If you don't setup any access rules in Firebase, by default it'll deny access.
This means someone setup these rules improperly. Even if, you're responsible for the tools you use. We're a bunch of people getting paid 150k+ to type. It's not out of the question to read documentation and at a minimum understand how things work.
That said I don't completely disagree with you, if Firebase enables reckless behavior maybe it's not a good tool for production...
And I don't necessarily disagree either; good callout that it _was_ about improperly configured ACL's, I meant more that it wasn't related to keeping test rules alive.
For 150k+ salaries, frontend dev salaries are generally a lot less than their backend counterparts. And scrappy startups might not have cash for competitive salaries or senior engineers. I think these are a few of the reasons why Firebase becomes dangerous.
I don't think it's out of the question to expect professionalism at 150k. These are VC funded companies, not a couple of college kids scraping together a prototype.
Then again, if I was a CTO seeing stories like this I'd be inclined to NOT use Firebase. I'm actually using Supabase right now since I don't like vendor lock in. Deploying Supabase manually is really difficult, but it is an option.
I imagine if I ever run a serious company, which I don't think will ever happen, I would take something like Supabase and run it on prem with some manner of enhanced security.
It's interesting though... For decades the industry has been trying to push this narrative that you don't need servers. You can handle everything using some magic platform, and throw in a couple of custom lambda functions when you need to execute logic.
Parse, Firebase, Appwrite and dozens of others emerged to fill this niche.
ToDesktop, provides even another layer of abstraction. We don't want to handle our own app updates, cool let someone else do it. That someone else doesn't want to manage their own backend, cool let someone else do it.
You end up with multiple layers of potential vulnerabilities which shouldn't exist... Cursor, Arc, etc could run their own update servers.
Maybe the solution is a Steam like distribution platform. Or just using Steam itself. That's a 30% cut to let someone else figure out your app distribution...
> I don't think it's out of the question to expect professionalism at 150k. These are VC funded companies, not a couple of college kids scraping together a prototype.
You can expect whatever you want, just prepare to be disappointed. We have absolutely learned by now that unless there very real consequences for doing or not doing something, you will regularly see the worst possible thing happen. This is why licenses exist and legal 'sign-offs' exist. There needs to be a licensing organization that can revoke people's ability to get certificates or to even be employed working on certain aspects of software if we ever want to solve this problem. I mean, you even need a license to cut hair in many states.
Asking people to be responsible for the damage they cause is called 'accountability' and not 'dystopia'.
Software is not just something someone uses for hobbies or for word processing or whatever. A bad design decision in some critical software can have just as much of an impact as a bad design decision in a bridge or an airplane. If we want to be called 'engineers' then we need to put more on the line than just a public apology when something goes wrong due to a decision someone actively made to save money or reduce the work involved. And of course it should involve the people who make those decisions and not just the grunt who implemented them.
But if the 'grunts' had the power to say 'no, I will not do this because it is insecure and my license is on the line' then that's a good thing. No?
>But if the 'grunts' had the power to say 'no, I will not do this because it is insecure and my license is on the line' then that's a good thing. No?
This will never work in a global economy. If you outsource the software you're just begging companies to find someone making 15$ the fall guy.
Sounds pretty bad. Your manager tells you to do something stupid or your fired. You do so, and when it fails they blame you and your software engineering license is revoked. You can't find a job and now get to live in a homeless shelter.
Meaningful fines for companies is the only way to fix this.
Maybe... For some sensitive things like location data an expensive permit should be required. But this needs to be a corporate responsibility, not an individual one.
In your scenario bad companies are going to ruin the lives of their employees by making them risk their licenses.
Arguably this whole thing wouldn't happen if these apps were distributed and updated via the OSX app store. If that's the future you want, it's largely already here.
You can check a setting in OSX to make it so.
Who decides what software to regulate. Do I need a permit to install Python ?
I don't want to regulate software. I want people to have something to lose if they make a decision that has a large impact.
> Arguably this whole thing wouldn't happen if these apps were distributed and updated via the OSX app store. If that's the future you want, it's largely already here.
I don't understand this point.
> Who decides what software to regulate.
Who decides any laws or regulations?
> Do I need a permit to install Python ?
Does you installing Python have potential consequences for large numbers of people or could it cause a significant amount of harm?
Why do you take the most extreme possible position and apply it to me? Is it that difficult to argue against a sensible one?
> Arguably this whole thing wouldn't happen if these apps were distributed and updated via the OSX app store. If that's the future you want, it's largely already here.
I don't understand this point.
The core of this issue is an insecure updating mechanism for desktop apps. You can argue for security sake, users may opt to only use the official Apple app store or the official Microsoft store. In this case instead of having a random startup manage the update process, you have a couple of multibillion dollar companies.
I'm trying to figure out what exactly you want to happen here. Would you essentially make it a legal to distribute software without a permit ? Would distributing certain software require a permit ?
I am expressing long held frustration that software engineering as a culture is trying to eat its cake and still have it. Wanting to be called an engineer, demanding a high salary and running the largest sections of the economy and disrupting society in highly impactful ways, yet whenever someone asks them to take responsibility for any damage caused they downplay their role and anyone else's in the industry. It is time to grow up. If you make a decision to make more money or do less work, knowing that it has a risk to cause major problems for infrastructure, economy, or other people, then there should be something more on the line for you than a 'oopsie' at the end of it if you lose that bet.
If you want to run your company using vetted software and limit your developers to only use a small list of approved software. You can do that. I've worked in such environments. You can lock down the corporate firewall. The point is choice.
It's completely different if you basically want a regulatory agency which will decide what software people are allowed to build.
Outside of work I like to use niche Linux distros. If I accidentally wipe my vacation photos during the install process, that's a risk I took. I don't have a right to complain that I destroyed my own data and blame it on software largely built by volunteers.
However I don't disagree completely. If you want to build a hardened fork of Linux with software vetted by your private certifying authority, that could be a good market. If all engineers working on your custom fork need to be "licensed" by a privately run organization, that is also fine.
What exactly is the difference between an official 'private' organization and an official 'state' organization? The only real difference I can see is that one can actually enforce the rules it makes. I think you may be using this ideological opposition to the State as a way to have something absorb blame for things you do not want to attribute to complex human mechanisms.
This means someone setup these rules improperly. Even if, you're responsible for the tools you use. We're a bunch of people getting paid 150k+ to type. It's not out of the question to read documentation and at a minimum understand how things work.
That said I don't completely disagree with you, if Firebase enables reckless behavior maybe it's not a good tool for production...