Try something like this:
When a user visits the website, they will be assigned a session ID, and it will be transmitted to them in the HTTP response and stored in their browser.
But not like this!
When a user visits the website, he will be assigned a session ID, and it will be transmitted to him in the HTTP response and stored in his browser.
Using gendered pronouns signals to the audience your assumptions about who they are, and very often lets them know that they don't belong. Since that's not your intent, better to just be gender neutral.
And if you don't believe me, some folks did some science (other studies have consistently reproduced this result).
It's a nice idea, unfortunately it doesn't work. Your users don't read your documentation cover to cover, so they won't be able to see your good intentions. Instead they'll be linked somewhere in the middle, see your gendered language, and feel excluded.
In addition, not everyone identifies by male or female pronouns. Play it safe, just be gender neutral.
I've been assured by people far more knowlegable than I that it's ok, even Shakespeare did it. Personally, I'm comforted by the knowledge that even if I'm wrong about the grammar, I won't have made anyone feel excluded.
So merge it! If you've got some process that a contributors needs to go through (such as a CLA), let them know. They're just trying to make your community better and bigger!
I'm sorry, but you were. Your choice of language has an impact on people.
That's ok, hostility isn't about intent, your words had an impact whether you meant it or not.
Maybe you didn't know, you're not a native English speaker, your 11th grade English teacher beat you over the head with some bad advice. That's ok, it only takes a moment to fix it, and then you're letting everyone know it's easy to fix!
There are so many giant issues we face. This one takes 15 seconds to fix, has no downsides, and we can all be a part of making it better. If we can't do this, how could we ever tackle the other challenges?
You have no idea.
Whenever the topic of affirmative action comes up, you can be sure someone will ask the question: "How would you feel if you found out that you got your job, or got into college, because of your race?"
It's funny, no one ever asks: "How would you feel if you got your job, or got into college, because you were systemically advantaged from the moment you were born?"
Interesting.You can find the rest here. There are view comments.
This post is intended to describe how open source projects should handle security vulnerabilities. This process is largely inspired by my involvement in the Django project, whose process is in turn largely drawn from the PostgreSQL project's process. For every recommendation I make I'll try to explain why I've made it, and how it serves to protect you and your users. This is largely tailored at large, high impact, projects, but you should able to apply it to any of your projects.
Security vulnerabilities put your users, and often, in turn, their users at risk. As an author and distributor of software, you have a responsibility to your users to handle security releases in a way most likely to help them avoid being exploited.
The first thing you need to do is make sure people can report security issues to you in a responsible way. This starts with having a page in your documentation (or on your website) which clearly describes an email address people can report security issues to. It should also include a PGP key fingerprint which reporters can use to encrypt their reports (this ensures that if the email goes to the wrong recipient, that they will be unable to read it).
You also need to describe what happens when someone emails that address. It should look something like this:
From the moment you get the initial report, you're on the clock. Your goal is to have a new release issued within 2-weeks of getting the report email. Absolutely nothing that occurs until the final step is public. Here are the things that need to happen:
Obtaining a CVE
In short, follow these instructions from Red Hat.
Your release announcement needs to have several things:
Why complete disclosure?
I've recommended that you completely disclose what the issue was. Why is that? A lot of people's first instinct is to want to keep that information secret, to give your users time to upgrade before the bad guys figure it out and start exploiting it.
Unfortunately it doesn't work like that in the real world. In practice, not disclosing gives more power to attackers and hurts your users. Dedicated attackers will look at your release and the diff and figure out what the exploit is, but your average users won't be able to. Even embedding the fix into a larger release with many other things doesn't mask this information.
In the case of yesterday's Node.JS release, which did not practice complete disclosure, and did put the fix in a larger patch, this did not prevent interested individuals from finding out the attack, it took me about five minutes to do so, and any serious individual could have done it much faster.
The first step for users in responding to a security release in something they use is to assess exposure and impact. Exposure means "Am I affected and how?", impact means "What is the result of being affected?". Denying users a complete description of the issue strips them of the ability to answer these questions.
A zero-day is when an exploit is publicly available before a project has any chance to reply to it. Sometimes this happens maliciously (e.g. a black-hat starts using the exploit against your users) and sometimes it is accidentally (e.g. a user reports a security issue to your mailing list, instead of the security contact). Either way, when this happens, everything goes to hell in a handbasket.
When a zero-day happens basically everything happens in 16x fast-forward. You need to immediately begin preparing a patch and issuing a release. You should be aiming to issue a release on the same day as the issue is made public.
Unfortunately there's no secret to managing zero-days. They're quite simply a race between people who might exploit the issue, and you to issue a release and inform your users.
Your responsibility as a package author or maintainer is to protect your users. The name of the game is keeping your users informed and able to judge their own security, and making sure they have that information before the bad guys do.
Let's start with a definition, a meritocracy is a group where leadership or authority is derived from merit (merit being skills or ability), and particularly objective merit. I think adding the word objective is important, but not often explicitly stated.
A lot of people like to say open source is a meritocracy, the people who are the top of projects are there because they have the most merit. I'd like to examine this idea. What if I told you the United States Congress was a meritocracy? You might say "gee, how could that be, they're really terrible at their jobs, the government isn't even operational!?!". To which I might respond "that's evidence that they aren't good at their jobs, it doesn't prove that they aren't the best of the available candidates". You'd probably tell me that "surely someone, somewhere, is better qualified to do their jobs", and I'd say "we have an open, democratic process, if there was someone better, they'd run for office and get elected".
Did you see what I did there? It was subtle, a lot of people miss it. I begged the question. Begging the question is the act of responding to a hypothesis with a conclusion that's premised on exactly the question the hypothesis asks.
So what if you told me that Open Source was meritocracy? Projects gain recognition because they're the best, people become maintainers of libraries because they're the best.
And those of us involved in open source love this explanation, why wouldn't we? This explanation says that the reason I'm a core developer of Django and PyPy because I'm so gosh-darned awesome. And who doesn't like to think they're awesome? And if I can have a philosophy that leads to myself being awesome, all the better!
Unfortunately, it's not a valid conclusion. The problem with stating that a group is meritocratic is that it's not a falsifiable hypothesis.
We don't have a definition of objective merit. As a result of which there's no piece of evidence that I can show you to prove that a group isn't in fact meritocratic. And a central tenant of any sort of rigorous inquisitive process is that we need to be able to construct a formal opposing argument. I can test whether a society is democratic, do the people vote, is the result of the vote respected? I can't test if a society is meritocratic.
It's unhealthy when we consider or groups, or cultures, or our societies as being meritocratic. It makes us ignore questions about who our leaders are, how they got there who isn't represented. The best we can say is that maybe our organizations are (perceptions of subjective merit)-ocracies, which is profoundly different from what we mean when we say meritocracy.
I'd like to encourage groups that self-identify as being meritocratic (such as The Gnome Foundation, The Apache Software Foundation, Mozilla, The Document Foundation, and The Django Software Foundation) to reconsider this. Aspiring to meritocracy is a reasonable, it makes sense to want for the people who are best capable of doing so to lead us, but it's not something we can ever say we've achieved.You can find the rest here. There are view comments.
If you haven't already, you should start by reading Wired's article on this.
I am not a lawyer. That said, I want to walk through my take on each stage of this.
The government served Lavabit with an order requiring them to supply metadata about every email, as well as mailbox accesses, for a specific user. Because this was "metadata" only the government was not required to supply probable cause.
First, it should be noted that metadata isn't a thing. There's not a definition, it has no meaning. There's simply data.
Lavabit refused to comply, whereupon the government filed a motion requiring them to comply, which a US magistrate so ordered.
And here's where things go wrong. The magistrate erred in ordering compliance. While an argument could be made (note: I'm not making this argument) that in general, certain metadata does not have an expectation of privacy, Lavabit operates a specialized service. Immediately upon receipt of mail, it's encrypted with a user's public key. After that it's technically impossible for the service to read the plaintext of a user's email. This relationship creates a strong expectation of privacy, and the Fourth Amendment very explicitly requires a warrant supported by probably cause at this point.
But let's ignore this first order. Lavabit has, in past, complied with lawful search warrants, and there's no reason to believe they would not have been able to comply with a lawfully constructed one here.
Following this the FBI obtained a warrant requiring that Lavabit turn over their SSL private key. The application for, and issue of, this warrant unambiguously violated Lavabit's constitutional protection. The Fourth Amendment requires that a warrant describe specifically where is to be searched, and what they're looking for.
Access to Lavabit's private key would allow someone with the raw internet traffic (which presumably the FBI, had access to) to decrypt and read any user's emails before they reached Lavabit's servers. Simply put, this was a warrant issued in flagrant violation of the United State Constitution.
The fact that Lavabit refused to cooperate with the government's original order in no way gave them the right to apply (or be granted) the follow up order. Failure to comply with a lawfully issued warrant can result in fines, or even jail time, but it does not grant the government extra-legal authority.
The entirety of this case, but particularly the government's second request, demonstrate a travesty of immense proportions. The assumptions I grew up with about my legal protections as an American are rapidly being shown to be illusory. Lavabit's founder is raising money to support his legal defense, I've donated and I hope you will too.You can find the rest here. There are view comments.
Maybe you practice code review, either as a part of your open source project or as a part of your team at work, maybe you don't yet. But if you're working on a software project with more than one person it is, in my view, a necessary piece of a healthy workflow. The purpose of this piece is to try to convince you its valuable, and show you how to do it effectively.
This is based on my experience doing code review both as a part of my job at several different companies, as well as in various open source projects.
It seems only seems fair that before I try to convince you to make code review an integral part of your workflow, I precisely define what it is.
Code review is the process of having another human being read over a diff. It's exactly like what you might do to review someone's blog post or essay, except it's applied to code. It's important to note that code review is about code. Code review doesn't mean an architecture review, a system design review, or anything like that.
Why should you do code review? It's got a few benefits:
So now that I've, hopefully, convinced you to make code review a part of your workflow how do you put it into practice?
First, a few ground rules:
So how do you start? First, get yourself a system. Phabricator, Github's pull requests, and Gerrit are the three systems I've used, any of them will work fine. The major benefit of having a tool (over just mailing patches around) is that it'll keep track of the history of reviews, and will let you easily do commenting on a line-by-line basis.
You can either have patch authors land their changes once they're approved, or you can have the reviewer merge a change once it's approved. Either system works fine.
As a patch author
Patch authors only have a few responsibilities (besides writing the patch itself!).
First, they need to express what the patch does, and why, clearly.
Second, they need to keep their changes small. Studies have shown that beyond 200-400 lines of diff, patch review efficacy trails off . You want to keep your patches small so they can be effectively reviewed.
It's also important to remember that code review is a collaborative feedback process if you disagree with a review note you should start a conversation about it, don't just ignore it, or implement it even though you disagree.
As a review
As a patch reviewer, you're going to be looking for a few things, I recommend reviewing for these attributes in this order:
You're going to want to start at intent and work your way down. The reason for this is that if you start giving feedback on variable names, and other small details (which are the easiest to notice), you're going to be less likely to notice that the entire patch is in the wrong place! Or that you didn't want the patch in the first place!
Doing reviews on concepts and architecture is harder than reviewing individual lines of code, that's why it's important to force yourself to start there.
There are three different types of review elements:
It's important to note which type of feedback each comment you leave is (if it's not already obvious).
Code review is an important part of a healthy engineering culture and workflow. Hopefully, this post has given you an idea of either how to implement it for your team, or how to improve your existing workflow.
From time to time I joke that Bob Knight stole the title of my autobiography with his, which is titled "The Power of Negativity". I've never read the book, but it's very easy for me to imagine how it could apply to me. Many people who know me would immediately identify me as a negative person. They're not wrong, and it's a constant source of struggle for me.
To be clear: I'm sarcastic, I'm critical, I'm a perfectionist and impossible to impress, and I have a capacious ego. As a result of which I almost universally have a problem with any technology I come across, I have a critique to offer of nearly everything, both social and technical.
Some of this is probably my "personality" , but a lot of it is intentional. I'm deliberately negative about many things. There's a few reasons for this. First, I'm good at it, I seem to have an ability to identify and articulate problems with things. I also think it's important, when things are not perfect (and they so rarely are), we have a responsibility to speak honestly about them, and to discuss their flaws with the same prominence we discuss their features. Finally, articulating problems with things is one of the ways I learn best. Much of my philosophy about software, and the world, has been formed by identifying problems with the things that exist today.
The conflict about this negativity for me comes from two places. First, the effect it has on other people. For many people, when they see this negativity it has a demoralizing effect on them, they lose interest in something as a result. In particular I'm concerned that my attitudes could be an discouraging to people getting into software development; James Coglan wrote a thing about this, and I certainly don't want to be part of the problem, particularly given how much I've invested in trying to make the tech community more, not less, welcoming . The second conflict comes from the fact that I am, at heart, a boundlessly optimistic person. A strong complement to my negativity is an unyielding belief that we must and can fix all of these things.
Where does this leave me? Uncertain. It is truly important to me that I continue to cast a critical eye on everything, including playing the devil's advocate; it's part of how I learn, and learning is very much something I want to continue to do. But I don't want to ever be why someone is afraid to get involved in programming, in open source, in speaking, or in anything else, because they're afraid I'll do nothing but critique their work. I don't know how to resolve this tension. For the past few months I've been trying to be less negative and angry on Twitter, I don't know how successful I'm being. I hope you'll try to help by letting me know when I've got over the line.
|||This isn't to say it's intrinsic, or immutable, but simply that it's not a conscious thing.|
I just shipped a new release of alchimia. Here are the steps I went through:
Here's how it works for OpenStack projects:
Once the tag is approved in the code review system, a release will automatically be issue including:
Version numbers are always automatically handled correctly.
This is how it should be. We need to bring this level of automation to all projects.You can find the rest here. There are view comments.
Friends of mine will know I'm a very big fan of the TV show Sports Night (really any of Aaron Sorkin's writing, but Sports Night in particular). Before you read anything I have to say, take a couple of minutes and watch this clip:
I doubt Sorkin knew it when he scripted this (I doubt he knows it now either), but this piece is about how Open Source happens (to be honest, I doubt he knows what Open Source Software is).
This short clip actually makes two profound observations about open source.
First, most contribution are not big things. They're not adding huge new features, they're not rearchitecting the whole system to address some limitation, they're not even fixing a super annoying bug that affects every single user. Nope, most of them are adding a missing sentence to the docs, fixing a bug in a wacky edge case, or adding a tiny hook so the software is a bit more flexible. And this is fantastic.
The common wisdom says that the thing open source is really bad at is polish. My experience has been the opposite, no one is better at finding increasingly edge case bugs than open source users. And no one is better at fixing edge case bugs than open source contributors (who overlap very nicely with open source users).
The second lesson in that clip is about how to be an effective contributor. Specifically that one of the keys to getting involved effectively is for other people to recognize that you know how to do things (this is an empirical observation, not a claim of how things ought to be). How can you do that?
This all works in reverse too, projects need to treat contributors with respect, and show them that the project is worth their time:
Remember, Soylent Green Open Source is people
That's it, the blog post's over.You can find the rest here. There are view comments.
Having your own open source project is awesome. You get to build a thing you like, obviously. But you also get to have your own little playground, a chance to use your favorite tools: your favorite VCS, your favorite test framework, your favorite issue tracker, and so on.
And if the point of your project is to share a thing you're having fun with with the world, that's great, and that's probably all there is to the story (you may stop reading here). But if you're interested in growing a legion of contributors to build your small side project into an amazing thing, you need to forget about all of that and remember these words: Your contributors are more important than you.
Your preferences aren't that important: This means you probably shouldn't use bzr if everyone else is using git. You shouldn't use your own home grown documentation system when everyone is using Sphinx. Your playground is a tiny thing in the giant playground that is the Python (or whatever) community. And every unfamiliar thing a person needs to familiarize themselves with to contribute to your project is another barrier to entry, and another N% of potential contributors who won't actually materialize.
I'm extremely critical of the growing culture of "Github is open source", I think it's ignorant, shortsighted, and runs counter to innovation. But if your primary interest is "having more contributors", you'd be foolish to ignore the benefits of having your project on Github. It's where people are. It has tools that are better than almost anything else you'll potentially use. And most importantly it implies a workflow and toolset with which a huge number of people are familiar.
A successful open source project outgrows the preferences of its creators. It's important to prepare for that by remembering that (if you want contributors) your workflow preferences must always be subservient to those of your community.You can find the rest here. There are view comments.
I get asked from time to time why I care about diversity in the communities I'm a part of, particularly the Django, Python, and the broader software development and open source community.
There's a lot of good answers. The simplest one, and the one I imagine just about everyone can get behind: diverse groups perform better at creative tasks. A group composed of people from different backgrounds will do better work than a homogeneous group.
But that's not the main reason I care. I care because anyone who knows how to read some statistics knows that it's ridiculous that I'm where I am today. I have a very comfortable job and life, many great friends, and the opportunity to travel and to spend my time on the things I care about. And that's obscenely anomalous for a high school dropout like me.
All of that opportunity is because when I showed up to some open source communities no one cared that I was a high school dropout, they just cared about the fact that I seemed to be interested, wanted to help, and wanted to learn. I particularly benefited from the stereotype of white dropouts, which is considerably more charitable than (for example) the stereotype of African American dropouts.
Unfortunately, our communities aren't universally welcoming, aren't universally nice, and aren't universally thoughtful and caring. Not everyone has the same first experience I did. In particular people who don't look like me, aren't white males, disproportionately don't have this positive experience. But everyone ought to. (This is to say nothing of the fact that I had more access to computers at a younger age then most people.)
That's why I care. Because I benefited from so much, and many aren't able to.
This is why I support the Ada Initiative. I've had the opportunity to see their work up close twice. Once, as a participant in Ada Camp San Francisco's Allies Track. And a second time in getting their advice in writing the Code of Conduct for the Django community. They're doing fantastic work to support more diversity, and more welcoming communities.
Right now they're raising funds to support their operations for the next year, if you accord to, I hope you'll donate: http://supportada.orgYou can find the rest here. There are view comments.
Your community appears to be a disaster. I've already read about the following happening in your community/conferences:
I can only conclude you don't want to be welcoming to new users.
And so I don't participate. Congratulations. You've built a community so unwelcoming that otherwise interested developers won't be a part of it.
Friends of mine in the security community: I beg of you, don't enable this by continuing to attend events like this. Don't validate this behavior with your participation.
Security community, fix your shit.You can find the rest here. There are view comments.
By this point it's likely you've read about the discussion Sarah Sharp started on the Linux Kernel Mailing List (LKML) about the abusive nature of some of the comments there, she also wrote about it on her blog.
The negative responses to this broadly fall into two categories: 1) The Linux development process works, stop trying to change it, and 2) professionalism means sugar coating things and that leads to backstabbing and people writing terrible patches. I'll try to respond to each of these.
To the former, all I'll say is that unless you believe the Linux development process is literally perfect you should be ok to investigating changes to it. You want to discuss the merits of a specific change, that's fine, but you can't honestly dismiss change as a whole out of hand.
To the latter, first I should probably say "yes this is a real concern". Quoting Linus here:
Because if you want me to "act professional", I can tell you that I'm not interested. I'm sitting in my home office wearign a bathrobe. The same way I'm not going to start wearing ties, I'm also not going to buy into the fake politeness, the lying, the office politics and backstabbing, the passive aggressiveness, and the buzzwords. Because THAT is what "acting professionally" results in: people resort to all kinds of really nasty things because they are forced to act out their normal urges in unnatural ways.
First, I want to stress that he makes a wholly unsubstantiated claim. That acting professionally (in this context: not being outrageously abusive) inevitably leads to backstabbing, passive aggressiveness, and politics.
I've done code review as a part of my job, I've done code review for several open source projects, including Django, CPython, PyPy, OpenStack, and Twisted. You don't need to be a jerk to review code. And you certainly don't need to be emotionally abusive. A useful code review involves telling someone what's wrong with their patch that prevents it from being merged, and if it's not self-evident, how they can fix it. None of this is made better by profanity-laced tirades.
Sarah, thank you for trying to help improve the Linux kernel community.You can find the rest here. There are view comments.
I get a lot of feedback about people's experiences with PyPy. And a lot of it is really great stuff for example, "We used to leave the simulation running over night, now we take a coffee break". We also get some less successful feedback, however quite a bit of that goes something like, "I ran our test suite under PyPy, not only was it not faster, it was slower!". Unfortunately, for the time being, this is really expected, we're working on improving it, but for now I'd like to explain why that is.
If you want to find out how fast PyPy (or any technology) is, sit down and write some benchmarks, I've got some advice on how to do that.You can find the rest here. There are view comments.
Since I joined Rackspace a little over a month ago, I've gotten involved with OpenStack, learning the APIs, getting involved in discussions, and contributing code. I wanted to write a bit about what some of my experiences have been, particularly with respect to the code and contribution process.
Were I to have started to design a system similar to OpenStack, and particularly components like Swift (Object store), the first thing I would have done would be build a (or select an existing) general purpose distributed database. The OpenStack developers did not go in this direction, instead they built tools specific to each of their needs. It's not yet clear to me whether this is a better or worse direction, but it was one of the most striking things to me.
Open Stack's contribution process is fantastic. Most open source projects have a group of individuals who are committers (often called "core developers" or similar) and the rest of the community contributes by sending patches, which these committers merge. Eventually members of the community become committers; this model is seen in projects like Django or CPython.
OpenStack flips this on its head. In OpenStack there are no committers. The only thing that commits is a Jenkins instance. Instead, they have "core reviewers". Essentially, to contribute to OpenStack, whether you're a long standing member or brand new, you upload your patch with a git-review script to their Gerrit instance. People who follow that project in Gerrit are notified, and Jenkins CI jobs are kicked off. People will review your patch, and once it has both passing tests and the necessary number of "+1" reviews from core reviewers, your patch is automatically merged.
This process of having no committers, only core reviewers, normalizes the contribution process. Uploading a patch is the same experience for me, a relative new comer, as it is for someone who's been working on the project from the beginning. We just have slightly different review experiences. It also puts an emphasis on code review, which I think is fantastic.
OpenStack comprises a large amount of Python code, and I'm a very opinionated Python developer. For the most part the OpenStack code is of good quality, however there are a few issues I've run across:
A lot of OpenStack's code is around what I like to think of as "infrastructure". Things like spinning up VMs, storing disk images, taking snapshots, and handling authentication for all of this. When OpenStack started there was one application service, Swift, which does massively scalable object ("blob") storage. One of the most exciting developments in OpenStack, in my opinion, is the growth to include more application services, things that directly provide utilities to your application. These include:
It's worth noting that many of these are still "StackForge" projects, which means it's not guarnteed that they'll become a part of OpenStack, nevertheless I think these are exciting developments.
Of particular value is that, because they're (of course) open source, you're spared some of the lock-in concerns that come from many "as a service" offerings.
Looking towards the future, I'm hoping to be involved with OpenStack primarily in three ways: