The Latest WordPress Psychopathy

Background on me:

So, as you may or may not know, I work at an Open Source company. We distribute our software (Snipe-IT) for free – and we support it, as best we can, also for free. But you can also pay us to host it for you, and we will be happy to do that. Or if you need to run it on your own infrastructure, you can pay us for support. This has worked out great for us. We do have some users who leave our paid services saying “moving to self-hosted!” – which, hey, less money for us, so not necessarily great news. But we have many, many more who migrate from their self-hosted installs to ours.

So open-source, for us, is not only an ethos that we believe in. But, just to be very, very clear – it absolutely is an ethos that we believe in. But it has a side effect of giving us a pool of potential customers – and they’re the best types of customers because they know the software already. And our hosted version, versus our “open source version” are both exactly the same.

Yes, we have to spend more resources supporting free users on GitHub, and Discord, and wherever else we might find them. That’s true. But our users will also happily support each other, and we don’t have to do any marketing at all in order to get a steady flow of customers. So, IMHO, you could say that this is a “cost of doing business” or maybe a “loss-leader,” from a business perspective. (Though, again, just to reiterate – we do Open Source because our entire careers have been built on open source. The language we write in is open source. The database we use is open source. The Operating System we use is open source. So this ‘thing’ that has given us so much, it makes sense for us to give back something. And, maybe, without open source I don’t know that we’d have jobs in tech at all?)

Background on WordPress:

WordPress has been, like, our “Big Sibling” since we began. They have a very similar model to ours – you can download WP for free and run it right now. In fact, this very blog runs on it. Or you can pay them to host it for you.

By doing that they’ve become a company that earns billions. Matt Mullenweg himself is reportedly worth somewhere in the neighborhood of $400 million dollars.

We’ve wanted to be just like them – never took VC money, never took any kind of investment, just built a good business from the ground up and employed a bunch of people, and provided a great product for free, and also, optionally, a paid-for product.

They got big enough that they do have competitors who sell the very same product that they sell. WPEngine being the pertinent example today.

WPEngine has a different angle on how they do WordPress. They enable some stuff. They turn off other stuff. They charge for some things, they don’t charge for other things.

And – and this is a bit of a dick move – they also don’t contribute much back to the open source community. The thing is, while I might call it a “dick move,” it’s also completely and totally permissible.

And that should be the end of the story, right there. WordPress is making billions, they have a competitor who’s also making hundreds of millions or billions, and that competitor doesn’t do a good job of contributing things upstream. And all of that is fine and everyone should be happy. Or at least happy-ish.

The state of affairs, as of a week or so ago

But Matt (the founder of WordPress) has fucking lost his fucking marbles. He changed the copyright on the “WP” and “WordPress” marks. All of a sudden. He’s blocked third-party access to updates and plug-ins for WordPress. He’s gone on tirades about WPEngine, his competitor. There are lawsuits and counter-suits flying around.

This is an absolute violation of not only the spirit of open source, but very much so the letter of it. You can’t say “my software is open source until you make at least a million bucks a year on it, and then it isn’t.” That’s not how it works.

Big names like DHH – a guy who I have taken as my personal goal to just “not be like” – has even come out swinging saying that WordPress is very, very much in the wrong here.

So. Cool, cool. Whatever. People on the internet are going to do weird Internet things. I have this blog, our https://snipe.pt blog, and we have a corporate blog – and I bet that Alison has a few more blogs I’m not remembering, all hosted on WordPress. This “drama” (a misnomer IMHO) is a nuisance, and sad, but shouldn’t affect us.

But it does and it will.

Because I’m sure that we’re going to have customers who start to ask, “how can I be sure you aren’t going to go full Matt on us?”

And that’s a big fucking problem. It hasn’t happened yet, thank God, but it could very well happen. And I don’t know what I might tell someone if it did.

So, even though this doesn’t directly affect us, it can possibly have an effect on us. So, now, we have to worry a little bit. No need to do anything, but, probably, have a little worry.

This is where I was as of last night. A little worried, but not losing sleep or anything.

The Latest

While what most of WordPress has done has been generally awful, this is the first time they’re doing something that is actually EVIL.

These custom fields folks made a nice plug-in for WordPress. They contributed it back to WP’s github, as a good open-source citizen should. And WP just stole it.

Now, mind you – the folks who wrote this plug-in are WPEngine. I suspected as much because I can’t imagine them just arbitrarily grabbing some third-party’s code and running with it. Though, hey, maybe they can do that next? The genie’s out of the bottle now.

This is the last straw, for me. I’m going to move this blog onto something else. Unfortunately, I hate everything else.

This is probably some of the worst destruction of value I’ve seen since Elon took over Twitter. Tons of goodwill – poof – destroyed in just a few shitty blog posts.

I’ll do my best to report back on whatever I happen to come up with for my new hosting platform. Honestly, this is more a symbolic move rather than a technological one – because I just simply cannot be a party to this type of shit-fuckery. Shit-fuckery that may even have echo effects on my actual business.

Why I’m moving to Portugal

Boa Tarde!

So for those of you who are my friends, none of this is news – but Alison and I are moving to Portugal. We don’t know when, and the process is really unpleasant and long, but as soon as our visas come through, things are really going to get moving. I’d be pretty shocked if we didn’t make it over there this year (unless we get flat-out rejected, and then who knows how long re-application would take). But I thought I might at least explain more about the why rather than the how – there are plenty of explanations about “how” that are already out there.

As to why – well, I’ll keep that brief. This country doesn’t feel like it once was, after 45 got in office – but also, it’s been feeling like that more and more with each Republican that ever got in office in my lifetime. And it’s not the former President that scares me so much – presidents come and go. It’s the people who vote for him. Those people actually really scare me, and make me not want to live here.

So it’s time to go. I want a functioning Democracy (even though I won’t be able to vote in it for a while). I want someplace warm. I will need some levels of creature comforts, because I am a bougie bitch. I want the general politics to line up with at least some of mine. And the culture to line up a little bit with mine (not interested in super-racist, super-sexist, etc.) Language need not be English (and, for Alison, she wanted it to definitely not be English). And the number one country we came up with was Portugal. (For what it’s worth, New Zealand would probably be second on the list, though I don’t think they’d ever actually have us).

Known Pros:

  1. Functioning Parliamentary Democracy. The Socialist Party (PS) is pretty dominant, but they don’t always win. The do have a separate vote for President, but the President’s powers are pretty limited. (The current President is from the PS, and the “Assembly of the Republic,” or ”Parliament,” currently has an absolute majority with the PS – without having to form coalitions. That can, and will, change).
  2. Some of the warmest weather in Europe. Can get chilly, especially in the North, but not too much so.
  3. Lovely people who will leave you alone if you don’t feel chatty, but can be warm, charming, funny and even a little sarcastic if you let them in (and they let you in). Once you find a Portuguese friend they will move heaven and Earth for you.
  4. Delicious food, from all around the world.
  5. Solid internet service and cell service (in cities – in some rural areas, you’ll see the ’number of bars’ drop down to 0).
  6. The Lisbon subway was prompt, with modern trains and great signage.
  7. The full-size trains themselves took a bit of getting used to, but were also very pleasant to take throughout the country (modulo the Alfa Pendular, which I will get to later).
  8. SOCIALIZED FUCKING MEDICINE. And that existing means that private healthcare is much, much cheaper (current advice is: use socialized medicine for severe things, like organ transplants and cancer, use your private healthcare insurance for normal everyday things, but then switch back to the socialized system for prescriptions)
  9. Drug Decriminalization. We’re not big drug users or anything, but what I like here is that it means that the cops are more focused on real, like, crime-things, and not stupid things like drugs.
  10. Prostitution is legal, pimping is not. Same reason as before – we don’t partake, but I’d rather cops focusing on other things. And love the idea that it’s not only that ”pimping ain’t easy” but also ”pimping ain’t LEGAL.” (though it wasn’t in the song, either, so, well, I digress).
  11. Trans people seem pretty well-accepted, gay folks seem pretty well-accepted
  12. Abortion is legal (though there have been attempts to change this)
  13. Gay Marriage is legal!!!!!
  14. Later lifestyle – we’re night-owls already so that works really well for us. It’s not hard to get food at 10:30 or 11:00.

Known Cons (and these are all ’nits’ – livable little annoyances)

  1. Cripplingly horrific beauracracy, which is rather infamous. Apparently a lot of other European countries are similar, but theirs is really awful.
  2. Some very old buildings, which means some poor insulation, for both sound as well as heat/cold.
  3. Some things we’ve grown accustomed to we’re just not going to be able to get there. (No Ranch sauce! We’re San Diegans – how will we be able to cope??!?!)
  4. Some things can be really antiquated – like, buying subway tickets in lisbon with a credit card you buy a big long number online and then when you get to the station you have to type it in. You have to pay cash sometimes – not as often as I feared, but more often than I’d want. (Since the pandemic, I’ve gotten into the habit of not taking out cash for months at a time).
  5. The worst banking system I’ve seen. Nothing earns interest. You get nickle-and-dimed for everything. I’d do better to just keep my money under a mattress and would get a better return.
  6. Some really nasty history – we are talking about the place that literally invented chattel slavery
  7. There are gonna be shitty people there, just like there are shitty people here. We saw some graffiti saying ”COVID = NAZISMO = SOCIALISMO”, and we saw an ’anti-vax parade’.

Unexpected Pros

  1. In bigger cities, the ’MultiBanco’ system (when they offer it) allows contactless payments, right with your Apple Watch or Phone. It’s really quite nice. And if you do use a credit card, it never leaves your hand – they don’t take it away then bring it back, you can just tap or insert it right there on the mobile terminal your server brings you.
  2. Hooking up utilites and stuff – once you’ve got it going you just put in your IBAN number and it just takes the money out – easy-peasy.
  3. They actually had a revolution to escape out of dictatorship. That’s pretty cool! (Yes, it’s embarassing that I didn’t know this. Blame American public schools)
  4. And this is going to sound like a back-handed compliment, but it isn’t – European Portuguese is hard. But we very much do like a challenge 🙂
  5. As our Portuguese gets a little better, we’re starting to understand more and more bits of other Romance languages – we were watching something in Romanian and both of us said, ”wait – why did I understand that?!” And something similar for French, and Italian. And the weird thing is that our Spanish is still better than our Portuguese (though not for long!). Basically some weird feature of Portuguese, I guess, that it’s closer to some of the ”Vulgar Latin” roots? I dunno, I read something on Wikipedia or something 😛
  6. Because of the way Parliament works, you can get little teeny parties that have different platforms, and if coalition-building happens, maybe they can get some of their stuff pushed through. There’s the Pessoas-Animais-Natureza party (PAN – “People, Animals, Nature”) that’s won a seat or two. The PCP (Partido Comunista Português) also has had a seat here and there (and it’s WEIRD to see sickle-and-hammers around on campaign posters. And it’s weirder to read what they’re saying and say, ”hrm, those are actually some decent ideas…”)
  7. Some really amazing laws that we don’t have here. I haven’t vetted all of these but they include:
    1. You can’t take pictures of people without their permission
    2. It’s illegal to discriminate in housing to people with pets (though our real estate person said that sometimes people still do)
    3. Some strong privacy laws – I had to redact my social security number on my visa application because they didn’t want to see it. Same with some transaction details on my US-based bank.
    4. Every public building (school, hospital, prison, etc) must have at least one vegan option.
    5. AirBnB’s are regulated insanely hard – every (legal) one you see will have a completely identical plastic ”Alojamento Local” placard posted conspicuosly, and the licenses for those are hard to get.
  8. The anti-vax parade was orderly, and had cops embedded in it to prevent the parade-goers from getting attacked by the regular folks, and vice-versa.
  9. They’re pretty smoking-friendly, but that’s actually kinda good for us – as we both vape and most places now treat them the same.
  10. Green wine is actually delicious!

Unexpected Cons (that did genuinely suck, but, not deal-breakers)

  1. I went to get a haircut and shave and the douchey place I went to wouldn’t fix up Alison’s mohawk (I mean, just shave the sides is all!) because it wouldn’t ”Fit the aesthetic” they were going for. (I think they’re just sexist pieces of shit). Meh, that shit happens everywhere, but Portugal still isn’t some kind of Utopia.
  2. The Alfa Pendular – a super-duper sophisticated train that uses ’tilting’ technology to be able to achieve very high speeds on relatively old tracks – can make you motion-sick. I got queasy, Alison got full-on horrifically sick.
  3. My wife wants to live in the Algarve, and I’m more interested in Lisbon. SPOUSAL CONFLICT!
  4. Driving is difficult, the streets are tiny, and weird little ’bollards’ will pop-up and prevent access to some areas.
  5. Absolutely terrifying toilets. Honestly, Alison might start a blog about this once we get there.

So that’s why I want to move there. At this point, for me, it’s still more wanting to move there, rather than get away from here. Though the latter I must admit is true. I still can’t wait til we have us and our animals all safe in our apartment in Lisbon, wake up and walk the girls over near that one tree, then go out to the local cafe to have cafes pingados and some pasteis de nata, then relax for a bit with some portos, then wander around Lisbon for a bit until we go for a nice big lunch at noon, then it’s off to work!

Creating a site-to-site VPN in AWS between regions

I spent crazy amounts of hours – days, really – doing this. I figured I might at least try and save someone else some time.

The solution I went with was a simple software-based VPN using AWS Linux instances in either region. I went with IPSec as my encryption/tunneling mechanism, and ISAKMP IKE as my method of sharing keys. I selected Libreswan as my VPN software. I evaluated and discarded several other potential solutions, but this is what I actually got to work for me.

Continue reading “Creating a site-to-site VPN in AWS between regions”

Why I would seriously consider using Laravel instead of Rails for just about any web project

This is an opinion piece. The following is my opinion. I don’t need to yuck your yum; if you love Rails and you think Rails is great, then that’s awesome for you. I’ve had a lot of great experiences with it in the past. These are my thoughts, for me. I’m not stupid enough to say “Rails Considered Harmful!” or anything stupid like that; it’s still a powerful, popular tool. But here are my thoughts about it:

Continue reading “Why I would seriously consider using Laravel instead of Rails for just about any web project”

Mini Displayport to Thunderbolt 3 – Connect an Apple Cinema Display to a 2016 MacBook Pro – for $26

I am still pretty shocked that there’s still no all-in-one Apple-provided doodad to do this. And there are some articles but they don’t seem quite complete.

So, here’s how I did it for around $26, using two devices on Amazon:

This gets you from Thunderbolt 3 (via USB-C) to full-size Displayport.

This gets you from full-size Displayport to Mini Displayport.

I could’ve sworn that the USB-C-to-Displayport adapter I picked up listed Displayport Alternate mode and all that jazz, but apparently not. Either way, it seems to work for me (?).

Also wish it supplied power on its own – it doesn’t – but I guess I can live without that. Sucks though.

 

How to make a multiplayer FPS that isn’t Battlefield or Call of Duty

So those guys (BF, CoD, maybe even Overwatch) are super-huge. They don’t really have problems with scaling. Or, maybe, in some cases, they do?

Here’s something I saw while playing Titanfall 2. First off, and I think this is a significant problem, they have a TON of datacenters, like around 8 or 10 within 100ms of my location. So I’m on at, like 1AM Pacific. There are a couple hundred people active on my closest-location data center (Salt Lake City). There are a couple hundred on in Oregon (GCE1?). A couple hundred more in Oregon-2 (GCE2). But we’re having matching problems, and it’s taking longer than it should to start games, and I keep seeing the same people. Logically, I can see that during peak times, with a crazy-high number of players logged-in, you want everyone to be as close as they can to their own data center, and you want as many damned data centers as you can throw money at to get. But when not? We’re splitting too many players across too many data centers, all for the sake of the difference between 45ms and 65ms. As it got later and later (I am a bit of a night owl) I started to check out other servers, farther away. In many cases, numbers as low as zero. Ugh. There’s a real concern that you might have some people logging in, seeing just a few users, and giving up. That’s enormously dangerous.

This is a really hard problem. Crazy hard. There are a lot of different ways to approach it, and as I was thinking about it, I thought I might’ve come up with a decent algorithm that might work. This is more of a thought experiment, me armchair-quarterbacking a problem that I’m sure the actual devs are already hard-at-work fixing. But anyways, here’s my idea:

  • First off, instead of connecting to your closest data-center, you instead connect to one Grand Unified Centralized registration system. First come, first serve. And, yes, if you live 500ms away, your registration time will be 500ms older than someone else. Too bad, that’s life. A “registration consist of just an IP/serial/whatever, a version number, and the number of milliseconds of delay to every datacenter that exists.
  • Now the server has a list of registrations, in time order. First, you grab the oldest registration. (Note the time, for keeping track of worst-case registration times). Grab the shortest datacenter from the list of datacenters. Walk through registrations in time order, trying to find (howevery many users you need for a game) users for whom that is also their closest datacenter.
    • Did that work? Then great. Shunt those ‘N’ players off to a game hosted in that data center. Then repeat with the next oldest registration.
    • Let’s say that didn’t work. Now, things get interesting. Of all the registrations you have, find the lowest-ranked first-choice. This, by the way, is the same method as Instant Runoff Voting. For anyone who had chosen that first choice, bump them to their second choice. That may include our candidate registration, itself.
    • Now, repeat the attempt to match up our candidate. Keep eliminating the least-popular data center until you can find a match.

So that’s it. Here are some of the practical advantages and disadvantages of this system, and some weird side-effects:

  • If there’s, like, a 10 minute wait (which there oughtn’t ever to be), some people could beat that time by being at the end of the queue, but being in a region that needs players. I think that’s OK.
  • I _think_ this might be hard to parallelize. You’d have high contention for the oldest items in the queue; you’d have to have some kind of locking mechanism, or something. This algorithm works best if running in series. Maybe there are some sneaky ways to do it otherwise, but I don’t know how off the top of my head. Maybe grab batches of 1000 registrations, and working that way?
  • Super-duper single-point-of-failure. You lose the centralized registration server, game over. Maybe you fall back to the ‘old’ way? Or maybe you’re just down, and that’s it.
  • I worry what might happen if you start getting to 10,000,000 players all online at the same time? Being unable to burn through those folks fast enough might become a problem. Maybe once your region gets >1000 users on it, you let them just hit their local region? I don’t know?
  • The centralized registration system does have one simple function: match players and bounce them over to their regions. So it has exactly-one job, and I can’t imagine a single ‘matching’ taking more than a few hundred milliseconds or so?
  • In terms of scaling and stuff, I would say that you should add capacity to a region when there are no free game servers available (or ‘game slots’). If new servers take a while to spin up, I’d be more liberal than that (maybe using an algorithm of “if there are less than ‘n’ slots available, then add a server”).
  • You can go completely nuts spinning up data centers. Until you get into the, like 1000’s or so, this algorithm ought to keep working pretty well.
  • When there are only ‘n’ people online, total – and they’re from all around the globe – they may end up having a bad time; high latency. That is life, too bad.
  • There may be a point where you say, “Sorry, person, but you’re fucked. There’s no one close enough to you to play a game.” That would be a terrible result, but it could happen. It depends on where the barrier to ‘too many milliseconds’ is.
  • I’ve thought about ways to globalize the registration system, with some kinds of distributed databases or whatever. I don’t think the costs are worth it, but, maybe, you could do some kind of distributed database-ey thing. I don’t know.
  • The registration data is pretty dang ephemeral. You could maybe do this with something like Redis, though some of the queries we’d be talking about doing might not work there.
  • I’d probably have it set up so that if the centralized service blows up and loses all its data, the various game clients will all try and reconnect. Especially if the registration service uses an ephemeral data-store, this could happen.

Of course, there are so many ‘gotchyas’ and caveats and potential failure modes, and all kinds of problems with networking and latency and who-knows-what. I don’t know if this system is harder to implement with those caveats or not.

And I’m just some guy, not a brilliant algorithms person or some distributed programming guru. This could all be a horrible, disastrous mistake of a system. I doubt most armchair quarterbacks actually call spectacular plays when they’re watching their various football games. (Look, sports reference! Yay!)

JavaScript: Callbacks, EventEmitters, and Promises – which one to use?!?

Short version

If you have something that’s simple and always synchronous, don’t use any of them. Just write a dumb function.

If you have a function that’s simple and only needs one asynchronous response – and there are no other potential responses – then a callback is fine.

If you have some kind of object that could have several different potential asynchronous responses – at various different points in lifecycle – and you might or might not want to listen to none, one, or more of them? Then use EventEmitters.

And finally, use Promises when:

  • You have a collection of asynchronous functions, and you need to respond only when all of them have returned, or any one of them have returned.
  • You’re doing mostly ‘imperative’ functions and don’t need to pass a lot of values around, you just need to chain together some callbacks in sequence.
  • You have some functions that might be synchronous, and some that might not be, and you’re not sure which until runtime
  • You have a collection of asynchronous events that are all firing, but the order that they must complete in is dependent upon some value determined only at runtime.
  • (weaker argument) You are falling victim to callback-hell, and your code is steadily creeping rightward

Long version

Functions


function foo(param1,param2,param3) {
  return "something";
}

//usage:
var a=foo(1,2,3);

If you can do it this way your life will be better. Do it this way if at all possible.

Simple Callbacks


function foo(param1,param2,param3,callback) {
  process.nextTick(function () {
    callback("something");
  });
}

//usage:
foo(1,2,3,function (result) {
  console.warn("Yay, we got result! "+result);
});

If you find you’re passing “callback1, callback2, callback3” definitely don’t do this. But for small, simple asynchronous functions, with not much else going on, this is still fine. Still pretty easy to reason about. As functions grow larger, and nested callbacks grow deeper, it gets harder and harder to reason about, though. The invocations of your little function probably ought not to be more than just a few lines; if they are, you should consider the next option…

EventEmitters

I think 95% of the EventEmitters I create end up being ‘classes’ that extend the EventEmitter class, and I think that’s probably a good way to do it.


   /* ..... */
   this.emit("begin","something");
   /* ..... */
   this.emit("success","something");
   /* ...... */ 
   this.emit("failure","something");
   /* ...... */
   this.emit("complete","something",success === true);

What’s great about this model is that someone who’s consuming this object might only care about one particular event – in which case they can listen for just that one. I believe it’s ok, and actually good, to emit liberally, even events that are similar but not the same (in my example “success”/”failure” as well as “complete”).

Another nice side-effect is that all of your various listen events (.on(foo)) help document what the callback is actually for. E.g. –


on("complete",function (param) {
  /* see? Now we know this event handler fires when things are complete! */
});

If you’re not careful, you can absolutely slide into callback-hell here. But this is my personal favorite pattern to use. It’s pretty extensible.

Never do synchronous callbacks; ever. If you want to do something ‘immediate’ at least wrap it in a process.nextTick(function () {/* blah */}); block; that’ll effectively be immediate but allow for someone to use it in the way most EventEmitters are used.

Never throw errors; just emit “error” instead.

Promises

These are massively over-hyped as the solution to everything. While they are actually very, very cool; they definitely have some real drawbacks.

  • They can get hard to debug
  • They can be confusing
  • missing something like a return – which is super-easy to do – may just cause silent code malfunctioning instead of issuing any kind of error
  • Propagating data forward from previously-resolved promises into later promises looks and acts weird.
  • You lose a lot of the benefits of ‘closing-over’ variables

But, when used properly – they can turn something nasty like this:


foo.on("bar",function (baz) {
  bif.on("blorgh",function (bling) {
    bloop.on("gloob",function (fweep) {
      /* .... */
    });
  });
});

Into something much prettier like this:


foo.bar().then(function (baz) {
  return "thing";
}).then(function(bling) {
  return "other_thing";
}).then(function (fweep) {
  return "last_thing";
});

Which, especially if you end up with a super-long list, can be helpful.

You can also use .catch() to grab any error in your list of actions – and that can be enormously useful.

Also, if you have an array of promises, you can do something like –


Promise.all(my_array_of_promises).then(function (results) {
  /* do something */
});

Which can be very, very handy.

Where it starts to get ugly is, if in that example I gave above foo.bar().... – if you need to treat an error condition for each of those steps slightly differently. Now you can throw various .catch statements after each .then statement, but I can imagine trying to visually read through that as being a nightmare.

The other huge thing here is that some promises can be fully synchronous – e.g. Promise.resolve(7) – that’s a promise that will resolve to the number 7. And some promises (well, probably most of them) are asynchronous. This is great, and the ability to unify these two modes together can be very helpful.

So, absolutely use them when they make sense. But my current thinking (which might change) is that you should use the simplest asynchronous mechanism that expresses what you need, without adding complexity. Step up the complexities of your tech as you need to, but not before.

Use the right tool for the job.

A pinko-commie lefty-liberal’s _technical_ argument against The Secretary of State using Her Own Email Server

If an employee of mine tried to send email from their own server, instead of using my company’s, I’d reprimand them, harshly. And if they continued to refuse to use the appropriate email server I’d have to terminate them.

Why? Security.

Who ran Hillary Clinton’s Email server? What software did it run? Where was it hosted? How physically secure is that location? How secure is the ISP that serves data to that server? The administrators of that server – are they background-checked? Are we sure they are not in the service of any foreign entity, or even a domestic one? Is the server patched to the latest version? Are there any vulnerabilities on the version it is running? Are there any backdoors or rootkits or other such stuff on there? What’s the update schedule on that server? Is there any strong cryptography on it? What protocols are running?

And the answer in just about all of these cases is, “I have absolutely no idea.” And that is completely and totally unacceptable.

If you administer an email server, YOU CAN (usually) READ ANY EMAIL THAT IS ON IT. When it’s some regular schmoe somewhere, that’s less of a big deal (but still something to be concerned about). When it’s the Secretary of State of the United States of America, that’s a bit of a bigger deal.

If you are reading this and feeling like I’m not exactly right, go talk to your email admin. Ask them to read you your latest email – “just so you can see if your email software is working.” Let me know what you find.

How to do: Gulp + Browserify + Coffeescript + Sourcemaps + Uglify as of mid-2015

I blew so much time on this, it’s crazy.

I got it down to something simple and clean, finally. And it turns out the “recipes” section on the Gulp website pretty much had the answer already. I just needed to understand more about what I was trying to do in the first place.

Note: You need to install coffeeify to have it available as a transform!

var gulp        = require('gulp');
var browserify  = require('browserify');
var source      = require('vinyl-source-stream'); //to 'rename' your resulting file
var uglify      = require('gulp-uglify');
var buffer      = require('vinyl-buffer'); // to transform the browserify results into a 'stream'

var sourcemaps  = require('gulp-sourcemaps');

gulp.task("your_target",function() {
  browserify({
      entries: ["./sample.coffee"],
      debug: true,
      extensions: [".coffee"],
      transform: ["coffeeify"] // npm install --save-dev coffeeify
      })
    .bundle()
    .pipe(source('resulting_file_name.js'))
    .pipe(buffer())
    .pipe(sourcemaps.init({loadMaps: true,debug: true}))
    .pipe(uglify(/* {
          debug: true,
          options: {
            sourceMap: true,
          }
      }*/)).pipe(sourcemaps.write("./" /* optional second param here */))
    .pipe(gulp.dest('./build/'));

});

If you don’t want the sourcemap URL in your resulting JS file (which I didn’t, because I keep my sourcemap file private), add a second parameter ,{addComment: false} to the sourcemaps.write line near the end.

Edit: – the parameter to uglify isn’t even needed.

Debugging or Troubleshooting the PHP Autoloader

I used PHP pretty heavily a while ago. It’s still – in its primitive, non-objectey, non-frameworked form – one of the environments in which I can ‘think’ in the language the fastest. If someone had a gun to my head and said “build me this thing ‘x'” – I would probably do it in PHP (unless it were large enough with lots of forms/fields/tables/etc., then I might use something else. Or maybe still PHP? I dunno.)

But that means I missed out on the newest revolutions in PHP – composer, Laravel, all that stuff. And some of it is actually pretty cool, once you get a handle on it.

Composer is very similar to how Bundler works under Ruby, or how npm works under Node. You say which libraries you need and which versions in a config file, then say ‘composer install’ (or ‘php composer.phar install’) and it magically goes and gets them and installs them. Pretty neat.

One of the more subtle pieces you get is no longer having to say require "foo.php"; – the new system of Autoloading does that for you, if you’ve gotten everything set up right. It seems to be powered by PHP Namespaces – each composer-able package declares which namespace it’s going to set stuff up in, and then if you try and use something from that namespace, it automagically gets loaded up. Pretty neat!

It’s actually very neat. Until…it doesn’t work. And then I started to find that it was extremely difficult to troubleshoot what it’s actually doing, and why my custom package wouldn’t autoload.

Probably the first place to start should be the DebugClassLoader component ("/Symfony/Component/Debug/DebugClassLoader.php"). That was installed by default in the Laravel app I was playing with. It looks like there’s a nice static class method you can invoke, which will help troubleshoot what’s going on in the class-loading process – “DebugClassLoader::enable()“. There seemed to be another Debug component – somewhere – that wanted to enable that feature – “/Symfony/Component/Debug/Debug.php” – but I couldn’t end up figuring out how to turn the damned thing on. If you do? I bet that’ll be more helpful than the other stuff I ended up playing around with. That DebugClassLoader seems like it will wrap the autoloading process and yell at you if it can’t find the classes it wants in the appropriate files, and there’s not a lot else going on with the autoload sequence than that.

But, due to my ignorance, the most useful tool that worked for me was manually loading up the autoloader object and just asking it dumb questions:

$autoloader = require "./vendor/autoload.php";

$results = $autoloader->findFile("\MyNamespace\MyClassName");

print "Found file for class at: $results";
exit(1);

Other methods I ended up playing with were:

$autoloader->loadClass("\MyNamespace\MyClassName");

print_r($autoloader);
exit(2);

Enough poking around with some of these techniques eventually got me to the point where I could figure out what it was that I was doing wrong. Hopefully I can save someone else a few hours of heartache too.