Why devx matters:
- velocity
- productivity
- happiness
- onboarding / training
—
Chat about dora metrics from Google which was just an overview of the basics. Did see https://github.com/googlecloudplatform/fourkeys which is neat.
—
Should there be a dedicated DX component w/i the platform team?
- probably. We should have a stronger product vision within it.
Considerations for dx
- documentation
- infra
- content architecture
- tech writing
- style guide adherence
- seo
contributor experience
- mentoring contributors
- supporting maintainers
- standardized messaging
- low friction streamlined processes for contributing
product adjacent tools
- clients & API wrappers
- plugins / connectors
- API plugins
- general quality of life improvements
Generally, having ^^ as a priority means prioritizing it over features, etc.
—
OpenSSF. “90% of modern application code base is open source.” 29% of popular projects contain known vulnerabilities.
- via “sonatype, state of the software supply chain”
Issues:
- bypassed code review
- compromised source control system
- modified code after source control
- compromised build platform
- using a bad dependency
- bypassed ci/cd
- compromised package repo
- using a bad package
OpenSSF made this “mobilization plan” which amounted to: “How do we fix the broken supply chain shenanigans and make an impact in the next 2 years?”
Areas for the plan:
- security education (they have some available now)
- risk assessment (objective measure for top 10k+ oss components)
- digital signatures
- memory safety
- incident response
- better scanning
- code audits
- data sharing
- sboms everywhere
- improved software supply chain
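Added example (my own, not from the talk, OpenSSF or any of the plan's deliverables): a hash-pinning check that ties back to the "using a bad package" and "compromised package repo" items above. If a registry serves different bytes for the same name and version than were recorded at review time, the check fails and the install is refused. The lockfile, package names and artifact bytes are all constructed for the example; a real package manager's lockfile plays the same role. It does not address the source-control, build-platform or bypassed-review threats, which need signing and provenance rather than a hash.

```python
import hashlib
import hmac

# Constructed sample artifacts standing in for files fetched from a package
# registry. The tampered copy differs from the reviewed one by one added line.
GOOD_ARTIFACT = b"def add(a, b):\n    return a + b\n"
TAMPERED_ARTIFACT = b"def add(a, b):\n    # changed after review\n    return a + b\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed lockfile: package name -> (version, sha256 recorded at review time).
# In practice this is the lockfile your package manager writes (npm, pip, cargo ...).
LOCKFILE = {
    "tinyadd": ("1.0.0", sha256_hex(GOOD_ARTIFACT)),
}


def verify_artifact(name: str, version: str, data: bytes, lockfile=LOCKFILE) -> str:
    """Classify a fetched artifact against the lockfile.

    Returns one of:
      "ok"               pinned, version matches, bytes match the recorded hash
      "unpinned"         dependency was never reviewed and recorded
      "version-mismatch" registry offered a version the lockfile does not pin
      "hash-mismatch"    same name and version, different bytes (re-published or
                         tampered artifact); this is the case worth alerting on
    """
    entry = lockfile.get(name)
    if entry is None:
        return "unpinned"
    pinned_version, pinned_hash = entry
    if version != pinned_version:
        return "version-mismatch"
    # compare_digest is the idiomatic way to compare two digests; the hashes are
    # not secret here, but it costs nothing to use it.
    if not hmac.compare_digest(sha256_hex(data), pinned_hash):
        return "hash-mismatch"
    return "ok"


def verify_downloads(downloads, lockfile=LOCKFILE):
    """Check a batch of (name, version, bytes) tuples.

    Returns a list of (name, status) in input order plus a single boolean that is
    True only when every artifact is "ok", i.e. whether the install may proceed.
    """
    results = [(name, verify_artifact(name, version, data, lockfile))
               for name, version, data in downloads]
    return results, all(status == "ok" for _, status in results)


if __name__ == "__main__":
    results, install_ok = verify_downloads([
        ("tinyadd", "1.0.0", GOOD_ARTIFACT),
        ("tinyadd", "1.0.0", TAMPERED_ARTIFACT),
        ("otherpkg", "2.3.1", GOOD_ARTIFACT),
    ])
    for name, status in results:
        print(f"{name}: {status}")
    print("install allowed:", install_ok)
```

The distinction between "version-mismatch" and "hash-mismatch" is the useful part for a detection pipeline: the first is usually someone forgetting to update the lockfile, the second means the same version now has different content and should block the build until a human looks at it.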
—
cool discussion of hedy.com, which aims to teach kids programming gradually.
—
Monorepos
it became easier to separate repos due to:
- git
- semver/npm
He calls this “polyrepos” where it’s separate, but linked through dependencies.
upside:
- Allows for more team autonomy
downsides:
- Has later integration of changes b/c of version updates (e.g. folks upgrade whenever they feel like it)
- high setup cost per repo
- difficulty understanding how to innersource (everyone has weird bespoke tooling)
results:
- duplication of code
- ui/ux inconsistency
- silos
Folks are going back to monorepos because of:
- increased cross-team collaboration
- there are better tools now
Monorepo tools:
- bazel (google’s, hard to use at scale b/c it’s powerful)
- nx
- lerna
- turborepo
—
- looking into software around geo, among other things.