
Types of codebases my customers send me:

- Enterprise javabean factory factory... on a SIM card

- C# programmer retasked to write an authenticated bootloader in C for an arm platform with no training

- Beautiful well-written, easy-to-read C by an experienced systems programmer, with one mind-blowing 100-out-of-100-risk-severity bug buried in miscutils.c

- There is a hermit monk in a cave in Czechia. Once every three years, he emerges with a new revision of the codebase. It is horrifying spaghetti logic that repulses the human soul, but no matter how long and how hard you look, you can't actually find anything wrong with it

@0xabad1dea Hey! Number 2 almost describes me!
(C# Backend/JS Frontend to Microprocessor C for an IoT device)

@0xabad1dea how long before you add vibecoded projects to the list?

@val people who vibecode don’t pay for risk and compliance services

@0xabad1dea Why Czechia? Sounds oddly specific, compared with the first three options. 🙂

@kalvotom the Czech cave monk is definitely a specific real person.

@0xabad1dea That Czech guy reminds me of Daniel J Bernstein back in the day... Qmail was... quite the piece of work...

@0xabad1dea Just wait for the next delivery from the Czechia guy, now that he has access to ChatGPT.

@doragasu @0xabad1dea

Or just wait for ChatGPT to get access to the guy from Czechia's code. Then everyone will be delivering incomprehensible code with random bugs added.

And you thought "enshittification" was bad...

@0xabad1dea We just get sent labyrinthine Excel spreadsheets with thousands of macros that somehow contain the customer's entire business logic.

Then we painstakingly break it down and have to inform them 'you *do* know you're selling these items for half your wholesale cost don't you?'

@tony which items? are they nintendos? just asking

@0xabad1dea another fun one: aspect orientated hell. my least favourite kind of codebase to assess.

@0xabad1dea the first one reminds me of the government e-signatures here. they are either a USB device similar to a yubikey or a smart card of various form factors – there are ones that are the size of a SIM card! They run CardOS which I believe is written in java, at least the drivers for it are written in java. yes cross-platform device drivers written in java that is built for windows since vista, Pardus, or ancient versions of Ubuntu

@sanana I thought cardOS was its own thing, but yeah there definitely are "JavaOS" smartcards too (even the Yubikey Neo is a JavaOS smartcard, technically), and then there are literally SIMs with "SIM Toolkit" apps written also in Java... around here it's common to have a regular SIM in your phone with a digital signature app embedded

@grawity @sanana there is no well known thing named javaOS or cardOS. There are javacard virtual machines from several manufacturers including Thales and NXP. They all have the same API which is just a java lib. These are very simple, no multitasking, just a java class with a callback executed when the card receives a command. Most only know byte, short, and references to non volatile objects. There can be several apps, but these are excessively isolated and only one is active at a given time.

@grawity @sanana yubikey, openpgp card, your visa/mastercard/emv bank card, your biometric passport, most of government ID cards and "smart" driving license are based on javacard.

The only alternative is MultOS, they claim some large markets but I don't think they're getting many new large customers.

SIM toolkit is nothing more than an API package for javacard.

Javacard are very annoying to program. 50% of the code are casts of unsigned bytes to java shorts lmao.

@grawity @sanana javacard platforms are usually Common Criteria certified which means that the provider paid very big bucks to make sure that the VM can only execute code that was intended. cards have bytecode verifiers and many countermeasures, which affects performance. Bugs are very few, and most often in "sim card" JCVMs, never heard of compromises on bank intended cards in the last 15 years.

@0xabad1dea As someone who identifies with the hermit monk I would suggest that maybe you should update your definition of spaghetti code. I have seen too many people balk at perfectly fine stuff like 500+ line functions with 5 nested for loops and no alignment of anything beyond standard indentation.

@NohatCoder @0xabad1dea I can think of a handful of times where a 500 line function having 5 nested loops really was the best representation of the logic, typically implementing something from a specification.
I can think of many more times when automated "code quality" tools and methodology proponents turned what could've been a 25-line state machine into 500 lines of low-density boilerplate.

@marshray @0xabad1dea Of course we don't know exactly what type of code the monk has written, I have just observed that when people say "spaghetti code" they often refer to surface level qualities that don't actually have all that much impact on readability. I'm not saying that code is necessarily good because there is a 500 line function, I'm just saying that it is the wrong parameter to make that judgement on.

@NohatCoder @0xabad1dea My recollection of the term ‘spaghetti code’ is that it referred to excessive use of non-structured control flow, literally in Dijkstra’s “goto considered harmful” sense.

@marshray @0xabad1dea Yeah, but nowadays people call anything they don't like "spaghetti code".

@NohatCoder @marshray I am literally a world-class expert in reading other people's code. I have read more code by more other people who are not me than 99.9% of programmers, this is my entire job. I was talking about code that is a huge heaping plate of spaghetti with tomato sauce and parmesan.

@0xabad1dea @NohatCoder Well you’re not making this code sound any less yummy.

We were so far down in this thread that it didn’t even cross my mind who might have introduced the term.

@f4grx @sanana I recall seeing the java source code of Yubikey's openpgp applet on github a few years ago (when they had the bug with missing PIN check for the signing operation - not in the VM but in the applet). I think these use NXP chips?

one of the obsolete eTokens I have is running "Siemens CardOS V4.2" which seems to have been a different platform, I'm guessing from the way the other one was explicitly branded "72k Java" that the "64k CardOS" one wasn't javacard-compatible.

(Not that I could tell the difference anyway; I've never had access to writing custom code for them or anything like that, only poked at the regular end-user cert management features.)

@grawity @sanana possible, I've not worked with every platform, sorry for being too assertive in the previous message. There are "secondary" platforms not as well known as the big ones.

There are also business games where company A buys company B and renames the jc implementation they got, so only a handful of products are using the old name.

@0xabad1dea Do you have a name for the last one?