Jan 10, 2020 newsletter

It's in my (web) DNA

MDN Web DNA Report

MDN, the Mozilla Developer Network, released its first annual Web Developer Needs Assessment (DNA) Report, a new survey of web developers designed to help guide the development of the world’s most popular web platforms.

What is it? In the survey, developers are asked to express their needs and wants for the web based on their current frustrations. According to Mozilla, Web DNA aspires to be the "voice of developers and designers working on the web."

That aspiration is backed by some serious firepower, too. With responses from 28,000 web developers across 173 countries and the support of big influential tech organizations—like Google, Microsoft, Mozilla, Samsung, and W3C—Web DNA has the potential to help shape the future of the web.

What’s the biggest complaint? Fragmentation. Web developers dislike navigating the murky web ecosystem that has splintered across browsers, browser versions, and a ballooning number of development frameworks.

The top three frustrations for developers:

  1. Having to support specific browsers
  2. Outdated or inaccurate documentation for frameworks and libraries
  3. Avoiding or removing a feature that doesn’t work across browsers

Four of the top five complaints are related to supporting different browsers. Unsurprisingly, developers’ top request is greater browser compatibility and consistency across browsers.

What’s the impact? With so much energy and frustration focused on juggling different browsers—including legacy browsers—and frameworks, developers have less time to focus on new and innovative technologies.

At the top of the developer wishlist for new tools: better access to native APIs, access to hardware APIs, and full PWA support.

Despite its shortcomings, more than 76% of developers are either satisfied or very satisfied with the web as a platform. Fixing fragmentation problems and freeing up developer time could push that number even higher.

I've made a venti mistake

Starbucks exposed API

Starbucks, the largest coffeehouse chain in the world, accidentally exposed an API key in a public GitHub repository that could have been used by an attacker to access internal systems, manipulate lists of authorized users, or completely take over Starbucks’ AWS account.

What’s the damage? None, yet. But it could have been far worse.

The critical vulnerability granted access to an API connected to Starbucks’ deployment of JumpCloud, a directory-as-a-service authentication tool to manage employee access to application resources. While there are no reports of any bad actors taking advantage of the security flaw, any developer could have taken control of Starbucks’ AWS account to execute commands or add and remove users.

Payday. A lone developer discovered the misplaced API key in a GitHub repository and disclosed the bug through HackerOne, a bug bounty platform that pays developers for finding and reporting security issues. The developer took home a $4,000 bounty from Starbucks for the disclosure.

Since launching its bug bounty program in 2016, Starbucks has solved more than 800 bug reports and doled out $500,000 to hackers—equal to roughly 105,000 venti cappuccinos.

The big picture: APIs are a growing security issue for many companies—tech and non-tech alike. Starbucks is no exception.

Why? Development teams increasingly rely on APIs to integrate various parts of their technology stack. Microservices, cloud providers, and code repositories are all interconnected with APIs that need to be managed and secured.

As development stacks grow in pursuit of faster and more efficient engineering, more people work with these APIs across many different functions and roles, opening the door to new security threats.

Apple's endless war against jailbreaking

Apple jailbreak

Apple filed a lawsuit against Corellium, an iOS virtualization company that sells access to virtual machines running Apple’s operating systems. With Corellium’s services, security researchers can analyze iOS for security flaws and developers are able to simulate mobile devices in their browsers.

That’s not all, though. Corellium customers can also hunt for vulnerabilities and jailbreak iOS devices, a process that removes Apple’s operating system restrictions and lets developers install custom software.

In an effort to restrict widespread access to jailbreaking tools, Apple hopes to limit the sale of Corellium’s products.

In Apple’s defense. As part of its Walled Garden strategy, Apple maintains a tight stranglehold on user experience across its iOS devices. Jailbroken devices enable piracy—when users can download untested and unregulated applications—and compromise the security of its users, making them susceptible to malicious software. That can tarnish Apple’s reputation.

Apple claims Corellium sells exact copies of its software, a copyright violation, under the pretense of aiding security researchers.

In Corellium’s defense. Corellium claims its software is fair use of Apple’s technology because its virtualization product is used for an entirely different purpose than the original software.

Loopholes abound, too. The US Copyright Office makes exceptions to jailbreaking for good-faith security research.

What’s the developer impact? Many products today, similar to the Apple iPhone, include cybersecurity locks. Everything from smart refrigerators to smart tractors prohibits tampering with the underlying software.

That threatens hacker communities and discourages security researchers. Worse, restrictions can render hardware completely useless when companies stop supporting their platforms or refuse to update firmware.

Apple’s tight grip on its platform has certainly been a boon to many developers who build apps for its lucrative App Store. Whether more developers will be able to operate outside of that walled garden remains to be seen.

Linux year in review: what’s changing

Linux in 2019

Linux development is evolving. According to the latest end-of-year report, the open source Linux project had fewer authors and fewer commits in 2019.

What’s changing: In 2019, Linux saw the fewest commits since 2013. While the Linux kernel has grown by roughly 80k commits each year over recent years, last year's total dropped to 75k commits.

The number of individual contributors has declined over the last few years, too. Linux had 4,402 contributors in 2017 and 4,362 in 2018, but dropped even further to 4,189 in 2019.

What’s not changing: Linux is a stalwart of the free and open source world—and a software behemoth. The Linux kernel ended 2019 with 27.8M lines of code, nearly 888K commits, more than 21K authors, and 66.5K files.

In 2019, developers added 3,386,347 lines of new code and removed 1,696,620 lines, which is on par with recent years. Red Hat and Intel—both server software juggernauts—remain as the top contributing companies.

Why you should care: Linux is everywhere, even if we can’t see it. From embedded systems to smartphones to nearly every supercomputer, the Linux kernel is core to most modern-day computing—despite being released more than 28 years ago.

The cloud, too, depends heavily on Linux. Linux is the most popular server operating system in the world, even surpassing Windows on Microsoft Azure.

Still, losing 5% of contributors in two years and a noticeable slowdown in commits could be a signal that the codebase or community is maturing or consolidating. Linux will undoubtedly remain dominant, but the core community and enterprise contributors will likely play a growing role in pushing the Linux kernel forward.

Small bytes

  • Levels.fyi released its report covering the highest paying companies of 2019. Lyft, Airbnb, and Stripe were consistently ranked as having the highest-paid developers across job levels [LEVELS.FYI]
  • Researchers from MIT built a new machine learning tool to predict how fast code will run on different processors. The new tool should someday help developers write better code that executes more quickly on a variety of processors [THE NEXT WEB]
  • Some developers fear that frequent iOS 13 notifications are scaring away users. Apple’s iPhones are notifying users about location tracking, possibly driving users to limit tracking in apps that require location data [SLASHDOT]
  • GitHub, Mozilla, and Cloudflare are concerned about India’s new intermediary rules. Many companies benefit from safe harbor laws that prevent them from being held liable for user-created content on their platforms. Developer platforms are increasingly being dragged into debates about content moderation [TECHCRUNCH]
  • Enterprise tech is in, consumer tech is out. A new report reveals that enterprise technology companies attracted $30.4B in venture funding last year, while consumer companies raised only $23.3B. This is the first time in five years that funding for consumer tech has dropped below enterprise tech [BLOOMBERG]

  • Rhubarb is a lightweight WebSocket library for multiplayer JavaScript games [GITHUB]
  • DevYouTubeList is a curated list of amazing development channels on YouTube [GITHUB]
  • Elebase is a backend-as-a-service development tool to build apps with advanced location and mapping features [ELEBASE]
  • Memo is a sleek app that lets you take private notes with GitHub’s gists [MEMO]
  • Snowpack helps you build modern web apps (with React, Vue, etc.) without a bundler (like Webpack, Parcel, Rollup) [SNOWPACK]