DeveloPassion's Newsletter - Less is more

Hello everyone! I’m Sébastien Dubois, your host. You’re receiving this email because you signed up for DeveloPassion’s Newsletter or the Dev Concepts project. Thank you for being here with me ✨
If you enjoy this, please forward it to your friends 👍. If this email was forwarded to you, then don’t forget to subscribe and become a supporter.
Welcome to the 37th edition
Another week, another newsletter! I hope that you all had a great one 🤩
This week I’ve continued helping colleagues and clients troubleshoot the monumental mess created by the discovery of a huge security vulnerability in log4j.
Aside from that, I’ve launched a new product (one more small and riskless bet), read a ton, and learned cool things about our world :)
I’ll tell you more about all that in a second. But before that, let me wish you a Merry Xmas in advance (or whatever else you decide to celebrate in the coming weeks :p).
Alright, let’s go! 🚀

Things I've learned
Some of the things I've learned this week
As I announced two weeks ago, I’ve launched a paid version of this newsletter for those who want to learn faster with me. The price is pretty low and mostly aims to help me keep going as a creator.
Whenever I read articles, books, and watch videos, I take tons of notes. I capture everything that resonates with me and that I find interesting: ideas, thoughts, quotes, stories, etc.
Next year, I’ll be reading even more non-fiction books, and I’ll share summaries and learnings with my members.
Currently, the topics I’m most interested in are: entrepreneurship, bootstrapping, knowledge management, design, psychology, and neuroscience. Of course, software development and IT are still near and dear to my heart ;-)
As part of this initiative, I intend to share more and more of what I learn, day after day, week after week.
If you want to support my work and join our learning community, then hop on the train with us 🎉
Personal Knowledge Management Library
I’ve launched a new product this week: The Personal Knowledge Management (PKM) Library. It’s a Notion space that contains hundreds of resources about Personal Knowledge Management: blog articles, videos, books, courses, templates, etc.
If you want to get started with PKM and more easily find your way around, then this is an awesome starting point.
PKM is a subject that I’ve been passionate about for a very long time, and I’ve spent a huge amount of time researching it further this year while preparing for my next startup project.
To me, PKM is a top skill to acquire to learn and grow faster in life. I really wish I had heard about Zettelkasten, BASB, PARA, etc. way earlier in my life.
❤️ The first 20 people who’ll use the “pkm-20” discount code will get 30% off! ❤️
Less is more
Last week and this week I’ve been quite busy helping colleagues and clients of mine understand and fix a critical vulnerability in Log4J. Even if you’re not a Java developer, you’ve probably heard of the story by now 😂.
That’s the fun part about my part-time job; it’s really varied. I get to work on software development, software frameworks, troubleshooting problems, PaaS, IaaS, DevSecOps, RFPs, IT security, etc.
This vulnerability is really a monstrous one. Very easy to exploit, and incredibly impactful. Basically, if you attack a vulnerable host and can inject a string into the logs, then it’s game over, you own the machine. Ouch! You can learn more about it here, and here.
Soon after the main vulnerability was announced, additional ones were uncovered and reported. Not a huge surprise given the fact that all eyes turned towards that codebase.
The situation could’ve been better handled (the fixes and the communication around them were messy at best), but I won’t be the one to criticize harshly. By the way, LunaSec has published a very interesting article explaining how to properly discuss and fix vulnerabilities in Open Source libraries.
I’m saddened to have read so many negative comments about Log4J and the team behind it all around the Web. It’s the way of the Internet, but the team behind this Open Source project really doesn’t deserve this. I wouldn’t like to be in their shoes right now. Open Source work is mostly thankless, unfortunately…
People only care about today’s RCE and forget about everything that Log4J has done for the ecosystem and all the time the maintainers have given away for the community. Log4J was a great addition to the Java ecosystem many years ago and has served us well. When Ceki created it (20 years ago!), we were stuck with limited and clunky JDK APIs. Log4J 1 introduced configurable loggers, configurable logging patterns, and many other much-needed innovations. No wonder that this library became so popular and so present all around the place. It actually influenced libraries in other programming languages.
What’s interesting to me is that this vulnerability was introduced because the library maintainers tried to please too many people. Or at least that’s my understanding.
Yes, it is nice to have a way to dynamically fetch information from the environment through JNDI and other means, but is it actually a must? No, absolutely not. That information could be fetched in various ways without extending the logging library.
To me, it is obvious that for some things in life, less is more. Low-level tools and libraries need to do one thing only and do it well (i.e., the Unix philosophy). Whatever’s going a tad too far should actually live elsewhere in the software stack.
This story highlights two points:
  • The importance of being able (and willing) to reject feature requests and even ready-made Pull Requests in Open Source projects
  • The importance of revisiting past choices and daring to introduce breaking changes in favor of a leaner and cleaner solution
Recent articles
No new articles this week!
How cool is that?!
The Matrix Awakens: An Unreal Engine 5 Experience
Tips of the week
I won’t shut up about PKM these days 😂
If you’re also thinking about your goals for 2021, then consider adding learning more about Personal Knowledge Management to your list. You’ll thank me later 🎉
Sébastien Dubois
Do you want to get started with Personal Knowledge Management (PKM), note-taking, and become a better knowledge worker?

Here's a small thread for you!
Books corner
This week I want to mention a book that a friend has recommended to me recently:
The Undercover Economist: Harford, Tim
Board game of the week
You’ve been surprisingly enthusiastic about this idea, so here goes. Each week I’ll try to mention a board game that I like.
This week, I’ll start with a game that we just bought: Last Message (3-8 players, ~15-30 minutes per game, 8+).
You need to have at least 3 players for this one. One will play the role of the criminal, another will be the victim, and the rest of the players will be detectives.
Last Message is a very simple family game in which detectives have to try and recognize the culprit based on drawings/explanations given by the victim. The victim is unable to speak but can draw and write to give some clues. Unfortunately, the criminal will make some of those clues disappear on each turn, making the job much harder for detectives ;-)
Quotes of the week
  • “Do not try to do everything. Do one thing well” – Steve Jobs
Links of the week
Here are a few links that I found interesting this week:
What’s new in TypeScript 4.5 - LogRocket Blog
Architect an Extensible Digital Garden with Next.js, Tailwind, and Nx | egghead.io
Modern CSS Reset / Global Styles
A biography of the pixel, the elementary particle of pictures | Aeon Essays
GitHub - google/zx: A tool for writing better scripts
That’s all folks!
I hope that you’ve liked this edition.
If you want to support my work, then become a supporter and share the link to the newsletter with your friends: https://newsletter.dsebastien.net ❤️