"The Most Dangerous Code in the World"

Our main conclusion is that SSL certificate validation is completely broken in many critical software applications and libraries. (emphasis original) Vulnerable software includes Amazon’s EC2 Java library and all cloud clients based on it; Amazon’s and PayPal’s merchant SDKs… Chase mobile banking… any Android app that uses Pusher API to manage real-time messaging (for example, GitHub’s Gaug.es), clients of Apache ActiveMQ servers… Instant messenger clients such as Trillian and AIM do not validate certificates correctly, either. [Read More]

Love your package manager

Notwithstanding that it’s wrong, as far as debian rubies go: Because going back to non-packaged non-vetted flavor-of-the-month code is a retrograde step back to 1993. You lose consistency, you lose the ability to reliably recreate a same environment, you lose tested and low-friction security updates, you lose dependency management, you lose the security of a crypto web-of-trust, and you lose the google-fu of being on the exact same versions of software as thousands of other people. [Read More]
deb rb

Pig-headed determination

I’ve been searching for a measure of technical debt (or its inverse, design quality)

And:

As Martin Fowler said in 2001, “I have an increasing sense that pig-headed determination to remove all repetition can lead you a long way toward a good design.” And then there’s Carter’s Compass, coined by John Carter: “I know I’m on the right track when by deleting code I’m adding functionality.”

James Shore muses