Something that has worked well for me several times (twice so far) is coming up with a catchy aphorism and then getting other people to write about it.
I need to try this again.
implementations, not representations
Turned into the article “Pass implementations, not representations” (2017) by Bevan Arps.
parse, don’t validate
This motto was turned into the wonderful “Parse, don’t validate” (2019) by Alexis King. It’s much better than anything I could (or can) have written on the subject.[1]
Note
For historical reference, note that the “CouchDB thing” my original tweet referred to was CVE-2017-12635. In this case, the built-in JavaScript JSON parser was used to validate the contents of the JSON document before the (Erlang) jiffy parser was used to actually consume it for processing. The two parsers handled duplicate JSON keys differently, which allowed users to circumvent the validation and grant themselves administrative roles.
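The class of bug above is a parser differential: the validator and the consumer read different documents from the same bytes. The added example below (my own illustration, not CouchDB’s or jiffy’s code) shows in Python how a first-wins and a last-wins parser disagree on a constructed document with a repeated key, and how “parse, don’t validate” removes the gap: parse once, reject ambiguous input outright, and hand downstream code a typed value rather than the raw JSON.

```python
import json
from dataclasses import dataclass
from typing import Any


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a key: the document is ambiguous."""


def _reject_duplicates(pairs: list) -> dict:
    # object_pairs_hook sees every key/value pair, including repeats, so
    # duplicates can be detected before json.loads silently collapses them.
    obj: dict = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError(f"duplicate key: {key!r}")
        obj[key] = value
    return obj


def _first_wins(pairs: list) -> dict:
    # Models a parser that keeps the first occurrence of a key.
    obj: dict = {}
    for key, value in pairs:
        obj.setdefault(key, value)
    return obj


@dataclass(frozen=True)
class UserDoc:
    """The only shape downstream code ever sees (hypothetical type)."""
    name: str
    roles: tuple


def parse_user_doc(raw: str) -> UserDoc:
    """Parse once, strictly, into a typed value; never re-read the raw JSON."""
    data = json.loads(raw, object_pairs_hook=_reject_duplicates)
    if not isinstance(data, dict):
        raise ValueError("top-level value must be an object")
    name, roles = data.get("name"), data.get("roles")
    if not isinstance(name, str):
        raise ValueError("name must be a string")
    if not (isinstance(roles, list) and all(isinstance(r, str) for r in roles)):
        raise ValueError("roles must be a list of strings")
    return UserDoc(name=name, roles=tuple(roles))


def parsers_disagree(raw: str) -> bool:
    """True when a first-wins parser and Python's last-wins parser differ."""
    return json.loads(raw, object_pairs_hook=_first_wins) != json.loads(raw)


def is_rejected(raw: str) -> bool:
    """True when the strict parser refuses the document."""
    try:
        parse_user_doc(raw)
    except ValueError:  # DuplicateKeyError is a ValueError too
        return True
    return False


# Constructed sample documents (not the CVE's payload); "roles" repeats in the first.
AMBIGUOUS = '{"name": "alice", "roles": ["reader"], "roles": ["editor"]}'
CLEAN = '{"name": "alice", "roles": ["reader"]}'
```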
Footnotes
[1] I never actually got around to publishing the original thing I was working on back in 2017 (“a type for every concept”). But there’s a hint of it in the early draft.