11 November 2011

Android Nails Sandboxing

So I'm learning to programme the Android platform. Despite constantly typing it as "Androind" finding programming fun again after many years of regarding it as somewhere between tiresome drudgery and only mildly interesting in sporadic parts.

It's early days, yet, but I do think that Android's architects had one flash of brilliant insight: Using Unix user and group permissions to sandbox applications. Brilliant! We've had this mechanism since forever, and let's be honest, it's never been all that useful except in the very early years of Unix when we actually did have to put multiple users on a single computer. And even then, most users didn't understand it. Questions about umask and file permissions are among the commonest of Unix confusions I've run across for the past 25-odd years.

Warping the idea to mean that every application is a unique user is a flash of inspiration.

09 November 2011


'the idea of immediate compilation and "unit tests" appeals to me only rarely, when I’m feeling my way in a totally unknown environment and need feedback about what works and what doesn’t. Otherwise, lots of time is wasted on activities that I simply never need to perform or even think about. Nothing needs to be "mocked up."'

Donald Knuth 25 April 2008

(Okay, so I'm late to the party. As always.)

06 August 2011

Design using Other Peoples' APIs

Where you are dependant upon somebody else's API, decouple from that API at the earliest possible opportunity so that the remainder of your system works in terms of your own abstractions rather than that somebody else's. This shields you from the random, spurious, and often unwarned changes they may make. It also enables you to place guards against the various stupidities they may likely perpetrate in the name of fashion or unthinkingness, and ensures that you are - as much as possible - forced to deal only with your own stupidities and unthinkingess.

This injunction includes decoupling from your own APIs where those are non-core to the subsystem under design.

05 June 2011

Housekeeping Note - Server Change

Explaining why I've been so quiet lately: Migrating data and upgrading the software that runs the blogs and farm site (plus a bunch of other stuff) to a new server.  Yay upgrade!  Boo problems!  Just in time, too, it would seem, since the old server started mysteriously and frequently rebooting for no good reason, so I'm pretty sure that its been down more than its been up for about ten days now. :-(

Sorry if its all been very dodgy.

If anybody notices anything noticably untoward, please let me know -- I think I've moved everything over successfully, but not yet 100% sure, but, with the old server dying, I just want everything off it as soon as possible, so haven't had time to test all my new configuration properly.

23 May 2011

Web Site Passwords

"Signing up" for yet another something-social-facebook-wannabe website, I was struck by a random Thought Particle.

Why do all these websites ask me to enter a password twice?

No, seriously! I know the stock answers. Hell, I've written such web-signup forms myself, more times than I care to think about.

Am I that likely to misspell a password? And who would care, when all I have to do is click a link that says something like, "I forgot my password!" to get a new password sent to me. Or a reminder. Or my original password. Or some other way of recovering from my "spelling error".

So, tell me again, why are we typing these things twice inthe first place?

11 May 2011

The Magic Key to Hiring Software Developers

Over the past several months and a half I seem to have run across a lot of Development Managers1 who repeatedly and quite consistently make poor-ranging-to-terrible hiring decisions about prospective developers.

One company I know about has had such terrible luck in hiring developers that they're looking at outsourcing all their development needs. And they're a software house! But you can hardly blame them for feeling demoralised and dispirited after numerous bad hires. Or can you...?

I recently met a programmer - let's call him Arthur2 - who was looking for some Java training. He has experience developing in C, and was looking for a basic Java foundation course, but he needs it to be spread out over evening and weekends. I found this to be admirable! A programmer investing in broadening his skills in his own time and at his own cost!

I don't normally take on that sort of part-time training, but decided to try and assist a fellow Seeker In Pursuit Of Excellence, and engaged Arthur further on ways we might be able to work together. Especially challenging, since I am not even within 500km of the same city as Arthur.

As the emails and telephone conversations flowed back and forth, I soon developed a sense the something was amiss. It took a while, but Arthur eventually told me that he needed the training "urgently and quickly". The penny dropped...

It took me back to a day some 8 or 10 months ago when, whilst helping a client with some recruitment interviews, I came across a candidate-programmer who clearly was unable to program at all. A fellow who allegedly held advanced degrees, and could certainly talk a good project, but who evaded and avoided any and all questions about actual programming. Asked anything about how he would design a programme for a variety of small and typical programming problems, he ducked and he dived, twisted, turned and blathered. Clearly he was unable to write code at all.

It is my working hypothesis that Arthus has talked his way into a Java development position, but is unable to code in Java. By his own admission he knows nothing of object-oriented design. I further conjecture that he may be unable to programme at all, and is not so much seeking a Teacher, but rather wants someone to whom he can effectively sub-contract his daytime work.

There are two mysteries wrapped up in these incidences.

How do such "developers" get hired in the first place?

Clearly the managers hiring them never, ever ask them to write code at any point in the recruitment process.

I have seen a good number of articles of late urging companies who are hiring software developers to make sure that candidates write code live, sometime during the interview process. Isn't this obvious? If you want to hire a bus driver, isn't it logical to put them behind the wheel of a bus and see how they handle the job? Why do we apply a different standard for testing the competence of software developers?

The actual form of code, and the depth of testing can vary, and need not be done all at once. You might simply ask for a whiteboard sketch of a solution in initial interviews. It may not always be necessary to sit candidates down with an IDE and some of your senior developers. Even the most superficial competence checking will quickly revela any bullshit artistry, and I firmly maintain that all people are possessed of exquisitely sensitive bullshit recognition skills.

In a sense, though - for me, anyway - there's a weirder question...

How does someone completely lacking competence in a skill have the chutzpah to talk their way into the job at all?

I can't imagine applying for a job as a Bus Driver. Sooner or later someone's going to expect me to actually drive an actual bus. And I can't. What makes people think they can get away with it just because the job ad says "Java Developer"?

Moral of the story? Just repeating what so many others have already said, in the hope that we can get the word out better. And we do have to get more hiring managers to pay attention, because evidently a whole lot of them are not paying attention yet. If you're hiring a developer, have them write code in front of you. If you really don't have the skills to judge their comptence, and you're starting with a completely new technology so that you lack any already-hired developers who do have the necessary technical skills, then get an outside consultant in to help. Or something.

But please stop hiring bullshit artists who claim to be software developers.

They're giving the rest of us a bad name.

Update: Also beware of technical Trainers who are unable to show you any of their code. Another smell of bullshit artistry!

[1] People acting in the role of Dev Manager, at any rate.
[2] I don't know anyone named Arthur, so I'm reasonably sure I'm not subconsciously picking on anyone.

20 April 2011

shrtn: A URL-shortener

Everyone should have their own personal URL shortener, shouldn't they?
I figured that this wouldn't take more than a couple of hours to write. And, indeed, the core functionality didn't take much more time than that. But then we start designing our way round the shortcuts and quick-and-dirty hacks we've used to "get things going quickly", writing unit-tests and comments explaining our thinking, adding some JSP pages so that we can exercise the whole mess, brewing a couple of batches of beer in between times... let's just leave it at a little bit longer!


Indeed! Why would anybody want Their Very Own Personal URL Shortener?

First: I don't really trust all the "cloudy" hype going around right now. For a start, I have no good reason to trust bit.ly, is.gd, goo.gl or any of the other several-dozen public shorteners. Not that I have much reason to distrust them, but really, I don't know them or the people behind them from a bar of soap. And why should I, like a sheep, participate in generating value[1] for someone who gives me little or nothing in return aside from a shorter, opaque URL that requires an extra network round-trip? And let's not forget that these entities have a nasty tendency to vanish, sometimes rather abruptly. Companies get bought and the acquiring company borgs the product, or sees no value in it, or any of a thousand other corpthink accidents may happen.

Then, too, what sort of assurance do I have that I'll ever be able to get my data (and if I shorten a reference, it's my reference) out of their service ever again? Granted that Google does make some effort in that direction (or at least nods benignly while their engineers do it), but, like the actions of the kakistocracy throughout history, things are only good until a single bad apple rots the barrel.

Second: I don't have PHP deployed on my servers and have no wish to add to the system-administration burden I already have to deal with, so I distinctly want something written in Java...

Third: A whole lot of the URL-shortening services out there don't give any analytics. At least not of those that I can self-host. I think that the analytics angle is compelling. Conventional web analytics - like Google Analytics - are only accessible to the people who created and host the content under analysis. They know where their audience came from, when and how, but nobody else does. If I refer people to some web-stuff[2] I'd like to get an idea of how many people I influenced - how many people followed my recommendation. It is a measure of my own reputation and influence, so highly personal[3]. URL-shorteners give us a way to measure, with a reasonable degree of accuracy and assurance, the influence we have in persuading others to follow our webby blatherings.

I will confess that Google's shortening service is pretty good, and has some nice-ish analytics, but I still think it's in our own best interest to keep at least some stuff out of Google's (or anybody's) mitts. Just on general principles.

An Unexpected Bonus

As it turns out, this is a really, really nice project to use for teaching a JSP/Servlet course, so I'll be reversing it into my Java web-dev course. It covers all the principles I like to get across, from container-managed security through session management and clever use of error-pages, to exploiting the underlying infrastructure properly (instead of hoping that some crapulatious web framework will substitute for your own lack of knowledge or understanding.)


I'll be releasing the code under the GNU Affero General Public License (probably via Google Code). Just have some tidying-up to do first (like getting license notices in place.) The first deployment is very feature incomplete - there's quite a bit I'd still like to add to the app - and some downright dodgy implementation details that need replacing in time, but for now its working for me.

Drop me a line if you're desperate to have it work for you and can't wait...

[1] At least I assume they get some value out of hosting their shorteners, otherwise why would they do it?
[2] I despise the word "content", despite using it quite frequently.
[3] And, YES, ego-gratifying[4].
[4] Or ego-destroying, as the case may be.

15 April 2011

SEO Fail

So. I've been working quite hard at getting course material together... mainly for OO Software Analysis Design courses and a Design Patterns course. The motivation comes from years and years of teaching Other Peoples Courses and experience a deep and abiding dissatisfaction with the material I am handed to work with. I strongly suspect that my students sense this...

Not Good!

So - after a very, very long time umming and aahing over it - I've put my own course materials together. Blatantly stealing tricks and tips from the HeadFirst books, plans include incorporating video and even music. Dare I say I've done a whole lot better than the usual run-of-the-mill courseware? Order of magnitude? But that would be presumptuous, wouldn't it?

Along the way I realised that I needed to pay a whole lot of attention to my (business) website. The old one sucked. Bad! Not at all descriptive of what I'm now doing or trying to achieve in the OO design and architecture space. So I spent a little time reading up on the website of that famous search engine about how best to structure my site and its content for searching. How to better market what it is I do. I read all about "not using Black Hat SEO" techniques. I paid strict attention to their advice! And I went forth and restructured... but only in a good way! What you see is what the googlebot gets. No tricks!

The result?

Falling from a page-rank of nearly fuck all, I now have a page rank of... zero. Thanks, Google! I guess I'll take my advertising business over to Microsoft, now.

I can only speculate what might have brought this on. Perhaps I got listed on some directory site that Google's software considers Bad News. That's the most likely thing I can think of... Or did I just use words like "software design and architecture" a time or two too many? Perhaps it was the word "Java"...

Unfortunately - like The Borg - there's no Human Person one can contact at Google to say, "Hey! I'm really a Person. What went wrong here and how do I fix it?" Pretty much I'm screwed. Where my site was ranking very well for searches on stuff like "software design training", "Java training"  and "software architecture course" last week, this week I'm nowhere to be seen. Instead you'll see listing from schmucks offering the same-old same-old. The same tired, half-hearted training crap that led me to start developing my own course material in the first place!

So what's a Real Human to do? I guess I'll just have to live with it. After all, my reputation amongst intelligent human beings is top-notch... not something I have to worry about. So do I need to get upset over how some software see me?

Probably not.

15 February 2011

Test-First for Mental Health

I've been thinking recently about how a Test-First approach to development is good for our emotional well-being and psychological balance, and I believe this may be the most important reason to adopt test-driven  development.

Consider how we would traditionally develop software using a conventional Test-Last approach. We read our requirement spec (whatever form that takes), perform some design work -- as much as we feel we need to go forward with some confidence, and we start cutting code. Time goes by. Our codebase grows. We're doing some informal testing as we go along to feel confident that the code under development does what we think it should be doing...

And here's Important Point Number One: "the code does what we (the developers!) think it should be doing". Not what the business thinks it ought to be doing. See? We're inherently unsure -- even if only subconsciously -- whether we're doing work that actually serves the business. And unsureness is insidious and destructive to our well-being. We feel much better about ourselves as developers when we know that we're producing useful stuff that really has value. So here's the first way that having tests defined up-front helps us preserve our mental balance: With a reasonable set of tests1, defined together with our business partners, there's no bullshit involved; no trying to convince ourselves of the (probably shaky) value of our ever-growing codebase. We have an external, automated, objective, easily understood yardstick of value.

But there is, I think, a deeper psychological value to the Test-First approach.

So much of the time -- I will thumbsuck something like 99% of the time -- our code is broken. The system we're working on doesn't work. This is inherent in the fact that it takes us time to design and write software, and the continual not-workingness can be powerfully demoralising. Especially when we (finally, right towards the end of the project lifecycle) start formal testing, and our tester (often users) start coming back with bug after bug after bug after bug, and all that beautiful code we're so proud of is labelled "Less Than Satisfactory" -- usually in much stronger language than that.

Herein lies the secret destructiveness of Test-Last. Our code is always broken, and we can never do more than run after the brokenness trying to patch it up, until, at last, demoralised and exhausted, we move on to the next job or project.

Contrast this with a Test-First pattern.

We first write a bunch of tests. Sure it takes some time, can often be pretty tedious, and is frequently little more than a first-pass best-guess at what the code is supposed to do. Almost certainly we will add more tests as our code grows and evolves and begins to tell us the shape it wants and needs to be. But at least we start with a battery of (automated!) tests. And we start with the expectation of them all failing. This is by definition! We haven't written the necessary code, yet. A short time later we may have enough of the boilerplate in place that we can at least compile everything and actually run our tests, but we still expect them all to fail because our methods all read

throw new UnsupportedOperationExcetion( "TODO" );

So we run our tests, and they all fail. And we're happy about that! Everything went as we predicted. We feel in control.

As we go along replacing those stubbed-out methods, some of our tests begin to go green. We're making visible progress towards a well-defined end goal. We gain an ever-increasing feeling of confidence and accomplishment. We have tangible, objective evidence that we're making progress. Even when we make some of the "test bar" revert somewhat to red -- because we add new tests, or because we do some large-scale refactoring that breaks stuff -- we still feel good about it, because we know that our self-built safety-net is working! We've actually decreased the likelihood of things going wrong, so we know we're enhancing the quality of our product. (And every good developer I've ever worked with has an inner Proud Craftsman lurking in their soul.)

So it seems to me that Test-First builds our confidence and self-esteem as we go along, whereas Test-Last contains an inherently destructive, soul-sapping subversiveness to it.

I think this value outweighs the sum of all the other benefits (many though they are) of Test-First.

[1] Note that I make no distinction, here, between Unit Tests, Functional Tests, or System Tests (which would probably involve real databases, external systems, and so forth, albeit serving test data to our system-under-test.) I don't really care what form of Test-First is most useful to your team and situation. It's the principle that counts!

08 February 2011

Fusion Cuisine: Slicing and Dicing Courses to Suit Different Palates

Ever been faced with setting up training for some of your developers, but the courses offered by the usual suspects fail to cover the technologies your team uses? Or cover technologies that you don't use? Or lack the depth you're looking for in particular areas? Or too much depth...?

I was recently faced with a request from a client who want to put some of their junior developers through an Intro to Java course. The developers in question come from various other programming backgrounds, and already understand OO concepts and normal development disciplines. The "obvious" choice is the Sun/Oracle SL-275 mainstay course which I have been teaching (on and off) for something like 15 years, now.

But! A good part of SL-275 – and of my own Intro to Java course – delves into developing applications using the Swing GUI toolkit, used to construct desktop applications. This particular client is a company that only does web-applications, so learning a bunch of Swing concepts does them little good. I was happily able to propose that, instead of using Swing for that portion of the course, we could substitute some Servlet and JSP concepts and development. This arrangement serves them much better, as it also equips their developers with knowledge they will be able to immediately put to productive use. Fortunately I have lately put in a lot of work on a Servlet/JSP course, so I'm able to cycle some of that material into the Java Intro course.

It's not as simple as it sounds, though!

The Swing portion of "Intro to Java" also serves some other pedagogic purposes. It reinforces some of the OO groundwork covered earlier in the course by driving home the differences between inheritance, containment and usage. (At least it does the way I teach it!) Swing also provides a good platform for introducing listeners (Observer Pattern in the GoF book), Java's anonymous-inner class mechanism, and the exception-handling framework, along with a bunch of other bits-and-pieces that are useful for new-to-Java developers to learn, like converting between Strings and numbers.

So the challenge, now, is to make sure that I can adequately cover the same territory, and serve the same purposes, using servlets and JSPs. Not too hard, really, but it should make for a fun course where we can do a lot more hands-on, practical development work than the stock SL-275 allows.

The other tricky bit to watch is making sure that the level of detail doesn't overwhelm new-to-Java developers with too many web-application specifics. It is important to keep the focus on "Introduction to Java", and not lose sight of the real objective in a welter of webapp configuration and deployment.

Just a single, simple example of where and when customised courses can much better match the client's needs than any standardised, templatised training provided by a 4-week-per-month manual-pusher.
Contact me for a course customised to your organisation's needs!

18 January 2011

2011 Course Planning

Whew! Looks like March is going to be a busy month. I've planned no less than 3 courses back to back, so hard work ahead...

I'll be kicking off with the 5-day "Intro to Java" course on 7-11 March. It seems like Cape Town's demand for Java developers is insatiable. I've had requests from a couple of clients for this course simply because they just can't find good Java devs for their expanding teams, and they're going to be hiring developers with good OO experience from other (non-Java) environments and training them up for Java development as an alternative. Now, I know that any good developers loves learning new stuff, so I think these clients are doing a Good Thing by offering skills-development as part of their hiring process. My job is to give them the best possible Java Platform course, and I have great plans for delivering just that!

Next up will be the newly developed 5-day "Web Application Development with Servlets and JSP". If you've last looked at JSP technology a few years ago, possibly run away in terror at the sight of all the horrible in-page logic that made scriptlet-based JSPs such a nightmare for maintenance, then you really owe it to yourself to get up to speed with scriptlet-free, tag-based JSP development. The course includes topics on the new, new Servlet-3.0/JSP-2.2 enhancements that use annotation-based configuration.

And last, but not least, will be my much-acclaimed 4-day "OO Analysis and Design" course – thus fitting neatly into the 4 working days that remain after the Human Rights Day public-holiday.

I'm planning to run all the courses in Cape Town. (still looking for a great venue, so please drop me a line of you know of something extraordinary.)

Drop me a line if you're interested in any of these. Miss this opportunity at your own risk – I will probably not be scheduling courses in Cape Town again before August!

I'm offering an Early Bird discount of 20% to anybody who confirms a reservation before the end of January!
Related Posts Plugin for WordPress, Blogger...