[mr_tristan]

What's funny to me, is that I focused on something completely different; how independent these teams at Amazon are. The move from pretty different infrastructure services, all at the same company. I can't think of a single place I've worked at in 20 years where these infra teams wouldn't be either: a.) mandated, i.e., "you will stick with lambda/kubernetes/whatever", or b.) review and be involved in the architectural decisionmaking of the video service approach, i.e., have to politick your way around any deviation.

I guess the shift from "mono to micro" just isn't very interesting to me. You can usually change your definition of either concept to fit your architecture. This just seemed like the team did the math and revised their approach. Good for them!

[iLoveOncall]

This is in part where the "It's always Day 1" mentality manifests at Amazon.

There's only one programming language that is forbidden (PHP - for wrong reasons), and only one cloud vendor that is mandated (obvious). But beside that, teams are able to use literally whatever technology they want. There are some technologies that impose themselves because of the ecosystem, but you can always do your own sauce if needed.

I've been in two teams that had basically 90% different tech stacks, but it's never a problem, and it doesn't really ever come up in design reviews (unless there's a real reason, not for personal preferences).

[jpgvm]

Curious though, what is the reason for banning PHP? It must be pretty specific if they singled out just PHP.

[iLoveOncall]

I don't know the full history because it's from way before I joined, but it is honestly a terrible take (by a guy who's now Distinguished Engineer at Apple, no less!) explaining that it is impossible to write secure applications in PHP.

Basically, they used "the historical number of vulnerabilities identified in applications developed using a technology" as metric to determine how insecure a technology is.

For the argument here, they looked at the CVE list, where at the time (in 2012, with the list existing since 1999) 40% of all software vulnerabilities recorded were in PHP applications. This led to the conclusion that PHP is insecure by nature.

Of course, he didn't mention that at the time, PHP was also used by 80% of all websites, because that would have made his argument worthless.

That wiki page explaining that is still up. It's so baffling to me when the argument violates so many of Amazon's leadership principles.

[jpgvm]

Yeah that is a pretty poor reason, thanks for the nugget though that is pretty interesting.

I could think of a bunch of legitimate reasons to want to ban it but they would also hit a bunch of other languages as a result - hence why I was curious how it could be so specific.

It wouldn't surprise me if LOC for LOC PHP written today is much more secure than JS because of the same dynamic, just JS is the one that is now on 80% of new code written by beginners.

[beastcoast]

Even worse than that - Amazon spent dozens of engineer years migrating their wiki from PHP MediaWiki to Java XWiki, pretty much for that reason only, and for dubious customer benefit. There was a very epic post mortem at the end of it.

[iLoveOncall]

I didn't mention that in my original response, but the guy that wrote this document putting the nail in the coffin for PHP at Amazon said that ultimately it was too expensive to even TRY to assess PHP's safety. The amount he quoted was only 250,000$.

Looking back it's so obvious that it was an opinionated crusade from one guy, I simply don't understand how one of the most influential programming languages ever got dismissed by a single dude with fallacious arguments in less than a thousand words.

[beastcoast]

Amazon is actually better thought of as a collection of independent startups with their own software architectures, roadmaps and P&Ls. There’s commonly used infrastructure but very little is really mandated at the company level.

[zoover2020]

Exactly. I'd say the enforcement is on org/PE (Principal Engineer) level, cascading down to Senior engineers.

Once you're designing something beyond a small app, you'd have to pass PE review anyway.

[kamray23]

Isn't that just a massive maintenance mess?