Weeknotes 144
31st March, 2024
“Sneaky backdoor”
-
You may have heard of the security issue taking over the Internet this week. Someone called Jia Tan seems to have been gradually sneaking a backdoor into xz, a widely used data compression library. I haven’t kept up with everything, but the things that stand out are: 1) it was discovered by accident; 2) some automatic checks were sneakily disabled by adding a single period to the beginning of a line. Would you have spotted that in code review?
Here is a very thorough post by Evan Boehs detailing what happened.
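An added illustration of why that one period mattered (this is not from the notes above and not xz’s own build files). In xz the line in question sat inside a CMake compile probe for the Linux Landlock sandbox: the extra period made the probe’s C source fail to compile, the build concluded Landlock was unavailable, and the sandbox was silently left out. The script below mimics such a configure-style probe. The probe source is a constructed stand-in that only checks `<unistd.h>` compiles, and it assumes a C compiler is reachable as `cc` (or via `$CC`).

```shell
#!/bin/sh
# Added example: a configure/CMake-style compile probe, and how a single
# leading "." silently flips its answer. The probe source is a constructed
# stand-in (it checks <unistd.h>, not Landlock). Assumes cc or $CC exists.

CC="${CC:-cc}"

# Compile-probe the given C source. Like autoconf / CMake's
# check_c_source_compiles, it answers only "1" (compiles) or "0" (does not):
# any compile error is reported as "feature not available" and the
# compiler's diagnostics are discarded. That is what makes the sabotage quiet.
probe_compiles() {
    tmpdir=$(mktemp -d) || return 1
    printf '%s\n' "$1" > "$tmpdir/probe.c"
    if "$CC" -fsyntax-only "$tmpdir/probe.c" >/dev/null 2>&1; then
        echo 1
    else
        echo 0
    fi
    rm -rf "$tmpdir"
}

CLEAN_PROBE='#include <unistd.h>
int main(void) { return 0; }'

# Identical apart from one "." at the start of the #include line.
# The period is not valid C, so the probe fails and HAVE_FEATURE becomes 0.
SABOTAGED_PROBE='.#include <unistd.h>
int main(void) { return 0; }'

probe_clean()     { probe_compiles "$CLEAN_PROBE"; }
probe_sabotaged() { probe_compiles "$SABOTAGED_PROBE"; }

# Review aid: does a probe source contain a line that begins with "."?
# Returns 0 (shell true) when such a line is present.
has_leading_dot() {
    printf '%s\n' "$1" | grep -q '^\.'
}

echo "clean probe:     HAVE_FEATURE=$(probe_clean)"
echo "sabotaged probe: HAVE_FEATURE=$(probe_sabotaged)"
```

The practical lesson: a feature probe that fails cannot be told apart from a feature that is genuinely absent, so a review of build-system changes has to treat the probe source itself as security-relevant code, not boilerplate, and a diff that touches only one character of it deserves the same scrutiny as a change to the sandbox it gates.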
-
Deposit transferred. Exchanged on Thursday. Completion next week. Let’s do this!
-
There’s nothing you can do to prevent a SIM-swap attack by Terence Eden is a very scary prospect.
It is tempting to think that users are to blame for their own misfortune. If only they’d had a stronger password! If only they didn’t re-use credentials!
I try to use an app-based 2nd factor when I can, but there are a lot of services, especially important ones like banks, that will only send you an SMS.
-
Generate images of code and terminal output.
This is charming.
-
“Chilled strings” are soon to be a thing in Ruby.
As a path toward enabling frozen string literals by default in the future, this commit introduces “chilled strings”. From a user perspective chilled strings pretend to be frozen, but on the first attempt to mutate them, they lose their frozen status and emit a warning rather than raising a FrozenError.
I thought frozen strings were not happening, so this is an interesting development.
-
The Rails docs are getting an overhaul and they look promising so far.
-
We’ve been catching up with The Bear the last couple of weeks. I had watched up to halfway through season 2 before but got distracted and never finished the series. This is such good television.
-
There is no EU cookie banner law.
…while people think terrible banners are legal requirements enforced from the EU, most cookie banners are actually… illegal according to the EU law.
Huh.
This situation is superbly paradoxical. And not just because Americans complaining about EU having too much influence outside of its border is peak irony.
🔥
-
From Zach Leatherman of 11ty fame:
Here’s the source code between the doctype and the <title> for this site:
×26 <link rel="preload">
×36 external <link rel="stylesheet">
×91 external <script src>
This is not a nuanced point I’m making. We’re not debating the finer points of complicated web performance trade-offs. This is a very slow web site.
Pretty compelling, right?
-
Stop GraphQL-ing, you are not Facebook.
(Yes, I did have to deal with GraphQL this week).
-
Phoenix Dev Blog – Server logs in the browser console – very nice.
Let’s collocate the server logs with the client logs! The first place you’re going to look while using the UI is the browser’s web console. Your UI framework logs and UI errors are already there and built into your workflow.
Yet another example of developer UX improvements in Phoenix apps.