Architecture Weekly #174 - 8th April 2024
Welcome to the new week!
If you'd like to know how to avoid event modelling anti-patterns like Property Sourcing, CRUD Sourcing, Clickbait Event and others, check the recording of my talk at KafkaSummit; it is already available!
Watch it here:
I heard that it was both funny and educational, curious if you agree with that!
That’s not all; I gathered all my resources about event-modelling anti-patterns in one place. You'll find both articles and videos there.
Read also the next thorough article about challenges in Event-Driven Architecture from Mario Bittencourt:
Some time ago, Maciej "MJ" Jędrzejewski did a webinar for us about Evolutionary Architecture. I love his pragmatic approach based on his strong experience with real projects.
Now, he decided to spin up a few initiatives. One of them is the newsletter Fractional Architect, in which he shares his experience with software architecture.
The other is his podcast; I’m happy he invited me to talk about Event Sourcing; you can join us live tomorrow, Tuesday, at 7 PM CET:
Going to the news, last week's loudest event was the XZ breach, probably the biggest Open Source supply chain attack ever, at least among those that were found… Haven't you heard about it? No worries, I've got you covered:
Gynvael Coldwind - xz/liblzma: Bash-stage Obfuscation Explained
Andres Freund - backdoor in upstream xz/liblzma leading to ssh server compromise
Rob Mensching - A Microcosm of the interactions in Open Source projects
What’s a supply chain attack? Per Wikipedia:
A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components.
The best known so far was the SolarWinds breach. Read more here. But this one takes it to the next level. This breach spanned a few years of grooming a single person who was maintaining one of the most popular Linux compression tools, xz. It’s like in this xkcd image:
Many big tools, including Clouds, are standing on the shoulders of tiny giants. Tiny because they are regular, passionate people. Giants because they’re building extraordinary stuff. Yet they’re exploited by gigantic tinies. You can read the whole coverage; the links show it from many angles:
how technically sophisticated the breach was (the attackers used test blobs that were transformed and decompressed into an executable during the GitHub Actions build, which allowed them to inject malware into the source code),
how long a game the social and managerial part of it was,
the response by the OSS maintainer.
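The technical trick above, binary "test data" that a build step decodes and runs, is something a reviewer can look for mechanically. Below is an added example (mine, not code from the xz project or from any of the linked write-ups) of a small heuristic scanner: it flags build-script lines that reference a fixture under tests/ and push it through a decoder in command position, and raises the severity when the decoded bytes are piped into a shell. The two build-script fragments are constructed samples; the suspicious one only mimics the shape of the technique and carries no real payload.

```python
"""Heuristic scan of a build script for test fixtures that are decoded (and
possibly executed) during the build. Added example with constructed samples;
not code from the xz project or any real project."""
import re
from dataclasses import dataclass

# A path under a tests/ directory ending in a compressed or binary extension.
FIXTURE = re.compile(r"\btests?/[\w./-]+\.(?:xz|lzma|gz|bz2|bin|dat)\b")
# A decoding/transforming command in command position: line start or after a
# pipe or separator. Anchoring it there keeps ".xz" in a filename from matching.
TRANSFORM = re.compile(
    r"(?:^|\|\s*|;\s*|&&\s*)(?:/\S*/)?(xz|unxz|tr|sed|gzip|gunzip|base64|dd|head|tail)\b"
)
# A shell or eval in command position, i.e. the decoded bytes are being run.
EXECUTE = re.compile(r"(?:^|\|\s*|;\s*|&&\s*)(?:/\S*/)?(?:sh|bash|eval|source)\b")


@dataclass
class Finding:
    lineno: int
    severity: str        # "high" when the decoded fixture is executed, else "medium"
    commands: list[str]  # decoder/transform commands seen on the line
    text: str


def scan_build_script(script: str) -> list[Finding]:
    """Return one Finding per line that feeds a test fixture through a decoder."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or not FIXTURE.search(line):
            continue
        commands = TRANSFORM.findall(line)
        if not commands:
            continue  # fixture merely referenced, e.g. by a test target: fine
        severity = "high" if EXECUTE.search(line) else "medium"
        findings.append(Finding(lineno, severity, commands, line))
    return findings


# Constructed benign fragment: fixtures are only consumed by the test target.
BENIGN = r"""
# constructed sample: fixtures used by the test target only
check: xzdec
    ./xzdec tests/files/good-1.xz > /dev/null
    cmp tests/files/good-1.xz tests/files/good-1.xz
"""

# Constructed suspicious fragment, modelled on the shape of the technique
# described above (a fixture decoded during the main build and piped into a
# shell). The fixture name and commands are invented; there is no payload.
SUSPICIOUS = r"""
# constructed sample modelled on the described technique (no real payload)
all: build/stage1
    xz -d < tests/files/sample.bin > build/stage1
    tr "\t -_" " \t_-" < tests/files/sample.bin | xz -d | /bin/sh
"""

if __name__ == "__main__":
    for name, script in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(f"== {name} ==")
        for f in scan_build_script(script):
            print(f"  line {f.lineno} [{f.severity}] {f.commands}: {f.text}")
```

Run it as a pre-merge check over configure, m4 and Makefile sources; a "medium" hit is worth a question in review, a "high" hit should block until someone explains why the build needs to execute bytes from a test fixture. It is a heuristic, so expect to extend the command lists for a given project.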
For me, the saddening part was that the maintainer was clearly burning out, and the only offer of help he got was from those scammers playing good cop and bad cop…
So the answer is not to drop OSS—that’s not going to happen—but to ensure that the creators of your favourite tools are getting the support to make it sustainable.
Another interesting part is how many similar but undiscovered issues are boiling underneath…
Read also more on the human-to-human stories of skilled jerks in our industry, and jerks telling us to return to the office:
Not surprisingly, that’s not ending as they’d like to.
Let’s move on to something positive. I told you earlier that OpenTelemetry is finalising the CNCF graduation process; here are a bunch of links showing how useful it is and how different vendors ensure they provide telemetry data. Recently, Elastic gave it a big boost. Read more:
Elastic - Elastic now providing distributions for OpenTelemetry SDKs
Steve Gordon, Martijn Laarman - Introducing Elastic's OpenTelemetry SDK for .NET
Check also:
I’m planning to soon make telemetry support a first-class citizen in Emmett.
On the positive side, I also read a nice story from Brent Ozar with his thoughts on 12 years of working in a startup. An unusual case:
Check also other links!
Cheers
Oskar
p.s. I invite you to join the paid version of Architecture Weekly. It already contains the exclusive Discord channel for subscribers (and my GitHub sponsors), monthly webinars, etc. It is a vibrant space for knowledge sharing. Don’t wait to be a part of it!
p.s.2. Ukraine is still under brutal Russian invasion. A lot of Ukrainian people are hurt, without shelter and need help. You can help in various ways, for instance, directly helping refugees, spreading awareness, and putting pressure on your local government or companies. You can also support Ukraine by donating, e.g. to the Ukraine humanitarian organisation, Ambulances for Ukraine or Red Cross.
Architecture
DevOps
Elastic - Elastic now providing distributions for OpenTelemetry SDKs
The NewStack - Can OpenTofu Become the HTTP of Infrastructure as Code?
Databases
AWS
Azure
Java
.NET
Chris Patterson - Using Open Telemetry with the MassTransit Test Harness?
Steve Gordon, Martijn Laarman - Introducing Elastic's OpenTelemetry SDK for .NET
Khalid Abuhakmeh - Responsive Images Crash Course for ASP.NET Core Developers