Architecture Weekly #139 - 7th August 2023
Welcome to the new week!
Last week Jeremy D. Miller joined the paid subscribers and me to show and discuss how we can simplify the architecture.
We discussed the assumptions behind Wolverine, learning Jeremy's way in practice and confronting it with my thoughts.
I think it's also interesting to see our kitchen. Sometimes we have different points of view, not always agreeing, but always able to come to a conclusion and keep going. We also showed that during the webinar. I think that's also the reason why we're pushing things forward.
There's no progress when we all think the same.
Watch the recording and share your thoughts!
Setting up an integration test pipeline sounds easy with Docker, GitHub Actions and other free services. Surprisingly, it's not so simple if we want to make it straightforward, reliable and fast.
I wrote today about how I'm taming that complexity with my frictionless approach, based on experience from my past commercial projects and from working in Open Source.
I also explained why I'm not (yet?) using Testcontainers for that.
The Internet Engineering Task Force has just released a new RFC on Problem Details for HTTP APIs, making the older one obsolete.
This is an important RFC, as it addresses the lessons learned and the issues found while applying JSON and XML error messages in practice.
I noticed that too many companies are still handcrafting their own ways of dealing with HTTP error responses. There's no reason to do that, especially since modern frameworks like ASP.NET or Spring Boot already provide built-in support for Problem Details.
If you don't know Problem Details and aren't using them yet, check the RFC. You may be surprised by the accessible language and the amount of knowledge that's in there.
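To make the format concrete, here is an added example (my own code, not from the RFC, the newsletter, or any framework) that builds a Problem Details response and validates one on the client side; the member names (type, title, status, detail, instance) are the RFC's, while the helper names and the sample values are assumptions:

```python
"""Added example: producing and consuming RFC 9457 Problem Details
documents ("application/problem+json"). Helper names are my own."""
import json

PROBLEM_MEDIA_TYPE = "application/problem+json"
# Members defined by the RFC; anything else is an extension member.
STANDARD_MEMBERS = {"type", "title", "status", "detail", "instance"}


def make_problem(status, title, detail=None, type_uri="about:blank",
                 instance=None, **extensions):
    """Server side: build (status, headers, body) for an error response.

    `detail` is for humans. Keep stack traces, SQL fragments and internal
    hostnames out of it; a standard envelope is not a licence to leak."""
    body = {"type": type_uri, "title": title, "status": int(status)}
    if detail is not None:
        body["detail"] = detail
    if instance is not None:
        body["instance"] = instance
    body.update(extensions)  # e.g. "errors" with per-field validation messages
    return status, {"Content-Type": PROBLEM_MEDIA_TYPE}, json.dumps(body)


def parse_problem(status, headers, raw_body):
    """Client side: return the decoded problem members, or None when the
    response is not a problem document. Raises ValueError on inconsistency."""
    media = headers.get("Content-Type", "").split(";")[0].strip()
    if media != PROBLEM_MEDIA_TYPE:
        return None
    doc = json.loads(raw_body)
    if not isinstance(doc, dict):
        raise ValueError("problem document must be a JSON object")
    # `status` is advisory and must agree with the real HTTP status; a mismatch
    # usually means something in the path rewrote the response, so flag it.
    if "status" in doc and doc["status"] != status:
        raise ValueError(f"document status {doc['status']} != HTTP {status}")
    result = {k: doc[k] for k in STANDARD_MEMBERS if k in doc}
    result.setdefault("type", "about:blank")  # RFC default when absent
    result["extensions"] = {k: v for k, v in doc.items()
                            if k not in STANDARD_MEMBERS}
    return result


if __name__ == "__main__":
    # Constructed sample: a validation failure with an "errors" extension.
    st, hdrs, body = make_problem(422, "Validation failed", detail="1 field invalid",
                                  instance="/orders/17",
                                  errors=[{"field": "qty", "message": "must be > 0"}])
    print(parse_problem(st, hdrs, body))
```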
Speaking of mature APIs, check the nicely written article on InfoQ describing how to approach that.
Darshan Shivashankar proposes the four levels of the maturity ladder:
Level 1: “The API Dark Age” - APIs as Tools for Data Acquisition
Level 2: “The API Renaissance” - APIs as Components for Process Integration
Level 3: “The Age of API Enlightenment” - APIs as Platforms for a Unified Experience
Level 4: “The Age of API Liberalization” - APIs as Ecosystems for Business Transformation
Those levels may sound a bit cheesy, but they keep a good focus on why we create the API and what we need to do. We might not need to reach the top level of enlightenment. The article also provides decent heuristics for maintaining and evolving an API.
Standardisation is not always good; it can also be used for malicious purposes.
Take, for instance, Google with their so-called Web Environment Integrity proposal. Its official goals:
Allow web servers to evaluate the authenticity of the device and honest representation of the software stack and the traffic from the device.
Offer an adversarially robust and long-term sustainable anti-abuse solution.
Don't enable new cross-site user tracking capabilities through attestation.
Continue to allow web browsers to browse the Web without attestation.
The first intriguing thing is that a specific person officially sent it, and that person is a Google employee, the same as the others who signed it.
Why is it bad, and why should you care? Over a year ago, the Austrian Data Protection Authority announced that Google Analytics went against the European Court of Justice's "Schrems II" decision. What's Schrems II? In 2020, the Court of Justice of the European Union (CJEU) decided that US providers violate the GDPR, as US surveillance laws require US providers like Google or Facebook to hand over personal data to US authorities.
Google killed 3rd-party cookies over a year ago. This effectively allowed them to continue tracking users, not via cookies but through Chrome itself. Chrome is used by most people today; you may even be reading this in it.
So now Google is trying to come with clean hands, imposing standards that can potentially increase gatekeeping and lower trust, using their monopoly.
Read more in:
Is Chrome a new Internet Explorer?
Don’t be evil, right?
Regarding security and privacy, Microsoft is also not having a great time. Or maybe MS is, but definitely not some of their clients. Ars Technica did extensive coverage of the frustrated clients' reaction:
On Wednesday, Yoran took to LinkedIn to castigate Microsoft for failing to fix what the company said on Monday was a “critical” issue that gives hackers unauthorized access to data and apps managed by Azure AD, a Microsoft cloud offering for managing user authentication inside large organizations. Monday’s disclosure said that the firm notified Microsoft of the problem in March and that Microsoft reported 16 weeks later that it had been fixed. Tenable researchers told Microsoft that the fix was incomplete. Microsoft set the date for providing a complete fix to September 28.
Reading the text, it's clearly visible that if those accusations are correct, it doesn't look great for Microsoft.
The question rings in my head: is it just a Microsoft issue, or generally too much trust in Cloud providers? I wrote about our mindset in: Form a wall! And other concerns about security.
When I look at OWASP recommendations, I always think: "Are those cases really still an issue?" It's sometimes unbelievable that we're still making such dumb mistakes. But we do. So it's nice that OWASP also made a list of the most common issues in our favourite wild west, Large Language Models:
If you’re playing with those tools, check that.
Large Language Models hit StackOverflow hard; many developers have moved to other tools like ChatGPT. StackOverflow started by building a moat and highlighting that the Generative Giants should pay for using their data. Now they're trying to regain their position by releasing their own AI.
Personally, I think this may already be too late. But those are the right moves; now the question is how fast they will iterate to make up for lost time and enhance it. They definitely still have the biggest source of answers to technical questions.
The other power, a geopolitical one, is also arming itself in this Generative AI battle. China is investing a lot in Nvidia chips.
Check also other links!
p.s. I invite you to join the paid version of Architecture Weekly. It already contains the exclusive Discord channel for subscribers (and my GitHub sponsors), monthly webinars, etc. It is a vibrant space for knowledge sharing. Don’t wait to be a part of it!
p.s.2. Ukraine is still under a brutal Russian invasion. A lot of Ukrainian people are hurt, without shelter, and need help. You can help in various ways, for instance by directly helping refugees, spreading awareness, and putting pressure on your local government or companies. You can also support Ukraine by donating, e.g. to the Ukraine humanitarian organisation, Ambulances for Ukraine or the Red Cross.