A devRant Update!

Hey everyone,

We thought now would be a great time for a devRant summer update on what we've added recently and what we've been working on.

Highlights since our last update:

- We launched devRant++, a supporter program for people who want to help us cover our costs while getting some cool extra features (a supporter badge on rants/comments/profile, reserved spot on our in-app supporter list, ability to edit rants/comments for up to 30 minutes instead of 5, and thanks to immediate user feedback, we also added the ability to post a rant every 1 hour instead of 2, and post comments that are up to 2,000 characters instead of 1,000!) We are extremely happy and thankful for the great response the program has gotten and we plan to continue to improve it using your feedback.

- We added the ability to subscribe to a user's rants. This makes it so you get a notification whenever that user posts a new rant!

- We added an "active discussions" feature (available in the "more" tab on the right). If you're looking to join a conversation happening in the moment, then this feature will help you discover those rants. It shows rants that have recently been commented on so if it's a topic that interests you, you can easily get in on the discussion!

Some stuff we have in the pipeline:

- More fun avatar stuff, including fun new OS/language-themed pets
- More perks for the devRant++ subscriber program - if you have anything you'd like to see, please let us know and we will try to make it happen!
- We will be testing some stuff to help classify rant types (rants, jokes, questions, etc.) in order to create a more personalized experience
- On that note, we're also going to take some more time to do some work on the algo as we haven't done much in terms of improvement since the initial smart algo launched
- Community projects page update - we've been slacking on updating the page and apologize for that. If you have created a devRant-related project and it's not on the community page, please resend it to david@hexicallabs.com (even if you sent it already) so we can make sure it gets added. Sorry about that!

A note on community etiquite regarding voting on content:

We've always believed that one of the most important and awesome experiences on devRant is getting your content noticed and appreciated by others. If you enjoy a piece of content, you should upvote it. If you enjoy 500 pieces of content, you should upvote them all. People really appreciate others enjoying their rants and comments so let them know if you do! If you don't like content, you can downvote it with the relevant reason. What we don't encourage is voting on content that you haven't actually looked at or spamming upvotes in mass for content you're not even actually reading/viewing. While we don't encourage that, it's not explicitly disallowed so we won't impose any penalty for it.

What is strictly prohibited and enforced is using scripts or automated procedures for voting on content. Anyone who is caught doing that will have their account deleted without warning. While very rare, we caught a couple of people doing that this week and both accounts in question were immediately deleted once discovered. To be clear, this is the practice of explicitly using a script or automation to mass vote on content. You will NEVER be banned/deleted for voting on a lot of content manually, even if you vote quickly and on lots of stuff. We just want to make that clear becuase this is not meant to discourage people from voting, it is only regarding votes not placed by humans. So if you're a human voting on content, you have nothing to worry about, we promise!

Please feel free to let us know if you have any questions or feedback on any of this. We love constructive feedback and in the past it has gone a very long way to improving and advancing the devRant community. And as always, thank you to everyone who contributed to the community in any way, we really appreciate it and want to keep making your experienfce better.

Happy ranting,
~David and Tim (Team devRant)
@dfox @trogus

Root gets ignored.

I've been working on this monster ticket for a week and a half now (five days plus other tickets). It involves removing all foreign keys from mass assignment (create, update, save, ...), which breaks 1780 specs.

For those of you who don't know, this is part of how rails works. If you create a Page object, you specify the book_id of its parent Book so they're linked. (If you don't, they're orphans.) Example: `Page.create(text: params[:text], book_id: params[:book_id], ...)` or more simply: `Page.create(params)`

Obviously removing the ability to do this is problematic. The "solution" is to create the object without the book_id, save it, then set the book_id and save it again. Two roundtrips. bad.

I came up with a solution early last week that, while it doesn't resolve the security warnings, it does fix the actual security issue: whitelisting what params users are allowed to send, and validating them. (StrongParams + validation). I had a 1:1 with my boss today about this ticket, and I told him about that solution. He sort of hand-waved it away and said it wouldn't work because <lots of unrelated things>. huh.

He worked through a failed spec to see what the ticket was about, and eventually (20 minutes later) ran into the same issues Idid, and said "there's no way around this" (meaning what security wants won't actually help).

I remembered that Ruby has a `taint` state tracking, and realized I could use that to write a super elegant drop-in solution: some Rack middleware or a StrongParams monkeypatch to mark all foreign keys from user-input as tainted (so devs can validate and un-taint them), and also monkeypatch ACtiveRecord's create/save/update/etc. to raise an exception when seeing tainted data. I brought this up, and he searched for it. we discovered someone had already build this (not surprising), but also that Ruby2.7 deprecates the `taint` mechanism literally "because nobody uses it." joy. Boss also somehow thought I came up with it because I saw the other person's implementation, despite us searching for it because I brought it up? 🤨

Foregoing that, we looked up more possibilities, and he saw the whitelist+validation pattern quite a few more times, which he quickly dimissed as bad, and eventually decided that we "need to noodle on it for awhile" and come up with something else.

Shortly (seriously 3-5 minutes) after the call, he said that the StrongParams (whitelist) plus validation makes the most sense and is the approach we should use.

ffs.
I came up with that last week and he said no.
I brought it up multiple times during our call and he said it was bad or simply talked over me. He saw lots of examples in the wild and said it was bad. I came up with a better, more elegant solution, and he credited someone else. then he decided after the call that the StrongParams idea he came up with (?!) was better.

jfc i'm getting pissy again.

I remember it was Friday, 30 minutes before leaving the office when suddenly someone from the upper management directly asked for my help to mass update something as it is important. By that time our CMS is not capable of doing this so I had to do it straight in the live database.

It was an update query and I decided to type the query in notepad first. when i pasted it in the terminal i didn't noticed i missed the "where" part so i mass updated the status of all our records dating 3 years back.

fuck.. please take note it was on a Friday night.

Windows Update Hate has really become a full fledged trend on devRant. Is this the first mass trend here?

Recently many of us may have seen that viral image of a BSOD in a Ford car, saying the vehicle cannot be driven due to an update failure.
I haven't been able to verify the story in established news sources, so I won't be further commenting on it, specifically.
But the prospects of the very concept are quite... concerning.

Deploying updates and patches to software can be reasonably called *the software industry*. We almost have no V0 software in production nowadays, anywhere (except for some types of firmware).
Thus, as car and other devices become more and more reliant on larger software rather than much shorter onboard firmware, infrastructure for online updates becomes mandatory.
And large scale, major updates for deployed software on many different runtime environments can be messy even on the most stable situations and connections (even k8s makes available rolling updates with tests on cloud infrastructure, so the whole thing won't come crashing down).
Thereby, an update mess on automotive-OS software is a given, we just have to wait for it.

When it comes... it will be a mess. Auto manufacturers will adopt a "move fast and break things" approach, because those who don't will appear to be outcompeted by those who deploy lots of shiny things, very often.
It will lead to mass outages on otherwise dependable transportation - private transportation.
Car owners, the demographic that most strongly overlaps with every other powerful demographic, will put significant pressure on governments to do something about it.
Governments (and I might be wrong here) will likely adapt existing recall implementation laws to apply to automotive OS software updates.
That means having to go to the auto shop every time there is a software update.
If Windows may be used as a reference for update frequency, that means several times per day.
A more reasonable expectation would be once per month.
Still completely impossible for large groups of rural car owners.
That means industry instability due to regulation and shifting demographics, and that could as well affect the rest of the software industry (because laws are pesky like that, rules that apply to cars could easily be used to reign in cloud computing software).

Thus... Please, someone tells me I overlooked something or that I am underestimating the adaptability of the powers at play, because it seems like a storm is on the horizon, straight ahead.