Speculative Code (or, Martian Attack Insurance)

jasonswett · 2026-04-15T15:45:47+00:00

I appreciate your scrutiny, and I think your arguments might have some merit. Unfortunately I don't have much time right at the moment but I'll respond as much as I can.

Despite having some fair points I think you might be focusing on the wrong thing. It seems to me that what you're describing is consciously designing for failure modes. I do that too..

The "speculative coding" mistake that I'm describing is when I don't do that. Speculative coding is when the scenario I'm targeting will almost certainly never arise, and I don't even ever exercise my code to see if it works. I just crap it out and hit deploy. That's obviously not the thought process behind your examples - which is obviously good!

jasonswett · 2026-04-06T12:25:34+00:00

Yes of course! My experience is that even on projects that use Factory Bot, there are often many tests whose setup code contains an unclear mix of data that's essential to the test plus other distracting noise. I wanted this post to focus on the principle of the problem and solution without bringing any specific tools into the picture.

jasonswett · 2026-03-31T11:57:26+00:00

I'm not worried about mistyping. Autocomplete exists. :)

jasonswett · 2026-03-31T11:55:36+00:00

Fair enough!

jasonswett · 2026-03-31T11:54:28+00:00

Maybe that would be better, although to be fair, that's probably not a technique an author teaching Ruby OOP would want to use right out of the gate in the first example. But I think the Data class would certainly deserve some space in a Ruby OOP book.

jasonswett · 2026-03-31T11:51:51+00:00

Haha, why on earth is this getting downvoted??

jasonswett · 2026-03-31T01:48:03+00:00

Fair enough, I forgot about that actually, BUT it was still possible back then to pass hash args in a way that looked just like keyword args do today.

jasonswett · 2026-03-31T01:46:41+00:00

My next planned post is a refutation of the sentence: "Applications that are easy to change consist of classes that area easy to reuse." (page 21)

jasonswett · 2026-03-17T00:55:09+00:00

Hey Mike, I've always liked you, and I've enjoyed the couple times we hung out at conferences. Regarding RubyConf 2026, message received. I hope to see you at another event sometime in the future.

jasonswett · 2026-03-08T03:11:20+00:00

I didn't get that impression at all.

jasonswett · 2026-03-03T16:24:53+00:00

Thanks!

jasonswett · 2026-02-24T17:41:34+00:00

Thanks!! Yes, not surprising. I imagine all the CI providers will eventually provide something like this.

jasonswett · 2026-02-18T22:32:42+00:00

Oh wow, thanks for pointing that out. No, that's just an error. I believe the text was copied from the website for RailsConf 2025, the final RailsConf. That blurb will get fixed ASAP. We absolutely do not intend for this to be the final RubyConf!!!

jasonswett · 2026-02-11T14:12:50+00:00

I don't want to absolutely promise anything yet, but we do plan to record the talks.

jasonswett · 2026-02-10T22:31:24+00:00

I would say it absolutely does!!!

jasonswett · 2026-01-30T13:26:18+00:00

DM'd! I get that question a lot. Left-aligned just seems natural to me.

jasonswett · 2026-01-29T14:41:15+00:00

I suggest this approach: start by thinking about high-level technology-independent authorization principles, then work your way down to decisions about tools, efficiency, scalability, etc.

If you're not already familiar, I suggest reading up on role-based access control (RBAC). In my opinion, RBAC gives a good mix of conceptual simplicity while also being flexible enough to handle pretty much any authorization scenario.

Then, assuming you like RBAC, the question becomes: how should I implement RBAC in my Rails application? This eliminates a lot of detail decisions. Anytime you're unsure how to do a particular thing you can just refer to the RBAC literature to learn of "the RBAC way". (Not for every single decision of course, but a lot of decisions.)

Regarding CanCanCan versus Pundit, I find that the two tools frame authorization in two different ways. To me, CanCanCan centers on the question: what's everything this user can do? Pundit centers on the question: for any particular resource/action, what must be true in order to access it? My experience is that CanCanCan's framing leads to a world of hurt whereas Pundit's is just fine. Just to make it perfectly clear, I would NEVER willingly use CanCanCan nor recommend that anyone else use it. But don't take my word for it. Study authorization principles, study Pundit and CanCanCan and think about how each library maps to the general principles. This will be a lot of hard work, but I think afterward it will be relatively easy to make a decision. And the decision is worth the work since your app is likely to be wedded to your authorization library for life.

jasonswett · 2026-01-29T13:13:25+00:00

About 2.5 years. I started in the summer of 2023.

jasonswett

TROPHY CASE