Tag web

APIs should have test error endpoints

Most of the time, when you start coding against an API, either with or without an API client, you end up producing enough errors that your error-checking is fairly robust. However, sometimes most or even everything “just works.” Which produces a conundrum:

You now have no idea how robust your error handling is (or is not).

As an example, that – ahem – may or may not have just inspired this blog post:

Say you are polling something to check for an update, every 60 seconds or so. If it fails, you want to know that and decide whether or not you should keep polling the endpoint. Everything works great. Until you get a 500 which you haven’t handled correctly (or there was a bug in your logging call or… something, ahem). Now you have an exception in your own code which breaks out of your loop independently of your API error handling. So your polling has stopped and you’ve cut off your own ability to see what went wrong on the other end.

What I propose is that we as API providers should include error test endpoints. Something like:

/tests/errors/500
/tests/errors/503
etc

(note: 404 is obviously easy)

In theory RESTful APIs would all return errors in the same way with HTTP error codes and the like, but the practical reality is that this just isn’t the case. Some even return 200s with JSON strings that include errors. Even if they were all perfect, you still might want to wrap them in behaviors (like sending an email notification) depending on the message contents, which really leaves you in a predicament if the errors are hard to intentionally produce. You can even make a compelling argument that API client development should start with these endpoints.
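What developing a client against such endpoints could look like, as an added example that is not code from the original post or from any real API. The loopback server, the `/status` path and the `/tests/errors/200-json` endpoint (an error hidden inside a 200 body) are assumptions made for the demo; the point is that `poll_once` turns every failure into a verdict so nothing can break out of the polling loop.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class ErrorTestHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for an API that ships /tests/errors/<code> endpoints."""

    def do_GET(self):
        if self.path.startswith("/tests/errors/"):
            tail = self.path.rsplit("/", 1)[1]
            if tail == "200-json":  # hypothetical endpoint: error inside a 200 body
                self._send(200, {"error": "backend unavailable"})
            elif tail.isdigit() and 400 <= int(tail) <= 599:
                self._send(int(tail), {"error": "test error " + tail})
            else:
                self._send(404, {"error": "unknown test endpoint"})
        else:
            self._send(200, {"status": "ok"})

    def _send(self, code, payload):
        body = json.dumps(payload).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


# Ignore any proxy set in the environment so loopback requests stay local.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def poll_once(url, timeout=2.0):
    """Return (verdict, detail) and never raise, so the polling loop cannot die."""
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            data = json.loads(resp.read().decode())
            if isinstance(data, dict) and "error" in data:
                return "stop", "200 with error body: %s" % data["error"]
            return "ok", data
    except urllib.error.HTTPError as exc:
        # 5xx is treated as transient; 4xx is a client bug that retrying won't fix.
        return ("retry" if exc.code >= 500 else "stop"), "HTTP %d" % exc.code
    except (urllib.error.URLError, ValueError, OSError) as exc:
        return "retry", "transport or parse failure: %r" % exc


def run_error_drill():
    """Exercise every branch of poll_once against the test endpoints."""
    server = HTTPServer(("127.0.0.1", 0), ErrorTestHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        paths = ["/status", "/tests/errors/500", "/tests/errors/503",
                 "/tests/errors/404", "/tests/errors/200-json"]
        return {p: poll_once(base + p)[0] for p in paths}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, verdict in run_error_drill().items():
        print(path, "->", verdict)
```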

I’ve opened an Issue to add these endpoints for YourTrove’s API and I will follow this up with a blog post on the Trove blog when those endpoints are deployed.

Python logging tutorial | Pingbacks

This is the easiest-to-follow of the various Python logging guides/posts/docs that I’ve seen:

Python logging tutorial | Pingbacks.

Identity, SSO, and networked namespaces

Jud Valeski had a notable observation about how potentially powerful an OS level namespace and single sign-on capability could be for internetworked applications:

Everyone’s talking about the power of Twitter and Apple’s native single sign-on model in iOS 5. While this is a phenomenal coup for both Twitter and Apple, it’s only the tip of the iceberg. Having a widespread, networked, account namespace (Twitter) baked in at the operating system level is one of the few things that can truly revolutionize the network again.

I am certainly not going to be one to criticize this desire at all. But (of course there’s a “but”), I have no real reason to believe that a big company team-up is going to actually enable this desire. The history of big software companies’ attempts at some kind of unified, distributable identity is littered with bungles, with everything from Passport to Apple’s own MobileMe.

There is, of course, the big advantage that there are already a lot of integrations and knowledge about Twitter auth and users, but is that enough?

I’ve always thought that “user-awareness” was incredibly key to making applications powerful and much more user-friendly, but I don’t write about it enough. So, here goes the following…

I still think the solution to this “who is the user/omfg passwords everywhere” nightmare has to be something that provides “connectedness” and an extra layer of security that is used pretty rarely at the moment.

What does that mean? Glad you asked. I think it looks something like this:

  1. A user connects to an Internet service (through a browser, mobile app, desktop app, anything).
  2. A hashed key is provided to the service along with that request. The hash initially blinds the service from the user’s identity.
  3. The service sends the hash off to a third party.
  4. The third party then contacts the user, most likely through a mobile app: “The service MyHotNewThing wants to connect with your information, do you want to share the following info?…”
  5. The user says Yes (or No and the process stops and the user gets a “not logged in” view of the service), makes any customizations to what info they want to share with the service, and the third party then provides a key to the service that allows them to access the user’s information.
  6. The user is logged in to the service and any approved content or other connections(!) are also now available to the service.

Boom. It’s a bit similar to OAuth, but not the same: No browser required, no bouncing through URLs, no confusion about who is asking for what.

A few additional key points:

  1. Those hashes have to include, behind the scenes, devices. In normal language this means something like “User X has approved access to Service Y from Device Z.” Now, implicitly, the user is probably approving this for all the user’s devices, but all of those keys are different. This lets a user completely disable access from a (stolen, lost, broken) device for everything in one action. It also lets the user disapprove access from an unknown (hacker) device.
  2. This also makes all the keys and hashes different for the triple combo of service/user/device as opposed to most current schemes, which are just service/user.
  3. By handing off the approval process to a third-party this opens the door to things like social authentication (my friends trust this, so I will too) and content-sharing without conflict of interest.
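A minimal sketch of the flow and the service/user/device keying described above, as an added example that is not part of the original post. The `Broker` class, its method names and the choice of HMAC-SHA256 over the service name with a per-device secret as the "hashed key" are all assumptions; the sample profile is constructed.

```python
import hashlib
import hmac
import secrets


def blind(device_secret: bytes, service: str) -> str:
    """Step 2: per-service hash of a per-device secret; reveals no identity."""
    return hmac.new(device_secret, service.encode(), hashlib.sha256).hexdigest()


class Broker:
    """Hypothetical third party (steps 3-5). Names and API are illustrative."""

    def __init__(self):
        self._devices = {}   # (user, device) -> device secret
        self._profiles = {}  # user -> profile dict
        self._pending = {}   # request id -> (service, user, device, wanted)
        self._grants = {}    # access key -> (service, user, device, fields)

    def enroll(self, user, device, profile):
        self._profiles[user] = profile
        self._devices[(user, device)] = secrets.token_bytes(32)
        return self._devices[(user, device)]  # kept on the device only

    def request_access(self, service, blinded, wanted):
        """Step 3: the service forwards the hash; the broker resolves it."""
        for (user, device), secret in self._devices.items():
            if hmac.compare_digest(blind(secret, service), blinded):
                req = secrets.token_hex(8)
                self._pending[req] = (service, user, device, set(wanted))
                return req  # step 4: the prompt shown to the user carries this id
        return None  # unknown or revoked device: nothing to ask the user about

    def decide(self, req, approved_fields):
        """Step 5: the user trims the request; an empty set means 'No'."""
        service, user, device, wanted = self._pending.pop(req)
        fields = wanted & set(approved_fields)
        if not fields:
            return None
        key = secrets.token_hex(16)
        self._grants[key] = (service, user, device, fields)
        return key

    def fetch(self, service, key):
        """Step 6: the service reads only what this grant covers."""
        grant = self._grants.get(key)
        if grant is None or grant[0] != service:
            return None
        _, user, _, fields = grant
        return {f: self._profiles[user][f] for f in fields if f in self._profiles[user]}

    def revoke_device(self, user, device):
        """One action disables the device for every service."""
        self._devices.pop((user, device), None)
        for key in [k for k, g in self._grants.items() if g[1:3] == (user, device)]:
            del self._grants[key]


def demo():
    broker = Broker()
    profile = {"name": "Alex", "email": "alex@example.test", "friends": ["sam"]}
    phone = broker.enroll("alex", "phone", profile)
    laptop = broker.enroll("alex", "laptop", profile)
    out = {"distinct_hashes": len({blind(phone, "MyHotNewThing"),
                                   blind(laptop, "MyHotNewThing"),
                                   blind(phone, "OtherService")})}
    keys = {}
    for name, secret in (("phone", phone), ("laptop", laptop)):
        req = broker.request_access("MyHotNewThing", blind(secret, "MyHotNewThing"),
                                    ["name", "email", "friends"])
        keys[name] = broker.decide(req, ["name", "friends"])  # user withholds email
    out["shared"] = sorted(broker.fetch("MyHotNewThing", keys["phone"]))
    out["wrong_service"] = broker.fetch("OtherService", keys["phone"])
    broker.revoke_device("alex", "phone")  # phone is lost or stolen
    out["phone_after_revoke"] = broker.fetch("MyHotNewThing", keys["phone"])
    out["laptop_after_revoke"] = sorted(broker.fetch("MyHotNewThing", keys["laptop"]))
    out["stolen_phone_retry"] = broker.request_access(
        "MyHotNewThing", blind(phone, "MyHotNewThing"), ["name"])
    return out
```

Calling `demo()` shows three distinct hashes for the three service/device combinations, and that revoking the phone kills its grant while the laptop's keeps working.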

Getting back to the original post, I’m not saying that possibility isn’t there, but I don’t see the big players thinking about this problem in this way.

Thoughts?

Is the sorry state of American education actually good for software innovation?

The following is a bit in the realm of pointless mind games and Devil’s Advocate, so grain of salt applies.

It struck me that America’s currently abhorrent state of education may, in an odd, counterproductive way actually be helping to fuel software innovation. Imagine you’re a smart student being put through the low-expectations, rote-memorization wringer that is America’s current state of public education. In other words, you’re bored senseless and completely unchallenged in school. Yet, you possess a curious mind and enjoy learning and figuring out how things work and making things that do things.

So what do you do? Well, you turn to the Internet of course. And sure, there’s Facebook and porn and sexting and reddit and political flamewars. But there’s also Wikipedia and open source software and entire datacenters of videos and blog posts about how to do things and how they work.

And you get curious and start fiddling with some of this stuff and then you start making things. And the things you make, do things. Maybe they even do useful things. And so you share them and discover that other people, even if it’s only one or two, find the stuff you made useful.

And suddenly you’re hooked. Now you want to make even more useful and complex and interesting things.

So, the question is: does this happen if you aren’t bored senseless at school? At some level, absolutely this question is completely irrelevant beyond the individual. But at the same time access to good programming education, fast Internet and computing equipment is no longer primarily an American or even Euro perk. We’re seeing good software and startups from all over the world.

Despite all this, there is a distinctly cultural “thing” to American software innovation. There’s a drive and passion that is more prevalent here. I’m not saying it doesn’t exist elsewhere, it absolutely does, I’m saying that this is at a critical mass in America that you don’t really see anywhere else and it irks me as to why.

I’m really not trying to be a rah rah American here (I’m attributing this to our crap education!), I think our country is a mess. But the one thing that’s undeniably working is our leadership in software innovation and I find it a curiosity that exists in spite of all our other problems.

And, of course, the easy counter to this entire argument is the volume of great stuff that comes out of Stanford, MIT and elsewhere. But there are also an awful lot of really good developers who never bothered with, or dropped out of school. And there are an awful lot of CS grads who are crap developers and even worse innovators.

A few great things to read on REST (technical)

I’m not sure how I missed this post by Jacob Kaplan-Moss, where he’s throwing the kind of REST question out there that has, in the past, kept me thinking for hours:

It seems like URIs like /people/{my-uid}/photos and /people/{my-uid}/photos/{photo-id} are more “pure.” But now that’s weird because only one single user ever has access to a given URI (e.g only user #7 gets to access the entire space under /people/7). And the information in the URI is redundant with the information in the Authorization header.

http://www.jacobian.org/writing/rest-wankery-question/

Then things get really interesting in the comments, with links to two great posts (which I also missed):

The last constraint is incredibly simple, but nobody actually does it. It’s named Hypertext As The Engine Of Application State. I still haven’t decided how to pronounce the acronym, I always try to say “Hate ee ohs,” which sounds like a breakfast cereal. Anyway, let’s break this down. We’re using Hypertext, fine, that makes sense. But what’s it mean to be an engine? And application state?

Now, when I said ‘nobody’ does this, what I meant was ‘for APIs.’ This is exactly how the Web works. Think about it. You start off on the homepage. That’s the only URL you have to know. From there, a bunch of links point you towards each state that you can reach from there. People would consider it ludicrous if they had to remember a dozen URLs to navigate a website, so why do we expect the consumers of our APIs to do so as well?

Haters gonna HATEOAS

Finally, comes an elegant, much more RESTful solution to the API version dilemma:

You can simply define a new media type – say application/vnd.mycompany.myapp-v2+xml – and associate new multi-email format with it. Clients can then request whichever format they want. Older clients don’t know the new media type so they get served the older single email format.

Newer clients do know the new media type so they can have access to the new functionality.

VERSIONING REST WEB SERVICES

All three of these posts/discussions are worth reading, but if you only read one, read Steve Klabnik’s HATEOAS post.

7 Things I’ve Learned at South by Southwest This Year

1. Blog lists should always be three, seven or ten items (actually I knew this already but Ned Vizzini put it in really funny terms)

2. Identity and privacy online are epic fail broken. Shit, I already knew that too.

3. Texas is dry. However much non-alcohol you think you need, drink twice that amount. I probably learned this last year, but forgot.

4. The centrally located hotel room is worth the extra money.

5. The etsy dev team is even more awesome than I thought.

6. When interactive ends, my phone starts working again, but phone calls are still useless because music has started and music is LOUD.

7. I enjoy panels that have nothing to do with my areas of expertise a lot more than those that do.

OAuth is really all about asking a friend if someone you want to date has cooties

In honor of Valentine’s Day…

Even if you’re not a techie or a developer, you’ve probably “Logged in via Twitter” or “Connected with Facebook.” If so, the following (in very general terms) is what’s going on when you click one of those buttons.

For the purposes of this exercise:

Girl = User in the OAuth nomenclature

Guy = Consumer in OAuth nomenclature

Friend = Provider in OAuth nomenclature. Pretend the Friend is a friend of both the Girl and Guy…

Girl to Guy: Yo, what’s up, you’re cute.

Guy, to Girl: Hey, wanna go out?

Girl, to Guy: Yeah, but I need to check you out with a friend first.

Guy, to Friend: Yo, this hot girl I know is interested in me, I TOTALLY wanna sleep with her, can you vouch for me? Like tell her that I’m good in bed and don’t have cooties and stuff? Speaking of, can you make sure she doesn’t have cooties.

Friend, to Guy: I need to make sure everything is cool for everyone involved, tell her to come talk to me. I don’t even know yet that she’s the person I think you’re talking about.

Guy, to Girl: Cool, I understand, go talk to our Friend and let’s make sure neither of us is sketchy.

Girl, to Friend: Hey, what’s up, can you tell this cute guy who I am and can you tell me a little bit about him?

Friend, to Girl: Oh, hey! What’s up? So yeah, this Guy says you’re interested in him and he’s definitely interested in you. He said he wanted to sleep with you. I can vouch that he doesn’t have any cooties or anything.

Girl, to Friend: What? I’ll make out with him, but even if you say he doesn’t have any STDs, I’m not sleeping with him yet.

Friend, to Girl: Okay, that’s fine, I’ll tell him you’re cool with making out but not ready for sex yet. He can tell you to come back and tell me when you are ready for sex and I’ll pass that along when the time comes.

Girl, to Friend: Great, thank you! I’m heading back over!

Guy, to Friend: She’s back, did you vouch for me?

Friend, to Guy: Dude, okay first off yeah, I know her and she does not have cooties. Also, she’s into you, but don’t push it. She’s okay with making out but she’s not gonna sleep with you right now.

Guy, to Friend: Okay, can you tell me if she likes tongue or not?

Friend, to Guy: She said she’d make out with you, of COURSE she likes tongue.

Guy and girl make out.

And that’s OAuth for you. It’s really all about checking for cooties and making sure no one is doing anything they don’t want to do before you hook up. Maybe next year I’ll write about how HTTPS is like condoms…

A silver lining in the new net neutrality rules?

I put together a little primer at work on the FCC’s new net neutrality rules. As I was fact checking myself, a thought struck me…

Might the new wireless rules be a politically brilliant policy disaster?

Hear me out.

After ISP lobbying, what is the biggest obstacle that net neutrality faces? Public opinion. Not that public opinion is against net neutrality per se, but that net neutrality is too confusing and drowned out in the midst of unemployment, the Tea Party, Don’t Ask Don’t Tell, Wikileaks and all around apathy and ambivalence.

In other words, the American public takes it for granted, if they have been bothered to understand what it’s about at all. And what’s the best way we learn about something we take for granted?

That’s right, we take it away.

By altering the rules for wireless, the FCC is providing a testbed to show the public what it would be like if net neutrality went away while still protecting the old, wired internet. The changes to wireless are already in motion and I am just waiting for AT&T to inform me that my (already comically expensive) plan is changing.

One has to think there will be an outcry when people start getting hit in the wallet just for watching a YouTube video. Will it be enough to sway against the massive lobby effort? The experience with the TSA body scanners says no, but it’s hard to tell where tipping points are, especially in mass psychology.

One can hope, and after the news cycle of the last quarter of 2010, I am trying to look on the potential bright side of things.

The Ass-Backwardness of Our Technology, Copyright Laws and Privacy

Consider this current state of affairs…

We live in an age where large corporations or their associations (think RIAA) are suing individuals and file sharing services for millions of dollars, while not making it any easier to actually, ya know, buy their copyrighted material. There are millions more dollars being spent on developing ever more complex DRM to secure said copyrighted material. Joel Tenenbaum got hit with a $675,000 ruling (note: the judge later took a zero off of that) for illegally sharing 30 songs. RIAA unsuccessfully sued the Russian allofmp3.com for $1.65 trillion – yes, with a ‘T’.

I don’t want to even get into the fact that this state of affairs is a shaky business strategy, that ultimately technology makes it impossible, or that the value proposition of suing everyone in sight is dubious at best (and nevermind the fact that file sharing is a free distribution channel…). Instead, let’s compare it to the flipside…

Individuals are sharing their data like crazy. More than at any point in history, people are sharing their thoughts, photos, social graph, fiction, music, videos (yes, even their porn). While many people are choosing to take advantage of better privacy settings at sites like Facebook, a lot of people are taking full advantage of how easy it is to get material into the public space. However, when individuals do want to control the distribution of some of our content, and something goes wrong, how does the reverse look? The people who sued Google over privacy issues with Buzz? They got $2500.00 each (that’s without a ‘T’… or a ‘B’ or an ‘M’). Granted, several million dollars in the Google ruling is going to privacy organizations, and that’s a good thing, but the point is that this disparity is so totally, absurdly out of whack.

Corporations are spending gobs of money on technology, lobbyists and legal proceedings to protect themselves from (I would argue perceived rather than actual) damages. Now, of course, there are a lot of people in the technology and speculative fiction world who just sort of “get” how retarded this is and that the sell-a-physical-thing-or-sue-the-world! business model is going to eventually die and move to some sort of whuffie-based economy (assuming, of course, we aren’t all thrown back to the 18th century ’cause of an energy crash, in which case this is all academic and hopefully I remembered to print this blog post before the lights went out).

However, that doesn’t really help the individual out right now. Individuals need better, easier to use tools to protect themselves. They also need better recourse and education. Facebook’s updates to privacy controls and industry efforts like OAuth are steps in the right direction, but we still aren’t there. Think about this: the single best set of keys you have right now to protect your online identity? Your smartphone.

Now, what would happen, for me, if this blog post was stolen a million times? How would I sue all those – wait what? Are you crazy? It would be fantastic. Please, by all means share the shit out of this.

The 00s in review, part 1, possibly of 1

Well, since everyone is doing lists…

Best moment

The US electing Obama.

Worst moment

Katrina. Yes, it was worse than 9/11. Sorry, it just was. 9/11 may have had a more profound impact on world events and American politics, but ultimately Katrina was a far more horrifying event. (note: I realize this is a profoundly American view. The worst moment for humanity was by far the Indonesia tsunami.)

Douche of the decade

Wow, it was a spectacular decade for douchebaggery. On the list of obvious choices you have Bush or anyone in his administration, Osama bin Laden, Brownie, credit card companies, all the neocon leadership, James Dobson, H1N1, Musa Hilal, RIAA, Mahmoud Ahmedinejad, Pope Ratz, Rupert Murdoch, and anyone who voted or lobbied for deregulation of the financial industry. Ultimately, unfortunately, it has to go to us, all of us. For letting these idiots get elected, for not doing enough to fight to curb carbon emissions, for not holding anyone in our government or media accountable. Sorry, but you and me and everyone else is the Douche of the Decade. You may now buy yourself a hat or a shirt or whatever as a prize.

Idiot of the decade

Pseudo-tie: Intelligent Design proponents and climate change deniers. It’s pseudo since these two crowds often happen to be the same idiots. Both of these movements are like the new religions of the 21st century. ID isn’t even pseudoscience, it’s really just mythology: a bunch of made up horseshit used to control people. And climate change deniers. Wow. I really don’t care how financially beneficial it is for you to spout your nonsense. You know why? ’Cause all that money you might be able to leave to your progeny won’t be worth fuckall if the planet becomes uninhabitable. Or even if it just starts to suck hard enough to throw us all back to the stone age and your accrued currency will be laughed at for not being potable water.

Sucker of the decade

I could repeat the above, but that’s lazy, so instead: Anyone who bought real estate in 2005/6. Bonus points if you got an ARM.

Best movie of the decade

In retrospect, there were actually a surprising number of great movies, from Fellowship of the Ring to Fahrenheit 9/11 to Food Inc to District 9 to An Inconvenient Truth. I’ll give the nod to Al Gore, if for no other reason than Truth was the most important topic.

Worst movie of the decade

Attack of the Clones. If you had told me in the 1990s that there would be three more Star Wars movies and that I would fall asleep during one of them I would have been sure you were high. Alas… Plenty has been written about all the failings of this movie, from the comical courtship to the astonishingly tensionless action sequences, to say nothing of the actual title. What gets the film the award is that it confirmed that, indeed, the prequels were going to suck. The Phantom Menace left some doubt, after all the lightsaber duel at the end kicked ass, but AotC took a big fat wooden stick and stabbed it deep into the heart of our Star Wars Childhoods, and then twisted it a few times.

Runner up: Cloverfield. The only movie where I’ve actually seen people go to the theater manager and ask for their money back.

Best tech of the decade

RSS and Blogs. That’s right, stupid and simple. Nothing did more to empower so many as keeping web sites simple, giving non-technical users better software, and bringing about a standardized distribution format (Atom is still better, but that’s irrelevant to the point here…). I get asked “what’s the difference between a blog and a web site?” a lot. For a long time, I used to just say “nothing really.” But then I started answering a different question: what makes a blog a blog? A blog is a web site whose format is a list of content. That sounds like a non-answer, but when you look at all the various attempts to revolutionize web navigation (remember when mouseovers were like the greatest javascript trick ever? Or, anything in Flash, see the next entry), the revolution was “make a list,” and do it in a way that computers and humans can digest the list with equal accuracy.

Best tech of the decade 2

Cloud computing. Despite it befuddling CNN reporters, on-the-fly provisioning and scaling are one of the most fundamentally positive changes to computing. From the short-turnarounds to the benefits of everyone getting their data into datacenters. And don’t listen to those CNN reporters. Your data is MUCH better off in a datacenter than on DVDs stored in your file cabinet. Yes, there have been a few outages, and there will certainly be more. Guess what, your stuff is still better off in the cloud. Seriously, just ask yourself, who is more likely to lose all your precious photos, Flickr or you? Does your home office have redundant power and backups and electronics-safe fire suppression? I didn’t think so.

Worst tech of the decade

Flash. Yes, I realize that it was around in the 90s, but Youtube, banner ads and ActionScript 3 took Flash to a whole new level of distribution and ambition in the 00s. Never has a technology put more power to crash more computers into the hands of so many.

I’m not even sure where to start with all the ways that Flash is awful, but I’ll try: It’s proprietary, it incurs tremendous overhead for development and maintenance (and bandwidth…), it’s chock full of opportunities for memory leaks and namespace collisions, it’s only pseudo-searchable (and even that is a recent development)… sigh, this is just making me angry. Here’s a Google link if you need more reasons.

Final thought: If you want to see just how much Flash wrecks your browsing experience, install Flashblock.

Worst tech of the decade 2

Identity. Or the lack thereof rather. How many logins and passwords do you have? How many times do you have to update your physical address if you move? This might be the singular failure of this century, so far, by the tech industry. OpenID isn’t going to get it done. OAuth is promising, but it still doesn’t really feel like a solution to this problem. There is a lot of work to be done on identity in the Teens.

Best TV

Battlestar Galactica.

Worst TV

Battlestar Galactica.

Best album

American Idiot.

Most obnoxious musical phenomenon

I couldn’t really do Worst album since I’m sure it’s something I would refuse to listen to. In lieu of that, I have to go with Maroon 5 and all their similar genre of pop. “This Love”’s whiny, choppy, horrid self was inescapable in public spaces for much of the middle part of the decade and personified a large amount of the useless, annoying music that drives people away from pop after they get out of puberty.

And you thought I was going to say Britney.

Neatest phenomenon

Voter turnout. It’s amazing how well a bad president motivates people.

Most annoying phenomenon

The destruction of written English. I’m as guilty as the next person of having typed lol a gazillion times in the last ten (okay, 15 for me…) years. But really look at this. Wow, just wow.

That’s it for now.