Cross-posted from TeliaSonera Tech blog.

Handling dependencies is one of important challenges in any software project - and especially in the fast-moving JavaScript world. Our Nettbutikk team just had a heated discussion about handling upgrades of our dependencies that continuous our learning journey lined with failures (or rather "experiments that generated new knowledge" :-)).

Failed attempt one: Let tools do it

Originally we let npm automatically do minor upgrades but that turned out to be problematic as even minor version changes can introduce bugs and having potentially different (minor) versions on our different machines and in production makes troubleshooting difficult.


Continue reading →

---

People don't really like changes yet change we must in this fast-developing world. How to introduce a change, or rather how to inspire people to embrace a change? That is one of the main questions of my professional life.

I have recently talked about Functional programming (FP) in JavaScript and compared it to ClojureScript, which was designed for FP. To my surprise the team proposed to give ClojureScript a try and we agreed to have a live coding session, implementing a new functionality in our internal part of our webshop using ClojureScript. But how to kindle this little flame of motivation to keep it going, despite hurdles that will certainly come? And here I got a few interesting ideas.

1. An experienced speaker once recommended sharing personal experiences (even - or especially - if they make me vulnerable) as it is much easier for people to relate to them than to general statements.
2. A Cognicast eposide mentioned storytelling as a great tool for introductory guides. We humans are natural storytellers, we think in stories and relate to them much more easily - so a story should be great also to communicate the value of a change.
3. My ex-colleague Therese Ingebrigtsen gave an inspiring talk presenting some points from The Switch - mainly that we need to address the recipient's minds with rational arguments, but also their hearts to involve their emotion (e.g. by drawing a picture of the new bright future), and that it is important to show a clear path forward.

Continue reading →

---

While refactoring a relatively simple Clojure code to use a map instead of a vector, I have wasted perhaps a few hours due to essentially type errors. I want to share the experience and my thoughts about possible solutions since I encounter this problem quite often. I should mention that it is quite likely that it is more a problem (an opportunity? :-)) with me rather than the language, namely with the way I write and (not) test it.

The core of the problem is that I write chains of transformations based on my sometimes flawed idea of what data I have at each stage. The challenge is that I cannot see what the data is and have to maintain a mental model while writing the code, and I suck at it. Evaluating the code in the REPL as I develop it helps somewhat but only when writing it - not when I decide to refactor it.


Continue reading →

---

CircleCI has recently published a very useful post "Why we’re no longer using Core.typed" that raises some important concerns w.r.t. Typed Clojure that in their particular case led to the cost overweighting the benefits. CircleCI has a long and positive relation to Ambrose Bonnaire-Sergeant, the main author of core.typed, that has addressed their concerns in his recent Strange Loop talk "Typed Clojure: From Optional to Gradual Typing" (gradual typing is also explained in his 6/2015 blog post "Gradual typing for Clojure"). For the sake of searchability and those of us who prefer text to video, I would like to summarise the main points from the response (spiced with some thoughts of my own).


Continue reading →

---

These 2 magical lines will protect your upstream server from possible overload of many users try to access the same in cached or expired content: 

Continue reading →

---

You don’t need to finish a feature and your users don’t need to see it to be able to release and start battle-testing it. Slice it as much as possible and release the chunks ASAP to shorten the feedback loop and decrease risk.

My colleagues have been working on a crucial change in our webshop - replacing our legacy shopping cart and checkout process with a new one and implementing some new, highly desired functionality that this change enables. We have decided to decrease the risk of the change by doing it first only for product accessories. However the business wanted the new feature included and that required changes to the UI. But the UI has to be consistent across all sections so we would need to implement it also for the main products before going live - which would necessitate implementing also the more complex process used by the main products (and not yet supported by the new backend). And suddenly we had a a load of work that would take weeks to complete and would be released in a big bang deployment.

Such a large-scale and time-consuming change without any feedback from reality whatsoever and then releasing it all at once, having impact on all our sales - I find that really scary (and have fought it before). It is essentially weeks of building risk and then releasing it in a big kaboom. How could we break it down, to release it in small slices, without making the business people unhappy?


Continue reading →

---

Gor is a great utility for replicating (a subset of) production traffic to a staging/test environment. Running it on AWS Elastic Beanstalk (EB) has some challenges, mainly that it doesn't support running as a daemon and that there isn't any documentation/examples for doing this. Well, here is a solution:


Continue reading →

---

If you are adding a service entry to your .ebextensions/
Continue reading →

---

Our webshop, nettbutikk.netcom.no, runs on AWS Elastic Beanstalk and we use .ebextensions/ to customize the environment. I have been just trying to get Gor running on our leader production instance to replay some traffic to our staging environment so that we get a much richer feedback from it. However the container_command I used caused the instance to time out and trash the environment, against all reason. The documentation doesn't help and troubleshooting this is hard due to lack of feedback and time-consuming. Luckily I have arrived to a solution.


Continue reading →

---

Philipp Garbe describes how to pass environment variables that you want to keep private to a public Docker instance run on Amazon Web Services (beanstalk or ECS) in his post How to Run HuBot in Docker on AWS EC2 Container Services - Part 3
Continue reading →

---

By Michael T. Nygard, 2007, ISBN: 978-0-9787-3921-8

My digest and review of the book.

Review

Of the books I have read, Release It! is the one I would require all "senior" developers to read (together with something like Architecting Enterprise Solutions: Patterns for High-Capability Internet-based Systems). Especially the first part on stability with its patterns and anti-patterns is a must read. Without knowing and applying them, we create systems that react to problems like a dry savannah to a burning match. I found also to next to last chapter, #17 Transparency, very valuable, especially the metrics and design of the OpsDB and observation practices.

One thing I have left out of the digest which is really worth reading are the war stories that introduce each section, they are really interesting, inspiring, and educational.

Extra Links

• Release It! slides: http://gotocon.com/dl/jaoo-sydney-2009/slides/MichaelT.Nygard_FailureComesInFlavoursPart2.pdf
• https://github.com/Netflix/Hystrix/
• Netflix's Dependency Command talks about using circuit breakers and a thread pool limit http://techblog.netflix.com/2012/02/fault-tolerance-in-high-volume.html
• MSDN Guidance for Cloud Applications: Design Patterns - Circuit Breaker and many more highly useful patterns

Stability

Stability x longevity bugs

Selected (anti)patterns

Stability antipatterns

Integration points

Integration point = call to a DB, WS, ... . Stability risk #1.


Continue reading →

---

A great conference. A good deal of good talks.

To (perhaps) check later

Wednesday

• Practical CSS tips & tricks for backend developers - really useful tips! video
• No Estimates, Let's Explore the Possibilities video
• Form with Function: Adding Behavior with CSS - recommended by a friend (modal dialogs, tab switching, ...) video
• ? Anti-fragile and feedback. Trying to make up for the failures of "agile." video
• ? JavaScript Forensics - not sure what this is about but it might be interesting
• ? Designing and Programming Accessible Website and App UIs video

Thursday

• ? Declarative REST: State Machines for the Web video
• Continuous Delivery for Architects - Neal Ford video
• ? Desktop applications using JavaScript and Electron video
• ? High Performance in the Critical Rendering Path - how to make pages to load fast video
• This is Water - Neal Ford - an excursion into a strange, fantastical world with things like immutable database server, phoenix machines, and lambdas. video
• Securing Web APIs – Patterns & Anti-Patterns video
• ? Functional Data - event sourcing & FP video
• Authentication and authorization in modern JavaScript web applications – how hard can it be? video
• ? Taking other peoples money: A guide to online payments video
• ? Running Docker and Containers in Development and Production video
• Not Even Close: The State of Computer Security

Friday

• 595 billions income - untouched by human hands video
• Boosting security with HTTP headers video
• The rest of ReST - we'll look at the challenges of building usable real-world ReST APIs: Hypertext Application Language (HAL), HTTP Patch, ... video
• ? How do you scale a logging infrastructure to accept a billion messages a day? - DB -> ELK -> ELK + Kafka video
• ? Learning Client Hypermedia from the Ground Up - how to move specific knowledge of 1) addresses, 2) inputs, and 3) workflow out of the client app and place it into the message => a more robust, adaptable, and resilient client video
• ? Make it Faster - Lessons Learned from Benchmarking NoSQL on the AWS Cloud - best practices for performing database benchmarking on the AWS cloud & how to get more speed and efficiency in your production workloads video
• ? Crafting Evolvable Web API Representations - like structuring for evolution, sizing for optimum caching, the different ways to include metadata, ... video
• ? Mob Programming, A Whole Team Approach video
• ? Removing barriers - JetBrains's good and bad expericences with minimizing management video

Keynote Data and Goliath ☆☆☆☆

Continue reading →

---

According to the NDC Oslo talk Lean and Functional Programming
Continue reading →

---

Troy Hunt (@troyhunt, blog) had a great, very hands-on 2-day workshop about webapp security at NDC Oslo. Here are my notes.

Highlights - resources

Personal security and privacy

• https://www.entropay.com/ - a Prepaid Virtual Visa Card
• mailinator.com - tmp email
• f-secure VPN
• https://www.netsparker.com/ - scan a site for issues (insecure cookies, framework disclosure, SQL injection, …) (lot of $k)

Site security

• https://report-uri.io/ - get reports when CSP rules violated; also displays CSP headers for a site in a human-friendly way
• https://securityheaders.io/ check quality of headers wrt security
• free SSL - http://www.startssl.com/, https://www.cloudflare.com/ (also provides web app firewall and other protections) ; 
• SSL quality check: https://www.ssllabs.com/ssltest/ 
• https://letsencrypt.org/ - free, automated, open Certificate Authority (Linux Found., Mozilla)
• HSTS Preload - tell Chrome, FF that your site should only be ever loaded over HTTPS - https://hstspreload.appspot.com/

Breaches etc.

• http://arstechnica.com/security/2015/06/hack-of-cloud-based-lastpass-exposes-encrypted-master-passwords/
• https://twitter.com/jmgosney - one of ppl behind http://passwordscon.org . http://password-hashing.net  experts panel. Team Hashcat. 
• http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/ 

To follow

• ! http://krebsonsecurity.com/
• ! http://www.troyhunt.com/
• ! https://www.schneier.com/
• ! https://twitter.com/mikko (of F-Secure) also great [TED] talks
• kevin mitnick (jailed for hacking; twitter, books)

Continue reading →

---

By Matthew Podwysocki

Events

Lot of work (setup, remove listeners ...), not composable.

Promises

No way to abort promise in progress. (Me: has to remember to check for errors: then(onOk, onError).)

No try-catch-finally; only try-catch.

Streams

Node: Stream 1 were terrible (pause/resume unusable, data sent before ready, ...).


Continue reading →

---

Copyright © 2024 Jakub Holý
Powered by Cryogen
Theme by KingMob