We’ve had rave reviews from a number of ThoughtWorks teams using Browsersync. As the number of devices we deliver web applications to grows, so does the amount of effort that must be devoted to testing across these different devices. Browsersync is a free, open source tool that can dramatically reduce this effort by synchronizing manual browser testing across multiple mobile or desktop browsers. Providing both a CLI and a UI option, the tool is build-pipeline friendly and automates repetitive tasks such as form filling.
Dependency management in iOS and OS X projects used to be either completely manual or completely automatic as part of using CocoaPods. With Carthage, a new middle ground has become available. Carthage manages dependencies - it downloads, builds and updates frameworks - but it leaves the integration of the frameworks into the build of the project to the project. This is in contrast to CocoaPods, which basically takes over the project structure and build setup. It should be noted that Carthage can only deal with dynamic frameworks, which are not available on iOS 7 and below.
Previously, we recommended boot2docker as a way of easily running Docker on your local Windows or OS X machine. Docker Toolbox now replaces boot2docker, adding some tooling as well. Now included is Kitematic for managing your containers, as well as Docker Compose for managing multi-Docker setup (Mac only). It can be used safely as a drop-in replacement for boot2docker, and it will even handle the upgrade for you.
Safely storing secrets such as passwords and access tokens in code repositories is now supported by a growing number of tools - for example, git-crypt and Blackbox, which we mentioned in the previous Technology Radar. Despite the availability of these tools, it is still, unfortunately, all too common that secrets are stored unprotected. In fact, it is so common that automated exploit software is used to find AWS credentials and spin up EC2 instances to mine Bitcoins, leaving the attacker with the Bitcoins and the account owner with the bill. Gitrob takes a similar approach and scans an organization’s GitHub repositories, flagging all files that might contain sensitive information that shouldn’t have been pushed to the repository. This is obviously a reactive approach: Gitrob can only alert teams when it is (almost) too late. For this reason, Gitrob can only ever be a complementary tool, to minimize damage.
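The kind of check Gitrob automates, as an added illustration (not Gitrob's own code): a small scanner that flags repository files both by name and by content patterns. The AWS access key ID shape and the example key value are AWS's documented ones; the other patterns, the file-name lists and the sample repository snapshot are constructed assumptions.

```python
import re
from pathlib import PurePosixPath

# Content patterns for material that must not be committed. The AWS access key ID
# shape (AKIA + 16 upper-case alphanumerics) is AWS's documented format; the other
# patterns, the file-name lists and the sample repository are assumptions.
CONTENT_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "secret_assignment": re.compile(
        r"(?i)\b(?:password|secret|api[_-]?key|token)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}
SUSPICIOUS_NAMES = {".env", "id_rsa", "id_dsa", ".netrc", ".htpasswd", "credentials"}
SUSPICIOUS_SUFFIXES = {".pem", ".key", ".p12", ".pfx", ".jks"}

def flag_path(path):
    """Return a reason if the file name alone looks sensitive, else None."""
    p = PurePosixPath(path)
    if p.name in SUSPICIOUS_NAMES:
        return f"sensitive filename {p.name}"
    if p.suffix in SUSPICIOUS_SUFFIXES:
        return f"sensitive extension {p.suffix}"
    return None

def scan_content(path, text):
    """Return (path, line_no, pattern_name) for each line matching a content pattern."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in CONTENT_PATTERNS.items():
            if pattern.search(line):
                hits.append((path, line_no, name))
    return hits

def scan_repository(files):
    """files maps repository path -> text; returns sorted findings. A name-based
    finding is recorded with line 0 so it sorts ahead of content hits."""
    findings = []
    for path, text in files.items():
        reason = flag_path(path)
        if reason:
            findings.append((path, 0, reason))
        findings.extend(scan_content(path, text))
    return sorted(findings)

# Constructed snapshot; the key is AWS's published example value, not a live credential.
SAMPLE_REPO = {
    "src/app.py": "import boto3\nAWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n",
    "deploy/server.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n",
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment, never in code.\n",
}
```

Because the scan runs over content already pushed, a hit means the credential should be treated as exposed and rotated, not merely deleted from the tree.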
Git can be confusing. Really confusing. And even when it’s used in a simple trunk-based development process, there are still enough nuances to how it works that people can tie themselves in knots from time to time. When this happens, having an understanding of how Git works under the hood is very useful, and GitUp is a Mac-based tool that gives you exactly that. GitUp provides a graphical representation of what is happening as you type normal Git commands into the terminal. You can learn the various Git commands while also understanding what each one does as you use it. GitUp is a useful tool for both people new to Git and those with more Git experience.
Several of our teams working on .NET projects have recommended Polly as being useful in building microservice-based systems. It encourages the fluent expression of transient exception-handling policies and the Circuit Breaker pattern, including policies such as Retry, Retry Forever and Wait and Retry. Similar libraries already exist in other languages (Hystrix for Java, for example), and Polly is a welcome addition from the .NET community. Integrating well with Polly is Brighter, another small open source .NET library that provides scaffolding to implement command invocation. Combining the two libraries provides useful circuit-breaking functionality, especially in the context of the Ports and Adapters pattern and CQRS. Although they can be used separately, in the wild our teams find they work well together.
Many monitoring tools are built around the concept of the machine or instance. The increasing use of patterns like Phoenix Server and tools like Docker mean this is an increasingly unhelpful way to model infrastructure: Instances are becoming transient while services are the things that persist. Sensu allows an instance to register itself as playing a particular role, and Sensu then monitors it on that basis. Over time, different instances playing that role may come and go. Given these factors and the increasing maturity of the tool, we felt it was time to bring Sensu back on to the radar.
Although SysDig isn’t the newest tool on the Technology Radar, we’re still surprised by how many people haven’t heard of it. A pluggable open source CLI for Linux system troubleshooting, SysDig has some pretty powerful features. One of the key things we like is the ability to generate a system trace on a machine that is experiencing difficulties, which you can then interrogate afterward to find out what was happening. SysDig also contains support for working with containers, something that makes a previously useful tool even more powerful.
Many development teams are making the move from simple continuous integration servers to Continuous Delivery pipelines, often spanning multiple environments, reaching into production. To implement such a pipeline successfully and operate it in a sustainable way requires a CI/CD tool that treats build pipelines and artifacts as first-class citizens; and unfortunately there aren’t many. Concourse CI is a promising new entrant in this field, and our teams that have tried it are excited about its setup, which enables builds that run in containers, has a clean, usable UI and discourages snowflake build servers.
Espresso is an Android functional-testing tool. Its small core API hides the messy implementation details and helps in writing concise tests, with faster and more reliable test execution.
Gauge is a lightweight cross-platform test-automation tool. Specifications are written in free-form Markdown, so test cases can be written in the business language and can be incorporated into any existing documentation format.
Supported languages are implemented as plugins to a single core implementation, which ensures consistency across language implementations. This tool, open sourced by ThoughtWorks, also supports parallel execution out of the box for all supported platforms.
Despite the shrinking usage of Internet Explorer, for many products the IE user base is not an insignificant share of the market, and browser compatibility needs to be tested. This is particularly troublesome if you prefer the joys of a UNIX-based system for development. To aid in this dilemma, ievms provides a utility script that brings together Windows-distributed VM images and VirtualBox to automate the setup and testability of various IE versions, from 6 up to Edge.
Although more sites every day are implementing HTTPS to help protect their own users and improve the integrity of the web as a whole, there are many more sites to go. In addition, we see more and more people using HTTPS within their enterprises, to provide additional security guarantees. One of the main blockers to wider adoption has been the process of getting a certificate in the first place. Aside from the cost, the process itself is far from slick. Let’s Encrypt, a new Certificate Authority, aims to solve all this. First, it provides certificates for free. Second, and arguably more important, it also provides an extremely easy-to-use command-line API, making it easy to fully automate the process of issuing, upgrading and installing certificates. We think that Let’s Encrypt, in beta at the moment, has the chance to be revolutionary in terms of helping more of the web get on to HTTPS, and at the same time showing what good, automatable tools for the security-conscious should look like.
Pageify is a Ruby library for building page objects for UI automation tests, focusing on faster test execution and code readability. It offers simple APIs to dynamically define, operate and assert on the page objects, allowing readable code even when handling elements with complex hierarchies in the DOM. It bundles integration for WebDriver and Capybara.
SoundCloud has recently open sourced its monitoring and alerting toolkit, Prometheus. Developed in reaction to difficulties with Graphite in its production systems, Prometheus primarily supports a pull-based HTTP model (although a more Graphite-like push model is also supported). It also goes further by supporting alerts, making it an active part of your operational toolset. As of this writing, Prometheus is still only in release 0.15.1 but is evolving rapidly. We’re glad to see the recent product focus on core time-series DB and multidimensional indexing capabilities while allowing for export to a wider variety of front-end graphing tools.
With a growing landscape of services providing RESTful APIs, it is becoming increasingly important to document them. We have previously mentioned Swagger, and in this Technology Radar we’d like to highlight the RESTful API modeling language (RAML). Our teams feel that in comparison to Swagger it is more lightweight and moves the focus from adding documentation to existing APIs to designing APIs.
Sleepy Puppy is a delayed cross-site scripting (XSS) payload-management framework recently open sourced by Netflix. It enables you to test for XSS that propagates beyond the target application, where an attacker's payload is stored and later executes in a secondary, underlying system. With XSS being one of the OWASP Top 10, we see this framework assisting with automated security checks for several applications. It simplifies the capturing, managing and tracking of XSS propagation over long periods of time, with customizable payloads. Sleepy Puppy also exposes an API that can be integrated with vulnerability tools like ZAP, for automated security checks.
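The failure mode Sleepy Puppy is built to surface, as an added illustration (not part of the framework or of the original text): a value accepted by one application is stored and later rendered by a separate internal dashboard. The record, the function names and the rendering code are constructed assumptions; the point is that escaping has to happen at the output of every system that displays the data, not only in the application that first received it.

```python
import html

# Constructed records as the public-facing app might store them and an internal
# dashboard (a different code base) might later display them. Names are assumed.
STORED_EVENTS = [
    {"user": "alice", "note": "checkout failed"},
    {"user": "<script>probe()</script>", "note": "reset <b>password</b>"},
]

def render_row_unsafe(event):
    """Vulnerable: interpolates stored text straight into HTML, so markup that
    was harmless to the first application executes in this second one."""
    return f"<tr><td>{event['user']}</td><td>{event['note']}</td></tr>"

def render_row_safe(event):
    """Hardened: every untrusted value is HTML-escaped at the point of output,
    regardless of which system originally accepted and stored it."""
    cells = (html.escape(event[key], quote=True) for key in ("user", "note"))
    return "<tr>" + "".join(f"<td>{cell}</td>" for cell in cells) + "</tr>"

def render_table(events, renderer):
    """Build the dashboard table with whichever row renderer is supplied."""
    return "<table>" + "".join(renderer(e) for e in events) + "</table>"

def contains_user_markup(rendered):
    """Test helper: does raw tag markup originating from user data survive?"""
    lowered = rendered.lower()
    return "<script" in lowered or "<b>" in lowered
```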
Visual Studio Code is Microsoft’s free IDE editor, available across platforms. We find the version-control integration with Git very beneficial to promoting continuous integration practices. Visual Studio Code also provides a means of integrating with external tools via tasks; autodetection of grunt/gulp tasks means they can be run from the editor instead of a terminal. With the growth of the Docker ecosystem, this IDE offers support for the Dockerfile with snippets and definitions of valid commands.
Many organizations are still forcing distributed or offshore development teams to use Citrix remote desktop for development. Although this provides a simple security model (assets supposedly never leave the organization’s servers), using remote desktops for development absolutely cripples developer productivity. There’s not much point paying a cheaper hourly rate for developers if you’re going to impose both the distribution and remote-desktop burdens on them, and we wish more offshore vendors would admit these drawbacks to their clients. It’s much better to use either a ‘clean room’ secured offshore environment where local development can be done, or a Hosted IDE (e.g. ievms).