Monthly notes 56

Issue 56, 26.2.2021

Work life

Researchers identify four causes of "Zoom fatigue" and their simple fixes
"Those video calls are likely tiring you out." tl;dr;

  • Excessive amounts of close-up eye contact is highly intense.
  • Seeing yourself during video chats constantly in real-time is fatiguing.
  • Video chats dramatically reduce our usual mobility.
  • The cognitive load is much higher in video chats.

Maximizing Developer Effectiveness
"It’s all about tight feedback loops." (from Weekend Reading)

Information security

OWASP Top 10 for Web
"Inspired by real-world vulnerabilities and case studies, we have created a series of interactive application security training modules to help developers understand, identify and mitigate security vulnerabilities in their applications."

3 Ways to Mitigate Risk When Using Private Package Feeds
"Microsoft whitepaper on best practices to follow to reduce risks against substitution attacks." (from Cloud Security List)

How to use Docker Security Scan Locally
"Docker and Snyk recently entered into a partnership to provide container vulnerability scanning to official images on Docker Hub. Additionally, Docker has integrated scanning directly into Docker for Desktop clients." (from Cloud Security List)

Cloud

Introducing GKE Autopilot: a revolution in managed Kubernetes
"Autopilot is a new mode of operation in Google Kubernetes Engine (GKE). Autopilot clusters are pre-configured with an optimized cluster configuration that is ready for production workloads. This streamlined configuration follows GKE best practices and recommendations for cluster and workload setup and security." You can achieve "the same" by manually ticking the right options.

AWS Account Setup Guide
A guide for configuring new AWS accounts with an emphasis on security, including customizable templates. (from Cloud Security List)

Microservices

A Practical Guide to Writing Secure Dockerfiles
How to write secure Dockerfiles, and how to automate security checks as codified policies and validate them against the Dockerfiles to identify potential security risks before deploying them into production. (from Cloud Security List)

Learning

Tackling TypeScript: Upgrading from JavaScript
"For JavaScript developers looking to learn TypeScript." (from Weekend Reading)

How they SRE
A curated collection of publicly available resources on how technology and tech-savvy organizations around the world practice Site Reliability Engineering (SRE) (from Hacker Newsletter)

Tools of the trade

skan
"sKan is a Kubernetes configuration files and resources scanner that enables developers and devops team members to check whether their work is compliant with security & ops best practices." (from Cloud Security List)

Something different

Calvin and Hobbes search engine
(from Hacker Newsletter, comments)

Short notes on tech 5/2021

Week 5/2021

Worklife

Why Working from Home Will Stick
Or will it? Hacker News comments provide a good pointers why it won't stick for the broader society.

Software development

Maximizing Developer Effectiveness
"It’s all about tight feedback loops." (from Weekend Reading)

Google Engineering Practices Documentation
"Google has many generalized engineering practices that cover all languages and all projects. These documents represent our collective experience of various best practices that we have developed over time." Unfortunately it currently contains only "Google's Code Review Guidelines".

Awesome Software and Architectural Design Patterns
"A curated list of software and architecture related design patterns."

Tools of the trade

deep-email-validator
"Library that handles all the email validation strategies: regex, common typos, disposable email blacklists, MX record lookup, and SMTP to check the inbox exists." (from Weekend Reading)

Mock Service Worker
Seamless API mocking library for browser and Node. (from Weekend Reading)

Monthly Notes 55

It's a new year and let's start it with Monthly notes. Something new and something old from the short tech notes. Let this year be good!

Issue 55, 5.1.2021

Tools of the trade

Awesome CI
List of Continuous Integration services. There's a bunch of them to choose, my favorites are: GitHub Actions, Circle CI, Google Cloud Build, Drone CI.

Alternatives to JIRA which is moving to cloud only:
Asana
ClickUp
Linear
Redmine

Ignore node_modules in BackBlaze

PostgREST
"PostgREST serves a fully RESTful API from any existing PostgreSQL database. It provides a cleaner, more standards-compliant, faster API than you are likely to write from scratch." (from hackernewsletter)

alyssaxuu/screenity
"Screenity is a feature-packed screen and camera recorder for Chrome. Annotate your screen to give feedback, emphasize your clicks, edit your recording, and much more." (from Weekend Reading)

Foam
"Foam is a personal knowledge management and sharing system inspired by Roam Research, built on Visual Studio Code and GitHub."

Web Development

Integrate the Web Share API into our websites
"Use the Web Share API instead of these ugly lists of social icons. We should take care that our products support the native frameworks to make the web a better place." (from WDRL 285)

Sass vars, CSS vars, and semantic theme vars
"How we should define semantic variable names in the age of light and dark themes." (from WDRL 285)

Apple now lets us integrate Face ID and Touch ID on the web
"Building it on top of the Web Authentication API. Imagine how this can improve the logging in experience for a good part of your user base."

Work life

A Day in the Life of an Engineering Manager
"Engineering Manager is one of the roles that most people don’t know exactly what it’s about and what these people do. Karl Hughes explains what he does all day and it turns out it’s a role full of soft skills like networking, explaining things or translating between two people, between company departments and to raise awareness around delivery, around process management and recruiting as well as people’s happiness in their jobs." (from WDRL 285)

Development

Collection of tips for note taking by Dr. Sam Ladner
"This is a great collection of tips for note taking. For user research, design reviews, board meetings, whatever". (from Weekend Reading)

How to Make Your Code Reviewer Fall in Love with You
"Value your reviewer’s time". tl;dr; Start with these and read the article for more:

  • Review your own code first
  • Write a clear changelist description
  • Automate the easy stuff
  • Answer questions with the code itself
  • Narrowly scope changes
  • Separate functional and non-functional changes
  • Break up large changelists

Cloud

Monitoring & securing AWS with Microsoft
"Interesting approach, how to setup (advanced) monitoring of AWS with Azure Security Center (CSPM), Azure Defender (CWPP), Cloud App Security (CASB), and Azure Sentinel (SIEM)." (from Cloud Security Reading List)

Learning

How I read books: setting up a new system
"Knowledge is much more valuable when we can act on it, and change our behavior."
tl;dr; Active learning / reading; Processing and reflecting; Repeating; Presenting; Taking action. (from HackerNewsletter)

Things you're allowed to do
"This is a list of things you’re allowed to do that you thought you couldn’t, or didn’t even know you could."

Monthly notes 54

Working from home continues as COVID-19 still surges and if you yet haven't checked your video call capabilities, read the How to make video calls almost as good as face-to-face article. The remote working isn't going away as this year has shown that pendeling to offices every day isn't really needed.

Issue 54, 6.11.2020

"Nobody gets hacked"

Working from home

Companies plans for remote work going forward
Twitter thread by Chris Herd of what he learned by speaking to 1,000 companies over the last 6 months about their plans for remote work going forward. Office space going down; flexi-work; people working too hard; burnouts; asynchronous communication is difficult; invest to ergonomic working equipment; workers will be happier as a result of remote work; need tools to track output; documentation is the unspoken superpower of remote teams; coaching and facilitators are needed;

How to make video calls almost as good as face-to-face
How much nicer video calls would feel if the problems with low-quality microphones and webcams, lag and such would be solved? The post summarizes what can be done by fiddling with gear and software. TL;DR; Get away from other people; Throw your wireless headset in the trash; Don’t mute; Get a better microphone; Listen to yourself; Improve your lighting; Use your real background; Don’t bother with webcams;

Docker and Kubernetes security

Dockerfile Security Best Practices
List of common security issues and how to avoid them. For every issue there's an Open Policy Agent (OPA) rule ready to be used to statically analyze your Dockerfiles with conftest. TL;DR; Do not store secrets in environment variables; Only use trusted base images; Do not use ‘latest’ tag for base image; Avoid curl bashing; Do not upgrade your system packages; Do not use ADD if possible; Do not root; Do not sudo;

Docker Threat Model

The Current State of Kubernetes Threat Modelling
"If you are planning on using Kubernetes in production, one of the key things to consider from a security perspective is your threat model."

Arsenal of Cloud Native (Security) Tools
Marco Lancini's curated list of tools he finds useful, alongside a quick “usage” guide for each one of them. i.a.: Docker Bench, kube-bench, kube-hunter, AWS Security Benchmark,

Something different

2020 UCI Cycling eSports World Champs heads to Zwift’s Watopia in December
"2020 UCI Cycling eSports World Championships are set to take place on virtual ride platform Zwift in their online Watopia environment. Garmin-Tacx will supply all of the connected trainer for with elite men and women to race each other virtually"

Monthly Notes 52

Issue 52, 9.9.2020

Software development

Field Ops Guide
"The Field Ops Guide (by Futurice) is a booklet that makes it possible to survive a software development project. It's a distillation of years of wisdom gathered working in client projects."

Kubernetes

Threat matrix for Kubernetes
"While Kubernetes has many advantages, it also brings new security challenges that should be considered. Therefore, it is crucial to understand the various security risks that exist in containerized environments, and specifically in Kubernetes."

Docker

Faster Builds and Smaller Images Using BuildKit and Multistage Builds
"Multistage builds feature in Dockerfiles enables you to create smaller container images with better caching and smaller security footprint. In this blog post, I’ll show some more advanced patterns that go beyond copying files between a build and a runtime stage, allowing to get most out of the feature."

Tools

img
"Standalone, daemon-less, unprivileged Dockerfile and OCI compatible container image builder."

GraphQL Voyager
"Represent any GraphQL API as an interactive graph."

SQL diagrams

Something different

Cheating in eSports: How to cheat at virtual cycling

Monthly notes 51

It's August and after summer holidays it's time to get back to monthly notes. If you read only one note, check the "Some important things to keep in mind when you work remotely" which has good tips also in general. Happy reading :)

Issue 51: 2020-08-07

Kubernetes

How to gracefully shut down Pods without dropping production traffic in Kubernetes?
If you've ever noticed dropped connection after a rolling upgrade, read Daniele Polencic Twitter thread which digs into the details with detailed pictures.

Web development

Prevent Info leaks and enable powerful features: COOP and COEP
"Cross-Origin Embedder Policy (COEP) and Cross-Origin Opener Policy (COOP) isolate your origin and enable powerful features." The video by @agektmr helps you understand how it works and why this is important. Unlock access to new perf API's to help you identify JS bottlenecks, memory leaks, and more. (from @igrigorik)

How To Setup Your Local Node.js Development Environment Using Docker
(from @Docker)

Web Stories are coming to WordPress!
Web Stories are tappable, engaging visual stories brought to the web. They’re powered by AMP technology. (from @pbakaus)

Working remotely

Some important things to keep in mind when you work remotely
Check the Twitter thread for 10 great tips for working remotely. They are also good tips also in general. I've also found the tip 8. be great. Writing notes and making (public) blog posts of them helps you to process new information better and also help other developers. Documentation is often undervalued and it takes time to do it correctly.

Software development

It's probably time to stop recommending Clean Code
"There is a growing movement against Rob Martin's books (e.g., Clean Code). After reading the article, I have to agree with a lot of it, but I also hope that this movement doesn't push too far to the other side." (from @maybeFrederick) My take is that don't believe everything you read be it on a book or nowadays in the Internet. Use your own thinking and reasoning. "Clean Code" has good points and suggestions but also goes a bit overboard with how "clean" things should look.

Tools

Boop
"Boop is a place to paste text, and transform it using basic operations. The goal is to allow quick experimentation and avoid using random websites to do that stuff. It's super useful when working with logs, JSON data, etc." (from @OKatBest). This is what I've always needed. No more searching for online tool for a specific task (or looking it from tiny-helpers.dev which is a great collection).

Git-bug
Fully embedded bug-tracker in git: you only need your git repository to have a bug tracker.

Something different

Remy Metailler Smashes Squamish Mountain Bike Trails

Following a Pro Enduro Racer Down Whistler's Hardest Trails // Wyn Masters

Monthly notes 50

Issue 50, 15.6.2020

Serverless

AWS Lambda — should you have few monolithic functions or many single-purposed functions?
Interesting question of if single responsibility principle (SRP) should be followed in the serverless world. What is a “function” if not SRP? TL;DR; many single-purposed functions are better.

Stories

Twitter search of "telling early-in-career engineers stories of times you messed something up real bad is a good way to help them combat their own impostor syndrome." from (@ElleArmageddon)

Kubernetes

In Kubernetes, what should I use as CPU requests and limits?
Good Twitter thread of what are the difference of requests and limits.

How should I answer a health check?
Explains how to use liveness and readiness probes (on Kubernetes). Heard that liveness probe should be always off unless there’s a bug in app which it can’t recover. And long checks can be cached.

Managed Kubernetes Price Comparison (2020)
"TL;DR: Azure and Digital Ocean don’t charge for the compute resources used for the control plane, making AKS and DO the cheapest for running many, smaller clusters. For running fewer, larger clusters GKE is the most affordable option. Also, running on spot/preemptible/low-priority nodes or long-term committed nodes makes a massive impact across all of the platforms."

Learning

Performance profiling for Web Applications with Sam Saccone
"How to use Chrome DevTools to understand a Web application's performance bottlenecks. Goes over a few different workflows that will help us to answer the question "Why is this slow and how can I fix it"."

Tools

OpenSnitch
GNU/Linux port of the Little Snitch application firewall. (from Hacker Newslettter #490, comments)

Kubectl-debug
kubectl-debug is an out-of-tree solution for troubleshooting running pods, which allows you to run a new container in running pods for debugging purpose (examples). The new container will join the pid, network, user and ipc namespaces of the target container, so you can use arbitrary trouble-shooting tools without pre-installing them in your production container image.

Lighthouse audit add-on for Firefox
"Report, Performance, Accessibility, PWAs, SEO scores for any public site. Without opening DevTools."

Monthly notes 49

Working From Home edition.

Issue 49, 27.3.2020

Conferences

Now that COVID-19 has all of us in corontine and working from home, also the technology conferences have been moved to online and free. Here's some.

WFHConf
Working From Home Conf with talks from technology to projects, best practices, lessons learned and about working from home. Agenda and recorded videos: part 1, part 2, part 3.

DEVOPS 2020, April 21 to 22
The Next Decade. The first day (main conference) has interesting talks from use cases and lessons learned, scaling devsecops, transformation journey and more.

MagnoliaJS, April 15-17
JavaScript heavy talks like component reusability, modern JavaScript for modern browsers, JavaScript’s exciting new features, how to supercharge teams and much more.

Red Hat Summit 2020, April 28-29

Tips and tricks

How to do effective video calls
tl;dr; TL;DR "Get good audio, use gallery view, mute if not talking, and welcome the cat."

Tools

Screen
Work together like you’re in the same room. Fast screen sharing with multiplayer control, drawing & video. (from @use_screen)

Kap
An open-source screen recorder built with web technology.

Setapp
The paramount collection of productive Mac apps.

Monthly notes 48

This time monthly notes is for learning Node.js best practices and some interesting approaches for (Node.js) software architecture. Happy reading and be a better developer!

Issue 48, 25.2.2020

Learning

Docker and Node.js Best Practices talk at DockerCon 2019
Slides and Examples .
tl;dr; Use even numbered LTS releases; Don’t use :latest tag; Use Debian:slim/stretch or Alpine; Add node_modules to .dockerignore; Use node user; Proper shutdown (--init, tini, capture SIGINT); Multi-stage builds; healthchecks;

Node.js Best Practices
More than 80 best practices, style guides, and architectural tips with additional info. The repository is a summary and curation of the top-ranked content on Node.js best practices.

Testing in production: ideas, experiences, limits, roadblocks
Talk from Bristech 2019 by Jorge Marin. "Are you afraid of testing in production? Do you test in production? Do you use real data? By definition testing in production is hard. This talk puts together my experience testing in production a large scale system that affects millions of users."

Software Architecture

Using Clean Architecture for Microservice APIs in Node.js with MongoDB and Express
This is an interesting approach to construct your application. "Talk about Bob Martin's Clean Architecture model and I will show you how we can apply it to a Microservice built in node.js with MongoDB and Express JS."

Monthly notes 47

Issue 47: 30.1.2020

War Stories

#Y2038 problem. "It's *already here*. Fix your stuff."
In many systems time is represented as number of seconds passed since 00:00:00 UTC on 1 Jan 1970 and stored as signed 32-bit integer. Such implementations can't encode times after 03:14:07 UTC on 19 January 2038. (from @walokra)

Ops Lessons We All Learn The Hard Way
Good Twitter thread of lessons learned on Ops.

Web

Front-End Performance Checklist 2020
Great resource to read for better front-end performance. Remember, if you don’t measure it, you can’t improve it 🚀 To get you started: use i.a. page speed and lighthouse to see where you stand.

JavaScript

20 ways to become better node.js developer in 2020
tl;dr; Sleep more; Use Jest & Ava; GraphQL!; Check Nest.js; Gradual deployment; Test in production? Learn Docker & Kubernetes; Read vulnerable code; Use monitoring; CI with quality tools;

Kubernetes

How Soon We Forget: Security in the Age of Docker & Kubernetes
Good starting point for hardening your containers and Kubernetes cluster. tl;dr; Running as non-root. Read-only file system. Not terminating TLS too soon. Setting resources limits (Denial of service). Use Kubernetes policies. (from nicolas_frankel)

Software Development

Goodbye, Clean Code
AHA! Avoid Hasty Abstractions. Prefer duplication over the wrong abstraction. Check also Dan’s tweet’s thread.

Remote working tips
tl;dr; the thread: 1) activity signal to start work day 2) frequent small breaks 3) dedicate a space for work (not sofa/bed) 4) take sick days 5) connect with other humans 6) non-project connection point with peers 7) block out distractions 8) go out for lunch.

Tools

tiny-helpers.dev
Collection of useful single-purpose online tools that are useful for web devs. (from @stefanjudis)

Insomnia
"Debug APIs like a human, not a robot". If you don't like Postman then try Insomnia which says to be powerful HTTP and GraphQL tool belt and open source. Seems that it doesn't have similar scripting and testing features as Postman though.

Something different

Finding the best bicycle chain
tl;dr; No major reason for not to use drivetrain manufacturer’s recommended chain. The lubricant you use will play the most critical role in drivetrain durability. Run a good lube and keep your drivetrain clean.