cdCon

Why devx matters:

  • velocity
  • productivity
  • happiness
  • onboarding / training

Chat about DORA metrics from Google, which was just an overview of the basics. Did see https://github.com/googlecloudplatform/fourkeys, which is neat.
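
The four key metrics the talk covered (deployment frequency, lead time for changes, change failure rate, time to restore) computed from constructed deployment and incident records. This is an added example for these notes, not code from the fourkeys project; the record shapes (commit/deploy timestamps, incidents linked to a deployment by id) are assumptions chosen for illustration.

```python
"""DORA four key metrics over constructed deployment/incident events.

Added example; not code from the fourkeys project. The event shapes
below are assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass
class Deployment:
    deploy_id: str
    commit_time: datetime   # when the change was committed
    deploy_time: datetime   # when it reached production


@dataclass
class Incident:
    deploy_id: str          # deployment that introduced the failure
    opened: datetime
    resolved: datetime


def deployment_frequency(deploys, window_days):
    """Deployments per day over the observation window."""
    return len(deploys) / window_days


def lead_time_for_changes(deploys):
    """Median hours from commit to production (0.0 if no deploys)."""
    hours = [(d.deploy_time - d.commit_time).total_seconds() / 3600 for d in deploys]
    return median(hours) if hours else 0.0


def change_failure_rate(deploys, incidents):
    """Fraction of deployments that have at least one incident linked to them."""
    if not deploys:
        return 0.0
    failed_ids = {i.deploy_id for i in incidents}
    failed = sum(1 for d in deploys if d.deploy_id in failed_ids)
    return failed / len(deploys)


def mean_time_to_restore(incidents):
    """Mean hours from incident opened to resolved (0.0 if no incidents)."""
    if not incidents:
        return 0.0
    hours = [(i.resolved - i.opened).total_seconds() / 3600 for i in incidents]
    return sum(hours) / len(hours)


def four_keys(deploys, incidents, window_days):
    return {
        "deployment_frequency_per_day": deployment_frequency(deploys, window_days),
        "lead_time_hours_median": lead_time_for_changes(deploys),
        "change_failure_rate": change_failure_rate(deploys, incidents),
        "mttr_hours": mean_time_to_restore(incidents),
    }


# Constructed sample data: one week, four deployments, one of which caused
# a three-hour incident.
T0 = datetime(2022, 6, 6, 9, 0)
SAMPLE_DEPLOYS = [
    Deployment("d1", T0, T0 + timedelta(hours=4)),
    Deployment("d2", T0 + timedelta(days=1), T0 + timedelta(days=1, hours=2)),
    Deployment("d3", T0 + timedelta(days=3), T0 + timedelta(days=3, hours=10)),
    Deployment("d4", T0 + timedelta(days=5), T0 + timedelta(days=5, hours=6)),
]
SAMPLE_INCIDENTS = [
    Incident("d3", T0 + timedelta(days=3, hours=11), T0 + timedelta(days=3, hours=14)),
]

if __name__ == "__main__":
    for key, value in four_keys(SAMPLE_DEPLOYS, SAMPLE_INCIDENTS, window_days=7).items():
        print(f"{key}: {value:.2f}")
```

Lead time uses the median rather than the mean so one stalled change does not dominate the number; change failure rate is derived from incidents linked to a deployment id instead of a hand-set flag, which is how a real pipeline would join the two event streams.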

Should there be a dedicated DX component w/i the platform team?

  • probably. We should have a stronger product vision within it.

Considerations for DX

  • documentation
    • infra
    • content architecture
    • tech writing
    • style guide adherence
    • seo

contributor experience

  • mentoring contributors
  • supporting maintainers
  • standardized messaging
  • low friction streamlined processes for contributing

product adjacent tools

  • clients & API wrappers
  • plugins / connectors
  • API plugins
  • general quality of life improvements

Generally, having the above as a priority means prioritizing it over features, etc.

OpenSSF: “90% of modern application code base is open source”; 29% of popular projects contain known vulnerabilities.

  • via Sonatype, “State of the Software Supply Chain”

Issues:

  1. bypassed code review
  2. compromised source control system
  3. modified code after source control
  4. compromised build platform
  5. using a bad dependency
  6. bypassed ci/cd
  7. compromised package repo
  8. using a bad package
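
Items 5, 7 and 8 above (bad dependency, compromised package repo, bad package) share one basic defence on the consuming side: every fetched artifact is compared against a hash pinned at review time, so anything altered between the source and the consumer fails the check. The script below is an added example for these notes, not OpenSSF or Sonatype code; the lockfile layout (name, version, sha256) and the artifact bytes are constructed for illustration, and real lockfiles (pip `--require-hashes`, `package-lock.json` integrity fields, `go.sum`) differ in shape but carry the same information.

```python
"""Verify fetched package artifacts against pinned hashes.

Added example; not code from OpenSSF or Sonatype. The lockfile layout
and artifact contents are constructed for illustration.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifacts(lockfile: dict, fetched: dict) -> dict:
    """Compare each fetched artifact against the lockfile.

    lockfile: {"packages": [{"name", "version", "sha256"}, ...]}
    fetched:  {(name, version): artifact_bytes}

    Returns a report with four lists keyed (name, version):
      ok        hash matches the pin
      mismatch  hash differs, i.e. the artifact changed after it was pinned
      unpinned  fetched but no lockfile entry vouches for it
      missing   pinned but never fetched
    """
    pins = {(p["name"], p["version"]): p["sha256"] for p in lockfile["packages"]}
    report = {"ok": [], "mismatch": [], "unpinned": [], "missing": []}
    for key, data in fetched.items():
        expected = pins.get(key)
        if expected is None:
            report["unpinned"].append(key)
        elif sha256_hex(data) == expected:
            report["ok"].append(key)
        else:
            report["mismatch"].append(key)
    for key in pins:
        if key not in fetched:
            report["missing"].append(key)
    return report


def is_clean(report: dict) -> bool:
    """True only when every fetched artifact is pinned and matches."""
    return not (report["mismatch"] or report["unpinned"] or report["missing"])


# Constructed artifact bytes standing in for wheel/tarball contents.
GOOD_LIB = b"def add(a, b):\n    return a + b\n"
ALTERED_ORIGINAL = b"def mul(a, b):\n    return a * b\n"
ALTERED_SERVED = b"def mul(a, b):\n    return a * b  # changed after pinning\n"

# Pins are computed from the reviewed bytes, as a lockfile would record them.
LOCKFILE = {
    "packages": [
        {"name": "goodlib", "version": "1.0.0", "sha256": sha256_hex(GOOD_LIB)},
        {"name": "alteredlib", "version": "0.3.0", "sha256": sha256_hex(ALTERED_ORIGINAL)},
        {"name": "otherlib", "version": "2.1.0", "sha256": sha256_hex(b"other")},
    ]
}

# What the package mirror actually handed back in this constructed scenario.
FETCHED = {
    ("goodlib", "1.0.0"): GOOD_LIB,
    ("alteredlib", "0.3.0"): ALTERED_SERVED,
    ("extralib", "0.1.0"): b"never pinned",
}

if __name__ == "__main__":
    report = verify_artifacts(LOCKFILE, FETCHED)
    for category, keys in report.items():
        print(f"{category}: {keys}")
    print("clean" if is_clean(report) else "FAIL: supply chain check did not pass")
```

The report distinguishes the three failure classes because they call for different responses: a mismatch means the artifact itself changed, an unpinned entry means the lockfile is incomplete, and a missing entry usually means the resolver silently dropped or substituted a dependency. Treating any of the three as a build failure is what makes the pin useful.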

OpenSSF made this “mobilization plan”, which amounted to: “How do we fix the broken supply chain shenanigans and make an impact in the next 2 years?”

Areas for the plan:

  1. security education (they have some available now)
  2. risk assessment (objective measure for top 10k+ oss components)
  3. digital signatures
  4. memory safety
  5. incident response
  6. better scanning
  7. code audits
  8. data sharing
  9. sboms everywhere
  10. improved software supply chain

cool discussion of hedy.com, which aims to teach kids programming gradually.

Monorepos

it became easier to separate repos due to:

  • git
  • semver/npm

He calls this “polyrepos”: separate repos, linked through dependencies.

upside:

  • Allows for more team autonomy

downsides:

  • Has later integration of changes b/c of version updates (e.g. folks upgrade whenever they feel like it)
  • high setup cost per repo
  • difficulty understanding how to innersource (everyone has weird bespoke tooling)

results:

  • duplication of code
  • ui/ux inconsistency
  • silos

Folks are going back to monorepos because of:

  • increased cross-team collaboration
  • there are better tools now

Monorepo tools:

  • bazel (google’s, hard to use at scale b/c it’s powerful)
  • nx
  • lerna
  • turborepo

Linux Foundation Research

  • looking into software around geo, among other things.