So you want to serialize some DER?| alexgaynor.net
What is a Benchmark?| alexgaynor.net
Standard Libraries and their Discontents| alexgaynor.net
Putting a Price Tag on Open Source| alexgaynor.net
Postel's Law and the Three Ring Circus| alexgaynor.net
Notes on coreutils in Rust| alexgaynor.net
Toby: I read it, I think, 16 years ago. It was about El Salvador and he had it stricken from the record and there was a reason. Will: What? Toby: I don’t know, but things have reasons. Will: Do they? Toby: Yes, they do. – The West Wing, Inauguration Part I We might describe this as a Chesterton’s Fence sentiment. Chesterton’s Fence is the principle that one should not remove a fence until they understand why it was put there in the first place.| Blogs on Alex Gaynor
Generality| alexgaynor.net
Do tech workers have a reason to love monopolies?| alexgaynor.net
The SSO Tax is Smart Business, and Bad Security| alexgaynor.net
Stop Demanding Performance| alexgaynor.net
Challenges to funding open source| alexgaynor.net
Risky Business| alexgaynor.net
I’ve maintained a popular cryptography library for years and in that time I’ve realized that many of the differences between cryptographic libraries flow from their creators' philosophies. Users of those libraries also have philosophies, which shape their expectations. These philosophies are often both in tension with one another, but also often implicit, leading to frustrating conversations. The goal of this post is to flesh out common philosophies, and how they come to be in tension wit...| Blogs on Alex Gaynor
I’m indebted to a colleague who many years ago succinctly told me: Backups don’t matter, only restores matter. It’s a deceptively simple observation: if your goal is durability, what you truly care about is your ability to restore from a backup. The existence of the backup itself is meaningless – backups are not magic totems of durability. Teams that are serious about durability don’t just take backups; they actually verify that they can restore from them.| Blogs on Alex Gaynor
The impact of memory safety on sandboxing| alexgaynor.net
Safer C++| alexgaynor.net
I’m a staunch advocate for the need to migrate away from memory unsafe programming languages, in order to address the endemic security issues they produce. This sentence contains a number of terms that are worth defining, and a number of asterisks that are worth explicating. My objective with this blog post is to add increased precision to this discussion. What is a memory unsafe language? It’s a programming language which, by default, allows code to introduce memory-related vulnerabilities (...| Blogs on Alex Gaynor
Software packages have version numbers. Thinking about them from scratch, the first thing we might want from version numbers is to know if two pieces of software are the same; we could accomplish this by making version numbers into an opaque value, like a UUID. Of course, a UUID isn’t a very useful version number because in practice we also want to do things like order versions, to know which is newer.| Blogs on Alex Gaynor
Complexity in software, whether it’s a programming language, an API, or a user interface, is generally regarded as a vice. And yet complexity is exceptionally common, even though no one ever sets out to build something complex. For people interested in building easy to use software, understanding the causes of complexity is critical. Fortunately, I believe there is a straightforward explanation. The most natural implementation of any feature request is additive, attempting to leave all oth...| Blogs on Alex Gaynor
Every Passover, Jews around the world sing Dayenu, which translates roughly as “it would have been enough”. The lyrics are basically a list of things God did for the Jewish people, any of them alone would have been enough. “Taking us out of Egypt, that alone would have been enough. Giving us the Sabbath, that alone would have been enough. Giving us the Torah, that alone would have been enough.”| Blogs on Alex Gaynor
software engineering is programming integrated over time This quote, from Titus Winters, expresses an important notion: that software engineering as a discipline must be considered not just with programming at a point in time, but with programming over an extended period. One of the things that tends to happen to a codebase as time is added, is that it tends to scale. We often think of scale in terms of amount of traffic to be served, or volumes of data to be processed.| Blogs on Alex Gaynor
In January of this year, I put together a wish list for security in 2019. As the year draws to a close, I wanted to look back and reflect on what was accomplished, and where there’s still work to do. Rust breakthrough Original success criteria: Adoption of Rust as an official development language by another major OS and browser. Public talks/writing from teams that adopted Rust in these domains describing the value it added from a security perspective.| Blogs on Alex Gaynor
I’ve been a ferocious critic of C, C++, and other memory unsafe languages, and a booster of memory safe languages such as Swift, Go, and particularly Rust. And though I believe there is a more-than-sufficient body of evidence to support the claim that the time to start migrating is now, there are still open questions related to how we migrate systems to memory safe languages more scalably, and how we maximize the safety of code written in these languages.| Blogs on Alex Gaynor
As software engineers, we overwhelmingly focus on the skill of writing code. This is clear from how we teach new programmers, how we interview software engineers for jobs, how we encourage engineers to improve their craft, and the kinds of talks you find at conferences. The lack of emphasis on developing code reading as a skill does people a disservice. Reading code is a distinct skill and practicing software engineers should work to improve this skill.| Blogs on Alex Gaynor
I’m a frequent critic of memory unsafe languages, principally C and C++, and how they induce an exceptional number of security vulnerabilities. My conclusion, based on reviewing evidence from numerous large software projects using C and C++, is that we need to be migrating our industry to memory safe by default languages (such as Rust and Swift). One of the responses I frequently receive is that the problem isn’t C and C++ themselves, developers are simply holding them wrong.| Blogs on Alex Gaynor
It’s no secret that I’m a big believer in the adoption of security keys. I think they provide a strong technical solution to a problem that was previously unsuccessfully solved in user-hostile ways (don’t click on links in your email! look at the URL when entering your password!): security keys are the only second factor which are resilient to credential phishing. They’re also more ergonomic than many other second factors. However, the ecosystem is not without challenges, my goal here...| Blogs on Alex Gaynor
Earlier this week the Google Security Team disclosed a pair of vulnerabilities, known to be exploited in the wild, one in Windows and the other in Chrome. These represent a fairly standard exploit chain: code execution in Chrome’s sandboxed renderer process and then a kernel bug to escape the sandbox and gain privileged code execution. There’s a publicly visible patch for the Chrome bug, however there aren’t a lot of details on the Windows kernel bug.| Blogs on Alex Gaynor
ImageMagick and GraphicsMagick are two popular libraries for manipulating images. GraphicsMagick is a fork of ImageMagick that diverged well over a decade ago. OSS-Fuzz provides continuous fuzzing for high impact open source projects. In December, 2017 Paul Kehrer and I worked to add ImageMagick to Google’s OSS-Fuzz, and in February, 2018 we added GraphicsMagick. Both ImageMagick and GraphicsMagick had been widely fuzzed and audited before this. Hanno Böck 1 observed: “In the past it was...| Blogs on Alex Gaynor
About 3 years ago I wrote about five projects I thought were very important for advancing the state of computer security. Looking back at that old post, I was reasonably pleased to find that all are having real positive impacts and none turned out to be busts. So I decided to take a stab at writing down the things I want to see happen in 2019, in the hopes that the universe will provide a few of them.| Blogs on Alex Gaynor
When we write code, we optimize for many different things. We optimize for writability: how easy it is to write the code in the first place? We optimize for maintainability: how easy it is to make ongoing changes? We optimize for readability: how easy it is to understand what the code does? However, we rarely optimize for auditability: how easy it is to tell if the code has a security vulnerability?| Blogs on Alex Gaynor
Attackers just need one vulnerability, defenders need to be perfect This may be the single most repeated truism in information security. Just this week, a colleague invoked this, with the quip that those of us who’ve chosen defense must be pretty dumb, given the challenge of that task, and the possibility of an easier career in offense. There’s just one problem: it’s not actually true, and it’s harmful to reasoning about information security, particularly for non-practitioners.| Blogs on Alex Gaynor
From 2015 to 2017 I worked for the United States Digital Service, a team within the US Government, created after the launch failure of healthcare.gov, dedicated to improving the government’s ability to use technology. I learned about a lot of different things there: bureaucracy and PowerBuilder, organizational transformation and Classic ASP, to name a few. However this post will instead be about two meta-lessons I learned from my time at USDS.| Blogs on Alex Gaynor
This past week Google’s Project Zero disclosed an unfixed security issue in Microsoft’s Edge browser. This is not the first time Microsoft failed to patch an issue within Project Zero’s disclosure timeline. This produces strong feelings in the information security community, generally in one of three categories: praising Google’s vulnerability research criticizing Microsoft’s response criticizing Google for publicly disclosing the vulnerability before it was patched The debate over ...| Blogs on Alex Gaynor
My day job is working on sandboxing for Firefox. In the context of a browser, sandboxing refers to the processes that run web pages, generally called “content” or “renderer” processes. These are in contrast to the “parent” or “browser” process, which coordinates the content processes and is not sandboxed, so it can do things like write files anywhere on disk to save downloaded files or access the camera. A related computer security technique is exploit mitigation.| Blogs on Alex Gaynor
Heartbleed, POODLE, Shellshock. Giving vulnerabilities names may be controversial, but there’s no doubt it’s effective. These, and many other, vulnerabilities attracted widespread awareness and drove tons of work improving ecosystem security. Heartbleed drew attention to OpenSSL’s small team of maintainers and drove funding and code quality improvements. POODLE led to SSLv3 being disabled on clients and servers nearly overnight. Shellshock directed researchers' attention to bash and res...| Blogs on Alex Gaynor
This week Deputy Attorney General Rod Rosenstein gave two speeches on encryption; one at the U.S. Naval Academy and one at the Global Cyber Security Summit. I recommend you read them, as the remainder of this post will make considerably more sense. I would like to focus on the structure of the second speech. Mr. Rosenstein states that he wants to describe “the scope of the global cybersecurity threat that confronts us” and “the challenges we face in countering the threat”.| Blogs on Alex Gaynor
If you’re a software engineer or work in tech, there’s a decent chance that your first thought after hearing about the Equifax breach was “oh my god, how incompetent do you have to be to get owned like that?” Don’t worry, I had the same reaction. After a few days of introspection and reviewing the evidence, I’ve come to the conclusion that Equifax made one uncommonly disastrous mistake: not upgrading Struts immediately after a remote-code-execution vulnerability was disclosed in i...| Blogs on Alex Gaynor
There’s a lot of different types of work that tend to get put into the bucket “security engineering”. The goal of this post is to describe how I categorize different kinds of work, and why this is useful. At the highest level, security work goes into one of four buckets: Work that prevents us from getting owned. In this bucket are things like fixing bugs as well as fixing root causes so bugs don’t appear.| Blogs on Alex Gaynor
An alternate title for this post would be “Why GPG isn’t ok in 2017”. Imagine you were designing a new encrypted messaging system, what kinds of things would you worry about? You’d want to make sure you were using good encryption algorithms, authentication for senders, a high quality random number generator, maybe you’d spend some time thinking about side channels for things like message length. Unfortunately, if you’re thinking about your protocol in the context of something like...| Blogs on Alex Gaynor
Say you’ve got a website, and because you care about protecting the privacy of your visitors and the integrity of the content you serve to them, your website is served over HTTPS. If your website is particularly high impact, you might be concerned about some other CA misissuing a certificate for your domain; or perhaps you have a very distributed engineering organization and it’s hard to keep track of who is issuing what certs.| Blogs on Alex Gaynor
For a year or so I’ve been running a Chrome extension I wrote, which tracks which origins my Chrome makes the most http:// requests to, in an effort to make my https:// advocacy more data driven. Websites that top this list are disrespectful of my privacy and show no regard for whether bytes make their way to me unmodified. Over the past year, I’ve seen several websites that used to top this list migrate to https://, for example Amazon, Netflix, and the Washington Post.| Blogs on Alex Gaynor
In Richard Feynman’s appendix to the Roger’s Commission report on the Space Shuttle Challenger disaster, one of the issues he describes is a lack of understanding of the term “safety factor” by NASA managers: This is a strange use of the engineer’s term, “safety factor.” If a bridge is built to withstand a certain load without the beams permanently deforming, cracking, or breaking, it may be designed for the materials used to actually stand up under three times the load.| Blogs on Alex Gaynor
In case you haven’t heard, this week Google announced a project called OSS-Fuzz. The basic idea of fuzz testing is take random inputs, throw them at a program, and see if it breaks. The basic idea of OSS-Fuzz is to use buttloads of servers that Google has lying around to do fuzz testing for open source. OSS-Fuzz already has an impressive trophy case of vulnerabilities found, from running over 4 trillion test cases per week.| Blogs on Alex Gaynor
What is threat modeling? Threat modeling is a computer security technique to help defenders (that’s you, I assume) understand their own systems and drive the process of building better defenses. Core to the idea of a threat model is the idea that the things you need to do to protect yourself vary depending on what you’re defending against. Therefore, threat modeling forces you to be explicit about who you’re going to defend against.| Blogs on Alex Gaynor
Before I describe the vulnerability, I want to give huge thanks to Ben Bangert and Alessandro Molina for quickly responding to my report, and to Paul Kehrer for reviewing and confirming my findings. Sessions are a core part of many web applications. Put an opaque identifier (e.g. a UUID) in a cookie, then in your web app find the session in a database of some sort. The session might contain data like the currently logged in user, whatever.| Blogs on Alex Gaynor
If you haven’t heard, Let’s Encrypt is a brand new certificate authority offering free, automated, and trusted HTTPS certificates. It’s extremely exciting. Let’s Encrypt is built on a protocol called “ACME”, which defines a standard HTTP API for a certificate authority. letsencrypt-aws is built on that to easily orchestrate your AWS infrastructure to make sure certificates are automatically issued and kept up to date. You can grab a copy on Github.| Blogs on Alex Gaynor
It's an unfortunate reality, but one of the few things we know about software quality is that lines of code is positively correlated with bugs, or as Notorious B.I.G. would say, "Mo Code Mo Problems". Code review faces a similar challenge: the larger a patch you're reviewing, the less effective your code review is [1]. There's a few reasons for this: The more code you're changing, the more you need to focus on the big picture.| Blogs on Alex Gaynor
Information security is hard. Really hard. But all too often the face of our failure is not cutting edge research with intricate implementation, but rather trivial buffer overflows, databases with plaintext passwords, or binaries named tacos_and_malware.exe. ‘tis a bleak and barren landscape of horrors and awful things untold. That said, amidst our dystopian present, there are a few critically important projects doing great work to push the needle forward on security, and I’d like a momen...| Blogs on Alex Gaynor
I’ve been following along with Rust for quite a while. It’s a pretty neat language which offers the promise of the control (and performance) of C, with unparalleled safety, protecting both against segfaults and against concurrency bugs. I spent the weekend playing with Rust, and the thing that struck me most was not the language itself, but how refreshing the tooling around Rust was. Rust comes with a build and packaging system named Cargo.| Blogs on Alex Gaynor
Security is hard. That’s not a secret. Defenders need to be perfect, attackers only need to find one mistake. That said, there’s a lot you can do to improve your company’s security. User Credentials Store your users' passwords for your site responsibly. This means using PBKDF2 (with high iteration count), bcrypt, or scrypt. There’s no reason for you to use anything else. Offer two factor authentication for your users. If your product is for teams, make it easy for administrators to ch...| Blogs on Alex Gaynor
This blog post is a short list of things you can do, on basically any web project, to improve performance, scalability, and cost. In 2015, a medium sized server (8 cores, 24GB of RAM) is capable of serving hundreds-to-thousands of HTTP requests per second. This post is a guide to making sure you aren’t wasting your resources on things that are already solved problems. All of these assume you have monitoring to track your availability, and metrics to track various aspects of your site’s pe...| Blogs on Alex Gaynor
Fuzzing is a technique in computer testing and security where you generate a bunch of random inputs, and see how some program handles it. For example, if you had a JPEG parser, you might create a bunch of valid images and broken images, and make sure it either parses them or errors out cleanly. In C (and other memory unsafe languages) fuzzing can often be used to discover segfaults, invalid reads, and other potential security issues.| Blogs on Alex Gaynor
Red Hat has a pretty interesting business model, which is offering support for software that is a decade old, and which its maintainers want nothing to do with. This post isn’t about whether maintaining old software is a good or a bad idea. It’s about the effect it has on the community. The Python core developers have ceased providing any support for Python 2.6 as of October 2013, but Red Hat will continue to support it in RHEL 5, until 2020.| Blogs on Alex Gaynor
If I put 10 people in a room and asked them what “DevOps” was all about, I think I’d get 17 different answers. As my colleague David Reid says though, “DevOps is something you do, not something you are.” So what practices are associated with DevOps? Using software to automate operations tasks Using configuration management tools such as Chef and Puppet Treating servers as “cattle not pets” Database as a Service is to Database as Load Balancer as a Service is to Load Balancer as ...| Blogs on Alex Gaynor
22 days ago I became a founding member of the new Digital Service team at the United States Department of Veterans Affairs. We’re a group of developers, designers, and other folks who are passionate about using our technology skills to make a difference. Our goal is to dramatically improve the ability of the VA to use technology to execute on its mission of serving veterans. More broadly, my hope is that our work will demonstrate that all of government is capable of delivering fantastic use...| Blogs on Alex Gaynor
About six weeks ago I blogged about the state of the news and TLS. Spoiler alert, it wasn’t great. Happily, there’s been some good news on this front. First, the New York Times wrote a piece calling for more news websites to expose their content over TLS. While the Times is not yet available over TLS, based on this post I’m hopeful it will happen in 2015. The second major piece of news was the Chrome Security Team’s announcement of their plans to move towards a negative security-indic...| Blogs on Alex Gaynor
Two commissioners resign from the Federal Elections Committee. Though nominations for the FEC are made by the President, traditionally the nominees have been selected by the congressional leadership from both sides of the aisle. Danny Concannon, the White House correspondent for the Washington Post, has obtained a copy of a memo Mandy Hampton, a senior member of President Bartlet’s campaign and now White House staffer, had written while she was working for a Democratic senator who opposed the P...| Blogs on Alex Gaynor
I’ve previously written about the importance of TLS. There are few domains that I can imagine the protections TLS offers are more important for than the news. The idea that articles I read could be manipulated by an attacker on the network is absolutely frightening to me, and the fact that I have no privacy from anyone else on the network with respect to which articles I’m reading is similarly disturbing.| Blogs on Alex Gaynor
About seven months ago, I abruptly quit Twitter. Though I’d been thinking about it for a while, ultimately leaving was a snap decision for me. Lately I’ve been reflecting on why I hate Twitter so much. The obviously uniquely identifying feature of Twitter is the 140 character limit, but I don’t think that’s a sufficient explanation for why Twitter is the way it is. I think Twitter is defined by the fact that it’s about broadcast.| Blogs on Alex Gaynor
Here’s what a day looks like in my ultimate development environment: Get into the office on Monday morning at 9; I’m a big fan of working from an office on a “normal” schedule (it’s not important to me that everyone else do this though). I’ll take a look at the issue tracker, and find the top priority outstanding bug. I like to get started with a bug fix, rather than feature work, I couldn’t tell you why.| Blogs on Alex Gaynor
After three months, Robert Mendoza is confirmed by the Senate as Associate Justice, United States Supreme Court. The President’s nominee for Assistant Attorney General, Civil Rights, wrote an endorsement for a book advocating slavery reparations for African-Americans in the US. This has made several members of the Senate Judiciary Committee upset. We don’t see any of his confirmation hearings, but we’re left with the impression that he’ll get the position.| Blogs on Alex Gaynor
Our episode begins with the First Lady and a 14-year old boy appearing on television to talk about the exploitation of child labor around the world. Then Bernie Dahl, the Chair of the Federal Reserve, passes away suddenly. (In the process of these discussions, it’s confirmed that the economy is still humming along nicely.) The President announces that out of respect for Dahl’s memory, he’s waiting a day to nominate a successor (who is widely reported to be Ron Erlich).| Blogs on Alex Gaynor
The President is taking a trip to Los Angeles! To get his day started right, a bill is introduced into congress to ban gays from serving in the military (we later learn that the West Wing universe presently has a Don’t Ask, Don’t Tell policy). No one seems to take the bill very seriously. There’s also a Senate vote on an ethanol tax credit, it looks like it’s going to be 50-50, which means the Vice President would have to break the tie.| Blogs on Alex Gaynor
Today’s episode contains more behind-the-scenes than usual. That’s because in this episode Josh Lyman speaks at a university, describing his job, anything he shared there I considered fair game. Our story begins with the Secretary of Housing and Urban Development calling a Republican congressman a racist. The President signs a major education bill, and then while taking questions from the press, says that he will ask the Secretary to apologize. Concurrent to this, C.| Blogs on Alex Gaynor
The President is flying back from Stockholm on a Friday evening when the Supreme Court rejects a request for a stay of execution for Simon Cruz, a man convicted of multiple murders. It was expected that the Supreme Court was going to send the case back to the 6th circuit court. The President seeks counsel from the Pope as to whether he should commute Cruz’s sentence. Ultimately, the President does nothing and Simon Cruz is executed.| Blogs on Alex Gaynor
This episode covers “take out the trash day”, a Friday where the White House releases all the news stories that they don’t want to get too much attention (the idea being each of the stories will compete with the others, ensuring none get too much attention). As a result, there’s quite a few items in the public eye, but in the show’s canon, none of them get too much attention.| Blogs on Alex Gaynor
There’s a trend I’ve seen recently where folks will make ridiculous or offensive arguments, and then say “I’m just playing devil’s advocate” as if that means something. Devil’s advocacy is not a license to make ridiculous, incoherent, or illogical arguments. Advocating for the devil means taking a position opposite your usual one. You are still bound by all the same rules of debate and logic, to make a coherent argument. And if all the arguments you find yourself coming up with ...| Blogs on Alex Gaynor
It’s January, and the State of the Union is just a few days away. We learn that the economy is doing pretty well overall, which highlights the fact that the economy has hardly been mentioned thus far. However, the President collapses in the Oval Office, with flu-like symptoms. It’s not totally clear to me whether this would be public or not, but I’ve decided to err on the side of completeness.| Blogs on Alex Gaynor
As a result of Congressman Lillienfield’s claim that one in three White House staffers used drugs, Josh Lyman performed an internal investigation. Now, a group named “Freedom Watch” is subpoenaing senior White House staff to learn about the results of the investigation, pursuant to the Freedom of Information Act. It’s unclear how much of this would be known by the public, but all the facts are at least notionally available.| Blogs on Alex Gaynor
A gay high school senior is killed in an extremely gruesome hate crime in Minnesota. The case garners national attention. The President has a Christmas photo-op with some extremely photogenic seven year olds.| Blogs on Alex Gaynor
Justice Joseph Crouch of the Supreme Court announces that he’s retiring. It’s widely reported that the President will nominate Judge Payton Cabot Harrison III as his replacement. Concurrent to that, Congressman Peter Lillienfield holds a press conference at which he states that one in three White House staffers use recreational drugs on a regular basis. The White House says it’s looking into it. The President nominates Judge Roberto Mendoza for Associate Justice, United States Supreme C...| Blogs on Alex Gaynor
This episode is all about a major banking reform bill in the house. It’s just about to pass, when at the last minute two congresspeople attach a land use rider. The President declares the land in question, Big Sky, Montana, to be a national park and states that he will sign the bill. It seems a bit too cute to ever happen in real life, but frankly, I’m salivating at the idea of a real president slamming the door on an overreaching congress.| Blogs on Alex Gaynor
The White House is holding a state dinner for the President of Indonesia and his wife. During the President’s toast (which I assume is the only public part of the event itself), he whacks Indonesia over the head for their human rights abuses. With that in the foreground, there are a number of events going on in the country that the White House is interacting with, all of them public.| Blogs on Alex Gaynor
Welcome back to “The West Wing Revisited”, where I try to track down what the plots of The West Wing would look like to the general public. First up for this episode, a “mentally unbalanced” woman hops the fence of The White House. Unlike in our present reality, where the Director of the Secret Service just resigned over a similar incident, no one loses their job. Next up, we have a census bill.| Blogs on Alex Gaynor
Last year I wrote about how it was possible to do code review without being a jerk, but I didn’t show you how. Linus and LKML, once again, find themselves in the spotlight, so I thought I would show how it can be done. On a whim today, I clicked on a random message from Linus, here’s what I found: Yeah, this is pure crap. It doesn’t even compile.| Blogs on Alex Gaynor
Returning visitors: notice anything different? No, not the design (although thanks Kenneth Love!). I’m talking about the lock icon! Accessing this website now requires TLS (and a fairly modern client to boot). But Alex, it’s just your blog! There’s nothing confidential on here, why does it need TLS? First, TLS doesn’t just guarantee confidentiality, it also provides authentication and guarantees the integrity of this page. That prevents an attacker on the network from serving you bogu...| Blogs on Alex Gaynor
This episode covers “Big Block of Cheese Day”, where individuals who normally couldn’t get the time of the day from the White House get to meet with senior staffers to pitch their pet issue. This episode shows the viewer that the senior staff are dedicated and hard working public servants, committed to serving the issues. Absolutely none of this episode is public however. How could our real public servants ever compete with the standard set by the fictional ones?| Blogs on Alex Gaynor
This episode follows the White House’s attempt to get a gun control bill through congress. The episode begins with the staff finding out that they’re five votes down, and tracks their attempts to win the votes back. As a result, almost all the political wrangling is invisible to the general public. There’s a few side-plot elements that are public though. First, the Chief of Staff, Leo McGarry, breaks up with his wife.| Blogs on Alex Gaynor
The last episode ended with the Syrian Army downing a US military aircraft carrying more than 50 people. This episode takes place three days later. It’s not clear what’s been said publicly thus far, but based on the President’s crappy demeanor, not much. Most of this episode is behind the scenes on how the President is handling the situation, but there are a few public story lines. First, the President hires a new body man, this might make the news, every once in a while the press in r...| Blogs on Alex Gaynor
Welcome to the second edition of “The West Wing Revisited”. Today’s episode touched on a few different plot lines. First, a prominent Democratic senator agreed to leave Bill 443 in committee, since the White House didn’t like it. It’s never said what the substance of the bill was (my guess is social security or medicare related). In reality it would never become public that it was the White House which put the kibosh on a bill like this, so this would probably be another “Democra...| Blogs on Alex Gaynor
Last year I wrote about why I think it's important to support diversity within our communities, and about some of the work the Ada Initiative does to support this. The reasons I talked about are good, and (sadly) as relevant today as they were then. I'd like to add a few more reasons I care about these issues: I'm tired of wondering if I should recommend a local meetup to a friend: what if a known harasser shows up?| Blogs on Alex Gaynor
(This post contains spoilers) Regular readers of this blog will know, I’m a big Aaron Sorkin fan (If you’re not a regular reader, now would be a good time to get started, there’ll be a quiz at the end). The West Wing, specifically, is one of my favorite television shows. I don’t fit particularly well into the political spectrum, but most folks would say I’m a liberal. As a result, I have a lot of conversations with liberal friends, and they say things like: “I wish Jed Bartlet was...| Blogs on Alex Gaynor
When I was in the third grade my friend Alexander and I invented a math game (where by invented I mean, “I’m unable to precisely track down the origins of this game, so I’m assuming we created it entirely on our own”). In this post I’m going to describe how to play the game, and why I think it was really an excellent tool for teaching several skills. Rules To start with, you need a deck of cards, we used some special math cards where the number of cards with each value were not...| Blogs on Alex Gaynor
This year has been marked, for me, by many many discussions of Python versions. Finally, though, I’ve acquiesced, I’ve seen the light, and I’m doing what many have suggested. I’m taking the first steps: I’m changing my default Python. Yes indeed, my global python is now something different: $ python Python 2.7.6 (32f35069a16d, Jun 06 2014, 20:12:47) [PyPy 2.3.1 with GCC 4.2.1 Compatible Apple LLVM 5.0 (clang-500.2.79)] on darwin Type "help", "copyright", "credits" or "license" for m...| Blogs on Alex Gaynor
I’ve spent just about every single day for the last 6 months doing something with Python 3. Some days it was helping port a library, other days it was helping projects put together their porting strategies, and on others I’ve written prose on the subject. At this point, I am very very bored of talking about porting, and about the health of our ecosystem. Most of all, I’m exhausted, particularly from arguing about whether or not the process is going well.| Blogs on Alex Gaynor
If you’ve been around an Open Source community for any length of time, you’ve probably heard someone say, “We’re all volunteers here”. Often this is given as an explanation for why some feature hasn’t been implemented, why a release has been delayed, and in general, why something hasn’t happened. I think when we say these things (and I’ve said them as much as anyone), often we’re being dishonest. Almost always it’s not a question of an absolute availability of resources, b...| Blogs on Alex Gaynor
This year was my 7th PyCon, I’ve been to every one since 2008. The most consistent trend in my attendance has been that over the years, I’ve gone to fewer and fewer talks, and spent more and more time volunteering. As a result, I can’t tell you what the best talks to watch are (though I recommend watching absolutely anything that sounds interesting online). Nonetheless, I wanted to write down the two defining events at PyCon for me.| Blogs on Alex Gaynor
When I was younger, I started watching the TV show House M.D., and I really liked it. At some point my mom asked me if I was more sarcastic since I started watching the show. I said of course not, I’ve always been extremely sarcastic. I was wrong. Watching House made being sarcastic cool. Using Twitter makes being snarky and not putting thought into things cool. So I’m quitting Twitter. I’m already snarky and not-thoughtful enough, I don’t need something to incentivize it for me.| Blogs on Alex Gaynor
People who follow me on twitter or github have probably noticed over the past six months or so: I've been talking about, and working on, cryptography a lot. Before this I had basically zero crypto experience. Not a lot of programmers know about cryptography, and many of us (myself included) are frankly a bit scared of it. So how did this happen? At first it was simple: PyCrypto (probably the most used cryptographic library for Python) didn't work on PyPy, and I needed to perform some simple c...| Blogs on Alex Gaynor
In the unlikely event you’re both reading my blog, and have not heard of Travis CI, it’s a CI service which specifically targets open source projects. It integrates nicely with Github, and is generally a pleasure to work with. I think it’s particularly valuable for the Python community, because it makes it easy to test against a variety of Pythons, which maybe you don’t have at your fingertips on your own machine, such as Python 3 or PyPy (Editor’s note: Why aren’t you using PyPy ...| Blogs on Alex Gaynor
For the past few weeks, I’ve been spending a bunch of time on a side project, which is to get better insight into who uses packages from PyPI. I don’t mean what people, I mean what systems: how many users are on Windows, how many still use Python 2.5, do people install with pip or easy_install, questions like these; which come up all the time for open source projects. Unfortunately until now there’s been basically no way to get this data.| Blogs on Alex Gaynor
Introduction to Memory Unsafety for VPs of Engineering| alexgaynor.net
What science can tell us about C and C++'s security| alexgaynor.net
CSVs: The good, the bad, and the ugly| alexgaynor.net
On Safety Critical Software| alexgaynor.net
Don't have environments| alexgaynor.net
Looking for work| alexgaynor.net
Telemetry for Open Source| alexgaynor.net
Buffers on the edge: Python and Rust| alexgaynor.net