The contractor that should not be
-
Greetings TDWTF! I've been reading your stories for a very long time, and I wanted to share some of my own.
I work in a tiny webdev agency in Eastern Europe (yes, among other things that includes PHP every day, cue all the witty remarks). We often have more work than we can handle, so we tend to hand some of it off to contractors. This is the story of the contractor we dealt with this week.
His CV included:
Perfect experience In:
- PHP (OOP) 3 years
- JavaScript (OOP) 4 years
- CSS3 7 years
- Frameworks (ZF2, YII, Symfony 2, Angular, Node, React, Bootstrap ...) 7 years
- LAMP (XAMPP) 5 years
- Linux Mint, Windows >10 years
(For those unfamiliar, LAMP/XAMPP is a package to get started with PHP. An equivalent for the Microsoft stack would be a tool that downloads and installs IIS, SQL Server Express, and a C# compiler, without Visual Studio or anything else, and then lets you start/stop/configure them. It's the recommended way to get started with PHP, but you're supposed to grow out of it...)
Despite the red flags of "what does perfect experience even mean?", "most of those frameworks weren't even out 7 years ago!", and "how can he have more framework experience than language experience?", the management decided to give him a try, because we were in a tight spot and (sadly!) there were no other candidates.
When we gave him a task, step 1 was of course to get the project running locally on his Linux Mint laptop. This did not go well:
- I had to tell him how to switch to another git branch (he claimed to be familiar with git during the interview);
- despite his "5 years of LAMP experience", I had to set up a vhost for the project, so that Apache would show it;
- when it generated errors instead of displaying the project, I had to look at his error logs to figure out that, despite his claim to be using PHP 5.x, his XAMPP was running PHP 7;
- his approach to switch to PHP 5.x was to uninstall XAMPP and install an older version that includes PHP 5.x;
- during the reinstall process, MySQL user accounts were reset, so the username/password that he swore was working, in fact, wasn't;
The process above took him a whole day, as well as half of my day, and he left promising to fix his MySQL and get it running the next day (he was going to work remotely). I explained the actual task to him, which he seemed to understand okay and said he'd deliver a solution by the end of next day. I had my doubts because I did not think it was such a simple task, given his competence so far...
In the morning, he called my boss and said "I ran into a permission problem, I'm switching my laptop to Windows".
During lunch, he called me and asked how he should deliver the solution. My answer of "make a new git branch, make your changes there, and push them" was the same as the day before, but this time it brought up a counter-question "how do I do that, and do I do it in <the task management system> or <the version control system>?". He still said he would deliver it by the end of the day.
At around 1 AM, he sent us an email saying "I don't know how you want me to deliver the changes, but I'm attaching them to this email". With one attached file.
In the morning, I looked at his changes. And I lost any faith I had left. He had added 7 lines of code, and in those lines he managed to make 3 syntax errors and call two non-existent functions.
When I said that his result was unacceptable, he insisted his IDE did not show any errors. Turned out his entire process for testing was to run the IDE's static code analysis and see if it reported any problems. I have no clue what he misconfigured to make it not show the errors, but when I pointed the actual errors out, he acknowledged them and promised to fix them by the end of the day.
Later he called again and said, quote, "I made the changes, but when I try to view them in the browser, my IDE says it can't save the project".
Fortunately, my boss (who, since this is a tiny company, is also the CEO) has decided to terminate this guy's contract on Monday.
Unfortunately, the client is insistent that this functionality must be ready in production by Wednesday. Fun times ahead!
-
@DCoder I'm impressed, you got shafted with a worse PHP dev than we've had to deal with.
-
@DCoder said in The contractor that should not be:
LAMP/XAMPP is a package to get started with PHP
LAMP also stands for the stack even when it's not installed from the LAMP package, to be fair. I'd assume LAMP experience meant "experience running software on a LAMP stack" if it wasn't for every other red flag on this page.
@DCoder said in The contractor that should not be:
how can he have more framework experience than language experience?
No no, he has experience with "frameworks" in general. All of them. Node, Bootstrap, Angular, they're all the same thing really.
@DCoder said in The contractor that should not be:
Linux Mint, Windows >10 years
Operating systems, they're all the same amiright?
@DCoder said in The contractor that should not be:
JavaScript (OOP) 4 years
The hell you say.
@DCoder said in The contractor that should not be:
"I ran into a permission problem, I'm switching my laptop to Windows".
snorts Have fun reinstalling your entire system, I'm sure that's the fastest way to debug.
-
@DCoder said in The contractor that should not be:
but you're supposed to grow out of it...
Lol how about that @Arantor?
-
@sloosecannon we mostly did
-
@DCoder said in The contractor that should not be:
- his approach to switch to PHP 5.x was to uninstall XAMPP and install an older version that includes PHP 5.x;
To be fair, this is the approach suggested by StackOverflow.
-
@cheong said in The contractor that should not be:
@DCoder said in The contractor that should not be:
- his approach to switch to PHP 5.x was to uninstall XAMPP and install an older version that includes PHP 5.x;
To be fair, this is the approach suggested by StackOverflow.
be that as it may, someone who blindly follows SO without thinking will certainly run into someone who asks them if they know they can charge their phone in the microwave, and believe them.
is that the sort of person you want as a cow-orker?
-
Why the fuck would anyone use LAMP? These days, a real server setup is a few apt-get commands away. It doesn't even help you setting up virtual hosts, the one thing you'd possibly want some help from a GUI. I switched over to manual setup years ago and never looked back.
You're right to consider "LAMP" experience a red flag. Kind of like if a frontend dev stated "Dreamweaver experience" in their CV.
-
@cartman82 said in The contractor that should not be:
Why the fuck would anyone use LAMP?
Again, there's nothing wrong with using PhP on Apache with a MySQL database backing it and a Linux server. What's not "real" about any of that? Just because there's a package to easy-install PhP + Apache + MySQL doesn't make the experience of administrating the server any less valuable. It's not like Dreamweaver where you're isolated from having to maintain the code.
That said, this guy's obviously a moron, and his CV inspires 0 confidence.
-
Remember the days when the 'P' in 'LAMP' stood for Perl? How is it that we ended up replacing Perl with something even worse, and most people didn't even bat an eye?
Seriously, it's as if we were driving around in a car with three good tires and one bad one, and then when we finally took the flat tire off we then replaced it with a bicycle wheel.
-
@ScholRLEA said in The contractor that should not be:
Seriously, it's as if we were driving around in a car with three good tires and one bad one, and then when we finally took the flat tire off we then replaced it with a bicycle wheel.
No, a Flintstones-style stone wheel…
-
@Yamikuronue said in The contractor that should not be:
Again, there's nothing wrong with using PhP on Apache with a MySQL database backing it and a Linux server. What's not "real" about any of that? Just because there's a package to easy-install PhP + Apache + MySQL doesn't make the experience of administrating the server any less valuable. It's not like Dreamweaver where you're isolated from having to maintain the code.
That said, this guy's obviously a moron, and his CV inspires 0 confidence.
Ugh. I wanted to rant about XAMP, WAMP and similar GUI frontends. Almost there, Cartman.
-
@cartman82 yeee-aaahhh..... WAMP Server was a POS back when I first installed it a good six years ago, and it doesn't look like it's gotten much better with age.
-
@sloosecannon said in The contractor that should not be:
@DCoder said in The contractor that should not be:
but you're supposed to grow out of it...
Lol how about that @Arantor?
-
@accalia said in The contractor that should not be:
be that as it may, someone who blindly follows SO without thinking will certainly run into someone who asks them if they know they can charge their phone in the microwave, and believe them.
is that the sort of person you want as a cow-orker?
Definitely not. :P
Btw, I'm also one of the people who got pissed off by the manner they handle knowledge. (If it's not posted by someone on the web already, it does not exist even if it does exist for 10+ years and those affected by the problem already treated it as common knowledge)
-
@Yamikuronue Because you're supposed to be using nginx now! It's the new hot web server!!!
-
@blakeyrat said in The contractor that should not be:
@Yamikuronue Because you're supposed to be using nginx now! It's the new hot web server!!!
ITYM
???
-
@DCoder said in The contractor that should not be:
PHP every day, cue all the witty remarks
PHP? More like "P.U.! Pee!" hahahhaahahhahahahahahahaah!
@DCoder said in The contractor that should not be:
get it running the next day (he was going to work remotely)
The contractor was allowed, on day 2, to work from home? TRWTF...
@DCoder said in The contractor that should not be:
terminate this guy's contract on Monday
-
We're stuck using Windows plus the AMP stack, but at least our AMP setup is not off the shelf XAMPP or WampServer, ours is actually tuned for our use, bundling things like ImageMagick and GhostScript.
It's also not configured for debug by default.
-
@Tsaukpaetra said in The contractor that should not be:
Caddy - The HTTP/2 Web Server with Fully Managed TLS
What does it mean that I read that as "Fully Mangled TLS?"
-
@Tsaukpaetra said in The contractor that should not be:
@blakeyrat said in The contractor that should not be:
@Yamikuronue Because you're supposed to be using nginx now! It's the new hot web server!!!
ITYM
???
TIL.
That's... nice looking.
-
@sloosecannon said in The contractor that should not be:
@Tsaukpaetra said in The contractor that should not be:
@blakeyrat said in The contractor that should not be:
@Yamikuronue Because you're supposed to be using nginx now! It's the new hot web server!!!
ITYM
???
TIL.
That's... nice looking.
The homepage? I swear there was a topic on this software in the Sidebar...
Or maybe it was Boomla...
-
@blakeyrat said in The contractor that should not be:
@Yamikuronue Because you're supposed to be using nginx now! It's the new hot web server!!!
Why is this a thing? I have a developer on one of my projects who criticized the use of Apache as a reverse proxy to most of the ALM tools.
"Why not nginx?! <flourish of performance test results of Apache vs. nginx>" Uh... because a.) this server was set up at least a year and a half ago, and b.) this is a development project; I don't think we're going to be getting tens of thousands of requests a second.
I use Apache because I know how to configure it and it works. What other criteria do I really need to use?
-
@Tsaukpaetra said in The contractor that should not be:
What the fuck is this bullshit. That configuration file is incomprehensible. And what is it with everything using "<noun>file" these days?! (I say this as a user of Vagrant and Docker.)
-
@Tsaukpaetra said in The contractor that should not be:
@sloosecannon said in The contractor that should not be:
@Tsaukpaetra said in The contractor that should not be:
@blakeyrat said in The contractor that should not be:
@Yamikuronue Because you're supposed to be using nginx now! It's the new hot web server!!!
ITYM
???
TIL.
That's... nice looking.
The homepage? I swear there was a topic on this software in the Sidebar...
Or maybe it was Boomla...
Yeah, that's the one with the sidebar.
Caddy actually looks useful for dev server stuff.
-
@Tsaukpaetra said in The contractor that should not be:
Caddy - The HTTP/2 Web Server with Fully Managed TLS
I'd rather it served webpages, thank you very much.
-
TBH if you are doing Apache these days I am under the impression you are Doing it Wrong. Nginx is such a better bit of kit.
-
@lucas1 said in The contractor that should not be:
TBH if you are doing Apache these days I am under the impression you are Doing it Wrong. Nginx is such a better bit of kit.
Explain to me in what way I'm doing it wrong and why Nginx is better. That's what everyone is failing to do so far.
-
@heterodox because it is just so much faster than Apache, some would argue more secure as well. I don't hate configuring it either.
There is nothing wrong with Apache, but nginx just works a lot better in high traffic scenarios.
I prefer IIS myself, but that doesn't run on *nix.
-
@lucas1 said in The contractor that should not be:
@heterodox because it is just so much faster than Apache
Nginx is used in some other environments within my project; from what I've observed, it's not faster in any way that's noticeable or relevant to my end users. It may be faster in other configurations and with other workloads, but that's not as important to me.
some would argue more secure as well.
Those would be wrong.
I don't hate configuring it either.
Good for you.
-
@heterodox said in The contractor that should not be:
Nginx is used in some other environments within my project; from what I've observed, it's not faster in any way that's noticeable or relevant to my end users. It may be faster in other configurations and with other workloads, but that's not as important to me.
As I said it fares better in high traffic scenarios, if you aren't in that scenario ... then it probably won't help you. As per usual it comes down to "well it depends what you are doing".
-
@lucas1 said in The contractor that should not be:
@heterodox said in The contractor that should not be:
Those would be wrong.
Why?
Because nothing is actually secure until we have encryption that can't be reversed by anyone?
-
@lucas1 said in The contractor that should not be:
As I said it fares better in high traffic scenarios, if you aren't in that scenario ... then it probably won't help you. As per usual it comes down to "well it depends what you are doing".
That's a much more reasonable position than "you are Doing it Wrong".
@lucas1 said in The contractor that should not be:
@heterodox said in The contractor that should not be:
Those would be wrong.
Why?
Because they both use the exact same underlying cryptography and SSL libraries. (Except with Apache you may use NSS and with nginx you mayn't.) Choice of a Web server has very little to do with security of a system, all things considered.
-
@heterodox said in The contractor that should not be:
That's a much more reasonable position than "you are Doing it Wrong".
I dunno why you would choose to have lower potential performance when running a PHP app almost works exactly the same. In the industries I work in, Apache isn't used at all and most of the architects won't allow it even for just simple landing pages.
@heterodox said in The contractor that should not be:
Because they both use the exact same underlying cryptography and SSL libraries. (Except with Apache you may use NSS and with nginx you mayn't.) Choice of a Web server has very little to do with security of a system, all things considered.
I am not talking about SSL and crypto, I am talking about the software itself.
-
@lucas1 said in The contractor that should not be:
I dunno why you would choose to have lower potential performance when running a PHP app almost works exactly the same.
Because potential performance doesn't matter to me. (I'm also not running a PHP app, so.) I work in the real world. I don't have time to optimize for conditions that don't exist. I'm going to pick the software that's best supported and that I can best maintain.
I am not talking about SSL and crypto, I am talking about the software itself.
What the fuck does that mean. There's no possible way to back that up. Web server security depends almost solely on configuration. I'll back an Apache server I've hardened against your nginx server any day of the week.
-
@heterodox said in The contractor that should not be:
Because potential performance doesn't matter to me. (I'm also not running a PHP app, so.) I work in the real world. I don't have time to optimize for conditions that don't exist. I'm going to pick the software that's best supported and that I can best maintain.
I work in the real world too, unless my world is somehow fake. Nginx does pretty much everything better than Apache in everything that matters as far as I am concerned. I don't see why you would choose an older and obviously inferior piece of tech over something that is obviously better.
-
@heterodox said in The contractor that should not be:
What the fuck does that mean. There's no possible way to back that up. Web server security depends almost solely on configuration. I'll back an Apache server I've hardened against your nginx server any day of the week.
Vulnerabilities applying to one of my Apache servers in the past three months: 1 (CVE-2016-5387), mitigated with a one-line configuration change. Vulnerabilities applying to Nginx in the past three months: 1 (CVE-2016-4450), mitigation requires a software upgrade.
-
@lucas1 said in The contractor that should not be:
I don't see why you would choose an older and obviously inferior piece of tech over something that is obviously better.
Obviously inferior vs. something that's obviously better. Yeah, you're exactly the same as my evangelical developer and I'm similarly done talking to you now. You have nothing to back up what you're saying.
-
@heterodox https://httpd.apache.org/security/CVE-2011-3192.txt
Yeah it was 5 years ago but it was fucking massive.
-
Returning to discussion about the contractor that should not be in 3...
2....
1.......
-
@heterodox lol, I said my reasons why I think it is superior and all you've done is say "well I like Apache and it is good enough" ... well if that is how you do development I feel sorry for your users.
-
@Maciejasjmj said in The contractor that should not be:
@Tsaukpaetra said in The contractor that should not be:
Caddy - The HTTP/2 Web Server with Fully Managed TLS
I'd rather it served webpages, thank you very much.
E_COOKBOOK_NOT_FOUND
-
@heterodox said in The contractor that should not be:
Because they both use the exact same underlying cryptography and SSL libraries. (Except with Apache you may use NSS and with nginx you mayn't.) Choice of a Web server has very little to do with security of a system, all things considered.
Because choice of crypto is all there is to Web server security, amirite?
(I don't actually use either server. I don't have a dog in this fight. Just pointing out that this argument appears kind of silly.)
-
@masonwheeler Don't get me fucking started.
-
@Yamikuronue said in The contractor that should not be:
snorts Have fun reinstalling your entire system, I'm sure that's the fastest way to debug.
It is actually faster to install Windows and Visual Studio and debug there than to try to do anything non-trivial on Linux.
Maybe if you included the time it takes to make the $200 for the Windows license, you'd break even.
-
@anonymous234 said in The contractor that should not be:
@Yamikuronue said in The contractor that should not be:
snorts Have fun reinstalling your entire system, I'm sure that's the fastest way to debug.
It is actually faster to install Windows and Visual Studio and debug there than to try to do anything non-trivial on Linux.
Maybe if you included the time it takes to make the $200 for the Windows license, you'd break even.
Installing xrdp from source with the actual x11rdp module was way more troublesome than it should have been.
-
@masonwheeler said in The contractor that should not be:
@heterodox said in The contractor that should not be:
Because they both use the exact same underlying cryptography and SSL libraries. (Except with Apache you may use NSS and with nginx you mayn't.) Choice of a Web server has very little to do with security of a system, all things considered.
Because choice of crypto is all there is to Web server security, amirite?
No, in fact that's the opposite of my argument. I literally just pointed out how little hardening has to do with the software (saying they were equal on that front anyway) and how much it has to do with configuration.
Didn't realize the argument was "Because it's newer and more shiny, it's inherently more secure, and things that are older → better battle-tested and better documented are inherently less secure."
-
@heterodox I didn't say that.
Also both are over a decade old now so Nginx isn't new and shiny. Nginx was from the get go designed to be more performant and it is.