Categories
General

It’s good to talk

This has been a pretty fun few weeks. I did a talk (“Agile at Amazon”) at an AgileScotland/ScotlandIS event in Glasgow. My main claim was that there are two vital ingredients for effective software project. Firstly, you must accept that during a project you will go through a learning process. You learn about technology, the business and the problem domain. Your development process needs to embrace this learning process, and make it easy (not painful) to change direction throughout the project as you learn new stuff. Secondly, software development is done by human beings, not robots. A good development process will accept this, and play to our human strengths whilst protecting us from our weaknesses. If you want a successful project, you need engineers who are enjoying their job, learning a range of relevant skills and working in a supportive environment. The rest of my talk described what a typical month at Amazon Scotland looks like.

Ezra Cooper kindly continued the talk-karma by agreeing to come along to Amazon and give us a talk on the work he’s doing on the Links project, It was a really good talk, and delivered well. I’m pleased to see that Ezra got a lot out of our questions during the talk. Thanks again, Ezra!

In other spoddery, I’ve been using the amazing Omniscient Debugger again. This time I’m trying it out on non-toy examples, and have been feeding bug reports back to Bil. If you want to see the debugger in action, check out the wonderful Bil delivering a talk at Daniel Friedman’s 60th birthday celebrations.

Finally, I’m excited to be going to a week-long course on the Foundation of Computing Science in a few weeks. I’ve done a fair amount of reading in this area in my spare time, but it’s great to have an opportunity for a bit of focused learning (and question asking!).

Categories
General

Capistrano security fun

Capistrano (formerly switchtower) is the ‘ruby on rails’ way to deploy your code out onto your fleet of production/test servers. I’ve previously written my own ‘deploy’ script which had similar goals to capistrano, but I’ve only recently tried capistrano itself.

Having now used it, I think it makes a poor design decision. Capistrano runs a “svn co” operation on the deploy host itself. I think it’d be much better to grab a clean set of sources on your local development box, and then rsync/scp that to each deploy host.

The capistrano way is poor for the following reasons. Firstly, since I access my svn respository over ssh I need to have my private key on my deploy host. This is non-optimal for security reasons. I want to keep close tabs on my private keys, and I don’t want it living on a (potentially) compromisable public-facing host. Why not do all the svn stuff locally and keep your private key local?

But it gets worse. Your deployed rails app ends up (by default) being a ‘live’ checked out copy, complete with .svn directories. Additionally, the default rails setup unfortunately exposes the very top level .svn directory in your deployment. This leaks some information: nothing critical, but in security terms any leakage is bad. To find examples, look no further than the list of apps on the RoR site. Examples include 37signals [fixed] and penny arcade and strongspace and iconbuffer [fixed] etc.

Like I say, the information leaked in this way is not too critical. But, if you were into social engineering, knowing the hostname of their internal svn server in addition to login names for several developers could be just the info you need.

What’s the moral to this story? It’s the old lesson of minimal privileges. There’s no real need for the deployment hosts to have ssh access to the svn repository. Nor is there any need to have your deployment version be a ‘live’ checked out version of your source code. I think I will be sticking to a deployment method where I check out locally and rsync to the production hosts …

Update: This method also reveals the contents of some .htaccess files … append .svn/text-base/.htaccess.svn-base to your favourite rails app URL.

Categories
Programming

MethodFinder for Ruby

I was preparing a talk about Smalltalk for the boys and girls at Amazon when it occured to me that it’s easy to implement Smalltalk’s MethodFinder in Ruby. So, without further ado, here’s a Ruby MethodFinder. Take the red pill, dynamic Neo!

Excerpt from the article:

I use lots of different programming languages, and they all seem to have different names for the same concepts. For example, string concatenation is “+” in ruby and java, “.” in perl, “,” in smalltalk and “^” in ocaml. After a while, this starts to drive you mad. I know that I want a method which takes “foo” and “bar” and returns “foobar” but I can’t remember which incantation I need to utter today.

Smalltalk has this neat thing called the MethodFinder. It lets you find methods by providing an example. If you’ve got the string “foo”, you can ask the MethodFinder to find all the method that, when called with argument “bar” return “foobar”. This is a very useful tool. No more scrabbling around with documentation to find the name of a method which you know exists. Stay in the red-pill world, and ask the code.

Now, ruby is basically smalltalk (without lots of the k3wl bits). So we can easily build a method finder in ruby too!

Read the full article here.

Categories
General

Trusting your future self

Trusting your future self:

– You don’t need to solve all your problems right now by yourself.
– There’s another copy of you – tomorrow’s you – waiting in the future to help.
– Actually, in this week alone, there’s another six “future you”s all waiting to help out.
– They’re going to know everything you do, plus more.
– “Tomorrow’s you” has a whole extra day to sort stuff out in.

So, “today’s you” can relax a bit. Instead of taking the whole world on your shoulders today, trust your future self.

(Okay, I haven’t turned into a self-help guru overnight. But this mind-hack has been really useful to me. I’ve told a few other people about it and got positive feedback, so I decided to write it down. Normal planning-to-take-over-the-world stuff will resume shortly).

Categories
Programming

Callstacks of the future

I read a blog entry recently (but can’t find the reference now, sorry) which changed my view about callstacks. Now, these are pretty fundamental things and I’ve been aware of them for nearly twenty years. So this was a pretty remarkable change.

In my head, a callstack was a record of history. When I drop into the debugger, I look at the callstack to see “where I’ve been”.

That’s wrong. The callstack isn’t a record of history. It’s a record of the future. It tells you where your computation is going to go next. The “return addresses” on the stack are where computation will continue from in the future.

Now, it’s easy to see why my misconception has continued for so long. There’s usually not much difference between the two views. Most of the time in a C-like language, you get called from some point in a function and then (later) you resume again from just after that point. So is it really worth worrying about such a tiny different?

Yes it is, because it gets your mind ready to understand concepts such as tail-call optimization and continuations much more easily. In the “future” view of callstacks, tailcall optimization becomes obvious. If we don’t need an activation record in the future, we don’t need it on the stack. Similarly, continuations make much more sense.

It’s a pretty small change in metaphor. I haven’t magically learned anything new because of it. But several bits of my knowledge now fit together in a much more satisfying way because of this switch. Whoever wrote that original blog article, thank you! 🙂

UPDATE: Rar, finally found the original blog article. Dave Herman was the man with the wisdom. 🙂