The Changelog: Software Development, Open Source - A different kind of rug pull (Friends)

Episode Date: July 5, 2024

Adam & Jerod discuss the news! But first, we discuss how you can keep up with the software world (good question, Tyler Boyd!) On the docket: Developer job postings trend, the Ladybird Browser Initiative, the Polyfill.js supply chain attack & is the future self-hosted?

Transcript
Starting point is 00:00:00 Finally it's time for change loggin' friends, with Adam and Jerod and some other rando. We hope that you love it and stay until the end. We're not offended if you can't go. We know you're probably busy coding, and your deadline is pretty foreboding. Your caffeine intake is an actual problem, so why don't we walk outside, and we can listen to the change-logging friends. From Adam and Jerry in Silicon Valley. We know one day the gag will come to an end, but honestly that will probably be our finale. What's up friends.
Starting point is 00:00:51 I'm here with a new friend of mine, Jasmine Cassis, product manager at Sentry. She's been doing some amazing work. Her and her teams over many years being at Sentry and her latest thing is just awesome. User feedback. You can now enable a widget on the front end of your website powered by Sentry that captures user feedback. Jasmine, tell me about this feature. Well, I'm Jasmine. I am a product manager at Sentry and I'm approaching my three-year anniversary, so I've spent a lot of time here. I work on various different customer-facing products. More recently I've been focused on this user feedback widget feature but I've also worked on session replay in our dashboards product
Starting point is 00:01:36 with user feedback. I am particularly excited about that. We launched that a few weeks ago. Essentially what it allows you to do is it makes it very easy to connect the developer to the end user, your customer. So you can immediately hear from your basically who you're building for, for your audience. And you can get basically have a good understanding of a wide range of bugs. So Sentry automatically detects things like performance problems and exceptions. But there are other bugs that can happen on your website, such as broken links or a typo or permission problem. And that is where the user feedback widget comes in and it captures that additional 20 percent of bugs that may not be automatically captured. I think that's why it's so special. And what takes it a step level above these other feedback tools and these support tools that you see is that when you get those
Starting point is 00:02:29 feedback messages, they're connected to Sentry's rich debugging context and telemetry. Because often I've seen it myself, I read a lot of user feedback, messages are cryptic, they're not descriptive enough to really understand the problem the user is facing. So what's great about user feedback is we connect it to our replay product, which essentially basically shows what the user was doing at that moment in time, right before reporting that bug. And we also connect it to things such as screenshots. So we created the capability for a user to upload a screenshot so they could highlight something specific on the page that they're referring to.
Starting point is 00:03:06 So it kind of removes the guesswork for what exactly is this feedback submission or bug report referring to. Now, I don't know about you, but I have wanted something like this on the front end pretty much since forever. And the fact that it ties into session replay, ties into all your tracing, ties into all of the things that Sentry does
Starting point is 00:03:23 to make you a better developer and to make your application more performant and amazing. It's just amazing. You can learn more by going to Sentry.io. That's S-E-N-T-R-Y.io. And when you get there, go to the product tab and click on user feedback. That will take you to the landing page for user feedback. Dive in, learn all you can. Use our code changelog to get 100 bucks off a team plan for free. Now, what she didn't mention was that user feedback is given to everyone. So if you have a Sentry account, you have user feedback.
Starting point is 00:04:03 So go and use it. If you're already a user, go and get it on your front end. And if you're not a user, well then, hey, use the code changelog, get a hundred bucks off a team plan for three-ish months, almost four months. Once again, Sentry.io. We bet you sling A1s and 0s And that makes you one of our heroes Your list of to-dos will be waiting for you So why don't we walk outside And we can listen to
Starting point is 00:04:40 ChangeLogging Friends, with Adam and Jerod and people you know. ChangeLogging Friends, let's get back into the flow. ChangeLogging Friends, ChangeLogging Friends, it's your favorite ever show. Favorite ever show. All right, let's start here. So we are here to discuss the news, not cover the news, but talk about it. What's up, Adam? How are you, man?
Starting point is 00:05:09 So good. So much happening out there. I feel like so much, but yet so little. Way too much. A lot going on, but how much of it actually matters? Well, I'm paying less attention to AI hype, that's for sure. Yeah. I'm AI hyped out. However... Thank you. You joined me.
Starting point is 00:05:24 I've been hyped out for a little bit here. I'm still using it, so internally, lots of hype, you know, lots of excitement about using. Lots of internal hype. Oh yeah, I mean, I use it on the daily, but I've actually had a couple conversations, at least one conversation recently, that's actually a pretty good use of AI for developers. They're not sponsoring us yet, so I'm not going to mention their name, but when they do, I will tell you.
Starting point is 00:05:51 Until then, they might sponsor the newsletter, let's say in August. We'll see. Okay, so stay tuned. Until then. Perhaps. Perhaps. Well, you know, the old BMC theme song
Starting point is 00:06:02 says Adam and Jerod and some other rando, but today it's falsified. Just the two of us. Just the two of us digging in. Digging in. Let's dig into some stuff. to listener Tyler Boyd, who put in an episode request May 15th about the news, not our news show, but how to actually stay updated in our tech world. That was the title of his request. And he says this,
Starting point is 00:06:36 I find that most of these tech blog sites have so many tutorials and random stuff, which is awesome, but outside of listening to the ChangeLog and a few other podcasts, I'm struggling to actually stay up to date with what's going on in tech, and does it even matter if I do?
Starting point is 00:06:56 Yeah, the last part is... Which I think is an interesting question, right? It's a punch in the gut. Does it even matter if I do? Not to me, but I think just generally. Oh, I thought I punched you in the gut. I mean, I can get how that would land. But what I find, Jerod, and I realized this not literally last night,
Starting point is 00:07:12 but I had a slight aha moment last night. There's a YouTuber, I think he goes by the name of BeatEmUps. Do you know this guy by any chance? BeatEmUps? BeatEmUps. I do not know beat him ups. I believe he is Australian. I believe he is in the United States.
Starting point is 00:07:30 I believe he was living in Pennsylvania. I think he recently moved to Austin, but I think he's actually suffered some from some burnout because he works a lot. Like he's like a creator. Like he would be what I would consider a content creator. Like if your life is constantly creating content, you're even, identity-wise, a content creator. Right. Okay. And what I realized was that if I'm trying to... I'm a gamer by, I suppose, association. I'm not like a hardcore gamer. I'm a
Starting point is 00:08:00 nostalgic gamer. You don't actually play video games, right? Right. I am not on the edge of the game world. However, I enjoy games. Sure. And I find that my kids are actually getting better at games than I am. We've been playing Sonic on Nintendo Switch. I'm getting to the point. Trust me. Okay. And I'm realizing like, wow, there's so much faster
Starting point is 00:08:19 thinking or whatever. Fast Twitch muscles. Yeah. Yeah. And they're beating me. But then I realized when we had dinner, I was telling my wife, I'm like, you know, when we buy these video games for these kids, I always, our source is go to this beat-em-ups guy because he has a great opinion.
Starting point is 00:08:38 So he's a video game-oriented content creator. Right. And if I'm going to buy a new game for the kids, I want to kind of sift it through his lens. And I think what Tyler might be pointing to is that
Starting point is 00:08:50 the blogs, and this is the point, the blogs that just have tutorials and random stuff are not opinions. They're just sort of facts. Right?
Starting point is 00:09:01 How to get to here. How to go there. And maybe the tutorials sprinkle with some opinion, but I think that what you find here is hard opinions that are scrutinized, that it's waypoints to the future rather than a blueprint to today's software necessarily. I think it's where we're going. And this, the reason I shared that story, was that I realized that I value that person's opinion a lot. How does this person
Starting point is 00:09:30 look at the new Zelda game or the new Donkey Kong game or the new even the latest Mario Wonder. That was an interesting game that came out and I'm like, I want to kind of hear this guy's opinion before I go and buy this game. Because I may or may not buy it, not necessarily because of his opinion but I do value it and so
Starting point is 00:09:50 I feel the same thing that Tyler's feeling is like, how do you actually keep up with what's going on? And I think we need more... we've called ourselves tastemakers. That's a synonym to curator. But, you know, that's where I'm going. I tend to agree with you. I think that it's a lot easier to find a few trustworthy tastemakers that you jive with than it is to keep up with everything yourself. Because there's just so much. Whether it's in tech, in video games, in music, in culture, in science,
Starting point is 00:10:26 whatever you happen to traffic in, I don't think you have to keep up all that much. I agree. That's one of the things that I've said many times around these parts is that we cover what's going on in the world of software, but it's not like everything we cover is then like adopted and used and leveraged. And a lot of stuff is just like, well,
Starting point is 00:10:48 now I know that I kind of have my finger on the pulse or my thumb. I'm not sure which one's better to put on the pulse, but I think your thumb has its own pulse. And so you shouldn't use it. So you should use your fingers. I am not a doctor. Your pointer, I believe is what you use.
Starting point is 00:11:01 Your first two fingers is what you use for pulse checking. That's right. Because your thumb actually has its own little heartbeat in there, I think. I think there's something with latency, too, with the beat between the two fingers, because it travels down the vein. Your index finger is faster than your thumb is. I learned this because I volunteer at the homeschool track meet, and they have us doing the timers, and it comes down to the millisecond sometimes
Starting point is 00:11:24 on these close races, and they say, if you use your thumb to start the timer, it's going to be a half beat slower than if you use your index finger. It's just faster. Really? No, they just told me that. I didn't fact check it. I just believed it. It is your trigger finger too, so that might be totally accurate. That's true. And I got an itchy trigger finger, especially when I'm timing. It's not called the thumb finger, it's called the trigger finger. Or a trigger thumb. The thumb is necessary, though. For the, you know,
Starting point is 00:11:48 the opposable thumbs is what makes us, you know, as good as we are as humans. Just amazing. Yeah. Anyways, back to the topic. So, finding curators and finding tastemakers
Starting point is 00:11:57 and letting them keep up for you. I mean, that's kind of what we do with news. It's what we've done for a very long time. Obviously, Tyler's plugged into the changelog already,
Starting point is 00:12:05 so we're not here to promote what we do necessarily. Everyone who's listening to this already has found us and is at least listening to a little bit of what we're up to. But find more people like that in different niches and then let them do that work and support them and what they're doing, and that way you don't have to. It's so much easier than keeping up yourself. Now, of course, you still want to make your own informed opinions
Starting point is 00:12:30 about stuff. So sometimes when you find a new thing, you have to look into it. And maybe Jerod thought it was interesting, but he didn't really dive into it. And you're thinking, wow, maybe this is worth diving further into. And so you go do your own follow-up and stuff like that. But I don't know. I think that you can also do that with individual blogs. I mean, that's a lot of what I do is I just read individual engineering blogs. And I find the stuff that I think is interesting and I pull the thread.
Starting point is 00:12:58 And I think that that's manageable for folks via RSS and not having to check it daily or hourly as we do with other things that we think are important, like the Hacker News homepage. You pretty much don't have to go to the Hacker News homepage, and you'll be just fine. Let the Hacker Newsletter come to you once a week and see the best stories, for instance, which that's a great aggregator of the top stories on Hacker News throughout the week. And then you just get it once on the weekend
Starting point is 00:13:27 and you can just scan that real quick and be relatively up to date in that way. Same thing with Peter Cooper's newsletters. If you're in Go, GoLang Weekly. If you're into JavaScript, JavaScript Weekly. He does a great job and has for many years. How long has Peter been putting out those weeklies? 15 years.
Starting point is 00:13:47 Longer than we have with regard to the newsletter. Was it really longer? With newsletters it was, yeah. 100%. I think we were, like the original inception was similarly dated. I think around 2009 is my guess. Not weekly. If it's before that, like I know he's been doing stuff,
Starting point is 00:14:03 but I don't know if he's been doing the weekly newsletters. Changelog Weekly definitely goes after him, doesn't it? No, I know that. I'm not suggesting that's not true. I'm not talking about a podcast. I'm talking about newsletters. Me too. Yeah.
Starting point is 00:14:13 Yeah. Oh, so you're talking about a different newsletter we used to do? No, I don't think, well, we didn't start weekly until 2013. That's my point. Right. So I think 2009 is our real birth date. So I don't think it was, I don't think he began before 2009. But we're talking newsletters, not podcasts.
Starting point is 00:14:30 He was certainly playing the newsletter game before we were. I'm not arguing against that. I'm just saying like. Oh, what are you arguing? I'm not sure what you're arguing. No, I'm not arguing at all. Oh, okay. I was just trying to think like, was it, does it predate us generally?
Starting point is 00:14:43 Not us in terms of similarity. When we began in 2009, 2010 range, was he doing newsletters then? Because if that's the case, then... I do know that Ruby Weekly was his first newsletter. Right. And if we can find Ruby Weekly issue one. Let's do that. Let's do that.
Starting point is 00:15:03 I was using our birth date and age as a proxy. 15 years. He's on issue 709 of that particular one. Issue one. Oh, no. It redirects.
Starting point is 00:15:13 Come on, Peter. Maybe it's 001. Maybe there's... Is it 709? He's on 709. And I'm trying to URL hack and just go back
Starting point is 00:15:23 to issue number one. Just based on the fact that there's 52 weeks in a year, that maps to like 13 and a half years. And then you add breaks and stuff because he takes some time off. He's from London and those Brits, they like their vacations, their holidays as they call them.
Starting point is 00:15:38 Yeah, so 15 years. Point being, he's been doing weekly newsletters. So long, yes. For so long. He's so good at it. I subscribe to many of his, especially I read JavaScript Weekly. And I check Golang Weekly when I'm trying to help the GoTime folks find interesting stuff to talk about.
Starting point is 00:15:55 So that's an option. Newsletters, curators, you know. I would say don't worry about it too much. If you're listening to the changelog, you're already kind of plugged in, right? I think so, honestly. I mean, like you said, I don't think we cover the entire software world. No. Which does not upset me.
Starting point is 00:16:11 But I think we cover enough to give you the required pulse, the required dip in, thread pull. Should I go further myself? Does this spark my curiosity? Are there others piling on? You know, is there a proxy to leverage? Yeah. And I think the only challenge is choosing the wrong,
Starting point is 00:16:35 I don't want to say content creators, I really don't, but choosing the right opinion makers, I suppose, when you have a bubble by proxy. Because you're kind of getting your opinion and your waypoints by proxy, obviously. And if you, I suppose that's a job of us too, right? And I think we do this well, is point to others that are not us.
Starting point is 00:16:58 I think that's kind of what we do a lot. We're really outwardly facing, far more than we're inwardly facing. I mean, aside from this podcast episode here, they're not coming here necessarily for you and I to sit down to go through the stuff. We do that a small handful of times throughout the year where it's just you and I solo. And I enjoy those times too. I enjoy just having fun conversations with you. The one on 1999 at Build was so random.
Starting point is 00:17:24 But I look back on that with like fond memories, like, wow, there was some aha moments on both sides, where we... I didn't recognize and realize, as much of a movie buff as I am, how much in '99 was published, and then you with Johnny Cash and Hurt. Like, you know, there was two, two major revelations there. You know, I think that was kind of cool. Yeah. We both learned something that day and it was, and a good time was had by all. And by all, I mean, by both of us. That's right.
Starting point is 00:17:53 If anybody else liked that episode, it was only for plus plus people. So, you know, small audience and that was fun too. Well, let's go through the stuff then. So hopefully Tyler, I don't know if that helped you out at all, but episode requests are cool, and we like to service our listeners directly, if possible, by the way, to you listening. If you do want to request an episode, whether it's an interview or a friend's episode or a JS party, whatever,
Starting point is 00:18:19 changelog.com slash request. You can select the podcast that you want the show to be on, and then you can give a guest. You can give a topic. You can fill out the form and let us know. We read every one. We don't make every episode, but we read them all. So what's been going on lately?
Starting point is 00:18:36 Well, first of all, this is the July 4th week here in the United States, and so it's the peak of summer, holiday times. So hot. And yet there's still a lot going on. I think we should start with some, should we start with the scary thing that I put in news on Monday? The bell curve? Yeah, the bell curve.
Starting point is 00:18:55 I say let's go there because I really appreciate, personally, and enjoy Mondays for Changelog News. Okay. And I like how you include... this is chapter data. That's so cool, that even while I'm in my truck driving, listening, because I literally was going somewhere and it was about an eight minute trip, and I was like, sweet, I can get news in. Perfect timing. Yeah, there you go. I was like you, I can compartmentalize. I can get my fix. And there I'm driving. And thankfully, my Apple Play system supports the data that comes through. So I got the image on my heads-up display kind of thing. On your dash.
Starting point is 00:19:34 Isn't that cool? So cool. Yeah. So, I mean, let's pause for chapters and just, like, do an applause. Right, right. These chapters are awesome. Insert applause break right here. Cheeky!
Starting point is 00:19:43 Do you like my subtle digs at people who use podcast apps that don't have chapters? I'm always like, if your podcast app supports chapters, I tell them how much better of an experience they're having. And for everybody else, I described it. What this is is a chart which comes out of the Federal Reserve Bank of St. Louis. I'm not sure why they in particular have this information, but they do. And this made the rounds this week.
Starting point is 00:20:09 A chart from 2020 up until current times, I mean May of 24. The software development job postings on Indeed in the United States. And like you said, Adam, it's a bell curve. And it peaked mid-2020 really high, and it has then precipitously declined back down. And so we're trending down in software development job postings, on Indeed in the US, but probably a nice proxy for what's going on in the software world. And so that's
Starting point is 00:20:43 bad. Are we at the lowest ever? It's right down there near lows of these last five years. And so this has a lot of people kind of up in arms wondering what's going on. Is this the new normal? They said, you know, COVID was the new normal. Turns out that was not. It was an anomaly. Is this the new normal? Is this an anomaly? Is it going to go back up again? Will it ever be what it was? A lot of just maybe FUD, maybe just uncertainty. A lot of folks out of work and looking for work and realizing why it's so hard to find new employment is because the jobs are just not there right now. If you zoom into this graph though, tell me if this is accurate to you, where it begins in May of 2020. There seems to be like a rise just before May of 2020, where there was a big dip.
Starting point is 00:21:38 And this, like, COVID was announced roughly in March. Right, March 2020. For at least here in the US. I think it was happening and I paid attention to it, you know, Thanksgiving, Christmas, January, February, in, you know, the Far East, like in Asia and India and different places. And I was like,
Starting point is 00:21:53 this is getting scary. Like, I see that thing moving, and I was like, is it coming here? What is this? You know, and then obviously March, and I know because my son's birthday is early March, we had a birthday party, and the last thing we did that was major with crowds
Starting point is 00:22:08 was his birthday. And shortly after, he and I got super sick in our chests. And looking back, I think I got COVID early on. And that's just how... But anyways, that's beside the story. I'm burying the lede here. Does it drop from 100 on this graph down to 60 in May, 2025? Is that how you're reading it?
Starting point is 00:22:30 So like there was a, an up and then an obvious down. Cause it looks like March would have been right before that. Obviously like it's March, April, May, and it's kind of going every other month or so for me, at least on my graph. I do think that the lockdowns began and hiring probably froze for a while while nobody knew what was going to happen next. And so it makes sense that the postings dropped, yeah, like you said, from 100 down to the 60s in a matter of a few months.
Starting point is 00:23:06 And then just climbed, climbed, climbed, probably as stimulus money was injected. We had the PPP loans. The markets were going crazy. Valuations were high. Money was easy. We were still at ZIRP, zero interest rate policy, and it just climbed to where it was just sunshines and rainbows up until mid-22, and then it just drops from there. And of course we
Starting point is 00:23:34 know what happened in our industry, you know, in the tech world. Everything tightened up, money got more expensive, layoffs began, hiring freezes began, and it seems like we're still on our way on the downslope of that. And where does the downslope stop? Who knows? What's explaining this? Some people are saying this is AI already, hitting us where it hurts. I think that's premature.
Starting point is 00:23:59 I don't think anyone's losing their job because of AI. Maybe on the margins. In the tech world, obviously, in art and other places, there are people who aren't as valuable as they were because their job has been somewhat offset by language models and image models, et cetera. But I don't think any software developers, unless their bosses are pointy-haired bosses
Starting point is 00:24:23 who don't understand what's going on, are flat out not getting hired because AI is so productive right now. I just don't think that that's the case. No, that's my two cents. I agree with that sentiment. What I do see though is, as it goes to the right past the bell into what seems like maybe a flattening of sorts. It's not quite a flattening, but it seems it's down. It's going down and we can't see beyond May. Here it is July. So we've got two months or at least one month in the past that it continued down. At the same time, when you look at a market and you just inject, as you mentioned, we were in ZIRP and you have so much free money, you're going to have some version of bell in a job market. This, I suppose, the Chicken Little thing that you
Starting point is 00:25:13 referenced in the audio version of this, and I think also in the newsletter, because I don't read the newsletter, I'm sorry. How dare you. Hate to admit that. You miss all the extras. I want the extras. I don't know how to subscribe. I'm just kidding. I know how to subscribe. It was a joke. Is that it was fairly high. It's not like a little bell curve.
Starting point is 00:25:34 It's a very big bell curve in comparison to what would be considered if the lows are the normal, the non-normal, the high is just so high. And what drove that really, I believe, because I study this loosely, I say I pay attention to it, is when you have access to free money and you have, I mean, we saw valuations in the pandemic era so high. I was like, we saw unicorns being born on the weekly. Companies you never thought would be unicorns were like, wow, we're a unicorn. Well, I mean, that's just because it was a matter of inflation, which I think the entire world is feeling. I don't know about you, Jerod, when I go
Starting point is 00:26:17 get groceries, even like anything these days, it's just like everything's expensive. Yeah. You gotta... there's some things I'm like, that cost that much? There's no way. How in the world does that thing cost that much? I'm gonna go ahead and skip that. I don't want to go on the Debbie Downer, but I think it's because of free cash in the market. When you have ZIRP and you have zero interest or very low interest or very free money, and then even not free, but like a large injection of it. Because when you have money that is free to lend and you have balances that come in as a result of those coming out, it creates money in the market
Starting point is 00:26:56 because money in a bank can be lended based on a multiple. So that's really how a lot of this, I think, worked was that there was a lot of free money in the marketplace and they had to use it. And so they thought, like you had said, is this the new normal? Well, let's invest in that new normal. And then it was like, whoa, this is not the new normal. But what do you think caused the decline? Because obviously in the 2022 range we had non-ZIRP, right? We had this... Sure. Interest rates went up dramatically. They're in, you know, in my lifetime, some all-time highs, I think probably your lifetime as well, at least here in the U.S. So as a proxy
Starting point is 00:27:39 yeah so when you have that kind of thing happen, it's more expensive to grow. It's more expensive to expand. It's more expensive to invest. And so you have to, I guess, be more cautious or more calculated with your growth. And you have to sort of be more planned to win rather than we might lose. Yeah, I just think it's a lagging indicator. You know, I think it was just we see it now and we can plot the curve and watch it of what was happening then. And there are leading indicators and there are lagging indicators. And it just seems like new job postings over time is a lagging indicator of what was going on, which a lot of us felt very acutely.
Starting point is 00:28:21 I think if you recall the beginning of this year, my sentiment was like, hey, we're on the other side of it. We're kind of coming out. And I was dead wrong on that. I mean, I just felt like the sentiment had changed. And I think now looking back at the first six months of 24, maybe some sentiment has changed, but has it been actual change? Seems like not so much. But the stock market's back, so some people are feeling like we're all right. The Fed hasn't done what they said they were going to do with their cuts.
Starting point is 00:28:57 They're still holding off on cuts, and so a lot of that stuff was priced in and expected and hasn't happened. And so I think people are still kind of just... Waiting. ...trepidatious. Yeah, and it's an election year. So yeah,
Starting point is 00:29:10 there's so much uncertainty. I do think the other side of this curve does change a lot because like you said, just now it's an election year. I think with, with it being an election year, regardless of which way it goes, there's always change in this perspective here. I wonder,
Starting point is 00:29:24 and I don't think there's any data to back this, like I wonder could you map, because I guess my question is like, okay, so if this is true, which it is, it's data backed, or if it's even by proxy true, and again, you caveated this in the audio of the newsletter, you did say, hey, by the way, this is Indeed data based on the United States. So it's definitely compartmentalized. Yeah, which is just one company in one country. So I guess the question is, for me at least, and I don't know what questions you're asking yourself as a result of this, but is like, what can I do?
Starting point is 00:29:55 Okay, so what? So if this is true, so then what kind of thing? And I wonder if there's any data or if it's even possible to put the same timeline together with similarly marketed data of sorts. I'm not even sure what this would be, what kind of index would go against, is opportunity. Because jobs being available does not equal lack of value to be created in the marketplace. This is where a lot of innovation happens. The status quo, go get a job,
Starting point is 00:30:25 work somewhere on somebody else's idea, move that forward is changing. And so what can I do is, where is the most value you see in your purview? Like if you can't get a job, you're having a hard time getting a job, which I just feel for you, that totally sucks. It is, if it were me, I would be like,
Starting point is 00:30:44 okay, where, what do I have career capital in? What do I have domain knowledge in? Where do I see a lack of value being created? Because money exchanges hands when value, when problems are solved, basically. Like if I solve a problem, and the bigger the problem is, the more money and the more value in the problem solving and the value exchanging happens. So if you want to get money, you've got to solve problems. So I would say look for problems. I don't think this bell curve tracks to opportunities slash problems being solved or to be solved. It just tracks to job opportunities in the existing marketplace.
Starting point is 00:31:24 Yeah, I agree. I'll echo what I said, I think, last fall, or maybe it was January with Gergely Orosz when we had him on the show talking about this questionable tech hiring market, is that there's never been a better time to start a business, especially if you are out of work. What are your options? Well, you can just keep pounding the pavement. I'm not saying don't do that, looking for that next full-time job, but also there is a lot of
Starting point is 00:31:50 opportunity to create value, create new businesses. And where does that, where are those opportunities right now? Well, it seems like similar to the past where you found small businesses and maybe medium-sized businesses who are handling all of their back-end accounting, all of their processes, their operations on paper previously, or on spreadsheets in Microsoft Excel and providing web development services
Starting point is 00:32:21 to those companies in order to break them out of those little silos and really streamline their operations. I mean, so much money was made turning Excel spreadsheets into web forms. I think similarly, first of all, that work is still out there. It's not like it's done.
Starting point is 00:32:37 There's tons of opportunities still there to this day, and there's a lot of people making good livings doing that work. But if you want to be more on the cutting edge, of course, there's a lot of low-hanging fruit with this AI stuff. I mean, there's a lot. We talked about summaries. It seems like the killer feature of the current wave
Starting point is 00:32:58 of text-based models is summarizing stuff, taking a lot of words and making it a few words, and taking a few words and making it a lot of words. So summaries and slop, basically. And the real value is in the summaries, isn't it?
Starting point is 00:33:15 I mean, the slop is sloppy and it's whatever, but the summaries are like super valuable. So summarizing this document, summarizing this meeting, summarizing these emails, summarizing whatever raw data a company has, huge value in that.
Starting point is 00:33:30 I mean, you save so much time with a good summary. And there's so many verticals, right? There's so many individual industries in which you can go into that industry and apply the basics of language models in a productionized way and hook them up with some summaries that they will pay you happily for.
Starting point is 00:33:50 I think that's low-hanging fruit. I think there's lots of opportunity there. Can I mention the sponsor as a way of an opportunity? I really don't want to do this necessarily, but I talked to David Hsu recently from Retool. I've always been a fan of them.
Starting point is 00:34:06 And they are a sponsor. So take this with a grain of salt, listeners. We also don't like to blur the line. This is not an ad spot. But as an example, there's a lot of opportunity in the internal tool space. Inside of companies. People are being tasked with doing more with less. And that's a lot of the reason why Retool is very successful.
Starting point is 00:34:24 Because they help you do more with less. You can be a backend engineer or an API developer and leverage Retool and build out tooling for your company and not have to be a front-ender. And so you kind of get to minimize that footprint of a person. a specialist in understanding what SaaS companies need from an internal tooling standpoint and find the ones that aren't using Retool and specialize in that and join their team temporarily as a consultant and say, I would just come in and tell you how Retool works and implement Retool for you. And I bet your Retool would even sponsor you if you added so much value to them that you went to company to company to company and did that kind of thing. And then there's versions of that, right? There's versions of like leveraging, like you said, these companies that are, you know, doing their accounting
Starting point is 00:35:13 differently. You mentioned a paper with Excel. I thought the place we're going was where they're outsourcing to tooling that specializes, where they don't have to be specialists, they could be generalists and spend money on a tool versus having to become the domain expert and do it themselves. They can sort of outsource a task, so to speak. But I'm thinking like, gosh, if I was a backend engineer,
Starting point is 00:35:36 somebody who really understood APIs, really understood how a lot of the internal tooling needs to happen or should happen for SaaS companies, I would become that kind of expert and go out there and just implement Retool for people. And you get to leave all the management behind, right? Because Retool is going to do it all. All you are as an implementer, you provide your value, you get in, you get out. Maybe you stick around for some consulting or some future, whatever. But at that point, you're like in and out. Maybe that lasts for a season.
Starting point is 00:36:05 Maybe that lasts for the season between the dip in the bell curve and the rise. Maybe it's not a long-term thing, but I really didn't want to use the sponsor, Jerod, but that was the best. It was what came to mind. It was what percolated, like coffee. Sure.
Starting point is 00:36:21 No, I like it. I like it. I think Retool will like it also. Not a sponsored mention. Let's move on to some cool news. Some good stuff because, you know, we're down here in the mucky muck. I'm excited about this one. I know you're going. What's up, friends?
Starting point is 00:36:45 I'm here with Michael Abbott and staff software developer at 1Password. Michael, I want to talk about how 1Password helps secrets management, secret sharing with teams, with orgs, with production, even really easy, even so much so that when you spin up a new person onto a team or you add new people to a team, even if you take away people from a team you know you want to focus on access and you also want to focus on security so if you want to remove somebody you want to make sure they no longer have access to your secrets and then the flip side is when you add somebody to a team you want to make sure they have access to their secrets
Starting point is 00:37:18 so help me understand how 1Password helps teams be efficient with secrets management. So when you have a dev team storing their secrets in 1Password, then it makes it really easy to bring new people on. They already have so much to do and so many new things to learn. You don't need them to have that extra burden of creating a dozen different accounts to be able to access your payments or your errors or your monitoring. You can have that all set up for them already within 1Password. And each of those particular services gets pulled into your local application, your production application at runtime through the 1Password CLI. From there,
Starting point is 00:37:58 you have your new developer downloading the repo. They don't have to spend time setting up their environment. All of the different services are ready to go because they're already stored in 1Password. All they have to do is use the 1Password CLI to spin up and run the application, and it's ready to go. It's like developing in the future. Well, we must be in the future, Michael, because we use 1Password just like that. All of our team secrets, all of our personal secrets, all of our application secrets, they're all in 1Password and we're using exactly this process to make our lives easier. So friends, go to 1Password.com slash changelogpod. They've given our listeners an exclusive extended free trial to any 1Password plan for 28 days. It should be 14 days, but no, it's 28 days.
Starting point is 00:38:48 But make sure you go to 1Password.com slash ChangeLogPod to get that exclusive signup bonus or head to developer.1password.com, of course, to learn about 1Password's amazing developer tooling, the 1Password CLI, 1Password for SSH and Git, CI/CD integrations, service accounts, and so much more. Once again, 1Password.com slash changelogpod. The Ladybird browser initiative. Of course, listeners of our interview show, The Changelog, remember us speaking with Andreas Kling from SerenityOS and how he was really into this browser
Starting point is 00:39:37 that he and the Serenity team had been building for SerenityOS. Well, since then, he has left Serenity to focus on Ladybird, that's the name of the browser, and has been working on breaking Ladybird free from Serenity's clutches. Of course, Serenity doesn't really clutch it, but it was built for SerenityOS. But now he's working on having it work on macOS and Linux OSs.
Starting point is 00:40:05 And so that was a really cool change that happened a few months back. Well, just this week, just yesterday, July 1st, Andreas and others announced the Ladybird Browser Initiative, the next chapter of Ladybird, which is being called the truly independent open-source web browser we've been developing
Starting point is 00:40:25 from scratch for the past few years. First of all, before we get into the details of this initiative, which are interesting, can we just be excited about this open source, cross-platform, completely independent browser? I mean, haven't we been talking about how cool that would be in light of the various walled gardens that we live in and Chrome becoming, you know, weaponized by Google for lack of a better term and Firefox losing its way with various initiatives that are not Firefox inside of Mozilla and Safari, which you and I both enjoy, but obviously has Apple's best interests in mind. Like to have the new Firefox, right?
Starting point is 00:41:08 Instead of getfirefox.com, it's like getladybird.com. And because it's not just SerenityOS now, or will be soon, I'm not sure the status of that work, it's going to be a standalone cross-platform browser built by a guy and his team who really understand browsers, right? Yeah. Pretty cool. Very cool. I echo your sentiment and excitement, so I won't layer on there. But what didn't surprise me was when we talked to Andreas, I think it says,
Starting point is 00:41:38 does he say Andreas or does he actually put something in there? Either way, Andreas. I'll just say Andreas because I speak English and I don't have that accent, so I won't try. Was that he, you know, had come from the Nokia days, you know this because you're on the podcast with me, and then later to Apple and was on the WebKit team. So like he, this was an itch for him. Like, you know, he did for his passion and for various reasons. You should listen to the show, episode 554. So changelog.fm slash 554. We'll get you there. The Serenity of Building Your Own OS.
Starting point is 00:42:09 He's got a great story. And it's very touching. And I think, you know, he got into SerenityOS for the reasons that it's touching story. And then ended up at Ladybird. And that's why he sort of like stopped touching SerenityOS. Because he was back to where his itch really needed to be scratched, if that translates. Yeah. And he has the history of Nokia and Apple WebKit and was on that team. And so he was primed to be a good person to lead this kind of initiative. I'm very excited.
Starting point is 00:42:38 I was actually just somewhere last night for dinner and was standing in line to order, because it's a place we had to go to the counter and order, it's strange, and the person in front of me Get Firefoxed the clerk. Really. I just barely overheard it. She's like, gosh, I'm gonna go home tonight and install Firefox, thank you. That's all I heard. And I said to my wife, I'm like, did he just Get Firefox her? But anyways, like he might have to Get Ladybird her, him, whatever. Yeah. What is the domain for this? Ladybird.org. I should have tried getladybird.org just for, I think you can have both. You can have like the Get Ladybird and redirect or something.
Starting point is 00:43:18 Yeah, for sure. I think it's a cool, I remember, I think Get Firefox nerds will enjoy Get Ladybird. Yeah. Especially if it's like a nostalgic nod and homage to what was promised, was for a bit, and then isn't much anymore. I would personally enjoy that. I mean, I was in the days of like, tabs were awesome. I know you were too.
Starting point is 00:43:40 IE's dead. Long live Firefox. Get Firefox. The whole push. What an amazing global grassroots effort at the right time. So crazy. Yeah. It was like the nerd uprising.
Starting point is 00:43:56 Yeah. And we helped everybody free them from the shackles. So what they announced specifically is the Ladybird Browser Initiative, which is a US 501(c)(3) nonprofit, which will be tax-exempt. Its purpose is to drive work on the browser and make it easier for supporters of all shapes and sizes to sponsor development. They say, unlike traditional business models that rely on monetizing the user,
Starting point is 00:44:20 Ladybird is funded entirely by sponsorships and donations from companies and individuals who care about the open web. Our nonprofit will not pursue corporate deals or revenue outside of unrestricted donations. The software and its source code will be available for free forever. And they have a board
Starting point is 00:44:37 of directors starring Andreas himself, of course, and the surprise entrant for me, I was like, this is so cool. Chris Wanstrath, co-founder of GitHub, CEO of GitHub for many years, now working on a games company called Null Games. Chris will be the secretary and treasurer of this new initiative. And I believe he personally donated, he and his wife donated a million dollars as part of a seed funding for this nonprofit. So an injection to get things going. I mean, pretty cool by Chris. Very cool by Chris. And I would even say, I don't think I've seen Chris,
Starting point is 00:45:22 definitely not personally, in the wild, I would say. Like, I don't know I've seen Chris, definitely not personally, in the wild, I would say. I don't know how to phrase it otherwise. In quotes, in the wild, on the internet, since, I think, being on stage at Universe or something with GitHub. The last moments of the acquisition by Microsoft of GitHub. I think that was the last time I've seen him out there proclaiming anything. Yeah, so in addition, he's been on Twitter slash X talking about things for a while, but he actually put out a video, like a three minute video. Right.
Starting point is 00:45:52 Announcing his participation in this deal. And that was the first time I was ever looking at him and being like, I don't think I've seen him since he had long hair. Yeah. Like he looks a little bit older, a little wiser, a little more cleaned up. Yeah. And yeah, pretty cool to see him. First of all, he disappeared for many years.
Starting point is 00:46:08 Now he came back with this gaming company and has been talking on social media some, but really getting out there and putting some of his personal money behind a very cool initiative. The free-for-ever aspect of this is the clincher. I love that Chris is involved. I think that Chris being involved, and his family donating a million dollars to this initiative, is telling.
Starting point is 00:46:34 And I think him coming out of the woodwork, if that's a phrase you want to use, which is known, but I don't think that's necessarily the case. Because as you said, he's been on X talking, but not visually. Like this was a video. This is like, hey, I'm going to put my full likeness and personal words, my voice even, behind this new push. But the fact that its software and its source code, this is quoted, quote, the software and its source code will be available for free forever, end quote. And just the need of, I think Chris said it best, was we're not trying to beat Chrome. It's not about winning. It's about choice.
Starting point is 00:47:10 It's about something that is not owned by the big market players, something that's independent, something that is backed by a nonprofit, something that is for the people, for individuals. And with it being open source means that you'll have your opportunity if you feel so inclined to participate and to be involved, probably on GitHub, right? That's probably what's happening. For sure. As we know, which is a good thing. So I think great news. But let's consider, if you don't mind, hypothesize, Jerod, two years from now, what changes? Where do you think they'll be in two years? What will change? Well, I do believe they will have those macOS
Starting point is 00:47:51 and Linux versions out there. It will be freed from SerenityOS. And I do think that it will probably be packaged up nicely in every Linux distribution that's mainstream. So you can apt-get install Ladybird, and who knows? Maybe in two years' time it'll become a pre-installed browser on a few big distros, which would be great. There are, of course, many things that go into a modern browser initiative.
Starting point is 00:48:19 I think they'll have a good foundation of websites rendering correctly. That, of course, is the main thing. It must render websites correctly. But there'll be a bunch of stuff missing, which may or may not ever be there. If you think about a Windows version, they don't have any plans to support Windows in the short term. They want to eventually, but it's not a priority. Will it have an iOS or Android version
Starting point is 00:48:47 that syncs to your browser? No. This is going to be very much a desktop browser. This is going to be a focused thing for especially in the short term of two years, but maybe for a very long time. And so there are things where it's like, why do I use Safari?
Starting point is 00:49:03 Well, a lot of the reason why I use Safari is because of the integration between my laptop and my phone and that continuity stuff. And so all that stuff is not going to be a thing. And so this will be very much a choice to use this browser
Starting point is 00:49:19 and one that will still require, especially for those of us inside our walled gardens, some sacrifices in order to leave the walled garden. It's not going to be a one-for-one switch. And so that will be a challenge for Ladybird, as adoption means you have to give up something that you are otherwise happy with. But I think a lot of people are definitely willing to do that, especially on the Linux side. What do you think? I have a couple more questions.
Starting point is 00:49:47 And I do have a point too, my own thoughts. But I know you all covered on JS Party, and I haven't listened back to this episode yet, more so the development, I suppose, with Apple and multiple web browsers. Can you catch me up on what the status of that is? I think that's the clincher. If we can get native Ladybird that doesn't have to have Safari or WebKit, I suppose,
Starting point is 00:50:12 as its underpinnings, then you can do a lot of what Safari offers you and I as Apple users when you have the application installed on iOS and you can have cloud syncing with tabs and whatever if that's something that Ladybird wants to offer. But give me a one-minute update on what that status is for, I suppose, everyone in the Apple world,
Starting point is 00:50:37 not just the EU. So historically, every web browser in the App Store was a skin on top of WebKit. So Chrome, Firefox, Vivaldi, you name it, Brave, all of these iOS apps, as you mentioned, have WebKit under the hood and have to use Apple's APIs. So they're basically the Chrome UI and maybe the Chrome sync engine on top of that.
Starting point is 00:51:03 So Google's very much hamstrung in what they can do. The recent EU laws that have passed break that bond in the EU. And so Apple will allow, A, they're allowing alternate app stores, although it's a huge pain in the butt to get one of those spun up. They made it significantly difficult.
Starting point is 00:51:23 But they will also allow alternate rendering engines and I believe, and I'm happy to be fact-checked on this because it's been a while since I looked at it, I believe it's in the EU only. So, and here in these United States of America nothing changes, but in European Union
Starting point is 00:51:39 countries, you will have the ability to have alternate rendering engines, which means Chromium can run on your iPhone, which means Gecko or whatever the Firefox thing is currently called can run on your iPhone. And this will be great because then we'll at least be able to have the comparison and say, oh, it looks like Chromium on iOS is faster than Safari on iOS and et cetera, which will spur some innovation and some competition. But in the day-to-day lives of Westerners,
Starting point is 00:52:11 I know that many, many countries in Europe are also in the West, but you know what I mean? Those of us on this side of the pond, our lives are pretty much going to be the same, at least for now. So I think when it says in the same announcement, it says, quote, but it is still very far from finished. We want to turn Ladybird into a browser that you can use every day for all
Starting point is 00:52:32 your web related tasks. It should be fast, stable, support web standards and protect your privacy, a browser for you, end quote. And so that's why I went to that. It's like, I feel like you're gonna have the pain, right? I'm a Safari user. I'm only truly really a Safari user because it's minimalistic on iOS, which I appreciate, and it's also on my mobile device and there's continuity. That's like the only real thing, I think, from the surface. Now there may be other things I uncover by using something else and it falling short, but thus far that's the true reason, the true feature I'm for, is that continuity and the cross-device availability. I think if this has a real shot to do, I wouldn't say damage because that's not the right phrasing, but the good, I suppose,
Starting point is 00:53:25 that it's trying to do for the people. There's so much in the protect your privacy quoted phrase in what I just read that I think needs to be examined because Apple is notoriously known for protecting your privacy and caring about that as a feature of their business. However, if you make all app installations in my country require your engine, is that for you? Some would say yes, and some would say no, because of how deeply Apple wants to own the entire spectrum from zero to one, so that they can provide the, in quotes, best user experience. That's their innovation factor. That's their moneymaker is their ability to care so deeply and preemptively know what
Starting point is 00:54:12 you want to give you what you want without even knowing it. I think for me, it's got to have, and maybe this pushes it. Maybe this is what we need as a tipping point to say we as users want choice. And why should it only be given to the EU because there were certain laws passed? That is not a thing you should do because a law was passed. It's a thing you should do because you care about your users.
Starting point is 00:54:36 And I think that innovation happens whenever there's competition, and you can't have competition when you're forced to use the same rendering engine. Yeah, I don't know. Time will tell on Apple's positioning after the floodgates kind of have opened. Because at a certain point, you're just holding back the flood. Once you get a break in the dam, it's just a matter of time
Starting point is 00:54:58 and it's kind of a fool's errand to try to stop it. But I think they still have a pretty strong stranglehold on the market. I agree. Especially outside of EU countries. And so I don't expect it to change too much unless the United States legislature follows suit. And I think our lawmakers have proven themselves across the board to be highly incompetent in regards to many topics and especially technology. So I don't trust.
Starting point is 00:55:31 It's a series of tubes. It's a series of tubes. Let's end this segment here with a congrats then. Congrats to Andreas. Congrats to Chris for seeing that vision. Congrats to Andreas getting through what you went through to get to SerenityOS and then ultimately Ladybird, and now you're on this new trajectory. So stoked for you by way of just hearing your story and talking to you one time on a podcast.
Starting point is 00:55:57 I'm excited. So congrats to both of you guys doing this new mission, this new initiative, and to anyone that is so excited about it that they start to personally get involved in whatever way they want to, whether it's a user, whether it's a developer, contributor, community, whatever. Sponsor. There you go. Ladybird, what is it? Ladybird.org. Too easy. It's just too easy. All right, back to
Starting point is 00:56:26 some bad news. Polyfill supply chain attack hits 100,000 plus sites. This one has made the news
Starting point is 00:56:34 a few times, and so it's not exactly new news, but I wanted to bounce off you what I said on Monday
Starting point is 00:56:41 on Changelog News and get your take on it because in light of this, which as for those of you who didn't hear this news, there is a JavaScript library called polyfill.js. It provides, as is the name, some polyfills for features
Starting point is 00:56:56 that don't exist in older browsers. It was served up via a CDN that the polyfill people set up very kindly, cdn.polyfill.js, which I'm sure served tons of bandwidth and traffic for many years, probably free of charge, sponsored by, subsidized by whoever it is that was putting out the open source
Starting point is 00:57:17 and eventually got sold to a malicious company. The domain got sold, polyfill.js. And so they set up a CDN at the same address that did some nefarious things. And so this is kind of your rug pull not cool situation.
Starting point is 00:57:36 Different kind of rug pull. Not an open source rug pull. A domain rug pull. Super not cool. And so a lot of people have been trying to react. Like I said, it hit 100,000 plus websites, including some pretty big ones who were using that particular asset.
Starting point is 00:58:00 And I said this in yesterday's or Monday's news. I said yesterday's best practice are today's malpractice, which is kind of interesting. Everybody pretty much said, well, you should be loading off of a CDN because it's faster than yours, it's closer to them than yours. You have HTTP pipelining with separate domains,
Starting point is 00:58:20 so it's faster in loading as well. It's easier because you don't have to pay for bandwidth. There's like 17 reasons why it was the best practice to just load your JavaScript, your third-party JavaScript, especially like jQuery and jQuery UI and React and all these things from a CDN and not from your own domain. That was standard operating procedure for many years. And here we see some serious, I guess, myopic, myopism,
Starting point is 00:58:48 I don't know, shortsightedness on that is like, well, when you don't have control over everything, things change and not always for the better. And so that becomes, that goes from best practice to malpractice. And then I thought, I started thinking about Jeff Bezos' regret minimization framework. I'm not sure if you've heard about that, his decision-making process. When faced with two choices, his framework is make the choice that minimizes your potential regret.
Starting point is 00:59:19 And so if you're going to go left or right, think about which one you might regret the most and do the other one. Minimize the regret. And I said, maybe it's time to have a dependency minimization framework. I don't want to be a not-invented-here zealot, but dang, it sure seems like we're getting bit often by our supply chain. And so maybe if we limit that supply as much as possible, that's a framework that we should be operating under. Your thoughts? Okay, so I want to pause for a second
Starting point is 00:59:53 and just lean into your copywriting, if you don't mind. Okay, I'm a little nervous. Yesterday's best practice are today's malpractice. That's yours, right? Yeah, I wrote that. I mean, just dude, bravo. That's phenomenal writing right there. That's how you know that you've fine-tuned, repeated, made easy, as you've said, by doing something over and over and over to make it easier.
Starting point is 01:00:21 Sure. That's an art right there. Writing that line right there alone is why you listen to Changelog News. And if you don't, you're wrong. Okay. Well, let me say everything's a remix, of course. Okay. I'm sure it is.
Starting point is 01:00:35 And when I thought of that phrase, that phraseology. Oh, yes. I know you're going to reference. I was referring back to Kris Brandow's, you call it tech debt, I call it malpractice. And then I realized that best practice rhymes with malpractice. And I was like, you're just changing the front. And so I giggled and I wrote it down. So, you know, shout out to him. And that's how it is. Take the praise, man. That's good stuff there. Well, thank you. I'll take a moment to appreciate that compliment. Okay. That moment has passed. Now let's dig in. Okay. I like the idea of the supply chain.
Starting point is 01:01:07 There's a reason why the supply chain exists. What I don't like is how it's being weaponized against us. And I think there is now an opportunity, and I don't really want to mention one more sponsor, but Feross is a friend first before he's a sponsor. And I think there's, like, Feross is in a blue ocean sort of scenario when it comes to the open source supply chain in regards to dependencies. This would not have stopped this particular best practice turned malpractice, as you so eloquently wrote. But I wonder, I don't think we should be linking to CDNs. I think that practice is dead.
Starting point is 01:01:47 I'm going to let that one go. However, I don't want your sentiment, what you had said there was, I guess, the vulnerableness we have with our supply chain. There's a reason why open source won. There's a reason why
Starting point is 01:01:57 we lean on other people's amazing code. There's a reason why, for all those reasons, there's reasons. I'm going to say reasons 17 more times. So I would prefer folks to lean in like Feross has in his particular niche, which was JavaScript web development and dependencies, and now it's transcended simply npm to all the others.
Starting point is 01:02:20 You know, there's like four of them in the list now that they support when it comes to dependencies and checking those things, right? I like to see better security tooling that aids a developer, does that shift left, right? Versus being like, nah, third party, not cool, rug pull, not cool, super not cool, right? You know, I would like to have more security tooling in there that's for developers and developer focused and doesn't like become this, and I hate to use the word like in there, doesn't become this signal versus noise issue where you're just getting alerted to things that don't matter. Right. We talked about this recently on Securing GitHub. Sure. With Jacob.
Starting point is 01:03:03 Yeah. DePriest. And so I think my stance is really like, this sucks. Like that definitely, like linking out to third-party CDNs, that's dead to me. Based on this for sure. Because you can't trust the domain ownership anymore, right? You can just download that file and re-host it yourself. And you're just free from this particular problem.
Starting point is 01:03:19 Gosh, yes. I mean, and CDNs are, you know, apparently a pipe dream. And potentially a dime a dozen. Yeah, exactly. I mean, we replace them ourselves potentially. Yeah. So I think that's even why I asked you, I think in the post show, like, is there a product here for this pipe dream? So that's that, y'all, that's a reference to the last Changelog & Friends episode 50.
Starting point is 01:03:39 So go back a clip, a click, a clip, an episode, whatever, or several if you're in the master feed and listen to that because we've had this pipe dream and I've been pushing back against it because I'm like minimizing how much software we develop and manage. I'm trying to and you are trying to create more in that case, but hey, whatever. I get it. So if there's hedons everywhere, this practice is dead, but I want, I would prefer that the future be, okay, who has got a security mind and can help us not allow attackers to leverage the supply chain of any supply chain, whether it's a CDN or dependency tree or transient dependencies
Starting point is 01:04:16 or whatever it might be. Let's put some good tooling in there that at least surfaces. And I think thus far back to Feross and socket.dev, I'm so stoked for him. I think what they're doing is truly helping applications be better. It's truly helping developers not feel like, oh my gosh, I need to build a new feature.
Starting point is 01:04:35 And so I go out there and I find things that are trusted in the marketplace and I randomly do the wrong typo thing and I install this thing and I'm owned. Or whatever might happen is you're building this thing on. There's nothing, there hasn't been much out there aside from you literally having to dig through, has the core contributors changed? Has the code
Starting point is 01:04:54 been rewritten, you know, basically from scratch recently? Has there been like this slow burn of a social engineering against somebody. We as individual developers just don't have the patience nor the time to do that. We need tooling. And that would be where I would welcome AI to help us. That's pattern matching is amazing features for summarization basically. In that kind of scenario, that's where I would love people to lean in.
Starting point is 01:05:21 So if you go back to the bell curve that's going down and you find yourself in a position where you've got some knowledge and security and you see areas of the supply chain that is under attack and no one's solving the problem or there's a team that's small or disparate solving the problem, they need more resources, maybe step in there.
Starting point is 01:05:40 And maybe there's an opportunity to create something brand new like Feross did that begins to solve that problem. Because our supply chain needs to be secured. And it won't be unless it is secured. And it can't be unless it's secured. There you go. That's my two cents.
Starting point is 01:05:55 I think that's a solid take. I think I'm more thinking like make the rug as small as possible so it can't get pulled. And you're thinking, let's lock that rug down. Because that's a valuable rug and somebody put a lot of work into it and it's better than making your own rug. And I think that you can probably happily deploy both strategies. I'm not saying never use third-party code. Go look at our website and see how many dependencies we have.
Starting point is 01:06:23 And I agree with you that security tooling may be a very good avenue. And I also agree with you that this particular practice should just be dead. If you're listening to this and you have JavaScript files that are loading from a third-party CDN that you don't control, just stop listening, pause it, go download those files,
Starting point is 01:06:46 and re-upload them to something that's inside your control. And just sleep better at night, knowing that this can't happen to you, this particular threat vector, there's just no reason for it. But I still think that we could individually and on our teams, deploy a dependency minimization framework, and just reduce the size of that rug just in case it gets pulled, man. Because there are real threats that are unmitigated. And yes, I think that the path forward includes companies like Socket, Feross's company,
Starting point is 01:07:19 that this is another non-sponsor mention in the show. They may actually sponsor this episode. I don't even know. They may be a sponsor. Every time you say that, it happens with our 1Password one. They are our current sponsor, and it might happen. So if it does, I don't know. Let me actually check the sponsor list real quick.
Starting point is 01:07:37 So this happened, actually, on our recent episode with Justin Searls talking about the Apple keynote. And you said, we talked about 1Password and are they getting Sherlocked and what's going to happen with them? And you're like, they might even sponsor this episode. And they literally sponsored that segment, which we just had fun with it.
Starting point is 01:07:55 We put a non-sponsored portion. By proxy, they were sponsoring as a mid-roll. And we placed them there because it made the most sense to put them in that mid-roll. Because it didn't make sense to skip the mid-roll and let them come later. It was more on point to literally land it there. Yeah, it was kind of funnier that way.
Starting point is 01:08:09 We had a not-sponsored and we had a sponsored. I have confirmed that Socket is not a sponsor this week on these episodes. However, they may be a sponsor. Let me check on other shows. Sure. Well, that's going to happen. And they're a sponsor of JS Party this week. So if you listen to JS Party this week, you will hear kind of what I've been talking about.
Starting point is 01:08:27 Like these ad spots. Can we just pause for a second and like give me a little praise? Do you mind, Jerod? Let's do it. Can I self-praise? Yeah, man. Go for it. Maybe you can praise me.
Starting point is 01:08:35 I don't know. Like I just love producing our ad spots with our sponsors, really. I just love digging in because I do learn their story. In a lot of cases, these interviews I do with folks are very much like a literal podcast. And you and I have hypothesized how we can turn that into additional content. But they're not always clean content. Some of it's coaching. It's a lot of it's stuff in there. So it doesn't always fit well. So it's not a repeatable thing. What is repeatable is what I get out of them is, I want to know why people should use it. Why does it exist? Who cares? Who's getting value from it? And I'm asking from various questions from that lens. And so I did this with Feross, like, Feross, okay, you've got these things out there, tell me what's happening here. And he just, he just leans in. And so as doing these, these ad spots, I learned a lot more and to some degree become more, way more bullish or way less bullish on these folks, you know?
Starting point is 01:09:35 So if you see somebody come through the system, let's just say, and they go away, it's either because they didn't get value or I didn't think they really made sense for us long term. So it's one of those two things. And the don't get value thing does happen if we're not speaking to an audience they care about. Totally get it. You shouldn't waste your money or spend your money in places you're not getting value.
Starting point is 01:09:56 However, these ad spots to me are like almost just as hard as producing one more podcast because I'm meeting with multiple people in the week, having deep conversation with them and distilling that down into a minute or two. And I've just been enjoying the process a lot. And this one for Feross you'll hear, or this one you'll hear from Feross on Socket
Starting point is 01:10:13 on Friday on JS Party is an example of that. Well, I would agree with you. I truly enjoy them. Of course, when I'm listening to our shows, I'm listening for QA purposes, also for clipping purposes. So a lot of what I'm doing is for speed. And so yes, I will skip our own sponsorships. But sometimes I'm mowing, I'm driving,
Starting point is 01:10:33 I'm not in a skipping position. And I will listen and I'll say, you know what, this is stinking good. It's almost like a mini little podcast right there inside the podcast. And so of course, if you don't like our ads, there is an option for you. If you like our shows but not Adam's ads, first of all, how dare you? But secondly, go ahead and skip them.
Starting point is 01:10:53 changelog.com slash plus plus. It is better, I've heard. It's better. It is better. It's been better for years. B-N-C. B-2-B-1. Group hug everyone.
Starting point is 01:11:05 B-N-C. B-2-B-1 and group hug everyone. BNC beats B1 and group hug everyone. BNC beats B1 and group hug everyone. What's up, friends? This episode is brought to you by our friends at Neon, on-demand scalability, bottomless storage, and database branching. And I'm here with Nikita Shamgunov, co-founder and CEO of Neon. So Nikita, one thing I'm a firm believer in is when you make a product, give them what they want.
Starting point is 01:11:37 And one thing I know is developers want Postgres, they want it managed, and they want it serverless. So you're on the front lines. Tell me what you're hearing from developers. What are you hearing from developers about Postgres managed and being serverless? So what we hear from developers is the first part resonates absolutely. They want Postgres, they want it managed. The serverless bit is 100% resonating with what people want. They sometimes are skeptical, like, is my workload going to run
Starting point is 01:12:06 well on your serverless offering? Are you going to charge me 10 times as much for serverless that I'm getting for provision? Those are like the skepticism that we're seeing and that people are trying and that they're seeing that the bill arriving at the end of the month and like, well, this is strictly better. The other thing that is resonating incredibly well is participating in the software development lifecycle. What that means is you use databases in two modes. One mode is you're running your app and the other mode is you're building your app. And then you go and switch between the two all the time because you're deploying all the time. And there is a specific part when you just build an audio application from zero to one, and then you push the application into production, and then they keep iterating on the application. What databases on Amazon, such as RDS and Aurora and other hyperscalers are pretty good at is running the app. They've been at it for a while. They learned how to be reliable over time.
Starting point is 01:13:10 And they run massive fleets right now, like Aurora and RDS run massive fleets of databases. So they're pretty good at it. Now, they're not serverless. At least they're not serverless by default. Aurora has a serverless offering. It doesn't scale to zero, Neon does,
Starting point is 01:13:25 but that's really the difference. But they have no say in the software development lifecycle. So when you think about what a modern deploy to production looks like, it's typically some sort of tie-in into GitHub, right? You're creating a branch and then you're developing your feature and then you're sending a PR.
Starting point is 01:13:46 And then that goes through a pipeline, and then you run GitHub Actions, or you're running GitLab for CI/CD. And eventually, this whole thing drops into a deploy into production. So databases are terrible at this today. And Neon is charging full speed into participating in the software development lifecycle world. What that looks like is Neon supports branches. So that's the enabling feature. Git supports branches. Neon supports branches. Internally, because we built Neon, we built our own proprietary.
Starting point is 01:14:19 And what I mean by proprietary is built in-house. You know, the technology is actually open source, but it's built in-house to support copy-on-write branching for the Postgres database. And we run and manage that storage subsystem ourselves in the cloud. Anybody can read it. It's all in GitHub under Neon Database repo, and it's quite popular. There are over 10,000 stars on it and stuff like that. This is the enabling technology. It supports branches. The moment it supports branches, it's trivial to take your production environment and clone it. And now you have a developer environment. And because it's serverless, you're not cloning something that costs you a lot of money. And imagining for a second that every developer
Starting point is 01:14:59 cloned something that costs you a lot of money in a large team, that is unthinkable, right? Because you will have 100 copies of a very expensive production database. But because it is copy-on-write and compute is scalable. So now 100 copies that you're not using, you're only using them for development, they actually don't cost you that much. And so now you can arrive into the world where your database participates in the software development lifecycle. And every developer can have a copy of your production environment for their testing, for their feature development. We're getting a lot of feature requests, by the way, there. People want to merge this data, or at least schema, back into production, people want to mask PII data, people want to
Starting point is 01:15:40 reset branches to a particular point in time of the parent branch or the production branch or the current point in time, like against the head of that branch. And we're super excited about this. We're super excited. We're super optimistic. All our top customers use branches every day. I think it's what makes Neon modern. It turns a database into a URL and it turns that URL to a similar URL to that of GitHub. You can send this URL to a friend, you can branch it, you can create a preview environment, you can have DevTest staging, and you live in this iterative mode of building applications.
Starting point is 01:16:16 Okay, go to neon.tech to learn more and get started. Get on-demand scalability, bottomless storage, and data branching. One more time, that's neon.tech. Well, Piling On. I like this one. Should we play the Pile On song? We're all saying the same thing. It's a pile on.
Starting point is 01:16:44 It's a pile on. It's a pile on. Piling on to this CDN issue, this third-party hotlinking. Basically, that's what it is, right? You're hotlinking to somebody's JavaScript, and you get, if you hotlink to polyfill.js, you get the traditional GOATC, right? Only worse. And if you don't know what Goatsy is, don't go Google that.
Starting point is 01:17:06 But if you know what it is, you know what I'm talking about. Piling on is Alex Lazar, writing at leetsoftware.com. I thought you might like this one, Adam. The future is self-hosted. Alex thinks the future is self-hosted. And in light of me saying,
Starting point is 01:17:21 go take down your third-party JavaScript loading and self-host it, I don't know, man. Maybe the future is self-hosted. This is what Alex says. A few points. He says privacy is baked in. This is if you're self-hosted. The pricing is simple.
Starting point is 01:17:39 It's distributed by design, which that one might take some unpacking. And it's easy in 2024. So he thinks the future is self-hosted. Those are four reasons that I can unpack the full paragraphs if you like. And then he goes on to ask what's stopping us, complacency, etc., etc. Trying to describe why we don't self-host. But what do you think about this response to the supply chain?
Starting point is 01:18:04 It's like, well, use the supply chain, but just self-host it yourself. Redundant, but still. If I wrote this headline, I would write the same headline, but I would add parentheses to it and I would, I would add the words for some. Because when he says in the intro, let's first praise it. Awesome. I think it is a great idea, but I still agree that it's for some. And this is why. Because when he describes self-hosting being easy in 2024, in the very first sentence, Docker is mentioned. You go find somebody who cares about their privacy as a layperson who is not really into tech.
Starting point is 01:18:43 They use tech. They're users of tech. They buy products. They're generally not savvy with Docker. Does that mean they can't use it? No, because then you can build another abstraction layer on top of that. And I think TrueNAS is a version of that kind of abstraction. But I, I was using TrueNAS recently because I got this test unit from them that I'm testing out, which I think it's just amazing hardware, by the way, and amazing software.
Starting point is 01:19:09 But at the same time, this is designed for a nerd. And that's not a bad thing. It's just not designed for this headline, the future is self-hosted, because I think it is. But I think for some, because if I wanted to,
Starting point is 01:19:27 on my 10 gigabit network, put my Raspberry Pi, which will not be 10 gigabit, I don't even know if the RPi 5 is 2.5, and host my own JavaScript files, be my own single node CDN, is that going to scale? I mean, I don't know, because then you've got this personal ISP. What is self-hosted? Can you get your own colo space at a data center?
Starting point is 01:19:50 That's what I'm thinking over here while you talk. Tim Stewart, aka TechnoTim, did this recently. He moved a lot of his stack, his home lab stack. A large portion is in a colo data center. Is that home lab anymore? That's colo lab. I mean, yeah, like it's like, I love Tim. He's amazing. And he's doing it for exploration. So it's not like he's trying to extend the idea of Homelab. Like this is Homelab. The future self-hosted is Homelab or some version of it.
Starting point is 01:20:14 Like I agree with it. I want that to be the case. I think there needs to be this marriage between available hardware and available software that doesn't require the end user to know or understand Docker. It should not deploy Kubernetes on this thing. It's like, and use Helm charts, like that's just too nerdy. So I agree with it for some, for now. I think the future though, there is an opportunity to build some software and some hardware that marries each other together. It says, put this in your home and here's a UI that anybody can pretty much use. But back to the supply chain, that's an attack vector. So it needs to be secure, right?
Starting point is 01:20:51 And it needs to leverage the open source supply chain in wise ways. They should be using some of our sponsors to secure themselves. So yeah, I like the idea. Long story short. Yeah, I agree. I think it is difficult to define exactly what self-hosted means and what the audience is of this particular thought. Is this your self-hosting your business in your house? Is this your self-hosting your JavaScript files on S3?
Starting point is 01:21:21 I mean, what exactly does he mean by self-hosting? And I think at the consumer level, and it's a completely different conversation. We're talking about businesses, consumers, developers, et cetera, home labbers. I think when it comes to consumer tech, and I know that NextCloud, for instance, does a lot of this stuff. But I remember the good old Apple,
Starting point is 01:21:42 what was Apple's router called? Airport. Apple Airport Extreme. Oh, that thing was awesome, right? They abandoned the whole market, but that thing was awesome. I remember when they first announced iCloud, and they changed kind of the orientation of what they saw your computer setup to be, where it used to be like, here's your desktop,
Starting point is 01:22:02 and that was like the source of truth. And maybe you have a laptop, maybe not. But this computer in your house was the source of truth. And then they, this is even back in the Jobs era, they inverted that. And they're like, no, the cloud is the source of truth. And your machines are going to sync to the cloud. And it took them a long time to deliver on that because iCloud was terrible for years. It's actually gotten to be pretty reliable now.
Starting point is 01:22:23 But I remember when they first announced that, I was like, I feel like that sucks compared to making an airport extreme in your house with some sort of hard drives and stuff, like a NextCloud. Your own personal cloud in your house. That seemed to me like that was a cool future, which is self-hosted cloud, basically. And I know companies like NextCloud, which also has open source stuff going on, that's open core, I believe,
Starting point is 01:22:50 have done a lot of that work, but they haven't brought it to the masses. Is the future actually self-hosted? I think it's going to be, if Apple had gone that direction, then I think for consumers, I think the future could have been self-hosted. I think that'd be a better place for your cloud to live
Starting point is 01:23:06 than on Apple servers, but obviously it didn't go that route. So yeah, I guess my thoughts all revolve around who are we talking about, in what context, what does self-hosted mean? And I do not think the future of web development and running servers is self-hosted. Unless by that you mean self-managed
Starting point is 01:23:28 somewhere else. Because, I don't know, I'm not going to stand up a rack in the closet and host our business off of it myself. I like the idea of this thought being pushed forward. I think it has merit.
Starting point is 01:23:43 Yeah. But like you had said, NextCloud, I believe, for the most part, is being built for mostly nerds, not quite fully nerds, but mostly nerds. I agree with more sentiment share,
Starting point is 01:23:54 which was, I'll paraphrase, I'm not going to read it exactly, you know, reducing hardware costs, long-term costs, etc. I think having privacy is kind of to some degree there because you can still have non-VPN traffic or non-SSL traffic happening.
Starting point is 01:24:13 So even then, you've got to become a bit of an expert on that stuff too. You may choose a networking system that aids you in that but doesn't remove it completely. But then it also puts all the ownership on you. And then you multiply that by everybody who self hosts and you got a lot of people. He does say there are billions in quotes. There are billions of people in the world. Tens of millions of them turn 18 every year and they all need software end quote. And I don't have an 18-year-old, Jared.
Starting point is 01:24:45 I have a 20-year-old, and she is not at all interested in purchasing hardware and self-hosting anything whatsoever. And I know you have children that are close to that age, not quite that age, and so that's an up-and-coming milestone for you. Maybe you can share it. Is that even on your daughter's radar
Starting point is 01:25:05 that that would even be like, she doesn't want to self-host anything. That's why I say for some. She doesn't even know what that means. Yeah, I don't. I don't as much as I want to believe this. I think the words for some could have been in there
Starting point is 01:25:17 or maybe for nerds, maybe just for nerds, because for nerds, I think self-hosting is here. You go, you hop into, OK, here's an invitation. changelog.com slash community. Hop in our Homelab channel there.
Starting point is 01:25:28 There was some cool stuff recently shared by that Colin Dean. And in terms of his migration to different unified hardware. And I love that. You know, we just like chatted quickly yesterday. I threw like a couple of liners out there. But there is a Homelab channel in our Slack community.
Starting point is 01:25:45 And if you disagree with me or agree in some cases, but mostly disagree or even agree, hop in to Homelab. Or disagree. Or agree. Whatever your opinion is. If you have an opinion, share it in there or even in main, but it's probably more better or better applied in the Homelab channel
Starting point is 01:26:04 because it's kind of like a synonym for self-hosted. Homelab is self-hosted. And that's your great invitation. Hang your hat here. You're welcome. It's free. It's a precursor in my eyes to ChangeLog++ or just getting a little closer to
Starting point is 01:26:19 the free ChangeLog medal. And yeah, I want this to be true though. So I'm like an advocate for this becoming true. I just don't think it's going to come true. It requires decent hardware that's made well, that's affordable and mostly user-friendly as an interface that does all the techie Docker, Kubernetes, whatever, however this maps out in the future,
Starting point is 01:26:42 but it needs to be non-nerd only, in my opinion. I think that's fair. Should we call it a show? Well, that's it for me. You came up with a bunch of good topics just by way of what you do. One more time, okay? Give it up for yesterday's best practice, are today's malpractice.
Starting point is 01:27:03 Phenomenal writing, Jerod. Oh, now you're just flattering. And one more nod to changelog.com slash news and subscribing, listening, and paying attention to
Starting point is 01:27:12 actually staying up to date with what's happening by listening to ChangeLog News or reading ChangeLog News every Monday. That's awesome. Very good.
Starting point is 01:27:23 Well, by the way, mini, mini, mini, mini Kaizen, did you notice I changed the play button on our Changelog News home page to green, and I made, I put the word play underneath it? I did notice. I liked, and I pushed, and I was happy. Sweet. I was very happy. Constantly improving. I don't know. I was like, maybe this is a little bit draws your eye. I think the green draws your eye more than the white. All right.
Starting point is 01:27:49 There you go. We'll save that for Kaizen 16, which will be coming not so soon, but eventually. Soon enough. Soon enough. That's right. On our regular two and a half month cadence. All right. Well, that's Changelog & Friends for this week, I guess.
Starting point is 01:28:04 Now we just say bye, friends. Bye, friends. Bye, friends. All right, friends, that is all we have for this July 4th week of developer pods. If you made it this far,
Starting point is 01:28:19 you're a trooper and if you're still hungry for more there is a bonus 15 minutes coming up for changelog++ ears only. Happy Independence Day to all of our fellow Americans and to everyone around the world who enjoys some of the same freedoms that Adam and I do. We are truly blessed to get to make these shows for you, and we hope they're a blessing in your life as well.
Starting point is 01:28:41 We couldn't do it without our partners. Thanks again to Fly.io, to Breakmaster Cylinder, to 1Password, Neon, and Sentry. Don't forget, code CHANGELOG saves you 100 bucks when you sign up for a Sentry team plan. Use it or lose it. Next week on the Changelog, news on Monday, Paul Copplestone from Supabase on Wednesday, and we are working on something for Friday, but we could use some fresh ideas. Please do submit episode requests at changelog.com slash request. We love your help on this. Have a great weekend. Leave us a five-star review if you haven't already, and let's talk again real soon.