We do programmers a disservice when we act as if the conversation about the growing threat of legacy code begins and ends with COBOL. A whole generation of software engineers is spending their careers making the problem worse by outsourcing all but the most unique aspects of their applications to armies of libraries, plugins and modules that they are powerless to monitor, let alone update.
The real horseman of the legacy apocalypse is the depth of the dependency tree. Modern software development stacks abstraction on top of abstraction. If the left-pad incident of 2016 proved nothing else, it demonstrated that even experienced engineers will YOLO dependencies onto their applications if given the infrastructure to make installing them easy. Modern developer environments are a veritable candy store of cheap and convenient dependencies.
My workstation (E5-2640) has seen multiple generations of operating systems, video editing software, DAWs.
Browsers and web browsing in general are the only thing that, as far as I can tell, is getting consistently worse year after year.
I know it's an odd metric but 10-15 seconds to fully render a newspaper homepage is more than it takes for my full DAW setup (Cubase + FL Studio as VST plugin) to fully come up with tracks loaded and play button ready. I don't even recall dialup being this bad.
So we are driving company decision making based on the needs of synthetic fake financial instruments? Is there any other way to run a company that is more stupid than striving to fulfill the needs of someone else's derivative product?
I cannot imagine a worse basis on which to steer a company. It makes zero sense. Using a random number generator to pick every decision would result in better results than what we are currently doing.
An example of a company that has completely succumbed to Wall Street is Texas Instruments. They are (or used to be) a tech company. They used to have research. They used to create new products.
But in the past few years they have started committing to "returning 100% of free cash flow to investors" (quoting their own earnings release) via stock buybacks and dividends. They actually put it down in writing: we are committed to NOT reinvesting in employees, NOT doing R&D, NOT creating new products. Every earnings call is about how they are still committed to getting all the cash into stock buybacks and dividends. That's it. That's the whole company now.
Wall Street loves Texas Instruments. The shiny bucket of treasure known as stock buybacks + equity based compensation is irresistible. This is going to keep happening until we make it stop happening.
First, as I show, courts have shifted the boundaries of protection for software under both copyright and patent law, further amplifying the attractiveness of trade secrecy. Second, the law has been willing to entertain a unique (and paradoxical) overlap between copyright, patent, and trade secrecy, even though the three regimes have opposing public goals. Copyright and patent law are oriented towards disclosure, trade secrecy the opposite. While this overlap of protection in software seemed, at first glance, to be a good thing for innovation policy, it has proven deleterious for the larger public, particularly criminal defendants and lower-income populations, who are now increasingly governed by an invisible hand that they can no longer investigate or question.
8 months ago
Recent years have seen a number of supply chain attacks that leverage the increasing use of open source during software development, which is facilitated by dependency managers that automatically resolve, download and install hundreds of open source packages throughout the software life cycle. This paper presents a dataset of 174 malicious software packages that were used in real-world attacks on open source software supply chains, and which were distributed via the popular package repositories npm, PyPI, and RubyGems. Those packages, dating from November 2015 to November 2019, were manually collected and analyzed.
Third-party delivery platforms, as they've been built, just seem like the wrong model, but instead of testing, failing, and evolving, they've been subsidised into market dominance.
“Things have really changed since I began learning, and rightly so. Instead of coding in plain HTML, CSS and JS, I'm now using endless frameworks, modules and libraries to build increasingly more complex web and mobile applications. It's great, if I didn't use these tools my code would be an unmaintainable mess.”
How sad that this has become the widely accepted narrative. There’s a lot of value right now in NOT building things that way. Last week I had to deal with fixing another dev’s mess on a stuck project. Big company website, but nothing fancy at all. Purely a marketing window. The amount of complexity he put into it by using Vue.js was insane for the scope of the project. INSANE. To do something as easy as changing the page's <title> tag we had to write an unjustified number of lines of code. Framework-itis really is a bad disease; it not only affects your work, but it definitely clouds the simplest form of judgement, it appears. Then we have exactly this: someone who got a hammer and spent years treating everything like a nail comes to a reckoning, usually framed as a longing for the good old days when things used to be simple. Well, you know, things can still be simple, if you don’t offload to unjustifiably complex frameworks the duty of understanding what’s going on in your project.
9 months ago
9 months ago in Quotes
For the most part I think the reason so many web devs put up with the “all-react” (and similar) development experience is basically cargo culting. If you admit you don’t like it, chances are there’s at least one front-end hipster around who will mock you as outdated, and that’s enough to silence most. For the hipsters, the problems of SPAs are hard, and engineers like hacking on hard problems. Also the fact that the solutions don’t work very well means they’re constantly being reinvented, which means if you do the work to keep up with it all you’re rewarded by being regarded as an expert, which is nice.
Lastly, I wouldn’t underestimate how this has built up slowly over time, and therefore how many people just don’t know any better.
This is a good, very productive, very fast-learning developer I’m talking about. He literally had never tried to use the DOM API, and didn’t realize it was, you know, useful.
I think there’s a lot of that in front end world today.
9 months ago in Quotes
I fear that most authors (and most creators of images and links) are not knowledgeable enough to see the web's shortcomings and that it will be very hard to explain the shortcomings to them, with the result that most authors will continue to consider their job to be done once they have put their writings (and images and links) on the web.