WDRL — Edition 250: Efficient Servers, Doka, Permission Blocking, Payment Security and Thinking in Triplicate UX

Celý článek

Hey,

Everyone here has different thoughts on Open Source. It’s a topic widely discussed between developers and it causes a lot of trouble. Just recently again, we faced a major security incident in a popular npm package. It happened because the initial author of the free and open source package wasn’t interested in maintaining it and trusted someone who asked to maintain it who then, after publishing a few well intended updates finally introduced some malware script that steals specific Bitcoin wallets on a user’s device. The incident shows the problem with Open Source very well: We put our trust into someone we don’t know at all. We depend on them, their packages and cannot properly monitor everything. We build whole companies that depend on an experiment from someone who gets nothing (except maybe some fame but even that is rare) out of this. The problem is that we all love open source — whether we write open source code ourselves or use it. But we’re not keen in supporting the people writing it. We’re using the resources but don’t care if the authors can still make a living or not while we charge our clients money for using these free sources.

We shouldn’t be angry about them, we should show empathy if an accident like a security issue happens. We should support the people who caused the problem and not blame them. If we rely on the tools, we should give them some money and show them that you honour their work. If you can’t put in some money, maybe write them a letter that you like what you do and value it. Let’s change perspective on how to look at open source tools, who drives them, who benefits from them. And next time you build a project, keep that in mind. Keep in mind that you don’t know if these dependencies are evil or not. Keep in mind that not all updates will be fine, they will introduce bugs or security vulnerabilities or even carry malware. Ensure that this will not affect you that badly that you’re losing money with it.

News

• Firefox will soon offer users a browser setting to automatically block all permission requests. This will affect Autoplaying videos, Web Notifications, Geolocation requests, camera or microphone access requests. It shows how horribly wrong developers are using these techniques and annoy users so that there’s now the need to auto-block these requests. Sad news for those who rely on such requests for their services, like WebRTC calling services.

UI/UX

• Erica Hall shows us examples on why most of ‘UX design’ is a myth and why a good product is not made only by design but by the right product strategy and its business model. The best example why you should read this is when she says “Virgin America. Rdio. Google Reader. Comcast. Which of these offered a good experience? Which of these still exists?” — a truth you can’t ignore and gladly this is not a pessimistic article but has really good thoughts on how we can use that knowledge to improve our products. With strategy, with design, with a business model that fits the product.

Security

• Terence Eden explores that a lot of big sites offering payment are including unauthenticated, unverified JavaScript from third-parties and elaborates what this means, why it’s so harmful and what would be the solution to this. That said, the Stripe JavaScript bundle that you need to include is also not offering Sub Resource Integrity.
• Another security incident happened this week with a very popular npm package: event-stream was published with malware code that steals specific Bitcoin wallets from computers. Please check your dependencies on your machine and ensure you update to the latest package versions. npm audit also helps identifying such issues.

Privacy

• Do you have a husband or wife? Kids? Other relatives? Then this essential guide to protect your family’s data is something you should read and turn into action. The internet is no safe place and you want to ensure your relatives understand what they’re doing and it’s you who can protect them by teaching them or setting up better default settings.

Web Performance

• Amazon's cloud unit launches Arm-based server chips and by that they’re able to reduce costs by about 45% for e.g. web servers. This means that the energy consumption is much lower and overall efficiency is higher which is a good sign for our planet as well. We need more of these evolutionary infrastructure upgrades that lower the impact of tech on our climate.
• Ire Aderinokun reminds us why it’s a good idea to offer WebP images today and how we can do so. This gets even more relevance now that Firefox announced and offers WebP support in their Nightly builds and Edge supporting it since the last release.

HTML & SVG

• Michael Scharnagl on why the madness of bashing people due to their preference of HTML, CSS or JavaScript as language of their choice needs to stop.

JavaScript

• Doka is a new standalone JavaScript image editor worth keeping in mind. While it’s not a free product, it features very handy methods for editing with a nice user experience and by paying an annual fee you ensure that you get bugfixes and support.
• The Power of Web Components shares the basic concepts, how to start using them and why it can give you so much relief using your own HTML elements instead of needing to glue HTML, the related CSS classes and a JavaScript trigger together.

Work & Life

• Paul Robert Lloyd writes about Cennydd Bowles ’ book “Future Ethics” and while explaining what it’s about he also points out the challenges of ethics by a simple example — something we all can understand.
• Jeffrey Silverstein is a teacher and struggled a lot with working full-time and having time for side-projects. He struggled with his beloved job but now found a solution which he shares with us in this great piece of text about How to balance full-time work with creative projects. A fine read that I can totally relate to and got quite some inspiration from.
• Ben Werdmüller on why lifestyle businesses are massively underrated. But what’s a lifestyle business? He defines them as non venture-funded businesses that allow its owners to maintain a certain level of income but not more. As a fun side note here, this article shows how crazy rent on the West Coast in the U.S. has become.
• Jake Knapp on how he survived six years with a distraction-free smartphone — no emails, no notifications. And he has some great tips and an excercise to try for us. I recently moved all my apps into one folder on the second screen to ensure I need to search for the app which usually means I really want to open it and don’t just do it to distract myself.
• Ryan Avent about why we work so hard. This essay is well researched and explains a lot of why we see work as crucial, why we fall in love with our work and why our lifestyle and society embraces to work harder all the time.

—Anselm