Notes from Topconf Linz 2016

Topconf Linz 2016 was a a great conference with charming people and inspiring talks. I am looking forward to next year and hope events like this will help put Linz on the map and attract more international attendees and speakers. Here are my notes from the talks that I have seen.

Carving up stuff for fun and profit – Stefan Tilkov


  • People structure their code into smaller building blocks. (Micro-)services, components, modules, procedures…

  • “How big shall each individual piece be?” – “Just make things the right size.”

  • The same programming task can be solved with several pages of code or just a few lines.

  • David Parnas proposes that “one begins [to decompose a system] with a list of difficult design decisions or design decisions that are likely to change. Each module is then designed to hide such a decision from the others.”

  • Separation of Concerns and the Single Responsibility Principle tell us to “separate separate things” and “join things that belong together.”

  • Robert Martin says a module “should only have one reason to change,” while at the same time “an axis of change is only an axis of change if the changes actually occur.”

  • Indicators of strong cohesion are simplicity, a single stakeholder, one reason to change and that the module doesn’t get split but used as a whole.

  • Indicators of weak cohesion are that the code is hard to understand and difficult to explain, obviously divisible, has many stakeholders, many reasons to change and is often used only partially.

  • Isolated development teams are not a good reason for separation.

  • Try not to forget about the application environment when designing your building blocks.

  • What works: Being explicit about your meta-model. What doesn’t: Mentioning the word “meta-model”.

  • What works: Separating macro and micro decisions. What doesn’t: Over-regulating everything.

  • What works: Trusting your gut and making a good guess. What doesn’t: Fleeing into technicalities.

  • What works: Use organization and its use cases as level 0 driver. What doesn’t: Center around technical commonality.

  • What works: Prepare to be wrong on every level. What doesn’t: Aim for perfection and stubbornly stick to it.

The web is getting pushy – Phil Nash


  • Browser vendors have implemented technologies that already work (as in “Does this make sense?”) for native apps. If you want, you may look at native apps as a testing ground for future web technologies.

  • Browser Support

    • Notifications are supported by major browsers. The status for Edge is “Under Consideration”.

    • Service Workers are only supported in the latest Chrome, Firefox and Opera. The status for Safari is unknown. The status for Edge is “Under Consideration”.

    • Push Notifications are only supported in the latest Chrome and Firefox. The Safari implementation is non-standard, Opera has it “on the roadmap” and Edge has it “Under Consideration”.

    • Implementation status can be checked on and

  • Demo is listening for the #topconfpush hashtag and then pushing a notification. The code is available on

  • It is possible to push notifications to your users via your web app, but try to follow the lessons learned over the last few years.

  • There is now a nice tutorial over at Google Developers.

Punishment Driven Development – Louise Elliot


  • Bonuses are a punishment tool and may weaken the performance of your team.

  • Narcissim of small differences: The odd man out may be invaluable to your success with his differing views.

  • Hansei: Acknowledge your mistakes and learn from them.

  • Kaizen: It is often easier to change yourself than to change others.

  • There is an area in your brain responsible for blame and punishment, called the dorsolateral prefrontal cortex.

  • Punishment Driven Development Manifesto

    • Finding out who is to blame over working collaboratively

    • Retribution over improving the process

    • Punishing mistakes over avoiding future mistakes

    • Venting emotions over achieving goals

  • People Driven Development Manifesto

    • Respecting people over controlling people

    • Celebrating mistakes over punishing mistakes

    • Putting yourself in their place over putting others in their place

    • Changing your behaviour over changing another’s behaviour

There is no half-remote team – Markus Tacker


JSON API – The ultimate anti-bikeshedding weapon – Henning Glatter‑Götz


  • JSON API is a specification for building APIs in JSON.

  • Content-Type: application/vnd.api+json is registered with the IANA.

  • It specifies content negotiation, document structure, fetching data (including pagination), CRUD, query parameters and errors.

  • Standardization tremendously helps with tooling. Libraries for the most popular languages already exist.

HTTP/2: Current Status – Simone Bordet


  • Why? HTTP/1.1 is an inefficient, old protocol for serving single pages. Web developers are hacking around its limitations and browser vendors break recommendations to make their browsers fast. “Better HTTP means more money!”

  • How? HTTP/2 is a binary protocol based on frames. It offers multiplexed streams, compressed headers, request prioritization and pushing of correlated resources to reduce round-trips. TLS is mandatory for browsers but server-to-server communication may be unencrypted.

  • When? The protocol is specified in RFC 7540. Browser vendors have already implemented it and major websites are using HTTP/2 already.

CSS for Software Engineers for CSS Developers – Harry Roberts


  • The first programming languages were written in the 1950s. We should honor existing programming paradigms and apply them to our stylesheets.

  • Don’t Repeat Yourself is not about duplicated output, therefore argumentless mixins can be valid in certain cases.

  • Single Source of Truth, the Single Responsibility Principle, Separation of Concerns, Immutability and the Open/Closed Principle can all be applied to CSS.

  • Mutation is particularly common in CSS and leads to unpredictable outcomes and unexpected side effects.

  • Deeply nested or qualified selectors increase Cyclomatic Complexity.

  • Proper scoping of selectors can improve Orthogonality, which is inherently difficult in CSS. Can you reorder your @import statements?

We’re going in: The 3D web – Martin Naumann


  • WebGL is ready to be used, especially via one of the excellent libraries like three.js.

  • Archilogic builds real-time architectural visualization for the web. Another example for good use of WebGL is the article The Dawn Wall by The New York Times.

  • The same visual perception tricks as in game engines help us improve performance: Light maps, normal maps, level of detail, asynchronous asset loading…

  • WebVR is currently being standardized, but there is a polyfill for Cardboard and Oculus available.

Your Web Stack Would Betray You In An Instant – Tim Perry


  • Your greatest weakness is (probably) not your code, but your web framework, programming language, web server, database or network infrastructure.

  • Always be ready to update your web stack, so you can benefit from the latest security updates.

  • Fear user input in any format and be as restrictive as possible (CVE-2013-0156).

  • Value best practices. If you see automated tests failing, please report it (CVE-2011-3189).

  • Keep internal errors secret from your end users (CVE-2015-2080).

  • Isolate your components from themselves and everyone else (CVE-2013-1899).

  • Avoid complexity, as it makes security flaws hard to find (CVE-2015-5477).

An Abusive Relationship with AngularJS – Mario Heiderich


  • AngularJS extends the attack surface dramatically. Many sites still use older versions, as updating is unnecessary difficult, largely due to frequent API changes.

  • Sandbox bypasses exist for every version of AngularJS, including 1.5.0.

  • Content Security Policy can be bypassed when applications use Google’s CDN. If it is whitelisted a collision check implemented in AngularJS 1.2.15 enables a downgrade attack.

  • Mario was able to attack the code base itself by issuing a pull request for an apparent “bug”, enabling cross-site scripting via the attributeName and attributeType SVG attributes.