Why Would You Do That?

I was listening to someone at Microsoft talk about their product recently. I can’t disclose which one it was, but lots of people use this product and are impacted by changes. The particular thing that caught my attention was that the presenter noted there was a breaking change in the new version for some people. This wasn’t a huge change or one that would affect a lot of people, but it was a breaking change for a few.

Another attendee asked this question: I would tend to do xxx instead of what you showed, so why would you do this?

It wasn’t an antagonistic question, but more curiosity. However, it was a good question since any changes that cause breakage can be disruptive to other people. The thing I noticed was that the questioner’s frame of reference was completely different from the presenter’s. The questioner couldn’t imagine writing code in this way.

As I work with more and more customers, I find that many of them get tunnel vision in that they approach their work or code in one of a few ways and don’t think widely about other approaches. In general, I think that’s a good way to work as we ought to use patterns and avoid anti-patterns in our work. The more we all code in a similar structure and style with the same patterns, the easier it is for any person to maintain the codebase (or infrastructure).

Of course, we have to be willing to add new patterns when we find them and drop older patterns that no longer work (and perhaps refactor the code). That’s another hard thing for humans to do. We rarely want to let go of patterns and who has time for refactoring?

At Microsoft, they have to consider lots of different ways to look at code. I saw a while back one of them writing that building Windows was like ordering pizza for a billion people. You’ll never get it perfect and someone will always be upset. I get that. I couldn’t imagine making changes to something like Windows, where every little thing upsets some group of people and sometimes those are a very loud minority.

Many of us approach the world in similar ways, and we can appreciate or understand small differences. When we meet someone who sees things very differently, then it becomes hard to reconcile their view with our own. In code, this often means we want to use different patterns than others, which creates a less maintainable codebase.

Communication continues to be one of the hardest parts of building software (and most endeavors). Part of our communication should be to try and understand others’ points of view, get them to understand ours, and come to a shared understanding of how to approach problems. That shared understanding is what helps us build better teams.

Steve Jones

Listen to the podcast at Libsyn, Spotify, or iTunes.

Note, podcasts are only available for a limited time online.


Monday Monitor Tips: Am I Patched?

One of the things that I think is neat is that Redgate Monitor helps you track patching on your systems. This is something that has been challenging in every position I’ve had, with some systems being forgotten or remaining unpatched for too long.

This post looks at how you track patches and versions.

This is part of a series of posts on Redgate Monitor.

The Challenges of An Estate

There are two aspects to tracking your systems: the version and the patch level. Microsoft releases versions periodically and unless you’re in the cloud with a PaaS service, you may or may not have just one version of your database platform. Azure SQL Database is evergreen and updates every quarter or so.

If you install SQL Server 2016, unless you upgrade, it stays at 2016.

The second part is the patch level. SQL Server 2016 has had 3 service packs, multiple CUs in between those, and a few post-SP3 security patches this year (2024). Are you up to date?

It’s a good question since you might be vulnerable to issues, and you certainly can be out of compliance with auditors if you aren’t patched.

What Systems Are Behind?

The estate tab has a versions page, in which we list the installed versions of SQL Server. I hope PostgreSQL is coming soon as well (and others). Here is the overview, where you can see this estate spans SQL Server 2008 R2 to 2022, and includes the cloud.

[Screenshot 2024-11_0251: versions overview]

This helps me with upgrades, as I can see which systems might be old and in need of an upgrade plan. I can filter at the top for different groups, tags, etc., but I can see what I have, and I get quick links to the current patch.

Below this, I have details. Here is where I can dive down to individual groups and systems to see if they are patched, how long ago the last patch was released, and the end of support.

[Screenshot 2024-11_0252: patch details by group and system]

This is a good way for me to see at a glance how patched I am. The yellow up arrows mean I need to patch. The green check mark means I am patched.

This is a good view so you can tell how out of date you are. It’s one thing if there are patches released within the last month and not applied. It’s another thing when you have systems that are months or years out of date.

Using This Data

This isn’t something I’d check every day or week, but I would set reminders to have this monitored monthly and have plans in place to get patched. While lots of patches might not affect security, they often do affect support if you need it, and certainly these affect compliance and auditing.

Even if no one audits you, if you have an issue and you aren’t patched, someone will use that as an excuse to blame you in some way. Get patched, at least within 60 days if not 30.

BTW, this data is maintained by Redgate and updated as patches are released. Redgate Monitor downloads a file that populates the latest patches for each version. If your Redgate Monitor Base Monitor cannot reach the Internet, you can update this yourself by downloading this file and copying it to your system.
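To make the checks described above concrete (is the installed build current, how long has the missing patch been available, has the version left support, and is the instance past the 60-day mark), here is an added Python example. It is not Redgate Monitor's code or its patch file; the reference table, build numbers, release dates and end-of-support dates in it are constructed sample values, not real SQL Server builds.

```python
from datetime import date

# Constructed reference data standing in for the patch list Redgate Monitor
# downloads: per version line, the latest build, its release date and the
# end-of-support date. Sample values for illustration, not real build numbers.
REFERENCE = {
    (10, 50): {"name": "2008 R2", "latest": (10, 50, 6000, 34), "released": date(2019, 6, 1), "eos": date(2019, 7, 9)},
    (13, 0): {"name": "2016", "latest": (13, 0, 6500, 1), "released": date(2024, 9, 10), "eos": date(2026, 7, 14)},
    (15, 0): {"name": "2019", "latest": (15, 0, 4400, 3), "released": date(2024, 11, 12), "eos": date(2030, 1, 8)},
    (16, 0): {"name": "2022", "latest": (16, 0, 4150, 1), "released": date(2024, 11, 12), "eos": date(2033, 1, 11)},
}
OVERDUE_DAYS = 60  # the post's "get patched at least within 60 days" rule
URGENCY = ["out of support", "overdue", "needs patching", "unknown version", "patched"]

def parse_build(product_version):
    """Turn a SERVERPROPERTY('ProductVersion') string such as '13.0.6300.2' into
    a tuple of four ints so builds compare numerically, not as strings."""
    parts = tuple(int(p) for p in product_version.split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected ProductVersion: {product_version!r}")
    return parts

def assess(instance, product_version, today, reference=REFERENCE):
    """Classify one instance the way the Monitor page colours it: green check
    (patched), yellow arrow (needs patching / overdue), or out of support."""
    build = parse_build(product_version)
    ref = reference.get(build[:2])  # major.minor identifies the version line (10.50 = 2008 R2)
    row = {"instance": instance, "build": product_version, "version": ref["name"] if ref else "unknown"}
    if ref is None:
        row["status"] = "unknown version"
    elif today > ref["eos"]:
        row["status"] = "out of support"  # no patch fixes this; it needs an upgrade plan
    elif build >= ref["latest"]:
        row["status"] = "patched"
    else:
        lag = (today - ref["released"]).days  # how long the missing patch has been out
        row["days_since_latest_patch"] = lag
        row["status"] = "overdue" if lag > OVERDUE_DAYS else "needs patching"
    return row

def estate_report(instances, today, reference=REFERENCE):
    """Assess a whole estate and return rows sorted most urgent first."""
    rows = [assess(name, ver, today, reference) for name, ver in instances]
    return sorted(rows, key=lambda r: URGENCY.index(r["status"]))

if __name__ == "__main__":
    # Constructed sample estate: (instance name, ProductVersion reported by the server)
    estate = [("SQL16-PROD", "13.0.6435.1"), ("SQL19-DEV", "15.0.4400.3"), ("SQL08R2-LEGACY", "10.50.6000.34")]
    for r in estate_report(estate, date(2024, 12, 1)):
        print(r)
```

In a real estate you would feed it the ProductVersion each instance reports and a reference table built from the patch file the post mentions, and run it on the monthly review the post recommends.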

Summary

This short post highlighted what data you get about versions and patches, and my recommendation, which is to review this monthly.

Having Redgate Monitor keep all this for you is nice and helps you keep a healthy, up-to-date estate.

Redgate Monitor is a world class monitoring solution for your database estate. Download a trial today and see how it can help you manage your estate more efficiently.


The Pervasive Nature of Open Source

This week there was a headline that said “Open Source Software Powers 96% of Modern Applications, New Study Finds” and if you stopped reading there, you might think, hey, it’s not in the apps I work on. Or you might think that because you use OSS software, most of the world also does. Microsoft, Oracle, etc. are headed for disaster.

If you read a little further, there’s this gem: Open source components are present in 96% of codebases. That’s a far cry from OSS powering most modern applications. I think a better headline might be that OSS helps build most modern software. However, this isn’t an editorial on bad journalism.

I do think OSS stuff is amazing. Many of us in the Microsoft Data Platform space use sp_whoisactive or the First Responder Kit or Diagnostic Queries or some other OSS in our work. Lots of commercial products are built with OSS libraries or components, or there are free versions. Flyway (from Redgate) has an OSS version. OSS helps us build better software, though commercial packages also help.

One of the interesting things about OSS is that many very popular projects have just a few people maintaining them. If those 1 or 2 people disappear, then the project might stagnate. Or worse, if there are security issues, no one addresses them. One of the main attractions of OSS is that anyone can provide a fix or enhancement, but the reality is that most people don’t. Most people just use whatever is out there.

And most people rarely upgrade their OSS. They get something that works and don’t want to change. I get that, as I feel the same way often, especially in the real world. I have shoes, gadgets, tires, etc. that work and I don’t want to change. In the software world, this creates vulnerabilities and security issues, as the report shows with many people still using Python 2. I both understand and don’t understand why this is the case, but I do worry about security.

The other concern is that few people review changes to OSS packages, which has led to previous supply chain attacks with backdoors or vulnerabilities introduced in packages that many other software developers use. Again, OSS is supposed to be better than closed software at preventing this, but the reality is that most (the vast majority) of us are just too busy to look for issues. Even when vulnerabilities are published, far too few developers see the information. Automated scans in CI/CD systems are great, but again, too few people add these to CI/CD pipelines consistently.

Software is hard. In some sense, I’m glad databases don’t have external compilers or use anything other than raw code, but plenty of people still write SQL Injection vulnerabilities in their functions and stored procedures, and many don’t have good visibility into the code that is submitted to their databases, often because the code is assembled at runtime. I wish more people just used stored procedures and included more testing and vulnerability scanning, but that’s a dream. For now, I suggest most of you develop patterns your staff can use and stick with them.

And use version control. At least then we can find all the old, bad code and fix it with some search and replace.

Steve Jones


Big Queries, Big Money

I had been meaning to post this, so as I finished a piece that referenced this, I decided to post the picture. This was from Small Data SF, where the opening keynote referenced the Google BigQuery demo of a 1PB database.

Here was the slide shown later in the talk.

[Slide image 2024-12_0187: BigQuery 1PB demo query]

The thing the demo didn’t explain was that the query cost $5,580. The conclusion: big data is just too expensive to query often.
