I’ve done a ton of consulting as part of my work at Petabridge over the past 10 years and I run into developer onboarding problems constantly with new clients. It takes much longer than it should to clone a customer’s application from source control and successfully run it.

Continuous deployment and continuous integration (CI/CD) get a ton of attention in the DevOps space, but improving the “first run” experience for onboarding new team members is rarely mentioned in these spaces. A strong “first run” experience just as important and an essential ingredient to good CI/CD outcomes.

Bad “First Run” Experiences

If your “first run” experience is agonizing, this means your local development feedback loop is broken too even for experienced members of your team.

For instance, if I want to make a SQL schema change and test it, how easy is it for me to:

1. Actually do that, in a local environment;
2. Revert that change / change it again if I’m unhappy with it; and
3. Verify that my change was safe or otherwise acceptable?

If your applications’ first run experience is any more complicated than git clone && run¹ then you have room to improve.

Read More

We were getting ready to redesign and simplify phobos.petabridge.com - our Akka.NET observability platform documentation site. The plan was to remove a bunch of old pages, restructure the information architecture, and redirect everything properly so we wouldn’t break any inbound links from Google, Stack Overflow, or the blog posts referencing our documentation.

The problem: how do we know we’re not blowing up external links during this restructuring? We needed full, measurable, observable control over the sitemap as we made changes. Every redirect had to work. Every removed page needed a destination. One broken link could cost us traffic and credibility. At its core, this is a continuous integration problem.

So I built LinkValidator - a CLI tool to validate all internal and external links in our statically generated sites during CI/CD on Azure DevOps and GitHub Actions.

The goal: fail the build if we break anything. Crawl the site, validate every link, and catch problems before they reach production.

Then I hit an immediate problem.

Our documentation has links to localhost resources - Grafana dashboards at http://localhost:3000, Prometheus at http://localhost:9090, Jaeger tracing at http://localhost:16686. These are part of our observability stack demos. They’re 100% correct when someone’s running the demo locally, but they fail validation every time in CI because there’s no Grafana instance running on a GitHub Actions runner.

I needed a way to selectively suppress link validation, and I wanted it to be contextual - right there in the HTML where the “broken” link lives, not buried in some global configuration file that’s completely divorced from the context of the page itself.

Here’s how I built that in C# using HtmlAgilityPack and a little sprinkling of Akka.NET.

Read More

Everyone in tech is convinced that AI will eliminate junior developers first. “Why hire a junior when AI can write code?” they ask. The prevailing wisdom is that entry-level developers are most vulnerable to automation.

They’re dead wrong.

I wrote “The Future of AI Belongs to Experienced Operators with Good Taste” a few months back and that’s still absolutely true. But there’s a massive plot twist most people are missing: AI coding assistants aren’t just productivity tools - they’re the great equalizer.

Junior developers with the right attitude and intentional practice are positioning themselves to outpace expensive, slow senior developers who refuse to adapt. The window is open right now, but it won’t stay open forever.

Read More

“Software supply chain management” is one of those terms that sounds like Venture Capital-funded vendor marketing bullshit right up until it isn’t.

In 2016 the npm left-pad incident taught many of us in the software industry the importance of:

1. The fragility of depending directly on central package management systems, such as npm or nuget.org, hence why artifact proxying tools like JFrog Artifactory became so important; and
2. How centralized package management systems probably need to make stronger security and availability guarantees, such as not allowing hard deletes of packages in the first place.

One of the distinguishing features of nuget.org is they make it very, very hard for authors to delete their packages - only in exceptional cases, such as malware inclusion, will they allow the permanent deletion of packages.

Imagine my surprise yesterday, when I discovered that two of our Akka.NET packages were deleted¹, by Microsoft, without any advanced notice. I only discovered that this was an issue when one of my own Akka.NET applications failed to build on CI/CD due to missing package versions.

I’ll get into the reasons why they did this, but the bottom line is: this is a disturbing precedent that really should never be repeated.

In essence, Microsoft’s adjacent business units abused NuGet to deal with their own security vulnerabilities - getting a level of access that would never be granted to any other publisher on the platform.

Read More

Intro

Over the past year or so we’ve built out a decent-sized test lab environment for Akka.NET and I’ve also personally started a small homelab environment for creating some useful services for my family’s use. Both of these networks use the same components:

• Tailscale for secure...

  Read More

Azure released a major update to some of their VM images last week and it’s caused a number of problems for me:

1. mono support was removed from ubuntu-latest, which caused all of our FAKE v4.0 builds to no longer work¹ for Akka.NET and several of our other mature projects;
2. SignService, our workhorse for Authenticode signing all Petabridge NuGet packages for the past seven years, stopped working suddenly on the Azure App Service we’ve been using.

I have no idea what Microsoft did to kill this service off, but my guess is they finally stopped supporting the ancient version of .NET Framework this was running on starting on April 11th or so:

We had owed a customer an update today and the race was on to find a replacement for SignClient - quickly. We quickly settled upon dotnet/sign - and then the race was on to figure out how to solve the infernal quagmire of Azure Entra / AAD permissions hell in order to access our Azure Key Vault where our signing certificate is stored.

This post explains how to do that.

Read More

I have a lot of respect for Geoffrey Huntley. So when I read his blog posts about AI over the past couple of months: “Dear Student: Yes, AI is here, you’re screwed unless you take action…” and “The future belongs to people who can just do things” among others, I thought to myself - “am I missing something?”

This image of his, in particular, summarizes his take on AI and the impact it’s going to have on the software development industry:

He’s essentially singing the same song that people who sell AI courses do: “if you’re not dropping everything to learn AI right now, you’re going to get left behind!” His conclusion to “The future belongs to people who can just do things” ends thusly:

Ya know that old saying ideas are cheap and execution is everything? Well it’s being flipped on its head by AI. Execution is now cheap. All that matters now is brand, distribution, ideas and [retraining] people who get it. The entire concept of time and delivery pace is different now.

Distribution, brand, et al are important - no doubt. The idea that any LLM, even ones with future capabilities, is a catch-all substitute for experience is laughable.

In a world where typing in the right prompt to a chat window is “all you need” for “execution,” this actually makes idea guys even more commodified and worthless than they already are - and they’re already worthless.

Read More

“You can build it cheap, fast, and good - pick two” is how the saying goes, referring to the inherent trade-offs in software development priorities. It makes intuitive sense but utterly fails in real-world applications. Two simple reasons why this correlation does not hold:

1. Price is not realistically correlated to quality of outcomes and
2. Price isn’t correlated to faster delivery times either.

Price is its own independent quality determined entirely by the buyer’s and seller’s perception of value.

As the Dan Luu article I linked to mentions - it’s fairly difficult even for experts within a given domain to accurately assess the market value of their own services (or someone else’s), hence why price discovery has to be tested continuously¹.

But let’s take a closer look under the covers at the price vs. quality and price vs. speed relationships.

Read More

This week FluentAssertions, a popular open source library designed to make it easier to write assertions during unit testing, changed its license from Apache 2.0 to some commercial terms under the name of a new business entity, Xceed.

The net impact of this is that FluentAssertions now costs $129.95 per seat for commercial use for version 8.0 and later.

Naturally the .NET community was in uproar over this on /r/dotnet and in a few other places, like this comment from the “.NET Eventing Framework” thread which inspired “.NET Developers Begging for Ecosystem Destruction”

In this post we’re going to unpack two things:

1. Impact of the FluentAssertions change and
2. Broader questions about what .NET users would prefer: “re-license or die?”

Read More

As of Monday this week, my company Petabridge turns 10 years old. I’ve been my own boss for longer, but my tenure at Petabridge is nearly 5x my tenure at every other company I’ve founded and at every place I’ve worked.

When you set out on a new venture, rarely do you expect things to go this well or last this long - so I decided to take some time to cobble together 10 lessons that have kept me sane throughout my entire odyssey with Petabridge.

Read More