Design

Social media in the physical world

, , , No Comments

So one of the things I have been seeing more and more are meat-space kiosks that are enabling (and encouraging) you to interact with them by sharing the activities you participated in via your social media identities.

How are they doing this? By having you type your credentials directly into the kiosk. Not only is this a Really Bad Idea(tm) but even the act of encouraging the generally non-security-savvy population that this is a "thing" is horrifically scary. No longer do you need to click on a phishing email to lose your password, all you have to do is buy something from a kiosk which has this configuration in it, from a kiosk which has been hacked. Oh wait, it's not like that ever happens, right? Certainly Target would never get hacked, and if Target is safe, well, maybe the little guys will be fine too.

This is a patently Really Bad Idea but I don't think it's going away, so what I propose is this: sites and services that consider themselves identity providers (a.k.a. you offer OAuth login credential verification for third party sites/apps/projects/whatever), with their mobile app, should provide an easy way to generate a limited-time-use OAuth token, and then provide a way to display it via QR code, or similar.

Granted, this would require adding a webcam to the kiosks, but webcams are dirt cheap, and the net positive for everyone involved. Heck, I bet it turns out to be so much more user friendly that the rates of those social participation options becomes more frequent. Imagine Retailers could even, with this new, nearly painless, option, even offer users a chance to tweet, or post a status, about their in-progress transaction to receive some sort of discount, or special offer.

Bottom line: let's get real and not encourage the general population to foster insecure password management choices. Entering your password (which is statistically likely your password to everything) into a public kiosk which exists in an unknown state of security is a bad idea, every time. Making it normal is an even worse idea. Let's wrangle this under control before it becomes even more wide spread.

Applying functional programming design principals to server architecture design

, , , No Comments

It occurred to me this morning that there are actually quite a few parallels between functional programming and infrastructure design and management.

It all started by what I realized that I said while talking about environments: Production is meant to go from one stable, working, vetted version of code to another stable, working, vetted version of code. Any state between those two is invalid and should (preferably) never occur.

If you cycle on that again, you start to see that most deployment processes you know about violate this One Basic Rule(tm).

I posit that if you are deploying new code to currently running hosts that are handling traffic, you are doing it wrong.

Think about it like this: what is the one core feature of every highly scalable functional programming language? Every one has (or has developed patterns which essentially create) immutable values.

So when we scale this out of software and apply it to infrastructure, your code is the value of your server. If you are changing the value of your server while other processes are trying to access it, you're going to run into concurrency issues. Ask any developer about sharing data between threads, and they'll quickly tell you it's difficult. Why, then, do we improperly share data between releases of our software?

The simple answer is that you have two options for atomic deployments that follow the rules of immutability:

  1. Drop the servers you are deploying to out of the flow of traffic. This is the easiest, but still fails to honor the spirit of immutability because the value of the server is still changing, it's just changing while nobody is looking.
  2. Spin up new instances, and slowly work them into live traffic, confirming along the way that you are in fact getting the expected behavior out of the code.

Now, I know this is all hand-wavy because it glosses over the important aspect of data migration: I don't have an answer there, yet. I suspect the true answer to that part of the solution would be something to the effect of being able to seamlessly decouple your entire system from write traffic (using a request proxy which could 'pause' calls) for some period of time while data updates are done.

What if, to create a truly fault tolerant design, you simply create a nearly 100% asynchronous  API. All requests come in and go into a process queue, and are handled from there. This way you are never required to turn off traffic to do an atomic update of your software because you can simply tell it to stop processing while the update progresses.

Thoughts?

Why developers outside of Symfony should care about Symfony Live

, , , , , , , , No Comments

If you haven't checked them out already, go to Symfony's "Talks" section.

Now, this is great for all of us Symfony developers, but it's also a good thing for php developers in general.

If you're a Symfony developer already, you know what you're interested in there, so I'm going to focus on what non-symfony developers can get out of this treasure trove. Also, these videos are also available in French through the talks section.

Talks that apply to everyone

Designing HTTP Interfaces and RESTful Web Services -- David Zuelke gives an excellent presentation on what restful web interfaces mean, and was actually the driving inspiration behind my dedicating my Symfony Live hack day project to the Accept Header Service Provider for Silex, as well as this pull request for the Symfony core.

Talks for programmers

Behat by example (Behat best practices) -- Konstantin Kudryashov walks you through how to do approach BDD in a way that makes sense. I haven't watched it yet myself, but it is definitely on my list.

Symfony2 components to the rescue of your PHP projects -- Xavier Lacot goes over how you can use symfony components in your every-day php projects to make your life easier.

Using MongoDB responsibly -- Jeremy Mikola gives a talk about Mongo DB. Really, who's surprised? I haven't seen it, but it's on my list, and I'm sure, knowing Jeremy, that it is "web scale."

PHP developers, what can Postgresql do for you? -- Grégoire Hubert gives a talk about Postgresql, why you should use it, and what advantages it has in store for your next project.

ORMs don't kill your database, developers do! -- Guilherme Blanco shows you some ways to optimize your setup when dealing with an ORM. I've heard there is some controversy on some suggestions within, but I think that just makes it juicer.

Dependency Management with Composer -- If this is anything like his talk in San Francisco (and I'll just go ahead and blindly assume so!), Jordi Boggiano gives an excellent overview of what you can do with Composer and how to take advantage of it right away.

Talks for frontend developers

How we built the new responsive BBC News site -- Really. Need I say more?

twig.js: The Templating Engine for the Client-Side -- Johannes Schmitt gives a talk about the very interesting twig.js javascript templating library. I seriously need to look at this one as well.

Still need more?

Richard Miller gave a talk on what you get from a full stack framework. I haven't watch this, as I have already drank that particular kool-aid, but if you haven't made the leap yet, I'm sure he presents some compelling arguments. If, after it, you're still not sold on full stack frameworks, just wait until Dustin Whittle's Silex talk from San Francisco is up. It will blow. Your. Mind.

Working with Silex

, , , , , , , No Comments

Update: Gregorie Pineau pointed out to me that this was already done, so I will refer you to the more canonical resources: Silex Skeleton and Silex Kitchen Edition.

Update #2: However it does seem that my setup may be even more minimal than even Fabian's Skeleton, which could be a benefit to some.

One of the inherent problems of micro frameworks is the tendency to just go ... willy nilly ... and put your files in any ol' spot. It makes the code look awful and hurts your brain trying to comprehend where to handle your changes, and then your project turns against you.

To that end, I want to help! Who's surprised? Awww, c'mon! Pretend? Ok. Thanks.

I have created a Sample Silex Install on GitHub that shows some of the best practices for working w/ composer, and getting off to a great start with your next Silex project.

Questions? Comments? Please leave them below!

1 2 3