CoffeeOnWrite's comments

Allegations of security theater should start with discussing the threat model. This is just somebody complaining about a crappy key card system.

To be fair, he was pointing out that the invisible "credentials in cookies" issue was much harder to get fixed:

The turnstiles were visible. They were expensive. They disrupted everyone's day and made headlines in company-wide emails. Management could point to them and say that we're taking security seriously. Meanwhile, thousands of employees had their Jira credentials stored in cookies. A vulnerability that could expose our entire project management system. But that fix required documentation, vendor approval, a month of convincing people it mattered. A whole lot of begging.


Again, not security theater. Signs of general dysfunction yes. Embarrassing. Fun to tease about for sure.

Aside: the more times I re-read the article the more annoyed I am with the self-righteous tone. It feels like the author is mimicking the style of legendary Usenet posts, but the story just isn’t that interesting and the writing not that witty; it falls flat.


If it isn't outright fake it's at least embellished. It even has the "and then everyone clapped" line!

The writing is clearly AI-generated or at least AI-assisted, so I think it's safe to assume it's also a work of fiction.

I’ll take your word for that. I don’t know how to tell. But I did notice that the writing was conspicuously terrible throughout. Entire sentences make no sense, such as “I'd slip in suspiciously while they contemplated the email that clearly said not to let anyone in with your own card.”

Turnstiles aren't theater and Redis doesn't make password storage secure so the entire thing seems a little el-el-emish..

But what about that sentence does not make sense? They are describing tailgating.


It doesn’t make sense as a whole. But, for example, what was he suspicious of?

"I'd slip in suspiciously" means the "slipping in" was suspicious.

You sure? I wasn’t.

“John regarded Mary suspiciously”

“Sharon suspected her husband of cheating. She looked through his emails suspiciously.”


It can mean either. "Suspicious behavior" doesn't mean that the behavior thinks that you've done something wrong.

"She's suspicious" can mean either that I suspect her intentions or that she suspects someone else's intentions.


The last two paragraphs are mainly what stood out. I've spent hours trying to get LLMs to stop writing like that. It's hard because you can't just say things like "don't write lists of three items" because sometimes you want a list of three items. The rest of the text could be written by a person as it's kind of disjointed, but that could also be the result of trying to prompt out the AI-isms.

Just wanted to point out that you may be arguing for the article, i.e. US-style management is heavily inspired by Drucker and resistant to Deming.

Tests are not free; over-proliferation of AI-touched tests is itself a problem, similar to the problem of duplicative and verbose AI-generated code.

And tests are inherently imperfect, they may not test the perfect layer, so they break when they shouldn't, and they certainly don't capture every premise.

I'm on board with the tactics you suggest, but they are only incrementally helpful. What we really need is AI that removes duplicative code and unnecessary tests.


Destroying the inventory has a cost though.

Setting up the production line is the expensive part, firing things off it once it’s running is what’s cheap.

Storing stock is very expensive too.

This incentivizes what’s happening if you’re making cheap clothes.


I love this article but don't understand the conclusion. Heroku is dead as a doornail, of course.

Salesforce's core product was on bare metal up to a couple years ago. What they should have done is adopt Heroku as their internal Platform-as-a-Service. That would have solved three problems: 1) provided a ready and proven foundation for cloud adoption by Salesforce business units, 2) stimulated Heroku's product roadmap by giving it a very large and loyal design partner, and 3) eliminated the opportunity cost in terms of headcount, developer productivity, and poor imitation that came with the alternative "Falcon" aka "Hyperforce" project that became Salesforce's albatross and black hole for developer energy and goodwill going on 7+ years now.


> 2) stimulated Heroku's product roadmap by giving it a very large and loyal design partner

This is very much a double-edged sword. I've seen products get killed because they had one outsized customer with outsized influence over the product design and made it too specific to that customer rather than building something for everyone the customer would have to adapt to.

If they had, heroku would be very different today, since they aren't even doing enterprise contracts anymore (from what I saw of some other comments here). Maybe that would have been a good thing, maybe not.


> What they should have done is adopt Heroku as their internal Platform-as-a-Service

From what I saw, Heroku was unsuitable for a serious large company. Deploy-on-push is a nice UX for a small company, but once you need something more structured, it wasn't enough.


Can you elaborate on your claim it’s not enough? PaaS (platform as a service) has been transformative for modern infrastructure. Containers, for better or worse, have made deployments substantially “easier,” giving every org the ability to provide Heroku-like services. But Heroku provided this sort of ease, and more, long before containers ate the world. And regardless of containers themselves, I fail to see how something “more structured” would even exist. Deploy on push is still subject to being merged, and everywhere I’ve worked has had no shortage of checks and approvals to merge.

That lacks imagination. There's no corporate workflow that can't ultimately translate to moving git tags.

Perhaps, but why should one do it when it's a bad model? Just because it's possible?

How did you objectively decide it's a bad model?

Because it's more enterprise to open a Service Now ticket and have Joe from IT upload the new content using FTP.

I subjectively did based on my experience.

Except you want to track what went to production and what didn't and for how long

Releases of a Heroku app are tracked by the platform, shown in both the UI and the CLI, and available in the API.

Git is remarkably good at tracking history. CI systems are also great at showing history.

I previously deployed stuff to Salesforce when I ran a very large Asia-Pacific Salesforce org.

The previous way (prior to SFDX, which was clearly influenced by Heroku) was terrible. 12-hour-long deploys that end when one unit test times out-style terrible. No code history terrible. There is no way that Heroku was worse for integration.

Whether they could have replaced APEX with Heroku is a different issue.



Thank you! That's a fascinating paper.

It’s more than just money, it’s how you set up your life to be resilient to contingencies. For example finding a compatible life partner. For example finding happiness without lifestyle inflation and breaking free from the hedonic treadmill. Or perhaps having a good lifestyle business for some people. Or having extended family support nearby. I call these things unfuckwithability. Money is a big part of it, but may not be the biggest missing piece for many people.


My PS4 Slim was not capable of this at the device level. An individual app could choose to expose the choice of audio format, but many do not :(


> My meeting notes usually get shared or used as references by other participants.

How are you transcribing, or are you sharing photos?


Hmmm! How many meetings do you do in a week? Unless, you are building a Meetings App or your company is about Meetings, I'd suggest reducing the Meetings enough that you don't have to Transcribe everything.

My meeting notes are, well, like comic books; quite a lot more drawings. So, people usually take pictures or I just take pictures and email them.

For instance, I was once in a meeting at a company planning the product roadmap for the next 3-5 years. I did a timeline-of-sort note with circles (inspired by DaisyDisk), complete with a few different colors. That note became the "official" starting base for the plan, shared across the company and referenced by the team.


If you are a manager and having 1-1s, the very use case he called out, you may have 1-1s with 15+ people every two weeks.

I am a staff consultant. I am constantly in meetings with customers, sales, my management for high-profile clients, people working on projects I’m leading, internal strategy go-to-market meetings.


Maybe a photocopier?


What? The scout doesn’t risk capital, of course they get only limited return.


Yeah as mvkel said it’s just being a VC with shittier terms.

Why not just be an actual angel? Presumably the author has the capital for it now. And if they’re confident enough to risk someone else’s capital why not risk their own?

