-Incomparable harnesses

-Misuse of the library's api

-Build switches

-UA sniffing

-Not measuring or controlling for system/net load

This isn't a post about why you shouldn't use libcurl; it's a post about why you shouldn't benchmark your way to blind conclusions.

But on the other hand, I see nothing but assurances and a woefully low cut that I can't imagine could keep this train chugging without shoveling time (=money) into the furnace. At ~$140 revenue a pop, if even 4% of projects go off the rails, the "insurance" policy already puts the company in the red -- forget profit.

There is a huge problem to solve here, for sure. I want someone to solve it. But I'm not seeing a solution.

Perhaps it's worth considering that maybe the reason that checklists aren't the norm in the FOSS "meritocracy" is that they hinder progress, for a certain value of progress. Maybe there was a stealth project that could have been OpenSSL, developed with scrict adherance to checklists, but OpenSSL won because it didn't have that burden? I suspect this applies more broadly to startups, too.

Maybe checklists are a silent killer in the natural selection of the software ecosystem, and that's why so much of our software is tripping over peacock feathers?

Just a thought.

But second, no enterprisey company will use a service that bills like this, because

-$4 and $250 per month all rounds down to zero, so it's not a selling point

-$4 signals no support when the shit inevitably hits the fan

-$4 signals this company will tank along with your data in a month

An enterprise company with actual money will take an hour or two of dev time to boot up one of the open source registries (https://github.com/dotcloud/docker-registry) and stay in control.

Source: working at a Docker startup for almost a year

I recommend reading up on rocketry, orbital mechanics, and modern space programs because a) it's really cool stuff! and b) you'd quickly realize how ridiculous, dangerous, and counterproductive this suggestion is.

Vocab is hardly more twisted now, though; journalism has always chosen its words deliberately.

I don't know who's right here, but it's definitely not that simple.

First off, TLS is crypto bread-and-butter that's used for a lot more than HTTPS. You're not out of the woods because you're not running a webserver.

Second, SSH itself doesn't use TLS; it has its own protocol, so sshd isn't vulnerable.

But third, read overflows like this can be escalated in countless ways to total compromise if some credential, key, canary, or such gets leaked. So just because sshd isn't vulnerable doesn't mean you're not screwed.

-You can cash out (steal) an arbitrary amount of people's coins, blaming it on a "hack". If technically competent you can make it look as legitimate as you like, even giving a detailed post-mortem.

-This will probably tarnish your operation and possibly your internet rep if the Google juice flows that way.

So how much is your internet reputation worth? Personally, there's probably a number that would sway me.

Until these incentives are changed somehow, with regulation or otherwise, it will happen.

I have no idea what the likelihood of this is, but it's in the realm of plausibility with all of the feces hitting the fan at Gox.

So unfortunately, I hate to break it to you that as an end user the money you're giving Microsoft for their products never gave you control.

But on the bright side, pissing off the end users that provide sustenance and influx for their volume-licenses cash cows doesn't serve Microsoft's bottom line either. So even if you pay nothing, your usage of Microsoft's products is very much something Microsoft would prefer to continue.

The amount of ifs, ands, and buts in this caveat means it's time to defer to one of my favorite xkcd's of all time. [0]

[0] http://xkcd.com/55/

The touted benefit is marginally increased parallel performance, but even if you buy this (I don't), the best case scenario is this buys you a slightly decreased server bill for the price of closedness, lock-in, and compatibility headaches. If your code shards horizontally like this then you can already trivially parallelize and shard across servers with first-class node core clustering.

I spend most of my waking hours writing all sorts of crazy things in node, and I still can't think of any scenario in which using this makes sense.

Although contrary to popular belief Gox was never a Magic exchange, they were a Bitcoin startup at a time when Bitcoin was not much more than internet lols and pizza deliveries. The first thing you do when hacking together a stupid exchange for a joke e-currency isn't writing unit tests. You just write the code and blast it up on a domain you had lying around for a different project.

Cue runaway success, a company sale or two, scaling issues with complicated technology and not much precedent legal or otherwise, and this is what you get.

There is nothing at all surprising about this code. And it seems Gox's problems were much more deeply rooted than the subjective non-compliance of their code with "best practices".