He reads like an academic. This is a really interesting perspective; I’ve never thought anything of his writing because it’s what I’m used to from normal journals. There is a style, good or bad, that comes from this stuff.
My degree is in combinatorics. All of the fancy words you’re not a fan of are core ideas (the Petersen graph is really neat). I view The Art… as an academic work for academics who aren’t necessarily excited about the real world (which is my approach to combinatorics). If you’re not one of those people, you’re not interested in becoming one of those people, or you don’t work/research something that needs incredible optimization, you can safely skip it. Once you go into heavy proofs, the utility is very debatable.
I catch a lot of shit for my distaste of GPL. I don’t think I should be able to tell you what you can and can’t do with my source code. I’ve released it into the wild. If I put caveats on it it’s not really free.
I agree with comment OP; you haven’t solved the problem. The number of empty lines in a file that shouldn’t be parsed shouldn’t affect your code. If it is, then you need to stop parsing files that shouldn’t be parsed. For example, if this arbitrary file is being included (totally valid assumption given your debugging), what’s to prevent a malicious payload from being included or executed?
I genuinely have no idea how a random text file, much less a dot file, gets parsed in a PHP project. It feels like there’s no attempt at file validation which is really fucking important for server-side code.
The Twitter account has been privated and there are no news stories about it. Other communities where this has been shared are reasonably suspicious.
I have heard the same rhetoric about IDEs, autocomplete (Intellisense, Jedi, etc.), DevOps, and frameworks. The kernel of truth across all of them is the separation between a dev and good dev. It is getting easier and easier to have something built for you using AI in your IDE in a framework that abstracts all the things away dumped into a prebuilt pipeline that deploys your artifacts for you. A dev can do that. A good dev understands the tools and knows when to dig into things.
I have yet to see a decrease in the number of good devs I meet even though IDEs slowly replaced text editors (and editors became strong enough to become IDEs). Frameworks have enabled more good devs to focus on business logic. DevOps provides solid guard rails for everything.
I don’t know if there’s an increase in the number of superficial devs. I haven’t interviewed junior dev candidates in a while. I do know the market is flooded right now so I’d argue there might be other factors.
Also overall I do agree with the idea that letting copilot do everything for you means you don’t understand anything. Shit was the same way when cookbooks were common.
$2/mo is pretty close to what Reddit premium was back before they turned the Reddit silver meme into a real thing! That’s a great amount to donate. Don’t sell yourself short.
You’ve turned this into a catch-22. If there were no female characters, you could argue that’s sexist. If the idiotic boss was female, you could argue all of the dumb characters are female so that’s sexist. If Jarod were the only female, that would be sexist.
How does this sketch get rewritten in such a way that it is not casually sexist?
A single character, per your definition, is not blatant malicious code. Stop moving the goalposts.
It’s clear you don’t understand the space and you don’t seem to have any interest in acting in good faith based on your other comments so good luck.
I mean anything is a good fit for future, science fiction AI if we imagine hard enough.
What you describe as “blatant malicious code” is probably only things like very specific C&C domains or instruction sets. We already have very efficient string matching tools for those, though, and they don’t burn power at an atrocious rate.
You’ve given us an example so PoC||GTFO. Major code AI tools like Copilot struggle to explain test files with a variety of styles, skips, and comments, so I think you have your work cut out for you.
There are competing interests here: normal consumers and script kiddies. If I build an API that follows good design, RFCs, pretty specs, all of that, my normal users have a very good time. Since script kiddies brute force off examples from those areas, so do they. If I return 200s for everything without a response body unless authenticated and doing something legit, I can defeat a huge majority of script kiddies (really leaving denial of service). When I worked in video games and healthcare, this was a very good idea to do because an educated API consumer and a sufficiently advanced attacker both have no trouble while the very small amount of gate keeping locks out a ton of annoying traffic. Outside of these high traffic domains, normal design is usually fine unless you catch someone’s attention.
Other answers have only called out rotating the secret which is how you fix this specific failure. After you’ve rotated, delete the key from the repo because secrets don’t belong in repos. Next look at something like git-secrets or gitleaks to use as a local pre-commit hook to help prevent future failures. You’re human and you’re going to make mistakes; plan for them.
Another good habit to be in is to only access secrets from environment variables. I personally use direnv whose configuration file is globally ignored via the core.excludesfile.
You can add other strategies for good defense-in-depth such as a pre-receive hook checking for secrets to ensure no one can push them (e.g. they didn’t install hooks).
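As an added example (not part of the original comments, and not gitleaks or git-secrets themselves), here is the shape of the local pre-commit check described above: scan only the lines a commit adds, and refuse the commit when one looks like a credential. The three patterns, the `--staged` flag and the sample diff are all constructed for this example; real tools ship far larger rule sets.

```shell
#!/bin/sh
# Newline-separated ERE patterns: PEM private key headers, AWS access key ids,
# and "KEY/SECRET/TOKEN/PASSWORD = <16+ chars>" style literal assignments.
SECRET_PATTERNS='-----BEGIN( [A-Z ]+)? PRIVATE KEY-----
AKIA[0-9A-Z]{16}
(api_key|apikey|api-key|API_KEY|APIKEY|secret|SECRET|token|TOKEN|password|PASSWORD)["'\'']?[[:space:]]*[:=][[:space:]]*["'\'']?[A-Za-z0-9/+_-]{16,}'

# scan_added_lines DIFF_TEXT
# Keeps only added lines of a unified diff (dropping the '+++ b/file' header),
# prints every line that matches a pattern, and returns 1 if any did, else 0.
scan_added_lines() {
    hits=$(printf '%s\n' "$1" \
        | grep -E '^\+' | grep -Ev '^\+\+\+ ' \
        | grep -E -e "$SECRET_PATTERNS" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# count_hits DIFF_TEXT: number of offending added lines (always exits 0).
count_hits() {
    scan_added_lines "$1" | grep -c . || true
}

# Constructed sample standing in for `git diff --cached -U0`. Two lines should be
# caught (the API_KEY literal and the AWS documentation example key id); the
# environment-variable read and the removed line should not.
SAMPLE_DIFF='diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
+API_KEY = "EXAMPLEkey0123456789abcdef"
+DEBUG = True
-OLD_SETTING = 1
+# reading from the environment is fine: api_key = os.environ["API_KEY"]
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE'

CLEAN_DIFF='+++ b/settings.py
+api_key = os.environ["API_KEY"]
+log_level = "info"'

if [ "${1:-}" = "--staged" ]; then
    # Hook mode: save as .git/hooks/pre-commit (executable) and invoke with --staged.
    scan_added_lines "$(git diff --cached -U0)" \
        || { echo "refusing commit: secret-looking value in staged changes" >&2; exit 1; }
elif scan_added_lines "$SAMPLE_DIFF"; then
    echo "sample diff: clean"
else
    echo "sample diff: commit would be refused"
fi
```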
To be clear, usually there’s an approval gate. Something is generated automatically but a product or business person has to actually approve the alert going out. Behind the scenes everyone internal knows shit is on fire (unless they have shitty monitoring, metrics, and alerting which is true for a lot of places but not major cloud or SaaS providers).
This is a common problem. Same thing happens with AWS outages too. Business people get to manually flip the switches here. It’s completely divorced from proper monitoring. An internal alert triggers, engineers start looking at it, and only when someone approves publishing the outage does it actually appear on the status page. Outages for places like GitHub and AWS are tied to SLAs that are tied to payouts or discounts for huge customers so there’s an immense incentive to not declare an outage even though everything is on fire. I have yelled at AWS, GitHub, Azure, and a few smaller vendors for this exact bullshit. One time we had a Textract outage for over six hours before AWS finally decided to declare one. We were fucking screaming at our TAM by the end because no one in our collective networks could use it but they refused to declare an outage.
Your response was to call my argument sarcasm. That is directed at me rather than what I said. That’s quite literally, not figuratively, the definition of sarcasm.
I wish you the best of luck. You don’t seem to be interested in the comments unless it agrees with you and you have yet to share a perfect resource. Have fun!
I took the things defined in the comments responding to mine and extended them. If we can’t share a mixed bag, all of the things I highlighted are out. It would be logically inconsistent to think otherwise starting from your conclusions. Either we have perfect resources or we have, as I called out, to pick and choose our battles. I want to see a perfect resource not ad hominem.
Edit: genuinely surprised to see someone on a CS instance not understand reductio ad absurdum/impossibile (depending on how you feel about Gang of Four)
I’m all for it! What’s the resource that solves this problem?
It must be perfect since we can’t ever give mixed bags of advice. There are apparently better resources although I didn’t see one in the article and things like Code Complete and Pragmatic Programmer address a lot of the same things. Hell, we probably shouldn’t talk about The Mythical Man-Month anymore either. Do we also throw out Design Patterns since singletons are arguably bad design these days?
I feel like it’s wrong to idolize anything in the same way that it’s wrong to throw out many things (there are some clear exceptions usually in the realm of intolerance but that’s unrelated to this). Clean Code, like every other pattern in software development, has some good things and some bad things. As an introduction to the uninitiated, it has many good things that can be built on later. But, like Gang of Four, it is not the only pattern we apply in our craft and, like Agile, blind devotion, turning a pattern into a prescription, to Clean Code is going to lead to a lot of shit code.
Cognitive load helps us understand this problem a lot better. As a junior with no clue how to write production code, is Clean Code going to provide me with a decent framework I can quickly learn to start learning my craft, should I throw it out completely because parts are bad, or should I read both Clean Code and all its criticism before I write a single line? The latter two options increase a junior’s extraneous cognitive load, further reducing the already slim amount of power they can devote to germane cognitive load because their levels of intrinsic are very high by the definition of being a junior.
Put a little bit differently, perfection (alternatively scalable, maintainable, shipped code) comes from learning a lot of flawed things and adapting those patterns to meet the needs. I am going to give my juniors flawed resources to learn from to then pick and choose when I improve those flaws. A junior has to understand the limitations of Clean Code and its failures to really understand why the author is correct here. That’s more cognitive science; we learn best when we are forming new connections with information we already know (e.g. failing regularly). We learn worse when someone just shows us something and we follow it blindly (having someone solve your problem instead of failing the problem a few times before getting help).
I’m gonna be super hand-wavy with citations here because this is a soapbox for me. The Programmer’s Brain by Felienne Hermans does a good job of pulling together lots of relevant work (part 2 IIRC). I was first introduced to cognitive load with Team Topologies and have since gone off reading a bunch of different things in pedagogy and learning theory.
I think a huge problem with this is trying to frame everything through D&D as well as our perspective. Fuck modern D&D and its desire to control the entire dialogue. Wizards of the Coast aside, there’s also a fantasy component here. I personally dislike requiring all races to act exactly like humans with human motives. From a specific perspective, we view the wanton murder and sacrifice of wood elves by the drow as a terribly evil thing. From the drow perspective, why can’t the opposite be true? I’m not talking about Salvatore’s one-sided writing that makes it clear the whole thing is a massive con. D&D is very biased toward human motive and perspective. Why can’t both be true? Drow are evil to us and we are evil to them? That’s a much more interesting story and completely changes the narrative around someone like Drizzt.
This is a really nuanced take on speculative fiction in general. I also strongly feel that, the way WotC writes things, removing racial alignment is very important. There is no nuance in their universe. Even when we see other races, we always evaluate their action through a human lens rather than being presented a cogent paradigm contrary to ours.
This doesn’t paper over deprecating the Rust plugin and stealing contributions. I used to be a huge JetBrains fan and now I pull this out every time. Anything but.