envkey VS nocode

envkey-vscode is a VSCode extension that provides autocomplete, type checking, and peek-on-hover for environment variables in 46 different programming languages. Instead of a typeless, error-prone blob, the environment now acts like a strongly-typed object in every language you work in.

I’ve been using this extension myself for a couple weeks now and it feels like a pretty significant upgrade to my development workflow, especially when working on integrations across multiple languages, so I thought it was worth showing you all.

envkey-vscode relies on EnvKey, an open-source, end-to-end encrypted configuration and secrets manager that is focused on security and ease-of-use. It’s cross-platform, can integrate with any language or host, and can be cloud-hosted or self-hosted. Getting a project integrated normally takes a couple minutes.

More on EnvKey: https://www.envkey.com

Building and testing it has been an interesting process, as I relied quite heavily on ChatGPT/GPT-4 to cover languages that I’m not very familiar with. It helped me to develop regexes to cover the common forms of environment access in each language, as well as to produce small test cases and Dockerfiles that can run them. While it took a lot of passes and tweaking to root out hallucinations and get each language right, I don’t think there’s any way I could have built a tool like this in a reasonable amount of time. Having a single `test` command that runs examples in dozens of languages is pretty amazing—sort of like a rudimentary version of Replit that runs locally.

All the code for the extension lives in EnvKey’s monorepo here: https://github.com/envkey/envkey/tree/main/public/sdks/tools...

I’m planning to write up a blog post on this process and what I’ve learned about how to get the most out of GPT on a polyglot coding project like this. If you’re interested, you can sign up to get notified here when this post is live: https://envkey.us15.list-manage.com/subscribe?u=623039cd8518...

envkey-source code is here: https://github.com/envkey/envkey/tree/main/public/sdks/envkey-source

If anyone needs help keeping secrets out of git, you could give EnvKey[1] a look (disclaimer: I'm the founder). It aims to keep all secrets out of the repo completely so that you can't be burned by forgetting to add something to .gitignore

It takes a few minutes to install and then all your secrets and config will be in the environment, and will stay automatically up-to-date when there are changes.

Might be a way to cut out that particular failure mode when using Gut (which looks interesting btw--kinda like Git: the good parts).

1 - https://github.com/envkey/envkey

We took a similar approach to passphrase stretching in EnvKey[1] v1 (EnvKey is a secrets manager, not a passwords manager, but uses end-to-end encryption in a similar way). We used PBKDF2 with iterations set a bit higher than the currently recommended levels, as well as Dropbox's zxcvbn lib to try to identify and block weak passphrases.

Ultimately, I think it's just not good enough. Even if you're updating iteration counts automatically (which is clearly not a safe assumption, and to be fair not something we did in EnvKey v1 either), and even with safeguards against weak passphrases, using human-generated passphrases as a single line of defense is just fundamentally weak.

That's why in EnvKey v2, we switched to primarily using high entropy device-based keys--a lot like SSH private keys, except that on Mac and Windows the keys get stored in the OS keychain rather than in the file system. Also like SSH, a passphrases can optionally be added on top.

The downside (or upside, depending how you look at it) is that new devices must be specifically granted access. You can't just log in and decrypt on a new device with only your passphrase. But the security is much stronger, and you also avoid all this song and dance around key stretching iterations.

1 - https://github.com/envkey/envkey

2 - https://github.com/dropbox/zxcvbn

EnvKey[1] moved from OpenPGP(RSA) to NaCl for its v2, which recently launched.

It’s causing a difficult migration for our v1 users. Moving to a new encryption scheme is not fun for a product with client-side end-to-end encryption.

But within a year or so after releasing the v1, it seemed like the writing was on the wall for OpenPGP and RSA. I didn’t want to go down with a dying standard.

NaCl is so much better. In spite of the migration headaches that will likely cost us some users, I’m very happy I made this decision. It’s so much faster, lighter, and more intuitive.

It’s legitimately fun to work with, which I never thought I’d say about an encryption library after cutting my teeth on OpenPGP.

1 - https://github.com/envkey/envkey

The process management code lives here: https://github.com/envkey/envkey/blob/main/public/sdks/envke...

Basically the command you pass in to envkey-source is run via:

exec.Command("sh", "-c", c)

(c is the command you passed as a string.)

Stdout/stderr is piped through, and .Wait() is called on the command. If envkey-source is in watch mode, it will send a SIGTERM when the environment is updated, then re-run the process once the initial process has died. I can verify that, for example, if a server listening on ports is restarted in this way, the process will die and the ports will be cleared before the new process is started (this has been well-tested).

Do you see a problem with this approach? We will prioritize making all this bulletproof.

> "no cruft: no build systems, no null, no exception handling, no ORMs, no OOP, no inheritence hierarchies, no async/await, no compilation, no dev environments, no dependency hell, no packaging, no git, no github, no devops: no yaml, no config files, no docker, no containers, no kubernetes, no ci/cd pipelines, no terraform, no orchestrating, no infrastructure: no sql, no nosql, no connection poolers, no sharding, no indexes, no servers, no serverless, no networking, no load balancers, no 200 cloud services, no kafka, no memcached, no unix, no OSes"

I'll be honest, I did the same and at first thought Darklang was a troll project along the lines of https://github.com/kelseyhightower/nocode.

Either this is one hell of a project that is taking on all problems (and will consequently fail), or this pitch is misguided. The majority of what is listed there have nothing to do with languages.

I hope this clears some of the fears of missing out (FOMO) that you might have about SurrealDB not having traditional SQL joins. You can still do the things you need to do such as with the subqueries. When it comes to the traditional joins though, we think about it more in terms of the joy of missing out (JOMO) because the best way to reduce errors in your code is by writing less code, as seen in our record links example.

Vanilla Design is a super lightweight, ultra high-performance React UI library. Vanilla Design Team places a great emphasis on code size and performance, drawing inspiration from the nocode philosophy, which has significantly boosted the security and maintainability of Vanilla Design. It's like they've added an extra layer of bulletproofing and polish to their creation!

There are some open source competitors to Airtable and Notion that can provide good insight. Check out https://github.com/kelseyhightower/nocode

Well 100 is a number. And here is the relation: https://sources.debian.org/stats/ and here is how to get 0 bugs: https://github.com/kelseyhightower/nocode

This is my background and i years of experience hosting this..

Asta kelseyhightower/nocode: The best way to write secure and reliable applications. Write nothing; deploy nowhere. (github.com) are mii de forkuri si zeci de mii de stelute, activitate masiva la 'issues' - mii, sute de 'pull requests', clar ca rezolva o problema reala, nu?

Well, you can write a bug-free application..

First off, congratulations on entering the Computer Science!

Second, I am not sure what is a bigger joke here, the project itself and the OP's innocuous and cute self-promotion or the fact that this post landed the HN's front page.

0. Terms and definitions.

"You" refers not to the author of the tool but to the dear reader who happens to stumble upon this comment in the stream of random screen scrolling.

1. Comment body.

Couple of things about CS classes and specifically about programming classes. They will teach you everything but the most important engineering principles. And you'll have to adjust your learnings once you leave the campus gate behind and enter the wilderness of real tasks and challenges.

The first biggest lesson I learnt as a CS graduate was that the most beautiful, efficient and valuable software program is the one that does not exist, literally no code[0]

The second biggest lesson I learnt as a CS graduate was YAGNI[0]. You never ever write a single line of code, even touch the keyboard until you are absolutely sure you have exhausted all possible options to solve your problem without getting your hands dirty with programming.

The third biggest lesson I learnt as a CS graduate was RTFM[2]. It is so exciting to go to conferences and see people present fancy slides and watch youtube videos with lollipop coloured pictures explaining some complex topics in a eli5 style. Or read blog posts on a gazillion of websites posted by unknown unknowns but yet coming so convincing as if they were written by John Carmack or ChatGPT 5. But then none of them tell you the whole truth and show you the full picture. It is only official documentation, manuals and boring reference specifications that can help you find what you are looking for. And you will need to learn the skill of grinding hunderds of pages of badly styled refdocs to find that really nitty gritty quirky feature that consumed your whole day in finding out why your code does not work as expected. That's where you will start proceeding to the official docs and source code (if needed) before anything else (even Stackoverflow!).

There have been so many git wrappers around, you can probably try them all (tig, jj, gh-cli, gitui, lazygit, gix, you google it). But then, no matter how much effort their authors invest in those tools, there will always be inconsistency between git and its wrapper and you find yourself resorting to git to do what was supposed to be covered by the bespoke tool. And then you learn to respect git, understand its concepts as they were designed, learn some bash and git aliases[3], ditch all those tools (or the majority of them) and proceed with your personal tailored toolbox where if you find something odd you adjust it for your needs within 10 minutes and chill out.

[0] - https://github.com/kelseyhightower/nocode

[1] - https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it

[2] - https://en.wikipedia.org/wiki/RTFM

[3] - https://git-scm.com/book/en/v2/Git-Basics-Git-Aliases