• Prime Mover (unregistered)

    Apropos of, er, nothing in particular, does anyone know if there is any truth in the rumour that companies have started "onshoring" their development processes?

  • A. Glez. B. (unregistered)

    "we do a test: if the entry isn't a dicetory, and the name of the entry is the file we want to launch, we'll do all the magic of launching the executable"

    I knew magic would be involved the moment I read "dicetory" . ;)

  • (nodebb)
    pb.directory(new File(System.getProperty("censored")));

    A system property that's not family friendly?

    Addendum 2021-10-05 07:28: The easy reader version reflects my thoughts too. Clearly they do checks to make sure the zip comes from a trusted source... surely?

  • (nodebb)

    Even worse, if the current working directory isn't the directory named in top, the program won't be run anyway, since the code tries to run the file named in the parameter to the function rather than the file which was created by the extraction process.

    (And I suspect that if ever they succeed in setting the "case sensitive" flag on the NTFS file system (yes, that's a thing), the code will explode in entertaining ways, since it does a case insensitive compare of the strings, then uses the requested name rather than the found name to run the program.)

    Addendum 2021-10-05 08:00: Oops. Yes, I know that if top names a directory that's on the PATH, it will work.

  • Anon (unregistered)

    This looks like the unholy matrimony of coding by copy/paste and fiddling without understanding until it works with the (one) test file.

  • my name is missing (unregistered)

If the penalty was $10K per minute, how much did the programmer get paid to write this monstrosity?

  • (nodebb)

    "Of course, that doesn't matter, because as the comment explains: this doesn't actually work on Linux. They actually shell out to cmd to run it, the Windows shell."

I have seen more Linux executables named cmd than I care to count to address exactly this situation. They have ranged in quality from crap to some pretty decent emulators of the actual cmd.exe

  • Burner (unregistered)

    Job security code? "I'll be employed for decades trying to fix this."

  • BeeKay (unregistered)

    If this fails, then at $10,000 per minute the poor person assigned to fix this has a STRONG incentive to NOT run the test suite until after deploying it. (What’s that you say? “What’s a test suite?”)

  • Jay (unregistered)

    I'm not too familiar with programmatically working with zip files, but the first block of code is just a misplaced end-brace. It only works because the case it was supposed to handle either never comes up in production or they already know to work around it.

  • (nodebb)

    How much top grade brick oven pizza can be bought for $10,000?

  • planB (unregistered) in reply to Jay

    		entry = zipIn.getNextEntry()

    should be:

    			entry = zipIn.getNextEntry()

    so more a typo than a WTF

  • planB (unregistered) in reply to planB

hmm, markup error, but you get the idea

  • Richard Brantley (unregistered)

    "...does anyone know if there is any truth in the rumour that companies have started "onshoring" their development processes?"

I can't speak for the industry, but the company I work at now ran for many years without any internal IT at all. They developed web sites for customers using a third party CMS, but they off-shored all that work, and even worse, they had no internal supervision to verify that the code was of any quality. The dev team just shotgunned their solutions until they found one that worked, but left all the detritus of their failed attempts in the code as well.

    I was hired as part of a team to manage this process and it soon became apparent that the off-shore team was not going to improve their work or their processes anytime soon. We couldn't even get them to document any of their build and deploy processes which were all done by hand.

    Within a year, we'd terminated all our contracts and were doing all the work in house. It was cheaper to pay two or three developers competitive US wages than it was to pay a team of 12-15 off-shore developers.

    I don't want to sound like I'm denigrating all off-shore devs; but my experience in the last 10 or so years is that the really good programmers in their teams get promoted out of teams that go cheap enough to be attractive to companies off-shoring work in the first place. You get what you pay for.

    I'd also say that most management in the US does not truly appreciate the challenges that cultural differences creates in communicating with and managing a host of developers in another country.

  • DanK (unregistered)

    I’ve seen similar quality code from onshore developers. The location of the engineer is rarely the issue.

    I think offshore developers get a bad reputation because agencies are really good at assigning incompetent engineers to incompetent organizations and keeping the competent ones for competent organizations. The result, of course, is that you cannot build a competent offshore team without a competent onshore team first.

  • Sword of Damocles (unregistered)

    Getting into a $10,000/minute penalty situation without any stability and QA sounds like a horrific idea, both for the entity requiring it and for the entity providing it. The entity requiring it will be let down whether or not there's a penalty, unless the money actually offsets all costs. The entity providing it without a solid QA process is setting themselves up for instant obliteration, as the pressure on the disorganized programmers would be horrendous and the cost of a 4 hour outage would be in the millions. The only thing I can assume is that a few $million isn't a big deal to either company involved.

    Reminds me of a certain event in the news that was estimated to cost $164,000 per minute and lasted for 5 hours and 38 minutes, but in that case the devops were world class.

  • (nodebb)

    I wonder how much everything would break if the zip file contains more than one file named fileToLaunch.

  • akozakie (unregistered)

    This is... mesmerizing. I love how none of the issues would be remarkable alone - these are innocent errors (like next outside loop) or junior-level bad ideas. Any kind of code review with any remotely decent programmer would catch most or all of them. Yet together they form a whole far more unholy than the parts. A statue to the utter lack of a decent process and quality standards.

    Seeing something like that in a hobby project would be funny - or just a sign of a novice programmer-to-be starting with a project too ambitious for current skill (which might actually lead to good progress). Seeing this in testing would be slightly worrying. In production - alarming. In production for 4 years in a business-critical application? ...run.

  • ZZartin (unregistered)

    Getting into a $10,000/minute penalty situation without any stability and QA sounds like a horrific idea, both for the entity requiring it and for the entity providing it.

    No no, that's the penalty for being offline, stuck in an infinite loop is fine.

  • Rob (unregistered)

    Some more improvements that definitely need to happen:

    1. Use ZipFile (https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/util/zip/ZipFile.html). No need to loop through the entire ZIP file manually.

    2. Read "When Runtime.exec() won't" (https://www.infoworld.com/article/2071275/when-runtime-exec---won-t.html). Even though they use ProcessBuilder, the stderr stream is still ignored, and the stdout stream is only partially read. That can lead to deadlocks, I've actively seen those happen.

    3. Use newFile.deleteOnExit() as soon as it's created. That way, even if an exception occurs, at least the file is deleted when the JVM is closed.

  • Sole Purpose Of Visit (unregistered) in reply to Sword of Damocles

    I'm actually interested to learn what sort of theoretical company might legitimately lose $10K per minute of downtime. And I say this as an ex-member of (insert world wide credit card company here) high-volume processing. Twenty years ago, but still.

    I'm of the opinion that this was not so much a cost requirement as a punishment mechanism for the supplier when they got things wrong. And apparently it didn't work very well.

    I'm also tempted to blame Java, but that isn't really fair. It's not so much Java itself (a language that imho should be retired, gracefully) as the cohort of programmers who have been using the language since version 2 or so. The latest version has great, up to date, features and libraries. But what generally gets used is ancient, bugly, crud.

    Also, what's with this directory-based zip file cretinism? Use JSON. Or mebbe Ant. Or even XML. Any neutral format with convenient libraries for persistence/rehydration. That way you really, seriously, don't care about the directory structure of the target machine -- you just wrap everything into a neutral hierarchical structure.

    And I feel I've only scratched about 5% of the utter stupidity here.

  • Sole Purpose Of Visit (unregistered)

    Incidentally, if this monstrosity didn't break in four years of production (we are not told how often the $10K per minute penalty was invoked), why is it a WTF at all?

    I mean, presumably the stupid thing contributes nothing at all to the bottom line, to the pipeline, or to any imaginable benefit to the company. Because, if it did, surely somebody would have noticed in four years or so?

  • Hmmm (unregistered) in reply to Dragnslcr

Interesting. Let's assume the nextEntry() were inside the loop. My first thought was, "well, it's not going into any subdirectories, so there's no risk", but then I realized that it would be possible to make a zip file "manually" with multiple entries with the same filename.

    Nevertheless, there's a break at the end of the 'if' scope, so it would just process the first one it found.

  • (nodebb) in reply to Sole Purpose Of Visit

    surely somebody would have noticed in four years or so?

    You sunny-natured optimist.

  • Officer Johnny Holzkopf (unregistered) in reply to Dragnslcr

Old people also know how to create "recursive ZIP files", suited for "I know better than the proper language-provided library I should be using" types of developers. Extracting something and then running something without any reasonable verification looks like an opportunity for a supply chain attack. Or if the penalty fee cannot be compensated by insurance or just by raising the price for the company's customers, then simply taking the whole thing down for a while should be fine.
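
    The three threads above (Rob's list of fixes: ZipFile instead of a getNextEntry() loop, fully drained process streams, early deleteOnExit(); the question of what happens when the archive holds two entries with the same name; and Officer Johnny Holzkopf's point that extract-then-run without verification is a supply chain attack waiting to happen) can be put together in one hardened extract-and-launch routine. The following is an added example written for this page, not code from the article or its anonymous author. It assumes Java 11 or later; the archive contents, the entry names and the pinned digest are constructed inside main() for the demo (a real deployment gets the digest out of band), and the launch of the JVM's own `java -version` is a portable stand-in for running the extracted program, because the demo archive deliberately contains no executable.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.util.*;
import java.util.concurrent.TimeUnit;
import java.util.zip.*;

public class VerifiedUnzipLaunch {

    /** Lower-case hex SHA-256 of a byte array. */
    static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(data)) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /**
     * Extract exactly one named entry. Refuses archives that carry the same name twice,
     * names that resolve outside destDir ("zip slip"), and content whose SHA-256 differs
     * from the pinned digest. Uses ZipFile's random access instead of a getNextEntry() loop,
     * compares names exactly (no case folding) and writes the entry the archive actually
     * contains rather than trusting the caller-supplied string.
     */
    static Path extractVerified(Path zip, String entryName, String expectedSha256Hex, Path destDir)
            throws IOException, NoSuchAlgorithmException {
        Path root = destDir.toAbsolutePath().normalize();
        try (ZipFile zf = new ZipFile(zip.toFile())) {
            Set<String> seen = new HashSet<>();
            ZipEntry match = null;
            Enumeration<? extends ZipEntry> en = zf.entries();
            while (en.hasMoreElements()) {
                ZipEntry e = en.nextElement();
                if (!seen.add(e.getName())) throw new IOException("duplicate entry name: " + e.getName());
                if (!e.isDirectory() && e.getName().equals(entryName)) match = e;
            }
            if (match == null) throw new IOException("entry not found: " + entryName);

            Path target = root.resolve(match.getName()).normalize();
            if (!target.startsWith(root)) throw new IOException("entry escapes destination: " + match.getName());

            byte[] content;
            try (InputStream in = zf.getInputStream(match)) { content = in.readAllBytes(); }
            byte[] actual = sha256Hex(content).getBytes(StandardCharsets.US_ASCII);
            byte[] expected = expectedSha256Hex.toLowerCase().getBytes(StandardCharsets.US_ASCII);
            if (!MessageDigest.isEqual(actual, expected)) throw new IOException("digest mismatch for " + entryName);

            Files.createDirectories(target.getParent());
            Files.write(target, content);
            target.toFile().deleteOnExit();   // registered immediately, so a later failure still cleans up
            return target;
        }
    }

    /**
     * Run a child with stderr merged into stdout and the combined stream drained to EOF before
     * waiting, so a chatty child cannot fill the pipe buffer and deadlock against the parent.
     */
    static String runCapturing(List<String> command, Path workDir, long timeoutSeconds)
            throws IOException, InterruptedException {
        Process p = new ProcessBuilder(command).directory(workDir.toFile()).redirectErrorStream(true).start();
        byte[] output;
        try (InputStream in = p.getInputStream()) { output = in.readAllBytes(); } // returns when the child closes stdout
        if (!p.waitFor(timeoutSeconds, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            throw new IOException("timed out: " + command);
        }
        if (p.exitValue() != 0) throw new IOException("exit " + p.exitValue() + ": " + command);
        return new String(output, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample archive for the demo (not from the article): a harmless text payload
        // plus a traversal entry of the kind a hostile bundle would carry.
        Path work = Files.createTempDirectory("unzipdemo");
        Path zip = work.resolve("bundle.zip");
        byte[] payload = "hello from the archive\n".getBytes(StandardCharsets.UTF_8);
        try (ZipOutputStream zos = new ZipOutputStream(Files.newOutputStream(zip))) {
            for (String name : List.of("tools/payload.txt", "../escape.txt")) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write(payload);
                zos.closeEntry();
            }
        }
        String pinned = sha256Hex(payload);   // in real use this digest is shipped out of band, not computed here

        Path extracted = extractVerified(zip, "tools/payload.txt", pinned, work.resolve("out"));
        System.out.println("extracted " + extracted);
        try {
            extractVerified(zip, "../escape.txt", pinned, work.resolve("out"));
        } catch (IOException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }

        // Stand-in for launching the extracted program: run this JVM's own binary so the example
        // is portable. The draining pattern is identical for the real executable.
        Path javaBin = Path.of(System.getProperty("java.home"), "bin", "java");
        System.out.print(runCapturing(List.of(javaBin.toString(), "-version"), work, 30));
    }
}
```

    Note that the duplicate-name check rejects the whole archive rather than taking "the first one found": with two entries of the same name there is no way to tell from the archive alone which one the publisher meant, and a digest pinned out of band is the only thing that makes extract-then-run defensible at all.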

  • (nodebb) in reply to A. Glez. B.

    "Dicetory" seems like a good name when luck plays a role in finding the correct location.
