Open Source 2026 Notes

Everything You Learned about TLS is Deprecated: New SSL

Todd Gardner (CertKit, Founder)

• RSA: acronym for Rivest, Shamir, and Aldeman (founders of RSA security)
  • RSA, key exchange
  • RSA, cert key
  • RSA, signature algorithm
  • RSA, the company

TLS Before ~2013:

• Domain Validation - proves you control the domain.
• Organization Validation - CA "verifies" your org exists.
• Extended Validation - Green banner with company name
• Same encryption for all levels of validation.

Certificates

• CA/Browser Forum
  • Self-regulating body of CAs and browser vendors
  • Baseline requirements: rulebook for CAs to be in browsers.
  • Pay CA, cert valid for 5 years
  • Basically a protection racket.
• In 2011, DigiNotar was completely compromised.
  • Issued rogue certificate for Google.com in Iran
  • Hacked by unpatched software, internet-exposed internal services, and default passwords.
  • They had passed their security audits.
• In 2013, Snowden happened.
  • Raw data collected from commercial partners
  • Extracted raw data from fiber-optic cables
  • "Harvest now, decrypt later" philosophy was followed.
  • NSA got decryption keys via coercion or collaboration.
• Perfect Forward Secrecy
  • Cert still proves identity.
  • Encryption uses ephemeral (one-time) keys (using Diffie-Helman).
• Google: stop trusting audits, start logging.
• Certificate Transparency:
  • Public, append-only log of issued certificates.
• wget certkit.io/tools/ct-logs/?example.com -> Todd's company.

Encryption

• 2005: SHA-1 was shown to not be collision free.
• 2015: "The SHAppening" - freestart collision.
• 2017: CWI & Google: "SHAttered" - full collision.
• 2014: Heartblead: buffer overflow in OpenSSL
  • Sites with PFS: "our key may have leaked, but pas sessions are safe."
  • Without PFS: "assume everything is compromised"
  • Hundreds of thousands of certs needed to be revoked, infra coulnd't handle it.
• CRL: Certificate Revocation List -> grew huge, slow, stale, and almost no one looked at them.
• 1999: OCSP: Online Certificate Status Protocol -> poor reliability, privacy, considered optional, leaks entire browser history through calls to OCSP.
• 2003: OCSP Stapling: hard to implement.
• 2012: Chrome drops OCSP: "seat belts that snap in a crash".
• 2015: Let's Encrypt: Free, atuomated CA, and a automated certificate issuance protocol.
  • ACME: the protocol
  • Let's Encrypt: the CA.
  • Free Certs, short lifetime (90d), fully automated.
  • Other CA's: enterprises can't handle automation.
• 2017: Google proposes 1 year cert lifetimes.
  • Symantec was caught issuing unauthorized certs, including google.com.
  • Submitted audits from unlicensed auditors, more than 30,000 miss-issued certs.
• 2018: Bygone SSL: domains change hands, certificates don't.
  • 1.5m domains with certs owned by someone else.
  • 45-day certs would reduce takeover by 95%.
• 2019: EV Death: nobody checks the company name, so not secure, so DV, EV, OV went away.
• 2020: CA/Browser Forum: Apple announces certs no longer trusted over 398 days.
• ACME became an IETF standard
• Cert lifetimes:
  • 2026: shortened to 200 days
  • 2027: shortened to 100 days
  • 2029: shortened to 47 days
  • ...
  • Cert authorities must handle distributing fast-changing certs.
• certkit.io: a certificate lifetime manager.
• Quantum computing is expected to break Diffie-Hellman.
  • PFS might not be so perfect anymore.
  • NSA might break traffic with Quantum computing.
  • Post-quantum cryptography is coming.

Earning Trust One Metric at a Time

Shaun Jurgemeyer, Ewan Ng, rbauction.com, ritchiebros.com

• Symptoms of Broken Data Platform
  • Stakeholders building shadow spreadsheets
  • Sprawl of one-off reports
  • analysts reconciling instead of analyzing
• Data plumber problem
  • No official definitions
  • Multiple sources of truth
  • No consistent tooling
  • Legacy systems onboarded and never revisited
  • No data governance
• Enabling clarity with semantic views
  • "Semantic": getting the definition that works for the business.
  • "Ontology": a map of your business domain.
• Semantic Modeling:
  • Shared meaning
  • Reuse over rework
  • Built-in governance
  • Foundation for AI
  • Types:
    • Knowledge Graphs
    • Governed Metrics; definitions written once, not copy-pasted into every dashboard or query.
    • Ontologies
    • Metadata Model

Business ontology

A formal description of the entities, attributes, and relationships that make up a business ― the shared vocabulary.

• Describes the business, not any particular system or table. Definitions persist when the tech evolves.
• Captures relationships.
• Shared vocabulary.
• Why it matters:
  • Terminology based on business definition.
  • Shared vocabulary across all domains.
  • Foundation for every metric downstream.
  • Business and data speak the same language.
• Building an Ontology:
  • Engage with business owners.
  • Mine existing docs using AI tools.
  • Produce a structured strawman (ed: plant a flag in the ground)
    • The output is a first-cut ontology ― not a source of truth, but something concrete for business owners to react to. A blank page produces nothing, but a strawman produces a working session.
• Publishing the data matters as much as defining it.
  • End users need definitions in the moment.
  • Discovery is part of governance.
  • The catalog has to be accessible to everyone.
• Define once, reuse everywhere.
• How do you know it's working?
  • Quantitative: certified content adoption, decline in ad-hoc report requests.
  • Qualitative: stakeholder confidence in reviews, analysts shifting from reconciling to analyzing.

Four Principles of Governance

• Trust earned in small, consistent decisions, not big launches
• Governance is a service, not a gate.
• Semantic layer is where the business and the data meet.
• Start with metric definitions. The technology follows.

3 Questions to Ask

• Have you defined what your core business terms actually mean?
• Can your end users find the governed definition without asking IT?
• Does your data team understand the business meaning of what they're building?

Small Language Models

Kelly Calendine (Genesis10), Chike Okonta (Health Partners)

• Task-Specific AI Models
  • Contextualized, reliable, and cost-effective
  • Latency matters
• SLM:
  • Typically 1M to 10B parameters
  • Able oto run in environments where compute and memory is limited
  • Inference efficiency (cents per 1M tokens)
  • Specialized intelligence in a specific domain
  • Accessible - lowers the abrrier for researchers and developers to experiment with
  • Factual trade-off - smaller sizes might be better at reasoning, but have reduced capacity for retaining broad, trivia-based knowledge.
• LLM:
  • LLM: 70B to 1T parameters
  • Dollars per 1M tokens

SLM flow:

flowChart LR

LM --> Controller --> t1[Tool #1]
Controller --> t2[Tool #2]

Shrinking Models

• Distillation
  • Training a smaller model to mimic behavior of larger model.
• Quantization
  • Reducing numerical precision of weights.
• Neural Pruning
  • Removing redundant pathways that contribute minimally to model's final predictions.
• Mixture of Experts
  • Activating only a specific subset of parameters during inference to minimize latency and energy consumption.

See: TurboQuant, gemma4

Duplicating Layers

• LLM Neuroanatomy: Topping the LLM leaderboard without changing a single weight.
• Duplicating middle layers increases curve fitting?

Agentic AI Tools

• Helios: EVTOL command center
• Finocurve
• Node enterprise/Dynamic Agent Network
• Synescura
• A2A - "MCP for agents", standardizes communication between agents

Challenges

• Bias, generaliation: SLM's can inherit and amplify biases from larger teacher models
• Adversarial Robustness: more prone to errors when faced with ambiguous scenarios or adversarial inputs.
• Increased hallucination.

Real-World Applications

• Predictive maintenance
• Vehicle nav
• Content summarization

From Vibe Coding to AI DLC

Paul Delaria, John Husemoller, AWS Solution Architects

• Your own chief of staff?
• They've shortened their architecture problem solving time from 2w to 2.5h.
• Context is king, as always for LM's.
• Kiro - AWS AI IDE.
• Don't get attached to outputs?
• Share skills for interviews and such.

AI-DLC

DLC: "Development Lifecycle" (without the software? :D)

• AI orchestrates development.
• AI DLC Steps:
  • Mob Elaboration
    • Build context on exxisting code
    • Elaborate intent with user stories
    • Plan units of work
  • Mob Construction
  • CI/CD

Building your own MCP server

Isaac Johnson, Sr. Staff Cloud Architect, Abbot

• Skills vs. MCP servers
• Skills:
  • Minimize context (fewer tokens)
  • Can sym link
  • Must be local
  • Detailed instructions
  • Can run code
• MCP Servers:
  • Full context (more tokens)
  • Support secrets
  • Can use docker
  • Can be remote
  • Can control access
  • Can access private data
  • Can run over HTTP or STDIO

Making an App With AI

• Use Figma or Stitch to create a DESIGN.md app
• Use CI/CD
• Use Harbor to scan for High CVEs
• Chainguard Images - open source hardened images

Building an MCP server

• Use FastMCP
• MCP Inspector - useful for testing and browsing MCP server APIs
• Use skills to easily interact with MCP server

Women in AI - Building for Social Good

Jena Zangs, Esse Komlanvi, and Shannon Seaver

• Nuse: AI-driven financial access in the user's native language.
• Women Build the Future: platform for women presenting at tech conferences.

Building Your Own Socially-Driven Project

• Ideating with chatbots as always.
• Dedicate 30m to every day and see if momentum is sustained.
• Most expensive models don't always give the best results.

Panel Discussion

• Chatbots lower the expertise barrier.
• Low-resource communities' voices are still missing from AI built systems.
• K12 children are being told they can't use AI, but they're told they'll be replaced by AI as well.
• Most dangerous phrases in AI today: "We will fix it later", "AI will take your job", "AI can't be used for good."
• Dealing with parent emails via AI is useful for separating emotionally from angry parent emails.
• Notebook LLM is really useful for note taking.
• How to avoid "offloading" when students are learning with AI?
  • Should we rethink what's important in school?
  • Better to have the teacher's introduce it and teach its flaws.
  • Writing with precision is really important, writing by hand is really important.

April 3rd, 2026

New Picture of Home

Artemis II is already sending back beautiful images of home. When seeing this, although the picture is a much larger of our Earth than the "pale blue dot" seen from Saturn, I'm reminded of Carl Sagan's essay on Earth:

Look again at that dot. That's here. That's home. That's us. On it everyone you love, everyone you know, everyone you ever heard of, every human being who ever was, lived out their lives. The aggregate of our joy and suffering, thousands of confident religions, ideologies, and economic doctrines, every hunter and forager, every hero and coward, every creator and destroyer of civilization, every king and peasant, every young couple in love, every mother and father, hopeful child, inventor and explorer, every teacher of morals, every corrupt politician, every "superstar," every "supreme leader," every saint and sinner in the history of our species lived there--on a mote of dust suspended in a sunbeam.

The Earth is a very small stage in a vast cosmic arena. Think of the rivers of blood spilled by all those generals and emperors so that, in glory and triumph, they could become the momentary masters of a fraction of a dot. Think of the endless cruelties visited by the inhabitants of one corner of this pixel on the scarcely distinguishable inhabitants of some other corner, how frequent their misunderstandings, how eager they are to kill one another, how fervent their hatreds.

Our posturings, our imagined self-importance, the delusion that we have some privileged position in the Universe, are challenged by this point of pale light. Our planet is a lonely speck in the great enveloping cosmic dark. In our obscurity, in all this vastness, there is no hint that help will come from elsewhere to save us from ourselves.

The Earth is the only world known so far to harbor life. There is nowhere else, at least in the near future, to which our species could migrate. Visit, yes. Settle, not yet. Like it or not, for the moment the Earth is where we make our stand.

It has been said that astronomy is a humbling and character-building experience. There is perhaps no better demonstration of the folly of human conceits than this distant image of our tiny world. To me, it underscores our responsibility to deal more kindly with one another, and to preserve and cherish the pale blue dot, the only home we've ever known.

— Carl Sagan, Pale Blue Dot, 1994

Source: Hello, World - Nasa

Events as state or events as notifications?

Much less interestingly, I came across a post on LinkedIn that perfectly crystallizes a difference I've been struggling to define between event sources and event busses: events as state vs. events as notifications https://www.linkedin.com/posts/dcomartin_the-term-event-driven-architecture-has-activity-7444866038204125184-QJ5J

March 30th, 2026

Combining Handheld and TV views

In my eternal "wood-carving" project, project blue, I am now attempting to whittle my two root view application (one for TV and one for handhelds) down into one view: the view will automatically assume the split-screen "Browser"/"Now Playing" view when the canvas is wider than it is tall; otherwise, it will still be split, but the Browser and the Now Playing view will be two pages that you swipe between. I'm hopeful that this brings the entire design into one single design that is easier to maintain and use. My plan so far.

March 8th, 2026

When Cory Doctorow speaks of AI, he usually uses a "centaur" metaphor, split into two separate concepts: the "centaur", where the human is assisted by the machine, and the "reverse centaur", where the human has to help the machine. The "centaur" is preferable; a machine helping us do our jobs is the entire point of these things.

Code review is one such case where a language model is a useful tool that assists the human instead of demanding the human help it. Deepseek r1:14b hits a sweet spot for me ― useful feedback that runs quickly on a local GPU with 12GB of ram. I've also found that if the changes are so large that it starts spitting out nonsense, then that probably means that the changes in the commit are too large in the first place!

Keep this quote in your back-pocket

Programs must be written for people to read, and only incidentally for machines to execute.

Harold Abelson, Structure and Interpretation of Computer Programs

Easy Delegation with a C# Source Generators Library

In my last post I posted a wish list for C# that would make program construction easier. One of these was easy implementation of delegation, or in other words, Composition over Inheritance; that is the ability to automagically do this:

interface IAccess
{
    Task<Value> GetValue();

    Task SetValue(Value value);
}

class NetworkAccess(HttpClient httpClient) : IAccess
{
    public async Task<Value> GetValue()
    {
        var response = await httpClient.GetJson<Value>();
        return response;
    }

    public async Task SetValue(Value value)
    {
        var response = await httpClient.PostJson(value);
    }
}

class CachedAccess(ICache cache, IAccess innerAccess) : IAccess
{
    public async Task<Value> GetValue()
    {
        var response = await innerAccess.GetValue();
        await cache.SetValue(response);
        return response;
    }

    public Task SetValue(Value value)
    {
        return inner.SetValue();
    }
}

Well, after I got over the flu this Christmas, I began looking in anger at how to build source generators for C#, with the hope that I could make something like this reality. Using Decorator Generator as a base (which was very close to what I wanted - but I wanted less configuration), I created TypeAdoption, which auto-wires up inner implementations using an [Adopt] attribute. So taking the above example, you can do this:

interface IAccess
{
    Task<Value> GetValue();

    Task SetValue(Value value);
}

class NetworkAccess(HttpClient httpClient) : IAccess
{
    public async Task<Value> GetValue()
    {
        var response = await httpClient.GetJson<Value>();
        return response;
    }

    public async Task SetValue(Value value)
    {
        var response = await httpClient.PostJson(value);
    }
}

// The class needs to be partial
partial class CachedAccess(ICache cache, IAccess innerAccess)
{
    [Adopt]
    private readonly IAccess _inner = innerAccess;

    public async Task<Value> GetValue()
    {
        var response = await _inner.GetValue();
        await cache.SetValue(response);
        return response;
    }
}

This will generate this implementation of IAccess:

partial class CachedAccess : IAccess
{
    public Task SetValue(Value value)
    {
        return _inner.SetValue();
    }
}

Note that GetValue has no auto-generated implementation, since it was implemented in the actual class. This can also be useful for choosing between multiple implementations. For example, say there is another interface that has SetValue with the same signature, and both are adopted, then you'll now have to determine how SetValue works:

interface ICache
{
    public bool IsCached();

    public Value Value { get; }

    public Task SetValue(Value value);
}

partial class CachedAccess(ICache cache, IAccess innerAccess)
{
    [Adopt]
    private readonly ICache _cache = cache;

    [Adopt]
    private readonly IAccess _inner = innerAccess;

    public async Task<Value> GetValue()
    {
        // ICache memebers now available as first-class members of the class.
        if (IsCached())
            return Value;

        var response = await _inner.GetValue();
        // Still just want to go directly to cache for this usage of SetValue()
        await _cache.SetValue(key, response);
        return response;
    }

    public async Task SetValue(Value value)
    {
        // Set both inner values - set the network access first, once that succeeds, cache the value.
        await _inner.SetValue(value);
        await _cache.SetValue(value);
    }
}

Using these contrived examples, one can imagine how it would extend to interfaces with many members; perhaps you are using Refit to implement an extensive API, and a few methods need manual intervention: manually implement those methods and delegate the remaining members to the Refit implementation!

Again, the library is called TypeAdoption, and it's already available on NuGet.

My Ideal C#-Like Language

Some of these ideas could live with the current language, some would be drastic changes.

An on keyword for use after an await statement

To make it trivial to switch your synchronization context, an on keyword. Usage:

var updatedValue = await service.GetValue() on UiSynchronizationContext;

I first had this idea in 2022 so I've been on this one for a while.

Easy Implementation of Delegation

If you've been doing this programming thing for a while, you've likely come across the idea of composition over inheritance, that is, prefer delegating implementation to another type instead of inheriting it from a sub-type. Kotlin provides this capability with the by keyword, which seems fine to me. In C#:

interface IAccess
{
    Task<Value> GetValue();

    Task SetValue(Value value);
}

class NetworkAccess(HttpClient httpClient) : IAccess
{
    public Task<Value> GetValue()
    {
        var response = await httpClient.GetJson<Value>();
        return response;
    }

    public Task SetValue(Value value)
    {
        var response = await httpClient.PostJson(value);
    }
}

class CachedAccess(ICache cache, IAccess innerAccess) : IAccess by innerAccess
{
    public Task<Value> GetValue()
    {
        var response = await innerAccess.GetValue();
        cache.Set(key, response);
        return response;
    }

    // SetValue is automatically delegated to innerAccess...
}

Even better would be if we could have automatic decoration. This is a tougher one, how do we handle the infinite number of method combinations? Maybe visitors are a way?

Public Methods Async By Default

In the spirit of more extensive language additions, all public methods should be async by default. A developer should always assume that public methods don't complete immediately. A developer has to instead declare a method sync to state that the method executes immediately. Example:

interface IAccess {
    Value GetValue();
    sync Value GetValueImmediately();
}

var value = await access.GetValue();
var value = access.GetValueImmediately();

What I like about this idea is that method "coloring" works in reverse: the writer of a method has to instead say "this method executes immediately with no I/O access, no computations on another thread", since in the real world, all operations execute asynchronously. One consequence of this idea is that the Task type is hidden, and I do not like hiding "magic" too much, so this definitely has its flaws. Maybe the underlying Task/Promise could be exposed via reflection?

Public Properties Observable By Default

This is another thing that Kotlin/Jetpack Compose sort of has with Mutable State and snapshotFlow, but since it's not a default, you have to kind of guess whether a property is observable or not. In my new language I propose that properties are observable by default. The properties wouldn't need be an IObservable and take on all the baggage of that type, they could just implement IAsyncEnumerable. Example:

class Person {
    public string Name { get; set; }
}

var person = new Person();

var updateNameTask = Task.Run(() => {
    person.Name = "Bob";
    person.Name = "David";
});

await foreach (var name in person.Name)
{
    // Prints "Name: Bob" and then "Name: David"
    Console.WriteLine($"Name: {name}");
}

await updateNameTask;

But you should also just be able to read the current value (see the Interaction State primitive), so you should also be to just call it like a normal property:

class Person {
    public string Name { get; set; } = "John";
}

var person = new Person();
// Prints "John"
Console.WriteLine($"Name: {person.Name}");

Lenovo Slim 7 Pro-X Troubleshooting

USB-C Ports Not Recognizing Devices

If the USB-C ports are not recognizing devices — only accepting power delivery, or nothing at all — then try turning the device off, holding the power button for at least 30 seconds (you should see a power cycle on the screen), and trying again.

November 8th, 2025

If it can't be automated, then it's not a quality control process, it's just somebody's opinion of what quality is.

Against Object Pools

Do not use object pools in your library

Instead expose an interface for applications to implement their own object pools, such as:

interface Lender<T>
{
    T borrow();
    return(T obj);
}

Why? By definition, an object pool is a leaky abstraction. Quite literally, an object pool holds onto memory once it has allocated it (usually). This means users of your library will need to know about your library's object pools when chasing down a memory leak. However, that is not to say that object pools are bad, they can play a crucial role in reducing allocation times, and help with garbage collection overhead. But whether this optimization is worth the trade-off can only be known at the application level.

Open Source 2025 Notes

Throwback Thursday: Old School Optimization Using Newfangled Machine Learning

Linear Programming

• "Programming" in the sense of scheduling.
• Inequalities carve out regions of space. These are called "constraints".
• Objective function: goal we are trying to maximize.

Linear Optimization Facts

• Solvable when bounded.
• Min-Max duality.
  • As an example - RPGs: Max strength == min weakness
• Deterministic - guarantees best answer given the input. Is susceptible to garbage input.

When to use

• Making the best choice out of many available while satisfying constraints.
  • Resource allocation.
  • Matching.
  • Routing problems.
  • Inventory decisions.
• Best fit for batch decisions under constraints.

Expected Outcomes

• Better use of resources.
• Stable operations planning.
  • Better inventory management

Pros of Linear Programming

• Measured risk, explainable, and respects your contraints. Can be built quickly with a small team.
• Plays nice with forecasted values: making best prediction with the data available.
• Any vertex of the feasible region has a cone of normal vectors where it is the optimal solution.
• Strength of forecast affects the feasible region.

How to Make One?

• Pyomo functions like an ORM for interfacing with solvers.
• CBC (COIN-OR Branch Cut) to solve.

React at Work Post-Create-React-App

• Provided testing, bundling, and a dev server built-in.
• "Kill it with Fire" book looks interesting.
• Create React App officially deprecated in February 2025.
  • React 19 doesn't work well with it.
  • React is slowly becoming its own framework instead of just acting as a component in a bring-your-own-framework model.

Alternatives

Next.js

Cons:

• Tight coupling of backend and frontend.
• Built-in server runtime.

Remix

• Also tightly coupled.
• Gnarly nested routing structure.

Bun

• Really fast bundler.
• Too much magic.
• Incomplete ecosystem compatibility.

Vite

• Fast, flexible, and friendly.
• Pretty easy to migrate from CRA.
• Static by default.
• Unbundled dev server, optimized builds.
• Can use existing rollup plugings.

Open Source Tooling and Best Practices to Improve Vulnerability Management

• VM: Vulnerability Management

• --Identification -> Reporting -> Evaluation -> Prioritization -> Remediation -- ∧ | | ∨

• Competency trap: people don't use new tools because building competency in a new tool is challenging.
• Mend Renovate: formerly Renovate.
• Renovate bot can work off of dependencies defined in comments in a dockerfile.

Beyond the Chatbot: Delivering Business Value with LLMs

• According to IBM "Institute of Business Value", only 25% of AI initiatives have delivered expected ROI.
  • 16% have scaled enterprise wide.
  • IBM's Advice: ignore FOMO, lean into ROI.
• When to chatbot:
  • Onboarding users (employees/customer) to complex systems.
  • When users are lost, confused, or not even sure what they need.
• Need metrics
  • conversion rate
  • % requests routed to a human
  • manual time saved
  • response/execution times.
• When not to chatbot:
  • Simple forms
  • When users are experts
  • LLM Assisted Automation (agents) can provide value by performing tasks on triggers.
  • Using AI to capture business that you don't have the number of people to take in the business?!?!
• Solving problems with GenAI:
  • Classifying unstructured data.
    • What kind of document is it? What needs to be done with it?
  • Convert unstructured so structured data?
    • Parsing quote requests, emails, etc.
  • Translate similar data between systems:
    • Referencing information from external vendor systems.
• Why was something not already automated?
  • Complex SOPs (Standard Operating Procedures).
  • Unstructured data
  • Parsing information from multiple internal/external services

Measuring GenAI Solutions

LLM Evals

"Answer true or false" is the key.

• Example:

SYSTEM: Act as a metallurgy expert. Do not explain your answer. Answer true or false.

USER: Steel is an alloy of iron and carbon?

Easy to apply to any business domain. Ask experts: what are the toughest questions you're asked? What are the perfect 20 year veteran answers? Then let the expert decide when the AI is trustworthy enough.

Metrics Driven Development

• Answer correctness
  • True/false, multiple choice questions
  • More complex questions:
    • Determine ground truth
    • Take intersection of model answers and ground truth and divide by intersection + model + ground truth.
      • AnswerIntersections / (AnswerIntersections + Ground Truth + Model Answers)
• Faithfulness - degree to which outputs align with facts
• Relevancy
• Context recall
• Arize Phoenix: LLM evaluation tool
• guardrailsai.com

These tools are generally used to test existing LLM's, not to fine tune or create a new model. Most things that are changed by the LLM implementer are the context that is fed in, or the prompt that is given.

Minnesota Code Freeze Conference Notes

My notes from the 2025 Minnesota Code Freeze conference that took place at the University of Minnesota.

Working Effectively with Legacy Code

Michael Feathers (r7k)

• Test-Driven Architecture (like TDD but for architecture).
• Hyrum's Law: Any behavior you expose on an API will become depended upon even if it's not intended.
• Knowledge tends to dissipate over time (think music popularity reduction over time, for example, the ragtime of the 1920's).
• Galileo's scaling law (the square/cube law) - structure must change as things grow:
  • Initially named after the concept that as an object grows its volume grows faster than the surface (n^3 > n^2).
  • However, applies to other scaling concerns, for example, you can't build a skyscraper with wood.
  • With graphs, as they grow, you need to break them into smaller graphs to manage them effectively.
  • Understanding this tension can improve design.
• Miller's law - humans can track 7 +/- 2 items
  • This relates to class design, a class with 20 methods is much harder to track than a class with around 7.
• "The Principle of Deliberate Context" (coined by Michael Feathers):
  • Systems should be designed with intentionally bounded contexts that are optimally sized for human cognition.
• Robustness principle: be liberal in what you accept and conservative in what you produce.
• A potential issue with AI is when it generates things that we don't understand.

Infrastructure as Code Anti-Patterns

Jason Baker (Director of Cloud Operations at Civix)

• Thought on anti-patterns: every anti-pattern started as a pattern with good intentions.
• Why do infrastructure as code anti-patterns exist?
  • Senior tech leadership usually is promoted through software not infrastructure (citation needed).
  • Defining infrastructure as code is immature compared to software development (isn't infrastructure as code software development?).

1. Cloud Cowboys

• Creating cloud infrastructure manually (using a web console) instead of using code.

1. Muti-Tool Madness

• Using too many tools to define the infrastructure.
• Increased complexity, risk, and toil.
• Picking a consistent tool is more important than pick the best tool.

1. Partitioning infrastructure projects by infrastructure type or environment instead of by context.
2. Building all the environments

• Using a single infrastructure template to build out all environments.
• Templates should be environmentally agnostic.
• Infrastructure changes should be promoted using the same process as normal software.

1. One repo to rule them all

• Defining all resources using infrastructure code in one monolithic infrastructure code repository.
• Can introduce undesirable coupling.
• Partition infrastructure code by services.

1. Using DRY With Infrastructure

• All software problems can be solved with another layer abstraction, except for the problem of too many layers of abstraction.
• Taking an imperative approach to building infrastructure instead of a declarative approach.
• Coupling vs. cohesion

1. Modularize all the things

• Same as above.
• Enforce the updating of module versions across projects, allowing no more than for example 2 versions in use.

1. The infra team

• All infrastructure code has to be defined by an infrastructure team.
• Reinforcese the traditional division between developer and infrastructure operations.
• A single team becomes a major bottleneck for infrastructure work.
• In high-performing organizations most of the infrastructure code is defined by software developers and co-located in application repositories.

1. All security related infrastructure code changes must be implemented and approved by the secuirty team.

Finite State Machines and AI

Adam Terlson (https://github.com/adamterlson/AgenticStateMachines)

• Using state machines to control AI agents.
• X State: state management and orchestration library
• Model-based testing of state machines
• His AI Agent definition:
  • Autonomous - operates independently, making decisions without constant human input
  • Goal-oriented - achieves specific objectives
  • Context-aware
  • Collaborates
  • Interactive
  • Persistence - retains memory of past interactions and data.
  • Adaptive
• Agentic Systems:
  • Actors provide autonomy and communication.
  • State machines provide structure, enforce predictable behavior.
  • AI provides adaptability.
• Patterns:
  • Tool use
    • Available tools given to LLM.
    • LLM returns JSON object describing a method (tool) call.
    • Expected next message is tool response.
  • Human in the Loop (tool approval, if tool is expensive).
  • Feedback: one oagent receives the output of another agent and gives feedback on how to improve.
  • Collaboration: multiple specialist agents working on a broader goal where each agent owns a slice of the broader task.
  • Orchestration: Planning agent dynamically routes to the next agent based on current context.
  • "Chartering": state machine defined by LLM.
• Advantages over industry tools?
  • (LangGraph and competitors)

Evolveable Architectures

Rebecca Parsons

• Conway's law - the systems you build will reflect the dysfunction of your organization.
• Last responsible moment - wait to make decisions until the last possible moment.
• How do we build code that is auditable?
• How do we build code that increases code quality?
• Contract testing allows developers to ignore each other.
• Use AI for contract testing?
• LLM hallucinations are a feature, not a bug. How are you supposed to generate something new if you never make something up? The question is whether there are ways to bound the hallucinations (yes, with temperature).
• How do you test non-deterministic systems?

Monolith vs. Platform vs. Serverless

Corwin Diamond

• This talk was generally biased against monoliths (seemed to imply a definition of a monolith as a giant legacy application, in something like an older ecommerce server application).
• CAP Theorem:
  • Consistency - works correctly.
  • Availability - always works.
  • Partition Tolerance - works across different partitions.
  • You can pick 2.
• Distributed CAP: different services/teams within your ecosystem will have different CAP requirements.
• Multi-cluster platforms...
  • Need to solve data replication.
  • Sounds like classic SOA/microservice problems.
• Cellular architecture...
  • Platform monoliths.
• Modularize abstract abstractions.
• Minimize different types of deployment processes.
• Remove requireemnts that aren't required.

Panel

David Laribee, Rebecca Parsons, Michael Feathers

• Remote work:
  • How can we maximize the effectiveness of in-person time?
  • Shoud do hybrid meetings remote first.
  • Important to work on things together with remote work.
  • Create venues where smaller collaborations can occur.
  • Times when we get together should be treated as precious and valuable.
  • Is the problem encouraging people to value social connections?
• Modular Monoliths:
  • Return to simplicity.
  • Look into testcontainers.
  • It is important at the early stages of a product development to develop a well-structured monolith.
  • Chris Richardson has good ideas on microservices.
  • Event-driven applications can be done in process (and I do).
• Functional programming:
  • "The little lisper", "the little schemer" books.
  • If one spends too much time in the OOP world, it can become difficult to understand functional programming.
  • More people are recognizing the benefits of functional programming.
• How do we discern when we should adhere to new programming principles vs traditional principles?
  • With low-code/no-code, you can get started very easily, but it's hard to scale to complex problems.
    • It's easy to solve 80% of the problem, hard to solve the remaining 20%.
  • Be very cautious about de-scaling your development.
  • Where have all the mid-level engineers gone :D.
• Is agile dead?
  • Agility was kind of jettisoned, and "agile" became a management practice.
  • Good technology (and good process?) disappear, they just become standard operating procedure, like small commits, TDD, etc.
  • There are different product domains: Simple, Complex, and Chaotic. Which domain your product fits in determines how "agile" you need to be.
• 3 things developers can do to stay current:
  • Need to start using AI.
    • How are they going to make money off of it?
  • Everyone is using AI today which differs from the prior AI hype cycles of the 60's and 80's.
    • And problematically, most people do not have a strong mental computational model that matches how it really works.
  • AI is good at ideation. It can also help increase your skill at asking questions.