Welcome to the new week!

If you'd like to know how to avoid event modelling anti-patterns like Property Sourcing, CRUD Sourcing, Clickbait Event and others, check the recording of my talk at KafkaSummit; it is already available!

Watch it here:

I heard that it was both funny and educational, curious if you agree with that!

That’s not all; I gathered all my resources about even-modelling anti-patterns in one place. You'll find both articles and videos there.

• Oskar Dudycz - Event modelling anti-patterns explained

Read also the next thorough article about challenges in Event-Driven Architecture from Mario Bittencourt:

• Mario Bittencourt - Exploring Advanced Error Handling Patterns with Event-Driven Architecture — Part I

Some time ago, Maciej "MJ" Jędrzejewski did a webinar for us about Evolutionary Architecture. I love his pragmatic approach based on his strong experience with real projects.

Now, he decided to spin up a few initiatives. One of them is the newsletter Fractional Architect, in which he shares his experience with software architecture.

The other is his podcast; I’m happy he invited me to talk about Event Sourcing; you can join us live tomorrow, Tuesday, at 7 PM CET:

Going to the news, last week's laudest event was the XZ breach. Probably the biggest Open Source supply chain attack ever. At least from those that were found… Didn’t you hear about that? No worries, I got you covered:

• Evan Boehs - Everything I Know About the XZ Backdoor

• Lasse Collin - XZ Utils backdoor

• Gynvael Coldwind - xz/liblzma: Bash-stage Obfuscation Explained

• Thomas Roccia - XZ Outbreak InphoGraphic

• Andres Freund - backdoor in upstream xz/liblzma leading to ssh server compromise

• Rob Mensching - A Microcosm of the interactions in Open Source projects

What’s a supply chain attack? Per Wikipedia:

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components.

The most known so far was the SolarWinds breach. Read more here. But this one takes it to the next level. This beach was spanning a few years of grooming a single person who was maintaining one of the most popular Linux compression tools, xz. It’s like on this xkcd image:

Many big tools, including Clouds, are standing on the shoulders of tiny giants. Tiny because those are regular, passionate people. Giants because they’re building extraordinary stuff. Yet, they’re exploited by gigantic tinies. You can read the whole coverage; links are showing it from many angles:

• how technically sophisticated was the breach (they were using test blobs that were transformed, decompressed forming an executable during GitHub actions build, allowing to inject malware into source code)

• how long game was the social and managerial part of that,

• response by the OSS maintainer

For me, the saddening thing was the part where the maintainer was clearly burning out and the only offer for help he got from those scammers playing good cop and bad cop…

So the answer is not to drop OSS—that’s not going to happen—but to ensure that the creators of your favourite tools are getting the support to make it sustainable.

Also interesting part is how many similar but uncovered issues we have boiling underneath…

Read also more on the human-to-human histories of skilled jerks in our industry, jerks telling us to return to office

• Brendan Gregg - Brilliant Jerks in Engineering

• Brian Elliott - Return-to-Office Mandates: How to Lose Your Best Performers

Not surprisingly, that’s not ending as they’d like to.

Let’s move on to something positive. I told you earlier that Open Telemetry is finalising the CNCF graduation process; here are a bunch of links showing how useful it is and how different vendors ensure that they’re providing telemetry data. Recently, Elastic did a big boost around it. Read more:

• Elastic - Elastic now providing distributions for OpenTelemetry SDKs

• Steve Gordon, Martijn Laarman - Introducing Elastic's OpenTelemetry SDK for .NET

Check also:

• Chris Patterson - Using Open Telemetry with the MassTransit Test Harness?

• OpenTelemetry - Span Links documentation

I’m planning to soon make telemetry support a first-class citizen in Emmett.

About the positive aspects, I also read a nice story from Brent Ozar with his thoughts on 12 years working in a startup. Unusual case:

• Brent Ozar - How the Company-Startup Thing Worked Out For Me, Year 12

Check also other links!

Cheers

Oskar

p.s. I invite you to join the paid version of Architecture Weekly. It already contains the exclusive Discord channel for subscribers (and my GitHub sponsors), monthly webinars, etc. It is a vibrant space for knowledge sharing. Don’t wait to be a part of it!

p.s.2. Ukraine is still under brutal Russian invasion. A lot of Ukrainian people are hurt, without shelter and need help. You can help in various ways, for instance, directly helping refugees, spreading awareness, and putting pressure on your local government or companies. You can also support Ukraine by donating, e.g. to the Ukraine humanitarian organisation, Ambulances for Ukraine or Red Cross.

Architecture

• Oskar Dudycz - Event modelling anti-patterns explained

• Oliver Wehrens - Why you need a macro architecture

• Mario Bittencourt - Exploring Advanced Error Handling Patterns with Event-Driven Architecture — Part I

• Alessio Ferri, Tom Coggrave - Uncovering the Seams in Mainframes for Incremental Modernisation

DevOps

• Elastic - Elastic now providing distributions for OpenTelemetry SDKs

• OpenTelemetry - Span Links documentation

• The NewStack - Can OpenTofu Become the HTTP of Infrastructure as Code?

Databases

• Sylvain Kerkour - Optimizing SQLite for servers

• ExtendClass - PostgreSQL online playgroun

AWS

• Yan Cui - DynamoDB now supports resource-based policies. But is that a good idea?

Azure

• Microsoft - Announcing Distributed Functions (Preview) for Azure Static Web Apps

Java

• OpenJDK - JEP draft: Module Import Declarations (Preview)

.NET

• Chris Patterson - Using Open Telemetry with the MassTransit Test Harness?

• Steve Gordon, Martijn Laarman - Introducing Elastic's OpenTelemetry SDK for .NET

• Microsoft - Testing Your Native AOT Applications

• Khalid Abuhakmeh - Responsive Images Crash Course for ASP.NET Core Developers

WebAssembly

• Ryan Levick - Deconstructing WebAssembly Components

Coding Life

• Brent Ozar - How the Company-Startup Thing Worked Out For Me, Year 12

• Brendan Gregg - Brilliant Jerks in Engineering

Management

• Brian Elliott - Return-to-Office Mandates: How to Lose Your Best Performers

Security

• Evan Boehs - Everything I Know About the XZ Backdoor

• Lasse Collin - XZ Utils backdoor

• Gynvael Coldwind - xz/liblzma: Bash-stage Obfuscation Explained

• Thomas Roccia - XZ Outbreak InphoGraphic

• Andres Freund - backdoor in upstream xz/liblzma leading to ssh server compromise

• Rob Mensching - A Microcosm of the interactions in Open Source projects