I liked this, from DHH:
The progress of technology is throwing an ever greater number of optimizations into the “premature evil” bucket never to be seen again.
That can be a tough lesson for those of us who have been developing software for awhile to internalize. It becomes ever more sensible to optimize for simplicity rather than performance.
Today I was talking to a friend about his job. He said his company had just had a meeting where the management told his team that they were not satisfied with the overall sense of urgency and that the team needs to be getting things done more quickly. Reading between the lines, it was clear that what the manager meant was that the team needed to be putting in more hours.
Working more than forty hours a week is hardly outside the norm in software development, but directly demanding more hours from people is a bad idea for a number of reasons. I won’t get into basic issues of justice and decency and instead focus only on effectiveness. Even if your only goal is to get things done as quickly as possible, demanding that your team work more as a group is still a bad idea.
The first issue is morale. Members of the team will not readily accept “work more hours” as a possible solution to any problem if other solutions that don’t require them to work more hours are apparent. If there are process changes that would make the team more productive, they’ll wonder why those aren’t being made instead. If there are underperforming members of the team, others will wonder why those team members aren’t being specifically urged to do a better job or being replaced.
And, of course, some team members will start asking themselves why they’re working at a place where the management tries to solve problems using the blunt instrument of “work more hours.” In the end, you wind up with an unhappy team that starts losing its strongest contributors to other jobs. If you do plan to go this route, understand that the team will hold you accountable for every second of their time you appear to waste, so you’d better have your ducks in a row.
The second issue is quality. This is an issue I touched on when I talked about the problem with all-nighters. When someone is working and they know they could be doing something else, whether it’s having dinner with the family, going to their kid’s soccer practice, or sleeping on the couch, chances are their focus is going to be on doing whatever it takes to finish as quickly as possible. Corners will be cut. The longer the team is working extra hours, the more technical debt you build up, which in turn makes it harder for developers to get things done, requiring even more work to maintain the same level of production. It’s a losing proposition.
The third reason not to fall back on “make them work more hours” as a strategy for increasing productivity is that it reduces the organization’s capacity to manage a crisis. For one thing, there are fewer hours to throw at unexpected problems. If your lead developer is already working on Sundays, those Sundays aren’t available when you get a surprising feature request from a big customer. If the team is already burnt out from previous death marches, they’re going to be pretty cynical when their confronted with an actual crisis. And finally, when the crisis arises, that crappy code people were writing at night when they were trying to watch Glee at the same time is going to be an impediment to solving whatever problem is at hand.
The funny thing is that on a good team, you never need to ask people to work more hours at all. If you have good people and they understand and have bought into the team’s goals, then they will do what needs to be done to ship, even when it means putting in extra hours. One way to make sure that never happens is to coerce them into working more hours.
Every time you’re tempted to do so, sit down with members of the team and ask them how many hours a week they spend dealing with stuff not related to shipping and work to make those things go away instead.
Paul Querna has written an interesting post arguing that developers should rethink how they handle logging — using a robust, machine-readable format (like JSON) rather than human-readable strings that are formatted so that each log entry is a single line long.
The big change is not in how you create log messages but rather in how you consume them. Right now, when a user notices an error, I tend to immediately log into the server and start looking for the log messages associated with the transaction in question using grep or my favorite pager.
Were I to log everything in a machine-readable format, it would make sense to have a more robust tool to parse the logs. Finding or building such a tool is doable, but it becomes yet another project. You need management to sign off on it, the systems administrators to agree to the infrastructure change, and someone to actually choose, test, and deploy the new tool for dealing with logs. Then you have to teach everyone who’s used to finding things in the old logs how to find things in the new logs.
That’s how things that seem like a great idea find a way to never become reality.
cbloom rants on the value of strict coding standards:
Strict coding standards are actually an intellectual relief because they remove all those decisions and give you a specific way to do the syntax. (The same of course goes for reading other people’s code – your eyes can immediately start looking at the functionality, not try to figure out the current syntax)
Don’t forget that adherence to coding standards also produces higher quality diffs.
One weakness of many Web services that require authentication, including the ones I’ve built in the past, is that the username and password of the user making the request are simply included as request parameters. Alternatively, some use basic authentication, which transmits the username and password in an HTTP header encoded using Base64. Basic authentication obscures the password, but doesn’t encrypt it.
This week I learned that there’s a better way — using a Hash-based Message Authentication Code (or HMAC) to sign service requests with a private key. An HMAC is the product of a hash function applied to the body of a message along with a secret key. So rather than sending the username and password with a Web service request, you send some identifier for the private key and an HMAC. When the server receives the request, it looks up the user’s private key and uses it to create an HMAC for the incoming request. If the HMAC submitted with the request matches the one calculated by the server, then the request is authenticated.
There are two big advantages. The first is that the HMAC allows you to verify the password (or private key) without requiring the user to embed it in the request, and the second is that the HMAC also verifies the basic integrity of the request. If an attacker manipulated the request in any way in transit, the signatures would not match and the request would not be authenticated. This is a huge win, especially if the Web service requests are not being made over a secure HTTP connection.
There’s one catch that complicates things.
For the signatures to match, not only must the private keys used at both ends of the transaction match, but the message body must also match exactly. URL encoding is somewhat flexible. For example, you may choose to encode spaces in a query string as %20. I may prefer to use the + character. Furthermore, in most cases browsers and Web applications don’t care about the order of HTTP parameters.
foo=one&bar=two&baz=three
and
baz=three&bar=two&foo=one
are functionally the same, but the crypto signature of the two will not be.
Another open question is where to store the signature in the request. By the time the request is submitted to the server, the signature derived from the contents of the request will be mixed in with the data that is used to generate the signature. Let’s say I decide to include the HMAC as a request parameter. I start with this request body:
foo=one&bar=two&baz=three
I wind up with this one:
foo=one&bar=two&baz=three&hmac=de7c9b8 ...
In order to calculate the HMAC on the server, I have to remove the incoming HMAC parameter from the request body and calculate the HMAC using the remaining parameters. This is where the previous issue comes into play. If the HMAC were not in the request, I could simply calculate the signature based on the raw incoming request. Once I start manipulating the incoming request, the chances of reconstructing it imperfectly rise, possibly introducing cases where the signatures don’t match even though the request is valid.
This is an issue that everyone implementing HMAC-based authentication for a Web service has to deal with, so I started looking into how other projects handled it. OAuth uses HMAC, with the added wrinkle that the signature must be applied to POST parameters in the request body, query string parameters, and the OAuth HTTP headers included with the request. For OAuth, the signature can be included with the request as an HTTP header or as a request parameter.
This is a case where added flexibility in one respect puts an added burden on the implementor in others. To make sure that the signatures match, OAuth has very specific rules for encoding and ordering the request data. It’s up to the implementor to gather all of the parameters from the query string, request body, and headers, get rid of the oauth_signature parameter, and then organize them based on rules in the OAuth spec.
Amazon S3′s REST API also uses HMAC signatures for authentication. Amazon embeds the user’s public key and HMAC signature in an HTTP header, eliminating the need to extract it from the request body. In Amazon’s case, the signed message is assembled from the HTTP verb, metadata about the resource being manipulated, and the “Amz” headers in the request. All of this data must be canonicalized and added to the message data to be signed. Any bug in the translation of those canonicalization rules into your own codes means that none of your requests will be authenticated by Amazon.com.
Amazon uses the Authorization header to store the public key and HMAC. This is also the approach that Microsoft recommends. I think it’s superior to the parameter-based approach taken by OAuth. It should be noted that the Authorization header is part of the HTTP specification and if you’re going to use it, you should do so in a way that complies with the standard.
For my service, which is simpler than Amazon S3 or OAuth, I’ll be using the Authorization header and computing the HMAC based on the raw incoming request.
I realize that HMAC may not be new to many people, but it is to me. Now that I understand it, I can’t imagine using any of the older approaches to build an authenticated Web service.
Regardless of which side of the Web service transaction you’re implementing, calculating the actual HMAC is easy. Normally the SHA-1 or MD5 hashing algorithms are used, and it’s up to the implementor of the service to decide which of those they will support. Here’s how you create HMAC-SHA1 signatures using a few popular languages.
PHP has a built-in HMAC function:
hash_hmac('sha1', "Message", "Secret Key");
In Java, it’s not much more difficult:
Mac mac = Mac.getInstance("HmacSHA1");
SecretKeySpec secret =
new SecretKeySpec("Secret Key".getBytes(), "HmacSHA1");
mac.init(secret);
byte[] digest = mac.doFinal("Message".getBytes());
String hmac = Hex.encodeHexString(digest);
In that case, the Hex class is the Base64 encoder provided by Apache’s Commons Codec project.
In Ruby, you can use the HMAC method provided with the OpenSSL library:
DIGEST = OpenSSL::Digest::Digest.new('sha1')
Base64.encode64(OpenSSL::HMAC.digest(DIGEST,
"Secret Key", "Message"))
There are also libraries like crypto-js that provide HMAC support for JavaScript.
Miguel de Icaza writes about the bad news that Google is shutting down Code Search. In it, he lists a number of things Code Search was useful for that never really occurred to me. I hate missing out. I particularly regret not taking advantage of it when I was wrestling with connection and socket timeouts with Commons HttpClient awhile back.
In 2001, Dave Winer wrote about the strategy tax:
Ben explained that sometimes products developed inside a company such as Microsoft have to accept constraints that go against competitiveness, or might displease users, in order to further the cause of another product. I recognized the concept but had never heard the term.
Google is retiring all of the social features in Google Reader in order to push users to Google Plus instead. Discontinuing these features is bad — I find that people use them very effectively to share interesting stuff and would argue that the shared links from my Google Reader friends are generally more interesting than any single blog that I read. Even worse, Google is going to delete everyone’s past shared links in a few days. So people who have been using link sharing as a sort of blog will soon see their entire archive deleted.
Why? In order to prop up Google Plus. I wouldn’t argue that the strategy tax is never worth paying, but I would say that it’s higher than most companies realize. The good news for Google is that there’s not much competition in the news reader space any more, so it’s not like Google Reader users are going to rush off to use some other product as a result.
Update: I can’t find confirmation that archived shared links will be deleted and I don’t want to be a rumor monger. Hopefully I was just wrong about that.
Update: Courtney Stanton explains the value of Google Reader’s social features. (via Andy Baio) After reading it I realize that I wasn’t really taking advantage of Google Reader.
GitHub has one of the most interesting approaches to product development and software development of anyone in the industry. Zach Holman posted an overview of their process and talked about how they have maintained it as the team has grown. Toward the end, he writes:
This stuff doesn’t come easily, but it unfortunately leaves easily. Figuring out ways to streamline, to improve your process, to grow your company as you grow your employees is a constant struggle. It’s something that should be continually re-evaluated.
Just as it’s a lot easier to add features to software than it is to remove them, so too is it a lot easier to make software development processes more complex than it is to simplify them.
Brent Simmons writes about how wrong he was to assume that nobody would ever see code he wrote, and how coding with the assumption that other people will eventually work on his code makes him a better developer:
But now I write code with the absolute certain knowledge that it will end up in somebody else’s hands. I could be wrong, yes, but I’ve learned that it helps me write better and more-maintainable code if I just assume from the start that somebody else, most likely a friend, will end up working on that code base.
It’s hard to overstate the importance of this approach. There are very specific coding habits that solo developers tend to pick up, and the longer many developers work solo, the worse they become.
Bagcheck, a company I’d never heard of, was acquired by Twitter today. In Luke Wroblewski’s announcement of the deal, he lists some of the things they learned in building the startup. One idea that really captured my imagination was building features starting with the command line interface:
We always add features to the Bagcheck API (and thereby command line interface) first. This provides us with a way to start using new things before we invest time in how they’ll look and work in a graphical user interface. In fact, the first bags ever made on Bagcheck were lovingly typed into the CLI character by character. Including my complete mountain biking set-up.
Obviously, we decided creating bags needed an easier solution than pure text entry! But starting with just the essential actions in the CLI gave us a great understanding of how bags could be created and managed in more capable situations. In fact, starting with the API and command line interface always forces us to distill things to their core essence and to understand them simply. What can go in and what will come out? That makes designing more enhanced versions of the same features much easier. We know what they need to do and why.
This reminds me of Josh Bloch’s talk on how to design a good API. In it, he argues that you should start coding APIs by writing a client for the API rather than implementing the back end of the API.
Designing from the API up is similar to designing from the schema up, either way, you’re starting with a data model, although in the API case you’re starting with a data model and verbs rather than just the data structure.
© rc3.org. Powered by WordPress using the DePo Skinny Theme.