[2024 dev2next] avoid rework

Speaker: Lisa Crispin

For more see the table of contents


Typing this up after. I didn’t live blog because there were a lot of group exercises.

General

  • Bug vs missed requirement – which one is less painful for the user?
  • Lose focus entirely if try to focus on more than 6 things

7 product dimensions; ask questions about each

  • User
  • Interface
  • Action
  • Data
  • Control
  • Environment
  • Quality Attribute
  • Bring cheat sheet with dimensions to meeting to draw out questions; helps think laterally
  • Thinking tool; doesn’t matter which question a category is in.

Personas

  • Name
  • Description
  • Values
  • Likes

Others

  • State diagram
  • Flow diagram
  • Context diagram
  • Examples – can become tests/stories

Exercises

  • Ask a question for each dimension
  • Make a persona. Ours was named Kim and a stick figure on a coffee cup
  • List business rules and examples

My take

The interactivity was helpful in “feeling” why these are valuable.

https://bddbooks.com

[2024 dev2next] distributed consensus algorithms

Speakers: Mykyta Protsenko, Alex Borysov

For more see the table of contents


Scenario: need 5 people to meet: two in Ukraine, one east coast US and two West coast US. Need to meet weekly

Consensus properties

  • Fault tolerance – not reliant on one person to see result
  • Safety – only one value chosen
  • Liveness – get to consensus in finite amount of time, can take multiple iterations

2 phase commit

  • One person asks and someone says can attend if everyone can. Everyone says yes.
  • Commit and now official.
  • Simple but downsides. When group big, a lot of acks. If one no, transaction aborted and start over. Also, waiting for slowest node to reply.
  • If coordinator loses internet, everything blocked
  • Fails on fault tolerance and liveness

Paxos Protocol

  • Everyone has a ballot with unique ballot number
  • Propose a time with next ballot
  • Submit last vote null message to promise that will vote. Can be for or against.
  • Once majority promise to vote, sends actual begin ballot message
  • Then people actually vote
  • Consensus is majority. Sends message that reached consensus
  • Each participant must track last ballot tried, promise to vote and actual vote.
  • Choosing proposer and ballot don’t have to be the same person
  • Can only vote if confirmed a promise to vote in cluster
  • Learners can observe to be notified when consensus is reached
  • Fault tolerant because majority is enough
  • Safety because majority based
  • Doesn’t ensure liveness.
  • Can elect member as leader who can be the only one to propose
  • 2 round trips for consensus
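The promise-then-vote flow above, as an added example that is not from the talk: a single-decree Paxos run over the five-person meeting scenario, showing that a majority is enough when two members are unreachable and that a later ballot must reuse a value an earlier majority already voted for. The participant names, meeting times, and the `Participant`, `runBallot` and `meetingDemo` names are constructed for illustration; messages are delivered synchronously and the proposer is not modeled as a separate node.

```javascript
// Single-decree Paxos for the five-person meeting scenario (constructed example).
class Participant {
  constructor(name) {
    this.name = name;
    this.online = true;
    this.promised = 0;   // highest ballot number this member has promised to
    this.voted = null;   // last vote cast: { ballot, value }, or null if none
  }
  // Phase 1: reply to a new ballot with a promise carrying the last vote (or null).
  promise(ballot) {
    if (!this.online || ballot <= this.promised) return null;
    this.promised = ballot;
    return { from: this.name, lastVote: this.voted };
  }
  // Phase 2: vote unless a higher-numbered ballot has been promised meanwhile.
  vote(ballot, value) {
    if (!this.online || ballot < this.promised) return false;
    this.promised = ballot;
    this.voted = { ballot, value };
    return true;
  }
}

// Run one ballot; returns the chosen value, or null when no majority answers.
function runBallot(group, ballot, wanted) {
  const majority = Math.floor(group.length / 2) + 1;
  const promises = group.map(p => p.promise(ballot)).filter(Boolean);
  if (promises.length < majority) return null;
  // Safety rule: reuse the value of the highest-numbered earlier vote, if any.
  const prior = promises.map(p => p.lastVote).filter(Boolean)
    .sort((a, b) => b.ballot - a.ballot)[0];
  const value = prior ? prior.value : wanted;
  const votes = group.filter(p => p.vote(ballot, value)).length;
  return votes >= majority ? value : null;
}

function meetingDemo() {
  const group = ['Kyiv1', 'Kyiv2', 'East', 'West1', 'West2'].map(n => new Participant(n));
  const setOnline = (names, on) =>
    group.filter(p => names.includes(p.name)).forEach(p => { p.online = on; });
  setOnline(['Kyiv1', 'Kyiv2'], false);
  const first = runBallot(group, 1, 'Tue 10:00');   // 3 of 5 is still a majority
  setOnline(['Kyiv1', 'Kyiv2'], true);
  setOnline(['West1', 'West2'], false);
  const second = runBallot(group, 2, 'Wed 09:00');  // rival proposal, later ballot
  setOnline(['East'], false);
  const third = runBallot(group, 3, 'Fri 12:00');   // only 2 of 5 reachable
  return { first, second, third };
}
```

The second ballot returns the first ballot's time because any two majorities of five share at least one member, and that member's promise carries the earlier vote. The third ballot returns null, which is the liveness gap the notes mention.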

Cassandra

  • Uses Paxos
  • Need to know order of data – linearizable consistency
  • Don’t mix transaction types. ex: use if exists/if not exists consistently.
  • Lightweight transactions are faster than two phase commit
  • Incurs performance penalty by design because more Paxos interactions.

Raft

  • Two message types
  • Leader based. All other nodes are followers
  • No reelections. Leader stays as leader until disappears
  • Like Paxos, use increasing numbers
  • Every node starts as a follower. On term 1, followers notice no leader. One or more volunteers and increases term number. Others vote on leader. Only one vote for that term so can’t vote twice.
  • Once leader elected, followers send requests to leader who propagates
  • Log replication – can be applied (not final) or committed
  • Use commit index as tracker of what data was committed. Allows to see state
  • All followers have a heartbeat tracker. If leader disappears, the one who hasn’t heard from the leader in the longest time becomes a candidate to be new leader. If away and request leader, gets rejected because have one
  • If outside cluster and want to know status, asks leader
  • Fault tolerance – yes leader or follower can drop
  • Safety – guarantees one choice. Also only commit data from term
  • Liveness – in practice yes, but in theory no

Mongo DB

  • Uses Raft
  • If slow member is leader, there is a write bottleneck.
  • Can horizontally scale by replica set. Can hash keys so majority of requests aren’t all on one replica

Accord

  • New algorithm; not widely available
  • Leader based protocols create bottleneck
  • Fast and slow paths
  • If can get majority with fast path, can tell slower nodes later; even async
  • A node must be part of all fast paths majority so can share with others when back online
  • Fast path should be 3/4 of nodes to guarantee someone has latest state
  • Slow path remains as simple majority
  • ACID
  • Reorder buffer to reset transactions to be in order based on time differentials

My take

I knew what two phase commit was. Everything else was new to me. Excellent start to the morning! The five people voting made it easier to follow. The reasons for them disappearing (Ukrainian soldier, Californian losing power) also helped pay attention. (Left a few minutes early to answer a phone call)

[2024 dev2next] Breaking AI

Speaker: Micah Silverman (@afitnerd)

For more see the table of contents


Notes

  • ChatGPT took 2 months to get to 100 million global monthly active users. By contrast, TikTok took 9 months, Uber 70 months, Instagram 30 months
  • Hot trend, but also people found utility in it.

App Security

  • Getting hard.
  • Code growing faster and apps getting more complex

Common uses in dev

  • Adding comments
  • Summarizing Code
  • Writing “readme”
  • Refactoring code
  • Providing templates
  • Pair programming
  • Generating code – the new stack overflow

Stats and studies

  • 92% using AI for coding
  • 57% completed tasks faster (not necessarily better)
  • 27% more likely to finish task
  • 40% of Copilot code contained vulnerabilities
  • More likely to believe wrote more secure code, but wrote less secure code. Because believed was more secure, didn’t look hard.

AI code

  • Like junior dev just out of bootcamp. Need to check that it works and is secure
  • Example hallucinations. Change over time. Over a few months, went from 98% on math to 2% on math. Open AI fixed basic math. Designed to be good prediction engines, not math
  • “chatGPT is confidently wrong” – Eelko de Vos

AI Coding

  • Asked for an Express app that takes a name in a request param and returns a website showing the name
  • All LLMs tried had XSS/injection
  • If questioned or asked to create a secure Express app, would get sanitized one. Level of sanitization varies.
  • Showed Snyk Advisor – gives health score on libraries – ex: sanitizer. Need to check recommended libraries
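The greeting page from the prompt above, as an added example that is not code shown in the talk: the pattern where request data is concatenated into markup, next to a version that checks the parameter's type and encodes it for the HTML context. The function names and the probe input are constructed; `greetHandler` assumes an Express-style `(req, res)` signature and is not tied to any generated app from the demo.

```javascript
// Constructed example: the "show the name from the request" page, unsafe and escaped.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that matter in HTML text and quoted-attribute context.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Express parses ?name=a&name=b into an array and ?name[x]=1 into an object,
// so accept only a non-empty string and bound its length before use.
function readName(query) {
  const raw = query.name;
  if (typeof raw !== 'string' || raw.length === 0) return 'stranger';
  return raw.slice(0, 64);
}

// The flawed pattern: request data concatenated straight into markup.
function renderUnsafe(query) {
  return `<h1>Hello, ${query.name}!</h1>`;
}

// Hardened: validate the type first, then encode on output.
function renderSafe(query) {
  return `<h1>Hello, ${escapeHtml(readName(query))}!</h1>`;
}

// Express-style handler; the restrictive CSP is defense in depth, not the fix.
function greetHandler(req, res) {
  res.set('Content-Security-Policy', "default-src 'none'");
  res.type('html').send(renderSafe(req.query));
}

// Constructed probe input for a regression test: markup that must come back inert.
const PROBE = { name: '<img src=x onerror=alert(1)>' };
```

Keeping a probe like this in the test suite catches the case where a later regenerated or refactored handler drops the encoding step.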

Co-pilot

  • 40% of code trained on is insecure
  • Used approach where prompt through comments (vs chat feature)
  • Used live templates to autocomplete prompt comments to save time for demo
  • Example with Spring boot and Thymeleaf. Copilot got that from context of project
  • Not quite right but made minor changes vs starting from scratch
  • Copyright was 2017; noted hadn’t done that before
  • Copilot tried to provide the next comment/prompt. Not what wanted, but reasonable
  • Snyk IDE extension – Detected SQL injection in view that looks like problems view

Chat GPT

  • Had it do a security code review
  • Added HtmlUtils.htmlEscape(username) – context aware; knew using Spring Boot

My take

Micah said up front that he has no connection to Microsoft or IntelliJ and is just using their products. I never thought to give that disclaimer when I use tools. I’ll think about whether I want to when it isn’t almost 9pm. I am very much a morning person. In fact, that’s why I chose this talk. I thought it would require loading the least info into my mind to understand at this hour while still learning. The demo of copilot for building an app was fun with a good emphasis on security.