Along the way, I have recorded a short demonstration of the addon to explain it better to potential users. Sadly, all my subsequent work has made it outdated, so I will have to redo it 😅.

Gems from the world wide web

👓 A better regex experience [clojure]
Great tips for making RegExp more readable: 1) Add the (?x) flag so that whitespace is ignored (including newlines, so the pattern can break over multiple lines) and you can include line comments with # whatever.... 2) Use named capture groups for self-documentation via ?

👓 Easy Mode Rust — Llogiq on stuff [rust, learning]
Talk transcript, with the topic of teaching as little Rust as possible to become productive in Rust, so you can start and have success right away and learn the harder parts later when you’re comfortable with the basics.

👓 faces.js - A JavaScript library for generating vector-based cartoon faces [library, javascript, graphics]
Faces are drawn as SVGs with each also represented by a JavaScript object so you can draw them again later.

👓 Thoughts on the xz backdoor: an lzma-rs perspective | Blog | Guillaume Endignoux [security, opinion]
Interesting thoughts on the xz hack, how likely it would be in Rust vs. C (much less thanks to much simpler and universal tooling), and on the maintenance of OSS ecosystems (I am happy we have CLJ Commons!)

👓 Language-theoretic Security [security]
An organization working for more secure software:
The Language-theoretic approach (LANGSEC) regards the Internet insecurity epidemic as a consequence of ad hoc programming of input handling at all layers of network stacks, and in other kinds of software stacks. LANGSEC posits that the only path to trustworthy software that takes untrusted inputs is treating all valid or expected inputs as a formal language, and the respective input-handling routines as a recognizer for that language. The recognition must be feasible, and the recognizer must match the language in required computation power.
When input handling is done in ad hoc way, the de facto recognizer, i.e. the input recognition and validation code ends up scattered throughout the program, does not match the programmers' assumptions about safety and validity of data, and thus provides ample opportunities for exploitation. Moreover, for complex input languages the problem of full recognition of valid or expected inputs may be UNDECIDABLE, in which case no amount of input-checking code or testing will suffice to secure the program. Many popular protocols and formats fell into this trap, the empirical fact with which security practitioners are all too familiar.
LANGSEC helps draw the boundary between protocols and API designs that can and cannot be secured and implemented securely, and charts a way to building truly trustworthy protocols and systems.
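A small illustration of the recognizer idea quoted above, added here as an example (it comes from neither the LANGSEC site nor this newsletter). The GET/SET line protocol, its grammar and the function names are assumptions made up for the illustration; the point is that the whole input is accepted or rejected in one place, by a recognizer no more powerful than the (regular) language needs, before any handler touches state.

```python
import re

# Constructed toy protocol (not from the page). Its grammar is regular, so a
# regular expression is a recognizer of exactly the required power:
#   request := "GET " key | "SET " key " " value
REQUEST = re.compile(r"""(?x)
      GET [ ] (?P<get_key> [a-z][a-z0-9_]{0,31} )
    | SET [ ] (?P<set_key> [a-z][a-z0-9_]{0,31} )
          [ ] (?P<value>   0 | [1-9][0-9]{0,8} )   # ASCII digits, bounded
""")


def recognize(line):
    """Return (verb, key, value) for a valid request, or None.

    fullmatch() means the entire input must belong to the language; a
    search() or a '$' anchor would let a trailing newline slip through.
    """
    m = REQUEST.fullmatch(line)
    if m is None:
        return None
    if m["get_key"] is not None:
        return ("GET", m["get_key"], None)
    # int() is safe here: the recognizer already limited the text to at most
    # nine ASCII digits, so Unicode digits and huge numbers never reach it.
    return ("SET", m["set_key"], int(m["value"]))


def handle(store, line):
    """Handlers only ever see recognized requests; rejects change nothing."""
    req = recognize(line)
    if req is None:
        return "ERR"
    verb, key, value = req
    if verb == "SET":
        store[key] = value
        return "OK"
    return str(store.get(key, "NIL"))


if __name__ == "__main__":
    store = {}
    # Constructed sample inputs: two valid requests, then malformed ones.
    for line in ["SET retries 3", "GET retries", "SET retries 3\n",
                 "SET retries 03", "GET retries 3", "set retries 3"]:
        print(repr(line), "->", handle(store, line))
```
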

👓 Rama: a Storm is brewing [experience, rama]
A must-read for anyone interested in the Rama programming platform. The author shares his experiences building a startup on top of Rama in the past 5 months, and how the hype compares to reality. It turns out it does pretty well.
From the conclusion: "Rama does live up to the hype, as an early beta product there are some rough edges. From what I know RPL is currently more focused on finalizing key features such as backups, database migrations, etc. before focusing more on developer experience."

👓 Virtual Threads in Clojure [clojure, learning, concurrency]
Great overview of how and when to use virtual threads (JVM 21+), what pitfalls to avoid and how, and how they compare to normal threads and to core.async (key difference is that blocking is ok).

👓 Icônes [tool, webdev, asset, look&feel]
Icônes is an Icon Explorer with Instant Search through 100+ Icon Sets, powered by Iconify. Via Frontend Focus.

👓 tinyworldmap/tiny-world-map: tinyworldmap is a tiny world map for offline-first and low-bandwidth web apps [webdev, library, asset]
A tiny world map for offline-first and low-bandwidth web apps, designed to be used with Leaflet. The most complete version is only 450 kB gzipped. Tested on low-end decade-old phones. Has ± all cities with 50k+ inhabitants. Use it as a base map, replacing OpenStreetMap tiles, or as an offline fallback for OpenStreetMap tiles.

👓 Home Assistant [automation]
An open source home automation SW / HW with many integrations and powerful add-ons, such as voice control and display on Chromecast devices. Looks very interesting!

👓 What to Do With Evaluated REPL Expressions? [clojure, productivity] - In Clojure, we’ve internalized, as Stuart Halloway said, to send things to the REPL, not type into the REPL. The (sub)expressions we send to
A good productivity tip from a colleague: Every developer keeps her REPL sessions/expressions in a file, and these files are included in version control for sharing, but excluded from class path and all checks.
Personally, I keep my own dev/jakub.clj with all my prod troubleshooting sessions, and with frequently used snippets. I find it very useful to have this history around.

--

Thank you for reading!


Tags: newsletter


Copyright © 2024 Jakub Holý