On Meltdown, Spectre and sandbox isolation

Our worst fears have been proven true. Sandboxed code execution on most Intel chips in the past 20 years has been unsafe. And it’s even worse than that: there is no fix, as Intel has been trading security for performance with a technology called “speculative execution”. For more information read about the Meltdown and Spectre CPU flaws. This post will explain the impact and what we can do about it. Tin foil hat People laugh at me when I tell them running untrusted code in a sandbox is doomed to fail. ...

January 6, 2018 · Maurits van der Schee

Choosing a high performance web stack

In a previous post I told you that there is no such thing as the “right tool for the job”. And this is true for most businesses. Nevertheless there are companies that want to prepare for scaling up operations to “world domination” level. In that case there is one more factor to take into consideration when choosing a web development stack: performance. Why performance matters To understand why performance matters you first need to know that we are not talking about a few or even tens of percent of better performance. We are talking about factors and even orders of magnitude of better performance. Also we should consider the costs of rewrites and the costs of switching stacks. ...

November 17, 2017 · Maurits van der Schee

Porting PHP-CRUD-API to Python

I have ported the core of PHP-CRUD-API to Python and the results are encouraging. In PHP 7 the core executes at 6500 requests per second, while in Python I can get it to do about 9000 requests per second. It must be noted that I’m not using connection pooling, but just reusing the same single connection per thread. With connection pooling (as PHP and other implementations do) I can’t get it above 2600 requests per second. ...

November 12, 2017 · Maurits van der Schee

10 reasons async programming is a bad idea

Async (asynchronous) programming is very popular. It is advocated in JavaScript (NodeJS) and in the JVM (Akka). In this post you will find 10 reasons why it may not be such a good idea. 1. Async makes your code hard to read IMHO the most important reason to not do async is that synchronous code gets executed more linearly and is thus easier to reason about. The number of possible states in an async programming model easily explodes, which makes the code hard to read and understand. Of course there are people with strategies (like Flux) to keep your code from turning into a big ball of mud (also known as spaghetti code), but why would you when you can better say “no” to async programming anyway? ...

November 9, 2017 · Maurits van der Schee

The myth of the "right tool for the job"

Discussions about “the best programming language or technology” are common in software development, but also arguably pointless. Choosing a programming language is very unlike construction work: you don’t need the “right tool for the job”. It is more like choosing clothes to wear: you shouldn’t pick shorts when it’s freezing, but all sensible choices are a matter of taste and maybe even a way of expressing your identity as a developer. ...

October 24, 2017 · Maurits van der Schee

Helping friends on the Linux command-line

I noticed that when I was helping a friend on the Linux command-line I was struggling. Spelling the commands over the phone or trying to read their screen over a bad Skype or Hangout screen sharing connection is not really fun. That’s why I spent the time to create something that works (for me at least). It allows your friend to connect to your Linux server on which you can open a shell on your friend’s computer. ...

August 15, 2017 · Maurits van der Schee

How to get an A+ rating from SSL Labs

After postponing setting up SSL for this site for about one and a half years I finally did it. Like anything I do with this blog I wanted to make it fast and secure. In order to find out whether or not I configured SSL correctly I used SSL Labs. They have a form where you can enter your domain. After a minute or two you will receive an extensive report on your SSL setup (for free). The report is also summarized in a rating and the highest rating is an “A+”. I configured this site to receive such an A+ rating and in this post I will explain how you can do the same. ...

July 29, 2017 · Maurits van der Schee

GopherCon 2017: videos online

15th of July was the last day of GopherCon 2017, the “Largest event in the world dedicated to the Go programming language.” It was held in the Colorado Convention Center in Denver. Today (only 9 days later) the videos from the conference are online! There are 26 videos online now and 32 lightning talks, so most of the conference is available here (also from last year).

GopherCon 2017
Peter Bourgon - Evolutionary Optimization with Go [39:18]
Tammy Butow - Go Reliability and Durability at Dropbox [27:21]
Joe Tsai - Forward Compatible Go Code [26:29]
Russ Cox - The Future of Go [24:37]
Fatih Arslan - Writing a Go Tool to Parse and Modify Struct Tags [35:36]
Kavya Joshi - Understanding Channels [21:45]
Filippo Valsorda - Encrypting the Internet with Go [41:43]
David Crawshaw - Go Build Modes [44:19]
Keith Randall - Generating Better Machine Code with SSA [34:44]
Kris Nova - Valuable Lessons in Over-Engineering the Core of Kubernetes kops [25:02]
Aaron Schlesinger - Functional Programming in Go [35:28]
Scott Mansfield - Creating a Custom Serialization Format [37:32]
Mitchell Hashimoto - Advanced Testing with Go [44:59]
Ashley McNamara - My Journey to Go [12:25]
Michael Hausenblas - The Fallacies Of Distributed Gomputing [34:15]
Edward Muller - Go Anti-Patterns [38:14]
Jon Bodner - Runtime Generated, Typesafe, and Declarative: Pick Any Three [39:55]
Sam Boyer - The New Era of Go Package Management [32:00]
Marty Schoch - Building a High-Performance Key/Value Store in Go [34:00]
Liz Rice - A Go Programmer's Guide to Syscalls [34:45]
Alan Shreve - grpc: From Tutorial to Production [43:51]
Rhys Hiltner - An Introduction to “go tool trace” [37:21]
Ian Schenck - Operability in Go [19:56]
Kelsey Hightower - Self Deploying Kubernetes Applications [22:03]
Waldemar Quevedo - Writing Networking Clients in Go [40:33]
Will Hawkins - Go at the DARPA Cyber Grand Challenge [35:42]

GopherCon 2017 - Lightning talks
Areg Melik Adamyan - Let NFV Go: Experimental Framework for Network Functions [9:37]
Harvey Laue - Interface Driven HTTP Response Writers [8:12]
Joey Geiger - Regular expressions, do you need them? [3:12]
Landon Jones - AI and Go II: Time For Action [9:54]
Michael Stapelberg - RobustIRC [9:46]
Aarti Parikh - A tale of two chat servers [7:23]
Nyah Check - Becoming a better hacker, lessons learned from Poetry [7:02]
Sukrit Handa - Introduction to Hyperledger Fabric [7:35]
Daniel Selans - Distributed Remote Monitoring in Go [8:51]
Pete Garcin - Building an ML-Powered Game AI Using TensorFlow in Go [7:45]
George Tankersley - I wanna Go fast [8:22]
Darren McCleary - Beating GCP's MapReduce with Go at The New York Times [9:45]
Matt Layher - Ethernet and Go [5:34]
Aditya Mukerjee - Translating Go to Other (Human) Languages, and Back Again [9:42]
Chris Short - Golang to the rescue: Saving DevOps from TLS turmoil [5:55]
Carolyn VanSlyck - go dep in 10 minutes [9:30]
Emile Vauge - Effective ingress traffic management with Traefik [6:45]
Tim Burks - A Go Platform for Polyglot REST API Code Generation [9:03]
Owen Ou - Godzilla: a ES2015 to Go source code transpiler [6:04]
Sergey Ignatov - Gogland Tips and Tricks [9:28]
Bryan C Mills - An overview of sync.Map [8:10]
Vladimir Vivien - Calling Go Functions from Other Languages [9:11]
Vitor De Mario - Abracadabra - Finding genetic mutations in Go [8:22]
Ramya Rao - Go with Visual Studio Code [10:07]
Brian Scott - Go at Disney [8:04]
Tom Elliott - Introducing Edward for Simplified Microservices [9:23]
Marc Antoine Ruel - periph.io: a lean performant hardware library [9:43]
Marcin Spoczyski - Anomaly Detection in Go [7:03]
Blain Smith - Generating Hundreds of Video Catalog Feeds in Seconds [8:51]
Bob Argenbright - Simple Plugin Architectures in Go [9:53]
Sharon Allsup - Ultimate Coffee: It tastes as good as it smells [9:09]
Jonathan Amsterdam - Errors as Side Notes [4:55]

That should keep you busy for a while. Enjoy! ...

July 24, 2017 · Maurits van der Schee

Ubuntu ttf-mscorefonts-installer fails

You may download Microsoft’s TrueType core fonts for free, even on Ubuntu. They are available in a package named ttf-mscorefonts-installer. But it is really annoying that when you try to install ttf-mscorefonts-installer it keeps failing with strange error messages like: W: Can't drop privileges for downloading as file '/var/lib/update-notifier/package-data-downloads/partial/andale32.exe' couldn't be accessed by user '_apt'. or: E: Failed to fetch https ://heanet.dl.sourceforge.net/project/corefonts/the fonts/final/andale32.exe Protocol "http" not supported or disabled in libcurl ...

July 10, 2017 · Maurits van der Schee

Client side rendering is a lie

We currently see that MVVM frameworks like Angular and React are booming in popularity. Not taking anything for granted, I was wondering last week: does “Client side rendering for scalability” even make sense? Is it beneficial to send JSON over the wire and render it on the client? Does that lower the load on the server, compared to rendering the HTML? How expensive is the HTML templating? Is it more expensive to generate HTML than to generate the JSON it is based on? My feeling says it does, but is it true and how much does it matter? ...

June 27, 2017 · Maurits van der Schee