Howdy!

Welcome to my blog where I write about software development, cycling, and other random nonsense. This is not the only place I write; you can find more words I typed on the Buoyant Data blog, Scribd tech blog, and GitHub.

I hate the made up word 'performant'

The tech industry is filled with all sorts of silly jargon and acronyms. Our overuse of jargon not only makes us very easy to identify in a crowded restaurant but also helps make things confusing for newcomers and veterans alike. In my current role, I find myself spending a lot of time with vendors who also seem to delight in barraging prospects with unpleasant jargon. My least favorite word among it all is performant.


Modeling continuous delivery

I spend more time than I wish to admit thinking about how continuous delivery (CD) processes should be modeled. The problem domain is one that affects every single organization which distributes software, yet the approach each organization takes is almost as unique as the software they develop. From my perspective, Jenkins Pipeline, especially its declarative syntax, is the best available option for most organizations to model their continuous delivery processes. That does not mean, however, that I believe Jenkins Pipeline is the best possible option.


545 miles in slow motion

San Francisco, Santa Cruz, King City, Paso Robles, Santa Maria, Lompoc, Ventura, Los Angeles. For the better part of seven days, I sat on a bicycle with over 2,200 cyclists and 650 volunteers riding from one part of California to another to raise money for HIV/AIDS services as part of AIDS/LifeCycle. For perspective, 545 miles is further than the distance from Boston to Washington D.C., further than Brussels to Berlin, further than Tokyo to Hiroshima. It is countless hills, steep descents, farm fields, supportive on-lookers, packets of chamois butter, potholes, water bottles, and sliced bananas. Based on this, my first year’s experience, it is also six inner tubes, one bike tire, and an entire bike frame long.


Austria capturing the far-right zeitgeist

For a myriad of reasons the only video-news I consume tends to be German-language news out of Germany. Local or national American news is usually lower quality; setting aside the abhorrent monopolies, it always trends towards an insular world view, missing many major international events. One such event skirting under the radar of American media has been the disintegration of the Austrian parliament after the deputy chancellor, a member of a far-right party, was caught on video soliciting bribes from a woman posing as a relative to a Russian oligarch.


Marching towards JRuby/Gradle 2.0

JRuby/Gradle is one of the few open source projects which I created that actually resonates with people. One that I find myself continuing to work on, despite not using it in my day-to-day work. JRuby/Gradle is a collection of Gradle plugins which make it easy to build, test, manage and package Ruby applications. By combining the portability of JRuby with Gradle’s excellent task and dependency management, JRuby/Gradle provides high quality build tooling for Ruby and Java developers alike. With my fellow maintainer, Schalk Cronjé, I started working towards the 2.0 milestone.


How Jenkins usage statistics work

For years the Jenkins project has published anonymous usage statistics to stats.jenkins.io. Despite its warts, the system has ultimately proven useful for determining which plugins are most frequently installed, big coarse-grained changes in growth, and providing various marketing departments with the validation they so desperately crave. Like many of the tucked away corners of the Jenkins project, being an infrastructure maintainer affords me an understanding of how the system works, and sometimes doesn’t. As I promised to the CDF Technical Oversight Committee many weeks ago, in this post I will attempt to describe how this system works.


What's Uplink

Making changes safely to an application like Jenkins is incredibly tricky. Jenkins is distributed to hundreds of thousands of independently owned and operated servers and is used in a myriad of ways. Our changes, with the best intentions, can still result in confounding bugs and errors for users with different configurations, or different combinations of plugins. Over on the Jenkins project blog, Daniel wrote about the first use of “telemetry” by Jenkins core, a project on which we collaborated. I ended up building the backend service for receiving this telemetry, Uplink, and I hope it paves the way for making smarter changes across Jenkins core in the future.


Oh shit. One month until AIDS/LifeCycle 2019!

Today marks one month until the beginning of AIDS/LifeCycle 2019 (ALC)! Which means I am one month away from starting a bicycle journey with thousands of other riders from San Francisco to Los Angeles as part of our effort to raise money for AIDS/HIV-related services. As of this writing, my fundraising is at $3,377 which is still short of my fundraising goal: $5,000. If you appreciate my work in the Jenkins project, the JRuby/Gradle project, or if you have enjoyed my sass on Twitter, please convert your appreciation into a donation to AIDS/LifeCycle. :)


Thoughts about a secure enclave for Jenkins Pipeline

Continuous integration and continuous delivery (CI/CD) projects might just be one of the hardest to lock down and secure. As system designers and implementors we must enable developers to automate their builds, tests, and deployments. And yet, in doing so, we also give those same developers the ability to bypass many of the boundaries we may have set up to secure our environments. If you give me the ability to automate my deployment with a script, I can think of a number of ways in which that ability can lead to information disclosure or other types of breaches. Jenkins Pipeline is filled with any number of problematic examples where the same feature can be looked at as empowering or as compromising. I believe the immense flexibility of Jenkins Pipeline also gives us a path to provide automation which is inherently more secure than some competitors. In this post, I’ll outline one such idea: a pipeline secure enclave.


Using custom root certificates with Minikube

If you were to draw a coordinate system for software, where the x-axis was “important to use” and the y-axis was “enjoyable to use”, x509 certificates would be at the extreme edge of the bottom right of quadrant four. Much as I dislike them, they are absolutely critical to securing practically everything we do. As is the case with most companies, Scribd uses custom root certificates to establish a controlled chain of trust for internal resources. A sensible practice, but one that can be a great learning exercise, causing you to discover all the various ways in which trust is defined and managed in a modern development environment.


Wiederaufbau

The fire at Notre Dame is certainly unfortunate, but with President Macron having committed to rebuilding the famed cathedral, the destruction is in no way permanent. Restoring or building new architectural masterpieces is expensive and challenging, but it is definitely not impossible.


Jenkins should not be the only line of defense

This past week a missed security update contributed to a compromise at Matrix.org. As I have said before, for purposes of infrastructure design, it is prudent to consider CI/CD tools like Jenkins as “remote code execution as a service.” In the Continuous Delivery world, I think we have a serious problem with user education around securely running CI/CD tools; anything which can touch production represents a potential liability.


Self-sabotage with enterprise pricing

“Enterprise Software Sales” is not something I ever imagined spending as much time considering as I have over the past four years, but life is full of surprises, isn’t it? At my previous gig we had changed our pricing model at least once during my time, and I learned quite a bit from the trade-off discussions which were had. Now sitting on the other side of the table, I get to enjoy a different perspective on the same underlying problem: how should enterprise software be priced? The question is important to answer, not just from a business perspective, but from a user perspective; the pricing model determines how your software will be adopted and used.


No True Microservice

“But they weren’t doing true microservices” he droned on, while my train of thought came grinding to a halt on the assertion. In my experience, many software developers apply all sorts of purity tests to the world around them, especially when it comes to “legacy” code. In most of my experiences, it has been delivered more subtly than this textbook example of the No true Scotsman fallacy. “Microservice” is already a silly term, one which many people defend by evoking the mythic status of “the unix philosophy.” Composition of components is definitely a valuable trait in a system, especially as an organization scales with new people and projects, but the microservice purity test fails in many cases.


Building static binaries with TypeScript

The ability to shamelessly ask stupid questions has led me to numerous interesting projects and in some cases truly novel solutions. The subject of this blog post fits into the first part of that equation at least. I find the single static binaries produced by Rust and Golang to be quite compelling for system utilities; at the same time, however, I am fond of writing TypeScript. Why can’t I mix chocolate with my peanut butter?


Publishing to Azure Event Hubs from Rust

Turn back now, this blog post is so niche that it’s statistically impossible for you to find this useful. Last night I was thinking about building a little app which needed to deal with an event stream, and started poking around the Azure Event Hubs documentation. I noticed that they apparently can now speak Kafka which means I can use my existing Kafka library tooling, nice! Since I was already working with Kafka and Rust for another little project, I took a quick detour and tried to see if I could publish to an Event Hub over Kafka, from Rust. As luck would have it, I can!


Struggling to learn Rust

Building daemons and system-level utilities has always been something I have enjoyed. While I have professionally written C code, I have always found it a bit antiquated and unpleasant, like using a screwdriver while everybody around you is using power tools and machines. It certainly still has its place in the world, but there are more powerful options out there. I have experimented with Ada as a system-level toolchain; while an all-around compelling language, it suffers from a severe lack of libraries and doesn’t have a strong community of tooling. Recently I started experimenting with Rust and despite its promise, it has been one of the most challenging languages to date for me to learn.
