HackerTrans
TopNewTrendsCommentsPastAskShowJobs

ah1508

36 karmajoined vor 3 Jahren

Submissions

Ask HN: Data integrity in a decentralized trustless system

1 points·by ah1508·vor 10 Monaten·6 comments

comments

ah1508
·vor 3 Tagen·discuss
When I start using a chainsaw or a car I hope it has been tested (!) Without tests before delivery the one who tests is the end user. Disaster for a unreliable chainsaw, very unpleasant for a software.

But you're right, the goal is not to write test but to ensure delivery of a reliable software. However each software is a prototype, something that has never been made before (unlike a manufactured car or chainsaw) so the customer must be ready to some unexpected behaviors when the software is released.

Since tests are often sloppy or does not cover every edge case, I see a real value for GenAI. It also forces to write good spec: very clear about inputs and the invariants for each use case. I think that AI (especially GenAI) should first be a solution to existing problem, lack of tests and good specs is often one of them.
ah1508
·vor 5 Tagen·discuss
I agree, easy and much more pleasant. Walk down the street, go into the bookshop (which is by essence a place in 3D, much more pleasant than a screen), search for a book, find it, turn a few pages, chat with the seller or with someone else interested by a book you liked, buy the book you came for, and another one you did not plan to buy, stop somewhere to drink a coffee, open the first few pages, etc... How can a website reproduce this "quality of life" ?? No need to live like during covid and lockdowns. If you live 30 km away from the nearest bookshop (like I did for 4 years) a phone call to check if the book is available and order it if it is not. Never bought anything on amazon (don't want, don't need), and maybe 10 times online in the last 25 years for very specific stuff.
ah1508
·vor 10 Tagen·discuss
What I dislike about the term "clean" code is that it dismiss objective criteria.

"I did it like that because it's cleaner" is a non sense. A program must be maintenable, efficient, observable, testable, scalable, performant, readable, secured. Each criteria can be objectively measured in a kind of radar diagram and can be maximized as long as it does not sacrifice another criteria. Form follows function.

Even "simple" (from KISS) is too vague, fortunately in the conference "simple made easy" Rich Hickey defines what is simple: not interleaved. simple comes from sin plex, the opposite of con plex. Not always easy to make something simple.

However I don't see anything wrong with SOLID. Separation of concerns is how a modern society or a football team works, and S brings D because specialization involves good relationships ("no man is an island" wrote John Donne ), and D is strongly related to L. I has no drawbacks.

However I don't separate data from business logic anymore (no data access layer). Business logic applies on data, not on objects that hide data. Translating a ER diagram into anemic classes while the DBA do the same in the DB does not have any value and forces to use obstruction pattern like repository. If entity classes have properties and methods (a Plane class that has a 'takeOff' and 'land' methods for instance) it is different but must most backend I see don't implement entity classes that way. Because their classes represent data, not animated concept. Player class with a shoot method might makes sense for a video game, User class with a addComment method for a CRUD app makes less sense to me.
ah1508
·vor 11 Tagen·discuss
> while also not losing understanding

That's a key point. Keeping knowledge and know how inside the company is strategic. For most people GPS did not result in better sense of direction, spellchecking did not help to write without making mistakes, and delegating translation to deepl does help to be better in a foreign languages. I don't see the gain for an individual, a company, a society if a technology reduces the ability to think, do stuff, understand complex problem, working hard at something. Hiring junior also matters, what is boring for a senior dev is useful for a junior, like the "wax on wax off" in Karatekid. Then when the senior dev retired the junior is not junior anymore and the know how is still here. I want to to transfer my knowledge to a junior, not to anthropic or google or openai.

Ideally, working hand in hand with an AI could be like driving a motorcycle vs riding a bicycle. Both are fine, but you go much faster with a motorcycle and you don't lose any ability. But prompting a motorcycle auto-pilot by voice sound a bit stupid and boring. Insane use of energy rarely comes into the equation, which is a bit weird. Personally it is why I am never tempted to use AI. However I see value in AI for finding weakness in a code (inverse of flattery), writing tests with all the edge cases based on specs since tests are often sloppy, asking a fresh view on a very difficult problem. I'd love to hear about the equivalent of move#32 in game 2 (AlphaGo vs Lee Sedol) in a difficult programming task. But I think that massive delegation of code writing is how you lose the knowledge and the know how: what keeps us sharp.

Final word: I asked once a review to claude, the codes involved a db transaction. Nothing complicated, Claude said everything was fine. However the transaction isolation level was not set (I did it on purpose, like if I did not know about isolation levels). He did not ask me if it was my intention to keep the default level. I would have preferred a challenging feedback: why did you chose the default isolation level ? Is it on purpose ? Do you know that the default depend on the db ? Do you know about isolation ? Tell me about the business use case and I'll explain which one would be the best.
ah1508
·vor 17 Tagen·discuss
I just discovered bunny.net thanks to this post. I'd be happy to move my static websites on bunny.net, but is it possible (like on cloudflare) to map requests to /foo to the foo.html file ? According to what I read on the documentation it is not a edge rule.
ah1508
·vor 22 Tagen·discuss
virtual thread instead of async/await is a counter example.

Java is more used than C#, they can wait before delivering a new feature (given their leader position) but cannot deliver a flawed implementation that would stay in the language forever. Glad to have virtual threads and the backward compatibility that comes with it instead a Async version of sync methods + async and await keywords all over the code and Task as a return type in my interfaces methods to allow implementations to do non blocking I/O calls if they need.

I use Java and C# and appreciate them both.
ah1508
·vor 2 Monaten·discuss
I think that words like "clean code" or "beautiful code" does help juniors to learn best practices of software architecture.

  - Junior asks to senior: what did you we use an ORM ?
  - senior answers: because it's cleaner.
  - junior: ???
I prefer when people are able to define a clear list of objectives:

  - maintenable;
  - performant, scalable;
  - efficient;
  - resilient;
  - observable;
  - testable (and tested);
  - secured;
  - readable for new devs that come on board.
Each criteria balance the others, and the more we add criteria the more it helps to make good choice when we hesitate. It is also meaningful for people outside of the dev team, we can reach an agreement with the customer so he knows what he pays for.

"maintenable" can be also defined, since a project is mostly in maintenance mode during its lifetime (which means the project is successful, which is good !). The ability to incorporate new features without breaking architecture or even without breaking a single method signature is a good starting point.

Being super careful with abstractions. Here someone wrote something like that: "abstraction often hides how what you want is simple". True, ORM I am looking at you. In most case data should be threaten as first class citizen, it also fosters good collaboration with the DBA.

Thinking beyond "the happy path" without falling in premature optimization is also a challenge. A nice one, once again to it avoids to go head first in implementing a good idea without considering drawbacks.

I also tend to imagine that the one that will work on my code had a very bad day so it must be pleasant to read what I wrote. Comments here and there, locale variable here and there even if they can be avoided, variable naming, etc...

Being selective about frameworks. They are good servant but bad leaders. "Be an engineer, not a frameworker" says an article.
ah1508
·vor 2 Monaten·discuss
In this case I don't think the status should depend on the number of results. Here are you results, [] is a valid response body when there are no result. Returning 404 if there are no result (GET /books?title=a for instance) is misleading, the caller may think that /books is a non existent route and may conclude that books are reachable via another URI. To me, the querystring has no influence on the response status.

/books/1 could return 200 or 404 depending on the existence of the book#1, here it make sense because if /books/1 does not exist the API must tell it explicitly. However 404 belongs to the 4XX family which means "client error", is it an error to ask for a non existing book ? If you enter in a bookshop and ask for a book they don't have you did not "make a mistake". It's not like if you asked for a chainsaw. But in an API, especially with hypermedia, you are not supposed to request a resource that does not exist (unless the API provides a link to an existing resource that is was deleted before the caller try to reach it).
ah1508
·vor 3 Monaten·discuss
So you need to find something better. In an article "How NASA writes 'perfect' software (1996) (fastcompany.com)" (comments on HN), the author explains that adding GPS support required 1500 pages of spec, and to avoid ambiguity the spec used pseudo code to describe expected features and behaviors.

If you invent a formal language that is easy to read and easy to write, it may look like Python... Then someone will probably write an interpreter.

We have many languages, senior people who know how to use them, who enjoy coding and who don't have a "lack of productivity" problem. I don't feel the need to throw away everything we have to embrace what is supposed to be "the future". And since we need good devs to read and LLM generated code how to remain a good dev if we don't write code anymore ? What's the point of being up to date in language x if we don't write code ? Remaining good at something without doing it is a mystery to me.
ah1508
·vor 3 Monaten·discuss
Agree: house architects have their language (architectural plans) to translate people needs in non ambiguous informations that will be useful for those who build the house. Musician uses musical notes, physician uses schemas to represent molecules, etc... And programmers use programming languages, when we write a line of code we don't hope that the compiler will understand what we write. Musical notes are a kind of abstraction: higher level than audio frequency but lower level than natural language. Same for programming language. Getting rid of all the formal languages take us back 2000 years ago.

Using a formal language also help to enter in a kind of flow. And then details you did not think about before using the formal language may appear. Everything cannot be prompted, just like Alex Honnold prepared his climbing of El Capitan very carefully but it's only when he was on the rock that he took the real decisions. Same for Lindbergh when he crossed the Atlantic. The map is not the territory.
ah1508
·vor 4 Monaten·discuss
I have a dumb phone, my last smartphone was a blackberry, 7 or 8 years ago. To people who ask me how can I "live" without a smartphone I answer: I have a computer.

Everyday I have access to my computer, and since nothing is absolutely urgent I can book train tickets from home, read hacker news from home, etc... I spend several hours per day at home with my laptop so when I am outside I don't need to be online.

I don't listen music when outside since I feel more connected to where I am (sea shore, forest, city, etc...) if I don't listen music.

I nearly don't need take pictures anymore and when I do I have a camera.

I never had an account on social medias and even if I did I would have disable all notifications.

No need for a GPS, usually I know where I am going and if I don't I check on a map before and remind the path (exit metro station, first on left, second on right, done), if I get lost I ask to someone, then happen a true connection to a human being. Road trips: paper maps, I traveled alone from San Diego to New-York like that, including reaching a specific address in Chicago and then in New-York with a paper map. And I like the voice of my wife telling me "in 2km we must take the D25 on the right" (names of secondary roads in France starts with D).

We have a sailboat so we need gps when we sail and we have a rugged tablet. We also use it at home as a remote control for the DAC with Qobuz and for video calls with family with Signal. A smartphone can makes sense in several occasion, like does out tablet, but I don't feel the need to have one (a kind of mini computer) in my pocket all the time.

And since urgent calls can only comes from my wife or from the school (we have a son), when we are together with our son we don't take our dumbphone (nokia 105) with us.

I think anyone can buy a dumbphone for 20$ or € and try for a week.
ah1508
·vor 10 Monaten·discuss
You're right, we can get rid of the proxy. If the multiple API calls are made from the browser it is even more traceable, user can see these requests in the source code and from the devtools network console.

Each API has its database which contains the accesskey for each user, if this data is stolen the attacker can send HTTP POST requests to API with valid access key. To reject these forged request a code can be sent to the user in the invitation message while each database has a bcrypt hash of the code along the access key. When an API receives a POST requests it can check if the code present in the request body matches with the hash he has in its database. So having the access key is not enough to send request, someone who steal a db cannot do anything with the data and cannot propagate false data to other APIs.
ah1508
·vor 10 Monaten·discuss
Thanks for your answer.

Without the proxy the client would request a specific instance of the API (university 1, university 2, NGO 1, NGO 2), which then would be responsible for forwarding the data to the other. What if he changes the code and forward a false data:

user A votes for candidate X (HTTP POST request received by API deployed at university 1). API deployed at university A is compromised (by the university itself or not) and the information persisted in the DB is "user A votes for candidate Y". This information is then forwarded to other API.

If a proxy like NGINX is responsible for request forwarding the problem is solved (assuming that all parties trust nginx and its "mirror" module). https://nginx.org/en/docs/http/ngx_http_mirror_module.html