raphting.dev

Blog

The Autopilot Paradox

Why AI and Rigid Scrum Are Failing Developers

In aviation, progress requires finding the right balance. Safety depends on a careful mix of innovation and tradition. Focusing too much on new ideas can harm the industry’s excellent safety record. At the same time, sticking only to old methods is also risky because it means missing out on important improvements. This idea offers important lessons for software development, where two major trends—generative AI and the Scrum framework—risk upsetting this balance.

Read more...

Moving almost 1000 domains

The service that once brought me to the top of Hacker News, my free tool for monitoring TLS certificate expiration, is moving house.

It was a surprise for me to see people submitting hundreds of domains to get monitored only a few days after launch. This number has since stagnated, and because it was a fun little experiment, I am fine with this.

I want to move the service from its current domain (scrutineer.tech) to a subdomain of this blog (monitor.raphting.dev). I am not certain if anyone relies on this service for something important, but I want to make the transition as smooth as possible.

Read more...

When I wrote an Aviation App

In 2019 I received my Pilot License. I was (and still am) enthusiastic about flying and I wanted to dive deeper into the structures of the airspace. I worked a couple of years for German Air Traffic Control (DFS Deutsche Flugsicherung) and picked up a few things about airspace there too. I wanted to build an App for Aviation that visualizes airspace in 3D.

As you remember, early 2020 was a time in which we all learned about the existence of a new virus, and with its spread around the world, aviation came to a halt almost entirely.

Read more...

Sensing North

TL;DR: I published an Apple Watch App on the App Store link

If you are an attentive blog reader, you noticed that the last RSS post was a bit off-context. It didn’t appear in the HTML version though.

I published an Apple Watch App on the App Store, and one of the requirements is to have a support page. I host it on a “hidden” page of this blog. Due to a configuration issue, the page ended up in the RSS feed.

Read more...

Numbers for the RSS Monitoring Service

Last week I published a free tool to monitor the expiration of TLS certificates.

The UX is clunky. Users have to hand-type the URL pattern. There are no queries for customization. And still, more than 500 domains were added over the course of a few days. About half of them are monitored frequently via RSS.

monitored domains

I got a lot of constructive feedback and friendly comments on Hacker News and Lobsters. This showed me again what a great community we have in software development.

Read more...

Free Monitor Certificate expiry via RSS

The expiration of TLS certificates is usually monitored with established monitoring solutions. Sometimes monitoring happens via services that send e-mails when the expiration date comes closer. Often times, these services require a sign-up.

I created an entirely free service that monitors the expiry of TLS certificates via RSS without any sign-up.

How it works

With your RSS Feed Reader of choice, you subscribe to

https://scrutineer.tech/monitor/cert/{domain}.rss

Example for scrutineer.tech: https://scrutineer.tech/monitor/cert/scrutineer.tech.rss

Some background info

  • This is a free service without sign-up
  • Notifications are generated 30 days, 7 days and 1 day in advance
  • No guarantees are given, for nothing 🙃
  • There are no checks for the trustworthiness of certificates. Only the “Not After” field is checked
  • Which means self-signed certificates work

How it looks

github.com

Read more...

Seeing Faces in Trees

When I joined a large software project for a supermarket, I noticed an inexplicable part in the code that was about a CarController. I was curious about how this was related to our project since I was not aware of requirements related to shopping carts. My team lead at the time told me “The main supplier of these software components worked for a German car brand before. The CarController must be copypasta from that project”.

Read more...

My phone is not publicly writable anymore

Phone numbers are weird. They are not secret in their nature, and they grant everyone public write access to my phone (which is surprisingly intrusive with all the noises and vibrations the phone can make).

In the old days, when telephones had numbered buttons, I think phone usage was a bit more self-regulatory due to the few pennies a call cost. That’s not anymore.

I receive a couple of cold calls every week from Dutch numbers, even though the Dutch law forbids cold calls. I don’t know why the law is not effective. This reminds me of the CAN-SPAM Act 2003 which forbids sending non-solicited marketing e-mails a.k.a. Spam, which, apparently, was not effective either.

Read more...

Go Proxy Security, Part 3: Behind Google's Curtain - Auditing Gosumdb

tl;dr: https://gosumdb.scrutineer.tech

In Part 1 and Part 2 of this series, I explained why goproxy and gosumdb exist. In this last part of this series, I introduce an auditing tool for gosumdb that I published, Gosumd Audit.

Goproxy was built with auditability in mind. In my research, I could not find a publicly available audit of the goproxy and the supporting gosumdb, so I built one.

Two parts of the Merkle Tree need auditing: The Merkle Tree itself and the logical integrity of the records stored in the Tree.

Read more...

Go Proxy Security, Part 2: In the Tree

In Part 1 of this series, I explained why Go offers a module proxy and that it is secured by the gosumdb. In this part, I explain how gosumdb secures the Go proxy.

If you want to trust the authorship of code, you would need a direct trust relationship with the code author. In a highly dynamic module ecosystem like Go, this would be infeasible. The assumption that gosumdb makes is, if everyone looks at the same code, it must be the right code.

Read more...

Go Proxy Security, Part 1: A critical piece of infrastructure

When pulling dependencies for Go via go mod, the dataflows are not obvious for the user. You import a github.com/… and the rest happens automatically.

In the default settings, go pulls these dependencies from proxy.golang.org, not from github.com.

This solves one issue in Software Supply Chains: Vanishing dependencies.

When the npm package left-pad was removed from npm, this led to failing builds around the globe. It was one of many supply chain disasters.

Read more...

I can haz Markdown

My feed reader is the main source of online articles I read. I can tune how text is represented in terms of color, font size, font type, and other parameters. This is based on the content source from RSS (and Atom). There is usually no JavaScript-CSS-whatever trickery going on in these feed formats. Just text and media content, and I can consume it in my style.

In contrast there is the world wild web. I designed this blog. I tried my best to provide good typography but I am a typography-enthusiast backend developer. Please don’t ask me for much more than what is already here to see. There are many people like me, enjoying creating content on the web, enjoying self-hosting, but with little knowledge or skills to create the best reading experience. What I usually do when I come across a rather un-readable website (harsh colors, monospaced fonts, mini-fonts, paragraphs as wide as my screen, no clear visual boundaries - a lot can go wrong), I click on the “Reader View” icon in my browser and, like in my feed reader, I am able to tune my reading experience.

Read more...

Without Search, the Fediverse is not decentralized

In 2009 I created a Twitter account. That was about 1 year after I started blogging with Wordpress.

About 10 years later I created a Mastodon account on the instance chaos.social. The instance grew tremendously since I joined, accelerated by things Elon Musk did with or said about Twitter. With so many new users, the vibe changed a bit. Some new people expected things to work more or less like on Twitter. New rules were introduced to make less of a chaos on chaos.social. Instance owners have every right to setup new rules and to enforce them. It is their piece of metal.

Read more...

Thinking above the Team

If you follow me on this blog or the Fediverse, you know that I advocate thinking about team organization. Leslie Lamport phrased the term Thinking above the Code, which I borrow here to think above the team I worked with.

Over the past 6 months, I was part of a self-organized, autonomous team building infrastructure for a sub-section of the Dutch Government. Overall, we run a successful team. We had several deadlines throughout the period, and we delivered every time +/- 1 day.

Read more...

Queues are like Singletons

With a friend of mine I talked about this article you just started reading. After I told him my arguments, he said Queues are like Singletons. Here is why:

Queues come under a few different names, mostly based on the context they are used in. They run under log, PubSub or messaging queue. They offer a client to publish messages to a topic. They also offer clients to subscribe to topics and read the posted messages. (hence the name PubSub).

Read more...

Package manager for dotfiles

There’s a multitude of dotfile manager helpers out there. For clarification: A dotfile is a configuration file typically used in UNIX operating systems to configure various software applications. They are prefixed with a dot “.” so that they are hidden by default.

Gnu Stow, a tool to manage dotfiles, has a history dating back to the year 1993.

What it does

Stow is technically a file link manager. Many file systems offer to link a filename to the contents of another file. Stow by default works with the parent directory. Wherever you store your stow folder, by default stow will create file links in the parent directory.

Read more...

What Software Engineering can learn from Aviation

Is it not magical that an airplane crew that has possibly never worked together in this constellation can flawlessly execute a flight on an extremely complex airplane? A few key ingredients make that possible. Can Software Engineers learn from it?

Disclaimer: I am a licensed pilot, but I never worked with a Crew. I was lucky enough to have excellent instructors who work(ed) as Fighter Jet Pilot, KLM Boeing 747 Captain and Lufthansa Airbus A320 Captain. What I write about airplane crews comes from what I learned from them.

Read more...

Digitaler Impfpass - Kritik

Der digitale Impfpass kommt. Die Bundesregierung hat IBM den Zuschlag zur Koordination des Projekts gegeben. Eine Firma namens Ubirch aus Köln liefert das entsprechende Protokoll zur Ausstellung und Verifizierung von Impfdaten. Ich möchte nicht über die Nützlichkeit oder die gesellschaftlichen Aspekte des digitalen Impfpasses schreiben. Mir geht es vor allem um die technische Umsetzung in Bezug auf Datensparsamkeit. Ich kritisiere zunächst drei Punkte der Implementierung, wie sie zur Zeit ersichtlich ist. Die Daten, die ich online finde, sind allerdings spärlich. Abschließend erläutere ich einen Ansatz, der mir praktikabler erscheint und auf den Datenschutz und das Voranschreiten der Wissenschaft Rücksicht nimmt.

Read more...

Secure updating is hard

Some systems have higher security requirements for auto-updates than others. Think about cars, airplanes and wherever physical harm can result. For updates, secure or not, there is a common pattern:

  1. Check a remote endpoint for available updates
  2. Retrieve the update
  3. Apply the update

Number 3 is environment and application specific, so it won’t be covered in this text. If you think, infrastructure will never be compromised, then this text is not for you. The approach here is: “Trust the people, don’t trust the infrastructure”. The following paragraphs are written under the assumption that update hosts could be compromised.

Read more...

Writing again

I write as long as I know how to use a text editor. It started early, I think when I was eight years old and my mum brought home a used computer. She worked at an IT company at that time, otherwise I don’t think my family would have gotten a computer that early.

My stories were about kids running through forests (the stuff I usually did as a kid), becoming witness of mystical situations (the stuff I wished as a kid to happen).

Read more...

By Raphael Sprenger