#off-topic
2018-06-25
borkdude13:06:54

given the link what is called?

eggsyntax13:06:56

"path" or "stem", I think, but no guarantee there 😉

eggsyntax13:06:25

No maybe those are just /bar/baz...

Aleksander14:06:45

path is /bar/baz

Aleksander14:06:12

not sure there is one name for

Drew Verlee17:06:41

What's a thing from another programming language that you miss when working in Clojure? I see the reverse situation quite often. Note: I just realized this is quite a large question. I'm in between tests on my Python project and I'm missing destructuring a ton at the minute.

chrisblom13:06:35

type safety, fast startup times (for scripts or cli tools), good tooling for refactoring and static analysis

gklijs17:06:43

Type safety sometimes, although the optional use of spec gets you pretty far.

andre.stylianos17:06:21

I was going to say that as well! Type safety for sure

Drew Verlee17:06:03

Hm. Roger. That's well-trodden ground. I have fairly limited experience with Python, Ruby, Java, Clojure. I'm always curious if there are idioms in Scala, Haskell, etc… that I'm not familiar with, that other people find interesting.

andre.stylianos17:06:34

Well, the type system of Scala, Haskell and related are a huge improvement over Java

andre.stylianos17:06:56

I think it's worth playing with them to get a feel for it

andre.stylianos17:06:18

I came from Java, to Scala and then Clojure

andre.stylianos17:06:42

Half the time I wish I had a type system, and half the time I'm amazed at how much simpler Clojure code tends to be

eggsyntax18:06:01

The self-documenting-ness of class-based objects. The set of methods defined on a class gives you an immediate sense of the sort of things the class author envisioned you would want to do to an object of that class. There's real value in it. Whereas a complex nested map -- you can do a million things to it, but it's not immediately obvious which of those million things is the appropriate one for what that map is intended to represent -- which itself may not be obvious the first time you look at new code. And that set of methods is easily discoverable through introspection, which gives you some extra velocity. I'm more than willing to trade that away for the other advantages clj/s offers. And it has inherent disadvantages -- as RH has said, it means having to learn a new mini-DSL for each new type of object. But I think it's worth recognizing the value it has, and thinking about ways to bring that same value into clj/s. If anyone has thoughts/ideas about the best ways to do that, I'd love to hear about them.

eggsyntax18:06:00

(records + protocols is the obvious answer, but in practice, using them doesn't always appeal, or feel like it necessarily gets me the whole way there)

borkdude18:06:00

@eggsyntax I think you could argue the same for Haskell which is not class/object based, but it does define functions/lenses etc. on specific data structures instead of just maps which makes the API stand out more

borkdude18:06:44

but when I have to write it, I’m like, pfff, this is too much work, I could do it in Clojure faster, etc. So it’s more work in advance, but you’ll get the benefits later when you have to refactor something or learn a new API.

eggsyntax18:06:28

:thumbsup: I haven't used Haskell in anger, so I don't have much intuition there.

borkdude18:06:18

I haven’t used Haskell in anger either, just worked half way through Haskell Book and did some toy projects

dominicm20:06:13

Is anyone here doing:
- application platforms
- compliance
And happy to share any knowledge on the topic? Bonus points for datomic 😊

val_waeselynck22:06:11

Compliance to what?

dominicm06:06:29

PCI for us, but potentially others in the future

val_waeselynck07:06:26

Ah OK, I don't know anything about PCI compliance, sorry. If Datomic's immutability is troubling you, maybe this will be useful: http://vvvvalvalval.github.io/posts/2018-05-01-making-a-datomic-system-gdpr-compliant.html.

dominicm07:06:01

No, our lawyers are quite happy with retraction for gdpr. I'm more looking into whether we can make a lot of annoying work on PCI (audit logs, logging, breakglass, alarms, firewalling) go away to some degree by relying on an application platform abstraction. Unfortunately, datomic feels potentially awkward on some of these systems.

chrisblom13:06:24

what do you mean by an application platform? Stuff like Java EE / Spring?

dominicm13:06:19

@U0P1MGUSX I was thinking more along the lines of Heroku, Kubernetes, Mesos, etc. But anything which satisfies the constraints of being a higher level description of infrastructure would be sufficient.

chrisblom16:06:15

ah ok, no I have no experience with that

jonahbenton05:07:25

@U09LZR36F I had a PCI system for a $100M business for several years. The architectural problem with PCI is that the PANs bleed. So the underlying platform- if it is shared by apps that you do not want under PCI- needs to provide the controls and segregation, both for in-transit and at-rest PANs. Can k8s do this? At first blush, I think one should be able to segregate workloads sufficiently, such that a single k8s cluster can run both PCI and shielded-from-PCI apps. Does k8s provide any special magic for PCI? Not really, other than what it does to run software on a bunch of machines from a uniform control plane, where a lot of that software needs unique configuration.

dominicm05:07:18

I was wondering things like whether k8s had a concept of firewall isolation of containers. But also if the logging story would satisfy PCI easily, along with all the other controls like FIM which have to be implemented or countered somehow.

dominicm05:07:58

We have done a lot of work around integrating logs with AWS CloudWatch, and fiddling with micro segmentation, and I'm wondering how much k8s or similar might give you for "cheaper"

jonahbenton12:07:32

Yeah, gotcha. Hmm, I don't think it's going to be cheaper, for most definitions of cheaper, certainly not upfront. It could be more ergonomic in the long run.

jonahbenton12:07:50

Solving for both PCI and non-PCI within a single AWS tenant strikes me as awkward, challenging. With k8s, there is a lot more control, though that means a lot more configuration work. Raw k8s does relatively little out of the box. It doesn't do anything about logging other than connect stdout/stderr from the container runtime to syslog on the host. It doesn't do anything about networking other than assign each pod its own netblock. It literally does nothing about durable storage. It has a tenancy model, but no platform I'm aware of has a specific-to-PCI model of tenancy.

jonahbenton12:07:33

So one has to pick and choose and integrate and then configure components, though here one is working with pieces of software rather than interfaces offered by cloud services.

jonahbenton12:07:14

A PCI tenant is an interesting idea, though. k8s involves a lot of declarative configuration. This configuration can be generated, templated and shared across environments. The ease and scalability of doing so has been a major factor in k8s adoption. So- I would guess that at some point, there will emerge a set of configuration templates for PCI compliance, to be applied to one's k8s cluster.

dominicm15:07:09

That's disappointing. I had hoped that Google's eye would have put a really strong security perspective on things. Sounds like a similar cost to the one we've paid on AWS already. In terms of networking, k8s does nothing to firewall pods from each other?!

jonahbenton18:07:38

Sorry, that was a little too much shorthand- k8s decided that the cross host pod->pod communication, pod->outside, and outside->pod were all problems to which there are many, many potential solutions, both in terms of mechanism and in terms of policy, with lots of competing things to optimize for. So when one is building a cluster, among other things, one has to pick a cluster network plugin from a very extensive list: https://kubernetes.io/docs/concepts/cluster-administration/networking/ that meets one's particular requirements and capabilities. From the outside, networking seems like just something k8s does; it's really not. There are many distinct machinery, configuration and observability choices involved, and implicitly or explicitly, you have to make all of them. With that machinery in place, you can then manage it with declarative policy resources, which is extremely powerful, much better at scale than e.g. committing a change and then hoping puppet picks it up when it runs across your plant and that the churn as things are changing doesn't break anything. But one has to get to that point.

dominicm20:07:08

I found the policy resources which pertain to networking, which does permit you to perform segmentation. That's relieving. This is all quite interesting. Are there any other declarative aspects I might appreciate? Policies are neat, but AWS has them, even though they're a little painful to write.

jonahbenton21:07:03

On the surface it's not dissimilar to other templated, declarative-esque approaches to infrastructure, e.g. cloudformation, terraform, but instead of describing your infrastructure, you describe your workloads. The underlying model is that you post your desired workload end state- a set of services, or some jobs, etc- as "resources" to the cluster, and "controllers" gradually converge the state in the cluster with the state described in the resources. This machinery is also extensible, so you are not limited to the resources k8s comes with, but can create your own, and still take advantage of the convergence machinery. This most recently has led to the creation- by a third party, outside of google- of the concept of an "operator"- a set of resources that, for instance, declaratively describe the full lifecycle of managing a database, including backups, restores, failovers, etc. (Relevant for PCI :) The level of abstraction is very high. Google has a terrific paper describing their Borg cluster manager- the system that motivated the creation of kubernetes. Recommended for getting a flavor of the concerns that k8s is solving for, and the approach it takes: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43438.pdf

dominicm13:07:04

> The underlying model is that you post your desired workload end state- a set of services, or some jobs, etc- as "resources" to the cluster, and "controllers" gradually converge the state in the cluster with the state described in the resources. Is this not pretty much the same as terraform/cf? I'm missing the distinction I'm afraid. Being able to describe the database system like that (and anything contextual) sounds very powerful. I'll take a look at the paper, thanks.

andy.fingerhut23:06:53

Huh, Apple must really not want me to file a bug report via their developer site. Every time I try, on my company's VPN or not, with any of Chrome, Safari, or Firefox, I get an error when trying to go to the bug reporting page.

Alex Miller (Clojure team)23:06:54

You should file a bug about that

andy.fingerhut23:06:40

Clojure JIRA coming up 🙂

sb03:06:35

I don't know whether you have info on this or not, but maybe.. will there be a native Clojure API for Jira?