Posts

Showing posts from 2025

Opengrep quickstart

Since I could not find a quickstart to run opengrep with the full set of rules from their fork, I thought I'd document what I found out.

Setup
Download the opengrep binary from GitHub and make it executable with chmod +x. Clone the rules repo:
  git clone git@github.com:opengrep/opengrep-rules.git
and clean it up so that opengrep can consume it (strip the repository metadata and CI config, drop the elixir and apex directories, and delete everything that is not a rule file):
  cd opengrep-rules
  rm -rf .git .github .pre-commit-config.yaml elixir apex
  find . -type f -not -iname "*.yaml" -delete
Ensure opengrep can load the rules with:
  opengrep_manylinux_x86 validate .
The same can be done for custom rules maintained in a separate repository. AFAIU multiple repositories can be specified by repeating the -f option as needed, see below. We are now ready to scan a repo; from the repo root directory run:
  opengrep_manylinux_x86 scan \
    -f <path_to>/opengrep-rules \
    --error \
    --exclude-rule=VAL some ti...
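The cleanup step above, turned into a reusable script. This is an added example, not code from the original post or from the opengrep project. It assumes the rules repo has already been cloned into the directory passed as the first argument, and that the binary is on PATH under the assumed name opengrep (set OPENGREP=opengrep_manylinux_x86 to use the name from the post); the validation step is skipped, not failed, when no binary is found, so the pruning can be done on a machine without the scanner installed.

```shell
# Added example: prepare a clone of opengrep-rules so that
# `opengrep validate` / `opengrep scan -f` can load it.
# Assumptions: $1 is an existing clone of the rules repo; the binary name
# defaults to "opengrep" (override with the OPENGREP environment variable).
set -eu

OPENGREP="${OPENGREP:-opengrep}"

# Remove everything that is not a rule file: repo metadata, CI/hook config,
# the elixir and apex directories the post drops, and every non-YAML file
# (README, tests, fixtures) that would otherwise be picked up via -f.
prepare_rules_dir() {
  dir="$1"
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
  rm -rf "$dir/.git" "$dir/.github" "$dir/.pre-commit-config.yaml" \
         "$dir/elixir" "$dir/apex"
  find "$dir" -type f -not -iname '*.yaml' -delete
  # Directories that only held fixtures are now empty; drop them too.
  find "$dir" -mindepth 1 -type d -empty -delete
}

# Number of rule files that survived the pruning (sanity check before scanning).
count_rules() {
  find "$1" -type f -iname '*.yaml' | wc -l | tr -d ' '
}

# Run `opengrep validate` on the pruned directory if the binary is available.
validate_rules_dir() {
  dir="$1"
  if command -v "$OPENGREP" >/dev/null 2>&1; then
    "$OPENGREP" validate "$dir"
  else
    echo "opengrep binary '$OPENGREP' not found; skipping validate" >&2
  fi
}

# Usage (assumed paths):
#   prepare_rules_dir ~/src/opengrep-rules
#   echo "$(count_rules ~/src/opengrep-rules) rules ready"
#   validate_rules_dir ~/src/opengrep-rules
#   opengrep scan -f ~/src/opengrep-rules --error .   # --error: non-zero exit on findings
```

Running the scan with --error makes the exit status non-zero whenever findings are reported, which is what you want when the scan gates a CI pipeline.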

1/4/2000 to 1/4/2025: the beginning

Today, April 1st 2025, marks the 25-year anniversary (quarter of a century sounds more impressive, doesn't it?) of working professionally in ICT. My first working day as an ICT professional was on April 1st 2000. I had just graduated from uni (literally the week before) and one of the profs offered me a position at this company. The daily commute over bus and train was about one hour and a half, but I got to work on something really fancy: writing a c-shell script to daily sync data over ftp from an Oracle 7 database running on AIX (looked a lot like this one ) to a Bull mainframe. Development happened from a Windows NT4 workstation over telnet (I think). c-shell was a b1tch to work with and vim wasn't available (only vi IIRC) so my productivity wasn't great, but I got it done and it ran until one of the two systems (AIX) was eventually decommissioned. The AIX system might still be in the basement at my $OLDJOB. After that I moved on to more interesting e...

Words matter: stewardship over ownership

Came across this interesting article by Nicole Tietz-Sokolskaya on sw ownership vs stewardship (think of the GitHub codeowners feature) and I love how it explains why stewardship is a much better term to use in this context: Owners are concerned with the value of what they own. Stewards are concerned with how well it can serve the group. And this makes all the difference in producing better outcomes.

Coding with Cursor - 🤯

TL;DR: impressive 🤯 I wanted to play with D3 to create a visualization, so I picked an example ( Bubble chart) and then started hacking at it (literally) in VS Code. Before long, I realized I had just downloaded Cursor , but had not had an occasion to try it out. I thought this might be as good an occasion as any. Opened the project folder and its one HTML file, then started prompting away. It got all the modifications right:
- add axis labels
- add labels to the bubbles
- change the tooltip to show all the data of the particular record; one of the attributes is confidence and goes from 0 to 1: Cursor guessed it is a percent and formatted it as such!
- add a line showing the break-even point
Cursor edited the file for me, and I just had to accept the change, save, reload in the browser. Made some tweaks myself where it was simple enough. Much better than copying and pasting in the chat. Where it blew my mind was when I resized the chart and added a section below which I titled "Explanation:" ....

Thank you very much. We appreciate it. A$$?ole.

I recently added Acquired to my go-to podcast short list and picked the Enron story from 2022. The story comes out hot on the heels of the FTX scandal/tragedy/fraud because of their similarities (and why the regulation that came after it helped prevent other Enrons). It's a long episode (1h 50m) but it's narrated so well and the story is so riveting that I didn't even notice. There's this passage that I found interesting about half-measures and how they can and will be gamed (emphasis mine):

DNS-based malware protection: Quad9

Many moons ago I was an enthusiastic user of OpenDNS (when it still was a standalone company), then between one move and the other I forgot to enable it again and found Google/Cloudflare to be equally capable and fast. However I always missed the protection capabilities of OpenDNS, and today I spent some time looking for alternatives. That's how I came across Quad9 : an open DNS recursive service for free security and high privacy. Importantly: Quad9 is operated by a Swiss public-benefit, not-for-profit foundation with the purpose of improving the privacy and cybersecurity of Internet users. Quad9 is headquartered in Zürich and is subject to Swiss privacy law (the Swiss government extends that protection of the law to Quad9's users throughout the world, regardless of citizenship or country of residence). I enabled Quad9 on my home router and then proceeded to test it. But first I had to find a malicious url, which funnily enough is harder than I thought :D Quad9 does not support ...

Problem-solution firewall

In his book Clear Thinking , Shane Parrish explains how to avoid finding the perfect solution to the wrong problem: have two meetings, one to define the problem and another to find the solution(s). At least to me, it seems immediately apparent how a well conducted post-mortem facilitates exactly that. In the first phase we gather the data, establish facts and timeline. Once that is written down (emphasis on written!) we can start exploring solutions to prevent, detect and/or mitigate. At the same time, what we're achieving is slowification (i.e.: taking work outside of the normal flow and making time to analyze it), which is another critical step towards continuous improvement. It's a simple process, but not an easy one.

Deepest motivation: Ikigai

Came across this inspiring post by Psych Safety on Ikigai last week, and I immediately felt I had to save it here, if only for the sake of better internalising it by writing about it. The post immediately resonated with me because it captures exactly how I felt, many moons ago, when I came across the Internet, around 1996. I felt that the internet, with its rebel, distributed architecture, would change the world, and for the better. I wanted to be a part of it because I thought I would be good at it, I would enjoy it and I could earn an income at the same time. 25 years later I still find that it's the same combination of things that motivates me the most deeply and ultimately allows me to be effective: Am I good at this (or willing to improve)? Does this benefit others and have a positive impact on the world? Will this help me make a living (or am I consciously choosing to do it for free)? Does it feel good? Do I love it? If I had to point at something that I feel is missing ...

Brain dump on LLMs and sw development

In the past years we've heard all kinds of statements on LLMs and sw development: from AI will replace developers to AI lowers code quality . I think it's a bit of both, and the reality most organizations will face is that they'll need BOTH humans and AI. The optimistically proclaimed cost savings from replacing humans with AI will most likely not materialize in the long term. By following Simon Willison's blog in the past two years, I came to the conclusion that the most effective humans are those that can bend and craft their own AI tools and are willing to go to the extreme extent of completely reworking their coding workflow to suit this new technology . For example, see Harper Reed's LLM workflow or Simon Willison's own setup . Everybody else who's "just" relying on the IDE integration of chat will reap limited benefits, because this approach is tailored for the human and not the LLM. I would also argue that platform, integration and helpdesk/sup...

Admonition to myself

Most people quit before they reach their best work. Excellence lives in doing a bit more than others. From:  https://fs.blog/brain-food/february-16-2025/  

Altavista

From: https://www.abortretry.fail/p/work-at-the-mill On the 15th of December in 1995, DEC made the AltaVista search engine publicly accessible on the World Wide Web. The search engine ran on two machines named Scooter and Turbo Vista. Scooter had a 20GB hard disk and 1GB of RAM and it did the page fetching/crawling while Turbo Vista had a 250GB hard disk and 2GB of RAM and handled the index and web serving. Naturally, these were both Alpha machines. The company took advantage of its head count to test the system with 10,000 employees trying it out prior to launch. While the minicomputer and workstation company might seem out of place on the Web, Digital had registered dec.com in 1985 and digital.com in 1993. Let us not forget, DEC's wonderful hardware had even powered many of the earliest networks that comprised the early internet. AltaVista was a success. The site had approximately 300,000 hits on its first day of public availability; by the end of the year, the count had grown to 19...

Cheapest way to improve developer productivity

Dirt cheap and easy, just two things:
- give them the best IDE you can afford
- a large screen display (27" or above)

Reverse Improvement

Via: https://changelog.com/news/131 Bill Maher is new to me, and in a bit over 8 minutes he just became my favorite satirist. In a new segment called New Rule, Bill Maher lamented the shitty status of technology-driven forced improvement which, I'm the first to admit, a lot of times does not make our lives materially better. He gives the examples of streaming services which drive the user experience back to where we were 20 years ago (or worse), disappearing car handles and apps to do everything. As a European I can't really relate to the car valet experience, but I do find infuriating the growing number of restaurants forcing me to scan a QR code, register with my email, and then squint at my phone screen trying to decide what to order. Bring paper menus back 😠 It's a well worth watching 8 minutes. Especially if you work in the field. The lack of ethics in our field is really showing, and TBH I think we got away easily in this critique. It could have gotten much worse...

Playbook: turning around a software engineering team

A note-to-self kind of post on a playbook for turning around a struggling sw engineering team.
Core principles
- always behave trustworthily
- slow down and make time to address problems
- do you have the right people?
- if you can't get consensus, seek consent
Foundational engineering best practices
With regards to engineering best practices, the following are foundational and should be part of the execution somewhere between steps 4 and 8 of the playbook:
- trunk-based development
- continuous integration
- no separate tester or devops team (this can be relaxed after the team begins performing), seek out a stream-aligned team instead
- SCRUM with its process is useful to align the team and at least one main stakeholder
- automate as much as you can, especially the parts that come up often for discussion; one obvious but often overlooked example is customized coding styles (use the consent-over-consensus principle to reach a decision)
If the team resists them or does not make progress, then see the...

Quasi-code with Apache Camel

Debating whether to go no-code but worried about unclear licensing, the dreadful we-need-to-rewrite-it drama down the road, or django/rails/spring boot and their relatively higher upfront cost? There's a third way: quasi-code with Apache Camel . It still amazes me how few people know about the swiss-army knife of integrations.

LLMs (might) make it easier to port code away from CUDA

I was reading this interesting analysis by Simon Willison on Nvidia's competition (as usual, his blog should be in your feed) and this bit caught my attention (emphasis mine): Technologies like MLX, Triton and JAX are undermining the CUDA advantage by making it easier for ML developers to target multiple backends - plus LLMs themselves are getting capable enough to help port things to alternative architectures . I found it curious that the very same thing that's been fueling Nvidia's success could also help reduce/eliminate their moat.

A definition of Culture Problem

When you have, when your engineers know what the right answer is, but they also feel that the right answer is culturally unobtainable, you have a cultural problem. Bryan Cantrill on Intel after Gelsinger @ 33:22

Quoting Dr. Jim Loehr: Engagement = Time x Energy

Another golden nugget from The Knowledge Project podcast, in the episode Dr. Jim Loehr: Change The Stories You Tell Yourself [The Knowledge Project Ep. #193] : time only has value in its intersection with energy, or how I have it memorized: time has no value without energy . And how I picture it: one hour on the couch does not have the same value as one hour studying or exercising. And this becomes even more important when we consider our relationship with others. Dr. Jim Loehr continues (emphasis mine): Well, I will tell you, time has no value, has no valence, has no force. Until time intersects with energy, you really have nothing." I mean, you're just there. You can be present with your family, but because you're there, is that going to move the needle toward being a loving, caring mother or father? And the fact is no; you're going to have to invest energy aligned with the mission. Time doesn't give you anything except the opportunity to make the investment of the one thing that moves the...

A note to self: good process/bad process

John Cutler has been posting some supremely interesting content on LinkedIn recently, and I felt I had to save it somewhere for finding it more easily later. This one is about attributes of good and bad process:
Good Process
- Encourages mindfulness.
- Flexible to local concerns.
- Adaptable, frequently challenged/improved.
- Mostly "pulled" because it is valuable.
- Core principles understood.
- Encourages conversations/collaboration.
- Co-created/designed with "users."
- Value to all participants.
- Increases confidence in outcomes.
- Distilled to core "job" (lightweight).
- Achieves desired consistency with minimal impact on resiliency.
- Improves global outcomes.
- Delivers value to end-customers.
- Guide/tool/navigate/remind.
- Enhances trust/safety.
Bad Process
- Encourages mindlessness.
- Inflexible to local concerns.
- Set in stone. "Just because..."
- Mostly "pushed" onto participants.
- Automatic/forced adherence.
- Reduces quality/quantity of conversations.
- Desi...

Things will get worse before they get better, or why most process improvement fails

One of the things I always tell those who come seeking advice on a process improvement is the following: prepare for the inevitable downturn: things will get better in the short term, but then something bad will happen and things will get much worse than they are now. This is ok, and totally expected. Be prepared for it, know that the only way forward is through, and then things will really get better. Then I usually draw this curve in the air with my hands: Most people stop at the first downturn, and that's why most process improvements fail. Enough failures and people stop believing in any improvement at all, creating a death spiral. Another way to look at this is described in Gary Gruver's book A Practical Approach to Large-Scale Agile Development : [...] after you have chosen an approach you don't need to worry about getting the advantages of that design because it will come naturally. Where you need to provide management focus is on addressing the dis...

Buffett on bad news

Besides Entropy , the Buffett/Munger duo is another rabbit hole I find myself going down often in these last days of the Xmas break. I liked this quote in particular: We can handle bad news, but we don't like it late

On Entropy

Technical Debt is Entropy In Software (via lobste.rs ) made me run down a rabbit hole of Entropy/Second Law of Thermodynamics. Youtube is full of videos on the topic. This one by Sabine Hossenfelder is one of the clearest and most practical explanations I found so far. Another one is this interview with Stephen Wolfram .