# (0) 21 Dec 2014, 11:10PM: Why You Have To Fix Governance To Improve Hospitality:
Fundamentally, if you want to make a community hospitable,* you need to work not just on individual rules of conduct, but on governance. This is because
- the particular people implementing rules of conduct will use their judgment in when, whether, and how to apply those rules, and
- you may need to go a few levels up and change not just who's implementing rules, but who's allowed to make rules in the first place
Wait, how does that work?
In my Wiki Conference 2014 keynote address (available in text, audio, and video), and in my PyCon 2014 poster about Hacker School, I discuss how to make your community hospitable. In those pieces I also mention how the gatekeeping (there is an initiation/selection process) and the paid labor of community managers (the facilitators) at Hacker School help prevent or mitigate bad behavior. And, of course, the Hacker School user manual is the canonical document about what is desired and prohibited at Hacker School; "Subtle -isms at Hacker School" and "Negative comments" have more ruminations on how certain kinds of negativity create a bad learning environment.
Sometimes it's the little stuff, more subtle than the booth babe/groping/assault/slur kind of stuff, that makes a community feel inhospitable to me. When I say "little stuff" I am trying to describe the small ways people marginalize each other but that I did not experience at Hacker School and thus that I noticed more after my sabbatical at Hacker School: dominance displays, cruelty in the guise of honesty, the use of power in inhospitable ways, feeling unvalued, "jokes", clubbiness, watching my every public action for ungenerous interpretation, nitpicking, and bad faith.
You can try to make rules about how things ought to be, about what is allowed and not, but members of the incumbent/dominant group are less accustomed to monitoring their own behavior, as the Onlinesmanship wiki (for community moderators) reminds us:
Another pattern of the privileged: not keeping track of the line between acceptable and unacceptable behavior. They only know they've crossed the line when someone in authority tells them so. If this doesn't happen, their behavior stays bad or gets worse....
Do not argue about their intentions. They'll swear they meant no harm, then sulk like fury because you even suggested it. In most cases they'll be telling the truth: the possibility that they were giving offense never crossed their minds. Neither did any other scenario, because unlike real adults, they take no responsibility for getting along with others. The idea that in a cooperative work situation, getting along with one's fellow employees is part of the job, is not in their worldview.
This too is a function of privilege. They assume they won't get hit with full penalties for their first offense (or half-dozen offenses), and that other people will always take on the work of tracking their behavior, warning them when they go over the line, and explaining over and over again what they should have done and why. It's the flip side of the way people of the marked state get hit with premature negative judgements (stupid, dishonest, sneaky, hysterically oversensitive) on the basis of little or no evidence.
And, in any community, rules often get much more leniently interpreted for members of the dominant group. And this is even harder to fight against when influential people believe that no marginalization is taking place; as Abi Sutherland articulates: "The problem with being lower on an unstated social hierarchy is that marginal judgment calls will
reliably go against you. It's an excusable form of reinforcement."**
Changing individual rules isn't enough. After all, individual rules get made by particular humans, who -- here, instead of babbling about social rule system theory at you, I'll give you a sort of sidebar about three successive levels of governance, courtesy of my bachelor's degree in political science:***
- Actors: The actual set of people who run an organization or who shape agendas, on any given day, have particular ideas and policies and try to get certain things done. They implement and set and change regulations. Actors turn over pretty fast.
- For example, in its five-year history, Hacker School has had employees come and go, and new participants have become influential alumni.
- Dominant worldviews: More deeply and less ephemerally, the general worldview of the group of people who have power and influence (e.g., Democrats in the executive branch of the US government, sexists in mass media, surgeons in operating rooms, deletionists on English Wikipedia) determines what's desirable and what's possible in the long term. Churn is slower on this level.
- For example, dominant worldviews among Hacker Schoolers**** include: diversity of Hacker Schoolers, on several axes, helps everyone learn more. Hiding your work, impostor syndrome, too much task-switching, and the extrinsic motivation of job-hunting are common problems that reduce the chances of Hacker Schoolers' success. Careers in the tech industry are, on balance, desirable.
- Rules of the game: What is sacred? What is so core to our identity, our values, that breaking one of these means you're not one of us? The rules of the game (e.g., how we choose leaders, what the rulers' jurisdiction is) confer legitimacy on the whole process. Breaking these rules is heresy and amending them is very hard and controversial.***** Publicly disagreeing with the rules of the game costs lots of political capital.
- For example, the rules of the game among Hacker Schoolers, as I see them, include: the founders of Hacker School and their employees have legitimate authority over admissions, hiring, and rule enforcement. Hacker School is (moneywise) free to attend. Admission is selective. A well-designed environment that helps people do the right thing automatically is better than one-on-one persuasion, which is still better than coercion.
(Where do the four Hacker School social rules fall in this framework? I don't know. Hacker School's founders encourage an experimental spirit, and I think they would rather stay fluid than accrete more and more sacred texts. But, as more and more participants have experienced a Hacker School with the four social rules as currently constituted, I bet a ton of my peers perceive the social rules as DNA at this point, inherent and permanent. I'm not far from that myself.)
(I regret that I don't have the citation to hand, and would welcome the name of the theorists who created this model.)
So, if you want a hospitable community, it's not enough to set up a code of conduct; a CoC can't substitute for culture. Assuming you're working with a pre-existing condition, you have to assess the existing power structures and see where you have leverage, so you can articulate and advocate new worldviews, and maybe even move to amend the rules of the game.
How do you start? This post has already gotten huge, so, I'll talk about that next time.
* I assume that we can't optimize every community or activity for hospitality and learning. Every collaborative effort has to balance execution and alignment; once in a while, people who have already attained mastery of skill x just need to mind-meld to get something done. But if we want to attract, retain, and grow people, we need to always consider the pathway to inclusion. And that means, when we accept behavior or norms that make it harder for people to learn, we should know that we're doing it, and ask whether that's what we want. We should check.
**See the second half of "One Way Confidence Will Look" for more on the unwillingness to see bias.
*** I am quite grateful for my political science background -- not least because I learned that socially constructed things are real too, which many computer science-focused people in my field seem to have missed, which means they can't mod or make new social constructs as easily. Requisite variety.
**** A non-comprehensive list, of course. And I don't feel equal to the more nuanced question: what beliefs do the most influential Hacker Schoolers hold, especially on topics where their worldview is substantially different from their peers'?
***** The US has a very demanding procedure for amending the Constitution. India doesn't. The US has had 27 amendments in 227 years; India, 98 in 67 years. I don't know how to interpret that.
# (0) 19 Dec 2014, 01:53PM: Join Me In Donating to Stumptown Syndicate and Open Source Bridge:
I'm donating up to $15,000 to the Stumptown Syndicate -- depending on how much you are willing to match by December 29th. Please join me by donating today and doubling your impact!
I really love Open Source Bridge, which Stumptown Syndicate runs. I've spoken there every year since 2010, and it's the tech conference that has imprinted itself on my heart -- informative technical talks, inspiring ideas that help me improve how I do my work, and belly laughs and great food (see right). I love that I can tell friends "Come to OSB!" without having to add "but watch out for..." the way I do with so many other conferences. Hospitality lives in the DNA of Open Source Bridge, so it's a place where people from different projects and backgrounds can share their experiences as equals. Wikimedians, Linux developers, Mac users, designers, hardware hackers, managers, knitters, teachers, and everyone from Fiona Tay to Ward Cunningham swap tips and inspire each other. I especially appreciate that Stumptown Syndicate curates an inclusive all-genders tech conference where I'm never the only woman in the room; in fact, in 2014, half the speakers were women.
I don't live in Portland, so I don't get to benefit directly from most of Stumptown Syndicate's events. But they document their processes to make a playbook, and they built and improve open conferenceware and an open source shared calendar, all of which contribute to the infrastructure of inclusion for everyone to reuse.
With some more cash in the bank, the Syndicate can look at adding childcare to its events, improving access and scholarship options for low-income participants and guest speakers, and improving the audiovisual experience (with faster video processing or transcripts/captioning).
So: I'll match donations starting today and ending on December 29th, whether corporate or individual, one-time or recurring memberships. Please donate now to help raise $30,000 for Stumptown Syndicate and Open Source Bridge!
# 17 Dec 2014, 12:08PM: Some Fanvids I've Enjoyed Recently:
Many of these came to my attention thanks to singlecrow's link to a rec post; thanks!
"Level Up", a Buffy vid by such_heights. A great match of song and topic, with an inspiring focus on the courage and growth of the whole gang.
The "Every Frame a Painting" series by Tony Zhou, analyzing various uses of film form. In particular the "What is Bayhem?" analysis helped me enjoy Hot Fuzz on a new level when Leonard and I re-watched it the other day.
"It's Still Science Fiction to Me", a multifandom vid by azurish. A funny, joyous, clever, and celebratory tour of the last several decades in film and TV speculative fiction. Partially inspired by bironic's mindblowing "Starships" vid, have you seen it? and also by:
"Hey Ho", a Marvel Cinematic Universe vid by thuvia ptarth. As chaila puts it, a "completely scathing critique of the way Marvel sells the military-industrial complex." I also agree with tardis_stowaway -- it "manages the tricky balancing act of being enjoyable to watch while delivering a powerful, disturbing critique."
# 17 Dec 2014, 01:04AM: My Next Few Months:
Last week I got back from AdaCamp Bangalore, some family visits, the community-builders' meeting within Mozilla's workweek, and some volunteering with Stumptown Syndicate to support Open Source Bridge 2015. I set off on those travels basically right after I spent six weeks improving my webdev skills at Hacker School, which I started a few days after I finished up my four-year stint at the Wikimedia Foundation. So it's been intense!
I'm concentrating on a bunch of errands and backlogged volunteer work in the next few weeks, and then in the new year, for several months, I want to do activist and maker work. (I can go without getting paid right now, and I'm fine with doing this as a volunteer. It's not emotionally sustainable for activists and open source contributors to put in huge gobs of volunteer work over and above full-time jobs. And it's not financially sustainable for most people to work as activists for money (not to mention argh the nonprofit-industrial complex). But Leonard and I are very fortunate in that we can switch; sometimes he supports the household and sometimes I do.)
Spend about 20 hours/week writing open source code that ships and that others directly depend on. I have worked on open source projects that hundreds of millions of people depend on, e.g., MediaWiki, but I wasn't a code contributor. I've written open source code that shipped, e.g., my MC Masala site, but my projects were toys or I was the main customer (one exception being "Missing From Wikipedia"). In 2015 I aim to meld these skills.
Right now I'm planning on contributing to GNU Mailman as a volunteer. I know Terri Oda, one of the maintainers, and talked with her in Portland. The Mailman 3 refactor looks like a promising field, fresh code with work tasks of about the right size and shape for me. My Python's good enough. The codebase has comments, docs, and tests. I hear the community is friendly, and I know Terri, and I live close enough to another key contributor that I can probably arrange some in-person hackdays. I'll get to munge stuff dealing with underlying protocols like SMTP, and it's a project lots of other open source projects depend on, so I'll have an impact.
Ideally, by the end of the PyCon sprints, I'll be contributing to code review and comaintaining something. I'll be better at making the systems I want to make. And I'll be confident and seasoned enough that I could plausibly go find a full-time Python web development job, should I wish. That's really more of a self-assessment heuristic than a goal. More importantly, I'll have the experience necessary to give good and credible advice for marginalized people in tech who want to follow that path, and I'll have better wisdom that I can share with allies and imbue into systems to help those people.
Spend about 20 hours/week working to make open stuff friendlier and more diverse. This is time to volunteer on Stumptown, to continue my volunteer duties on the Ada Initiative Board of Directors, to teach Ally Skills workshops, and do miscellaneous other outreach and writing. I'm also open to a little bit of consulting, but will be redirecting some requests to Ashe Dryden or Julia Rios or other experts.
My goal with these activities isn't so much to grow as an activist; rather, I want to give back to these communities that have given me so much, and to help them in ways I'm uniquely positioned to do well. But I'm building on my strengths as a project manager, communicator, and leader, and I'm learning how to be an effective board member and influencer.
Ideally, by late April (after PyCon): Open Source Bridge and Stumptown Syndicate will have better documentation and more vigorous processes that help attract, retain, and grow volunteers; dozens or even hundreds of motivated open stuff participants, especially Wikimedians, will be better feminist allies; and the Ada Initiative will remain swimming along happily and effectively. The infrastructure of our movement will be in even better shape, and I'll have no qualms about changing my commitments to suit my abilities, my interests, and the movement's needs.
As I said when I announced that I'd be leaving WMF, I'm open to new opportunities, especially New York City-based work in empowering marginalized groups via open technology. But if nothing new comes up, internally or externally, I have a reasonable plan for the next four months. Which is nice.
# (0) 16 Dec 2014, 06:06PM: Blog Posts Are A Way For Tabs To Make More Tabs:
# (1) 15 Dec 2014, 12:06PM: A Code Review Group:
I'm interested in piloting a peer code review group, structured like a writer's group. So next month I'm starting one out in New York City, starting with Hacker School alumni and participants, and I figured I'd put some logistics and reasoning here for my own future reference and to help anyone who'd like to do something similar.
Basics: Part of the point of a writers' group is to get participants to produce work consistently, and part of the point is to help everyone learn craft -- the authors and the critiquers. So I'm trying out a similar structure for this pilot. We will meet in person; I think that criticism is often a lot easier to take in person, and I know it's easier for me to take in person. We'll meet about every 3 weeks, midday Saturday or Sunday, to critique two works of code. We'll have a rotating schedule of who's responsible for writing code and who's responsible for reviewing it; I am maintaining that schedule. (I'm copying the frequency and format from writers' groups like Leonard's.) I figure we'll run this with about 5-6 people for four months, hopefully giving each person a chance to have their code reviewed twice, and then reevaluate and see what to keep, change, or give up.
Who?: It felt natural to me to start this in the Hacker School community. Anyone who's going or gone to Hacker School is someone who accepts the social rules we've set up to make learning easier, and is generally collaborative and friendly. Also, alumni can use Hacker School for stuff like this outside of normal work hours, which means we can use a HS conference room (and projector!) for the group meetings.
What language?: Since Python is the only language I am fluent in and it is the language I'd prefer to work in and grow in, most code we review will be in Python. I consider myself an intermediate Python programmer (very comfortable writing list comprehensions, but still need to stop and look up exception-handling syntax when I need it; see "mcmasala" for a recent code sample). Fortunately, Python's enough of a lingua franca, and there's a wide enough variety of skill levels in the Hacker School community in New York, that several programmers were willing to sign up to an intermediate-and-higher Python-specific group. After the pilot period, I think the group will evaluate the idea of expanding to other languages, and see how we feel about skill heterogeneity.
New code only?: I'm not sure whether people will end up submitting already-written or fresh code for the group to critique. I personally think that it would be fine to circulate bespoke and/or already-working-on-it code. Sometimes I might be working on something that's so huge that it doesn't make sense to extract a small-enough chunk of it for peers to review, so I'd write something from scratch instead. Sometimes I'd really want my peers to look at something that I have already been noodling with. I'm curious what other code review groups have found when experimenting on this axis.
Submission length?: My current wild-ass guess is that each submission for review should be somewhere between 32 and 2048 lines of code, but, given that this.py (as in
import this) is ~6 lines other than a giant string, I am happy to deal with codebases of lengths 4-31 as well, for the length of the pilot. :)
Time commitment?: As far as I can tell, here's the format and time commitment for this pilot:
- Everyone: in-person meeting every three weeks for about four months, January-April -- probably about 60-90 minutes long each time, with about 30-45 minutes for each work (the critiquers offering praise and criticism of the work, and the author responding at the end).
- Per person: Twice during the pilot: writing code and emailing it (or a link to it) to the rest of the group, a week ahead of the meeting.
- Per person: Before every meeting, so, about 5 times: reviewing the author's or authors' code ahead of time and writing out notes, so it's easier to give specific praise and criticism at the meeting, and to email to the author(s) afterwards. (I say "author's or authors'" because even if you're one of the two authors who submits code for a particular meeting, you'll still have to review the other author's code for that meeting.) Writing a critique will probably take the participant at least 30 minutes per critique.
- Organizer: a few hours total of scheduling, sending nag emails, and writing writeups like this one. :)
I'm opening comments on this post specifically to hear from other people who have participated in code review groups, about what has worked and not worked for you. And of course other people should feel free to reuse bits of these ideas to start groups that meet online, or go multilingual, or meet more or less frequently, or what have you!
: Hacker School
# 28 Nov 2014, 07:25PM GMT+5:30: Attachment:
From The Young Buddhists' Path To Success, by Venerable Master Hsing Yun, 1987, p. 25:
What the Buddhist youth lack today is a sense of ambition.
I'm turning this over in my head, half thoughtful and half amused.
# 28 Nov 2014, 06:48PM GMT+5:30: Normal's Just A Setting On The Dryer:
(Title from some lost-to-the-ages sage, I think.)
I recently said to a friend that I'm pretty on-board with "Labels are for mailing things" and "Normal's just a setting on the dryer" (also said as "Normal: of or pertaining to someone named Norm"). I also shy away from calling things "real", from using the minimizing adverb "just", from saying that "everyone" does or is or doesn't or isn't something.
Today I was thinking about the assumptions that US children of immigrants make, about the fact that we know that "normal" is relative. When I'm in Mysore, it's as normal to sidestep cow poop on the road as it is to avoid clicking on phishing links in my email.
Evidence is mounting that several people consider me a role model and a leader. (And yes if you thought "that must be something Sumana is resistant to acknowledging, to herself or publicly" then you are accurate in your predictions!) So I'm mulling that. Role models demonstrate that something is possible, for, lo, here is an existence proof. And leaders get to influence perceptions of what's normal, and what's bullshit.
# (1) 18 Nov 2014, 04:21PM: Using Beautiful Soup, Pystache, and Lunr.js for an Archival Site:
My third week of my 2014 Hacker School batch, I decided to take on a project that I'd originally thought about doing a year before, during my first go at HS.
Between April 2005 and August 2007, I wrote a weekly column called "MC Masala" for the "Inside Bay Area" section of several papers in the San Francisco Bay Area, including the Oakland Tribune. My work circulated to about a million people, I'm told. A few years ago I grabbed a softcopy of almost all my archives off a periodicals database, and then in 2011 I made an abortive attempt to get the columns online, but gave up on all the fiddly textmunging bits.
But a few weeks ago I felt ready to make a go of it, and I figured this would be a fun and useful way to learn Beautiful Soup and learn to finagle a search engine. So I basically stopped doing the Matasano crypto challenges and started a new project.*
Beautiful Soup, Pystache, and sed
I wrote a script to take a list of HTML files of my old newspaper columns and scrape them using Beautiful Soup. (I only needed a tiny bit of live help from Leonard -- to whit, he got me to use the html5lib parser instead of the default.) My script output a Python dictionary containing the stories as structured data: headline, date, & body. And I wrote a script to render that data through Pystache templates I wrote and write an HTML file for each story, plus a table of contents page. (I don't intend on adding comments or starting the column back again, so I didn't think I'd want a CMS. Pystache, the Python implementation for lightweight Mustache templates, seemed like a reasonable choice.) I got some help on this, notably from a pairing session with Chase Lambert on testing Unicode stuff, and from a pairing session with Geoff Shannon on a Pystache type and inheritance problem.
Unfortunately I never quite figured out how to get one Pystache template nested in another, so there's some code duplication (perhaps partials are the answer). And I had to hack my way around some loopback issues so as to put chronological next/previous links on each article. (Story URLs are just kebab-cased dates. So, my script gets the headline and date (and thus the URL) of the next or previous story by traversing a date-sorted list of dates-and-headlines dicts, then renders the dates and URLs into variables in the template. Oh right, this is where a CMS would have been nice! Lightweight is great until it's not.)
(In the course of all this, I (with help from a sed FAQ) wrote my first real honest-to-goodness "changing a bunch of files in-place with sed" one-liner in years or possibly ever. A ton of links in several files were pointing to the parent directory instead of the current directory. So:
sed -i '/head/s/\.\.\///' *.html means "In-place, change
../ to nil, in all the
.html files in this directory." Whoo!)
The look, the feel
(There was a cotton ad on TV when I was a kid, with the jingle, "The look / the feel / the fabric of our lives." Sometimes Nandini and I sing it to each other. I suppose if there were an ad for Cascading Style Sheets on TV today it could use the same motto.)
I wrote the stylesheet and arranged the proper elements in the template with a bunch of help from Mozilla Developer Network's guidance on boxes and tables, and that old standby, CSS Zen Garden. I gratefully and curiously perused several nice-looking styles for inspiration and edification. I now more thoroughly understand the difference between margin and padding, and grok better why modern sites have a zillion
For a "home" image, I used a picture of me that Valerie Aurora took, and for a header decoration, I used the GNU Image Manipulation Program to stitch together repetitions of a photo that Kitt Hodsden took and blogged in 2012.
I've made database schema decisions before, but I haven't previously decided on search indices. It was cool that I had the power to change up the parsed output once I realized that the structured data ought to have hrefs as the unique IDs, rather than otherwise-useless unique doc IDs.
MC Masala is live! I am so happy that these columns have a nice home now, and that I made it. I got to exercise my Python, which is strong, and I got to strengthen a bunch of other skills along the way. It's not perfect, and I have a TODO list, but it's the nicest-looking site I've ever made, and it fulfills its function well. And I made it in just a few days.
* I basically stalled on the Matasano challenges, and will come back to them someday when I don't feel so time-constrained. I did get some use out of doing the ones I did! I have now grokked byte-level stuff much better, and learned about bytearrays thanks to Allison Kaptur. And I got some laughs out of the process. Example: In challenge six, the Hamming distance the player calculates should be 37. First attempt: came up with 14. Next: 598. I literally laughed aloud. Then, when I finally got 37, I thrust my arms into the air with great vigor because I WAS A DEITY OF PURE LIGHT. But then I started getting depressingly wrong answers and kept getting them; I got help from friends, but decided to hold off and only look at one friend's potentially-spoilery explanation when I'm ready to come back, and I still haven't looked at it. I tried to remind myself of a sort of Allison Kaptur/Carol Dweck "the edge of maybe-can't/"The only thing that makes you smarter is doing hard things" attitude, that I am a Joseph Campbell hero and the greater my struggle the greater my triumph will be. But I was tearing up in frustration, and I decided to give myself a rest from crypto and level up on the main skill I'd come to Hacker School to learn, namely, webdev. And I think that was the right decision. You gotta manage your own morale and momentum -- that's a resource too.
: Hacker School
# 18 Nov 2014, 01:01PM: A Node.js Project, And Deciding to Shelve It:
In my second week of my 2014 Hacker School batch, I asked:
What are red flags in scifi/fantasy magazines' calls for submissions? What words/phrases make you think "ew, avoid"? -- @brainwane, 3:48 PM - 13 Oct 2014
As Moss guessed, I was thinking of making an SF&F version of joblint.org, to automatically check for suspect wording in "please submit" pages and posts by speculative fiction publishers.
I take off my hat to Rowan Manning for creating the tool and the site, which I found easy to adapt (my fork of the tool, my fork of the site). The code's in Node.js, and despite an npm problem on Ubuntu, I found it fairly easy to figure out how to change the tests, regular expressions, and error messages, modify the package dependencies and update appropriately (especially thanks to Hacker School colleagues). Check it out:
But conversation with some SF&F community members led me to believe that the joblint approach wouldn't help here. In tech industry job descriptions, you can rely on certain buzzwords and key off them; joblint should be only part of a suite that catches problems, the way a code linter should be in a software engineering process, but it prookes thought and is useful on its own. But problems with SF&F calls for submissions are often in subtler approaches rather than easy-to-match strings. So it didn't feel worthwhile for me to try for a regexes-alone approach, and I didn't want to spend my Hacker School time thinking though the automated literature analysis part of this problem; that's not what I wanted to do in this batch.
So I shelved the project and I have not gotten it even close to launch. But the code's up with a TODO list, and y'all should feel free to grab it and run with it if it strikes your fancy!
: Hacker School
# (1) 18 Nov 2014, 10:46AM: Things I Learned About Drupal And Odd 404s:
Back on October 7th, I offered "Some Tips On Domain Names And Hosting", and said: "So, next step: choosing a provider, spinning up a server, loading it up, and pointing my new domain name at it!" And then an interesting unexpected thing came up, which takes up the majority of this post (see the "Weird spam and HTTP tricks" section).
I chose DigitalOcean mainly because a peer had a $10 referral coupon thing, so I could for free enjoy the benefits of using a service that has a business model that makes sense and won't get all ad skeevy (relevant rant, parts one, two, and three).
I faced some two-factor auth problems basically because the most convenient 2FA solutions assume you are fine with installing a closed-source app on a computing device you control.
Also, when spinning up a DigitalOcean droplet for the first time and SSHing into it, I'd like to establish the authenticity of the host by verifying the ECDSA key fingerprint. Where in one's digitalocean.com settings or in the web UI should one look to find that? The answer: one can't. I looked on the web and asked around, and found a lot of people saying, "when you get to 'the authenticity of this host cannot be established, are you sure,' just say yes." There is apparently no way to verify that key fingerprint in the web UI. The attack vector is microscopic (someone else coming in and spoofing the IP address right after you spin it up and before you have a chance to SSH in). But it still annoys me. I hear Amazon EC2 has solved this problem and does give you a way to verify the fingerprint.
I followed some useful tutorials to refresh my memory so I could set up an Ubuntu server and get a LAMP stack installed. Another helped me install Drupal. I have now successfully installed Drupal!
Generally, if you want to make Drupal do what you want it to do, it's helpful to install modules that other people have made, and maybe themes. You can check out popular modules such as Views, and you can look up how to install modules and themes, and learn how to install modules and themes specifically in Drupal 7.
Thanks to much help from Fureigh (example), when I looked up an "installation profile" ("ngpprofile") that interested me, I found out about Drush and installed it. It seems as though drush wants or seems to need to do everything as root, which doesn't feel right to me, so maybe I misunderstood. Then again, a sysadmin of my acquaintance mentioned his "you gotta be kidding me" reaction to a Drupal installation HOWTO that blithely said "now
chmod 777 the web directory", so maybe I just have a different attitude to privileging than Drupal does! Some more thoughts on Drush: a slide deck, GitHub, a homepage, and a project page.
And Fureigh submitted a patch to get ngpprofile to work properly with Drush! ... And then I ungratefully did not try to use ngpprofile, and instead looked at a very very simple theme, and then fiddled manually with templates and the admin dashboard to make my site look just slightly different from a regular stock Drupal site. Drupal theming seems to be a pretty deep skill in and of itself.
I got help from the
#drupal-support IRC channel on Freenode as I went -- thanks! If I ever dip into Drupal again, I'll check out a video resource they recommended, including a "build your first Drupal 7 website" video sequence.
Weird spam and HTTP tricks
I bought a brand-new domain name via Hover and pointed it to my DigitalOcean droplet. The next day, I looked at various admin logs and noticed strange 404s that had nothing to do with my site. Clearly they were spam and the attackers hoped I would click on their URLs thinking they were referrers, or similar (if the attacked site's 404 logs are public, intentionally or accidentally, then this tactic would increase the spammer's pagerank). I'll reproduce one here, with the actual URL replaced with "myphishingsite.biz" and eliding the IP.
Hmmm. The spammer left their URL in the LOCATION field somehow, but there's no referer (Drupal spells it "referrer in the admin console). I found that I could cause a "page not found" log entry by going to a nonexistent page on my site, e.g.
TYPE page not found
DATE Thursday, October 9, 2014 - 10:46
USER Anonymous (not verified)
HOSTNAME [IP address elided]
/bleeber, but then the LOCATION for that log entry was
http://[hostname.tld]/bleeber. How was the spammer manufacturing an entry with a LOCATION of
http://myphishingsite.biz? And what was up with the truncated initial "h" in the MESSAGE field?
With a few pointers from two Hacker School colleagues, a bit of reading up on how Drupal logs 404s, what access logs look like in Apache, and what 404 actually means, and some trial-and-error, I began to see what was happening. If I went to http://myhostname.tld/http://panix.com , then my access logs included
GET /http://panix.com . But the attacker sent requests that logged as
GET http://[spamsite] (notice that there is no leading
/). So I began to suspect that the attacker programmatically sends
GET requests with some kind of intentionally malformed header. (And then this helped me explain why, in the report overview in the web-based admin console, the spammed URLs miss their first character (the h in http) -- usually you don't care about the leading slash or about the base URL when you're skimming that overview, so Drupal programmers made some kind of "omit the first character" choice.)
Time to break out
netcat! Usually, the first string after
GET in an HTTP request header is the location of the resource you want on the host that you're sending the request to (below, "myhostname.tld" is the host that I'm sending the request to). You'll often see
GET / or
GET /favicon.ico, for instance. But there's no reason you can't do something like this:
$ nc myhostname.tld 80
GET http://berkeley.edu HTTP/1.1
When I sent that HTTP request manually, I could replicate precisely what the spammers were doing, in terms of what characters showed up or got clipped in the relevant logs. For instance, the access log entry:
[IP address elided] - - [11/Oct/2014:16:23:47 -0400] "GET http://berkeley.edu HTTP/1.1" 404 7574 "-" "netcat"
And if I were specifically attacking Drupal administrators and wanted them to click on things, and I knew about the initial truncated character in the web-based admin console view, I might send a
GET request that includes an initial character to throw away:
$ nc myhostname.tld 80
GET /http://nyc.gov/ HTTP/1.1
So, my first week of my second Hacker School batch, I succeeded in learning a bunch about using the domain name system, hosting, and Drupal, AND I learned how to do hilariously wrong things with HTTP requests. (The site isn't up anymore, because that wasn't the point.) I then went on to build some more sites with different tools, and I'll blog about the rest of them in upcoming posts.
: Hacker School
# 16 Nov 2014, 06:36PM: Shelter and Memory:
Mary Schmich wrote in that 1997 "wear sunscreen" advicedump, which has stuck with me and overall proven a good guide for adult Sumana:
Understand that friends come and go, but with a precious few you should hold on. Work hard to bridge the gaps in geography and lifestyle, because the older you get, the more you need the people who knew you when you were young.
This weekend I hung out with a couple of Wikimedia engineers I'd known for a while -- heck, I'd helped one of them move. One of them mentioned, "I was looking at the Wikipedia article for Team America: World Police --"
And I joked something like, "Oh, because it was interfering with the Education Program's
Team America namespace?"
And he laughed at my joke, because he remembered that two years ago, we tried to help out professors by introducing a Course namespace (basically wiki pages starting with "Course:"), but that this caused a conflict with the article about the Star Trek: Voyager episode "Course: Oblivion". Such an obscure joke.
That's the time and the place for the coziness of an inside joke -- among friends, the ones who've helped you shape your identity, so the homosocial bonding doesn't exclude newbies and imply to them that if they don't get the joke then they don't belong. I wonder what idiom speakers of other languages use; the phrase "inside joke" carries these connotations of shelter and interiority to me.
There's a saying that you know you're a New Yorker when you point to a storefront and say "I remember when that was [something different]." I've been here going on nine years, longer than I have ever lived in any other city, and I can imagine visual diffs for scores of blocks. It makes me feel rooted, like a tree. I can sense -- and sometimes give in to -- the temptation to assume that the change began when I arrived and began to observe it, as though the only important change is the change I witnessed.
My family moved over and over when I was a child, and I was poor at socializing as a teen, and I've only retained a handful of college friendships. Today I'm doing a big inbox scouring, and this musing reminds me to prioritize replying to the old pals, the ones who knew a Sumana I can barely remember.
# (1) 14 Nov 2014, 04:07PM: Sometimes Paths Are Useful:
I just finished a six-week batch at Hacker School. As an alumna, I had the option of asking to come back for three months or for a six-week minibatch, and I decided on the latter. I'll be writing more about my lessons, but today I can mostly point to my programming partner's writeup and add a silly story.
I met Greg Hendershott at !!Con months back, and then we ended up in the same batch and found that we laugh at each other's jokes. So we tried to figure out what to work on together. He's way into functional programming, Racket, Clojure, stuff like that, and has for instance written an emacs mode for Racket. In contrast, I'm only fluent in Python and have been concentrating on web dev. We found common ground in Python and an interest in security, and made a webservice that runs a static analyzer on a user-submitted code sample and returns to the user a "report card" of vulnerabilities in their code. That's what I spent the last two weeks on.
In his post, Greg describes how we rejected smaller and smaller web frameworks, finally settling on subclassing from
BaseHTTPServer (built into Python's standard library). When you do that, you have to literally define methods so that the server can handle even the most basic HTTP verbs, like
POST. We defined
POST but didn't define
GET, because we didn't need to! It felt so tremendously subversive, creating a web service that gave you a 501 (Method Not Supported) if you tried to
GET / , and yet actually did other things. Deliciously wrong.
(Also amazing: reading and subclassing from code whose initial code comments specifically and relevantly cite the work of Tim Berners-Lee and Roy Fielding. I felt such awe and gratitude, that I am part of a grand heritage of innovation and infrastructure. What an inheritance!)
So then a few days later we decided to make a simple web page or two, so that someone using a web browser could use the service. I loved the experience of API-first design, and felt amused when I implemented our server's second method,
do_GET. (One nice thing about long-term collaboration is that you can pair some of the time and also do some bits on your own, bringing them to your partner for code review.)
do_POST, didn't care about the path, because there's only one thing a user is ever going to do with our service. No URL routing required. A
GET request always caused the server to return index.html.
Then I stubbed out a small index.html page, borrowing bits and pieces from other past projects where I'd solved similar problems. And I thought "well I'll style this a bit" and copied a style.css file from one of my old sites into the project directory, linked to it in the
head element of index.html, futzed with some element names and IDs, and reloaded. Hmm, why no styling? Shift-reload. Still looked bare. I opened up the developer toolbar...
...and saw that "style.css" had the text of index.html. Because I had defined
GET to always return index.html! And when you want a browser to be able to use a stylesheet, well, it'll have to
I laughed pretty hard, then inlined the CSS. (And we did end up writing a bit of URL routing so we could serve a favicon to browsers and to serve a capabilities document to service clients.)
I get so much joy out of playing with the building blocks of the Web. It's a great feeling. Thanks for working on this with me, Greg!
: Hacker School
# 07 Nov 2014, 04:35PM: Snapshot:
Sometime in early 2010, I jotted down a few notes that I meant to blog at the time; I've now expanded them into the following entry. I was in between jobs; I think it was just after my time at Collabora, and the year before I started working for Wikimedia Foundation. I'd been in New York City for a little over four years. It's interesting to look back -- I never did turn any of those ideas into a proper conference talk, and I still remember the atmosphere of that evening, feeling out of place of course among the men in business suits in some dim bar, but still connected to them because of what we'd studied together.
Today I thought up some proposal ideas for conferences... [terrible ideas elided]
Today I also reread bits of Rick Yancey's tax collector memoirs, and I went to dinner/drinks with old colleagues, people I'd done the master's in tech management with a few years previous. Basically all guys (and jeez sexism much?). Evidently SWOT & similar tools really work when you break 'em out appropriately (in the midst of chaos, maybe?). And from what these guys tell me, HR is a mess in most big companies; if I can not just catalyse, but teach other people to replicate my success, that's marketable. The interface between a firm & its clients is crucial, but so is the interface between the firm & its employees.
It sounds like one way to keep those corporate accounting and finance skills honed would be to try looking at the financials of a company without knowing its name, and work out what it is.
What do I want in my next job? I should be open to larger orgs, larger than any I've worked with in the past, but I don't want some things I've heard are common in big organizations:
Most touchingly, my old classmate [name] said he's forever remembered my interaction with that executive who came to guest-lecture us, about whether he considers himself a success, and would he do it again. Hearing that answer changed his mind. Before coming into the Master's in Tech Management program, he'd thought, "I want to be a CIO of a big corporation." Afterwards: "I want time for family."
- stifling bureaucracy
- stifling political atmosphere that stops necessary things from being said or asked
- lengthy processes lasting more than 3 months to get rid of an underperformer
# 04 Nov 2014, 01:04PM: .illusion():
Last night one of my Hacker School peers was practicing sleight-of-hand with a card deck, and another peer walked over and said, "Oh, I used to run a magic tricks website."
I waited with bated breath for the punchline. None came! So I had to make some up.
I used to run a magic tricks website, but it disappeared.
I used to run a magic tricks website; I wrote it in Haspell.
I used to run a magic tricks website; it ran RabbitMQ.
I used to run a magic tricks website; I used SQLAlchemy. (predicated on the false memory that SQLAlchemy's logo is a tophat and cane)
I used to run a magic tricks address book application; pick a .vcard format, any .vcard format!
I used to run a magic tricks website; this is my lovely helper function.
But I felt stymied. When I think of magic tricks, I think of visuals and descriptions, not easy-to-pun jargon. And I couldn't think of any puns on the names of GOB Bluth, Penn and Teller, David Copperfield, or Criss Angel/Mindfreak.
And then Cerek Hillen came up with: "I used to run a magic tricks website; I wrote it in Brainfreak." And I thought: yes. It is done.
# 04 Nov 2014, 11:49AM: Vestiges:
I know some Russian, some French, and some Kannada, and every once in a while, my vocabulary fractures and I say a word from some other language. "Nodu" is Kannada for "look" (imperative second-person), and to this day, if I want to point something out to an interlocutor, I'll find myself saying "Nodu." (By now I think Leonard's learned that bit of Kannada through repetition and pattern-matching.)
I know some Python, some Bash, and some Scheme, and every once in a while, as I typetypetype in a Python file in emacs, I'll find myself wanting to
car to get the first element from a list, or wanting to pipe (
|) the output of one function into another.
: Hacker School
# (1) 31 Oct 2014, 04:59PM: A Few Intermediate Git Tips:
Today I led an intermediate Git workshop at Hacker School, with occasional help from more experienced Git users. We covered:
- cherry-picking versus merging a commit from one branch to another
git blame [filename] to see who last touched a line
git log --full-diff -p [filename] to view full diffs, and a few cool things to put in your
.gitconfig to better view your log, e.g., aliasing something to
log --oneline --graph --all --decorate -30
- better search with
git grep, and file listing with
git ls-files, to only look at the files in your repository (thus ignoring files mentioned in your
git add -p to make your commits cleaner and improve your pull requests (with thanks to this blog post by Allison Kaptur)
git rebase -i to rewrite history in your branches and thus also improve your pull requests
- shallow cloning with
git clone --depth 1 (demonstrating that it is faster and takes less disk space, but this took a few tries, since Git is so efficient at storing past revisions that the effect barely registers for small, young repositories)
git reset and the differences among default,
- ways to talk about history and what
git rev-parse does under the hood (and thus
HEAD^2 and parents and ancestors and whatnot)
Only afterwards did I see this super useful explanation of the Git model which articulates what's actually doing what.
As we were discussing rebase, I said I didn't yet feel smart enough to do non-interactive rebases. My peer Connor frowned at that. I sought a replacement word. Skilled? Experienced? Audacious? Confident? Maybe that last one.
I'm also going to play around with the
gitk GUI tool, maybe with
git bisect. And I heard a brilliant suggestion: when you're about to do something in Git that feels scary, in terms of rebasing or resetting or whatnot, clone your repo and try out your idea on the clone!
: Hacker School
# 27 Oct 2014, 09:00AM: Epithets for Basilisks:
I saw a theatrical showing of an Indian movie the other day. I noticed that the filmmakers had censored a few words and phrases. Most confusingly, when one character (an Indian lawyer in 2012) hyperbolically talked about criminals going free, he referred to some person, someone obviously guilty. But the audio blanked out when he said the person's name, and the subtitles also elided the name as "K***".
I am so underinformed on major Indian criminals that my first thought was "Karna". But I talked with an Indian relative who hypothesized: they're referring to in-and-out-of-prison celebrity Sanjay Dutt -- who was, in 2012, not imprisoned -- by his nickname "Khalnayak" (the eponymous villain in his career-making film), and they're blanking out all but that initial consonant so that they can refer to him in a plausibly deniable way.
I wonder whether I will ever lose my fascination with the encodings we develop to avoid the Eye of Sauron, to refer to Voldemort without saying his name. Right now I'm seeing creativity flourish on Twitter, as people use "gg", "G________", "actually about ethics in ga-", and similar. My own contribution: "g7e".
(You do realize that, if Twitter wanted to, they could make it so no one could search for that one string on their site, or via their API, or use it in a Tweet, and the hashtag wouldn't work. Closed-source service. Platform we don't control.)
# 20 Oct 2014, 06:56AM: Hacker School Miscellanea:
Found in an email I sent a few years ago: "I'm freaking 30 now, so I have decided to be Mature, stop feeling bad that I don't learn stuff well on my own, and take classes that play to my predilection towards collaborative structure." As it turns out, I think "don't learn stuff well on my own" was an oversimplification; approximately no one truly learns on their own, after all; I needed a more synchronous community rather than a purely asynchronous one.
Found in an old blog draft that I will never turn into a proper post:
context manager - "
with x as y" (especially for files)
modules that are often useful -
requests, os, sys, time, datetime, codecs, unittest
git add -p
What it looks like to merge a pull request
Written? Kitten!'s code uses localStorage
Laura Lindzey blogs about whether she'd do Hacker School again; her answer is that she would not, though she loved it, because "Programming is no longer the thing I struggle most with." I smiled at the very last item on her list of things she particularly wants to learn about right now, because I'm genuinely comfortable with my skills in that area and that's one reason I can take a break from it to be at Hacker School.
My batchmate Alyssa Carter has the best About page I have seen in eons.
I got stuck on the sixth of the Matasano crypto challenges last week. I'm going to take another look at it this week now that I've cried a bit, gotten a new perspective from Alex Clemmer, and spent the weekend in Rhode Island at a friend's wedding reception. Gosh those trees are pretty right now, perfectly autumnal. I'm also eyeing Natas which is more directly the type of serverside web security game that piques my interest. All this on top of the main thing I'm doing during Hacker School this go-round, webdev play.
: Hacker School
# 17 Oct 2014, 10:13PM: The Thing You Garden:
What are you making? And what are you metamaking? That is, what are you doing to, directly or indirectly, help other people create good things?
I keep thinking about Growstuff, my friend Alex "Skud" Bayley's startup and open data platform for food gardeners (interview). Skud has taught me a lot about open source communities and pitfalls and public collaboration over the past several years, not to mention the geek feminism work she's done.
This past summer I played Skud a bit and mentored Frances. She was already a better coder than me; I helped her grow as an engineer, as a Wikimedian, and as an open source contributor.
Now Skud is asking for AUD$20,000 to massively improve Growstuff's API, and if she gets that money, she can hire Frances to do the work.
I'm so proud that I've helped till some soil and plant some seeds, to make it possible for an open source, open data project to empower even more people. But we only have four days left in the campaign and we haven't even reached AUD$6,000 yet.
You might worry that Growstuff is just yet another vaporware project. Don't. Growstuff works. Federico Mena-Quintero, one of the founders of GNOME (one of the biggest open source projects in history), wrote this month:
Watch the video (below) or read the Growstuff blog to see why it's uniquely important to support. And please donate, for the garden we share.
Skud started coding Growstuff from
scratch. I had never seen a project start from
zero-lines-of-code, and be run in an agile fashion, for
absolutely everything, and I must say:
I am very impressed!
Every single feature runs through the same process:
definition of a story, pair programming, integration.
Newbies are encouraged to participate. They pair up
with a more experienced developer, and they get
They did that even for the very basic skeleton of the
web site: in the beginning there were stories for "the
web site should display a footer with links to About and
the FAQ", and "the web site should have a login form".
I used to think that in order to have a
collaboratively-developed project, one had to start with
at least a basic skeleton, or a working prototype
— Growstuff proved me wrong. By having a
friendly, mentoring environment with a well-defined
process, you can start from zero-lines-of-code and get
excellent results quickly. The site has been fully
operational for a couple of years now, and it is a
great place to be.
is about the friendliest project I have seen.
# 13 Oct 2014, 08:56AM: Lee Iacocca and Malcolm X:
I read Malcolm X's autobiography at about twelve and Lee Iacocca's autobiography at around eight. (You know how it is with childhood; you read what's around you.) This past weekend I dipped back into the X, and realized something they have in common: both of them get fired from the number two jobs at their respective organizations.
In their stories, as they tell them:
X converts to Islam in prison and from that point onwards devotes his total loyalty to the Nation of Islam. Iacocca starts working for the Ford Motor Company right after getting his degree. Both rise through the ranks till they're reporting directly to the heads of their orgs, and they live and breathe their orgs' missions.
And then something goes rotten. The top guy in each org is insecure, flawed, can't deal with having such a charismatic, effective, headline-grabbing guy as his direct subordinate. So he gives our protagonist the runaround, then fires him. And our protagonist undergoes the most severe emotional and even physical confusion of his life, reeling from the betrayal.
What next? After Ford fires him, Iacocca goes on to head bankruptcy-bound Chrysler and help turn it around. X founds new organizations, takes the hajj, changes his views. (And assassins kill him a year later.)
Of course Iacocca's and X's self-serving biases skew these narratives. But I still got something interesting out of this repetition, I think, related to what I got out of John Morearty's mentorship -- a belief that, contrary to that old quote, there can be second acts in American lives. That you might rise and fall and rise again.
And that you should be hesitant to love anything that can't love you back -- and institutions can't love you back.
# (3) 11 Oct 2014, 10:58AM: Recent Reading Responses:
Data & Society (which I persist in thinking of as "that New York City think tank that danah boyd is in" in case you want a glimpse of the social graph inside my head) has just published a few papers. I picked up "Understanding Fair Labor Practices in a Networked Age" which summarized many things well. A point that struck me, in its discussion of Uber and of relational labor:
The importance of selling oneself is a key aspect of this kind of piecemeal or contract work, particular because of the large power differential between management and workers and because of the perceived disposability of workers. In order to be considered for future jobs, workers must maintain their high ratings and receive generally positive reviews or they may be booted from the system.
In this description I recognize dynamics that play out, though less
compactly, among knowledge workers in my corner of tech.
This pressure to perform relational labor, plus the sexist expectation
that women always be "friendly" and never "abrasive" (including online), further silences women's ability to publicly organize around grievances. Those expectations additionally put us in an authenticity bind, since these circumstances demand a public persona that never speaks critically -- inherently inauthentic. Since genuine warmth, and therefore influence, largely derive from authenticity, this impairs our growth as leaders. And here's another pathway that gets blocked off: since since criticizing other people/institutions raises the status of the speaker, these expectations also remove a means for us to gain status.
Speaking of softening abrasive messages, I kept nodding as I read Jocelyn Goldfein's guide to asking for a raise if you're a knowledge worker (especially an engineer) at a company big enough to have compensation bands and levels. I especially liked how she articulated the dilemma of seeking more money -- and perhaps more power -- in a place where ambition is a dirty word (personally I do not consider ambition a dirty word; thank you Dr. Anna Fels), and the same scripts she offers for softening your manager's emotional reaction to bargaining.
I also kept nodding as I read "Rules for Radicals and Developer Marketing" by Rachel Chalmers. Of course she says a number of things that sound like really good advice and that I should take, and she made me want to go read Alinsky and spend more time with Beautiful Trouble, but she also mentions an attitude I share (mutatis mutandis, namely, I've only been working in tech since ~1998):
I've been in the industry 20 years. Companies come and go, relationships endure. The people who are in the Valley, a lot of us are lifers and the configurations of the groups that we're allied to shift over time. This is a big part of why I'm really into not lying and being generous: because I want to continue working with awesome, smart people, and I don't want to burn them just because they happen to be working for a competitor right now. In 10 years' time, who knows?
Relationships, both within the Valley and with your customer, are impossible to fake, and is really the only social capital you have left when you die.
No segue here! Feel the disruption! (Your incumbent Big Media types are all about smooth experience but with the infernokrusher approach I EXPLODE those old tropes so you can Make Your Own Meaning!)
Mark Guzdial, who thinks constantly about computer science education, mentions, in discussing legitimate peripheral participation:
Newcomers have to be able to participate in a way that's meaningful while working at the edge of the community of practice. Asking the noobs in an open-source project to write the docs or to do user testing is not a form of legitimate peripheral participation because most open source projects don’t care about either of those. The activity is not valued.
This point hit me right between the eyes. I have absolutely been that optimist cheerfully encouraging a newbie to write documentation or write up a user testing report. After reading Guzdial's legitimate critique, I wonder: maybe there are pre-qualifying steps we can take to check whether particular open source projects do genuinely value user testing and/or docs, to see whether we should suggest them to newbies.
Speaking of open source: I frequently recommend Dreaming in Code by Scott Rosenberg. It tells the story of the Chandler open source project as a case study, and uses examples from Chandler's process to explain the software engineering process to readers.
When I read Dreaming in Code several years ago, as the story of Chandler progressed, I noticed how many women popped up as engineers, designers, and managers. Rosenberg addressed my surprise late in the book:
Something very unusual had happened to the Chandler team over time. Not by design but maybe not entirely coincidentally, it had become an open source project largely managed by women. [Mitch] Kapor [a man] was still the 'benevolent dictator for life'... But with Katie Parlante and Lisa Dusseault running the engineering groups, Sheila Mooney in charge of product management, and Mimi Yin as the lead designer, Chandler had what was, in the world of software development, an impressive depth of female leadership.....
...No one at OSAF [Open Source Applications Foundation] whom I asked had ever before worked on a software team with so many women in charge, and nearly everyone felt that this rare situation might have something to do with the overwhelming civility around the office -- the relative rarity of nasty turf wars and rude insult and aggressive ego display. There was conflict, yes, but it was carefully muted. Had Kapor set a different tone for the project that removed common barriers to women advancing? Or had the talented women risen to the top and then created a congenial environment?
Such chicken-egg questions are probably unanswerable....
-Scott Rosenberg, Dreaming in Code: Two Dozen Programmers, Three Years, 4,732 Bugs, and One Quest For Transcendent Software, 2007, Crown. pp. 322-323.
I have a bunch of anecdotal evidence that projects whose discussions stay civil attract and retain women more, but I'd love real statistics on that. And in the seven years since Dreaming in Code I think we haven't amassed enough data points in open source specifically to see whether women-led projects generally feel more civil, which means of course that means here's where I exhort the women reading this to found and lead projects!
(Parenthetically: Women have been noticing sexism in free and open source software for as long as FOSS has existed, and fighting it in organized groups for 15 or more years. Valerie Aurora first published "HOWTO Encourage Women in Linux" in 2002. And we need everyone's help, and you, whatever your gender, have the power to genuinely help. A man cofounded GNOME's Outreach Program for Women, for instance. And I'm grateful to everyone of every gender who gave to the Ada Initiative this year! With your help, we can -- among other things -- amass data to answer Scott Rosenberg's rhetorical questions. ;-) )
: Reading Work
# 08 Oct 2014, 08:01AM: How I made a tidepool: Implementing the Friendly Space Policy for Wikimedia Foundation technical events:
Back when I worked at the Wikimedia Foundation, I used the Ada Initiative's anti-harassment policy as a template and turned it into the Friendly Space Policy covering tech events run by WMF. I offer you this case study because I think reading about the social and logistical work involved might be inspiring and edifying, and to ask you to please donate to the Ada Initiative today.
I was working for Wikimedia Foundation for ~8 months before I broached the topic of a conference anti-harassment policy with the higher-ups - my boss & my boss's boss, both of whom liked the idea and backed me 100%. (I did not actually ask HR, although in retrospect I could have.) My bosses both knew that Not So Great things happen at conferences and they saw why I wanted this. They said they'd have my back if I got any flak.
So I borrowed the Ada Initiative's policy and modified it a little for our needs, and placed my draft on a subpage of my user page on our wiki. Then I briefly announced it to the mailing list where my open source community, MediaWiki, talks. I specifically framed this as not a big deal and something that lots of conferences were doing, and said I wanted to get it in place in time for the hackathon later that month. Approximately everyone in our dev community said "sure" or "could this be even broader?" or "this is a great idea", as you can see in that thread and in the wiki page's history and the talk page.
I usually telecommuted to WMF, but I happened to be in San Francisco in preparation for the hackathon, and was able to speak to colleagues in person. My colleague Dana Isokawa pointed out that the phrasing "Anti-harassment policy" was offputting. I agreed with her that I'd prefer something more positive, and I asked some colleagues for suggestions on renaming it. My colleague Heather Walls suggested "Friendly Space Policy". In a pre-hackathon prep meeting, I mentioned the new policy and asked whether people liked the name "Friendly Space Policy," and everyone liked it.
So I made it an official Policy; I announced it to our developer community and I put it on wikimediafoundation.org.
This might have been the end of it. But a day later, I saw a question from one community member on the more general community-wide mailing list that includes other Wikimedia contributors (editors/uploaders/etc.). That person, who had seen but not commented on the discussion on the wiki or on the developers' list, wanted to slow down adoption and proposed some red tape: a requirement that this policy be passed by a resolution of the Wikimedia Foundation's Board of Trustees (so, basically, the ultimate authority on the topic).
But approximately everyone on the community-wide list also thought the policy was fine -- both volunteers and paid WMF staffers. For instance, one colleague said:
"If a policy makes good sense, we clearly need it, and feedback about the text is mostly positive, then we should adopt it. Rejecting a good idea because of process wonkery is stupid.
Sumana is not declaring that she gets to force arbitrary rules on everyone whenever she wants. She is solving a problem for us."
My boss's boss also defended the policy, as did a member of the Board of Trustees.
"Perhaps you misread the width of this policy. Staff can and generally do set policies affecting WMF-run processes and events."
I didn't even have to respond on-list since all these other guys (yes, nearly all or all guys) did my work for me.
I was so happy to receive deep and wide support, and to help strengthen the legitimacy of this particular kind of governance decision: consensus, including volunteers, led by a particular WMF staffer. And, even though I had only proposed it for a particularly limited set of events (Wikimedia-sponsored face-to-face technical events), the idea spread to other affiliated organizations (such as Wikimedia UK) and offline events (Wikimania, our flagship conference -- thank you, Sarah Stierch, for your work on that!). And the next year, a volunteer led a session at Wikimania to discuss a potential online Friendly Space Policy:
"Explore what elements are essential for you in such a policy and what we can do collectively to adopt such a policy for Wikipedia and other Wikimedia websites."
So perhaps someday, all Wikipedia editors and other Wikimedia contributors will enjoy a safer environment, online as well as offline! I feel warm and joyous that the discussion I launched had, and is having, ripple effects. I felt like I took a gamble, and I looked back to see why it worked. A few reasons:
- The Ada Initiative's template. I cannot imagine writing something that good from scratch. Having that template to customize for our needs made this gamble possible at all.
- I started the discussion in January 2012; I had joined Wikimedia Foundation (part-time) in March 2011. So I had already built up a bunch of community cred and social capital.
- In early 2012, open source citizens saw more and more reports of hostile behavior at conferences; people saw the need for a policy.
- I added "or preferred Creative Commons license" to the big list of attributes (gender, disability, etc.), which gave the document a touch of Wikimedia-specific wit right at the start of the policy.
- I balanced decisiveness and leadership with openness to others' ideas.
- Honestly, I narrowly focused the policy to an area where my opinion carried weight and I held some legitimate authority (both earned and given), phrased my announcement nonchalantly and confidently, and ran the consensus process pretty transparently. I believe it was hard to disagree without looking like a jerk. ;-)
(If you can privately talk with decisionmakers who have have top-down authority to implement a code of conduct, then you can use another unfortunate tool: point to past incidents that feel close, because they happened to your org or to ones like it.)
By implementing our Friendly Space Policy, I created what I think of as a tidepool:
"...places where certain people can sort of rest and vent and collaborate, and ask the questions they feel afraid of asking in public, so they can gain the strength and confidence to go further out, into the invite-only spaces or the very public spaces....spaces where everybody coming in agrees to follow the same rules so it's a place where you feel safer -- these are like tidepools, places where certain kinds of people and certain kinds of behavior can be nurtured and grown so that it’s ready to go out into the wider ocean."
With the help of the Ada Initiative's policy adoption resources, you can make a place like that too -- and if you feel that you don't have top-down authority, perhaps that no one in your community does, then take heart from my story. If you have a few allies, you don't have to change the ocean. You can make a tidepool, and that's a start.
# 07 Oct 2014, 02:00PM: Some Tips On Domain Names And Hosting:
Here are some things I recently learned or re-learned about setting up your own website.
There are a ton of domain name registrars out there and a lot of them are subsidiaries of Tucows. At least one acquaintance of mine uses NameCheap and finds it low-fuss with a reasonable web UI. I decided to try Hover since they have, in the past, sponsored the In Beta podcast. You will often expect to pay about USD$10 per year, though sometimes you get deals (".club" was $5 through Hover when I last checked).
As long as I was futzing with domains, I decided to transfer over an old domain name to Hover. In order to do that, I had to obtain the auth code, a.k.a. EPP (Extensible Provisioning Protocol) code from my old registrar (the "losing" registrar). Sometimes this should be visible in the web UI when you log into the losing registrar's site. Sometimes you'll have to phone in. And then you might get a shock, because registrars evidently think it's totally okay and normal to ask you for your account password in order to authenticate you, and to send the EPP code over plaintext email. Sadface. But at least some vendors, including Hover, offer two-factor auth! And the two-factor auth applications can live on my laptop or some other device, not necessarily my phone (which is good because I haven't yet checked whether there's a 2FA app for MeeGo but I doubt it).
Once you transfer a domain, it takes maybe 24 hours for the change to propagate; after that, the losing registrar has no residual effect on the domain or on DNS (Domain Name System) resolution.
I found Maciej Cegłowski's "The Five Stages of Hosting" helpful. Right now I'm interested in hosting a reasonably simple joke site, and in learning a bit about sysadmin and deployment, so I want to be able to SSH into a standard-ish Linux machine and set up Drupal or WordPress or similar, and I don't expect my site to need to scale. So I will go with a VPS (Virtual Private Server) provider, under the "dorm room" model in Cegłowski's framing. Stan, my Hacker School colleague who let me interview him to learn this stuff, is most familiar with Linode and Digital Ocean.
I am going to act as my own sysadmin for this site, so I'm going for "unmanaged" hosting. Most VPSes offer you "unmanaged" hosting by default, in which you can only ask the provider, e.g. Linode, for help if the problem is their fault (e.g., "hey, I don't seem to have an IP address anymore!"). "Managed" means you have access to a sysadmin but you pay, say, $100 per month (sometimes less). This person performs tasks such as incident response, fixes if the site goes down at 1am, and help switching you to a new database. The point is that it's cheaper than hiring a full-time sysadmin.
Unmanaged VPS services seem to run about USD$5-20 per month, if they're flat rates, as Digital Ocean provides. (Evidently Digital Ocean caused a bit of a price war when they entered the market, so prices are lower now.) If your VPS operates on a utility model, where you pay for the resources your site consumes, then you have to watch out for spikes that run up your bill. Some services will also offer a backup service, either for free or as a paid add-on.
Linode has a good reputation for very fast customer support; they have often responded to support tickets in under five minutes. Digital Ocean also seems pretty quick. And it's helpful to have a big community of other users who can help you figure stuff out. Linode and DigitalOcean have active IRC channels and web fora, and the Linode Library and Digital Ocean's text resources cover a lot. Amazon EC2 has a huge community of existing users.
Hosting providers also compete on security, or at least they should. Several providers offer two-factor auth. One good signal: having a bounty program, where the company welcomes and pays for vulnerability reports (example: GetClouder's beta program). After watching Matthew Garrett's "Freedom, Security, and the Cloud" talk at Open Source Bridge 2014, I understand that a published security policy also sends a strong positive signal. And I hear that Linode is on its way back up after a few black eyes in this area, and has shored up its security. (Also, some people are beginning to use Docker on production sites, partly for convenient environment management, and partly for additional security. But the Docker developers don't really promise you more security, I gather. And I don't quite get what Docker is, yet, and may look into it. It's not really a virtual machine; it's more like a super-intense and very guarded virtualenv; I'm told it's like a chroot jail but I won't understand that till next week or so.)
For various reasons, security being one of them, when you get an unmanaged VPS, you get a "bare bones" Linux box with, say,
vi on it, but not much else. You decide what software you want on that server. And on most VPSes, there's some set of (perhaps community-written) templates, scripts, or recipes for common types of setups you might want, e.g., a simple WordPress blog. These sound a bit like Chef or Puppet to me, but usually aren't. You can activate one of those scripts to run only on the initial boot of the box; you can also write your own, and use includes to nest/point to other scripts. (Since I'm trying to learn a bit of sysadmin, I'll look at those templates, but install the software more manually.) I am not quite clear yet on whether I choose those via the web UI or something more esoteric; maybe it varies per provider.
For some actions you'll need to use the web UI. For instance, once I own my domain name and I have a VPS account and a server set up, I'll need to tell my registrar that my domain's nameservers should point to the hosting provider's nameservers, e.g., ns1.linode.com. And then I'll need to log into the VPS's website and tell them what the IP address of my server is -- evidently there are "zones" and whatnot, but I haven't gotten that far. Stan confessed that he likes Linode's and Digital Ocean's web UIs a lot better than Amazon EC2's.
Speaking of Amazon: I today finally straightened out my understanding of the Amazon hosting services taxonomy!
- Amazon Web Services (AWS): an umbrella term for everything.
- S3 (Simple Storage Service): just for serving static files.
- EC2 (Elastic Compute Cloud): the thing most people are talking about when they mention AWS. It's "elastic" in that you can use software to tell Amazon to bring some more resources online to serve your needs, and you don't need to physically haul plastic and silicon around, but you do need to explicitly manage that elasticity as needs change, as is the case for about all VPSes.
And now I understand more about "elasticity". Heroku et alia (the "Monasteries" as Cegłowski calls them) provide more insta-elasticity, as the provider senses your growing or waning needs and accords you commensurate resources. Many monasteries offer a free tier, but costs can grow rapidly (cost evidently played a part in the RapGenius/Heroku tiff).
(If you just want to run a reasonably simple WordPress/Drupal/similar web app on your site and don't need or want to SSH in, there exist hosts like Dreamhost; one Dreamhost plan offers you FTP plus a web UI. For another variation, you could do what my friend Skud does, and use Dreamhost VPS to get SSH and, say,
cron, but not root or
sudo. That's a decent compromise for Skud; they can use it for their personal stuff (mostly WordPress and MediaWiki), set cronjobs for backups, write scripts, and generally poke around in the file system, but they can't install stuff or configure major services, since one must set up new user accounts, mailing lists, or web hosts via a web UI config panel.)
So, next step: choosing a provider, spinning up a server, loading it up, and pointing my new domain name at it!
Thanks to Stan Schwertly, a fellow Hacker Schooler, for talking me through a bunch of the hosting stuff! All errors and oversimplifications are my own.
: Hacker School
# 04 Oct 2014, 11:23PM: Kronda Adair and Self-Determination:
Ada Initiative's interview with Kronda Adair reminded me:
I meet lots of people at conferences, and then have a hard time recollecting nearly all their names and faces, even if we've had long, interesting conversations. So, at a recent Open Source Bridge, I stuck my hand out and said "nice to meet you," and Kronda Adair said something like, "Oh we met last year! We had a long talk and you told me to quit my job."
"Oh it's okay, they fired me. But it's totally fine, you were right."
(Or something similar.) Adair went on to start her own business, speak and write about why you should "Stop Crying in the Bathroom and Start Your Own Business", and say,
"There's not a lot of narrative in the tech industry about being able to directly use your skills to benefit people without the overhead of trying to get biased hiring managers to give you a job, or dealing with sexism, racism, homophobia or transphobia on a daily basis. I wanted to model that and show people that it's possible because it's the way that I see myself being able to stay in the industry long term without sacrificing my emotional health."
In order to exercise the four freedoms that F/LOSS guarantees us, we also need economic freedom and nurturing environments. Adair and I have both benefited from the Ada Initiative's work in those areas, and so I'll remind you that you can help: donate now. Thanks.