Humans shape technology and technology shapes us. Beyond the drama of change, there lie great opportunities for humanity.
"It follows that whenever we gain a new talent, we not only change our bodily capacities, we change the world. The ocean extends an invitation to the swimmer that it withholds from the person who has never learned to swim. With every skill we master, the world reshapes itself to reveal greater possibilities."
@phaedral @jawnsy for me it’s more about the form. The form factor of older vintage film cameras works better for me. If I shoot with a Yashica Mat 124G at an event it’s very different from using a DSLR. I feel I blend in more, and I have different types of tools for different types of shoots. Many modern digital cameras, other than the Ricoh GR III, don’t have the same form factor / vibes thing I’m looking for.
@phaedral @jawnsy and as someone who develops my own film, I also like having a certain degree of control over the whole thing without using a computer. I wouldn’t recommend it to everyone, but it’s a workflow that I personally enjoy.
Insightful take about corporate contributions to open source, and whether IP is valuable:
"I’m sorry to be the one to have to break it to you, but most of the intellectual property that your company creates isn’t especially important and it’s certainly not business critical."
"What qualifies as critical intellectual property naturally varies by company and business, but you’ll probably know it when you see it."
"The enshittification of the services we once loved and still rely on represents a series of victories for the forces of evil over the forces of good – a victory for the people who want to use the internet to trap us, over the people who want to use the internet to set us free.
As it got harder for users to leave online services, it got easier to abuse users."
As engineers, it's easy for us to measure inputs (how much time we're spending) and outputs (lines of code written or features produced), but what really matters are the business outcomes (customers acquired and retained, revenue growth metrics, profitability), which are less directly related.
It's always useful for us to step back and ask ourselves: what's the point?
@jawnsy This checks out if you're at a smaller company / startup, working close to your (potential) customers. If you're at $MEGACORP, "what's the point?" is sometimes the most detrimental question of all for your well-being 😄 Having some point or sense of purpose though — absolutely crucial... you'll just have to invent it yourself at some places. It was at a place like that I started contributing to open source. Likely wouldn't have happened if I'd been busy doing interesting work for customers.
@jawnsy yeah, but it’s been a long time since the last time. Had a job where legacy “Enterprise Java” was one of the things I was supposed to do. You know going in that it’s useless knowledge, as the alternative is to stick around, which is of course much worse. The things I saw.
@jawnsy my sworn enemies are projects of rewriting in different languages that don't establish a clear "this is what we're gaining by not using the old language" baseline.
"The naive approach to securing software is to blindly implement a checklist of security features. But a deeper understanding of security will quickly uncover that perfect security is impossible; you have to make trade-offs and prioritize the most likely scenarios."
@anderseknert Yeah. It tracks with my own experience, too.
I often wonder about these "last mile" problems - the tools are great, but require more effort to use effectively than many teams are able or willing to invest, which results in situations like this.
In the end, no technology or process is perfect: it's tradeoffs all the way down...
@jawnsy totally. I have implemented encryption at rest for kubernetes secrets in a previous role, although entirely driven by compliance requirements and not because we wanted to. Vault was too expensive though. My god that service is expensive.
Very few software projects are successful over long periods of time. I think one explanation is that it is very challenging to evolve systems in ways that respect the needs of both new users ("better" approaches to things, the temptation to make backwards-incompatible changes) and existing users (backwards-compatibility is a virtue).
@stuartmarks @briangoetz @rkatz Something that I find interesting about the various communities of experts (IETF, KEP, JEP, PEP) is the insights that people have, particularly around non-obvious interactions between features. Following the JDK development lists is a great lesson that implementing things hastily can really cost you enormously later, and I think often about all the avoided mistakes, too.
Also, Josh Bloch's Golden Rule of API Design, "when in doubt, leave it out," is so wonderful
@jawnsy Ha, the pain is real. Just looking at our users, 36% are on Windows, 14% are on Linux & 12% are on macOS (and much unknown b/c of Cookie Consents).
I've seen the numbers for embedded devs on Windows as high as 60% in reports!
It's always a delightful surprise to come across posts from folks with familiar names when looking something up. I wanted to get a comparison of Kyverno vs Open Policy Agent Gatekeeper and came across this awesome comment by longtime Kubernetes security nerd, @raesene: https://www.reddit.com/r/kubernetes/comments/u5tcfd/comment/i56i5ta/
@anderseknert @jawnsy @hrefna I'd agree there's a maturity piece, where more mature/complex environments will require solutions that have more power and flexibility.
At the moment I'd see VAP more at the level of allowing things like basic Pod Security Standards compliance (from a security standpoint, it has non-security use cases too).
That can be valuable for less complex environments, as it avoids the complexity of adding an external admission control solution.
@raesene @jawnsy @hrefna Agreed. If you don't need more than VAP, there are benefits to that given how it's now native to kube. I'm just thinking that the moment I'd need something more, I'd probably prefer to move all admission control responsibilities over to OPA/Kyverno/whatever rather than having to maintain two disparate systems for that.
Looking through this list of libraries for working with JWTs, it seems that the highest-quality ones assume that keys are managed directly, instead of using a Vault, Cloud KMS, etc. to sign. This is true for Python and Go libraries at least. Why is that? https://jwt.io/libraries
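To make the question above concrete, here is an added example (not code from the post, nor from any of the libraries listed at jwt.io) of the small seam a JWT library would need in order to sign with a Vault or Cloud KMS: the library builds the signing input and hashes it, and the only private-key operation goes through a `Signer` interface. The example is in Go and uses only the standard library; `localECDSASigner` is an assumed stand-in for a remote KMS client so that it runs offline, and the `kid` value and claims are constructed sample data. It also assumes the key service returns an ASN.1 DER ECDSA signature, which is what AWS KMS and GCP KMS do, and converts that to the raw R||S form JOSE requires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Signer is the narrow interface a JWT library needs from a key service:
// hand it a digest, get back a signature. A Vault Transit or Cloud KMS
// client can satisfy it without the private key ever leaving the service.
type Signer interface {
	SignDigest(digest []byte) ([]byte, error) // assumption: returns DER-encoded ECDSA signature
}

// localECDSASigner stands in for a remote KMS so the example runs offline.
type localECDSASigner struct{ key *ecdsa.PrivateKey }

func (s localECDSASigner) SignDigest(digest []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, s.key, digest)
}

// NewLocalSigner generates a P-256 key and returns the signer plus the public
// key a relying party would normally fetch from a JWKS endpoint.
func NewLocalSigner() (Signer, *ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return localECDSASigner{key}, &key.PublicKey, nil
}

// derToJOSE converts a DER ECDSA signature into the fixed-width R||S form
// RFC 7518 requires for ES256 (32 bytes each for P-256).
func derToJOSE(der []byte, size int) ([]byte, error) {
	var sig struct{ R, S *big.Int }
	rest, err := asn1.Unmarshal(der, &sig)
	if err != nil || len(rest) != 0 || sig.R.BitLen() > size*8 || sig.S.BitLen() > size*8 {
		return nil, errors.New("malformed DER signature")
	}
	out := make([]byte, 2*size)
	sig.R.FillBytes(out[:size])
	sig.S.FillBytes(out[size:])
	return out, nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignES256 builds the token locally and delegates the single private-key
// operation to the Signer. kid tells verifiers which key (version) signed it.
func SignES256(claims map[string]interface{}, kid string, s Signer) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	der, err := s.SignDigest(digest[:])
	if err != nil {
		return "", err
	}
	sig, err := derToJOSE(der, 32)
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyES256 checks a token using only the public key. The algorithm is
// pinned to ES256 so a token cannot be downgraded to "none" or swapped to HMAC.
func VerifyES256(token string, pub *ecdsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("unexpected or unreadable alg header")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature verification failed")
	}
	rawClaims, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(rawClaims, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	signer, pub, err := NewLocalSigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample claims; a real issuer would set exp, aud, iat and so on.
	tok, err := SignES256(map[string]interface{}{"sub": "build-1234", "iss": "https://ci.example"}, "kms-key-v1", signer)
	if err != nil {
		panic(err)
	}
	claims, err := VerifyES256(tok, pub)
	fmt.Println(tok, claims, err)
}
```

The point of the shape is that swapping `localECDSASigner` for a KMS client changes nothing else: the library never holds a private key, `kid` maps to a key version the service rotates for you, and the DER-to-JOSE conversion is the one detail that trips people up when wiring a KMS into ES256.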
@jawnsy yeah the exchange of one OIDC token from one provider to another I get, as that’s covered by specs I know of. It’s the GITHUB_TOKEN -> OIDC JWT I don’t see how they manage to fit within the OIDC standard. My guess is “they don’t” but it’s useful enough to warrant an exception. Not like it would be the first time someone ignored a standard :) Or there’s something to it I missed. Either way, useful, and I’m looking forward to seeing what you come up with!
I think it's similar in AWS, presumably you're using their Security Token Service to exchange an AWS Access Key ID and AWS Secret Key ID for a JWT? No idea, it's all relatively new & exciting stuff, IMO!
Google might be different, because Google Cloud uses JWTs natively, so you might get to skip that non-standard exchange step