Thursday, March 24, 2011

Poor recruiting

I receive invitations for job interviews for various positions from time to time, as probably a lot of software engineers who have public profiles on LinkedIn (and similar) do. Usually it's nothing interesting, but this time it was a new experience for me.

This time it was Epam, an outsourcing company, almost nothing special. They had some Python position in New York with an H1B visa. As you probably know from reading my blog, I do some Python programming and feel quite good about it, and I'm quite interested in migration also, which is why I said I was generally interested.

The first (and the most) surprising thing is that they didn't provide much info on the technical side of the vacancy. Yes, Python; yes, some company that does advertising on the internet; that's all. I thought, OK, I'll probably figure out more details during an interview. I had a non-tech interview with their HR and I wasn't able to find out anything new.

The day after the interview he goes like "hey, please skype to 'some_skype_id' here, he'll provide more info, I made him aware that you'll contact him." I wondered why I should bother contacting anybody, as I basically don't know anything about the vacancy and therefore am not that interested. So I asked if that guy could contact me himself, to which HR replied something like "no, please contact him yourself" and "I've arranged this possibility so you could get more technical details," and it sounded like he had already done me a huge favor just so I could talk to this person. At this point I decided I didn't want to work at this company already.

So I'm trying to understand the point of view of such recruiting managers. They work in a company that doesn't have a reputation as a good place for engineers (unlike Google and similar). Moreover, they have an office in my hometown, and even there it's not the best place to work at. Then, they try to recruit a person who has a job already and doesn't state anywhere that he's looking for a job. And finally they offer a candidate (who is not really a candidate, strictly speaking, because at that point it's not clear if the job is worth it or not) to drive himself through information gathering for the vacancy on his own.

So I'm wondering who they expect to find. A programmer who's only interested in obtaining an H1B? A programmer who's not very interested in what he's going to do (even if it is legacy Python 2.2 code support or maybe shell-like scripting in Python)? I don't get it.

PS Don't think I'm such an asshole. Once I traveled to a different city at my own expense for an interview because I saw potential in the job; more on that later, I think.

Friday, March 11, 2011

Treating security loosely

I don't want to sound like a grumpy old man, but sometimes I get really surprised at how people treat security these days.

I was going to try gitflow today (which seems to be quite an interesting thing to adopt, by the way) and was reading the documentation on the installation process. Believe it or not, the suggested installation method on a Linux system is:


$ wget --no-check-certificate -q -O - https://github.com/nvie/gitflow/raw/develop/contrib/gitflow-installer.sh | sudo sh


Yes, you're right, it's like that: downloading a random script from the internet and executing it as 'root' without any extra checks. Certainly, it's up to you whether you trust the source and are sure that it doesn't contain any malicious code (generally, it's better not to trust). But in any case, such an installation scheme should be improved:


  • SSL verification shouldn't be disabled, so you're sure that you're actually downloading your file from github, not from some source identifying itself as github

  • Checksums should be provided, or the file should be signed with gpg, to make sure you're downloading exactly the same thing the author uploaded



Without these, executing such a command seems plain dangerous.
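As an added example (not from the gitflow project or its installer), here is what the two improvements above look like in practice: the script is fetched with certificate checking left on, saved to disk instead of piped into a shell, compared against a checksum obtained out of band, and only then executed by hand. The URL and the expected checksum are placeholders to be replaced with the real ones; the helper names are my own.

```shell
#!/bin/sh
# Added example: a safer install flow than "wget --no-check-certificate ... | sudo sh".
# Nothing here is executed automatically; the caller runs the script only after
# the download has been verified.

# Placeholder values (hypothetical): the real URL and a checksum published by the
# author somewhere other than the download location itself.
INSTALLER_URL="https://example.invalid/installer.sh"
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# sha256_of FILE -> prints the hex SHA-256 digest; works with GNU sha256sum or
# with perl/shasum on systems that lack it.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> returns 0 on match, 1 on mismatch.
verify_sha256() {
    file="$1"
    expected="$2"
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# fetch_verified URL EXPECTED_HEX DEST -> downloads with TLS certificate
# verification ENABLED (no --no-check-certificate), then checks the digest.
# On any failure the partial/untrusted file is removed and 1 is returned.
fetch_verified() {
    url="$1"; expected="$2"; dest="$3"
    wget -q -O "$dest" "$url" || { rm -f "$dest"; return 1; }
    verify_sha256 "$dest" "$expected" || { rm -f "$dest"; return 1; }
}

# Intended use, commented out because the placeholder values above are not real:
# fetch_verified "$INSTALLER_URL" "$EXPECTED_SHA256" /tmp/installer.sh \
#     && less /tmp/installer.sh \
#     && sudo sh /tmp/installer.sh
```

A gpg signature check (`gpg --verify installer.sh.asc installer.sh`) against a key obtained separately can replace or supplement the checksum step.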