Tales from the Machine Room



Not Particularly Magnificent

Sometimes I look at the "modern" development structure and I think... what the fuck are they thinking?

Ok, I'll try to explain. I grew up in the "old" days where you had a computer in front of you, some book/documentation at hand and that was it. If you wanted to write code, you only had to crack your knuckles and start typing. And if you had a doubt, you only had to open up your books and look up what you needed to know.

"Asking for suggestions" most of the time meant physically going to ask somebody about it, carrying along a bunch of floppies or a thick stack of paper print-outs of your code, and "copy-pasting" from example code basically meant re-typing it from scratch.

If you needed or wanted to use ready-made libraries you had to actually GET the bloody things, most of the time paying for them, and then add them to your project. And a large part of a "development" project was actually to build up a large collection of library functions that were tailored to the job.

And then backup everything of course.

Nowadays... The average developer works by searching for shit on StackOverflow, copy-pasting bits of crappy code that most of the time doesn't work or doesn't do what he wants, then he searches again, copy-pastes some more, then searches a bit more, copy-pastes again, then he downloads a load of crap from this or that site (looking at the code is out of scope, since he doesn't understand what it does or how), tries some more crappy code until it almost looks like it's doing what he wants, and then calls it a day and moves to the nearby coffee shop for a frappuccino and to look cool with his macbook.

And then we wonder why there are so many 'xploits and bugs left unpatched in unimportant stuff like routers, switches and software that is used by a bazillion machines around the world.

Long ago we had Testing & Debugging, which required a long sequence of operations repeated every time we wanted to be sure that our stuff was working. This involved, first of all, collecting all the code written by all the developers, if more than one was working on the same project, and then compiling the whole thing. And normally it wasn't even compiling because something was fucked, so we first had to be sure we could compile everything, then run the "normal" tests that were there to be sure we hadn't broken the whole thing trying to fix it, then check if what we wanted to fix was actually fixed and lastly, try to figure out what else was broken. The whole procedure could take several days or WEEKS.

Now... Modern developers don't do debugging because they don't even know what it means, and they don't test either. What they do is run "automated" tests, which never fail because they are designed to test only what is supposed to work, not what is not supposed to work or how it is supposed to work. That's why we have default usernames and passwords in applications and no checks on the values that are passed in.

Did I mention that a big part of development was building up a large library codebase? Well, maintaining it was a big job. Sometimes a group of people was employed specifically to do only that and nothing else. And whenever there was an update to the libraries, everything had to be recompiled and re-tested to be sure it was all still working. I remember one case where, to fix a minor problem (a stray space in one string), the whole office had to spend a week recompiling and re-testing because the problem was in a library that was used basically everywhere.

Today... The "normal" procedure is to always download from the 'net the latest version of whatever shit they are using, gigabytes of stuff for 'hello world'. And of course, the same is done on the production environment. This way you can never tell if the production environment runs the same shit that you're trying to fix on your stupid laptop, and when something goes wrong, it does so in the most catastrophic way possible.

And after this reminiscent introduction, let's talk about NPM.

You know NPM, don't lie. If you really, truly don't, then you're lucky. NPM stands for Node Package Manager. What is Node? Node is a Javascript engine. It is used by the developer "du jour" to write code that, in theory, is supposed to be super efficient and portable. In practice it ain't.

Now, normally, a language is developed in such a way that the basic functions and libraries are part of the 'core' of the language, and then you can extend it further with libraries. Somehow Javascript has managed to go on for almost 30 years and is still lacking a load of basic stuff, so all of that is also in "external" and "third party" libraries.
This means that, almost every time, every project downloads bits of code that are used thousands of times in every operation. It also means that if something "slips" into those libraries, or is missing, the impact is massive and can't really be prevented. It is implicit in the way the project is organized.
So it is no surprise that the system used to manage and maintain Node's libraries is in the hands of an official body with well respected and known universities and businesses at the helm that guarantee that the code being distributed is of the highest standards and controlled to avoBWAHAHAHAHAHAHAHHAHAHHHHAAHHHH....

No, sorry, I'm messing with you again. No. Sadly. No.

What constitutes basically the lifeblood of countless projects in the whole fucking world is in the hands of a bunch of clowns that don't have any oversight, don't give any guarantee and, recently, decided that to "optimize" their business (?) they needed to fire some of their own developers.

Also, the qualifications to add to or remove from the codebase are apparently even lower than the ones to get a gun in the US (is able to stand up and is not drooling... yet). Not very long ago some jackass developer, pissed off at something, decided to un-publish his bunch of code from Node, causing a world-wide catastrophe with thousands of applications ceasing to work when they couldn't find the bits they were expecting.

After this, you would expect that nobody with a tad of brain and a system that is supposed to be used to make money would touch that stuff with a bargepole. Well, then you don't know $wedoitforreal. Another company that was trying very hard to look "trendy". So trendy that they had to use the latest and greatest.

So they started to build this... thing... using Node. Of course.

And of course they applied the Classic Rules of Applied Programming... also known as CRAP. That is: every time you "deploy", first of all you zap the old version of the application, then you download and update all the libraries (several gigabytes), then you download your code from some repository, then you start it and hope that it doesn't explode in your face.

Now, after a number of "explosions" they were getting a bit irritated by those pesky users, you know, the kind of people who, since they are actually paying you money for the privilege of beta-testing your software, think they can expect something like... I don't know, the fact that the software actually works? And does what they want? I mean, come on... So, they asked us to help solve their problems.

Ok, I use the terms "ask" and "help" in a rather loose way; it should be "they told us in no uncertain terms that we had to fix their shit pronto or they were leaving for some other place". Of course we immediately started celebrating, 'cause the only way to fix their crap was to lock them out of the system and never let them in again.
Our manglement wasn't very keen on that. And since they were more interested in getting the dosh (I mean, they had just spent a lot of money buying up all those companies that are now bringing in all their shitty customers that we don't know what to do with, they have to get some money somehow, right?), they started to throw ideas around.
Like: implementing some sort of code-versioning control or trying to persuade them to first TEST the bloody code before wiping the whole production systems.

I reminded everybody that $wedoitforreal was already using code-versioning, in the form of Git. And they were also "testing" the stuff... on the individual laptops of the various developers. The problem with both was that 1. having your code in some sort of database doesn't guarantee that the code works, only that you can get back to the previous version. Or a different one. And 2. since the "tests" were fully automated and based on what they were expecting, there was no chance of catching any kind of operational error that their customers were making or any kind of "unexpected" behaviour from the same.

And lastly, since every time the procedure was to wipe everything and download the latest version of all the stuff, there was a clear danger of unwanted garbage coming into the system from untrusted sources. In fact, the whole environment should have been considered 'unsafe' for any use.

And while we were debating, suddenly we got the news that one of our systems was spouting malware and seemed to be involved in some sort of DDoS. And who do you think it was? Yep. The latest round of "deployment" apparently had also downloaded from the vastness of the net something that... should not have been there. Before you could say "oops", we applied the Standard Procedure in those cases: kill it with fire. Then, since there was an obvious breach of security, we started a complete re-examination of their codebase, for which we wanted to know what the fuck they were using and why. And as you can imagine, they had no idea what 90% of that code did or who made it or whatnot.

Their standard procedure was "this code (got from CodeWarriors) requires this library that is 600Mb, let's download it and import it in full". Never mind that what they wanted was one single function that probably could have been reduced to 20 lines of code. Nope, who cares? They certainly didn't. Anyhow, since the whole thing was now in the realm of the Security Officer, I swapped NPM for NMP (not my problem) and that was all for me. I've no idea if they ever finished the "code review" or with what results.

Davide
12/04/2019 16:11


Comments are added when and, more importantly, if I have the time to review them, and after removing Spam, Crap, Phishing and the like. So don't hold your breath. And if your comment doesn't appear, it's probably because it wasn't worth it.

Messer Franz By Messer Franz - posted 27/05/2019 09:33

I admit I've sometimes used code from CodeGURU or StackOverflow (though I try to understand what the heck I'm using), but all this reminds me of when I had to work on Linux, where to do thing X you need library Y, which is free, but which in turn needs library Z, which is free, and you have to compile it with program W, which is free, and then you can do thing X. Then, usually after 3-4 hours of compiling, it turns out that one of the links in the chain won't build with the compiler because it was written for an old version, but if you use the old compiler the other parts don't work, and, since it's free and the programmer couldn't make a living from his code and so had to go find a job, abandoning the idea of being the next Bill Gates, it's been two billion centuries since a new version came out (assuming an old one is still floating around on the internet). Wonderful idea, building on the work of others who do it as a hobby...

--
Messer Franz


Guido By Guido - posted 27/05/2019 12:47

Look Davidone,

I'm a few years younger than you, but my way of reasoning is: first understand what you want to do (and how you want to do it), and then, if appropriate, do it. That way, if you know the why and the how, you can also solve any problems and/or apply what you're doing to things that differ from the example.

A while ago $CAPA demanded that I get my hands on a SOAP project, which I know little or nothing about, and I told her so, just as I told her that if she wants me to work on it she has to give me time to study and learn. No. She insisted it be done right away, and to understand SOAP "just look at an example on the internet". That is the way of thinking of many, too many project managers. Obviously, if someone is a greenhorn who has just entered the world of programming and learns from his superiors...

--
who uses Debian learns Debian but who uses Slackware learns Linux


Anonymous coward By Anonymous coward - posted 27/05/2019 13:36

Sadly I have to correct you: to buy a firearm in some of the United States you only need to be able to pay for it; they Couldn't Care Less about any walking or drooling problems you might have.

--
Anonymous coward


Anonymous coward By Anonymous coward - posted 27/05/2019 13:53

I use Stackoverflow every now and then too... But already having clearly in mind WHAT I need to build (and mostly at a hobbyist level), and with a critical approach to the whole thing. It's a case of "I know exactly what I need to do, right now I just can't remember the exact function".

--
Anonymous coward


Massimo M. By Massimo M. - posted 27/05/2019 22:51

I'm a bit more flexible about stackoverflow.

My way of doing things is: I look at the answers, pick out those written by beings with an estimated IQ at least comparable to a (live) fox terrier, and from there I do further research.

Obviously, if I don't fully understand the screed, it doesn't go into my code.

--
Massimo M.


Lazza By Lazza - posted 29/05/2019 17:17

> Nowadays... The typical developer usually works by searching for crap on StackOverflow, copy-pasting chunks of crappy code

Sorry, this time I have to be the "fun at parties" guy. :P

I see that in many articles, but especially in this one, you heavily confuse the term "developer" with the term "programmer". It's not entirely your fault; unfortunately it's a widespread usage.

I don't know whether to consider myself modern, but I'm a developer under 30, so I've used NPM and Node for some projects, even successfully. I'm fairly critical of NPM for several of the reasons you've already listed yourself, but the description of the average incompetent you give isn't that of developers, it's that of the classic self-taught programmers you find so often around.

These are the people who didn't do 5 years of technical high school plus 5 for a master's in computer science, but think that nowadays writing "software developer" in their Twitter bio is enough to be qualified. Then they even call you an "a**hole" if you tell them it isn't so.

Just to say, one of the minimum precautions to take if you use NPM is to specify the exact version of the packages you want to fetch. Besides the fact that downloading them from scratch every time makes no sense at all.

Here you weren't dealing with developers, but with four improvised and completely unprepared programmers. :)

--
Lazza
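The wipe-and-redownload deploy the article describes and the version-pinning precaution Lazza mentions, as an added example (not code from the original post or its commenters): a small Node script that audits a package.json for specifiers that let a fresh install fetch whatever is newest. The manifest, package names and severity labels are constructed for illustration.

```javascript
// Added example (not the post's or its commenters' code): audit a package.json for
// specifiers that let a fresh "npm install" fetch whatever is newest on every deploy.
// The manifest and all package names below are constructed for illustration.
const SAMPLE_MANIFEST = {
  name: "constructed-example-app",
  dependencies: {
    "web-framework": "4.17.1",                 // exact version: reproducible
    "util-belt": "^4.17.11",                   // caret range: minor/patch drift
    "string-pad": "*",                         // anything at all
    "helper-lib": "github:someone/helper-lib", // git source, no commit pin
    "pinned-lib": "git+https://example.invalid/lib.git#" + "ab12".repeat(10), // 40-hex commit
  },
  devDependencies: {
    "test-runner": "latest", // dist-tag: floats to the newest publish
    linter: "~5.16.0",       // tilde range: patch drift
  },
};

// Exact X.Y.Z, optionally with pre-release and build metadata.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
// Sources outside the registry: git, tarball URL, local path, user/repo shorthand.
const REMOTE_SOURCE = /^(?:git\+|git:|github:|gitlab:|bitbucket:|https?:|file:)|\//;

// Classify one specifier: null when it is reproducible, otherwise a finding.
function classifySpec(name, rawSpec) {
  const spec = String(rawSpec).trim();
  if (EXACT_SEMVER.test(spec)) return null;
  if (REMOTE_SOURCE.test(spec)) {
    // A git source pinned to a full commit hash identifies exactly one tree.
    if (/#[0-9a-f]{40}$/i.test(spec)) return null;
    return { name, spec, severity: "high", reason: "remote source without a commit pin" };
  }
  if (spec === "" || spec === "*" || spec === "latest" || /^[<>]/.test(spec)) {
    return { name, spec, severity: "high", reason: "floats to the newest published version" };
  }
  return { name, spec, severity: "medium", reason: "range or dist-tag: drifts between installs" };
}

// Walk every dependency section and collect findings, worst first.
function auditManifest(pkg) {
  const rank = { high: 0, medium: 1 };
  const findings = [];
  let total = 0;
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      total += 1;
      const finding = classifySpec(name, spec);
      if (finding) findings.push({ section, ...finding });
    }
  }
  findings.sort((a, b) => rank[a.severity] - rank[b.severity]);
  return { total, pinned: total - findings.length, findings };
}
console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

Run it against a real project's manifest by replacing SAMPLE_MANIFEST with `JSON.parse(fs.readFileSync("package.json"))`; a lockfile installed with `npm ci` makes ranges reproducible too, but that is exactly the step a wipe-and-redownload deploy skips.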


Klarg @ Lazza By Klarg - posted 31/05/2019 15:58

> Here you weren't dealing with developers, but with four improvised and completely unprepared programmers. :)

I think the term he meant to use was "sviluppatroti" (a pun on "sviluppatori", developers), and autocorrect got him... :D

--
Klarg


Anonymous coward @ Lazza By Anonymous coward - posted 31/05/2019 17:36

>> Nowadays... The typical developer usually works by searching for crap on StackOverflow, copy-pasting chunks of crappy code

> These are the people who didn't do 5 years of technical high school plus 5 for a master's in computer science, but think that nowadays writing "software developer" in their Twitter bio is enough to be qualified. Then they even call you an "a**hole" if you tell them it isn't so.

A former colleague of mine had 5 years of technical high school (computer science track) and was finishing his bachelor's in computer science.

The Android app he was developing had to connect to an HTTP server. Since the app would be used over a mobile connection, I pushed for implementing HTTPS. Android doesn't allow (or at least not easily and without other problems) installing "custom" certification authorities, and nobody wanted to buy a certificate just for that (LE wasn't very well known yet).

His solution? Taken straight from stackoverflow, it said, with a lot of convolutions (check this supercazzola, compare with antani, set this variable so-and-so, run sbidigula), that if the CA is recognised by Android, go ahead; if it isn't recognised, go ahead.

Anyway, in my opinion, the problem wasn't him. He's just an unwitting victim of the environment, the IT one, in which we work: full of fine words and presumption.

--
Anonymous coward


emi.ska By emi.ska - posted 30/05/2019 09:06

Well... what can I say, I also use code taken from the internet every now and then, but at least I read it, and if it doesn't do exactly what I want, I modify it!

Davide, no videos this year? I died laughing watching them...

--
emi.ska




This site is made by me with blood, sweat and gunpowder; if you want to republish or redistribute any part of it, please drop me (or the author of the article, if it is not me) a mail.


This site was composed with VIM; now it is composed with VIM and the (in)famous CMS FdT.

This site isn't optimized for viewing with any specific browser, nor does it require special fonts or resolution.
You're free to see it as you wish.

Powered By Gojira