Comment by swatcoder

Comment by swatcoder 10 months ago

25 replies

View on Hacker News

> bold warning text in the Firebase docs.

Unfortunately, we currently have an industry where highly paid "engineers" unironically believe that their job can be done by reading/watching random tutorials, googling for StackOverflow answers, and pasting code from gists.

Attentively reading documentation or developing a mental model of how your tools work so that you know how they are built to be handled does not make it on to any job listing bullet points. It presumably fell off the bottom in favor of team spirit or brand enthusiasm or whatever.

How many tutorials, community answers, and gists do you think conveyed that warning?

ggregoire 10 months ago

Reading/watching random tutorials and asking basic questions on SO __instead of reading the official docs__ is a trend I've observed for the last 10 years. Even for stuff pretty well documented like Python, Postgres, React, etc.

Reply View 14 replies
  • zo1 10 months ago

    Most official documentation is awful, and just an API reference. It's (almost) like asking someone to learn english and then pointing them to a dictionary.

    And that's because a lot of devs think it's perfectly dandy to just put perfunctory docstrings in their methods, point it at whatever "doc generation" tool, wire it up to a github.io domain and call it a day.

    There is a reason people crave, want and seek things like SO and blog-posts. They're packed full of insight, working examples and just plain old "how TF do you use this thing". Oh and of course, the "this problem A didn't work when using setup B and C, and that's because of reasons X,Y,Z. Here, try H,I & K and it'll work.

    Reply View 4 replies
    • yunwal 10 months ago

      > Most official documentation is awful

      This goes doubly so for google cloud documentation. Firebase docs are decent, but if you're a developer who's gotten used to google's documentation style I could see skipping right over it.

      Reply View 1 reply
      • com2kid 10 months ago

        For many years entire sections across multiple pages of firebase's documentation were missing after the site contents had been migrated from one system to another.

        Multiple years of sample code and examples just cut out from the middle of pages.

        When I was building on firebase it took me a long time to reconstruct exactly how certain aspects of the system were supposed to work just because of those missing docs.

        Reply View 0 replies
    • netdevnet 10 months ago

      That's true but people still do it for well documented stuff like Vue, Svelte and the R that shall not be named. Two wrongs that don't make a right

      Reply View 0 replies
    • macintux 10 months ago

      I remember writing a Twitter library when that was a thing, and being severely disappointed at the quality of the API documentation. There seemed to be little choice other than to experiment to see what responses you’d receive (and hope that it wouldn’t change underneath you). Same was often true with some of the GitHub APIs, although it’s been a few years since I’ve spent time with them.

      Reply View 0 replies
  • prilo 10 months ago

    I often wonder how much this can be attributed to the pretty awful SEO of most documentation. I write mostly Python at work and it's infuriating how often GeeksForGeeks, W3Schools, Programiz, or RealPython pop up when I'm just trying to reference like, the arg order of a builtin, or the particular behavior. Django is worse, I often feel like I can't even find the doc when I know it's there and read it before.

    Reply View 7 replies
    • kevin_thibedeau 10 months ago

      Documentation is largely static content. It isn't their job to play SEO games to convince search engines to surface it in the query results. Documentation is not a revenue generator for Google so it gets buried below the sites with Doubleclick ads.

      Reply View 0 replies
    • kchr 10 months ago

      For native documentation, why not just search the official docs at https://docs.python.org/ ?

      I find it to be very discoverable if you are looking for docs about a specific function or module.

      Reply View 0 replies
    • jetbalsa 10 months ago

      This is why I switched to Kagi.com it gives me results that are much more sane for things I'm looking for when it comes to a programming stance

      Reply View 0 replies
    • Vegenoid 10 months ago

      Attempting to find the relevant docs page via search engines is generally not a good way to go, you should go to the documentation and search from there. Bookmark the landing page of the documentation.

      Reply View 0 replies
    • sbotzek 10 months ago

      People have already given many ideas, but if you use DuckDuckGo they have bangs for searching various python docs. Here's a page that lets you search which ones are available: https://duckduckgo.com/bangs

      Reply View 0 replies
    • skykooler 10 months ago

      Also, many pieces of software whose "documentation" is just some examples of its use.

      Reply View 0 replies
    • aden1ne 10 months ago

      Yeah, the official docs for python rarely if ever show up on the first two pages of search unless I do `from: python.org`.

      Reply View 0 replies
  • andreareina 10 months ago

    Google is really good at surfacing random blogs and SO questions instead of the official docs.

    Reply View 0 replies
pphysch 10 months ago

"don't trust the client / validate inputs" is software security 101

Reply View 4 replies
  • dbalatero 10 months ago

    For sure, I think the issue is – at what point in an engineer's development is that fact hammered home? For me it was hanging out with friends and learning fundamentals together, and then even more reinforced in the security course I took in college. For others, they might skip that elective in school (or their bootcamp will gloss over it), and they learn it the hard way later on the job?

    That said, ideally code review/peer review/design review would catch things like this. If this was a feature implemented by an engineer that wouldn't know any better, they should have at least some help from others around them.

    Reply View 2 replies
    • Vegenoid 10 months ago

      The issue is not about supporting engineers, this isn’t a pile-on to some poor engineer. It’s about choosing secure software, and avoiding software (particularly critical and vulnerable software like a web browser) from orgs that have built severe vulnerabilities into their software by incorrectly implementing something foundational to computer security.

      There are many smart engineers who I would not trust to build my web browser because they lack the domain knowledge to do so. That’s not a slight on them. But if a company hired those people to make a web browser, I wouldn’t trust that org’s software.

      Reply View 1 reply
      • DecoySalamander 10 months ago

        This wasn't really a problem that required domain-specific knowledge to get right. Whoever designed an API that allows the client to bypass auth like that can't be trusted to design software that takes user input. At least not without some additional training that was missed along the way.

        Reply View 0 replies
  • netdevnet 10 months ago

    It points to a deeper issue in the Browser Company imo. Clearly, an inexperienced dev wrote that api, a senior approved the PR and no one in the wider team picked it up. And that's a team building the fundamental unit of your digital experience. If they failed at something this basic, I would be terrified to know what else they are missing in terms of security

    Reply View 0 replies
JohnMakin 10 months ago

This may or may not be fair, but in my view, the type of person that would opt for a firebase solution is probably the type of person most vulnerable to foot guns.

Reply View 0 replies
jahewson 10 months ago

Sadly true, but Firestore has a security rules emulator and encourages you to write unit tests for it! There's just so many levels of "ignored all reasonable practices" here. Where's the code review? Where's the security/privacy audit?

Reply View 0 replies
netdevnet 10 months ago

I am glad to put engineers in quotes because many people here and elsewhere will use that word with a straight face while also believing that you can call yourself that while learning your job from watching youtube vids and pasting code you don't understand. We need to stop using the word "engineer" for "software developer".

I shall watch the downvotes come from these so called "engineers".

Reply View 0 replies
725686 10 months ago

Nah, just ask ChatGPT.

Reply View 1 reply
  • firewolf34 10 months ago

    ChatGPT would have probably parrotted the bold text. It is always super concerned about risks.

    Reply View 0 replies