We figured out how to write good code. We figured out how to write good code in a reusable way…for the most part. We figured out how to distribute and mix all that good reusable code in a sensible fashion. Can we now figure out how to do it all securely?
Package signing is a simple enough idea, and I’ve been spending time trying to fit it, Composer and Packagist together as a model in my head. The concept is to have parties create a cryptographic signature of the code to be distributed at a specific point in time using a private key. If anyone were to change that code or its metadata (think composer.json) with malevolent intent, the end user would then notice that the cryptographic signature cannot be verified using the package author’s known public key. It’s a familiar topic from all those cryptography books you’ve doubtlessly read .
Alright, it’s actually a horrendously complicated topic that boggles the minds of many a programmer. We’re a practical bunch, and we just want the damn code. NOW!
Practical considerations and security are locked in a continuous battle for primacy. Look at SSL/TLS – it is a security nightmare but we keep it around because, until someone comes up with a decent replacement, the alternative is no encrypted HTTPS with a verifiable host for anyone. We continue to support old versions of SSL/TLS out of practical concerns despite knowing their weaknesses. They are old versions for a reason!
Those same concerns have been at war in my own head since last week, when I made the mistake of contemplating package signing. Eventually, my practical side won out and my security persona has been sulking in a corner ever since refusing to talk to me.
The problem with package signing from my perspective is tied up in a phrase most of you would know: The needs of the many outweigh the needs of the few. Thank you, Spock.
PKI vs GPG (Some Context!)
I won’t go into too much detail here…
Right off the bat, we have two contenders for signing packages: Public-key infrastructure (PKI) backed by a Certificate Authority (CA) and Pretty Good Privacy (PGP) also commonly referred to by its GNU implementation, GNU Privacy Guard (GPG). You’d be most familiar with PKI in the form of the SSL certificates used online. Both have the notion of private keys and public keys. Data encrypted by one key can only be decrypted by the other key. If you keep one private, then holders of the public key can always verify that data sent by you was really sent by you. If you lose the private key, you’ll need to revoke it and get a new one.
Assuming, they trust it is you to start with!
Trust is the core difference between PKI and GPG. How do you know, with certainty, than any given public key is firmly associated with the person you know it should be associated with? Maybe it’s a hacker posing as that person? Maybe it’s the local friendly NSA office masquerading as Google? Establishing trust takes diverging paths for PKI and GPG. PKI keys (in the form of certificates) are either self-signed or signed by a trusted Certificate Authority. Generally, we put zero faith in self-signed certificates because anyone can claim to be anyone else using them. We instead trust a select number of CAs to sign certs because they’ll hopefully do stuff like asking for passports, addresses, and other person or company specific information to verify any entity’s real identity before doing so. GPG avoids centralised authorities like the plague and instead uses a “web of trust” model where everyone can sign everyone else’s public key, i.e. the more of these endorsements a GPG private key gets,
Truncated by Planet PHP, read more at the original (another 11962 bytes)
Recruiters. Many developers hate their guts, and (in most cases) rightfully so. They usually have no clue about technology or about how to communicate with developers. It is also pretty clear most of the times that they’re only out for quick wins. I’ve seen recruiters call a developer they’d placed in a company exactly 6 months after he started to see if he wanted to move on, because 6 months was the period in the contract between the employer and the recruiter. I’ve seen recruiters tell candidates that the employer wasn’t interested, just because the employer didn’t want to pay the extremely high recruiter-fee. Hell, my first professional PHP job was like that. I ended up having direct contact with the employer because I didn’t believe the story the recruiter was telling me, and landed a pretty cool project. Some of the people I worked with there are still friends.
There is a flipside though: There are recruiters out there that do understand how things work. They know how developers work, communicate, what they feel is important. They are rare, but they do exist. So it would be stupid to just say “don’t work with recruiters” to companies or to developers. The thing with working with recruiters is: It takes time. You can’t just give a recruiter a profile and wait until they get you developers, or tell them you’re looking for a job and wait for the interviews. You have to invest in the relationship with the recruiter, do some research, get to know them, and ensure you’ve found one of the good ones.
The role of a recruiter
Many companies I’ve worked at, with or been in touch with expect a recruiter to look at their huge list of available developers (here’s your first mistake, because how many developers are actually available?) and give you the best developers based on a (usually incomplete) profile. But what exactly is it that a recruiter does?
Most recruiters have very little technical knowledge. They’re networkers, they create a network amongst developers and companies and try to link one with the other when they get a request. So from the majority of the recruiters, you should not expect that they make a judgement on the seniority of the developer or his skillset.
In an ideal world, the recruiter you work with actually has a development background and keeps his/her development knowledge up to acceptable levels. Ideally, the recruiter should be able to judge the skills and level of any developer they send your way.
Think about your reasons for hiring a recruiter
Before even contacting a recruiter, you need to ensure you’re doing this for the right reasons. Many companies simply expect the wrong things from a recruiter. As I mentioned before, you can’t just give them a profile and wait for the developers to come in.
Simply outsourcing getting potential candidates should not be your only reason hiring a recruiter, at least not if you want to save yourselves some time. The time you save by getting in the candidates, you will most probably spend doing interviews with candidates that do not actually fit your profile. The amount of times I (specialized in PHP with very little experience with other languages) got approached by a recruiter for a Java or Python-project is beyond belief. Getting 10 CV’s from a recruiter is not a good thing. It’s a bad thing. Instead, you’d want to get one or two CV’s of developers that actually are what you look for.
Even if you have a good recruiter, don’t expect to save much time on the recruitment process. Even if they immediately pass you the right CV’s, you’ll still need to make the final judgement on whether the developers are good or not, and of course convince them to work for you. You’ll still need your own HR-people to handle everything.
Take back your own recruitment
It may be worth your while to consider taking the recruitment back into your own organization. The most important task for a recruiter is to find the right developers for your organization. This may seems like a task that takes a lot of time, but it is easily combined with other stuff you already do (or should do).
The best representatives of your company when it comes to finding developers are your developers. They can speak to potential developers on the same level, can explain what the challenges are and what the fun aspects are of working for your company. They are also the best people to try and find out if a potential developer would fit your company, both in skills and in personality.
So if you have a position for a new developer, send your existing developers to usergroup meetings and conferences. Let them get in touch with other developers, potential employees. Don’t tell them to go out and find people, but tell them to keep their
Truncated by Planet PHP, read more at the original (another 3249 bytes)
What is Gamification?
“Gamification” is the use and application of game design techniques and game mechanics, in non-game contexts, to engage a target audience to change behaviours, learn new skills, or enable innovation. Game design can be applied to practically all facets of business from customer engagement, employee performance, training and education, innovation management, personal development, sustainability and health. Gartner predicts that by 2015, more than 50% of organizations that manage innovation processes will gamify those processes.
Continue reading %Building Engaging Web Apps with Game Mechanics%
The MySQL Fabric framework brings two major features: automatic client- and server-side failover and sharding. The manual hints, you need a “Fabric aware driver” for this but it does not list one for PHP. First, you don’t necessarily need new … Continue reading →
If you want to create a blog using MongoDB and PHP, this article will teach you to:
- Connect to a MongoDB database
- Save documents in a collection
- Query documents in a collection
- Perform range queries
- Sort documents, update a document, delete one or more documents from a collection
The reason I chose to build a blog application is because it is a basic CRUD application and it is very suitable for easing into PHP and MongoDB web development. We will build a plain user interface using Bootstrap with simple textboxes and buttons. A MongoDB database will store all the content. You can download full source from github, see a demo frontend here and try the demo app’s backend with the user name and password being duythien.
Continue reading %Building a Simple Blog App with MongoDB and PHP%
- Continue reading →
Lorna is an independent web development consultant, author and trainer, available for work (interesting projects only). This post was originally published at LornaJane
One of the things that we do by defining design patterns is we create a common language that we can use to explain and express ourselves. When I say to you “I used an Adapter” or “I implemented the Factory pattern”, that should conjure up a specific image in your mind of object relationships and behaviors, even if you don’t know my specific use case or problem domain.
When we use these terms incorrectly, we not only devalue them, we confuse developers. For one of the most up-and-coming frameworks to use a technical term so incorrectly is disturbing. It breaks down the vocabulary that technical people use to communicate with each other, because there are now two very different definitions floating around with the same name.
Of course, Laravel’s Facades are in fact well-designed proxies implementing the Proxy Pattern. There’s nothing wrong with that: as a developer, it’s up to you to decide how and what patterns you’re willing to accept in your framework, and to write your application however you wish. All I ask is that we stop calling them Facades.
Hear hear. Via Let’s Talk About Facades | BrandonSavage.net.