DEV Community: Greg Bulmash 🥑

Moving Apple Music MP3 Playlists To Android

Greg Bulmash 🥑 — Tue, 14 Jan 2025 20:46:45 +0000

I switched from Apple to Android. How can I move my music?
This for people who have large MP3 (or other music file format) collections on their Mac and use Apple Music to organize them into playlists.

This cannot help you copy encrypted or streaming elements in your playlists. It only helps with songs where you have an unencrypted file you own in local storage on your machine. Basically it’s for olds like me who backed up our CD collection to MP3 and still have ALL the files.

If you just want the software: Apple Music to Android Github repository

Every story has an origin

I switched from an iPhone to a OnePlus 13 this weekend. For those of you who aren’t familiar with OnePlus, it makes Android phones with flagship level hardware at a bargain price. When their latest went up for order in the USA last week, it was on special for $899. That included the same processor that will power the upcoming Galaxy S25+ and other hardware and storage comparable to an $1199 Galaxy S24+.

I won’t go into why I’m leaving the apple ecosystem to avoid distracting from the topic at hand… moving my playlists to my OnePlus 13.

I couldn’t find a simple solution

Transferring all my music wasn’t a problem, it was making sure my playlists would survive. I have a variety of playlists based on decade, genre, and intent. Decade would be my 80s collection. Genre would be Ballads. Intent might be my “Rolling Cool” or “Workout” playlists to help amp up a road trip or 2 miles on the treadmill.

The solutions were mostly “transfer the music and then recreate the playlists on the new device” or “upload everything to a streaming service and stream it.” I didn’t want the days of work required to redo the playlists and I didn’t want to stream my music.

I started poking around

The Apple Music app on Mac has an option to export the library. So I tried it. The result was an XML file which contains all the data on your music files and your playlists.

I figured this should be pretty easy to parse and then iterate through the playlists to copy the files and make the playlist .m3u files. Initially, I thought of making a desktop app with Electron or something, but decided to just make a proof of concept with Node.js.

How it works

The XML file assigns a unique number to every song file (and its data), then the playlists are represented as arrays of song numbers. The node index.js analyze command runs through the list of files and outputs a playlists.json file. Edit that down to just the playlists you want to transfer/sync.

Once you’ve edited the file, node index.js export fills a designated folder with copies of all the songs and text-format .m3u playlist files for the files you selected. Move that folder into your music folder on your phone using a program like OpenMTP to facilitate copying the files from your Mac to your phone.

Could this be easier?

Yes. It is possible to incorporate an MTP library that will let it copy all the files to the phone directly so you don’t need to make (and eventually delete) the transfer folder. That will make it easier for the user, but will not necessarily be easy to implement. At the end of the day, wrapping it up in an Electron wrapper would make it possible to also make the playlist selection and exploration easier.

So if people find this useful and it gets good feedback, maybe I’ll make those upgrades.

Where do I get this Apple Music to Android Exporter?

This first release requires you have Node.js installed and know how to edit a JSON file, so it’s mostly for developers right now. Read the installation instructions at the AppleMusic2Android Github repository, and if you’re comfortable using them, please give it a try.

Three Mechanisms to Protect Your Git Repositories

Greg Bulmash 🥑 — Mon, 06 May 2024 19:25:11 +0000

Your version control system, like Git, is a primary vector for secret sprawl, unintentional source poisoning, and intentional source poisoning. In a shift left model, there are degrees of leftness. The most left you can get is to test all the code before the developer tries to commit anything and train them thoroughly in the best practices. But when we rely on people to remember to do things consistently and correctly, we're cutting holes in the safety net. We need mechanisms.

At Amazon they have a saying: "Good intentions don't work. Mechanisms do." Humans can feel fatigued, rushed, distracted, or otherwise encumbered, and despite all intentions to follow best practices, they don't. When you automate enforcement of best practices, you can ensure those practices are followed in a much more consistent and correct fashion.

Force code reviews by "Code Owners"

Git exists independently of GitHub, GitLab, and BitBucket. All of these businesses are providing Git as a service. Rather than categorizing them as "GaaS" (Git as a Service), let's call them GSPs (Git Service Providers). Pretty much all GSPs add functions and features you won't get from setting up your own basic Git server. But while they each add some unique value propositions, they often provide some of the same added value features as well. One of these is called "Code Owners."

Just like you would use .gitignore to specify which files should be ignored and never committed, you can add a file called CODEOWNERS to the root of a branch to specify who owns files, directories, naming patterns, etc. Those owners must review pull requests that impact the files they own before they can be merged.

This is supported by default in GitHub, GitLab, and BitBucket Data Center. For BitBucket Cloud, there's a free plugin. Generally they're pretty similar. Owners must have write permission so they can merge the pull requests. Depending on how the Git service identifies the owners, you might use their handle in the system, their email address, or a team identifier. In general, all three services use a similar syntax for their files, but consult the documentation for each.

For example, to fully protect a GitHub repository end to end, using CODEOWNERS, they recommend adding a CODEOWNERS file to the .github directory of the main branch, using it to set ownership of all the other CODEOWNERS files in the main repo or branches. No one will be able to modify a CODEOWNERS file in a subdirectory or branch without a review except the owner of the CODEOWNERS files.

CAVEAT:

This can get a little fiddly as you deal with various combinations of permissions, settings, and rules. A couple of the fiddly bits from GitHub…

Someone on a team that is set as a code owner, but who doesn't have write permissions, will be able to approve a pull request, but not merge it.
You'll need to set "Require review by Code Owners" in the branch protection rules (see next section) to limit merges to the designated code owners. Without it, the designated code owners will get notified, but anyone with write permissions will be able to merge.

Set branch protection rules / permissions

This goes by different names at the different services. We've got GitHub branch protection, Gitlab protected branches, and Bitbucket branch permissions.

These give you a bit more expansive and varied permissions than a CODEOWNERS file does and can even impact how CODEOWNERS is enforced, but require a bit more of a learning curve, and in some cases, navigating configuration menus in the website instead of just adding files.

For example, GitHub branch protection rules are set up by going to Settings - Code & automation - Branches - Branch protection rules, then adding a rule.

The first step is to define the branches to which the rule will apply using a pattern or a name. Then, in the docs, 21 sentences following that begin with "optionally" before you get to finalizing and applying the rule.

If I've counted correctly, the fourth "optionally" covers setting "Require review by Code Owners" as mentioned in the previous section.

Three other options to keep in mind:

Require status checks to pass before merging: I don't just like this one because it's how you enable a GitGuardian scan on the pull request and block the merge if it fails. You can test for adherence to coding style, software content analysis (SCA) on any dependency changes, etc. And if any of them fail… the merge is blocked.
Allow specified actors to bypass required pull requests: Maybe you're being pressured by a hands-on CTO to use this to let them bypass a Code Owners review on their commits, because they're the CTO and they won't push bad code. Don't. Ask your manager for backup, but resist this with all your might. Even the CTO's good intentions don't work. Mechanisms do.
Do not allow bypassing the above settings: Even with some of the protections you can set, another person with admin privileges (or even you in a moment of weakness) can bypass them. This makes EVERYONE, no matter how good their intentions, subject to the mechanisms.

It's probably obvious to you by now that I like mechanisms.

Get fine-grained control with rulesets

Gitlab's "rulesets" are used to control a number of scans, such as SAST, SCA, and secrets scanning.

In GitHub, branch and tag behaviors can be governed with rulesets. Rulesets, however, are not limited to a single repository. They can be set at an organizational level. And all rules in effect for a branch or tag, at whatever level, are evaluated in a process called rule layering.

This is a very powerful feature, and to help you out, GitHub has its own ruleset recipes repository.

One caveat on rulesets can be found in GitHub's Enterprise Migration Guide. If you're importing commits from another GSP and some or all of those commits don't meet the requirements of rules in your organization, the commit imports will be blocked.

Next steps

Now that you've learned about these three mechanisms, start using them. Start with Code Owners and then move on to enabling it with a branch protection rule. If you're feeling adventurous, enable a GitGuardian scan on pull requests to block secrets from getting merged (and let you remediate them). And once you're a bonafide branch protecting talent, level up into rulesets.

Remember, messing up and not following best practices isn't evil. It's human. Use your skills to build mechanisms that aren't your overlords, but a second set of eyes to help you and everyone writing code for your repository catch mistakes before they become problems.

Do You Need an SBOM?

Greg Bulmash 🥑 — Mon, 06 May 2024 19:12:32 +0000

There's been a lot of talk about SBOMs in tech media. This article will help answer three crucial questions you may be asking:

What is an SBOM?
Why do I need an SBOM?
How do I get an SBOM?

What's an SBOM?

SBOM stands for "Software Bill of Materials." It works hand in hand with the concept of a Software Supply Chain where both terms come from manufacturing and supply chain management. It's essentially a structured list of the third party components that go into your software.

There are a number of SBOM standards, but we'll focus on the CycloneDX standard here. CycloneDX grew out of the Open Web Application Security Project (OWASP), is licensed under Creative Commons Zero v1 (think a "public domain" license formulated to meet the laws of many countries), and is a widely known and respected standard.

We won't dive deep, but here's a component listing for the @babel/polyfill NodeJS module from the ProtonMail web client's SBOM in CycloneDX's examples repository. It provides a variety of information about the component, including a published hash for that release that can be used to verify the authenticity of the component.

You don't need to read the example through and understand it thoroughly. But it's good to look through if you're interested. It provides a standardized way for you or a recipient of your software to understand what is in it, how to validate it, and to check it for known issues.

    <component type="library" bom-ref="pkg:npm/%40babel/polyfill@7.10.4">
      <group>@babel</group>
      <name>polyfill</name>
      <version>7.10.4</version>
      <description>
        <![CDATA[Provides polyfills necessary for a full ES2015+ environment]]>
      </description>
      <hashes>
        <hash alg="SHA-512">f0161c9d5a90e64303d875e81c89c11fb1f56ffb8fdca767c026173aa1675ea82e3b2baee38dd65eeb1b2146d611f6376744f1934335b86ffc62e00c84d97ace</hash>
      </hashes>
      <licenses>
        <license>
          <id>MIT</id>
        </license>
      </licenses>
      <purl>pkg:npm/%40babel/polyfill@7.10.4</purl>
      <externalReferences>
        <reference type="website">
          <url>https://babeljs.io/</url>
        </reference>
        <reference type="issue-tracker">
          <url>https://github.com/babel/babel/issues</url>
        </reference>
        <reference type="vcs">
          <url>git+https://github.com/babel/babel.git</url>
        </reference>
      </externalReferences>
    </component>

Why do I need an SBOM?

An SBOM is essentially a security and licensing analysis tool.

For yourself

1: It helps you ensure the security of the software you use.

Many developers use open source components to speed development and avoid the reinventing of wheels. As some have put it, it allows developers to "stand on the shoulders of giants." But the more third-party dependencies you have, the less control you have over what's in them.

An SBOM helps you ensure the security of the software you run. This shows all of the third-party dependencies in a software package you might be using and provides a machine-readable way to automate security evaluations. For example, the @babel/polyfill module listed above is at version 7.10.4, but it was deprecated at 7.4.0 for reasons of performance and modernity and the last update was issued years ago at 7.12.1.

The SBOM segment above is itself from an example timestamped in August of 2020. You can not only run automated reports on the SBOMs of software you use at the time of installation, but a periodic run will help you see when parts are deprecated and help you understand when you might need to update. If, for example, the version you have is no longer receiving security updates, your regular checks might turn up a CVE for a dependency that you might otherwise not realize applied to your production systems.

2: It helps you ensure you're within the bounds of the licenses in your components.

There's a wide spectrum of open source licenses with a variety of permissions and obligations. When you use open source components, you implicitly agree to those licenses. An SBOM makes it easier to catalog the licenses in your dependencies.

Companies have been sued over open source licenses. Wikipedia has a page on open source license litigation that covers both copyright and patent cases related to open source. In general, open source licenses are intended to promote use and innovation, but may have conditions that some businesses find onerous or incompatible with their intended use. Your stakeholders, shareholders, and customers will appreciate knowing the obligations created by the licenses so you/they can honor them, purchase a less restrictive/encumbered license (if offered), or replace incompatible dependencies.

For your customers

It serves as a transparency tool to give your customers the ability to run their own analysis to prove to themselves the security of the dependencies upon which your software relies and that the licenses to which they may be agreeing are compatible with their use.

Your customers would want an SBOM for the exact same reasons you would want one… or more. Executive Order 14028 ("Executive Order on Improving the Nation’s Cybersecurity") requires vendors to United States federal agencies to provide an SBOM with their software, either as a file in the package, or published on a website. That is part of a worldwide trend among governments and enterprises are following suit.

An SBOM is becoming a requirement to get a sales meeting, especially if you're selling to a government agency or selling to those who do.

How do I get an SBOM?

An important precursor to building an SBOM is running a Software Composition Analysis (SCA). With our new SCA tool, you can use GitGuardian to build your CycloneDX compliant SBOM.

The first step is to run your analysis and use it to learn about your software's direct dependencies (dependencies you specify) and transitive dependencies (the dependencies your dependencies have). If your dependencies have known vulnerabilities, you have the opportunity to remediate those issues and regenerate your SCA before generating your SBOM.

Once you have a report, you can select the sources (one some or all) and generate an SBOM.

While you'll generally create the SBOM before a release, you can use SCA throughout your development effort, adding a trigger as a git hook on developer machines running our gg-shield client. This way you can address vulnerabilities and licensing issues as you go and not get any big surprises when you build the release SBOM.

Summing up

A Software Bill of Materials is increasingly becoming a prerequisite for selling software as government, enterprise, and even SMB customers become more security conscious and security savvy. The good news is that you can not only automate creating one, but the requisite steps give you insight into known issues with both the dependencies you declare and the dependencies they declare. This allows you to develop more secure software, comply with applicable licenses, and give your customers documentation to help their peace of mind.

If you'd like to see how you can produce an SBOM with GitGuardian SCA, book a demo.

RealTek RTL8156B Works With Apple Silicon

Greg Bulmash 🥑 — Tue, 02 Apr 2024 19:35:22 +0000

In February, I tried an experiment, connecting my MacBook Pro to my Xfinity XB7 Gateway with a 2.5 gigabit LAN dongle. But I only got 1 gigabit speeds.

What was wrong?? I looked at the Plugable product description for the dongle I bought on Amazon and it said it would need drivers on Mac. So I went to their download site and saw this:

It said it basically didn’t have drivers for any release of macOS post the update to 11 when the M1 Silicon macs came out in 2020 and they were working on it with Realtek. But that was over 3 years ago.

I was mad. So I checked the Realtek site. They hadn’t updated the drivers since macOS 10.15 in 2020.

Yet, as I was looking for an updated driver or just an idea of what product would actually work, people were saying they were getting the proper speeds with products with RTL8156 chipsets. I tried a couple of port changes as one person suggested. No difference.

What was I getting wrong?

Spoiler: It really wasn’t the Realtek 8156B drivers at all

Then it occurred to me: “Does my XFinity Gateway even support 2.5 Gbps?” So I googled that.

Turns out it did, but only one out of four ports (identified by a colored stripe) supports that speed. The rest are 1 Gbps. I checked, and sure enough, I had the cable plugged into one of the 1 Gbps ports. I plugged it into the port with the stripe.

Lo and behold, it worked. Here are the results of the test I did after that.

So, while it seemed like the Realtek 8156 B chipset was the culprit, it was actually that my choice of router port on the gateway was the problem. I emphasize my choice being the problem, since the port I plugged it into was performing to specification, rather than it being the router’s fault. If you have an XFinity gateway and want the max speed out of it on your LAN, plug the LAN into port 4 (like mine) or a port with the stripe next to it.

Top Secrets Management Tools for 2024

Greg Bulmash 🥑 — Mon, 19 Feb 2024 15:37:59 +0000

Managing your secrets well is imperative in software development. It's not just about avoiding hardcoding secrets into your code, your CI/CD configurations, and more. It's about implementing tools and practices that make good secrets management almost second nature.

A quick overview of secrets management

What is a secret? It's any bit of code, text, or binary data that provides access to a resource or data that should have restricted access. Almost every software development process involves secrets: credentials for your developers to access your version control system (VCS) like GitHub, credentials for a microservice to access a database, credentials for your CI/CD system to push new artifacts to production.

There are three main elements to secrets management:

How you're making them available to the people/resources that need them.
How you're managing the lifecycle/rotation of your secrets.
How you're scanning to ensure that the secrets are not being accidentally exposed.

We'll look at elements one and two in terms of the secrets managers in this article. For element three, well, we're biased toward GitGuardian because we make it. Accidentally exposed secrets don't necessarily get a hacker into the full treasure trove, but even if they help a hacker get a foot in the door, it's more risk than you want. That's why secrets scanning should be a part of a healthy secrets management strategy.

What to look for in a secrets management tool

In the Secrets Management Maturity Model, hardcoding secrets into code in plaintext and then maybe running a manual scan for them is at the very bottom. Manually managing unencrypted secrets, whether hardcoded or in a .env file, is considered immature. To get to an intermediate level, you need to store them outside your code, encrypted, and preferably well-scoped and automatically rotated.

It's important to differentiate between a key management system and a secret management system. Key management systems are meant to generate and manage cryptographic keys. Secrets managers will take keys, passwords, connection strings, cryptographic salts, and more, encrypt and store them, then provide access to them for personnel and infrastructure in a secure manner. For example, AWS Key Management Service (KMS) and AWS Secrets Manager (discussed below) are related, but distinct brand names for Amazon.

Besides providing a secure way to store and provide access to secrets, a solid solution will offer:

Encryption in transit and at rest: the secrets are never stored or transmitted unencrypted.
Automated secrets rotation: the tool can request changes to secrets and update them in its files in an automated manner on a set schedule.
Single source of truth: the latest version of any secret your developers/resources need will be found there and it is updated in real time as keys are rotated.
Role/Identity scoped access: different systems or users are granted access to only the secrets they need under a principle of least privilege. That means a microservice that accesses a MongoDb instance only gets credentials to access that specific instance and can't pull the admin credentials for your container registry.
Integrations and SDKs: the service has APIs with officially blessed software to connect common resources like CI/CD systems or implement access in your team's programming language/framework of choice.
Logging & Auditing: you need to not only check your systems periodically for anomalous results as a standard practice, if you get hacked, the audit trail can help you track how and when each secret was accessed.
Budget and scope appropriate: If you're bootstrapping with 5 developers, your needs will differ from a 2,000-developer company with federal contracts. Being able to pay for what you need at the level you need it is an important business consideration.

The Secrets Manager List

Cyberark Conjur Secrets Manager Enterprise

Conjur was founded in 2011 and was acquired by Cyberark in 2017. It's grown to be one of the premiere secrets management solutions thanks to its robust feature set and large number of SDKs and integrations.

With Role Based Access Controls (RBAC) and multiple authentication mechanisms, it makes it easy to get up and running using existing integrations for top developer tools like Ansible, AWS CloudFormation, Jenkins, GitHub Actions, Azure DevOps, and more.

You can scope secrets access to the developers and systems that need the secrets. For example, a Developer role that accesses Conjur for a database secret might get a connection string for a test database when they're testing their app locally, while the application running in production gets the production database credentials.

The Cyberark site boasts an extensive documentation set and robust REST API documentation to help you get up to speed, while their SDKs and integrations smooth out a lot of the speed bumps.

In addition, GitGuardian and CyberArk have partnered to create a bridge to integrate CyberArk Conjur and GitGuardian's Has My Secrets Leaked. This is now available as an open-source project on GitHub, providing a unique solution for security teams to detect leaks and manage secrets seamlessly.

Learn more about this CyberArk & GitGuardian integration.

Google Cloud Secret Manager

When it comes to choosing Amazon Web Services (AWS), Google Cloud Platform (GCP), or Microsoft Azure (Azure), it's usually going to come down to where you're already investing your time and money.

In a multi-cloud architecture, you might have resources spread across the three, but if you're automatically rotating secrets and trying to create consistency for your services, you'll likely settle on one secrets manager as a single source of truth for third party secrets, rather than spreading secrets across multiple services.

While Google is behind Amazon and Microsoft in market share, it sports the features you expect from a service competing for that market, including:

Encryption at rest and in transit for your secrets
CLI and SDK access to secrets
Logging and audit trails
Permissioning via IAM
CI/CD integrations with Github Actions, Hashicorp Terraform, and more.
Client libraries for eight popular programming languages.

Again, whether to choose it is more about where you're investing your time and money rather than a killer function in most cases.

If this interests you, we've got some tips on using Google Cloud Secret Manager.

AWS Secrets Manager

Everyone with an AWS certification, whether developer or architect, has heard of or used AWS Secrets Manager. It's easy to get it mixed up with AWS Key Management System (KMS), but the Secrets Manager is simpler. KMS creates, stores, and manages cryptographic keys. Secrets Manager lets you put stuff in a vault and retrieve it when needed.

A nice feature of AWS Secrets Manager is that it can connect with a CI/CD tool like GitHub actions through OpenID Connect (OIDC) and you can create different IAM roles with tightly scoped permissions, assigning them not only to individual repositories, but specific branches.

AWS Secrets Manager can store and retrieve non AWS secrets as well as use the roles to provide access to AWS services to a CI/CD tool like GitHub Actions. Using AWS Lambda, key rotation can be automated, which is probably the most efficient way as the key is updated in the secrets manager milliseconds after it's changed, producing the minimum amount of disruption.

As with any AWS solution, it's a good idea to create multi-region or multi-availability-zone replicas of your secrets, so if your secrets are destroyed by a fire or taken offline by an absent-minded backhoe operator, you can fail-over to a secondary source automatically. At $0.40 per secret per month, it's not a huge cost for added resiliency.

If this interests you, we've got some tips on using AWS Secrets Manager.

Azure Key Vault

Azure is the #2 player in the cloud space after AWS. Their promotional literature touts their compatibility with FIPS 140-2 standards and Hardware Security Modules (HSMs), showing they have a focus on customers who are either government agencies or have business with government agencies. This is not to say that their competitors are not suitable for government or government-adjacent solutions, but that Microsoft pushes that out of the gate as a key feature.

Identity-managed access, auditability, differentiated vaults, and encryption at rest and in transit are all features they share with competitors.

As with most Microsoft products, it tries to be very Microsoft and will more than likely appeal more to .Net developers who use Microsoft tools and services already. While it does offer a REST API, the selection of officially blessed client libraries (Java, .Net, Spring, Python, and JavaScript) is thinner than you'll find with AWS or GCP.

As noted in the AWS and GCP entries, a big factor in your decision will be which cloud provider is getting your dominant investment of time and money. And if you're using Azure because you're a Microsoft shop with a strong investment in .Net, then the choice will be obvious.

If this interests you, we've got some tips on using Azure Key Vault.

Doppler

While CyberArk's Conjur (discussed above) started as a solo product that was acquired and integrated into a larger suite, Doppler currently remains a standalone key vault solution. That might be attractive for some because it's cloud-provider agnostic, coding language agnostic, and has to compete on its merits instead of being the default secrets manager for a larger package of services.

It offers logging, auditing, encryption at rest and in transit, and a list of integrations as long as your arm. Besides selling its abilities, it sells its SOC compliance and remediation functionalities on the front page. When you dig deeper, there's a list of integrations as long as your arm testifying to its usefulness for integrating with a wide variety of services, and its list of SDKs is more robust than Azure's.

It seems to rely strongly on injecting environment variables, which can make a lot of your coding easier at the cost of the environment variables potentially ending up in run logs or crash dumps. Understanding how the systems with which you're using it treat environment variables, scope them, and the best ways to implement it with them will be part of the learning curve in adopting it.

Infisical

Like Doppler, Infisical uses environment variable injection. Similar to the Dotenv package for Node, when used in Node, it injects them at run time into the process object of the running app so they're not readable by any other processes or users. They can still be revealed by a crash dump or logging, so that is a caveat to consider in your code and build scripts.

Infisical offers other features besides a secrets vault, such as configuration sharing for developer teams and secrets scanning for your codebase, git history, and as a pre-commit hook. You might ask why someone writing for GitGuardian would mention a product with a competing feature. Book a demo with GitGuardian and we'll show you why we believe we're better.

Aside from the scanning, their secrets and configuration vault/sharing model offers virtual secrets, over 20 cloud integrations, nine CI/CD integrations, over a dozen framework integrations, and SDKs for four programming languages. Their software is mostly open source and there is a free tier, but features like audit logs, RBAC, and secrets rotation are only available to paid subscribers.

Akeyless

AKeyless goes all out features, providing a wide variety of authentication and authorization methods for how the keys and secrets it manages can be accessed. It supports standards like RBAC and OIDC as well as 3rd party services like AWS IAM and Microsoft Active Directory.

It keeps up with the joneses in providing encryption at rest and in transit, real-time access to secrets, short-lived secrets and keys, automated rotation, and auditing. It also provides features like just-in-time zero trust access, a password manager for browser-based access control as well as password sharing with short-lived, auto-expiring passwords for third parties that can be tracked and audited.

In addition to 14 different authentication options, it offers seven different SDKs and dozens of integrations for platforms ranging from Azure to MongoDB to Remote Desktop Protocol.

They offer a reasonable free tier that includes 3-days of log retention (as opposed to other platforms where it's a paid feature only).

1Password

You might be asking "isn't that just a password manager for my browser?" If you think that's all they offer, think again. They offer consumer, developer, and enterprise solutions, and what we're going to look at is in their developer-focused offering.

Aside from zero-trust models, access control models, integrations, and even secret scanning, one of their claims that stands out on the developer page is "go ahead – commit your .env files with confidence." This stands out because .env files committed to source control are a serious source of secret sprawl. So how are they making that safe?

You're not putting secrets into your .env files. Instead, you're putting references to your secrets that allow them to be loaded from 1Password using their services and access controls. This is somewhat ingenious as it combines a format a lot of developers know well with 1Password's access controls. It's not plug-and-play and requires a bit of a learning curve, but familiarity doesn't always breed contempt. Sometimes it breeds confidence.

While it has a limited number of integrations, it covers some of the biggest Kubernetes and CI/CD options. On top of that, it has dozens and dozens of "shell plugins" that help you secure local CLI access without having to store plaintext credentials in ~/.aws or another "hidden" directory.

And yes, we mentioned they offer secrets scanning as part of their offering. Again, you might ask why someone writing for GitGuardian would mention a product with a competing feature. Book a demo with GitGuardian and we'll show you why we believe we're better.

HashiCorp Vault

HashiCorp Vault offers secrets management, key management, and more. It's a big solution with a lot of features and a lot of options. Besides encryption, role/identity based secrets access, dynamic secrets, and secrets rotation, it offers data encryption and tokenization to protect data outside the vault.

It can act as an OIDC provider for back-end connections as well as sporting a whopping seventy-five integrations in its catalog for the biggest cloud and identity providers. It's also one of the few to offer its own training and certification path if you want to add being Hashi Corp Vault certified to your resume.

It has a free tier for up to 25 secrets and limited features. Once you get past that, it can get pricey, with monthly fees of $1,100 or more to rent a cloud server at an hourly rate.

In summary

Whether it's one of the solutions we recommended or another solution that meets our recommendations of what to look for above, we strongly, strongly, strongly recommend integrating a secret management tool into your development processes. An under-protected secret is like an alligator in a kiddie pool. It might not cause harm today, but you never know when it'll get out and terrorize the neighborhood.

Create a REST API with PHP and Laravel

Greg Bulmash 🥑 — Tue, 06 Jun 2023 18:39:01 +0000

PHP came out in 1995, just three weeks after Java. Today, both remain in the top ten most popular languages. With PHP’s general ease of use, options for how to use it abound. Yet, not every PHP tutorial is created equally. That’s why we put together this beginner-friendly Postman Quickstarts tutorial on building a REST API with PHP. We’re using what we think is a straightforward framework for this purpose: Laravel.

Laravel is a popular PHP web app framework that comes with a variety of built-in tools and features for building APIs. In this tutorial, we will be creating a simple API that allows users to add and retrieve data.

Before we get started…

Double check that you’re ready to write in PHP. Only a basic familiarity is needed for this tutorial, and PHP has a notoriously flat learning curve for new users—we encourage you to try at any skill level.

Next, confirm that the following are installed:

Git (Required)
PHP (Required)
Composer (Required)
Homebrew (only for Mac)

If you want step by step instructions for installing any of the above, refer to the full Laravel API quickstart guide at Postman. Plus, you’ll also want to open up your favorite code editor. Now, let’s get started!

Step 1: Start your Laravel project

Scaffold your Laravel project

Before we can write any code, we need to scaffold a Laravel project. Thanks to Composer, this is relatively simple. Open a terminal and navigate to the directory where this project will live. Enter the following command in the terminal:

composer create-project laravel/laravel laravel_project

This could take some time. There are tens of megabytes to download and install.

When it's finished, you will have a project folder named laravel_project.

Give it a test

Navigate into the laravel_project folder and enter the following command in the terminal:

php artisan serve --port=8080

This will launch your project at http://localhost:8080. Change the port to something else if you already have a process using the port. When it's running, visit the URL. It will return this homepage.

Note down in the bottom right, you'll see the Laravel and PHP version numbers. If you're looking for tutorials, finding ones for Laravel and PHP that are as close to those versions as possible will help minimize problems.

Let's move on to adding an API.

Step 2: Build an API

Create the route

This will create a public API with no authentication.

Open routes/api.php in your Laravel project directory in your editor. Add the following code at the end:

Route::get('/hello', function () {
  return "Hello World!";
});

This adds the /api/hello endpoint and returns "Hello World" in plain text to a GET request.

Note how the endpoint was prefixed with /api by Laravel.

Next, let's call this endpoint in Postman.

Step 3: Try your first endpoint

To test this in Postman, open your personal workspace and start a collection. Name it "Laravel QuickStart" or something else you prefer.

Once it's created, select Add a request to get started.

Set the request URL to localhost:8080/api/hello and make sure your Postman Desktop Agent app is running on your machine to prevent any CORS issues while testing locally.

Select Send and the response section below the request section will show a response of Hello World! in plain text with a 200 OK response code.

Congratulations. You created your first API endpoint in Laravel and successfully called it with Postman.

Next, let's make a simple POST endpoint for fun.

Step 4: Add a POST endpoint

Go back to your routes/api.php file and add the following:

Route::post('/reverse-me', function (Request $request) {
  $reversed = strrev($request->input('reverse_this'));
  return $reversed;
});

This adds a POST route for the endpoint api/reverse-me. It will reverse a string you pass in the body of the post with the parameter name reverse_this.

Let's try this in the next section.

Step 5: Try your POST endpoint

Return to your Laravel QuickStart collection in Postman and add a request. Name it "Reverse" and follow these steps:

Set the request type to POST.
Set the endpoint to localhost:8080/api/reverse-me.
Select the Body tab.
In the top dropdown menu in the tab, select x-www-form-urlencoded.
Add a parameter of reverse_this with the value of esrever. That's "reverse" already reversed so the return value will be easy to read.
Select Send

The API will return the string reverse in plain text. Congratulations! You’ve created a REST API with PHP and Laravel.

Summary

In this blog post, we explored how to create a simple PHP-based API with the Laravel framework. We created both GET and POST API endpoints and used Postman to test those endpoints. By following this tutorial, you should now have a solid understanding of how to create a basic API with Laravel and how to test it using Postman.

Going further…

If you want to deepen your knowledge of Laravel and Postman, try these exercises:

Dive into the Laravel 10.x documentation to add a controller for handling more complex requests and/or add a model to connect a database.
Review the Laravel 10.x error handling documentation to learn best practices for error-handling in Laravel, such as what might happen if someone submitted a binary file instead of a string to your string-reversing endpoint.
Explore the Postman testing documentation and write a test on the POST request to make sure the reverse_this string is being reversed properly.

Check out Postman Quickstarts for more step-by-step guides like this one. If you’d like to contribute your own, head over to the Postman Quickstarts repo on GitHub.

Adding (Partial) Skill Sets

Greg Bulmash 🥑 — Tue, 21 Mar 2023 16:16:54 +0000

One of the things I intended to do with some of my spare time during my job hunt was update my skills; dive a bit deeper in Python, maybe pick up some Go.

But tutorials can be so boooring

I never seem to get beyond the same place in a Python tutorial I bought on Udemy because I get so bored. It's not the teacher's fault, but it's the fact that I'm trying to sift the wheat from the chaff in the early parts.

See, I already know how to program. I know about (most) data structures, comparison operators, basic flow control. I'm not one of those guys looking to learn how to do "Hello World!" in 18 languages. What I need to understand is how Python does it differently from the languages I know. How do I adapt my skills, then dive deeper into unique things?

I did this once, then forgot I did it

I didn't do this with Python, but Java. As a member of the Dev Rel team at Avalara, we sat under Customer Success. Besides doing outbound awareness and developer relations, we were also "platinum" support for our Technical Account Managers (TAM's). I was under the gun to debug a customer's Java code. They were having an intermittent authentication error with our API that caused API calls to fail more often than they worked.

The customer did not have time for me to learn Java from the ground up. Since I got the assignment late in the week and I was a PHP developer at the time, I hunted down a "Java for PHP Developers" tutorial and got into it over the weekend. It was what I needed to get started quickly, get the skills I actually needed, and I got their code debugged on Monday.

For those interested in what the bug was

Avalara used a load balancer that assigned your authentication call to a random server in the pool behind it. When you authenticated with the server the balancer assigned, it sent a cookie you needed your code to pass back in the headers of subsequent calls in the session, so those calls could be routed by the load balancer to the server that had your current session in memory.

The customer's code was ignoring the cookie, so every subsequent call was being assigned to a random server. Therefore, calls would only succeed when they happened to hit the same server that had performed the authentication. I added a couple of lines of code to preserve the cookie and add it to subsequent calls in the session.

Yet, I try to do "from the ground up" tutorials

I bought a Python "boot camp" tutorial on Udemy and have wasted hours on it because I go through the same skills and data structures as if I'm new to programming, not just Python. Recently I thought "I need a Language X for Language Y developers tutorial, not this beginners' boot camp." And then the memories of that Java tutorial came flooding back (because it was 7.5 years ago).

I've been doing some PHP recently, but I gradually switched over to Node 7 years ago and haven't used PHP much in the last 6 years. So I hunted for some "Python for JavaScript Developers" tutorials. There are a bunch.

Look for tutorials aimed at developers who already know a programming language you know.

This should help prevent you getting bored and quitting before you get the knowledge you need.

Yes, I need to know how Python treats strings differently than JavasScript does, but not what a string is and what strings are for.

I do not need to learn boolean logic, but I do need to know that Python uses True while JavaScript uses true.

I do not need to know what OOP is, but JavaScript's OOP is very particular because of its prototype-based system, so pretty much every language should have very meaningful differences.

I'll write a post reviewing some of the "Python for JS Developers" tutorials I explore in a couple of weeks, but I wanted to put this out there now. If you know of a good one, please share it in the comments.

Learning Python By Example #2: Bagels

Greg Bulmash 🥑 — Mon, 23 Aug 2021 15:00:00 +0000

My Intro

I'm improving my Python skills by coding through The Big Book of Small Python Projects by Al Sweigart. I've written a few Python scripts in the past, but never went very deep and had big gaps of time between uses.

In 1981 style, I'm manually typing in the code from the book. In 2021 style, I'm blogging about each program as I go to help me reinforce the learning even more and hopefully support others on the same journey.

Here's a direct link to read All Sweigart's "Bagels" code, though I suggest you buy the book if you're finding the code useful.

Note: Sorry for the line number references in the text below. My blog lets me start and end them as I need to, but Dev.To... not so much it seems.

Don't worry, this game is gluten free

"Bagels," in this instance, is a guessing game, not a gluten-laden ring of chewy goodness. I have actually baked home-made bagels a few times, but that's another story for another time.

As I started the process of typing this in, I realized something...

I didn't want to type in his intro comments that didn't contain anything useful about programming. So just as I wouldn't have typed that stuff in out of Compute, I am not now. But out of respect, since I'm publishing my version (instead of just writing it to a single-sided 5.25" floppy), I'm allowing myself to cut and paste that part..

Strolling through Al's intro

# Adding Al's header
# His version and my subsequent version of it are
# CC-BY-NC-SA - https://creativecommons.org/licenses/by-nc-sa/4.0/
"""Bagels, by Al Sweigart al@inventwithpython.com
A deductive logic game where you must guess a number based on clues.
View this code at https://nostarch.com/big-book-small-python-projects
A version of this game is featured in the book "Invent Your Own
Computer Games with Python" https://nostarch.com/inventwithpython
Tags: short, game, puzzle"""

import random

NUM_DIGITS = 3
MAX_GUESSES = 10

def main():
  print('''Bagels, a deductive logic game.
By Al Sweigart al@inventwithpython.com

I am thinking of a {}-digit number with no repeated digits
Try to guess what it is. Here are some clues:
When I say:      That means:
  Pico           One digit is correct but in the wrong position.
  Fermi          One digit is correct and in the right position
  Bagels         No digit is correct.

For example, if the secret number was 248 and your guess was 843, the
clues would be Fermi Pico.'''.format(NUM_DIGITS))


# If the program is run (instead of imported), run the game:
if __name__ == '__main__':
  main()

Above are the first 26 and last 3 lines of Al's script. It's collapsed so you can look at the code or leave it minimized.

You might be asking "why the last three?" Because those are the ones that actually start the game loop when you python programname.py on the command-line. My process for authoring is to write to a point where I can run the code and it should work, then test and make sure it works before I move on.

One thing I learned from copying in programs from magazines was to test early and test often. So I added those lines to be able to test the printout of those instructions.

Intro Notes

As I added the intro, something stood out.

I'm used to percent-prefixed letters like %s or %d in JavaScript string formatting. Seeing him use {} on line 18 of his code (20 of mine) made me go look this up to understand how and why he used it. I found an article on Python string formatting that helped me understand the how and why of using curly braces. I have a feeling I'll revisit that article and get a deeper understanding of string formatting a few times before I'm done with this book.

The game loop

  while True:
    #This stores the secret number the player needs to guess:
    secretNum = getSecretNum()
    print('I have thought up a number.');
    print(' You have {} guesses to get it.'.format(MAX_GUESSES))

    numGuesses = 1
    while numGuesses <= MAX_GUESSES:
      guess = ''
      #Keep looping until they enter a valid guess
      #Greg's Note: "valid" = 3 digits
      while len(guess) != NUM_DIGITS or not guess.isdecimal():
        print('Guess #{}: '.format(numGuesses))
        guess = input('> ')

      clues = getClues(guess, secretNum);
      print(clues)
      numGuesses += 1

      if guess == secretNum:
        break # they're correct, so break the loop
        # Greg's note: Congrats come in the getClues function
      if numGuesses > MAX_GUESSES:
        print('You ran out of guesses.')
        print('The answer was {}'.format(secretNum))

    # Ask player if they want to play again
    print('Do you want to play again? (yes or no)')
    if not input('> ').lower().startswith('y'):
      break
  print('Thanks for playing!')

Above is the Game Loop, lines 28 - 56 of Al's code, lines 30-?? of mine. Yes, I know the last sample ended at 33, but it also included the final three lines of the whole game, so the code above goes above those.

Game Loop Notes

Reminder: Python has case-sensitive booleans

What was important for me was the reminder that the T in True (a boolean literal) is capitalized in Python, though it isn't in a number of other languages. That caught me up the first few times I tried writing Python. Nice to get an early reminder of it.

Coding conventions prevent bugs

While writing line 34, I accidentally typed numGuesses from line 36 as the variable in the string formatting. But something looked wrong to me. At this point A) numGuesses hadn't been defined and B) the number used there should have been a constant. Since a constant is usually defined in ALL CAPS.

Noticing that caused me to check my code against Al's reference and catch my error moments after I made it (instead of catching it at run time).

Autocompletion FTW

Back when I was copying code from magazines, home PCs didn't have IDEs or text editors with autocompletion; at least not in the Commodore, Tandy, or Apple II systems I got to use. Autocomplete makes this a less arduous process.

This won't run yet

Although the instructions ran without issue, now that the game loop has been added, the code won't run because it calls functions that have not yet been defined. The last part of this will be to define them and then I can test it.

Helper functions... aaand scene.

def getSecretNum():
  # Returns a string made up of NUM_DIGITS unique random digits
  numbers = list('0123456789') #create a list of digits from 0-9
  random.shuffle(numbers) #shuffle them into random order

  # Get the first NUM_DIGITS in the list for the secret number
  secretNum = ''
  for i in range(NUM_DIGITS):
    secretNum += str(numbers[i]);
  return secretNum

def getClues(guess, secretNum):
  #Returns a string with the clues based on the guess
  if guess == secretNum:
    return 'You got it!'

  clues = []

  for i in range(len(guess)):
    if guess[i] == secretNum[i]:
      clues.append('Fermi')
    elif guess[i] in secretNum:
      clues.append('Pico')
  if len(clues) == 0:
    return "Bagels"
  else:
    # sort the clues into alpha order so their position doesn't give info away
    clues.sort()
    # join the clues into a single string
    return ' '.join(clues)


# If the program is run (instead of imported), run the game:
if __name__ == '__main__':
  main()

Above are the helper functions that get called by the game loop, lines 59 - 98 of Al's code, 62-96 of mine. The final three lines of the game reappear.

These functions power the game's important features... picking a secret number and checking your answers against them. Once these are added, I can test my code and play the game.

Helper Functions Notes

Where should you import packages?

One thing that immediately stood out to me was you don't use random anywhere else except the getSecretNum() function. I wondered if it might be better to import it at the top (where it is imported) or in the function.

Apparently it gets cached on the first import so there's no major performance hit if the function runs again. Therefore, for illustrative purposes, you could import it here.

Best practices dictate importing it at the top of the script (as in most languages) so you can see everything you're importing at the very beginning and all packages are globally available. However, that StackOverflow question I linked to did make an interesting point in one of the comments. If this function were not a core function, but only got called in specific instances, that might cause an exception to the rule.

For example if you're running the script on-demand with a service like AWS Lambda, this package is needed only for a function that gets invoked less than 1% of the times it's run, and you're getting billed by execution time and memory used, you might want to only import the package inside that function to improve speed and cost.

Why loop when you can slice?

Lines 69-70 bugged me. I had it in my head that numbers was like a string, and thus wondered why we were iterating through it to create the secret number rather than just lopping off the bit we needed.

But it's not a string. It's an array ("list") of digits that needs to be joined and turned into a string, which could be more compute cycles than the loop which doesn't need to join it and only converts the digits being used.

Wrapping it all up

When all was said and done, I only had two transcription errors. I left off a parentheses after lower in line 58 of the Game Loop section and used square brackets instead of parentheses around NUM_DIGITS on line 69 here in the Helper Functions.

This took longer than I expected for two reasons... 1) I followed butterflies fairly often (for example: looking up information on when to import), and 2) spent some time correcting my mistaken assumptions like a number of questions I had around the numbers list because I was mistaken about its datatype. I didn't blog most of them because they made no sense if it wasn't a string.

Well, knowing just enough to get into trouble got me this far. I'm looking forward to project #2. I'd originally hoped to post these daily, but now it feels like that's overreaching. Perhaps a twice a week or so frequency will be better.

Want to read the next one?

I'll link it in this last section when it drops. But you can also follow me on Twitter or LinkedIn. I may also start livecoding these on Twitch/YouTube/LinkedIn (that's right, baby... simulcasting). Would you watch? Leave a comment below.

Read Python Project #2: The Problem with Birthdays in.

Code Output

K:\MyProjects\PyProj>python 01-bagels.py
Bagels, a deductive logic game.
By Al Sweigart al@inventwithpython.com

I am thinking of a 3-digit number with no repeated digits
Try to guess what it is. Here are some clues:
When I say:      That means:
  Pico           One digit is correct but in the wrong position.
  Fermi          One digit is correct and in the right position
  Bagels         No digit is correct.

For example, if the secret number was 248 and your guess was 843, the
clues would be Fermi Pico.
I have thought up a number.
 You have 10 guesses to get it.
Guess #1:
> 123
Pico
Guess #2:
> 345
Bagels
Guess #3:
> 678
Pico Pico
Guess #4:
> 278
Pico
Guess #5:
> 168
Pico Pico
Guess #6:
> 167
Pico Pico Pico
Guess #7:
> 716
You got it!
Do you want to play again? (yes or no)
> n
Thanks for playing!

5 Tips For Setting Up Local Debugging for Alexa Skills

Greg Bulmash 🥑 — Sat, 20 Jun 2020 20:00:26 +0000

I've been livecoding on my Let My People Code Twitch Channel as I build an Alexa game I'm calling Word Fight. It's sort of like "Rock, Paper, Scissors," in the ease of play, but there's enough complexity that strategy comes in at higher levels.

One thing I've been doing is coding locally using Visual Studio Code (VS Code), then running a local Alexa skill server to test my code. I use ngrok to set up a tunnel, and then use the tunnel URL as my skill endpoint in the Alexa skill configuration.

I can test using the simulator in the Alexa developer console or the simulator functions in the ASK CLI (Alexa Skills Kit Command Line Interface).

What are the benefits of local debugging?

For me, it's just fewer steps. I don't have to deploy to a lambda every time I want to test. I just turn on the VS Code debugger when I want to begin testing, then hit a reload button to update with changes when I make them. And I get a bunch of tracking and error information in the VS Code Debugger console panel, instead of having to dig into my Cloudwatch logs.

For me, that's quicker.

I also developed a local persistence adapter so I can store persistent attributes (values that last between sessions) locally. I don't have to go into S3 every time I want to read or delete the persistent attributes for my user. Essentially, I can do everything I want with one window open and skip a number of steps that slow me down.

Don't try to also manually edit your dialog model. I started trying to tool around with my dialog model in a text editor and broke it.

My five tips for debugging Amazon Alexa skills locally

I won't even count this as a tip: this excellent blog post on debugging Alexa skills locally helped me get started.

And here are some tips from my experience getting it set up and using it.

1: Know your relative paths

The VS Code workspace doesn't need to be the exact folder where all your skill code is. My skill code directory is a couple of levels deep from there. When setting up the debug configuration in VS Code, be sure of the relative path from the workspace root to your debugger script and index.js script. For example, my relative path is ${workspaceFolder}\\repo\\lambda\\local-debugger.js.

This is because I have a number of working folders for graphics, sounds, and JS experiments in my workspace root folder. The actual skill is in the "repo" folder which contains the skill package as a local copy of a GitHub repository.

2: Know your tunneling options

I use ngrok, which I pay for, but there's a free level and you can also use localtunnel for free.

If you're going to use sounds or graphics in your skill, you need to host them. One of the reasons I use ngrok is so I can reserve subdomains and keep them consistent (a paid feature). You can request subdomains with localtunnel, but can't grab an exclusive on them.

3: You may need multiple servers

Since I have sounds and graphics I want to use, I also have http-server installed to set up a separate web server I can launch with my "external content" directory as root. You can set up multiple tunnels via ngrok using an ngrok configuration file, which basically gives you two URLs... one for the skill, one for your content server.

4: Abstract your content locations

Be mindful that the first way to break your code the moment it goes to a test server is to not abstract the paths/URLs to the various files that won't live in the skill package itself. I'm having to go back and turn hardcoded links into variables that will be correctly set for my dev, test, and prod environments.

Think of it like localization, but instead of localizing UI strings for spoken languages, you're localizing paths for runtime environments.

5: Level up your error info

Some of the Alexa Samples, like the Node.js first skill tutorial will have an ErrorHandler function that gives you the error message, but no other information:

console.log(`~~~~ Error handled: ${error.message}`);

Where in the code did it happen? That can be frustrating. In the Hello World sample, it has this:

console.log(`~~~~ Error handled: ${JSON.stringify(error)}`);

But in the local debugger, it stringifies the error object to {}, so that's not too helpful either.

There are two good ways to deal with this. In the debugging settings of VS Code, set a breakpoint on all exceptions and go through them for lots of data. Or a more simple option is to put this in the error handler:

    console.log(`~~~~ Error handled: ${error.message}`);
    console.dir(error);

Then in the debug console, you can expand the error object to see more info.

Thanks for reading

If you've got some good tips for using a local debugger when crafting Alexa custom skills, please share in the comments. I might share them on the Let My People Code Twitch Channel and credit you.

Clone ALL Github repos for a user on Windows

Greg Bulmash 🥑 — Fri, 24 Apr 2020 19:45:20 +0000

Recently I had to do this, found a shell script that cloned all repositories matching a search query, and edited it to meet my purposes.

You’ll need

A working installation of Git with GitBash.
A copy of jq in a directory that’s in your path (or in the directory where you’re running the script)
Git set up to work with SSH. Alternatively, you might want to try changing “ssh_url” below to “clone_url” and that should pull the https link.
An approximate count of the number of repos you’ll be cloning. Set the end of the loop in the first line to that number divided by 100, rounded up to the next whole number. For example, I had a little over 100 public repos to clone, so my loop is 1..2.

The Script

for i in {1..2}
  do curl "https://api.github.com/users/[your user name]/repos?per\_page=100&page=$i" \ | jq -r '.[].ssh\_url' >> urls.txtdonecat urls.txt | xargs -P8 -L1 git clone

Then just run the script in GitBash. sh [scriptname]

And that did it for me. Hope it helps.

Programmer Bedtime Stories: The Recursed Army

Greg Bulmash 🥑 — Thu, 14 Nov 2019 18:48:44 +0000

This fairy tale has it all... soldiers, yak-shaving, over-optimization, and recursion.

Pixel 4: Three Tips from My First 36 Hours

Greg Bulmash 🥑 — Fri, 25 Oct 2019 17:27:28 +0000

After some trouble getting my number swapped over from my old phone to my new one, I settled into enjoying my new Pixel 4.

But I didn’t. As much as I hated Bixby and a number of other crapware features on my Samsung phone, I’d gotten used to the UI. Getting used to the Android 10 UI and how I had to navigate through it was a bit painful. But after a little research, I added the Nova launcher and felt like I had more control over my experience.

Tip 1: Add a Launcher

I don’t fear or hate change, but settling into a new routine with a new UI is difficult. I’d built up years of muscle memory and habit to move my fingers in certain ways to do certain things. Now when I did that, I got the wrong results. It was frustrating. Adding a custom launcher helped me put things where I wanted them and reduce the “friction” between what my hands wanted to do and how the phone wanted to respond.

As I noted, I added Nova. A friend of mine swears by the Microsoft launcher for Android (yeah, it’s a thing) and he’s not even a Microsoft employee.

Tip 2: Facial Recognition != Fingerprint Recognition

If you’re thinking of upgrading right now, you will fall victim to an early-adopter issue. Lots of apps that let your log-in or activate them with your fingerprint are NOT capable of using facial recognition the same way. It’s a different API. So it’s going to be a slow and painful wait to get to parity as different apps start adding that capability. Until then… it’s back to passwords…

No fingerprint sensor in the Pixel 4 means all the apps/services that supported fingerprint-based login now require typed passwords again.

Shittiest Throwback Thursday Ever.@Google #Pixel4

— Greg Bulmash (@YiddishNinja) October 25, 2019

At least some of the earliest adopters of facial unlock appear to be popular password managers.

Tip 3: Advanced Display Settings Are Your Friend

I also sort of found it disconcerting to pick up my phone and have the lock screen disappear. I like my lock screen. I use it as a pocket watch of sorts. Back when I had fingerprint unlocking, I could look at my lock screen, get what I needed, and then put the phone away. Here are two tips.

Display Settings -> Advanced Display Settings -> Lock Screen Display make sure “Skip lock screen” is off and “Show lockdown option” is on.

The first makes sure you can look at your lock screen and see just the time and alerts without going right back into the main UI.

The second allows you to do a long-press on the power button and select a “lockdown” option. When you do that, face unlock is disabled until you enter your PIN/password. This is good for any time you think someone might use the face unlock against your will. I still think face unlocks should have a “panic expression” which initiates lockdown.

“Team America World Police” – panic signal

That’s all for now, more as I make this phone my daily driver and get used to using it. Got any tips of your own? Add them in the comments!