The Changelog The Changelog #352  – Pinned

The Pragmatic Programmers

Dave Thomas and Andy Hunt, best known as the authors of The Pragmatic Programmer and founders of The Pragmatic Bookshelf, joined the show today to talk about the 20th anniversary edition of The Pragmatic Programmer. This is a beloved book to software developers all over the world, so we wanted to catch up with Andy and Dave to talk about how this book came to be, some of the wisdom shared in its contents, as well as the impact it’s had on the world of software. Also, the beta book is now “fully content complete” and is going to production. If you decide to pick up the ebook, you’ll get a coupon for 50% off the hardcover when it comes out this fall.

read more

Forbes Icon Forbes

Developers don't understand CORS

Fascinating look at the underpinnings of the big Zoom vulnerability announced last week, including an excellent discussion of how a lack of understanding may have led to this huge fiasco. Author Chris Foster: What this says to me is that Zoom may have needed to get this feature out and did not understand CORS. They couldn’t make the AJAX requests without the browser disallowing the attempt. Instead, they built this image hack to work around CORS. By doing this, they opened Zoom up to a big vulnerability because not only can the Zoom website trigger operations in the native client and access the response, but every other website on the internet can too.

read more

Strange Loop Icon Strange Loop – Sponsored

Observability is SUPERPOWERS for developers

Christine Yen, cofounder of, is giving a talk at Strange Loop 2019 on “Observability: Superpowers for developers.” When observability is folded into the development process itself, it represents the potential for a beautifully virtuous cycle: production stops being just where our development code runs into issues, and it becomes where part of our development process lives.

read more

logged by @logbot permalink

Tobias van Schneider

Content or design first?

This is a thoughtful look at the relationship between content and design, and some steps that designers can take to better work with copywriters. We all know designers and copywriters should not work in silos. We know design and copy should inform each other, rather than one being retrofitted to the other. This is especially true for UX writing, which must work in tandem with design to do its job well. Effective collaboration between design and content, however, is easier said than done. The author goes on to lay out some ideas to improve collaboration, mostly from the standpoint of the designer, but honestly I think a lot of these same ideas are important for developers. And you can extend it further by saying “don’t use placeholder copy for user generated content”.

read more

Michael del Castillo

Shell invests in Ethereum

This is a really interesting usage of blockchain technology to ensure you are really getting what you think you bought. Michael del Castillo writes on The fifth-largest oil and gas company in the world, valued at $262 billion, is investing an undisclosed amount in LO3, a New York startup using a modified version of the ethereum blockchain to make it easier for individuals to buy and sell locally produced energy using the existing network of power cables. While the bitcoin blockchain lets users track the flow of value without the need of banks to audit the system, LO3’s platform, called Exergy, is designed to track the flow of energy as it is added to a shared, local energy network, giving the neighbors who purchase the energy absolute certainty it really came from a windmill, a solar panel or a gerbil running on a treadmill.

read more

Nicholas Rempel

Moving the world to a 4 day workweek

Is it possible to work just 4 days a week, be happier, more productive, and still make the same amount of money? That’s one of many questions Aidan Harper and other researchers at the New Economics Foundation and members of the 4 Day Week campaign are trying to solve in an effort to combat the problem of overwork, which is “leading to a crisis in mental health and well-being.” The single biggest cause of work related stress, anxiety, and depression is overwork. So much so that last year one in four of all sick days was the result of overwork — which is huge proportion of sickness caused directly by overwork. In some ways, you can look at this statistic as a massive drag on the economy. Losing that many work days is very expensive but, more importantly, it’s also a huge societal malaise. Every day people are feeling the effects of overwork and this statistic doesn’t even take into account the number of people who aren’t taking sick days but are feeling generally burnt out and are just barely getting by. To summarize — the 4 day workweek is a pragmatic response to a the problem of overwork that is leading to a crisis in mental health and wellbeing. If you’re just off the heels of the recent honest conversation about burnout on JS Party, then you’ll certainly enjoy this interview with Aidan Harper,

read more


Sqlite To Rest

LGTM, but why? Mostly because I wanted to dig deeper into node web server code, but also because I haven’t jumped onto the NoSQL bandwagon and think that web APIs are extremely useful. The result is a modest attempt at automating the CRUD boilerplate that every developer hates, while following the specs to make API consumption intuitive. I chose sqlite to keep the database side of things simple, with the intent that the API isn’t serving heavy loads.

read more

Jonathan Leitschuh Medium

Zoom's zero day bug bounty write-up

By now you’ve probably heard about Zoom’s zero day bug that exposed 4+ million webcams to the bidding of nefarious hackers. Security researcher Jonathan Leitschuh shared the full background and details on InfoSec Write-ups: This vulnerability was originally responsibly disclosed on March 26, 2019. This initial report included a proposed description of a ‘quick fix’ Zoom could have implemented by simply changing their server logic. It took Zoom 10 days to confirm the vulnerability. The first actual meeting about how the vulnerability would be patched occurred on June 11th, 2019, only 18 days before the end of the 90-day public disclosure deadline. During this meeting, the details of the vulnerability were confirmed and Zoom’s planned solution was discussed. However… If you use Zoom or if you’ve EVER installed Zoom, read Jonathan’s write-up and take appropriate action to update Zoom or to remove the lingering web server it leaves behind. Confirm if the server is present by running lsof -i :19421 in Terminal.

read more

link Icon

How to run a small social network site for your friends

Darius Kazemi, recent Mozilla Fellow and one of my favorite internet artists, has put together a comprehensive guide on how to run your own social network. The Mastodon instance he runs, Friend Camp, seems like one of the more fun and positive social networks around. This document exists to lay out some general principles of running a small social network site that have worked for me. These principles are related to community building more than they are related to specific technologies. This is because the big problems with social network sites are not technical: the problems are social problems related to things like policy, values, and power.

read more


Hypothesis seeks to automate your test process

This interesting testing tool was pointed out to me by Ned Batchelder when he was on The Changelog. It combines human understanding of your problem domain with machine intelligence to improve the quality of your testing process while spending less time writing tests. At its core, Hypothesis is a modern implementation of property based testing, which came out of the Haskell world 20 (!) years ago. Hypothesis runs your tests against a much wider range of scenarios than a human tester could, finding edge cases in your code that you would otherwise have missed. It then turns them into simple and easy to understand failures that save you time and money compared to fixing them if they slipped through the cracks and a user had run into them instead.

read more

Medium Icon Medium

I’ve spent 5 years writing a JavaScript framework on my own

Typescene is a robust front end library written in TypeScript: strongly typed, no dependencies, no nonsense. It’s really great for desktop-like (or mobile) applications, not so great for blogs and other content. It isn’t backed by some major corporation, not even a startup, but it’s been built by me: one developer on a mission to build a no-nonsense dependency-less framework The author’s journey is noteworthy, but if you’re mostly wanting to know if this particular framework speaks to you, jump directly to its list of goals.

read more


One program written in Python, Go, and Rust

This is a subjective, primarily developer-ergonomics-based comparison of the three languages from the perspective of a Python developer, but you can skip the prose and go to the code samples, the performance comparison if you want some hard numbers, the takeaway for the tl;dr, or the Python, Go, and Rust diffimg implementations. Not only is this a good way to compare programming languages, but it’s a good way to learn a new language if you’re already familiar with one of the others.

read more

Podcasts from Changelog

Weekly shows about developer culture, software development, open source, building startups, artificial intelligence, and the people involved.

0:00 / 0:00