Oh, man, I just realized I haven't ranted one of my best stories on here!

So, here goes!

A few years back the company I work for was contacted by an older client regarding a new project.

The guy was now pitching to build the website for the Parliament of another country (not gonna name it, NDAs and stuff), and was planning on outsourcing the development, as he had no team and he was only aiming on taking care of the client service/project management side of the project.

Out of principle (and also to preserve our mental integrity), we have purposely avoided working with government bodies of any kind, in any country, but he was a friend of our CEO and pleaded until we singed on board.

Now, the project itself was way bigger than we expected, as the wanted more of an internal CRM, centralized document archive, event management, internal planning, multiple interfaced, role based access restricted monster of an administration interface, complete with regular user website, also packed with all kind of features, dashboards and so on.

Long story short, a lot bigger than what we were expecting based on the initial brief.

The development period was hell. New features were coming in on a weekly basis. Already implemented functionality was constantly being changed or redefined. No requests we ever made about clarifications and/or materials or information were ever answered on time.

They also somehow bullied the guy that brought us the project into also including the data migration from the old website into the new one we were building and we somehow ended up having to extract meaningful, formatted, sanitized content parsing static HTML files and connecting them to download-able files (almost every page in the old website had files available to download) we needed to also include in a sane way.

Now, don't think the files were simple URL paths we can trace to a folder/file path, oh no!!! The links were some form of hash combination that had to be exploded and tested against some king of database relationship tables that only had hashed indexes relating to other tables, that also only had hashed indexes relating to some other tables that kept a database of the website pages HTML file naming. So what we had to do is identify the files based on a combination of hashed indexes and re-hashed HTML file names that in the end would give us a filename for a real file that we had to then search for inside a list of over 20 folders not related to one another.

So we did this. Created a script that processed the hell out of over 10000 HTML files, database entries and files and re-indexed and re-named all this shit into a meaningful database of sane data and well organized files.

So, with this we were nearing the finish line for the project, which by now exceeded the estimated time by over to times.

We test everything, retest it all again for good measure, pack everything up for deployment, simulate on a staging environment, give the final client access to the staging version, get them to accept that all requirements are met, finish writing the documentation for the codebase, write detailed deployment procedure, include some automation and testing tools also for good measure, recommend production setup, hardware specs, software versions, server side optimization like caching, load balancing and all that we could think would ever be useful, all with more documentation and instructions.

As the project was built on PHP/MySQL (as requested), we recommended a Linux environment for production. Oh, I forgot to tell you that over the development period they kept asking us to also include steps for Windows procedures along with our regular documentation. Was a bit strange, but we added it in there just so we can finish and close the damn project.

So, we send them all the above and go get drunk as fuck in celebration of getting rid of them once and for all...

Next day: hung over, I get to the office, open my laptop and see on new email. I only had the one new mail, so I open it to see what it's about.

Lo and behold! The fuckers over in the other country that called themselves "IT guys", and were the ones making all the changes and additions to our requirements, were not capable enough to follow step by step instructions in order to deploy the project on their servers!!!

[Continues in the comments]

So, some time ago, I was working for a complete puckered anus of a cosmetics company on their ecommerce product. Won't name names, but they're shitty and known for MLM. If you're clever, go you ;)

Anyways, over the course of years they brought in a competent firm to implement their service layer. I'd even worked with them in the past and it was designed to handle a frankly ridiculous-scale load. After they got the 1.0 released, the manager was replaced with some absolutely talentless, chauvinist cuntrag from a phone company that is well known for having 99% indian devs and not being able to heard now. He of course brought in his number two, worked on making life miserable and running everyone on the team off; inside of a year the entire team was ex-said-phone-company.

Watching the decay of this product was a sheer joy. They cratered the database numerous times during peak-load periods, caused $20M in redis-cluster cost overrun, ended up submitting hundreds of erroneous and duplicate orders, and mailed almost $40K worth of product to a random guy in outer mongolia who is , we can only hope, now enjoying his new life as an instagram influencer. They even terminally broke the automatic metadata, and hired THIRTY PEOPLE to sit there and do nothing but edit swagger. And it was still both wrong and unusable.

Over the course of two years, I ended up rewriting large portions of their infra surrounding the centralized service cancer to do things like, "implement security," as well as cut memory usage and runtimes down by quite literally 100x in the worst cases.

It was during this time I discovered a rather critical flaw. This is the story of what, how and how can you fucking even be that stupid. The issue relates to users and their reports and their ability to order.

I first found this issue looking at some erroneous data for a low value order and went, "There's no fucking way, they're fucking stupid, but this is borderline criminal." It was easy to miss, but someone in a top down reporting chain had submitted an order for someone else in a different org. Shouldn't be possible, but here was that order staring me in the face.

So I set to work seeing if we'd pwned ourselves as an org. I spend a few hours poring over logs from the log service and dynatrace trying to recreate what happened. I first tested to see if I could get a user, not something that was usually done because auth identity was pervasive. I discover the users are INCREMENTAL int values they used for ids in the database when requesting from the API, so naturally I have a full list of users and their title and relative position, as well as reports and descendants in about 10 minutes.

I try the happy path of setting values for random, known payment methods and org structures similar to the impossible order, and submitting as a normal user, no dice. Several more tries and I'm confident this isn't the vector.

Exhausting that option, I look at the protocol for a type of order in the system that allowed higher level people to impersonate people below them and use their own payment info for descendant report orders. I see that all of the data for this transaction is stored in a cookie. Few tests later, I discover the UI has no forgery checks, hashing, etc, and just fucking trusts whatever is present in that cookie.

An hour of tweaking later, I'm impersonating a director as a bottom rung employee. Score. So I fill a cart with a bunch of test items and proceed to checkout. There, in all its glory are the director's payment options. I select one and am presented with:

"please reenter card number to validate."

Bupkiss. Dead end.

OR SO YOU WOULD THINK.

One unimportant detail I noticed during my log investigations that the shit slinging GUI monkeys who butchered the system didn't was, on a failed attempt to submit payment in the DB, the logs were filled with messages like:

"Failed to submit order for [userid] with credit card id [id], number [FULL CREDIT CARD NUMBER]"

One submit click later and the user's credit card number drops into lnav like a gatcha prize. I dutifully rerun the checkout and got an email send notification in the logs for successful transfer to fulfillment. Order placed. Some continued experimentation later and the truth is evident:

With an authenticated user or any privilege, you could place any order, as anyone, using anyon's payment methods and have it sent anywhere.

So naturally, I pack the crucifixion-worthy body of evidence up and walk it into the IT director's office. I show him the defect, and he turns sheet fucking white. He knows there's no recovering from it, and there's no way his shitstick service team can handle fixing it. Somewhere in his tiny little grinchly manager's heart he knew they'd caused it, and he was to blame for being a shit captain to the SS Failboat. He replies quietly, "You will never speak of this to anyone, fix this discretely." Straight up hitler's bunker meme rage.

On my former job we once bought a competing company that was failing.

Not for the code but for their customers.

But to make the transition easy we needed to understand their code and database to make a migration script.

And that was a real deep dive.

Their system was built on top of a home grown platform intended to let customers design their own business flows which meant it contained solutions for forms and workflow path design. But that never hit of so instead they used their own platform to design a new system for a more specific purpose.

This required some extra functionality and had it been for their customers to use that functionality would have been added to the platform.

But since they had given up on that they took an easy route and started adding direct references between the code and the configuration.

That is, in the configuration they added explicit class names and method names to be used as data store or for actions.

This was of cause never documented in any way.

And it also was a big contributing cause to their downfall as they hit a complexity they could not handle.

Even the slightest change required synchronizing between the config in the db and the compiled code, which meant you could not see mistakes in compilation but only by trying out every form and action that touched what you changed.

And without documentation or search tools that also meant that no one new could work the code, you had to know what used what to make any changes.

Luckily for us we mostly only needed to understand the storage in the database but even that took about a month to map out WITH the help of their developer ;)

It was not only the “inner platform” it was abusing and breaking the inner platform in more was I can count.

If you are going down the inner platform, at least make sure you go all the way and build it as if it was for the customers, then you at least keep it consistent and keep a clear border between platform and how it is used.

Today I discovered what slowed my productivity the most: variable naming.

In a project I was naming many variables 'dirname' in different parts of the my code, but it represented 3 things: only the name of the directory, relative path + directory, and absolute path + directory.

I wasted to much time just figuring out which was which everytime until I finally decided to organize variables names better and see the wonders of the world. Result:
- dirname: only the name
- reldirname: relative path + dir
- absdirname: absolute path + dir

Such simple solution, yet took me years to actually see the benefits, my god

(First devRant post btw :3)

So I'm writing some multithreaded shit in C that is supposed to work cross-platform. MingW has Posix threads for Windows, so that saved already half of the platform dependency. The other half was that these threads need to run external programs.

Well, there's system(), right? Uhm yes, but it sucks. It's incredibly slow on Windows, and it looks like you can have only one system() call ongoing at the same time. Which kinda defeats the multithreaded driver. Ok, but there's CreateProcessA(), and that doesn't suck.

Fine, now for Linux. The fork/exec hack is quite ugly, but it works and is even fast. Just never use fork() without immediate exec(). First try under Cygwin... crap I fork bombed my system! What is this shit? Ah I fucked up the path names so that the external executable couldn't be run.

Lesson learnt: put an exit() right after the exec() in the path for child process. Should never be reached, but if it goes there, the exit() at least prevents a fork bomb.

Well yeah, sort of works under Cygwin, but only with up to 3 threads. Beyond that, it seems like fork() at some point gives two processes the same PID, and then shit hangs.

Even slapping a mutex around the fork and releasing it only in the parent process didn't help. Fork in Cygwin is like a fork in the ass. posix_spawn() should work better because it can be mapped more easily to the Windows model, but still no dice.

OK, testing under real Linux. Yeah, no issues with that one! But instead, I get some obscure "free(): invalid size" abort. What the fuck would that even mean?! Checking my free() calls: all fine.

Time to fire up GDB in the terminal! Put a catch on the abort signal, mh got just hex data. Shit I forgot to compile with -O0 and -g. Next try. Backtrace shows the full call trace, back to the originating line in my program - which is fclose() on a file.

Ahhh I remember! Under Linux, fclosing a file that is already closed makes the program crash. So probably I was closing it twice. Checking back.. yeah that's where it was.

Shit runs fast on several cores now!

MTP is utter garbage and belongs to the technological hall of shame.

MTP (media transfer protocol, or, more accurately, MOST TERRIBLE PROTOCOL) sometimes spontaneously stops responding, causing Windows Explorer to show its green placebo progress bar inside the file path bar which never reaches the end, and sometimes to whiningly show "(not responding)" with that white layer of mist fading in. Sometimes lists files' dates as 1970-01-01 (which is the Unix epoch), sometimes shows former names of folders prior to being renamed, even after refreshing. I refer to them as "ghost folders". As well known, large directories load extremely slowly in MTP. A directory listing with one thousand files could take well over a minute to load. On mass storage and FTP? Three seconds at most. Sometimes, new files are not even listed until rebooting the smartphone!

Arguably, MTP "has" no bugs. It IS a bug. There is so much more wrong with it that it does not even fit into one post. Therefore it has to be expanded into the comments.

When moving files within an MTP device, MTP does not directly move the selected files, but creates a copy and then deletes the source file, causing both needless wear on the mobile device' flash memory and the loss of files' original date and time attribute. Sometimes, the simple act of renaming a file causes Windows Explorer to stop responding until unplugging the MTP device. It actually once unfreezed after more than half an hour where I did something else in the meantime, but come on, who likes to wait that long? Thankfully, this has not happened to me on Linux file managers such as Nemo yet.

When moving files out using MTP, Windows Explorer does not move and delete each selected file individually, but only deletes the whole selection after finishing the transfer. This means that if the process crashes, no space has been freed on the MTP device (usually a smartphone), and one will have to carefully sort out a mess of duplicates. Linux file managers thankfully delete the source files individually.

Also, for each file transferred from an MTP device onto a mass storage device, Windows has the strange behaviour of briefly creating a file on the target device with the size of the entire selection. It does not actually write that amount of data for each file, since it couldn't do so in this short time, but the current file is listed with that size in Windows Explorer. You can test this by refreshing the target directory shortly after starting a file transfer of multiple selected files originating from an MTP device. For example, when copying or moving out 01.MP4 to 10.MP4, while 01.MP4 is being written, it is listed with the file size of all 01.MP4 to 10.MP4 combined, on the target device, and the file actually exists with that size on the file system for a brief moment. The same happens with each file of the selection. This means that the target device needs almost twice the free space as the selection of files on the source MTP device to be able to accept the incoming files, since the last file, 10.MP4 in this example, temporarily has the total size of 01.MP4 to 10.MP4. This strange behaviour has been on Windows since at least Windows 7, presumably since Microsoft implemented MTP, and has still not been changed. Perhaps the goal is to reserve space on the target device? However, it reserves far too much space.

When transfering from MTP to a UDF file system, sometimes it fails to transfer ZIP files, and only copies the first few bytes. 208 or 74 bytes in my testing.

When transfering several thousand files, Windows Explorer also sometimes decides to quit and restart in midst of the transfer. Also, I sometimes move files out by loading a part of the directory listing in Windows Explorer and then hitting "Esc" because it would take too long to load the entire directory listing. It actually once assigned the wrong file names, which I noticed since file naming conflicts would occur where the source and target files with the same names would have different sizes and time stamps. Both files were intact, but the target file had the name of a different file. You'd think they would figure something like this out after two decades, but no. On Linux, the MTP directory listing is only shown after it is loaded in entirety. However, if the directory has too many files, it fails with an "libmtp: couldn't get object handles" error without listing anything.

Sometimes, a folder appears empty until refreshing one more time. Sometimes, copying a folder out causes a blank folder to be copied to the target. This is why on MTP, only a selection of files and never folders should be moved out, due to the risk of the folder being deleted without everything having been transferred completely.

(continued below)

Today in some onboarding meeting i was laughing my ass off.

We were setting up the development machines that we got from the client to work on via citrix.

You guys probably know, that when you put your npm projects too nested into your filesystem, that packages randomly start not behaving because of too long file names or path names and stuff like that. That seems to be a problem with all OS (to be fair i havent actively looked for a solution, but it happened to me on Windis and Linux, so i'm just assuming here)

but even more so for some packages on Windis, when the project is not running on the same fucking drive letter than where your OS is running on. Like... wtf?

Had two UI5 projects pulled, both of them on D:. The first npm install went through flawlessly, the second one has a number of random errors, me and the other dev didn't know what they were. So what i suggested is to move this project onto C: and try it again. Turns out that was exactly it. Et voila, npm install ran through without any hiccups..

Okay ... Windows, I really tried to be nice, but that's it. You get off my ssd right now ...

Just got the error: "filename is too long - unable to delete file" (full name incl. path)

Seriously, WHY?
I mean, sure ... Long file paths/names are a thing and this is why there are limitations. I am totally fine with it!
But Why the hell allows windows you to create those files if it is unable to delete these files later ...
I don't get it. Maybe I am just hit my head to hard as a child and someone may enlighten me ...

PS: windows was running in a VM to give it a real serious try after years on Linux

Mobilis in mobili.

Yesterday, I was trying to figure out how to open a folder via the linux terminal (like the `open path/to/folder` in MacOS), and I discovered that it can be done via `nemo path/to/folder`. This rang a bell on me because I know that GNOME file manager was named Nautilus.

This got my interest because both names are in Jules Verne's "Twenty Thousand Leagues Under the Sea". Nautilus is the submarine commanded by the great Capt. Nemo, a brilliant individual who plans to explore the depths of the sea with Nautilus.

I learned that the developers of Linux Mint believed the GNOME file manager Nautilus (v3.6) was a catastrophe, and thus, they forked project, giving birth to the awesome Nemo. So instead of exploring the depths of the sea, I guess we could say Nemo is now exploring the depths of our filesystem, right?

You know shit is going to hit the fan if the sentence "c++ is the same as java" is said because fuck all the underlying parts of software. It's all the fucking same. Oh and to write a newline in bash we don't use \n or so, we just put an empty echo in there. And fuck this #!/bin/bash line, I'm a teacher. I don't need to know how shit works to teach shit. Let's teach 'em you need stdio for printf even tho it compiles fine without on linux (wtf moment number one, asking em leaves you with "dunno..") and as someone who knows c you look at your terminal questioning everything you ever learned in your whole life. And then we let you look into the binaries with ldd and all the good stuff but we won't explain you why you can see a size difference in the compiled files even tho you included stdio in the second one, and all symbol tables show the exact same thing but dude chill, we don't know what's going on either.
Oh and btw don't use different directory names as we do in our examples. You won't find your own path, there is no tab key you can press to auto-fill shit.
But thats not everything. How about we fill a whole semester with "this is how to printf" but make you write a whole game with unity and c#. (not thaught even the slightest bit until then btw)
Now that you half-assed everything because we put you in a group full of fucks who don't even know what a compiler is but want to tell you you don't know shit and show you their non-working unfinished algorithms in some not-even-syntax-correct java...

...how about we finally go on with Algebra II: complex numbers, how they are going to fuck up your life, how we can do roots of negative numbers all of the sudden and let you do some probability shit no one ever fucking needs. BUT WHY DON'T YOU KNOW EVERYTHING ALREADY HMMMMM, IT'S YOUR SECOND LESSON, YOU WENT TO SCHOOL PLS BE A MATH PRO ASAP CUS YOU NEED IT SO MUCH BUT YOU DON'T NEED TO KNOW PROPER SYNTAX, HOW MEMORY MANAGEMENT WORKS, WHAT A REFERENCE IS AND PLS FINALLY FORGET THE WORD "ALLOCATION" IT DOESN'T PLAY A SINGLE ROLE YOU ARE STUDYING SOFTWARE DEVELOPMENT WHY ARE YOU SO BAD AT ECONOMICS IT MAKES NO SENSE I MEAN YOU HAD A WHOLE SEMESTER OF HOW TO GREET SOMEONE IN ENGLISH, MATHS > ECONOMICS > ENGLISH > FUCKING SHIT > CODING SKILL THATS HOW THE PRIORITIES WORK FOR US WHY DON'T YOU GET IT IT MAKES SO MUCH SENSE BRAH

so I started a side project a while ago.
the only thing it could do was to create some files with desired names and extensions. so this was basically a pretty simple editor.

I left this project with no future plans for a month or so until I started working on it again this week. I added comments to the editor, a console user interface.

the ui isn't futuristic. the program runs in the console. it just lists all the files and folders where the program is currently located in. in the beginning it could take user input and that input was the location where the files created in the editor would be saved. then I thought: it would be more interesting if I created a folder in which I saved the files from the editor. so I did this thing.

then I thought, again: hey, this console is pretty boring and stuff. why should I add some special commands? and so I did.
now you can create an empty folder, before you created a folder and saved at the same time the files created in the editor. now you can open another folder in which you can do the same stuff as before. you can get the current location of the folder you are currently in, so you don't get lost in your fancy computer. you can delete a folder completely, set color, reset color.

but one thing that I lost almost ONE FREAKING HOUR ON IT TO MAKE THE USER EXPERIENCE BETTER was the following: when creating a folder, either empty or with the files from the editor, the program automatically opens the folder, not in the console(hey, I didn't thought of that) but in the file explorer from the os. now it only works for windows and windows explorer because I used system(const char*). I know it's not portable or efficient but I just wanted things to work, I will optimise it later.

the thing that made me lose that one hour debugging was figuring out how to open that file.

ok, so I used windows api with GetCurrentDirectory, I knew how to use system, I knew how to form the path that would match up with the folder, I almost knew how to open the folder with system().

the problem was that I had the path complete, but if the folder had white spaces system() wouldn't recognise the freaking command!

so the string with the path would also contain the command used in system() and I would just .c_str() the string so it could work. as an example my wrong way to make the path was this:

"start C:\\path"

can you figure out what is the problem?
you don't?
it's just so trivial.
how cannot you figure it out?
of course you NEED to put "explorer" between the start command and the actual path!
pffft, you idiot! so easy to figure it out.

so yeah, the right way to open a folder is like this:

"start explorer C:\\path to heLL!!"

p.s.: I still don't understand why putting explorer works and without it doesn't. without explorer it just just says that path with the first word before the white space doesn't exist.

Well I just found a security issue with my company's website thats potentially been there for YEARS

You can just fucjing bypass the login screen and access any file. You do have to know the filename and path from the site root. But I doubt that matters to anyone willing to try hard enough. I'm sure there's tools to find the paths

Especially since the files names are fucking predictable 🙄 😒

Other peoples' code... (in C++)
I am finding what some people consider good code is not as described. I found a class that provides strings. Great it gives me paths and stuff. I incorporated it in a new project.

segfaults

Hmmm, it must have an init function... It does, but not in the class. It has a friended init function:
friend init_function(). If this function is not created and called external to the class then the class will segfault...

okay...

I implement this. I use code from another project that implements this correctly. The friend class allows the private constructor to be called to create the main instance of the class. So its a fucking cryptic ass singleton. I look at this class. It uses a macro to decide what to function call in the class. The class already has function names for each call it needs to make. The class is literally a string lookup table. I vow to redo this shitty code, someday...

I start to wonder what other fragile code I will find. Not long later I keep getting errors on malloc. Like any malloc that is called results in a segfault. The malloc is not at fault though. I run valgrind and find a websocket library is returning an object a different size than the header file describes.

WTF...

Somebody has left an old ass highly modified definition of the websocket header in a location in that I include headers (partly my fault). I eliminate that from my include path. All is well, everything behaves. I will be making sure this fucking header is not used and it is going to die. Wasted a bunch of time.

Lessons learned: some code is just fucked and don't leave old ass shit you tried laying around.

Colleague: I'll write a stored procedure that does fully qualified database table path names to access data from the other databases and then do business logic with all of it in the same proc.

Me: That will be 600 lashings.

So let me get this straight:

Out of the dozen odd solutions python has been through, virtualenv is now depreciated in favor of venv as of 3.5+? And venv ships standard now?

What happened to simplicity and there being "only one way" of doing things?

I hope python isn't catching a case of js-fever.

Someone was saying the problem with virtualenv was that it doesn't play well with relative path names?

so some controversial opinions

Our company is moving most of our code style to snake_case, even the JavaScript. Here's our resoning:

Take the CustomerAccountMembership model. In our Python server, we would access it as obj.customer_account_membership, in JavaScript as obj.customerAccountMembership and our API endpoint as api/path/customer-account-membership. Thus we had several String utility functions such as `camelize`, `kebabChop` (which is ironically camelCased) and `snakeify`, and we would use them in translating from URL path to JS to Python, which was troublesome.

Now HTTP allows _underscores_ unescaped and do not pose any significant meaning. JavaScript also accepts it as a valid character in variable names. On the other hand, HTTP is strictly lower-cased, and all computer languages use the -dash- to signify subtraction. Sooo the _underscore_ is the only style that is compliant everywhere.

Unless, of course, we go with customeraccountmembership, which I refuse to do.

I'm not that deep into code character rules.
Opinions?

So when installing an rpm there is a file collision check. When you add a file to an rpm package with cmake / cpack it unfortunately adds parent directories your file goes into, which will give you conflicts with other packages. But well you have that beautiful feature to exclude directories from being added:
CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION
Now somehow it failed. Turned out it would not work if my path ended with a backslash. Brush my banana! Like "/etc/sysctl.d" is a different animal than "/etc/systclt.d/". - But at least that's nothing against the strangeness of the "mv" command in those respects.

How much of a security risk is it to serve static data from a json file on flask? Values are posted from a mobile device to a server to groom objects to return. My coworker is giving me a lot of shit for it as the file is accessed through a relative path, but the file names are checked and sanitised. He says the objects should be in a database.

file names

full capitalized, spaces in between some, mix of underscores and hyphens depending

but it works when i used them raw as is to be supplied for a path to something

didnt even bother escaping anything

should be a pleasant surprise but was told (reasonably considering the situation) to correct what i received

Dumb question, but does anyone know how to make VSCode show more of the path than just the folder name on the side bar, I am working on making workspaces to avoid opening 6 file explorer windows but a lot of folders for my workflows have the same name but different locations on the network and I can't change the folder names for automation purposes.

I know it shows the path if i hover over the name, but i'd like to just show path by default on the side panel

example image below (can't show real folders due to NDA)