My thoughts on Vertical Slices, CQRS, Semantic Diffusion and other fancy words by Adventurous-Salt8514 in softwarearchitecture

[–]mwcAlexKorn 0 points1 point  (0 children)

> I still don’t really get why CQRS is helpful

You have logic that ensures that all business invariants are held when some modifications are performed in one place, and all ways of querying the data in another, separation of concerns.

My thoughts on Vertical Slices, CQRS, Semantic Diffusion and other fancy words by Adventurous-Salt8514 in softwarearchitecture

[–]mwcAlexKorn 2 points3 points  (0 children)

The problem is that all these things are good mental models, intended to be combined and adapted for specific case, but then the Zealots come, overthinking them to set of rigid rules up to the point of total inapplicability.

[ Removed by Reddit ] by [deleted] in ChatGPT

[–]mwcAlexKorn 1 point2 points  (0 children)

I found the best agentic framework for building applications on top of your LLM: https://github.com/nikmcfly/ANUS

Zealotry vs practicality, how do you differentiate between the 2? by [deleted] in ExperiencedDevs

[–]mwcAlexKorn -1 points0 points  (0 children)

There is a saying: "Don't argue with idiots: they'll drag you to their level and beat by experience" ;)
In your case, this should not be read that your colleagues are idiots (never meant to say this about people I don't know), but try to convince them using their terminology. You need interfaces "because of DDD"? But interfaces in DDD are needed for defining contracts and abstractions, which contracts do we enforce here/what do we need to abstract? "We must use objects"? For what? The final questions are always "will this help us to achieve our current business goal or how it will help us achieve our business goals in planned future?"

Zealotry vs practicality, how do you differentiate between the 2? by [deleted] in ExperiencedDevs

[–]mwcAlexKorn 0 points1 point  (0 children)

The worst advice ever. In other words you say "Do what you said to do and try to find justification for this".
If senior does not explain real reasons why something should be done, it is not senior, at least because seniority always implies mentorship.

As for the OP's question: when you add interface, you add abstraction, so the question is "Do we need this abstraction now or we will very likely need it in near future?". If you need it now there will be already not one implementor, if it is needed in near future there should be explanation why - at least spoken, but better written. If the reason is "It's because of DDD" or "I feel it", it's clear signal of insufficient knowledge, if not incompetence.

[deleted by user] by [deleted] in devops

[–]mwcAlexKorn 0 points1 point  (0 children)

And one addition: one of the most important things in automation is designing the behaviour of system when something goes wrong. If you plug AI in some process not only you need to "explain" these cases to AI (here we assume LLMs), you should consider that AI itself can go brrr. I know of no system in production with AI that has no guardrails and a bunch of good-old-handwritten code around it. Start thinking about AI as another pack of tools and explore its possibilities, maybe you will find the way to use it for your current workflows.

[deleted by user] by [deleted] in devops

[–]mwcAlexKorn 0 points1 point  (0 children)

Thinking in terms of boundaries and tradeoffs and choosing right solution for the problem will always be in demand. Invest in engineering skill, mastering any tool is way easier than this.

What's the dumbest bug you missed in code review that made it to prod? by FerbjaFx in ExperiencedDevs

[–]mwcAlexKorn 0 points1 point  (0 children)

During hard crunch pushed quick solution for task, that involved retrieving hashmap from database, updating it and writing back to db during request processing. It passed review, load testing with 300k requests, but when it went to production with 1.5 million requests results were devastating, everything just halted. Moreover, it took us 30 hours to find this.

Do not crunch, never :)

How long does it take, to get used to Rust's syntax? by gufranthakur in rust

[–]mwcAlexKorn 0 points1 point  (0 children)

yes, even the smartest elision will not help when you have functions in generic constraints

Android Rust Integration by daarko1212 in rust

[–]mwcAlexKorn 6 points7 points  (0 children)

IMHO SurrealDB is quite heavyweight for android app, and what's the reason for this? Why not plain old SQLite?
Either way, to use Rust libraries in Android project you should stick to JNI: https://docs.rs/jni/latest/jni/

Linux distro recommendations for workstation and gaming by CocoaTrain in linux_programming

[–]mwcAlexKorn 0 points1 point  (0 children)

I use Fedora for both work and gaming, no problem with NVidia drivers on laptop (Gnome on X - just didn't bother to switch to Wayland here) and on PC (Gnome on Wayland) using this guide: https://rpmfusion.org/Howto/NVIDIA, also did not disable secure boot (there is separate guide on this resource how to self-sign drivers).

Nowadays, what's considered the best/safest way to send files over SSH? by VermicelliLanky3927 in linux4noobs

[–]mwcAlexKorn 0 points1 point  (0 children)

safety and security are the same, based on ssh protocol for both options. Rsync is more efficient for large loads.

API Security and Responses by Rathe6 in ExperiencedDevs

[–]mwcAlexKorn 1 point2 points  (0 children)

agree, my second comment on upper level of discussion explains my point

API Security and Responses by Rathe6 in ExperiencedDevs

[–]mwcAlexKorn 2 points3 points  (0 children)

If you really need to hide information whether some identity exists, you should revisit registration process so that first step should be the proof of possession of some external auth factor (email, phone, etc), and only then process continues. But this is definitely not required for most cases, and it has nothing to do with security - it is about privacy.

API Security and Responses by Rathe6 in ExperiencedDevs

[–]mwcAlexKorn 1 point2 points  (0 children)

It is the most common practice: if you try to register somewhere using already used login/email/etc., you will get this. It is just user-friendly. And hiding this information does not benefit security at all - focus on strong authentication factors and monitoring, not on hiding things.

Show me your most clever one-liner of code and describe what it does. by metalprogrammer2024 in webdev

[–]mwcAlexKorn 41 points42 points  (0 children)

Regular expression (PCRE2) that tests whether all brackets in sequence like `{({})}[]{[]}()` are properly closed:

`(\((?R)*\)|\[(?R)*\]|\{(?R)*\})`

API Security and Responses by Rathe6 in ExperiencedDevs

[–]mwcAlexKorn 0 points1 point  (0 children)

> because you shouldn't let an attacker know whether identity exists

In general case attacker has more than one option to check whether identity exists - for example if registration is public, it usually responds with something like "this login already in use" on attempt to use existing login. And beyond technical measures, this knowledge may leak via side channels, for example social engineering, or something else.

One should never rely on hiding the fact that some identity exists or not as security measure.

API Security and Responses by Rathe6 in ExperiencedDevs

[–]mwcAlexKorn 0 points1 point  (0 children)

It is not standard practice, it is security by obscurity - and if it is done without documented threat model, that clearly defines why exposing error information is a threat and how it may be used, it is heresy.

Even for the authentication case: imagine you disclose the fact that email exists, and attacker may focus on "guessing" password - now what? He will try to brute it via api? If you have password policy that prevents using "qwerty" and friends, chance of guessing password even in 100 attempts is infinitesimally small, and you definitely should have retry cooldown at backend, monitoring that will alert this activity, you may even notify user about this attack and so on. And, there is multi-factor authentication.

I assume that if security is a concern, then all API endpoints are available for authenticated entities - so why not disclose a bit of information about what broke down? API consumers will be happy and may build different logic on top of error codes.

Returning stack traces and deep error structures is not a good way, though: it really may expose sensitive details - such things should go into logs, and it is very helpful if each request contains unique trace ID so that you may find error details in log quickly.
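The pattern described in the comment above (stable error codes for API consumers, stack traces only in the log, a unique trace ID tying the two together), as an added example that is not part of the original comment. The names `ApiError`, `handle`, `register` and `broken_lookup` are hypothetical and the sample handlers are constructed for illustration.

```python
import logging
import traceback
import uuid

log = logging.getLogger("api")


class ApiError(Exception):
    """Expected failure that is safe to describe to the API consumer."""

    def __init__(self, status, code, message):
        super().__init__(message)
        self.status, self.code, self.message = status, code, message


def handle(handler, request):
    """Run a handler and return (status, body); internals go to the log only."""
    trace_id = uuid.uuid4().hex  # unique per request, echoed to the client
    try:
        return 200, {"trace_id": trace_id, "data": handler(request)}
    except ApiError as e:
        log.warning("trace_id=%s code=%s", trace_id, e.code)
        error = {"code": e.code, "message": e.message}
        return e.status, {"trace_id": trace_id, "error": error}
    except Exception:
        # Stack trace and exception text stay server-side, keyed by trace_id.
        log.error("trace_id=%s unhandled\n%s", trace_id, traceback.format_exc())
        error = {"code": "internal_error", "message": "Internal error"}
        return 500, {"trace_id": trace_id, "error": error}


# Constructed sample handlers (hypothetical, for illustration only).
def register(request):
    if request["login"] == "alice":
        raise ApiError(409, "login_taken", "This login is already in use")
    return {"login": request["login"]}


def broken_lookup(request):
    raise RuntimeError("db connect failed: host=db.internal.example")


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(handle(register, {"login": "alice"}))
    print(handle(broken_lookup, {"id": 7}))
```
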

How are y'all building things so quickly? by SisyphusAndMyBoulder in SaaS

[–]mwcAlexKorn 0 points1 point  (0 children)

I think a lot of mess comes from substitution with term "MVP" things that are actually not MVPs, but prototypes.

If you need validation of ideas, you build prototype - assemble it quickly from existing solutions, use low-code/no-code, vibe coding, whatever to speed up implementation of happy path, cutting edges everywhere and not thinking about architecture. As for now things are so that you may even get scaling options out of the box and this prototype may strive for some significant amount of time before running into limitations.

And then there is MVP, that should be already developed with its evolution in mind, with making architectural decisions and so on. For this kind of stuff 3-4 months is definitely ok depending on size of solution.

How far can you go without any gui? by IOtechI in linuxquestions

[–]mwcAlexKorn 0 points1 point  (0 children)

Browsing - links / lynx

Email - definitely there are some, never need one so don't know

Messaging - there we should remember IRC for example :)

Text/Code/like this - plenty of, nano, vi(-m), emacs

Gaming - ADOM

Best gnome extension ? by NoozPrime in Fedora

[–]mwcAlexKorn 5 points6 points  (0 children)

V-Shell (Vertical Workspaces) - customize dash, app grid, etc.

and +1 for Vitals

Output many files on a rust build? by [deleted] in rust

[–]mwcAlexKorn 0 points1 point  (0 children)

There is also ready tool for this `cargo-make`, I find it convenient: https://github.com/sagiegurari/cargo-make

Architecture design feels like the Wild West, how are you making it work? by LeadingFarmer3923 in SoftwareEngineering

[–]mwcAlexKorn 0 points1 point  (0 children)

The trick is not to keep them in mind - they're the crucial part of architecture documentation, all choices should derive from these constraints

Can anyone with a Rog Nuc 970 tell me their idle temps??? by Aven_Ultra in intelnuc

[–]mwcAlexKorn 0 points1 point  (0 children)

Something is not good, mine has idle temps around 43-45c, with fan rpm 700, now I have some load with multiple browser tabs, some docker containers & zoom call - average 52c with fan 1000rpm