So Apple's developer sites have gone offline for a couple days now, apparently due to security issues. One security researcher called Ibrahim Balic came forward with with a story of how he found a bunch of vulnerabilities and notified Apple about his findings. Basically, he claims to be completely white hat.

On the other hand, developers have been getting password reset emails, and Apple apparently decided this issue was critical enough to throw the entire site offline for multiple days.

To me, that doesn't really seem like appropriate action. They could have also replied to him and thanked him but asked him to stop his actions while they worked on a fix. Then they could have simply set up some checks to make sure the vulnerabilities wouldn't be exploited until a fix was ready.

My guess? They looked at their log files, and found that the holes Ibrahim notified them about were being actively exploited by someone other than Ibrahim, and therefore that had little choice other than to shut the whole thing down.

This would make sense in that Ibrahim can actually be the white hat researcher he claims to be, while being consistent with the immediate shut down (and the reports of password reset emails developers seem to be getting -- though that can also simply be a side-effect of all the attention this issue is getting, people searching for other exploitable holes).

Yehuda comes up with the precise description of the problems I'd immediately suspected would be an issue when I heard of Turbolinks. Seems to me like Turbolinks is likely to become Rails 4's shitstorm I they do turn it on by default.

Browser plugin (Firefox/Chrome) that turns a piece of (markdown-formatted) text in a text area into nicely formatted HTML. Works with Gmail, and also with GitHub Flavoured Markdown (code highlighting!). I'm so gonna use the heck out of this. Unless I forget I've got it installed of course. Which tends to happen.

This fixed it for me. Obviously, it's my own fault for using the dev-channel.

Recently where I work we have changed our agile process a bit. When we decided to switch to scrum, we’d started by doing it the way it’s described most of the time: a product owner organizes the backlog, team gives stories estimates, and repeat this for each sprint.

Now, it might be because we have a small team (3 part-time developers), or it might be other reasons, but after trying this process out for a few months, we didn’t feel that this style of doing scrum was the best match for our team and product.

We do sprints of two weeks long, and deploy to staging after every sprint. Every two sprints we deploy to production as well. We feel that this is long enough to get up to speed, but short enough not to lose a lot of flexibility.

All of this is still pretty much a standard scrum setup. However, we felt that the role of the product owner was hard to fill in our situation.

For every release (i.e. two sprints) we choose a few goals. Anyone can add goals into Pivotal Tracker (as epics), and we add a release planning meeting where the epics for the coming two sprints get chosen. Everyone present at this meeting gets to promote one epic and has to explain why they feel that epic is the most important one at that moment. Usually some consensus will be formed, but ultimately the choice of epics for a sprint lies with the product owner.

Epics are about features at a higher level than stories, but should still be able to be completed within the two sprints of the release. Anything that’s bigger than even two sprints should really be possible to be broken up, otherwise it’s probably not fleshed out enough to be broken further down into stories anyway.

After this preplanning meeting the team will ensure that the stories for the chosen goals get created. The developers will form and arrange the backlog for the coming sprint, and meet up to rate the stories.

At the start of the sprint last minute details like incoming requests from customers (this is stuff we should have an administration interface for but currently haven’t, and thus needs to be changed by developers using migrations) get added to the sprint and rated, and any stories that do not fit within the sprint anymore get moved back to the icebox. We do this because these were arranged such that they were the least important, and it’s highly likely that the next release will not have the same goals (in fact, in general this is our rule), and hence will have no place for these overflowing stories.

We religiously trim the backlog in this manner because we have noticed that a backlog cannot be maintained past a few sprints anyway. Any new stories that come up will usually feel more important than whatever is near the end of the backlog, which leaves the backlog with a perpetual long and sad tail. Recognizing this, we have decided to forcefully chop this tail off rather than drag it along.

Analyst Watch: Water-Scrum-fall is the reality of agile SD Times: Software Development News:

Organizations are increasingly adopting agile software development methodologies through a combination of bottom-up adoption and top-down change. However, the reality of agile adoption has diverged from the original ideas described in the Agile Manifesto, with many adoptions resembling what Forrester labels water-Scrum-fall.

And immediately I forgot to write this up for a few times… So here’s what I’ve been up to the past weeks:

• hubot-scripts. I added a Prowl/NotifyMyAndroid notification script to our work Hubot, that will push every mention of your name to your iOS or Android device.
• rails: I fix a small bug where parts of ActiveSupport were not able to be loaded in isolation.
• simplestats is a small Sinatra app to collect web statistics from your visitors and save them in MongoDB. I wrote this out of frustration with Google Analytics, which is probably very powerful, but all we really wanted to know were some browser usage stats, specifically the width of the viewports of our users. While you could push this to GA with a script someone posted somewhere, I simply couldn’t figure out how to get the results back out…

Inspired by Mike Gunderloy’s attempt at doing something for the open source world every day, I figured I should be able to at least do something every week.

So here’s what I’ve been up to the past week:

• watchmen is a new extension for Python’s Fabric library that is aimed at monitoring a set of servers. At the office, we’re growing pretty tired of Nagios, so I did a little test to see how hard it would be to build something better. The actual checks would be pretty doable with this library, though we’d still need to build a webbased dashboard and notifications via e-mail/irc/campfire/sms.
• soundcheck is my unified interface to running tests. I recently came across the need to run a Minitest suite, so I’ve added something to support that. Not quite happy with how it works yet, I’ll probably improve it next week.
• bootstrap I fixed some JS with regard to the buttons, when they are <input type="submit">s, instead of divs with class button.

FakeFS: File system faker to make testing stuff that depends on the FS easier.

Personally, I tend to dependency-inject some IO class when I need to test file stuff.

DocHub:

Much better place to look up stuff than w3schools. I find this a little easier to browse than the Mozilla dev center.

Sprintly

Very pretty scrum tool. I especially like the preformatted form for new stories which forces you to write it in a certain format, I wish Pivotal was a little more opinionated in that area.