DEV Community: Jane

Let's go opensource

Jane — Fri, 15 Mar 2024 15:50:29 +0000

The other days, I watched clips of CEOs of big companies being called out in court and asked tremendous questions - some very absurd. Most of that concerns privacy and safety online. I did not do extra research but at least there doesn't seem to occur much regarding open-source software.

To me, open-source is more than a free software/platform that allows everyone to access/utilize it in exchange for personal data being tracked or receiving overwhelming advertisements. It is something that is completely free/open and thrives through community spirit and contribution.

So I thought of making a change starting with myself. Of course, I have been using open-source software/tools for some time but I am still using some propriety software. I know I can't eliminate entirely but I'm gonna do as much as I can.

For instance, I switched from writing articles on a platform that requires a paid membership to read and start writing here in this community.

I have been using Linux distributions since I was in my college years which is almost around 6 years.

I switched from Chrome to Firefox for better privacy. I am exploring the option still.

I switched from vscode to codium which is an open-source version of vscode.

Most of the programming languages are open-source which I am very grateful for. I hope we can utilize such programming languages to build free and open software as well.

There are some many more that I couldn't list them all.
Let me know if you have any recommended tools I can benefit from.

Now that I am a user of those software/tools, it is also a time for me to contribute back to the community. For the past year, I have contributed to a few projects. I am keeping my eyes on projects of interest and am ready to give back.

As I once read somewhere: Learn, Earn and Return

Linux is not only Ubuntu

Jane — Mon, 27 Nov 2023 10:03:14 +0000

My very first Linux operating system was Ubuntu. I switched from Windows to Ubuntu when I was in university. At that time, I felt like it was a whole game changer. Everything was and is easier on Linux starting from installing packages, setting up path environment, updating packages and software...etc. All I need is: sudo apt-get ....

It's true that Ubuntu was quite famous among newbies to Linux's world. To be fair, a lot of articles often refer to Ubuntu when referencing Linux (if you notice :)).
And for the majority that is into the command line, of course, they have Arch Linux. That's all I knew back then and probably most newbies nowadays as well.

I have switched to Fedora and I am happy about it. But before Fedora, I also used RHEL for quite some time.

Honestly, I don't notice many differences between all these Linux operating systems.
I like Fedora because it has a very fast-growing environment. Its open-source community is huge and strong. Okay, but this article is not only about Fedora and neither Ubuntu. The purpose is to invite everyone to explore the rest of the Linux operating systems and dive more into the open-source community.

Let me at least link to some useful articles/documents:

Fedora: https://fedoraproject.org/
CentOS Stream: https://www.centos.org/centos-stream/
RHEL (downstream of Fedora): https://www.redhat.com/en/technologies/linux-platforms/enterprise-linux
Debian (IMO, very similar to Ubuntu): https://www.debian.org/
Arch Linux: https://archlinux.org/

And here is the list from Wikipedia: https://en.wikipedia.org/wiki/List_of_Linux_distributions

Disable MacOS auto enable Mouse Keys on startup

Jane — Fri, 27 Oct 2023 15:07:54 +0000

If you're having an issue when you start your MacOS and you can't type the password on the keyboard, your MacOS might auto-enable Mouse Keys on its own.

You might also notice that a few seconds after the lock screen asks you to type the password, there is a pop-up show that "Mouse Keys on".

If that's the case, there are a few solutions:

Connect the external keyboard so you can type again
Try to press the option key 5 times if you're on MacOS Sonoma and see if you can type
Or as soon as you see the input box, type the password as fast as you can before you see the pop-up message

Okay, but the important thing is how to disable it so next time you won't struggle with the same issue again...

Go to setting -> Lock Screen -> Scroll down to Accessibility options -> click on it -> then turn off Mouse Keys.

A simple script to set up GitLab runner on AWS EC2 instance

Jane — Mon, 18 Sep 2023 13:04:18 +0000

Pre-requisite:

AWS EC2 instance - in this case, I have RHEL9 as the base OS (could so work for CentOS)
GitLab's runner token: export RUNNER_TOKEN="your-runner-token" - you can get it from your GitLab's project

Steps to set up the runner:

Create a file: touch set-up-runner.sh (copy code below to set-up-runner.sh)
Then in the same path of your set-up-runner.sh, on your terminal, run set +x set-up-runner.sh: this is to set execution permission for your script
Finally, run ./set-up-runner.sh

#!/bin/bash

set -euxo pipefail

#Download and install gitlab-runner
curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.rpm.sh" | sudo bash
sudo yum install -y gitlab-runner

#Add docker repository to RHEL
sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo yum makecache

#Check for existing docker, podman before installing docker
sudo yum remove docker \
                  docker-client \
                  docker-client-latest \
                  docker-common \
                  docker-latest \
                  docker-latest-logrotate \
                  docker-logrotate \
                  docker-engine \
                  podman \
                  runc

#Install and enable docker
sudo yum install -y docker-ce docker-ce-cli containerd.io
sudo systemctl enable --now docker

#Register gitlab runner
sudo gitlab-runner register \
    --non-interactive \
    --url "https://gitlab.com/" \
    --registration-token $RUNNER_TOKEN \
    --description "gitlab-runner-ec2" \
    --executor "docker" \
    --docker-image alpine:latest \
     --tag-list "container-builds"

#Start service
sudo gitlab-runner start
sudo gitlab-runner verify

Code reviews 101

Jane — Wed, 07 Jun 2023 15:05:37 +0000

Behind every non-interrupting production codes stand a sequence of process called code review. How does code review rule in your team look like?

Hers are some of the criteria to merge new lines of code to a production branch in my team:

There should be at least minimum 2 approvers to verify the code is safe to land on the main branch
Tests must be included to verify that the new adding code won't break anything
Tests coverage percentage, ideally it should be increase rather than decrease. In some special case, it can stay the same
CI/CD pipeline passed - no explanation needed because if it's not green then it won't going in...
One MR/PR one functionality - we will always nitpick about mixing differences features in the same commit or branch
Clean commit message - commit message should explain what the change is about for future traceability
Always rebase from main branch
Add document/README if necessary - by default there should be README in the repo but in case there is new feature in the change, adding more info is best practice

In order for the criteria above to be working, we need good collaboration from reviewers and code assigners. I've listed some of the points that reviewers and coders should keep in mind based on my own experiences.

First of all I think, as a decent reviewer, one should:

Ask questions to clarify any ambiguity
Give comments: if it's good it's encouraging to point it out and if it needs some improvement it should not be overlooked
Site resources: always attach detail reading to help coders learn and broaden their knowledge
Give code suggestion to clarify on the comment: if it seems complicated by writing alone, it's best to give a code suggestion
Always ask for tests/doc if not provided
Review in one-off manner, avoid giving review on the 1st version after the 1st round of change is already applied
Be kind - leave judgemental out of the process and focus on making the code better
Give ETA - if you're requested to review some codes while you're working on other thing, please at least let people know and don't let them hang in there
Clone the code and run locally - if needed, we should try running the code locally to make sure it works as expected

And for the review requester, before asking for code review, make sure to:

include description of what the change is about
pick reviewers that are more likely familiar with the piece of code
attach the MR/PR to the related ticket requirement
specify which part you most would like to request another pairs of eyes
ask back questions if you are not clear with any comments/suggestions
be open to take good suggestions
give reasons to your different point of view

These are all I have so far, feel free to drop yours. Happy coding/reviewing :)

Best practice for artifacts downloading

Jane — Thu, 02 Mar 2023 22:38:11 +0000

Here comes another post related to security. Well, I don't think it is new. I am writing this blog thinking that any new software engineer might find it useful like I did. To me this is not the thing that I learned from school (I guess anyone that is doing security major already has a decent insight about it). Anyway, my point is I am learning things from working in my current projects and working with a bunch of experienced engineers. I hope everyone else also has the same privilege otherwise I am trying to share what I learned here as much as I can.

Let's get to the point!

With the daily usage of computer comes a bunch of software or application on the Internet that helps enhancing the users' usability. Those add-ons are unavoidable unless you choose to build everything on your own. We're pulling thing from the Internet everyday no matter as a common user or as part of our job. Until this point, I want to point out that security bridge could be plugged in here while our network traffic is in progress of dragging those app/software to our local machine. One small thing that I adapt for myself as for security sake is to always use software verification method such as checksum or GPG (you may need to install them if you don't have them locally already).

What is checksum?

Wikipedia stated here

A checksum is a small-sized block of data derived from another block of digital data for the purpose of detecting errors that may have been introduced during its transmission or storage. By themselves, checksums are often used to verify data integrity but are not relied upon to verify data authenticity.

It looks like this 56430090dd471e106fdc48463027d89de624759f8757248ced9776978854e4f6. This chunk of number works in pair with another object for example the application or the software you download from the Internet. How it works is that it tells whether the target object is actually the original one and it was not going through any modification while downloading.

For example, if you intend to download pycharm and install it on your machine, you obviously don't want to install any other malicious software however who knows an attacker might get control to your network and replace that pycharm with some virus software. So for best practice, you should verify that software before you run the installation. Here how you can use checksum with pycharm example:

In your terminal, navigate to path where your download locates and you can run:

shasum -a 256 pycharm-professional-2022.3.2.tar.gz

It will return this sha256:

56430090dd471e106fdc48463027d89de624759f8757248ced9776978854e4f6

You can compare it to the original checksum that may be provided in the download page of the application/software you intend to pull.

In my case, pycharm has it here.

Another way of checking the integrity of software is to use GPG. Here is more info about GPG.
For this option, in addition to downloading the software, you will have to download the signature file as well.
For example, in your terminal, you can run the following command

gpg --verify gnupg-2.2.41.tar.bz2.sig gnupg-2.2.41.tar.bz2

Some softwares like zoom provide public key and you will have to import it. Here is what I extracted from the download instruction page of zoom for Fedora:

*Zoom's rpm packages are signed with a GPG key. Please run "rpm --import package-signing-key.pub" to import the key in case package management utility asks for a missing public key.

Checkout the original page here

I think there are more ways to verify the authenticity of the software out there. Feel free to leave the comments to let me and other know all the options out there.

Lastly, what I find pretty useful is when engineers who write Container file where it is required to install some library or package always make sure to include such a verification step. This one little thing can prevent a loophole in our application and enhance a huge security of software/application.

I started to use password manager and I think you should do it now too!!!

Jane — Fri, 20 Jan 2023 10:55:27 +0000

"Security is extremely important!" is the phrase that I heard everywhere, I am totally onboard, and I entirely encourage people not to overlook even a teeny-tiny loophole. However, it is a shame to expose that I myself using the same password for many accounts I registered online (Just to clarify, only for not really critical accounts). It was always fine; I get by without any issues and my password consisted of all the mixes from capital letter, number through symbol. The thing that added on to my clumsiness (using the same password almost everywhere) was the flaw in the sites I registered with. So recently, I found out through this site (Declaimer: I googled whether this site is legit and most of the answers are yes so I decided to share it here) that some of the websites I used to have account there were hacked and most users' credentials were exposed which is true because I was one of the victim.

Let me share the story. A few weeks ago, I received a ton of messages on my phone with a security code to login into my GitHub account (I set up my GitHub account with 2-factors authentication). The fact that I received messages means that the attacker (maybe bot) holds my correct email, username and password. I was anxious and furious. It is very offensive (and shameful) to be the target of attacker given the fact that I am someone who is in the tech sector. In short, it was not a successful attempts but I was very paranoid because the same email and password were registered somewhere else as well. I went ahead and change password of all the accounts I own. Here comes the challenge, how could I remember all the passwords given that I owe so many accounts? There, I decided to use password manager. I heard about bitwarden which is an opensource product and is also used by the current company I am working at. Again, disclaimer, this post is not to promote bitwarden and I don't get any money, commission, or benefit from them at all. I am here to share how easy it is to start adopting it. Bitwarden or any password manager can generate a secure password for you which can consist of range of random letters, symbol, number and with the length as you set up. It also has a function to check if the password that it generates (or you have been using) is under any data bridge situation before or not. There is an app for mobile which you can record all your password there so the next time you need to log in any sites from mobile, you will just configure to load the password from the app. The same goes to browser, I haven't checked all the browsers but there is a chrome extension for that.
Once you use password manager, next you will only need to remember your master password (which is recommended to set it as secure as possible). You can configure the app or browser to log out immediately after using it or with specific duration. There is also 2-factors authentication and many more settings that you can set up to make sure that you will not lose it.

One last scary thing that I want to share is that a few days later after trying to login to my GitHub account, I received another email which is the email that is sent by a website for the purpose of "verifying email address". It is obvious that (maybe) a person was using my account to register to some sites. My anxiety level increased and until now I am scared and always alert to check my email, bank accounts and everything to make sure that nothing is compromised. I was also curious so I tried to login into that site with the email and the old password that was leaked. Boom, I logged in. It's terrifying. I didn't know what the best solution was. I just went straight to delete the account. Until now, it is quiet but if anyone knows a better approach to response to such situation please let me know.

Okay, so this is the story. I hope my story could convince people who do not put too much concern over security to start picking up a habit of better securing their credentials.

Automate sending good night text to your loved one's telegram with a simple python script :P

Jane — Mon, 02 Jan 2023 16:04:57 +0000

I was just googling around on how to automate sending daily message to a telegram user. Most of the results are leading to sending the message to a bot (which is subscribed by user) - in short it is when a user connects to a specific bot and that bot sends message to the user. Another thing is the telegram feature of scheduling the message but it does not have the option to repeat the schedule daily. These are not what I want at all. What I want is to automate sending a message from my own account to a specific user and do it daily.

After a more thorough search, I finally found a python library telethon that makes sending message to telegram user very simple with a few line of codes. I will describe below the process I went through.

First, we will need our telegram api_id and api_hash. Please keep in mind that it must not be shared with anyone else as it is a bridge to our authentication.
To get that, you need to login here: https://my.telegram.org/auth?to=apps using your phone number with the country code. Then you will ask to provide the confirmation code. If you never generate the app configuration before, you will need to enter some information. Then you can proceed to get your api_id and api_hash which will then be used to authorize your identity to send the message. You should have something as the image below.

api_id and api_hash will be used to establish telegram client. And after that, we can start the client and perform any api functions.

from telethon import TelegramClient, events, sync

client = TelegramClient('session_name', api_id, api_hash)
client.start()

Just a side note, I set values of my api_id and api_hash to the environment variables and took it later as following:

import os

api_id = os.getenv("TELEGRAM_API_ID")
api_hash = os.getenv("TELEGRAM_API_HASH")

Then, it is a matter of calling the client function which in this case is send_massage. It is as easy as following:

client.send_message(username, randomize_message())

username is the target (receiver) with @ sign as prefix. For example @janesoo

Then comes to how to set the script to send the message daily. For this, I used python library schedule. I set a specific hour and did a random for minute (so the receiver won't suspect if it's automated LOL) but overall it is in this piece here:

schedule.every().day.at(f"00:{randomize_minute()}").do(send_message)

while True:
    schedule.run_pending()
    time.sleep(1)

The last while True is to make sure that the code keeps running.

One last note is that, when you run the application for the first time, you will be prompt to enter your phone number and confirmation code. However, you will be kept logged in on your host machine for sometime (longer time) and you don't have to do it even after you stop the application and run again.

And with that, we can easily send a daily message to any telegram users.

Here is the full script:

import os
import schedule
import time
import random

from telethon import TelegramClient, events, sync

MESSAGES = [
    "good night!",
    "good night ;)",
    "dobrou noc!",
    "dobrou noc ;)"
]

#in order to get the info below you need to request here: https://my.telegram.org/apps
api_id = os.getenv("TELEGRAM_API_ID")
api_hash = os.getenv("TELEGRAM_API_HASH") 

#this is a telegram username with @ as prefix
username = os.getenv("TARGET_TELEGRAM_USERNAME")

client = TelegramClient('session_name', api_id, api_hash)
client.start()


def randomize_minute():
    return random.randint(0,59)

def randomize_message():
    return random.choice(MESSAGES)

def send_message():
    try: 
        client.send_message(username, randomize_message())
    except Exception as e:
        print(e)    

schedule.every().day.at(f"00:{randomize_minute()}").do(send_message)

while True:
    schedule.run_pending()
    time.sleep(1)

Introducing fancy open source terms

Jane — Tue, 26 Jul 2022 13:57:00 +0000

If you are like me who never really worked in a real opensource community, then there is a possibility that you might not know what exactly some of the terms I am going to elaborate below mean. Or maybe it happened to me because my limited access to English vocabularies. But first, let me take the definition of open source and paste it here.

Open source is source code that is made freely available for possible modification and redistribution. Wikipedia

To add on that, it is worth mentioning that anyone can use the code, modify for personal or business purpose.

Okay, let's dive deep into the first term which is upstream. Upstream, in the context of IT/open source world, defines the original destination of project/code available on the Internet. The most common example is the public git repositories on GitHub, GitLab or any version control tools. If we further dive into any of the upstream repository (public repository), we are likely to see a number of contributors working on that certain project. Those contributors are not paid. They do it voluntarily. Contribution means are varied ranging from writing features, fixing bugs, raising issues, writing documentation...etc.

On the contrary, there is another term downstream. Downstream refers to a copied version of upstream which could include any slightly changes but not abandoning the identity of the upstream. An individual programmer or company who would like to add specific feature on top of the existing upstream project absolutely can copy the whole upstream and add the changes need to use for their own purposes.

Most of us might know the fork functionality in version control tool like GitHub already. That serves the purpose for open source workflow.
Now visualize the public repository for cupcake recipes. That repository contains ton of different of cupcake recipes. As a baker myself, I want to share my own recipe to people out there. So, I fork the repository (creating downstream), create my own branch for the recipe, create request to merge that to the upstream and wait for approval. Then, if any authorized maintainer of the repo thinks that my recipe is good, he/she can merge it to the upstream. So now, my recipe is available worldwide.
Now let's look into another case when I see the good recipe in the upstream. I have a cool idea to add one more ingredient that could light up the cupcake. So, I fork the recipe and create a branch for my changes. But, in stead of merging it into the upstream repo, I only make it available in my own repo (downstream) and only me and my team can access it. Therefore, my little cupcake shop now has a unique menu that no one else has.

Up until this point, I hope you learn something and most importantly the concept of open source. I think open source is beautiful. It starts from community of people who dedicates their time and effort for the community and it even allows business derivation from the community.

Merge party

Jane — Thu, 21 Jul 2022 07:01:10 +0000

Have you ever fallen into a situation when you're trying to refactor your project and ended up dumping thousand line of codes all together in one merge/pull request? Then it becomes hard to split them up.
On the other hand, as a reviewer, do you feel frustrated with the overwhelming changes and get procrastinated to even start the review? And for the beginner reviewer who has no idea what most of the code is all about, that's very challenging to even try to understand.

What about a situation when reviewers come with different opinions? That's right because everyone is different and everyone has different background and experiences.There's also time when the owner of the MR/PR would like to present new functionalities or fancy programming concepts in which he/she needs to convince the team that it will not break the project.

Until at this point, this is the reasonable time to introduce merge party concept to the table. I, myself, just learned this when I joined the current company I am working for. I am blessed as everyone is very competent and open to sharing their bit of useful information.

Okay, so what is merge party? Basically, it's just a group of programmers, engineers, developers of your own team, or any stakeholder who is familiar with the project, the concept, programming languages or beginner who would like to learn sit together and go through the code (hopefully not line by line). The owner of the MR/PR presents the changes, explains reasoning, and most importantly how it is work. Experienced people in the team can ask questions for clarification and offer feedback/suggestions. Beginners, of course, could also do the same.
Merge party comes with the assurance that everyone in the team knows what is going on. Everyone comes out of it with consensus on whether to merge the code or to further adjust something. Most important of all is that we as the MR/PR owners will feel even more safe to merge the code as there are many eyes on it before it will land to main branch.
Additionally, as engineers, we get the chance to improve our presentation skill and also understand what we write even better when explaining to people.