Only by a miracle can a Level -2 organisation produce any useable software.
As Level -2 organisations rarely get beyond specification they pin their
hopes on automatically generating a program from that specification.
LLMs are doing an impressive job of getting us from conversations to
requirements to specifications to code, but when I look at that diagram, I have
a visceral sense of what 2025’s Level -2 is.
So you’re telling me you wrote an unsalted, date-seeded, unsigned,
deterministic password generator?
In the initial interview, the client expressed a desire to modernize their
security. They wanted someone with multiple iterations of implementing other
types of authentication: MFA, passwordless device flows, SSO. I told them I was
pretty well versed in SAML and OIDC, and had some hard-earned experience doing
multi-generational technology leaps, and thought I might be well suited for the
task. I even worried that I had insulted the manager’s competence by claiming
Basic Auth is (still) a useful stepping stone in some scenarios.
When I first heard that the SEI had a lesser-known counterpart to its
Capability Maturity Model (CMM) called People CMM (P-CMM), I had to DuckDuckGo
if it was a joke.
It isn’t, except in the same sense that CMM-I is a kind of cruel joke.
P-CMM uses the same 5 levels as the SEI CMM to “systematically transform
chaotic workforce practices into strategic capability development” across 22
process areas. Without any sense of irony, the process professes to “address
critical people issues in your organization”, then immediately drops the
word “people” in favor of the terms “workforce” and “resource.”
I sat down to lambaste what I view as the outsourcing of thought by management
teams, but then I got to thinking about NIHS (Not Invented Here Syndrome) in
some organizations, and the (often concurrent) complete outsourcing of thought
to consultants and hype mongers.
Where is the balance of internal capability and external expertise?
I think the scales get tipped one way or another by motivation. I’ve been
brought onboard for two broad categories of needs. I don’t have names for these
two groups, other than to say there are two of them.
Nobody ever calls me because things are going well.
When the Outsiders arrive (consultant, contractor, new guy, whatever), they
will be full of “best practices” and experiences codged from other, more
fanciful clients. They look around, horrified, because they have a keen eye for
the dysfunctional. I’ll be the first to admit, I see bad security,
architecture, process, design, whatever it is - and my first reaction is an
emotional one. Usually angry, usually self-righteous.
There is nothing quite so useless as doing with great efficiency something
that should not be done at all
— Peter Drucker
Despite what the godfather of management says, what the engineers want to talk
about is:
Programming languages
AI
Cloud providers
UI Libraries
APIs
DevOps
Architecture patterns
Databases
What the customer doesn’t care about: (see above).
The things in the list don’t even matter! They’re fungible. Given three
mainstream choices for programming language, AI, cloud, etc., literally any
combination of them is sufficient.
In what is perhaps the most brilliant act of malicious compliance I have ever
witnessed…
Early in my career I bullied my way into a de facto tech lead position on a
small software team in a pretty big organization.
The most powerful and vocal of our users used our software passively as a kind
of combination dashboard and news aggregator. They had lots of passwords to
lots of systems, and they did not want another one for ours. They made this
very clear - not one more goddamned password.
Businesses have important reasons to establish targets independent of
software estimates. But the fact that a target is desirable or even mandatory
does not necessarily mean that it is achievable.
Weekend plan: migrate authentication to OIDC. Four hours later I’m debugging if
I can symlink my way to success with Claude Code, Cursor, and Junie. GPT5 is
released, maybe that will just do this for me, time to re-enable my OpenAI
account and generate an API key. I learn each tool’s proprietary file formats
and locations, MCP configs, keyboard shortcuts, and licensing terms. Which one
has reasoning? What’s the TPS? Can I make it stop being such a goddamned
sycophant?
Our nonscientific study suggests that, on average, business people can pay
attention for no more than thirty to sixty seconds without being distracted
by an unrelated thought.
— The Trusted Advisor: 20th Anniversary Edition by David H. Maister,
Charles H. Green, et al.
A spike is a sudden, dramatic increase in demand, effort, or activity that far
exceeds normal operating levels. I consider spikes a threat to sustainability.
Startup culture’s reliance on the veneer of coolness and a potential future
payoff as a way to fortify employees against these spikes will shape the
workforce, selecting for younger people who are more naive and risk tolerant.
The effects of this compound over time.
I recently came across OpenCommit, which claims to “generate commit messages with an LLM in 1 sec”. Here’s what’s good:
Helps maintain flow state - you can fire-and-forget and the messages are about as accurate as they’d be if a human wrote them
Available on the command line, just oco
Works reasonably well with local models running via ollama serve
MIT Licensed
Regarding “flow”, pay attention the next time you write a commit message. Do you feel the context switch happening as you go from “doing” to “documenting”? I do, and I have an aversion to that feeling.
After over 2 decades using GNU Screen for multiplexing, often on machines where tmux wasn’t a sensible option, I’ve realized that I’ll probably never find myself telnetting (!) into a Solaris box again.
Still, tmux doesn’t “just work” the way I want with the Mac OS terminal. I am aware iTerm2, WezTerm, kitty and several others exist, but it’s 2025 and I’m just now migrating away from screen, so that’s the level of stodge I’m at. I still want to use the mouse to copy/paste text while I change my muscle memory from screen to tmux.
In order to survive, the human body maintains stability in two ways.
Homeostasis — the process of maintaining internal stability by adhering to fixed points.
Examples: maintaining optimal pH, liver enzymes, body temperature
Allostasis — the process of obtaining stability by adapting to anticipated demands or environmental stressors.
Examples: cortisol during fight or flight, inflammatory responses, shunting of blood
Both are necessary for survival. One is required to keep the organism alive over the long term, the other helps us respond to emergent or future scenarios.
I’ve long thought that the ability to maintain flow state for hours was the hallmark of a good programmer. I prided myself on being in such a deep state of flow that I would often fail to notice the passing of hours, the setting sun. I would often only reluctantly step away to pee. I would work late into the night, uninterrupted by the world.
As the systems I’ve worked on have become more complex, technologically diverse, and frankly riddled with errors, I’ve realized that what I thought of as “flow” is actually just a state of chasing my own thoughts, trying to immediately fix whatever annoyances or weirdnesses I encountered, and finishing my days not having completed my initial goals for the day.