Forem: rhymes

How to combine Rails's Ajax support and Stimulus

rhymes — Fri, 27 Aug 2021 15:03:18 +0000

In this post I'm going to explain how we are exploring adding snappier SPA-like interactivity to the Admin and what we've learned so far. I am using the word "exploring" because this is ongoing work, that is not visible yet in Forems, so it many or may not reflect the final version but I think there are useful lessons to be learned nonetheless.

I'm going to assume you're familiar with Ruby on Rails, Stimulus and the concept of componentization.

What we wanted to accomplish

Let's start with a video demo:

The goal here is to give the user a perception of interactivity, and we want to do that without unleashing a full client side single page application. Forem's Admin interface is mostly server rendered and we wanted to explore a path to progressively enhance the experience, stopping short of a rewrite.

What's the status of the current Admin?

Currently the Admin, on the backend, is a custom made collection of Rails controllers, for all intents and purposes a part of the Forem core app. It's not an external web app, it's also not generated by a third party gem. We think the Forem Creator (and their merry band of collaborators) experience is paramount and it has evolved from DEV's needs to now the larger Forem ecosystem's.

Being a custom app, grown over the years, it's admittedly a mix of technologies that we're trying to streamline, hence the need for some good old exploratory software development. On the frontend it currently uses: jQuery, Bootstrap, vanilla JS, Stimulus, Preact, a few web components and our custom Crayons design language.

Why did we explore an alternative?

The end goal is to reduce that to Crayons, Stimulus and use Preact or Web Components when absolutely needed, to foster a nimbler architecture, with reuse between the "frontoffice" website and the admin, where possible.

After discussing this with the team I set out to investigate the following assumption (not a direct quote): "We want users actions to be interactive, minimizing page reloads, and because of that we're going to send blocks of server rendered HTML to them by injecting the markup into the page"..

If this sounds like a barebones version of notable frameworks like Elixir's Phoenix LiveView, Rails's StimulusReflex or Hotwire Turbo, PHP's LiveWire, Django's Reactor... well, you're right! (Bonus: my colleague @jgaskins built a LiveView clone for Crystal)

You can sense a pattern in these frameworks, and the demand they fulfill.

In our case, though, we used none of them. I wanted to explore how far we could go without adding a whole framework and by using the tools we had a bit more in depth. This to lessen the cognitive load on anyone that's going to further this exploration or adopt this pattern for the Admin as a whole.

Aside from the obvious "why should I need a framework to send basic HTML to the client", we have plenty of frameworks and libraries on the client side already and frameworks usually take quite a while to be learned. Also, we're a small team.

So this is how I implented it:

Rails and HTML on the server side with a bit of JSON when needed. I cheated a bit the constraints I set for myself using GitHub's ViewComponent but you can achieve similar results using builtin Rails partials and this post isn't going into depth about ViewComponent.
Rails's UJS (Unobtrusive JavaScript) and Stimulus on the client side. UJS is a library builtin inside Rails that powers JavaScript interactions on the DOM via Rails special helpers, like link_to or button_to.

How does it all fit together?

Let's start from the goal again: a user clicks on a link, the client side sends a request to the server, some action is performed, some HTML is sent back, this HTML is injected in the page.

This is what happens when the user clicks on one of the gray boxes for example:

Clicking on "Emails", hits the EmailsController which renders the EmailsComponent (which, again, could just be a partial), the resulting HTML is sent to Stimulus which calls a JavaScript function injecting the HTML, thus finalizing the switch of the section.

Let's look at the code, one step at a time:

Initiating the contact between client and server

This is how the gray box titled "Emails" is defined in Rails:

<%= link_to admin_user_tools_emails_path(@user), remote: true,
                                                 data: { action: "ajax:success->user#replacePartial" },
                                                 class: "crayons-card box js-action" do %>
  <h4 class="crayons-subtitle-3 mb-4">Emails</h4>

  <span class="color-base-70">
    <%= pluralize(@emails.total, "past email") %>
    <% if @emails.verified %> - Verified<% end -%>
  </span>
<% end %>

and this is an example of the resulting HTML:

<a
  class="crayons-card box js-action"
  href="/admin/users/13/tools/emails"
  data-remote="true"
  data-action="ajax:success->user#replacePartial"
>
  <h4 class="crayons-subtitle-3 mb-4">Emails</h4>

  <span class="color-base-70"> 7 past emails </span>
</a>

There's a bit going on in such a small snippet of code, let's unpack:

href="/admin/users/13/tools/emails" identifies this as a regular HTML link, if I were to visit it with my browser I would get the same response JavaScript is going to be sent when the user activates the click.
data-remote="true" (the result of remote: true in Ruby) is how Rails determines if the link should be handled by Ajax or not. Rails calles these remote elements, they can be links, forms or buttons.
data-action="ajax:success->user#replacePartial" is how we connect Rails UJS
and Stimulus together. data-action is a Stimulus action (the description of how to handle an event), ajax:success is a custom event triggered by Rails UJS.

This is what it all translates to: on initiating the click on link, let Rails UJS fetch the response via Ajax and, upon a successful response, handle the ajax:success event via the method replacePartial in the Stimulus UserController class.

This is a lot of behavior in a few lines. It reads like declarative programming with a good abstraction, working well if one wants to minimize the amount of custom JavaScript to write and thus needs to describe behavior directly in the templates :-)

The resource the link points to is a regular HTML snippet, this is what one sees if visited manually:

The great thing (in my opinion), is that the whole behavior in question still works in isolation: it's server side rendered, it redirects upon submission as it should by default, it is essentially a regular HTML form.

Being able to play with these components in isolation definitely speeds up development.

The whole section (which I called ToolsComponent on the server) works
in isolation:

What happens on the server when this request is sent?

Once again, let's start from the code:

module Admin
  module Users
    module Tools
      class EmailsController < Admin::ApplicationController
        layout false

        def show
          user = ::User.find(params[:user_id])

          render EmailsComponent.new(user: user), content_type: "text/html"
        end
      end
    end
  end
end

That's it. We tell Rails not to embed the component (or partial) in a layout, we load the user object and we tell the framework to render the HTML sending it back to the client as HTML (this last tiny detail is important, as Rails's "remote mode" defaults to text/javascript for the response, which is not very helpful to us in this case...).

What does the frontend do when it receives the HTML?

Let's look at the code once again:

<a
  class="crayons-card box js-action"
  href="/admin/users/13/tools/emails"
  data-remote="true"
  data-action="ajax:success->user#replacePartial"
>
  <h4 class="crayons-subtitle-3 mb-4">Emails</h4>

  <span class="color-base-70"> 7 past emails </span>
</a>

We've instructed the app to trigger replacePartial inside the Stimulus
UserController, this is what it does:

replacePartial(event) {
  event.preventDefault();
  event.stopPropagation();

  const [, , xhr] = event.detail;

  if (event.target.classList.contains('js-action')) {
    this.toolsComponentTarget.classList.add('hidden');
    this.replaceTarget.innerHTML = xhr.responseText;
    this.announceChangedSectionToScreenReader();
  }
}

This method:

prevents the default behavior and stops propagation
extracts the XMLHttpRequest injected by Rails
hides the section we're looking at and shows the new one
announces the change to the screen reader, as we are neither changing the URL nor doing a full page reload.

How did we make this accessible?

After discussing it with our resident accessibility guru, @suzanne, she suggested we use a "screen reader only" aria-live element:

<div
  class="screen-reader-only"
  data-user-target="activeSection"
  aria-live="polite"
></div>

This is managed by Stimulus, which at the end of the action, fetches the title of the new section, announces it to the screen reader and changes the focus so the section is ready to be used.

Recap so far

So far we've seen quite a few things:

using Rails builtin capabilities to connect client side code and the server side via Ajax but using server side HTML
using Stimulus to listen in on the action and augment behavior as we see fit, keeping the code organized
replacing a section of HTML with another, that's self contained in a component that can be at least functional without JavaScript as well

How to send an email with Rails and Stimulus

Here we're going to show how this "connection" works, using sending an email as an example.

Let's start from the perspective of the user:

What does the email form do?

Given we're in the domain of UJS and Stimulus combined, we have to look at how they are connected:

<section
  data-controller="users--tools--ajax"
  data-action="ajax:success@document->users--tools--ajax#success ajax:error@document->users--tools--ajax#error">

  <!-- ... -->

    <%= form_with url: send_email_admin_user_path(@user) do |f| %>
      <!-- ... -->
    <% end -%>
</section>

Our "Emails" section declares it needs a Stimulus controller named AjaxController and that it's going to dispatch to it the Rails UJS events ajax:success and ajax:error.

When the "Send Email" submit button is activated, Rails will send the form via Ajax to the server, which upon successful submission, will answer with data, in this case JSON.

What happens on the server?

Once again, code first:

if # email sent
  respond_to do |format|
    message = "Email sent!"

    format.html do
      flash[:success] = message
      redirect_back(fallback_location: admin_users_path)
    end

    format.js { render json: { result: message }, content_type: "application/json" }
  end
end

If the email is sent the server figures out if it was a regular form submission and thus invokes a redirect or if it was a submission via Ajax (our case), it sends back a feedback message in JSON.

I am using JSON here because it fits well with the snackbar notifications, but we could send well styled HTML to inject for a richer interaction, same we did in the first part.

Specifying the content type is important, because Rails defaults to text/javascript for Ajax interactions.

What does the client do once it receives a successful response?

export default class AjaxController extends Controller {
  success(event) {
    const [data, ,] = event.detail;
    const message = data.result;

    // close the panel and go back to the home view
    document.dispatchEvent(new CustomEvent('user:tools'));

    if (message) {
      // display success info message
      document.dispatchEvent(
        new CustomEvent('snackbar:add', { detail: { message } }),
      );
    }
  }
}

The "success" event handler extracts the feedback message sent by the server and then dispatches two custom events that asynchronously communicate with two different areas of the page:

user:tools communicates with the Stimulus UsersController telling it to initiate a navigation back to the initial screen, the "Tools" section. How? Via this line in the HTML of the container page:
```
data-action="user:tools@document->user#fetchAndOpenTools"
```
snackbar:add communicates with the Stimulus SnackbarController telling it to add a new message to the stack of messages to show the user. I wrote a post if you're interested in how this part works.

Once the first event is received, the following function is invoked, which triggers an Ajax call, fetching the server side ToolsComponent's HTML and displaying it in the UI:

fetchAndOpenTools(event) {
  event.preventDefault();
  event.stopPropagation();

  Rails.ajax({
    url: this.toolsComponentPathValue,
    type: 'get',
    success: (partial) => {
      this.replaceTarget.innerHTML =
        partial.documentElement.getElementsByClassName(
          'js-component',
        )[0].outerHTML;
      this.announceChangedSectionToScreenReader();
    },
  });
}

Rails.ajax is builtin in Rails UJS, not very different from using window.fetch.

Conclusions

There's quite a bit going on here, depending on your level of familiarity with the major parts: Rails and Stimulus.

In my opinion Stimulus is really good to keep vanilla JS organized and to attach behavior to server side rendered HTML markup, in a declarative way.

By leveraging Rails builtin Ajax support and thin layer you can add interactivity without having to rely on larger frameworks or having to switch to client side rendering.

If this is something that fits your use case, only you know, but I hope this post showed you how to combine two frameworks to improve the user experience without a steep learning curve and thus increasing the level of developer productivity.

Resources

Aside from countless DuckDuckGo searches (there's little documentation on how to fit all the pieces together) and source code reading, I mainly spent time here:

How to wrap a Preact component into a Stimulus controller

rhymes — Thu, 24 Jun 2021 13:51:54 +0000

In this post I'm going to illustrate the following:

wrapping a Preact component inside a Stimulus controller
loading Preact and the component asynchronously on demand
communicating with the wrapped component via JavaScript custom events

This is partly based on work @s_aitchison did last February on Forem. Forem's public website uses Preact and vanilla JavaScript. Some of Forem's Admin views are using Stimulus. This is an example of how to recycle frontend components from one framework to another.

I'm also assuming the reader has some familiarity with both Preact and Stimulus.

Wrapping the component

Yesterday I was working on some Admin interactions and I wanted to reuse Forem's Snackbar component:

How it is implemented inside Preact is not important for our purposes and I haven't checked either, I just know its module exports Snackbar and a function addSnackbarItem to operate it.

As the screenshot shows, it is similar to Material's Snackbar component, as it provides brief messages about app processes at the bottom of the screen.

With that in mind and with the groundwork laid by Suzanne Aitchison on a different component, I wrote the following code:

import { Controller } from 'stimulus';

// Wraps the Preact Snackbar component into a Stimulus controller
export default class SnackbarController extends Controller {
  static targets = ['snackZone'];

  async connect() {
    const [{ h, render }, { Snackbar }] = await Promise.all([
      // eslint-disable-next-line import/no-unresolved
      import('preact'),
      import('Snackbar'),
    ]);

    render(<Snackbar lifespan="3" />, this.snackZoneTarget);
  }

  async disconnect() {
    const { render } = await import('preact');
    render(null, this.snackZoneTarget);
  }

  // Any controller (or vanilla JS) can add an item to the Snackbar by dispatching a custom event.
  // Stimulus needs to listen via this HTML's attribute: data-action="snackbar:add@document->snackbar#addItem"
  async addItem(event) {
    const { message, addCloseButton = false } = event.detail;

    const { addSnackbarItem } = await import('Snackbar');
    addSnackbarItem({ message, addCloseButton });
  }
}

Let's go over it piece by piece.

Defining a container

static targets = ['snackZone'];

Most Preact components need a container to render in. In Stimulus lingo we need to define a "target", which is how the framework calls important HTML elements referenced inside its controller (the main class to organize code in).

This is defined as a regular HTML <div> in the page:

<div data-snackbar-target="snackZone"></div>

Inside the controller, this element can be accessed as this.snackZoneTarget. Stimulus documentation has more information on targets.

(snackZone is just how the Snackbar's container is called inside Forem's frontend code, I kept the name :D)

Mounting and unmounting the component

The Snackbar component, when initialized, doesn't render anything visible to the user. It waits for a message to be added to the stack of disappearing messages that are shown to the user after an action is performed. For this reason, we can use Stimulus lifecycle callbacks to mount it and unmount it.

Stimulus provides two aptly named callbacks, connect() and disconnect(), that we can use to initialize and cleanup our Preact component.

When the Stimulus controller is attached to the page, it will call the connect() method, in our case we take advantage of this by loading Preact and the Snackbar component:

async connect() {
  const [{ h, render }, { Snackbar }] = await Promise.all([
    import('preact'),
    import('Snackbar'),
  ]);

  render(<Snackbar lifespan="3" />, this.snackZoneTarget);
}

Here we accomplish the following:

asynchronously load Preact, importing its renderer function
asynchronously load Forem's Snackbar component
rendering the component inside the container

To be "good citizens" we also want to clean up when the controller is disconnected:

async disconnect() {
  const { render } = await import('preact');
  render(null, this.snackZoneTarget);
}

This destroys Preact's component whenever Stimulus unloads its controller from the page.

Communicating with the component

Now that we know how to embed Preact into Stimulus, how do we send messages? This is where the JavaScript magic lies :-)

Generally, good software design teaches us to avoid coupling components of any type, regardless if we're talking about JavaScript modules, Ruby classes, entire software subsystems and so on.

JavaScript's CustomEvent Web API comes to the rescue.

With it it's possible to lean in the standard pub/sub architecture that JavaScript developers are familiar with: an element listens to an event, handles it with a handler and an action on another element triggers an event. The first element is the subscriber, the element triggering the event is the publisher.

With this is mind: what are Stimulus controllers if not also global event subscribers, reacting to changes?

First we need to tell Stimulus to listen to a custom event:

<body
  data-controller="snackbar"
  data-action="snackbar:add@document->snackbar#addItem">

data-controller="snackbar" attaches Stimulus SnackbarController, defined in the first section of this post, to the <body> of the page.

data-action="snackbar:add@document->snackbar#addItem" instructs the framework to listen to the custom event snackbar:add on window.document and when received to send it to the SnackbarController by invoking its addItem method acting as en event handler.

addItem is defined as:

async addItem(event) {
  const { message, addCloseButton = false } = event.detail;

  const { addSnackbarItem } = await import('Snackbar');
  addSnackbarItem({ message, addCloseButton });
}

The handler extracts, from the event custom payload, the message and a boolean that, if true, will display a button to dismiss the message. It then imports the method addSnackbarItem and invokes it with the correct arguments, to display a message to the user.

The missing piece in our "pub/sub" architecture is the published, that is given us for free via the Web API EventTarget.dispatchEvent method:

document.dispatchEvent(new CustomEvent('snackbar:add', { detail: { message: 'MESSAGE' } }));
document.dispatchEvent(new CustomEvent('snackbar:add', { detail: { message: 'MESSAGE', addCloseButton: false } }));
document.dispatchEvent(new CustomEvent('snackbar:add', { detail: { message: 'MESSAGE', addCloseButton: true } }));

The great advantage is that the publisher doesn't need to inside Stimulus at all, it can be any JavaScript function reacting to an action: the network, the user or any DOM event.

The CustomEvent interface is straightforward and flexible enough that can be used to create more advanced patterns like the, now defunct, Vue Events API which provided a global event bus in the page, out of scope for this post.

Demo

Conclusion

I hope this showed you a strategy of reuse when you're presented with multiple frameworks that have to interact with each other on a page.

Changelog: API updates

rhymes — Mon, 02 Nov 2020 10:20:27 +0000

We recently shipped a series of improvements to the Forem API thanks to our open source contributors:

Fetching articles by their slugs
Fetching podcast episodes comments
Retrieving a list of followed tags
Getting the list of articles in the reading list
Finding organizations details

Read on to find more about these changes!

Thanks to Oghenebrume50 we can fetch an article by its slug:

Fetch article by slug #8929

Oghenebrume50 posted on Jun 26, 2020

What type of PR is this? (check all applicable)

[ ] Refactor
[X] Feature
[ ] Bug Fix
[ ] Optimization
[ ] Documentation Update

Description

According to this issue #8313 the user suggested that articles should be searchable by slug and not only by id. My implement included converting the param input to an integer, so if a string that is not a valid number is passed it returns 0. So if the value is not zero then I find with the id else I find by the slug, in both cases, the error is well handled by rails, this is why I used find_by! instead of find_by because the former return an ActiveRecord::ActiveRecordError when nothing is found

QA Instructions, Screenshots, Recordings

This is an example of a working slug

Example of a wrong slug that is not found

Also, the id works fine

I tested everything, all possible endpoints and they work fine.

I am opening this as a draft PR to check if this is a good approach, if this is okay I can update the documentation.

Please replace this line with instructions on how to test your changes, as well as any relevant images for UI changes.

Added tests?

[ ] yes
[x] no, because they aren't needed
[ ] no, because I need help

Added to documentation?

[ ] docs.dev.to
[ ] readme
[x] no documentation needed

View on GitHub

You can find more information in the documentation and try it here: https://dev.to/api/articles/devteam/the-7-most-popular-dev-posts-from-the-past-week-4fhi

Thanks to jkrsn98 we can retrieve a podcast episode’s comments:

API: retrieve podcast episodes comments #9677

jkrsn98 posted on Aug 07, 2020

What type of PR is this? (check all applicable)

[ ] Refactor
[x] Feature
[ ] Bug Fix
[ ] Optimization
[ ] Documentation Update

Description

Modified the index in comments controller which previously only handled look for a_id parameter, to having it look for a_id or p_id parameter which allow for accessing podcast episode comments. If a_id key has value, it looks for article with that id, if a_id has no value, then it must be that user is trying to query with p_id, so it looks for podcast episode.

Related Tickets & Documents

Fixes #6526

QA Instructions, Screenshots, Recordings

Currently you can only request comments related to articles with parameter a_id

With the line I modified it now uses parameter p_id as well, which will return all the comments related to the podcast episode with that id, same behaviour as was for articles For example, with the following podcast episode with id 1, I comment on it then try to query with that id, and it works as follows

Added tests?

[x] yes
[ ] no, because they aren't needed
[ ] no, because I need help

Added to documentation?

[x] docs.forem.com
[ ] readme
[ ] no documentation needed

View on GitHub

You can find more information in the documentation and try it here: https://dev.to/api/comments?p_id=15564

jkrsn98 also added the missing created_at field in comments that will help determine when a comment was posted on the website:

API: add created_at datetime to comments #9829

jkrsn98 posted on Aug 17, 2020

What type of PR is this? (check all applicable)

[ ] Refactor
[x] Feature
[ ] Bug Fix
[ ] Optimization
[ ] Documentation Update

Description

Added created_at field for comments in api response

Related Tickets & Documents

Fixes #6095

QA Instructions, Screenshots, Recordings

Currently when user requests api/comment they do not see when each comment was created

Now that information is included:

Added tests?

[x] yes
[ ] no, because they aren't needed
[ ] no, because I need help

Added to documentation?

[x] docs.forem.com
[ ] readme
[ ] no documentation needed

View on GitHub

Thanks to danascheider, a user can retrieve a list of the tags they follow:

API: Add route for fetching a user's followed tags #9108

danascheider posted on Jul 03, 2020

What type of PR is this? (check all applicable)

[ ] Refactor
[x] Feature
[ ] Bug Fix
[ ] Optimization
[ ] Documentation Update

Description

This PR adds the /api/tags/me route, which returns the authenticated user's followed tags as JSON.

Related Tickets & Documents

Closes #5111

QA Instructions, Screenshots, Recordings

I've added request specs for requests with and without valid authentication.

Added tests?

[x] yes
[ ] no, because they aren't needed
[ ] no, because I need help

Added to documentation?

[ ] docs.dev.to
[ ] readme
[x] no documentation needed

View on GitHub

You can find more information in the documentation

Thanks to bhacaz a user can retrieve a list of articles in their reading list.

API - New endpoint to retrieve the articles in the reading list of the authenticated user #10540

Bhacaz posted on Oct 02, 2020

What type of PR is this? (check all applicable)

[ ] Refactor
[x] Feature
[ ] Bug Fix
[ ] Optimization
[x] Documentation Update

Description

Add a new endpoint in the DEV API to retrieve the reading list articles for the authenticated user.

GET api/articles/me/readinglist

Related Tickets & Documents

This feature was requested in Issue #6755.

QA Instructions, Screenshots, Recordings

You can try the new API endpoint via a curl command with a valid api-key.

curl -H "api-key: API-KEY" http://localhost:3000/api/readinglist

Added tests?

[x] yes
[ ] no, because they aren't needed
[ ] no, because I need help

Added to documentation?

[x] docs.forem.com/api
[ ] readme
[ ] no documentation needed

What gif best describes this PR or how it makes you feel?

View on GitHub

You can find more information in the documentation.

Thanks to diogoosorio we can retrieve the profile image of a user or an organization.

Introduce /api/profile_images/:username endpoint #10547

diogoosorio posted on Oct 04, 2020

What type of PR is this? (check all applicable)

[ ] Refactor
[x] Feature
[ ] Bug Fix
[ ] Optimization
[ ] Documentation Update

Description

This PR aims to introduce the operation GET /api/profile_images/:username to the API.

I struggled a bit with what the contract for the operation should be (as this isn't a "resource" per se), I ended up keeping it simple and re-using the structure I saw throughout the rest of the API, when dealing with profile images:

{
  "type_of": "profile_image",
  "profile_image": "/uploads/organization/profile_image/be5e87e9-5b77-40ea-81e8-dd10c6d01146.png",
  "profile_image_90": "/uploads/organization/profile_image/be5e87e9-5b77-40ea-81e8-dd10c6d01146.png"
}

Having said that, I'm happy to refactor the contract to whatever the maintainers believe it to be the correct way to represent a profile image in this endpoint - I just ask for concrete example of what the response's payload should look like 😄 .

Related Tickets & Documents

https://github.com/forem/forem/issues/10132

QA Instructions, Screenshots, Recordings

curl "http://localhost:3000/api/profile_images/:username"

Added tests?

[x] yes
[ ] no, because they aren't needed
[ ] no, because I need help

Added to documentation?

[x] docs.forem.com
[ ] readme
[ ] no documentation needed

View on GitHub

You can find more information in the documentation and try it here https://dev.to/api/profile_images/devteam

Thanks to twinsfan421 we’re one step closer to having API for organizations:

API: Endpoint to get an organization's details #10931

twinsfan421 posted on Oct 19, 2020

What type of PR is this? (check all applicable)

[ ] Refactor
[x] Feature
[ ] Bug Fix
[ ] Optimization
[ ] Documentation Update

Description

This would provide an api show endpoint dev.to/api/organizations/{org_username} to search organizations by their username.
As discussed in issue 9212, This is the first of 4 related endpoints that will include:

dev.to/api/organizations/{org_username}/users
dev.to/api/organizations/{org_username}/articles
dev.to/api/organizations/{org_username}/listings

Related Tickets & Documents

https://github.com/forem/forem/issues/9212

Added tests?

[x] yes
[ ] no, because they aren't needed
[ ] no, because I need help

Added to documentation?

[x] docs.forem.com
[ ] readme
[ ] no documentation needed

View on GitHub

You can find more information in the documentation and try it here: https://dev.to/api/organizations/devteam

We hope you’ll find these updates to the Forem API useful!

Is accidental complexity inevitable?

rhymes — Mon, 17 Aug 2020 12:27:32 +0000

I'll start with two questions:

Is complexity inevitable in software development?
How much of this complexity is our failure to curb "accidental complexity" which we are the ones to introduce to begin with?

Let us use a couple of popular tools as examples: Rust and React.

For what I've gathered Rust has has been developed out of need. The need to manage systems programming, manual memory management and the development of software that sits very close to the operating system. Its complexity is intrinsic to the problems it had to solve initially.

React has been developed out of need as well. The need to manage a massive frontend code base at Facebook. Its complexity is intrinsic to the problems it had to solve initially.

As any software developer knows, tools intended for a purpose are easily going to be used for anything else but that initial purpose. It's normal, we're humans. It's not like Rust or React creators have a direct line with all the developers out there.

This goes back to the second of my initial questions: is a tool developed and managed by a company, worth several hundreds of billions of dollars, to handle a massive frontend code base going to be accidental complexity when applied to the 99.99% of projects which are infinitely smaller?

If you're not familiar with the difference between essential/intrinsic complexity and accidental complexity I suggest you this post:

Complexity

stereobooster ・ Dec 28 '18 ・ 9 min read

#programming #beginners

Is the push towards React's adoption only a positive or could it have effectively hurt some companies business over the years?

Is using Rust for your average web application a good idea? Is using Rust for anything other than systems programming a good idea? Is using React for anything other than a complex frontend a good idea?

We all know how the wrong tool chosen at the wrong time can affect a company's prospects. So, when people choose a tool before having written any lines of code, are they betting they will be able to manage the complexity it brings or are they really making an informed choice?

Evidence tells us you can build successful products with or without either Rust or React, so that's a given but the problem, as always, isn't in the tool per se.

I think Nat Allison here has a point:

Nat Alison

@tesseralis

I've talked with Dan about React's philosophy. React is built for *massive scale*. Facebook-level scale. Sure, it's perfectly fine for your blog or cute app, but it's a tool for megacorporations to influence the world at scale.

00:24 AM - 15 Aug 2020

Are we software developers simply bad at making choices for a thousand different reasons?

Happy birthday Django! 🎂

rhymes — Mon, 20 Jul 2020 07:48:57 +0000

Django is 15 years old!

Simon Willison

@simonw

15 years ago today on my blog: Introducing Django simonwillison.net/2005/Jul/17/dj…

13:57 PM - 17 Jul 2020

Do you have a Django story to share?

How we decreased our memory usage with jemalloc

rhymes — Fri, 05 Jun 2020 08:21:45 +0000

DEV is a Ruby on Rails application deployed on Heroku servers.

The other day Molly Struve, our resident SRE sorceress, noticed we were having some memory troubles. They didn't look like memory leaks, since they plateaued over time. But they were obviously worth investigating.

After investigating a bit I remembered how in the past I happened to switch a Rails app from the standard memory allocator to jemalloc.

The jemalloc library is an alternative memory allocator that can be used by apps (Redis ships with it) which works better with memory fragmentation in a multithreading environment.

We researched that, activated it and this was the result:

The slight decrease you see before the red bar is due to deployments which for obvious reasons free some occupied memory.

How do I do the same in my Rails app(s)?

The prerequisite is that you're using multiple threads with Rails, otherwise it won't help much.

If you're using Heroku you can follow these instructions.

If not, you can take inspiration from this tutorial and recompile your Ruby and activate jemalloc support.

Why does this happen?

Nate Berkopec has an extensive explanation in his post Malloc Can Double Multi-threaded Ruby Program Memory Usage but long story short: the Ruby virtual machine and the default memory allocator (malloc) aren't great at talking to each other when multithreading is involved because of the way they are both designed.

Are there any downsides?

Potentially yes, as it would make your app less portable (it doesn't work on Windows) and there are options with a smaller footprint that are being explored by Ruby core, like using malloc_trim().

My suggestion is to test it :-)

How to build unique indexes in PostgreSQL on large text

rhymes — Thu, 28 May 2020 12:15:24 +0000

As I believe a relational database schema should be as independent as possible from the apps using it, I've been trying to strengthen the DEV's database a bit lately (there are exceptions to this rule but they are not for this post).

One way to do that is to make sure that Rails model statements like this:

validates username, uniqueness: true

correspond to actual unique indexes in PostgreSQL.

Two reasons for that:

let the DBMS do its job, it was built to check constraints
data can "get in" from all sort of ways (throwaway SQL scripts for example)

Even if today your database is used only by a single app, you might have more than one in the future and adding indexes on existing tables or having to clean duplicate rows in large tables is always a bit of a pain (because of locking, I might write another article about that..).

What happened then?

It seems straigtforward, right? List the column(s) you need the index for, write a Rails migration for them, run the migration, forget about it.

That's where a random test literally saved me from an oversight.

We have a test in our codebase that imports 20+ items from a RSS feed, transforms them into articles and inserts them in the DB, then checks the count to make sure it matches.

They are all different articles, but the database is going to check they are unique anyway (for obvious reasons).

The counts weren't matching and after some very serious debugging magic (aka setting a breakpoint and printing stuff) I came across this:

[1] pry(#<RssReader>)> p e
#<ActiveRecord::StatementInvalid: PG::ProgramLimitExceeded: ERROR:  index row size 7280 exceeds btree version 4 maximum 2704 for index "index_articles_on_body_markdown_and_user_id_and_title"
DETAIL:  Index row references tuple (8,1) in relation "articles".
HINT:  Values larger than 1/3 of a buffer page cannot be indexed.
Consider a function index of an MD5 hash of the value, or use full text indexing.
: INSERT INTO "articles" ("body_markdown", "boost_states", "cached_tag_list", "cached_user", "cached_user_name", "cached_user_username", "created_at", "description", "feed_source_url", "password", "path", "processed_html", "published_from_feed", "reading_time", "slug", "title", "updated_at"

Wait, what!?

After a bit of digging I realized my oversight: if the text to be indexed is too large and doesn't fit PostgreSQL buffer page, indexing is not going to work.

PostgreSQL buffer page size can be enlarged but that's beside the point and also not a great idea.

So, what's the solution?

The solution is to create a hash of the column and index that instead of the column itself.

There are many ways to go about this but this is what I chose for our particular situation:

CREATE UNIQUE INDEX CONCURRENTLY "index_articles_on_digest_body_markdown_and_user_id_and_title"
ON "articles"
USING btree (digest("body_markdown", 'sha512'::text), "user_id", "title");

Let's break it down:

CREATE UNIQUE INDEX is self explanatory: creates an index on a column, making sure you can't insert the same value twice
CONCURRENTLY is a huge change in PostgreSQL land. In short: it adds the index asynchronously in the background. Basically it doesn't block operations on the table while the index is being built.
btree is the standard default index for PostgreSQL
digest("body_markdown", 'sha512'::text) is where the magic happens: we tell PostgreSQL to build a SHA512 hash (go away MD5 😅) and use that for comparison of the index
"user_id", "title" are there because this is not an index on a single column, but a multi column index

This is what happens when you try to add the value twice in the database:

$ pgcli PracticalDeveloper_development
PracticalDeveloper_development> insert into articles (body_markdown, user_id, title, created_at, updated_at) select body_markdown, user_id, title, now(), now() from articles order by random() limit 1;
duplicate key value violates unique constraint "index_articles_on_digest_body_markdown_and_user_id_and_title"
DETAIL:  Key (digest(body_markdown, 'sha512'::text), user_id, title)=(\x1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75, 10,  The Curious Incident of the Dog in the Night-Time Voluptas quia) already exists.

bonus tip for pgcli which I use instead of the regular psql

The result of this investigation is this commit.

A couple of thoughts from the Python survey results - 2019

rhymes — Wed, 20 May 2020 11:35:09 +0000

the screenshots and data come from Python Developers Survey 2019 Results

Python's usage in data analysis is more or less the same as last year but its usage for web development is decreasing.

Flask usage share is strong! I thought Django was much more used. Interesting how their communities have roughly the same size (though Django is much more popular for prototypes I guess). This would be unthinkable in Ruby land. I believe Rails has much higher usage share by Ruby web developers.

A special mention to that 26% (!!) of people who do web development in Python with no frameworks.

Redis 6 is out

rhymes — Fri, 01 May 2020 10:47:19 +0000

Huge fan of Redis here :-)

Its latest version adds the following:

Access control lists (ACL) so that clients/users can be barred from performing dangerous operations
Multithreaded I/O (Redis until now has been largely single threaded with async) which is bound to make Redis even faster
Client side caching: this is really cool in my opinion, reminds me of the evergreen article about how StackOverflow does layered caching
Longest common substring (LCS) command which works both on text and binary data

See Redis Labs: Diving Into Redis 6.0 and the official release notes.

My laptop is 8 years old

rhymes — Tue, 28 Apr 2020 20:00:21 +0000

I bought this laptop in Paris in 2012: it has the French keyboard layout (AZERTY instead of QWERTY) even though I use it with the Italian layout by memory (👀).

It's probably one of the last models Apple made that you could open up and upgrade yourself. I did, a long time ago, with 16 GB of RAM and a 512GB SSD.

It's starting to worry me: the fan makes weird noises sometimes.

I can say that daily programming with Rails activates the fan quite often (damn you Rails system tests 😂), it didn't when a couple of years ago I was writing a web app with Go (not a fair comparison, I know).

Having held on to a "slow" computer (well, it wasn't the first few years 😝) also had the side effect of me becoming really interested in performance optimization in programming 🔥

It's also the only computer I own.

Eight years with a portable computer is pretty amazing in my opinion. It was great hardware or I got super lucky or both!

Here's to another 8 years. Just kidding 🤣

A semi technical explainer of all known Zoom issues

rhymes — Sun, 05 Apr 2020 15:17:58 +0000

(or Zoom choices are what got them in trouble)

(opinions are mine and not DEV's)

A (mild) defense of Zoom Inc.'s troubles

Let me start by quoting Citizenlab's report:

For those using Zoom to keep in touch with friends, hold social events, or organize courses or lectures that they might otherwise hold in a public or semi-public venue, our findings should not necessarily be concerning.

For those who have no choice but to use Zoom, including in contexts where secrets may be shared, we speculate that the browser plugin may have some marginally better security properties, as data transmission occurs over TLS.

Unfortunately a few hours later, on the same day, the web client was put under maintenance and thus disabled for the time being, hopefully not for long. update: the web client has been restored, multiple sources confirmed. Please enable join from your browser as a default setting.

Zoom probably didn't anticipate going from 0 to 100 (actually + 1126% of increased usage according to some estimates) in the span of a few weeks and the fact that their network hasn't melted down and rendered all calls impossible to make is a testament to the quality of the underlying technology.

As we all can imagine there are challenges in scaling that big that fast, but most of the problems that have been identified up until now don't really have much to do with scalability or reliability per se, but with questionable software design choices and bad privacy or marketing decisions made by the company.

To be fair, sometimes shortcuts seem a great idea when you're in the heat of the moment and have a booming product, but the more people use it, the higher the likelihood that these shortcuts will come back to haunt it. Also, Zoom devs are humans and like all humans, sometimes they just make bad decisions without malice. What worries me is how the company management, also entirely human AFAIK 😃, decided to handle the response, more on that later.

Last but not least: the media piled up on them quite extensively and some security flaws (except maybe "zoombombing") aren't an inherent problem for those meetings that would otherwise be held in public if we weren't quarantined even though the extent of the problem with user generated content is that its severity differs case by case and here there would be millions of cases (each Zoom call) to analyze.

Zoom is used by everyone: individuals, institutions, therapists, teachers, doctors, religious and secular organizations, goverment officials and even heads of state.

Zoom, as of April 1st 2020, halted all feature development and vowed to fix privacy and security issues over the following 90 days.

What went wrong is also a cautionary tale about the importance of implementing secure practices and caring about users privacy from day one because at the scale they are now it's quite understandable they are trying to put out fires left and right.

What is or was wrong it with

TLDR; Zoom has numerous known security holes. Some of those have since been fixed, some haven't.

The company also made (and in some cases, still makes) questionable decisions related to privacy.

(I'm going to use the past tense where I reasonably verified the issue has been fixed)

Zoom has a security issue in its "waiting room" feature. The issue is currently unknown as the security researchers correctly disclosed it only to Zoom Inc. granting them time to get it fixed lest it gets in the hands of malicious actors. Security researchers are advising people to use passwords and not the waiting room feature.
Recordings are easily findable on the web: Zoom saves recordings with a guessable name pattern, thus it's quite trivial to find them if they are uploaded to the open web. Search engines are literally built to find public data on the web. Again, "security through obscurity" is not a good practice if the content is sensible, and it was: the Washington Post was able to watch other people's therapy sessions and elementary school online classes by scanning the web (!!!!!).
The ID of a meeting room is numeric, which means that people can guess it (manually or with scripts) and thus, being openness the default, people can hijack meetings, thus "zoombombing". The meeting ID has 9 to 11 digits, not even "obscured". Security researchers did actually find meetings and with scripts had up to 14% of a success rate guessing correct meetings URLs.
Recurring Zoom meetings links can be found: they also contain info of the meeting organizer and whatever info the organizers disclosed as topic or description. Security researchers found meetings of large banks, government contractors and other companies.
Screensharing by any participant is on by default, which means that people can stream whatever they want without oversight. Very handy for private and regulated meetings, not great if meetings rooms are open by default.
File transfer is on by default: don't think this needs explaining in an app where a meeting is public. You can literally send to dozens or hundreds of people malware hoping at least one of them will click on it.
The app has too many settings: I went through the configuration panel on both the app and the web version (before it was disabled) and I didn't understand half of the options and got bored after a few minutes (minutes!!!). As we all know as creators of sofware the default matters (most users don't even look at apps settings), and by default you should respect the user's privacy and be secure, otherwise hell can break loose when enough people come knocking with the receipts.
The company lied about being end to end encrypted, that's it. They said they use end to end encryption (e2e) but they don't. They also own decryption keys for what is encrypted on the wire, which is definitely not *end to end encryption. *FYI: true end to end encryption means that only the participants in a communication exchange can actually see the data in the clear. Not the company providing the service, not any goverment, not anyone except who's invited.
Zoom uses weakish encryption: even though the service is not e2e encrypted, calls don't travel in the clear on the transport network. They are encrypted using a central encrypting server which holds the keys. The issue is that they use a single AES 128 bit key in ECB mode which is definitely deprecated and has security holes. Security researchers were able to decrypt video and audio frames from "encrypted" calls.
Zoom encryption and security protocols are not independently audited, which means that they most certainly contain flaws. We all know how hard is to pull off encryption done correctly, I can't imagine how hard it is to do it with video, audio, text and generic media. "Roll your own encryption" is 99.99% of the time a bad idea, it's monumentally bad in this instance. As Bruce Scheiner wrote:

I'm okay with AES-128, but using ECB (electronic codebook) mode indicates that there is no one at the company who knows anything about cryptography.

Zoom encryption keys are occasionally on servers under the jurisdiction of the Chinese goverment: under Chinese law the goverment of China can require companies to disclose their encryption keys and tools for oversight. This has happened also if all participants were outside the country. Likely a data routing problem (Zoom tries to keep calls local to the participants) but not reassuring nonetheless. Also makes me thing of sci fi scenario in which governments or attackers decrypt all of these calls and use facial recognition to create mass surveillance tools. 👀
The company sent data to Facebook unbeknownst to users: this is probably quite common in apps that embed the Facebook SDK without tweaking it (and it only applied to the iOS app which might mean it was truly unintentional), but it's not great anyway. Facebook already knows a lot about users (both those using it and those who don't). It has been fixed since discovery.
Zoom's privacy policy was all encompassing. Basically it stated that all personal data (including recordings, chats and uploaded files) could be shared with third parties. It has been since amended.
Zoom allowed hosts to monitor participant's attention. This is 1984-the-book kind of stuff 😱. It was removed since discovery, on April 1st.
The app bypassed the usual installation process. This was probably done to be friendler to the user in the very common scenario in which a user gets a link, doesn't have the app on their computer and wants to be in the videocall as fast as possible. It's exactly what malware does. It has been fixed since the discovery.
Zoom shares your contact info to everyone within certain email domains. What happened was that thousands of users whose emails belonged to a Dutch email provider where pooled together and their personal info shared with each other.
The app let Windows users click on anything resembling a link. Basically you could automatically open a file on a shared drive sending your network credentials to an attacker. It has been fixed.
Zoom sent your contact data to Linkedin. In some situations, if they could match you to a Linkedin Profile somehow, they did, without telling you and sharing your Linkedin data to other people. This feature has since been removed on April 1st.
0 day vulnerabilities leading to hardware take over were discovered. The likelihood of those happening was very low (the vulnerability window span the length of the installation process and just that). Fixed as well on April 1st.
Records of private messages with the host are available in the export. This is not a huge problem in theory as the export doesn't contain private messages between other participants than those with the host.
Zoom tracks lots of data about its users and has many third party trackers on its website. This to me feels like a very intentional choice. Part of those were amended when the new privacy policy was published the other day.

What has happened in the "aftermath"

So far:

Privacy and advocacy groups started to notice
Class actions are starting to mount
The US government and the FBI have started to notice 👀
NASA, SpaceX, Disney and other companies moved away from Zoom
New York City has banned Zoom from its schools

Conclusions

I'm sure you've noticed how this article doesn't talk at all about alternatives. The question of alternatives really depends on what the users requirements are and if the entire globe is your users, then it's hard to evaluate on the spot. It also takes a lot of time to evaluate all options and I think it'll take a few days before deeply researched articles about pros and cons of the alternatives start to appear. You also need a group of people distributed all over the world for thorough testing of each app.

Let's also not forget that we mostly felt okay with Zoom until tens of millions of people started using it overnight and it got on experts's radars. Alternatives might be just as flawed, simply less popular right now.

Trust in the company is important so I do understand why regular people are rushing to find alternatives.

I'm also not a tech columnist nor a security expert, so I can't claim "X is better than Zoom for everything and for everyone".

I'll see if I can find a reasonably well done comparison of alternatives in the next few days with what I think should be generic requirements: great video and audio call performance, secure by default with indipendently reviewed encryption and protocols, and absolutely no adtech on all of this sensible data (which wouldn't be possible anyway if they had e2e, though technically you can still sell metadata about users...).

Echoing other people's sentiments I read online: Apple is sitting on a gold mine if they open Facetime, get it audited and make sure their e2e encryption has no "backdoors".

I'm leaving last a long list of links, with some excerpts, which is what I've read to write this summary.

Media (and other sources) coverage (in chronological order)

Although there are past issues (like the "open web server" debacle from 2019), I've focused only on recent media coverage from March-April 2020.

20200317 - (Techcrunch) - Beware of ‘ZoomBombing’: screensharing filth to video calls
20200326 - (Motherboard, Vice) - Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account
20200330 - (Doc Searls, digital privacy expert) - Zoom’s new privacy policy:

There will be no need for Zoom to disambiguate services and websites if neither is involved with adtech at all. And Zoom will be in a much better position to trumpet their commitment to privacy.

That said, this privacy policy rewrite is a big help. So thank you, Zoom, for listening.

20200331 - (Motherboard, Vice) - Zoom Faces Class Action Lawsuit for Sharing Data with Facebook
20200401 - (Motherboard, Vice) - Zoom is Leaking Peoples' Email Addresses and Photos to Strangers:

"I was shocked by this! I subscribed (with an alias, fortunately) and I saw 995 people unknown to me with their names, images and mail addresses."

"I just had a look at the free for private use version of Zoom and registered with my private email. I now got 1000 names, email addresses and even pictures of people in the company Directory. Is this intentional?"

20200401 - (webrtcH4cKS, WebRTC technologists) - Does your video call have End-to-End Encryption? Probably not...:

So yes, Zoom does not have end-to-end encryption. Quite often, WebRTC doesn’t either – not yet at least. If you are using a WebRTC service check their terms of service and privacy policy and make sure that you understand what they are saying about this. Hopefully we will see this change soon as WebRTC Insertable Streams matures.

20200402 - (Fight for the future, digital rights group) - New campaign calls for Zoom to (actually) implement end to end encryption to keep people safe:

Digital rights group Fight for the Future, known for organizing massive online protests for net neutrality and Internet privacy, has launched a new campaign calling for video conferencing service Zoom to implement default end-to-end encryption on all video, audio, and chat content.

20200402 - (Steven Bellovin, security researcher and professor) - Zoom Security: The Good, the Bad, and the Business Model:

There is, though, a class of problems that worries me: security shortcuts in the name of convenience or usability. Consider the first widely known flaw in Zoom: a design decision that allowed “any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission.” Why did it work that way? It was intended as a feature

I'm optimistic that things are heading in the right direction. Still, it's the shortcuts that worry me the most. Those aren't just problems that they can fix, they make me fear for the attitudes of the development team towards security. I'm not convinced that they get it—and that's bad. Fixing that is going to require a CISO office with real power, as well as enough education to make sure that the CISO doesn't have to exercise that power very often. They also need a privacy officer, again with real power; many of their older design decisions seriously impact privacy.

20200402 - (Krebs on Security, security expert) - ‘War Dialing’ Tool Exposes Zoom’s Password Problems:

according to data gathered by a new automated Zoom meeting discovery tool dubbed “zWarDial,” a crazy number of meetings at major corporations are not being protected by a password.

Lo said zWarDial evades Zoom’s attempts to block automated meeting scans by routing the searches through multiple proxies in Tor, a free and open-source software that lets users browse the Web anonymously.

“Having a password enabled on the meeting is the only thing that defeats it,” he said.

Lo shared the output of one day’s worth of zWarDial scanning, which revealed information about nearly 2,400 upcoming or recurring Zoom meetings. That information included the link needed to join each meeting; the date and time of the meeting; the name of the meeting organizer; and any information supplied by the meeting organizer about the topic of the meeting.

20200402 - (Reuters) - Elon Musk's SpaceX bans Zoom over privacy concerns -memo:

In an email dated March 28, SpaceX told employees that all access to Zoom had been disabled with immediate effect.

20200403 - (NYTimes) - ‘Zoombombing’ Becomes a Dangerous Organized Effort:

Zoom raiders often employ shocking imagery, racial epithets and profanity to derail video conferences.

Harassers have begun to leverage every feature of Zoom’s platform for abuse. They have used the app’s custom background feature to project a GIF of a person drinking to participants in an Alcoholics Anonymous meeting, and its annotation feature to write racist messages in a meeting of the American Jewish Committee in Paris.

The frequency and reach of the incidents on Zoom prompted the F.B.I. to issue a warning on Tuesday, singling out the app

20200403 - (TidBITS) - Every Zoom Security and Privacy Flaw So Far, and What You Can Do to Protect Yourself:

As detailed as this article is, I fear that this list of problems and choices will be far from the last we hear about Zoom’s security and privacy troubles. In fact, while writing and editing this article over the last 48 hours, we had to add six additional exploits, design-choice errors, and privacy concerns.

Zoom has gone into what’s known as “technical debt.” The company’s developers made a lot of poor decisions in the past, which are likely difficult and costly to fix. The longer it takes Zoom to address the core problems, the harder and more costly future fixes will be, as additional code is built upon that weak foundation.

20200403 - (Washington Post) - Thousands of Zoom video calls left exposed on open Web:

Videos viewed by The Washington Post included one-on-one therapy sessions; a training orientation for workers doing telehealth calls that included people’s names and phone numbers; small-business meetings that included private company financial statements; and elementary school classes, in which children’s faces, voices and personal details were exposed.

20200403 - (Citizenlab) - Move Fast & Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings:

Until a few weeks ago, it would have been uncommon for high stakes business negotiations, high level diplomacy, political strategy conferences, and cabinet meetings to be conducted over platforms whose security properties are unknown.

Zoom has not publicly disclosed information such as statistics of requests for data by governments, and what Zoom has done in response to these requests. Zoom’s policies concerning notifications to users over breaches or the handing-over of data to governments are also unknown

During our analysis, we also identified a security issue with Zoom’s Waiting Room feature. Assessing that the issue presented a risk to users, we have initiated a responsible vulnerability disclosure process with Zoom. We are not currently providing public information about the issue to prevent it from being abused.

As a result of these troubling security issues, we discourage the use of Zoom at this time for use cases that require strong privacy and confidentiality

For those who have no choice but to use Zoom, including in contexts where secrets may be shared, we speculate that the browser plugin may have some marginally better security properties, as data transmission occurs over TLS.

In the meantime, we advise Zoom users who desire confidentiality to not use Zoom Waiting Rooms. Instead, we encourage users to use Zoom’s password feature, which appears to offer a higher level of confidentiality than waiting rooms

20200403 - (Politico) - Multiple state AGs looking into Zoom’s privacy practices
20200403 - (Bruce Scheiner, legendary security researcher) - Security and Privacy Implications of Zoom:

Privacy first: Zoom spies on its users for personal profit. It seems to have cleaned this up somewhat since everyone started paying attention, but it still does it.

I'm sure lots more of these bad security decisions, sloppy coding mistakes, and random software vulnerabilities are coming.

But it gets worse. Zoom's encryption is awful. First, the company claims that it offers end-to-end encryption, but it doesn't. It only provides link encryption, which means everything is unencrypted on the company's servers.

20200404 - (Steven Bellovin, security researcher and professor) - Zoom Cryptography and Authentication Problems:

When companies roll their own crypto, I expect it to have flaws. I don't expect those flaws to be errors I'd find unacceptable in an introductory undergraduate class, but that's what happened here.

20200404 - (Chalkbeat, organization related to American schools) - NYC forbids schools from using Zoom for remote learning due to privacy and security concerns:

Instead, the guidance says, schools should switch to Microsoft Teams “as soon as possible,” which the education department suggests has similar functionality and is more secure.

20200404 - (Techcrunch) - Zoom admits some calls were routed through China by mistake:

Zoom said in February that “rapidly added capacity” to its Chinese regions to handle demand was also put on an international whitelist of backup data centers, which meant non-Chinese users were in some cases connected to Chinese servers when data centers in other regions were unavailable.

20200410 - (The Verge) - Google bans its employees from using Zoom over security concerns:

“Recently, our security team informed employees using Zoom Desktop Client that it will no longer run on corporate computers as it does not meet our security standards for apps used by our employees. Employees who have been using Zoom to stay in touch with family and friends can continue to do so through a web browser or via mobile.”

20200412 - (NY Times) - Bob Iger Thought He Was Leaving on Top. Now, He’s Fighting for Disney’s Life.:

After a few weeks of letting Mr. Chapek take charge, Mr. Iger smoothly reasserted control, BlueJeans video call by BlueJeans video call. (Disney does not use Zoom for its meetings for security reasons.)

Changelog: updated API docs!

rhymes — Fri, 13 Mar 2020 17:57:32 +0000

We recently updated the documentation of the DEV API (beta) to add detailed information on the following resources: comments, followers, listings, podcast episodes, tags, users and video articles.

The API documentation portal is generated from an OpenAPI 3 specification file, built with Redoc and deployed on Netlify. ❤️