The problem only arises when you have to worry about persistent state. As soon as you have to worry about that, you have to think about backups, replicas, disaster recovery drills and so on. It is much easier to solve for that can of worms for one system than three.
Typical production architecture would look like
- frontend only ever sees an opaque session cookie
- bff stores the access token against session and attaches it when calling backend services
Yes, storing JWTs directly in the frontend client is a bad idea but surely there is a better way of communicating that than "JWT is a scam and your app doesn't need it".
> RS256 verification is in the same order of magnitude as a Redis lookup
But the point is that the verification is CPU bound and local to the service - which means that it is horizontally scalable.
> it starts by raising this question, then argues that it’s kind of a cheap and meaningless punch-down.
The cheap and meaningless punch-down in the article is the vibecoding accusation. The question in the title is actually their main line of attack against that accusation, all the way to the end.
>> QED
So.
Where are the vibecoded Photoshops?
WHERE IS THE THREAT YOU MADE UP TO ATTACK ME?
>>I'm waiting.
I find it hilarious that so many people are finding it so difficult to grasp even the general line of argument of the article despite trying earnestly.
Do they really? Do you genuinely that most people asking the "Where Are the Vibecoded Photoshops?" question are those who don't understand that "Level 2 and 3 activities" were the real bottleneck or are they trying to explain that to people who don't and are unreasonably expecting a 10x productivity boost out of them?
This is the first time in my life I have ever felt the need of an LLM to understand an article. Even after understanding the overall gist of the article (thanks ChatGPT!), I still can't make head or tail of many sentences and find many questionable choices made in the way the article was structured.
e.g.
>And the accusers never want to address that, because addressing it means admitting the accusation doesn't hold up.
This is the first sentence that introduces the "accuse" word in the article without establishing what the accusation is, who the accusers are or why should the accuser be worried about their claim being spectacularly successful (zero counterexamples). The last part is still not clear to me at all.
Then the article makes a bunch of unestablished claims to the point of becoming straight up ad hominem. No, the senior developers of the world are not asking this question because they don't understand that the requirement gathering, architecting and decision making (level 2 and 3 activities in the nomenclature of the article) - but precisely because of it. Senior developers world over are being pressured into unreasonable expectations around delivery speed by CEOs and other management types. The entire point of "Where Are the Vibecoded Photoshops?" is to hopefully be able to communicate to these people that the bottleneck hasn't moved, so to expect 10x increase in delivery is entirely unreasonable.
Which is where the "emacsification" analogy breaks for me.
The reason people who like emacs write their one-off program in emacs is that it is an extraordinarily introspectable and debuggable programming environment. There is no "code, compile, run" loop - you just write code against the live running environment. Devoid of that fast feedback loop, writing code just isn't as much fun.
That is because the terminology (and the keybindings) come from the Emacs tradition, not vim. Most shells come with “vim mode” as well, but at least in my experience, the dual mode editing paradigm of does not feel like a good fit for the shell.
> US has privacy laws in place that will protect you
They don't protect us at all. Thanks to Snowden, we all know that the US government has extremely sophisticated and wide-ranging ability to get access to any data we share with American companies.
The original comment was neither false dichotomy nor whataboutism. It was a simple point that the rest of the world is already used to their data being snooped by the US government. So apart from US exceptionalism, there is no particular reason they would be especially alarmed by the prospect of their data being sent to "Chinese servers".
You overestimate how much the rest of the world cares about data being sent to “chinese servers”, when all this while our data was being sent to “American servers” anyways.
At least in India, most popular newspapers actually do this nowadays. Several full page ads including on the front page have become the norm.
It is mostly a function of how little the reader is willing to pay for content. When the price point is too low (which for online content is too low), publishers make their money by other means. It is not rocket science.
I know Jenkins is not fashionable these days, but the warnings-ng plugin is perfect for solving this in a tool-independent way. :chefskiss:
The way it works is - the underlying linter tool flags all the warnings, and the plugin helps you keep track of when any particular issue was introduced. You can add a quality gate to fail the build if any new issue was added in a merge request.