On repositories of patches and tension between security professionals and in-house developers
On null encryption and automated documentation
No one expects the Spanish Acquisition.
Relevance and repeatability
Visibility leads to debuggability.
Don't irk your local sysadmin.
What do you do when your debugger fails you?
Shortchanged by open source
And the illogic of PDF
The meaning of bits and avoiding upgrade bog downs
It's not always size that matters.
Waste not memory, want not memory—unless it doesn't matter
Also, the perils of premature rebooting
Software is supposed to be a part of computer science, and science demands proof.
Whenever someone asks you to trust them, don't.
Is there a best used-by date for software?
One programmer's extension is another programmer's abuse.
The bytes you save today may bite you tomorrow
Colorful metaphors and properly reusing functions
Stopping to smell the code before wasting time reentering configuration data
Using a tool for the wrong job is OK until the day when it isn't.
A tale of hubris and zealotry
KV hates unnecessary work.
Keep your debug messages clear, useful, and not annoying.
It's more of a social than a technical problem.
It takes more than flossing once a year.
Cleaning up your storage space quickly and efficiently
Separating the good programmers from the bad
Beware keeping data in binary format
Using tools such as Automake and Autoconf with preexisting code bases can be a major hassle.
There's only so much you can do to optimize NFS over a WAN.
A good library is like a garden.
Debugging an ephemeral problem
Gathering statistics is important, but so is making them available to others.
Overspecialization can be the kiss of death for sysadmins.
Frequent broken builds could be symptomatic of deeper problems within a development project.
When is the right time to commit changes?
Easing the pain of implementing standards
Integrating changes in branched development
Software maintenance is more than just bug fixes.
A sure-fire technique for ending pointless coding debates
Kode Vicious's temper obviously suffers from having to clean up after the mistakes of his peers. What would he have them learn now so that he can look forward to a graceful and mellow old age?
What can software engineers learn from shipbuilders?
I hope you're lucky enough to have decent documentation and support from your vendor. If not, then I'll see you at the bar. I'm the guy sitting alone at the far end, crying into a chip manual with an always-full gin and tonic. My bartender knows me well.
Dear KV, I'm working on a networked system that has become very sensitive to timing issues. When the system was first developed the bandwidth requirements were well within the tolerance of off-the-shelf hardware and software, but in the past three years things have changed. The data stream has remained the same but now the system is being called on to react more quickly to events as they arrive. The system is written in C++ and runs on top of Linux. In a recent project meeting I suggested that the quickest route to decreasing latency was to move to a realtime version of Linux, since realtime operating systems are designed to provide the lowest-latency services to applications.
A koder with attitude, KV answers your questions. Miss Manners he ain't.
Dear KV, I'm working on a network server that gets into the situation you called livelock in a previous response to a letter (Queue May/June 2008). Our problem is that our system has only a fixed amount of memory to receive network data, but the system is frequently overwhelmed and can't make progress. When I ask our application engineers about how much data they expect, the only answer I get is "a lot," which isn't much help. How can I figure out how to size our systems appropriately?
Dear KV, I just joined a company that massages large amounts of data into an internal format for its own applications to work on. Although the data is backed up regularly, I have noticed that access to this data, which has accumulated to be several petabytes in size, is not particularly well secured. There is no encryption, and although the data is not easily reachable from the Internet, everyone at the company has direct access to the volumes, both physically and electronically, all the time.
"Dear KV: My company has a very large database with all of our customer information. The database is replicated to several locations around the world to improve performance locally, so that when customers in Asia want to look at their data, they don't have to wait for it to come from the United States, where my company is based..."
Dear KV, I hope you don't mind if I ask you about a non-work-related problem, though I guess if you do mind you just won't answer. I work on an open source project when I have the time, and we have some annoying nontechnical problems. The problems are really people, and I think you know the ones I mean: people who constantly fight with other members of the project over what seem to be the most trivial points, or who contribute very little to the project but seem to require a huge amount of help for their particular needs. I find myself thinking it would be nice if such people just went away, but I don't think starting a flame war on our mailing lists over these things would really help.
Have you ever worked with someone who is a complete jerk about measuring everything?
Dear KV, I know you did a previous article where you listed some books to read (Kode Vicious Bugs Out, April 2006). I would also consider adding How to Design Programs, available free on the Web (http://www.htdp.org/). This book is great for explaining the process of writing a program. It uses the Scheme language and introduces FP (functional programming). I think FP could be the future of programming. John Backus of the IBM Research Laboratory suggested this in 1977 (http://www.stanford.edu/class/cs242/readings/backus.pdf). Even Microsoft has yielded to FP by introducing FP concepts in C# with LINQ (Language Integrated Query).
Kode Vicious is hungry. He sustains himself on your questions from the software development trenches (and lots of beer). Without your monthly missives, KV is like a fish out of water, or a scientist without a problem to solve. So please, do your part to keep him sane (or at least free from psychotic episodes), occupied, and useful.
What requirement is being satisfied by having Unclear build a P2P file-sharing system? Based upon the answer, it may be more effective, and perhaps even more secure, to use an existing open source project or purchase commercial software to address the business need.
Dear KV, I am new to programming and just started reading some books about programming, particularly C++ and Visual Basic. I truly enjoy programming a lot, to the extent that for the past couple of months I have never missed a day without writing some code. My main concern now is what the world holds for programmers. If someone is called a programmer (i.e., professionally), what will he or she really be programming? As in, will you always be inventing new software or what, really? This is mainly in the case of someone who will not be working for someone else.
Dear KV, This may sound funny to you, but one of my co-workers recently called one of my designs fat. My project is to define a set of database APIs that will be used by all kinds of different front-end Web services to store and retrieve data. The problem is that a one-size-fits-all approach can't work because each customer of the system has different needs. Some are storing images, some are storing text, sound, video, and just about anything else you can imagine. In the current design each type of data has its own specific set of APIs to store, search, retrieve, and manipulate its own type of data.
Dear KV, I'm in the QA group for a medium-size startup in Silicon Valley, and one of our VPs sits on the board of a company that makes code-scanning software--you know, the stuff that spits out warnings about all the bad things you can do in C and C++. We've definitely found our share of buffer overflows and other problems in our code, but this stuff is expensive, more than $5,000 a seat and I'm just not sure it's worth it. What do you think of these tools?
Dear KV, I've just started on a project working with P2P software, and I have a few questions. Now, I know what you're thinking, and no this isn't some copyright-violating piece of kowboy kode. It's a respectable corporate application for people to use to exchange data such as documents, presentations, and work-related information. My biggest issue with this project is security, for example, accidentally exposing our users' data or leaving them open to viruses. There must be more things to worry about, but those are the top two. So, I want to ask "What would KV do?"
Is there any data showing that Java projects are any more or less successful than those using older languages?
Dear KV, I am an IT consultant/contractor. I work mainly on networks (I'm a Cisco Certified Network Associate) and Microsoft operating systems (Microsoft Certified Systems Engineer). I have been doing this work for more than eight years. Unfortunately, it is starting to bore me. My question is: How would I go about getting back into programming? I say getting back into because I have some experience. In high school I took two classes of programming in Applesoft BASIC (archaic, I know). I loved it, aced everything, and was the best programming student the teacher ever saw. This boosted my interest in computer science, which I pursued in college.
Dear KV, I've been working on a software team that produces an end-user application on several different operating system platforms. I started out as the build engineer, setting up the build system, then the nightly test scripts, and now I work on several of the components themselves, as well as maintaining the build system. The biggest problem I've seen in building software is the lack of API stability. It's OK when new APIs are added--you can ignore those if you like--and when APIs are removed I know, because the build breaks. The biggest problem is when someone changes an API, as this isn't discovered until some test script--or worse, a user--executes the code and it blows up.
We've had problems in the past with internal compromises, and management has decided that the only way to protect the information is to encrypt it during transmission.
Dear KV, I've been stuck with writing the logging system for a new payment processing system at work. As you might imagine, this requires logging a lot of data because we have to be able to reconcile the data in our logs with our customers and other users, such as credit card companies, at the end of each billing cycle, and we have to be prepared if there is any argument over the bill itself. I've been given the job for two reasons: because I'm the newest person in the group and because no one thinks writing yet another logging system is very interesting.
Re: phishing, doesn't the URL already give away enough information?
Dear KV, I'm on a small team that is building a custom, embedded, consumer device that is due out by Christmas. Of course the schedule is tight and there are make-or-break dates that if we miss basically mean the product will never make it to market. Not the most fun environment in which to have problems. The software was carefully specified and laid out and then simulated while the hardware was being manufactured. Now we have real hardware, and real problems as well. Aside from the timing issues we found when we were no longer running the software in a simulator, several bugs remain that show up only under very special circumstances and that disappear when I use the debugger or turn on the logging code built into the system.
Dear KV, I've been reading your column occasionally and haven't seen you address anything related to user interface design and how it can completely torque a piece of software. I happen to work as a programmer on a project for a company that sells point-of-sale software, which is a nice way of saying cash registers. The goals of the marketing people and user interface designers (we have several for our different product lines) always seem to twist the software into directions that only make it more fragile. These people ask for features that, while to a naive user might make the user interface easier to customize or use, to any of the programmers on the project it's obvious that the feature in question will have a negative impact on code size, clarity, or some other nasty side effect.
Dear KV, Simple question: When is the right time to call the c_str() method on a string to get the actual pointer?
Dear KV, I know you usually spend all your time deep in the bowels of systems with C and C++ (at least that's what I gather from reading your columns), but I was wondering if you could help me with a problem in a language a little further removed from low-level bits and bytes, PHP. Most of the systems where I work are written in PHP, and, as I bet you've already worked out, those systems are Web sites. My most recent project is a merchant site that will also support user comments. Users will be able to submit reviews of products and merchants to the site.
Dear Kode Vicious, I've been reading your rants for a few months now and was hoping you could read one of mine. It's a pretty simple rant, actually: it's just that I'm tired of hearing about buffer overflows and don't understand why anyone in his or her right mind still uses strcpy(). Why does such an unsafe routine continue to exist at all? Why not just remove the thing from the library and force people to migrate their code? Another thing I wonder is, how did such an API come to exist in the first place?
The problem? Computers make it too easy to copy data.
Dear KV, Suppose I'm a customer of Sincere-and-Authentic's (Kode Vicious Battles On, April 2005:15-17), and suppose the sysadmin at my ISP is an unscrupulous, albeit music-loving, geek. He figured out that I have an account with Sincere-and-Authentic. He put in a filter in the access router to log all packets belonging to a session between me and S&A. He would later mine the logs and retrieve the music--without paying for it. I know this is a far-fetched scenario, but if S&A wants his business secured as watertight as possible, shouldn't he be contemplating addressing it, too? Yes, of course, S&A will have to weigh the risk against the cost of mitigating it, and he may well decide to live with the risk.
Not only does California give you plenty of sun, it also apparently has employers that give you plenty of time to play around with the smaller problems that you like, in a programming language that's irrelevant to the later implementation.
Dear Kode Vicious, I am a new Webmaster of a (rather new) Web site in my company's intranet. Recently I noticed that although I have implemented some user authentication (a start *.asp page linked to an SQL server, having usernames and passwords), some of the users found out that it is also possible to enter a rather longer URL to a specific page within that Web site (instead of entering the homepage), and they go directly to that page without being authenticated (and without their login being recorded in the SQL database).
Dear KV, My co-workers keep doing really bad things in the code, such as writing C++ code with macros that have gotos that jump out of them, and using assert in lower-level functions as an error-handling facility. I keep trying to get them to stop doing these things, but the standard response I get is, "Yeah, it's not pretty, but it works." How can I get them to start asking, "Is there a better way to do this?" They listen to my arguments but don't seem convinced. In some cases they even insist they are following good practices.
Dear KV, I'm maintaining some C code at work that is driving me right out of my mind. It seems I cannot go more than three lines in any file without coming across a chunk of code that is conditionally compiled.
The program should be a small project, but every time I start specifying the objects and methods it seems to grow to a huge size, both in the number of lines and the size of the final program.
Dear KV, My officemate writes methods that are 1,000 lines long and claims they are easier to understand than if they were broken down into a smaller set of methods. How can we convince him his code is a maintenance nightmare?
Dear KV, Whenever my team reviews my code, they always complain that I don't check for return values from system calls. I can see having to check a regular function call, because I don't trust my co-workers, but system calls are written by people who know what they're doing--and, besides, if a system call fails, there isn't much I can do to recover. Why bother?
Dear Kode Vicious, I have this problem. I can never seem to find bits of code I know I wrote. This isn't so much work code--that's on our source server--but you know, those bits of test code I wrote last month, I can never find them. How do you deal with this?
Dear Kode Vicious, Where I work we use a mixture of C++ code, Python, and shell scripts in our product. I always have a hard time trying to figure out when it's appropriate to use which for a certain job. Do you code in only assembler and C, or is this a problem for you as well?