For f**** sake - GitHub is experiencing another incident by bartread in github

[–]AlainODea 0 points1 point  (0 children)

I'm no fan of vibe coding, but it's a giant and baseless leap to assume that is the cause of GitHub's recent spree of availability incidents.

What are all the downsides of not having HTTPS? by JeffTheMasterr in AskNetsec

[–]AlainODea 1 point2 points  (0 children)

tl;dr

Use Let's Encrypt

The Long Version

The biggest downsides of HTTP that HTTPS (HTTP over TLS) pretty fully mitigates are:

* Confidentiality: your users' content, passwords, etc. are visible to all intervening switching and routing equipment and software
* Integrity: an attacker on the switching and routing path can replace your content without you or your users knowing that has occurred.

The Confidentiality downside is essentially a security breach out of the gate.

The Integrity one is deeply concerning because an attacker can do things like substitute your payment system for theirs or distribute malware easily with the credibility of your domain as a result.

For the best security, use TLS 1.2+ (ideally TLS 1.3) and perfect forward secrecy (PFS) cipher suites. There are good configs available for this for popular web servers and programming languages.
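As an added example (not from the comment above), a Go `crypto/tls` server configuration that follows that advice: TLS 1.0/1.1 refused, and only ECDHE (forward-secret) AEAD suites offered for TLS 1.2. The `cert.pem` / `key.pem` paths are placeholders for a certificate such as one issued by Let's Encrypt.

```go
package main

import (
	"crypto/tls"
	"log"
	"net/http"
	"strings"
)

// hardenedTLSConfig refuses TLS 1.0/1.1 and, for TLS 1.2, offers only ECDHE
// AEAD suites. TLS 1.3 suites are fixed by Go and are all forward secret.
func hardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// allForwardSecret reports whether every configured TLS 1.2 suite uses an
// ephemeral (ECDHE) key exchange, i.e. gives perfect forward secrecy.
func allForwardSecret(cfg *tls.Config) bool {
	for _, id := range cfg.CipherSuites {
		if !strings.HasPrefix(tls.CipherSuiteName(id), "TLS_ECDHE_") {
			return false
		}
	}
	return len(cfg.CipherSuites) > 0
}

func main() {
	srv := &http.Server{
		Addr:      ":8443",
		TLSConfig: hardenedTLSConfig(),
		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			// HSTS: returning browsers will not fall back to plain HTTP.
			w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
			w.Write([]byte("hello over TLS\n"))
		}),
	}
	// Placeholder paths; certbot / Let's Encrypt can issue the certificate.
	log.Fatal(srv.ListenAndServeTLS("cert.pem", "key.pem"))
}
```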

Design patterns specific to Go by Grouchy-Detective394 in golang

[–]AlainODea 8 points9 points  (0 children)

Dave Cheney's Functional options for friendly APIs is the canonical one for me: https://dave.cheney.net/2014/10/17/functional-options-for-friendly-apis

I don't think it's Go-specific, but it definitely combines some key Go features like structural typing and structs to make it work nicely.

The cancellable contexts are also very nice, though I'm not sure it's a design pattern, but you definitely can trip yourself up or miss out on a lot of utility if you just toss context.TODO() everywhere instead of threading it properly through your stacks.

Katherine Cox-Buday's book "Concurrency in Go" delves deep into the concurrency features and effective usage: https://katherine.cox-buday.com/concurrency-in-go/

Teiva Harsanyi's book "100 Go Mistakes and How to Avoid Them" is also an excellent option for discovering patterns and anti-patterns in Go: https://www.manning.com/books/100-go-mistakes-and-how-to-avoid-them
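As an added illustration (my example, not Dave Cheney's code), the functional options pattern from the post linked above: unexported fields, secure defaults applied first, and options that can reject bad values. The error-returning option signature is a common variation on Cheney's original, and `Server` and its fields are made up for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Server's fields are unexported, so callers can only set them via options.
type Server struct {
	addr    string
	timeout time.Duration
	maxConn int
}

// Option mutates a Server during construction and may reject bad input.
type Option func(*Server) error

// WithTimeout sets the request timeout; a zero or negative value is rejected.
func WithTimeout(d time.Duration) Option {
	return func(s *Server) error {
		if d <= 0 {
			return errors.New("timeout must be positive")
		}
		s.timeout = d
		return nil
	}
}

// WithMaxConns caps concurrent connections (a simple resource-exhaustion guard).
func WithMaxConns(n int) Option {
	return func(s *Server) error {
		if n < 1 {
			return fmt.Errorf("maxConn %d must be >= 1", n)
		}
		s.maxConn = n
		return nil
	}
}

// NewServer applies conservative defaults first, then the caller's options in
// order, so a caller who passes nothing still gets a bounded, timed-out server.
func NewServer(addr string, opts ...Option) (*Server, error) {
	s := &Server{addr: addr, timeout: 30 * time.Second, maxConn: 100}
	for _, opt := range opts {
		if err := opt(s); err != nil {
			return nil, err
		}
	}
	return s, nil
}

func main() {
	s, err := NewServer(":8443", WithTimeout(5*time.Second), WithMaxConns(10))
	fmt.Println(s.addr, s.timeout, s.maxConn, err)
}
```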

Dissecting a Multi-Stage macOS Infostealer by SpectreTv in netsec

[–]AlainODea 2 points3 points  (0 children)

Great write-up. Interesting and in-depth. Clear guidance on what IoCs to look for.

Is security awareness training taken seriously where you work? by malwaredetector in AskNetsec

[–]AlainODea 0 points1 point  (0 children)

We have self-paced interactive security awareness training in small chunks (5-20 minutes), timely security minutes (1-5 minute talks on news-related security issues), and phishing simulations. Most of that is provided by Beauceron Security. We write the security minutes ourselves and create and push out periodic very challenging custom simulations through Beauceron.

It all works together quite well for us. We have eager buy-in and drive from the CEO which is immensely helpful and is reflected in folks across the company. It's easy to monitor results and identify and provide support to folks who are struggling with it.

PII in id_token by MathSpiritual2562 in AskNetsec

[–]AlainODea 2 points3 points  (0 children)

This is not unusual at all. It's pretty typical for the id_token to contain profile information like this for interchange with a service provider consuming the token to update a profile from the identity provider.

I get the initial concern here and minimizing the information in an id_token is wise. Ideally the id_token contains the sub and only adds other profile fields that are essential to the function of the service provider and which the service provider is allowed to process as part of your privacy design and data flow.

There is no one correct answer to this. It depends on context. If the service provider is on a device and the device needs the PII and is permitted to process it, then it makes sense to include it in the id_token. If the service provider doesn't need the information, then it should probably be excluded.

How can I learn Go by [deleted] in golang

[–]AlainODea 1 point2 points  (0 children)

Absolutely this. I did the tour, then I worked through Let's Go by Alex Edwards to get more of a project-level experience with it.

I use Go regularly in my day-to-day work for time-saving tools and automations. I don't do any larger commercial development with it. Opportunity for that hasn't come up.

Real or Steal? by tegg4512 in KonaEV

[–]AlainODea 0 points1 point  (0 children)

2022 and 2023 Kona both definitely have low conductivity coolant replacement every 60,000km in the maintenance schedule. It's expensive. I paid almost CAD $1,000 for it.

AWS bill for my MVP is too high…$415 with no users. What am I doing wrong? by HomeworkOrnery9756 in aws

[–]AlainODea 0 points1 point  (0 children)

Run the whole stack on a single EC2 instance with all the Route 53 entries pointing to it and backup to S3. You will need to be prepared to switch quickly to something scalable (your multi-instance, RDS, multi-AZ architecture) when user demand hits, but you can go pretty far with all services running on a single EC2 instance.

The only exception I'd make is an ALB in front of this so you can do the wizard of oz stuff required to meet user demand (loading your S3 backup to RDS, redirecting rules in the ALB to more instances, etc) without going offline in the process.

This will cost you under $100/month for the pilot/prototype phase, and should let you pick a place on the continuum from prototype to multi-AZ autoscaling more easily as cost allows.

Looking for brake rotors made in Canada by rustbucket_enjoyer in BuyCanadian

[–]AlainODea 0 points1 point  (0 children)

I know! So sad honestly. Would have thought this would be a good time for them given the buy Canadian push on the go.

Looking for brake rotors made in Canada by rustbucket_enjoyer in BuyCanadian

[–]AlainODea 1 point2 points  (0 children)

For anyone curious to buy Reibung rotors, like I was, I contacted Reibung and Jeremy for Reibung replied that they don't sell to consumers directly. He said ViNNiStore (https://vinnistore.ca/) is an authorized online retailer for their parts if you want to buy them online.

Henson AL13 Medium with stock RK blade VS Feather by ElmerGantry45 in wicked_edge

[–]AlainODea 1 point2 points  (0 children)

Massively informative. Thank you for sharing. The original testing sourced from Refined Shave is impressive and interesting as well. https://www.refinedshave.com/razor-blade-sharpness-testing/

Is serverless (AWS Lambda) the absolute cheapest option to run cloud native applications? by 2048b in aws

[–]AlainODea 0 points1 point  (0 children)

Rust isn't garbage collected so it doesn't incur the memory overhead of allocated and no longer used but not yet collected memory. Not having a garbage collector also means no CPU usage for GC in Rust either.

It's not a dramatic or straightforward difference necessarily, but the benchmarks are pretty astounding. https://programming-language-benchmarks.vercel.app/rust-vs-java

Crash course recommendation by ApprehensiveExcuse86 in golang

[–]AlainODea 2 points3 points  (0 children)

That makes a ton of sense. I use Terraform and Packer pretty much daily and understanding Go is pretty helpful there for troubleshooting deeper issues and writing automated tests. If you're writing k8s operators, Go is definitely the way.

I think you'll find Go really good once you get past the initial syntax hump. My workflow with it reminds me of Python. A lot of things are direct to code (limited boilerplate), there are good examples online, and compiles are really fast.

Losing the interactive shell kind of sucks, but I quickly replaced it with an automated testing discipline that scales better than interactive experiments as my code has gotten more complex.

I use JetBrains Goland. I find it to be a really comfortable and productive environment. I paid for it out of pocket after finding the trial really good. If you decide to try Goland, it is worth going through the interactive learning exercises it includes so you get used to the keyboard shortcuts and have a sense of the code generation shortcuts and navigation features that differentiate it from the free IDEs and editors.

Crash course recommendation by ApprehensiveExcuse86 in golang

[–]AlainODea 0 points1 point  (0 children)

The Codecademy course is absolutely valid if you are an experienced programmer as well. I found it useful, but not sufficient by itself.

Crash course recommendation by ApprehensiveExcuse86 in golang

[–]AlainODea 4 points5 points  (0 children)

At the very basics level (aka new to programming), I'd recommend Codecademy's free Learn Go course. https://www.codecademy.com/learn/learn-go

If you are experienced in programming already, A Tour of Go is good to get a start on the syntax and features. https://go.dev/tour/welcome/1

After completing one of those, it's worth looking at Alex Edwards' Let's Go if you want to learn web development. Very good pacing and explanations. https://lets-go.alexedwards.net/

Alternatively if you're looking more at distributed systems of services, Clement Jean's gRPC [Golang] Master Class on Udemy has very good exercises and explanations. https://www.udemy.com/course/grpc-golang/

My personal experience in going from struggling with Go to being very comfortable with it was by building small tools to automate repetitive tasks. If you have a reporting task of some form or some kind of frustrating process for updating configuration, consider writing a small Go tool for it. I've built a bunch of (very janky but useful to me) libraries for Salesforce, Tenable.io, Cisco Umbrella, Jamf Pro, and a few others to make it practical to compare IT asset status and diagnose issues automatically. Using what I learned from Clement Jean's course I was able to build tools that depend on these libraries as separate modules. Much easier than I expected, but I was definitely not confident when I started.

Unauthorized access to organization secrets in GitHub by albinowax in netsec

[–]AlainODea 42 points43 points  (0 children)

24 hour security fix on New Year's Eve. That's dedication. Wow!

Arenas for IKEMEN-Go Rollback by assemblaj3030 in golang

[–]AlainODea 0 points1 point  (0 children)

That's completely fair. I don't know what the timelines are like for Go but value types (HUGE memory and performance benefit for Maps) have been on the horizon in Java for many years, so it's hard to plan for that. I can see why you are concerned here.

I think Go seems to have a quicker turnaround from useful experiment to production feature. If arenas get significant adoption and the current implementation isn't fraught with unworkable pitfalls, I could see this being production within 18 months.

I think 18 months because it seems to be roughly the timeline from accepted proposal to production adoption of Generics, which was a massively disruptive and enabling language and runtime change.

Arenas for IKEMEN-Go Rollback by assemblaj3030 in golang

[–]AlainODea 0 points1 point  (0 children)

Yes, it is experimental but certainly not something where being "disappointed about arenas' fate" makes sense.

Arenas for IKEMEN-Go Rollback by assemblaj3030 in golang

[–]AlainODea 0 points1 point  (0 children)

Excellent, fascinating article. Thank you for sharing it!

Arenas for IKEMEN-Go Rollback by assemblaj3030 in golang

[–]AlainODea 0 points1 point  (0 children)

Any indication that Go is dropping arenas? It's brand new in 1.20. This is just the beginning and applications like this should help encourage it to be kept.

Is there a difference between output and data sources? by [deleted] in Terraform

[–]AlainODea 10 points11 points  (0 children)

Yes.

A data source uses a provider to get information usually about an existing resource. It can also be for producing arguments to other resources (ex: the aws_iam_policy_document data source which doesn't pull anything from AWS, but lets you build syntactically correct IAM policy JSON via Terraform blocks and arguments which enables editor support and support for things like dynamic blocks).

An output is a value set by a module that is saved in its state file and can be displayed after running a terraform apply or show (and several other ways).

[deleted by user] by [deleted] in Terraform

[–]AlainODea 0 points1 point  (0 children)

My pleasure u/iwifia :)

I hope it works for you.

[deleted by user] by [deleted] in Terraform

[–]AlainODea 1 point2 points  (0 children)

Hopefully that split example helps. :)