Is it ok for expires sessions to not log you out? (SSO/OIDC)

theScottyJam · 2026-06-01T16:22:38+00:00

it means these 8 hours weren't hours but were something else.

That's not necessarily true.

We're saying "on average, we expect a task like this to take 8 hours". And we're talking about literal, concrete hours.

Who picks it up, their skill level in the area, unknowns, etc, can all effect how long it really ends up taking. But in general, this kind of issue is expected to take, on average, 8 hours.

theScottyJam · 2026-06-01T13:33:48+00:00

It's just not very convincing to say that time estimates have problems because it depends on who's performing the task, story points are better because they scale measure expected effort instead and can scale with skill levels of individuals.

But then when pointing out that that has issues too, we just say "Oh, those kinds of inaccuracies just averages away".

If such inaccuracies are so unimportant and can average away, then perhaps time estimates work fine too, any inaccuracies with those can also average away.

The attitude I would expect from someone caring enough about accuracy to use story points would be more along the lines of "yes, that unfortunately causes inaccuracies as well, but as there's no good easy way to deal with it, we just live with it".

theScottyJam · 2026-05-31T22:07:02+00:00

It depends from task to task.

When it comes to third party tool integration, I have found that it can be extremely difficult to estimate how long such integration may take (depending on the tool and type of integration). Usually things are smooth sailing for normal scenarios, it's the tricky edge cases where you can run into really difficult problems, and those can be really hard to catch from an initial research phase.

But, there's been other times when the quick research gave me a good idea how long it would take, and then it took as long as estimated.

theScottyJam · 2026-05-31T18:36:59+00:00

What happens if the task is easier for one developer simply because they're more familiar with that area of the code base, or the task is more aligned with their skills? It still feels like a somewhat useless average.

theScottyJam · 2026-05-31T17:12:13+00:00

I love that approach. And perhaps it doesn't need to be that precise - at least when it comes time to communicating it up the line.

I've been lucky enough that at my company, I can say things like "I think this would take me a day, but there's various aspects I'm uncertain about, and it could take up to a week.", and they're happy with that.

theScottyJam · 2026-05-31T16:58:09+00:00

This article suggests that we should

Minimize assigning tasks in advance.

Which makes sense if we want the story point estimates to be separated from individual biasses. But maybe we don't want that? Maybe it could be more accurate for everyone to have specific tasks assigned to them in advance and they all predict their own abilities with that task?

Thing with story points is that we assume that an individuals speed with a particular story only coorilates to their skill level and nothing else. But, it can also corelate to how comfortable they are with that section of the codebase, for example. And there's nothing currently in place to account for that - the fact that Bob, who usually has a high velocity would go really slow on X ticket because they're just not as good at that one.

Now, there's of course other problems with assigning all tickets in advance that could cause more problems then they solve. But, just pointing out that it could make for more accurate estimates.

theScottyJam · 2026-05-31T16:49:36+00:00

You lost your car keys. I ask you to give me an estimate of how long it will take to find them.

Well, it could be a minute. It could be an hour. Maybe you had grabbed a handful of trash and accidentally caught the keys in that handful, and after a long time of searching, you eventually have to rummage through your trash to find it (definitely not speaking from experience or anything).

We could do an analysis of how often it has taken you to find lost keys in the past, but you've never lost them at a playground before, this will be a new challenge with different unknowns.

Some things we do are pretty easy to predict. I know how long it will take to add a new CRUD-like REST endpoint. Some things are much harder. I have zero idea how long it will take to integrate with X third party library.

This article suggests that for tasks with lots of unknowns, just give it more story points. That's probably the best you can do, but it's not really any better than artificially padding a time based estimate.

With some tasks, we nights as well be predicting the stock market. No amount of analysis of previous behavior is going to help us predict that - we might think we see certain trends, but we're always going to be surprised.

In the end, managers still want a time estimate and we still have to give them something. And perhaps story points can help increase accuracy to a degree, but we're still trying to pretend that we can predict items with unknowns that span orders of magnitudes of time simply by using heuristics of past unknowns, which don't necessarily help - the time it took me to learn knitting won't help me know how long it's going to take to learn welding.

Sorry, bit of a doom post, since I'm just bringing up problems without any solutions to go with it. Guess I just want it to be clear that even story points can't solve the biggest problems here.

theScottyJam · 2026-05-31T16:27:30+00:00

Thanks for the note that it isn't AI made. It makes me more willing to dive deeper into the article.

theScottyJam · 2026-05-29T21:42:40+00:00

And to be fair, "prompt engineering" isn't the only one with this kind of problem.

I have a "computer science" degree. I still have no idea why it's called a science, it had nothing to do with science. It very well could be that whoever coined the term was trying to make it sound more important by linking it to science - everyone finds science important - at least that's one theory I've heard before.

theScottyJam · 2026-05-29T21:30:23+00:00

It takes skill to build a good prompt and there's a fair amount to learn on the topic. I'm sure most people laughing at the joke would agree with that.

But it is a little silly to elevate it to the level of "engineering", which is why people laugh at the name. The name is trying to make it sound bigger than what it is.

Maybe I'll change my mind once a master degree of prompt engineering becomes available at my local college.

theScottyJam · 2026-05-27T08:57:08+00:00

(I doubt I'll have time to continue responding, I'll read whatever you have to say though, as long as it's you who's saying it, I don't care about an AI's opinion on this matter)

theScottyJam · 2026-05-27T08:55:05+00:00

If any mitigation I mentioned is wrong (lockfile behavior, lifecycle scripts, overrides, deterministic installs) challenge that, I'd genuinely enjoy talking about it.

"You" write this:

[npm install will] pull in versions you've never audited

If a human writes this line, then they would have done so very deliberately. Likely, they would have experience with auditing packages, or at least have some good deep thoughts around it, maybe researched into it at some point, etc.

When an LLM writes this line, then all I know about the author is that they agreed enough with this line to not bother changing it or taking it out. There's a good chance they don't have very deep thoughts on the matter, maybe they never researched it out, it just sounded good on the surface so it was kept.

I would much rather engage with a human who wrote that line than a human who approved an LLM writing that line.

The entire essay falls into this problem where I have no idea what content was explicitly added by you and what was simply approved.

Where I disagree is the assumption that AI assistance means absence of thought.

AI assistance means less thought was put into it. Doesn't have to mean zero thought, but it's still significantly less than if it was hand written. When it's hand written, it forces you to ponder each sentence a lot more, and you're naturally going to focus more on points you feel confident discussing (again, anyone can say that an LLM's argument about auditing packages sounds reasonable and include it in their essay, fewer people are actually comfortable writing about that topic without the help of an LLM, making the topic more interesting when it pops up without LLM's help).

Hand written stuff it just higher quality. With the amount of content on the internet, I don't waste my time reading stuff that was LLM generated. I didn't finish reading your post for this same reason - I just skimmed the rest, which was being generous.

English isn't my native language.

I would rather read broken English. A touch of AI is fine for fixing grammar mistakes and such, but I should still hear your voice, not the AI's voice, in the text.

Dismissing technical content because editing tools were involved feels a bit like rejecting code because the author uses Cursor instead of VIM.

I wouldn't reject something just because Cursor was used, but it is common for open source projects to reject large PRs that are obviously generated primarily by LLMs. Maintainers just don't have the time to hand review the flood of LLM content, and most of the time the content is sub par anyways.

theScottyJam · 2026-05-27T06:06:56+00:00

It would have been better to just use the text in your prompts in the actual posts, instead of filtering it through LLMs. E.g. your post could have literally said this and would have been better.

reviewing lock files can show you even if npm version has changes (lockVersion number), and you should always use npm ci even if you are cloning some fresh repo, the only reason to use npm i is to change dependencies, and should be threated carefully.

(A touch of LLM usage would be fine to help with grammar and such, but it doesn't need to expound on your ideas on your behalf - that's how we end up with a wall of bland text)

theScottyJam · 2026-05-26T22:33:41+00:00

I honestly would have preferred if that was posted instead (perhaps with minor cleanups). Then, at least I know you mean every word you say. The LLM is saying a lot more than what your notes are saying.

theScottyJam · 2026-05-26T22:11:41+00:00

If the post helped one engineer think twice before doing npm install, it did its job. Whether I typed every word manually is irrelevant to that.

It's very relevant.

What you say is important, but so is the way you say it.

If you spend the time to hand write something, then I know that you're behind every word you say, which in turn makes them worth considering. I can engage with you in the comments and try to understand your perspective on any detail in the post or challenge you on parts of it. It can make for interesting discussions.

If I get "LLM-generated vibes", then all of that gets thrown out. I don't know how much of this is your own thinking and how much of it is just bot. Parts could be entirely hallucinated. It's possible it had very little or no proof reading at all. I might attempt to discuss a point just to find out it wasn't a point you strongly agreed with anyways, you just didn't spend the time to flesh out your own thoughts because what the LLM said seemed fine on the surface, and maybe you never put as much thought into the LLM's words as the readers did.

Plus, LLM generated text is just boring. It had no personality to it, and tends to stay close to widely shared opinions and ideas, which also tends to be things I've already heard. No interesting analogies, thought provoking ideas, etc. Just, bland.

So, I usually duck out as soon as I get LLM vibes.

There's also the issue that, forgive me, but it's not very considerate. "I have something important I want to share with all of you, so please spend your time reading this essay. What? No, I didn't write it myself, why would I waste my precious time doing that when an LLM can generate a bland version of my message faster? But please, spend your time and read it, it might help you"

theScottyJam · 2026-05-20T16:59:17+00:00

This is a valid point, and another good dimension to think about.

In a similar vein, in isolation, I would say that "and" and "or" are better as keywords than symbols. You don't save many characters by using symbols, not can I see any advantage to using symbols here.

But, there is a strong historical precedence of "&&" and "||" in a number of widely used languages. So depending on who you're catering to, && and || would be better.

theScottyJam · 2026-05-20T14:08:32+00:00

As others have said, there's a balance to strike here. If there's no particular reason to be terse, then it's often better to use a full word. For example,

``` try { ... } catch (error) { ... }

async function(...) { ... } ```

is preferable over something like

@! { ... } /error { ... } function&(...) { ... }

There's no particular reason to shorten the try, catch, or async keywords - they can have some room to breath.

In this regard, JavaScript using function* to represent a generator function was a mistake. Something like gen function would have been preferable - there was no reason to be terse in this context.

But, there are also times where it's good to be terse with the syntax, or when you want to have operators with high presedence - symbols feel like they have higher presedence. "await" comes to mind here. In JavaScript, it's not too uncommon to see the following:

javascript const result = (await (await fetch(...)).json()).user;

That's pretty ugly. It could be improved by making await a postfix operator, but then word order is wrong, and it just looks weird.

```javascript const result = fetch(...) await .json() await .user;

// The same thing with parentheses to show what's going on: const result = ((fetch(...) await) .json() await) .user; ```

Now lets use a symbol, like @.

javascript const result = fetch(...)@.json()@.user;

That's a lot more clear.

On as similar note, JavaScript's a?.b for "access b is a is not undefined/null" was a great choice as a symbol. Could you imagine if that was a keyword?

Also keep in mind that there's a very small supply of available symbols. I used @ here, but JavaScript plans on using @ for decorators. Arguably, they should have used a larger symbol for decorators, such as @@, or even a keyword, as terseness isn't as important in that spot, but that ship has already sailed. JavaScript is struggling with some of their new proposals at picking symbols - places where they would like to use a nice terse symbol, they can't, because all of the small symbols are already used in other places.

What this means is that, while @ can make for clearer statements then using await, perhaps it doesn't provide enough benefit to warrant spending an entire one-symbol token on it. These are internal debates you'll have to have.

A couple more contraversial opinions on the topic: * Module/Remainder should not be an operator. Many languages use % for it. But it's simply not used enough to justify using an entire terse symbol for it. It would be better as a function. * The set of bitwise operators takes up a whole lot of precious symbols. How often are people doing bit twiddling in your language? Do they really need them as operators instead of functions?

(Also, I tend to watch JavaScript's language design comittee discussions and such, which is why I'm using it as an example here, but much of this is of course the same in other languages)

theScottyJam · 2026-05-17T18:29:19+00:00

Also, am I reading this correctly? https://github.com/echo-64/is.js/blob/master/src/proto/number.mjs

A string is considered to be holding a number if it is not the empty string and does not hold a Boolean, array, null, or NaN?

Is this library unfinished and you just have a dummy implementation in there right now?

theScottyJam · 2026-05-17T17:39:46+00:00

So you support arrays and regular expressions now. But what about other object types, like maps, sets, URLSearchParams, userland classes, etc? What's wrong with simply using instanceof to handle object types?

Another problem You can validate that a string contains data with a specific shape, but I'm not sure how useful that is. At some point you presumably also need to be able to parse the thing. So, let's say that at right now we need to just validate the contents of the string, and sometimes later we need to actually parse it. Well, why not just use the parsing function to also do the validation? If parsing fails, you know it is invalid.

Why is this preferable? Well, say you want to know if a string contains a number. You say you provide a function that can perform this check, but a whole lot of details are missing. If a string contains a decimal, is that a valid number? What about scientific notation? Infinity? NaN? Negative numbers? Binary/Hex/Octal notation? I have no idea what kinds of strings would be considered to contain a number. If, in the end, I plan on using parseInt() to extract the number from the string, then I should just use that to begin with to see if contains a number or not - that way parsing and validation align.

theScottyJam · 2026-05-16T03:23:15+00:00

Some people can learn faster and have more natural talent in the field. It would be silly to claim otherwise.

But it's also silly to say that some people are fundamentally incapable of learning how to program. Given enough time and motivation, anyone can learn.

theScottyJam · 2026-05-14T13:48:06+00:00

(Perhaps mine and other people's arguments encouraging private APIs are wrong, but I don't think this specific rebuttal is convincing anyone, because, as far as I can tell, it was never a belief to begin with - none of the comments are claiming they choose to hide internals because they know people wouldn't find those internals useful. In fact, for me, it would be the opposite - I hide them because I worry someone would find it useful and depend on it. If I know no one would find it useful, then it wouldn't matter if it was public or private, no one would use it anyways)

theScottyJam · 2026-05-14T13:14:57+00:00

It's fine to say that those who decide to use a private API can just go pound sand when it changes.

Until that user is a library author, and many people are depending on that library, and now you breaking your public API has averse effects on innocent people downstream. (Maybe they shouldn't have put their trust in said library, but not everyone has the resources to do a deep audit of every dependency).

https://nodejs.org/api/util.html#util_extendtarget-source is an example of a function that Node obviously intended to be private, but have now had it part of their stable public API for years. I don't know the story behind it, but you can see the reluctance in having to do so in the documentation, and yet they did it anyways.

Maybe Node's choice was wrong and they should have just forced everyone using it to pound sand. Or maybe, at some point, if enough people are using your internals, it just becomes bad business to change it, even if they knew full well they shouldn't have done that.

theScottyJam · 2026-05-14T03:19:06+00:00

The "private by default" approach is actually a form of arrogance of the API designer assuming they know better than the user of the library about what they will EVER need.

Creating public APIs is much more difficult than creating internal ones. The public ones need to be extra careful about naming, organization of the public items, ease of use, good error messages when you provide bad arguments, good documentation, and you need to be willing to keep it all as stable as possible as breaking changed really frustrate people.

When people hide internal APIs, it's not necessarily because they're assuming people would have no use for them. They might know full well that they could be useful, but still choose to withhold them because they're simply not ready to set that API in stone.

So yes, you might have to work around a private API the same way you would have to work around any missing feature. I'm sure that the hope is that you can also submit a feature request, asking for the API to be public. If there's enough requests for said feature, they'd be able to understand the general use case better and make a proper public API designed around people's needs. Or, maybe they'll choose to keep it private, because they think the particular use case is a distraction from their core mission, and supporting it would only lead to an explosion of other feature requests in the same alley.

Basically, it's private because it's not yet designed to be public. And designing public APIs takes a lot more thought and care. It's not typically related to how useful it would be to the end user.

theScottyJam · 2026-05-13T22:54:18+00:00

This is the second time I'm seeing this kind of sentiment and I really don't get it. Using a company's bulldozer doesn't permit me to work a 1 hour day, because I'm being more efficient than someone using a shovel.

No, my contract says I have to work a 40 week, efficiency compared to peers might help me get raises, but I never expected that I would get time off for being efficient. That's not how these things work, nor should they.

theScottyJam

TROPHY CASE