If you invent a formal language that is easy to read and easy to write, it may look like Python... Then someone will probably write an interpreter.

We have many languages, senior people who know how to use them, who enjoy coding and who don't have a "lack of productivity" problem. I don't feel the need to throw away everything we have to embrace what is supposed to be "the future". And since we need good devs to read and LLM generated code how to remain a good dev if we don't write code anymore ? What's the point of being up to date in language x if we don't write code ? Remaining good at something without doing it is a mystery to me.

Using a formal language also help to enter in a kind of flow. And then details you did not think about before using the formal language may appear. Everything cannot be prompted, just like Alex Honnold prepared his climbing of El Capitan very carefully but it's only when he was on the rock that he took the real decisions. Same for Lindbergh when he crossed the Atlantic. The map is not the territory.

Everyday I have access to my computer, and since nothing is absolutely urgent I can book train tickets from home, read hacker news from home, etc... I spend several hours per day at home with my laptop so when I am outside I don't need to be online.

I don't listen music when outside since I feel more connected to where I am (sea shore, forest, city, etc...) if I don't listen music.

I nearly don't need take pictures anymore and when I do I have a camera.

I never had an account on social medias and even if I did I would have disable all notifications.

No need for a GPS, usually I know where I am going and if I don't I check on a map before and remind the path (exit metro station, first on left, second on right, done), if I get lost I ask to someone, then happen a true connection to a human being. Road trips: paper maps, I traveled alone from San Diego to New-York like that, including reaching a specific address in Chicago and then in New-York with a paper map. And I like the voice of my wife telling me "in 2km we must take the D25 on the right" (names of secondary roads in France starts with D).

We have a sailboat so we need gps when we sail and we have a rugged tablet. We also use it at home as a remote control for the DAC with Qobuz and for video calls with family with Signal. A smartphone can makes sense in several occasion, like does out tablet, but I don't feel the need to have one (a kind of mini computer) in my pocket all the time.

And since urgent calls can only comes from my wife or from the school (we have a son), when we are together with our son we don't take our dumbphone (nokia 105) with us.

I think anyone can buy a dumbphone for 20$ or € and try for a week.

Each API has its database which contains the accesskey for each user, if this data is stolen the attacker can send HTTP POST requests to API with valid access key. To reject these forged request a code can be sent to the user in the invitation message while each database has a bcrypt hash of the code along the access key. When an API receives a POST requests it can check if the code present in the request body matches with the hash he has in its database. So having the access key is not enough to send request, someone who steal a db cannot do anything with the data and cannot propagate false data to other APIs.

Without the proxy the client would request a specific instance of the API (university 1, university 2, NGO 1, NGO 2), which then would be responsible for forwarding the data to the other. What if he changes the code and forward a false data:

user A votes for candidate X (HTTP POST request received by API deployed at university 1). API deployed at university A is compromised (by the university itself or not) and the information persisted in the DB is "user A votes for candidate Y". This information is then forwarded to other API.

If a proxy like NGINX is responsible for request forwarding the problem is solved (assuming that all parties trust nginx and its "mirror" module). https://nginx.org/en/docs/http/ngx_http_mirror_module.html

I am working on a voting system for a local community, people will vote with their smartphone, tablet or computer. They previously receive a link to the vote form with an access key in the url.

Once someone has voted he cannot see is vote (like in real world polling station), which partly avoid the "cash for vote" problem. "Partly" because someone can still force someone else to vote like he wants. For this, my idea was to allow to vote multiple times but with idem-potency: only the first or the last vote is recorded in the database. "you can give me 5$ to vote like you want, once back home I vote for the one I want".

But since voters cannot check if their vote has been properly recorded they must trust the system.

Block chain that involves several parties (an NGO, an university, etc...) could be an idea but nothing prevent the API that receives the votes and insert records in the blockchain to insert fake data. Code audit (+ CI/CD audit + DNS records audit) can help.

My idea: each party (NGO 1, NGO 2, university 1, university 2, etc...) deploy the API and its database. The source code is obviously open.

Then, a proxy receives the HTTP request and forward them to each API. The goal is to reach eventual consistency.

Outages may occur, if API deployed at university 1 is unreachable some data will be missing in its database. A retry policy at the proxy level can help but only for short time network failure, not for several minutes or hours outage.

So differences between databases at the end of the election will probably happen and should be corrected. If consensus is met on chunks of data (example: 2/3 of the databases have the same data for each 1 hour period) then we can get reach eventual consistency.

The proxy becomes the weak link. Each party should must have access to its configuration for audit purpose and must also have access to the DNS records.

At the ends the voters don't have to understand all these details, they trust the system because they trust the parties who participates.

What do you think ?

Thanks !

Comments URL: https://news.ycombinator.com/item?id=45157509

Points: 1

# Comments: 6

First write after a lot of reads...

I've been using ORM for years in Java and C# and came to the conclusion that the only reason we use these tools are because most Java and c# developers think that the business logic applies on objects and not data.

So when they/we see a entity-relationship diagram we think that must reify these entities as classes. This results, most of the time, in classes with accessors (and nothing else, so OOP purist are also a little bit skeptical when they see theses classes without any behaviors). And then we need a ORM to map this classes with the tables.

But everyone else on the project (dba, domain experts) think that the business logic we write uses data stored in the db, not objects. And if we start thinking like them, the only thing we need is something to manipulate the data and apply business logic on it.

For example if I need to get a piece of information on a bank account to accept or reject a withdrawal:

C# with Dapper:

  var accountInfo = (await dbConnection.QueryAsync<(double balance, int overdraft)>("select balance, overdraft from Account where id=@id", new {id = "..."})).SingleOrDefault();

  record AccountInfo(double balance, int overdraft){}
  Optional accountInfo = jdbClient.sql("select balance, overdraft from Account where id=?").params("...").query(AccountInfo.class).optional();

with an orm (Java with JPA):

  Account account = entityManager.find(Account.class, "..."); // Account is an entity class

of course you can do that with JPA:

  record AccountInfo(double balance, int overdraft){}
  Optional accountInfo = entityManager.createQuery("select balance, overdraft from Account where id=:id", Object[].class)
    .setParameter("id", "...")
    .getResultStream()
    .findAny()
    .map(a -> new AccountInfo(Double.parseDouble(a[0].toString()), Integer.parseInt(a[1].toString())));

Same for lazy loading, which selects all the columns of the lazy loaded entity while you often need one or two properties.

Becoming an expert with an ORM consists in knowing how to use its leaky abstraction so the sql query is the one you would have written without orm. Not very fulfilling (there are tons of more useful things to learn for a programmer) nor useful for the project.

More over, the choice of a database is (or could be) guided by business requirements. If a project benefits from a MongoDB database the developer should have access to the mongodb language, if it needs a graph database the developers should have access to the its query language, etc... It also fosters good relations with the DBA (I can ask for help to write a query) while ORM and their sub-optimal queries breaks the confidence between developers and DBA.

Of course the DB may change in the future (but most of the time it is here to stay) and vendor specific syntax will then break, but running tests against the new db will show which queries must be adjusted. Markers could also be written for vendor specific queries: /specific/ at the end of the string so they are easy to find.

An ORM is useful if you reify the domain model in classes with behaviors or if you sell a product that must be database agnostic. But for most project it is not a requirement.

What to you think ? Thanks !

Comments URL: https://news.ycombinator.com/item?id=40515475

Points: 2

# Comments: 0

It is about rules elaborated by an educated society. Not perfect rules, but at least rules that preserve what this society consider "important". Many example show that humans that live in a given place are very well aware of how important is a "healthy" ecosystem and give rights to "a good life" to this ecosystem: Wanganui river in New-Zeland, lac Erie in US (this attempt failed), constitution of Ecuador, etc... Elinor Ostrom wrote interesting about this rules (governing the commons), she had the nobel prize for that.