Non Particularly Maginificent
Sometimes I look at the "modern" development structure and I think... what the fuck are they thinking?
Ok, I'll try to explain. I grew up in the "old" days where you had a computer in front of you, some book/documentation at hand and that was it. If you wanted to write code, you only had to crack your knuckle and start typing. And you had a doubt, you only had to open up your books and look up what you needed to know.
"Asking for suggestion" most of the time meant to phisically go ask somebody about it, carrying along a bunch of floppies or a thick stack of paper print-outs of your code and "copy-pasting" from example code meant re-writing it from scratch basically.
If you needed or wanted to use already-made libraries you had to actually GET the bloody things, most of the time paying for them, and then add them to your project. And a large part of a "development" project was actually to build-up a large collection of library functions that were tailored for the use.
And then backup everything of course.
Nowadays... The average developer works by searching shit in StackOverflow, copy-pasting bits of crappy code that most of the time doesn't work or doesn't do what he wants, then he search again, copy-paste some more, then search a bit more, copy-paste again, then he download a load of crap from this or that site (looking at the code is out of scope, since he doesn't understand what it does and how), try some more crappy code until it almost looks like it's doing what he wants and then call it a day and move to the nearby coffee shop for a frappuccino and to look cool with his macbook.
And then we wonder why there are so many 'xploit and bugs left unpatched in unimportant stuff like routers, switches and software that is used by a bazillion machines around the world.
Long ago we had Testing & Debugging, that required a long sequence of operations repeated every time we wanted to be sure that our stuff was working, this involved first of all collect all the code written by all the developers, if more than one was working on the same project, and then compile the whole thing. And normally it wasn't even compiling because something was fucked, so we had to be sure we could first compile everything, then run the "normal" tests that were to be sure we didn't broke the whole thing trying to fix it, and then to check if what we wanted to fix was actually fixed and lastly, try to figure out what else was broken. The whole procedure coule take several days or WEEKS.
Now... Modern developers don't do debugging because they don't even know what it means, and they don't test either, what they do is to run "automated" tests, that never fails because they are designed to only test what is supposed to work and not what is not supposed to work or nor how is it supposed to work, that's why we have default username and passwords in application and there is no check on the values that are requested.
Did I mentioned that a big part of development was to build large library codebase? Well, maintaining those was a big job. Sometimes a group of people were employed specifically to only do that and nothing else. And whenever there was an update to the libraries, all the stuff had to be recompiled and re-tested to be sure that everything was still working. I remember one case where to fix a minor problem (a space left in one string), the whole office had to spend a week recompiling and re-testing because the problem was in a library that was used basically everywhere.
Today... The "normal" procedure is to always download from the 'net the latest version of wathever shit they are using, gigabytes of stuff for 'hello world'. And of course, everything is done the same on the production environment. This way you can't never tell if the production environment run the same shit that you're trying to fix on your stupid laptop and when something goes wrong, it does it in the most catastrophic way possible.
And after this reminescent introduction, we talk about NPM.
You know NPM don't lie. If you really, truly don't. Then you're lucky. NPM stands for Node Package Manager. What is Node? Node is a Javascript engine. It is used by the developer "du jour" to write code that, in theory, is supposed to be superefficient and portable. In practice it ain't.
Now, normally, a language is developed in such a way that the basic functions and libraries are part of the 'core' of the language, and then you can extend it further with libraries. Somehow Javascript has managed to go for almost 30 years and still is lacking a load of basic stuff, so all that is also part of "external" and "third party" libraries.
This means that, almost every time, every project download bits of code that are used thousands of time in every operation. It also means that if something "slip" into those libraries, or is missing, the impact is massive and can't really be prevented. It is implicit in the way the project is organized.
So it is no surprise that the system that is used to manage and maintain Node's libraries is in the hands of an official body with well respected and known university and business at the helm that guarantee that the code that is distributed is of the maximum standards and controlled to avoBWAHAHAHAHAHAHAHHAHAHHHHAAHHHH....
No, sorry, I'm messing with you again. No. Sadly. No.
What constitute basically the life and blood of countless projects in the whole fucking world is in the hands of a bunch of clowns that don't have any oversight, don't give any guarantee and, recently, decided that to "optimize" their business (?) they need to fire some of their own developers.
Also, the qualification to add or remove from the codebase apparently are even lower than the ones to get a gun in the US (is able to stand-up and is not drooling...yet). Is from not very long ago that some jackass developer, pissed off at something, decided to de-publish his bunch of code from Node causing a world-wide catastrophe with thousands of application ceasing to work when they couldn't found the bits they were expecting.
After this, you would expect that nobody with a tad of brain and a system that is supposed to be used to get money would touch that stuff with a bargepole. Well, then you don't know $wedoitforreal. Another company that was trying very hard to look "trendy". So trendy that they had to use the latest and greatest.
So they started to build this... thing... using Node. Of course.
And of course they applied the Classic Rules of Applied Programming... also known as CRAP. That is: every time you "deploy", first of all you zap the old version of the application, then you download and update all the libraries (several gigabytes) then you download your code from some repository then you start and hope that it doesn't explode in your face.
Now, after a number of "explosion" they were getting a bit irritated by those pesky users, you know, the kind of peoples that since they are actually paying you money for the privileges of doing the beta-testing of your software, they think they can pretend something like... I don't know, the fact that the software actually works? And does what they want? I mean, come on... So, they asked us to help to solve their problems.
Ok, I use the term "ask" and "help" in a more general way, it should be "they told us with no half-term that we had to fix their shit pronto or they were leaving for some other place". Of course we immediately started celebrating, 'cause the only way to fix their crap was to lock them out of the system and never let them in again.
Our manglement, wasn't very keen on that. And since they were more interested in getting the dosh (I mean, they just spent a lot of money in buying up all those companies that are now bringing in all their shitty customers that we don't know what to do with, they have to get some money somehow, right?), started to throw ideas around.
Like: implementing some sort of code-versioning control or try to persuade them to first TEST the bloody code before wiping the whole production sytems.
I reminded everybody that $wedoitforreal was already using a code-versioning, in the form of Git. And they were also "testing" the stuff... on every individual laptops of the various developer. The problem with both was that 1. having your code in some sort of database doesn't guarantee that the code works, only that you can get to the previous version. Or a different one. And 2. since the "test" were fully automated and based on what they were expecting, there was no chance to catch any kind of operational error that their customers were doing or any kind of "unexpected" behavour from the same.
And lastly, since everytime the procedure was to wipe everything and download the last version of all the stuff, there was a clear danger of unwanted garbage coming into the system from untrusted sources. In fact, the whole environment should've been considered 'unsafe' for any use.
And while we were debating, suddenly we got the news that one of our system was spouting malware and seemed to be involved in some sort of DDOS. And who do you think it was? Yep. The latest round of "deployment" apparently had downloaded from the vastity of the net also something that... should not have been there. Before you could say "uops", we applied the Standard Procedure in those cases: kill it with fire. Then, since there was an obious breach of security, we started a complete re-examination of their codebase, for which we wanted to know what the fuck are you using and why. And as you can imagine, they had no idea what 90% of that code did or who made it or whatnot.
Their standard procedure was "this code (got from CodeWarriors) require this library that is 600Mb, let's download it and import it in full". Never mind that what hey wanted was one single function that probably could have be reduced to 20 lines of code. Nope, who cares? They certainly didn't. Anyhow, since the whole thing was now in the realm of the Security Officer, I swapped NPM with NMP (not my problem) and that was all for me. I've no idea if they ever finished the "code review" and with what results.
Davide
12/04/2019 16:11
