In a previous post, I introduced ’legit’, a fantastic git frontend, which is now hosted on legit.
When checking repositories, I like to get a feeling for their commit activity. When was the last commit? How frequent are commits? Am I looking at a repository that was once full of life and is being forgotten now? It is a quick “sanity check” to align my expectations. Not perfect, but a good signal.
In a previous post, I introduced ’legit’, a fantastic git frontend originally written by icyphox. I’ve since decided to “hard-fork” the project to better suit my needs, creating a new, independent version.
My primary goal was to make deployment simpler and more secure. The new version introduces a few changes:
config.yaml file has been replaced by environment variables.
This means you no longer need to manage separate configuration or asset folders..service file (for running legit on Linux) has been hardened. The program now has
read-only access to the repository folder and is blocked from reading or writing to any other part of the file
system. This sandboxing ensures that even if a vulnerability were found in legit, it couldn’t affect the rest of your
system.Normally, I believe it’s best to contribute changes back to the original (“upstream”) project. However, several pull requests in the original repository have gone unanswered. Furthermore, some external dependencies were outdated or pinned to old versions, which can create bugs and security risks.
GitHub was a nice code hosting and showcasing platform, before it became an AI powered developer platform. I need a
simple, read-only showcase for my source code. I didn’t need a full-blown Git forge; I needed a lightweight,
self-hosted frontend, something akin to a modern cgit.
After a quick search for alternatives, I settled on legit. It’s a minimal static site generator written in Go that creates a clean, browsable HTML interface for a directory of Git repositories. It lets you inspect files, view commit history, and read diffs, all without any client-side JavaScript or backend database.
Why AI and Rigid Scrum Are Failing Developers
In aviation, progress requires finding the right balance. Safety depends on a careful mix of innovation and tradition. Focusing too much on new ideas can harm the industry’s excellent safety record. At the same time, sticking only to old methods is also risky because it means missing out on important improvements. This idea offers important lessons for software development, where two major trends—generative AI and the Scrum framework—risk upsetting this balance.
The service that once brought me to the top of Hacker News, my free tool for monitoring TLS certificate expiration, is moving house.
It was a surprise for me to see people submitting hundreds of domains to get monitored only a few days after launch. This number has since stagnated, and because it was a fun little experiment, I am fine with this.
I want to move the service from its current domain (scrutineer.tech) to a subdomain of this blog (monitor.raphting.dev). I am
not certain if anyone relies on this service for something important, but I want to make the transition as smooth as
possible.
In 2019 I received my Pilot License. I was (and still am) enthusiastic about flying and I wanted to dive deeper into the structures of the airspace. I worked a couple of years for German Air Traffic Control (DFS Deutsche Flugsicherung) and picked up a few things about airspace there too. I wanted to build an App for Aviation that visualizes airspace in 3D.
As you remember, early 2020 was a time in which we all learned about the existence of a new virus, and with its spread around the world, aviation came to a halt almost entirely.
TL;DR: I published an Apple Watch App on the App Store link
If you are an attentive blog reader, you noticed that the last RSS post was a bit off-context. It didn’t appear in the HTML version though.
I published an Apple Watch App on the App Store, and one of the requirements is to have a support page. I host it on a “hidden” page of this blog. Due to a configuration issue, the page ended up in the RSS feed.
Last week I published a free tool to monitor the expiration of TLS certificates.
The UX is clunky. Users have to hand-type the URL pattern. There are no queries for customization. And still, more than 500 domains were added over the course of a few days. About half of them are monitored frequently via RSS.
I got a lot of constructive feedback and friendly comments on Hacker News and Lobsters. This showed me again what a great community we have in software development.
The expiration of TLS certificates is usually monitored with established monitoring solutions. Sometimes monitoring happens via services that send e-mails when the expiration date comes closer. Often times, these services require a sign-up.
I created an entirely free service that monitors the expiry of TLS certificates via RSS without any sign-up.
With your RSS Feed Reader of choice, you subscribe to
https://scrutineer.tech/monitor/cert/{domain}.rss
Example for scrutineer.tech: https://scrutineer.tech/monitor/cert/scrutineer.tech.rss
When I joined a large software project for a supermarket, I noticed an inexplicable part in the code that was about a CarController. I was curious about how this was related to our project since I was not aware of requirements related to shopping carts. My team lead at the time told me “The main supplier of these software components worked for a German car brand before. The CarController must be copypasta from that project”.
Phone numbers are weird. They are not secret in their nature, and they grant everyone public write access to my phone (which is surprisingly intrusive with all the noises and vibrations the phone can make).
In the old days, when telephones had numbered buttons, I think phone usage was a bit more self-regulatory due to the few pennies a call cost. That’s not anymore.
I receive a couple of cold calls every week from Dutch numbers, even though the Dutch law forbids cold calls. I don’t know why the law is not effective. This reminds me of the CAN-SPAM Act 2003 which forbids sending non-solicited marketing e-mails a.k.a. Spam, which, apparently, was not effective either.
tl;dr: https://gosumdb.scrutineer.tech
In Part 1 and Part 2 of this series, I explained why goproxy and gosumdb exist. In this last part of this series, I introduce an auditing tool for gosumdb that I published, Gosumd Audit.
Goproxy was built with auditability in mind. In my research, I could not find a publicly available audit of the goproxy and the supporting gosumdb, so I built one.
Two parts of the Merkle Tree need auditing: The Merkle Tree itself and the logical integrity of the records stored in the Tree.
In Part 1 of this series, I explained why Go offers a module proxy and that it is secured by the gosumdb. In this part, I explain how gosumdb secures the Go proxy.
If you want to trust the authorship of code, you would need a direct trust relationship with the code author. In a highly dynamic module ecosystem like Go, this would be infeasible. The assumption that gosumdb makes is, if everyone looks at the same code, it must be the right code.
When pulling dependencies for Go via go mod, the dataflows are not obvious for the user. You import a github.com/…
and the rest happens automatically.
In the default settings, go pulls these dependencies from proxy.golang.org, not from github.com.
This solves one issue in Software Supply Chains: Vanishing dependencies.
When the npm package left-pad was removed from npm, this led to failing builds around the globe. It was one of many supply chain disasters.
My feed reader is the main source of online articles I read. I can tune how text is represented in terms of color, font size, font type, and other parameters. This is based on the content source from RSS (and Atom). There is usually no JavaScript-CSS-whatever trickery going on in these feed formats. Just text and media content, and I can consume it in my style.
In contrast there is the world wild web. I designed this blog. I tried my best to provide good typography but I am a typography-enthusiast backend developer. Please don’t ask me for much more than what is already here to see. There are many people like me, enjoying creating content on the web, enjoying self-hosting, but with little knowledge or skills to create the best reading experience. What I usually do when I come across a rather un-readable website (harsh colors, monospaced fonts, mini-fonts, paragraphs as wide as my screen, no clear visual boundaries - a lot can go wrong), I click on the “Reader View” icon in my browser and, like in my feed reader, I am able to tune my reading experience.
In 2009 I created a Twitter account. That was about 1 year after I started blogging with Wordpress.
About 10 years later I created a Mastodon account on the instance chaos.social. The instance grew tremendously since I joined, accelerated by things Elon Musk did with or said about Twitter. With so many new users, the vibe changed a bit. Some new people expected things to work more or less like on Twitter. New rules were introduced to make less of a chaos on chaos.social. Instance owners have every right to setup new rules and to enforce them. It is their piece of metal.
If you follow me on this blog or the Fediverse, you know that I advocate thinking about team organization. Leslie Lamport phrased the term Thinking above the Code, which I borrow here to think above the team I worked with.
Over the past 6 months, I was part of a self-organized, autonomous team building infrastructure for a sub-section of the Dutch Government. Overall, we run a successful team. We had several deadlines throughout the period, and we delivered every time +/- 1 day.
With a friend of mine I talked about this article you just started reading. After I told him my arguments, he said Queues are like Singletons. Here is why:
Queues come under a few different names, mostly based on the context they are used in. They run under log, PubSub or messaging queue. They offer a client to publish messages to a topic. They also offer clients to subscribe to topics and read the posted messages. (hence the name PubSub).
There’s a multitude of dotfile manager helpers out there. For clarification: A dotfile is a configuration file typically used in UNIX operating systems to configure various software applications. They are prefixed with a dot “.” so that they are hidden by default.
Gnu Stow, a tool to manage dotfiles, has a history dating back to the year 1993.
Stow is technically a file link manager. Many file systems offer to link a filename to the contents of another file. Stow by default works with the parent directory. Wherever you store your stow folder, by default stow will create file links in the parent directory.
Is it not magical that an airplane crew that has possibly never worked together in this constellation can flawlessly execute a flight on an extremely complex airplane? A few key ingredients make that possible. Can Software Engineers learn from it?
Disclaimer: I am a licensed pilot, but I never worked with a Crew. I was lucky enough to have excellent instructors who work(ed) as Fighter Jet Pilot, KLM Boeing 747 Captain and Lufthansa Airbus A320 Captain. What I write about airplane crews comes from what I learned from them.
Der digitale Impfpass kommt. Die Bundesregierung hat IBM den Zuschlag zur Koordination des Projekts gegeben. Eine Firma namens Ubirch aus Köln liefert das entsprechende Protokoll zur Ausstellung und Verifizierung von Impfdaten. Ich möchte nicht über die Nützlichkeit oder die gesellschaftlichen Aspekte des digitalen Impfpasses schreiben. Mir geht es vor allem um die technische Umsetzung in Bezug auf Datensparsamkeit. Ich kritisiere zunächst drei Punkte der Implementierung, wie sie zur Zeit ersichtlich ist. Die Daten, die ich online finde, sind allerdings spärlich. Abschließend erläutere ich einen Ansatz, der mir praktikabler erscheint und auf den Datenschutz und das Voranschreiten der Wissenschaft Rücksicht nimmt.
Some systems have higher security requirements for auto-updates than others. Think about cars, airplanes and wherever physical harm can result. For updates, secure or not, there is a common pattern:
Number 3 is environment and application specific, so it won’t be covered in this text. If you think, infrastructure will never be compromised, then this text is not for you. The approach here is: “Trust the people, don’t trust the infrastructure”. The following paragraphs are written under the assumption that update hosts could be compromised.
I write as long as I know how to use a text editor. It started early, I think when I was eight years old and my mum brought home a used computer. She worked at an IT company at that time, otherwise I don’t think my family would have gotten a computer that early.
My stories were about kids running through forests (the stuff I usually did as a kid), becoming witness of mystical situations (the stuff I wished as a kid to happen).