Learning from Giants #5
The power of product thinking, Hire better using work sample tests, Google's global authorization system, Database query engines, and Email authenticity protocols.
Hi, this is Mathias with your weekly drop of the 1% best, most actionable, and timeless resources to grow as an engineering or product leader. Handpicked from the best authors and companies.
The Power of Product Thinking
If you're building a product, your job is to make hypotheses and guesses. Iterate and experiment, right?
Yet each of these iterations has a cost, so how do you avoid betting on guesswork?
Product thinking
"Product thinking is the skill of knowing what makes a product useful - and loved - by people. [...] Product thinking is a habit, an eye, a mindset."
In a fast-changing environment, product thinking can make the difference between 0 and 1. And lucky us, it can be developed! But how?
"The two most important habits are observation and inquiry."
"Observation is about paying attention to people's reactions when they encounter products or services in their day-to-day lives."
"Inquiry comes from genuine curiosity about people and their behaviors, and can take different forms depending on how you learn best. The key is understanding the "why" behind the reactions."
Julie Zhuo's The Power of Product Thinking is a reference article. After explaining that product thinking will make you and your products stand out, the author describes how to develop it with simple habits. With practice and curiosity, observation and inquiry become a defining mindset.
Sampling work in Interviews
One of the most feared parts of the Software Engineer career is algorithm interviews.
Hiring managers often default to leetcode-style interviews because they don't know better.
So here's to all software hiring managers:
1. Yes, you should absolutely test technical ability with some kind of case study
"Work sample tests are a critical factor in effective hiring. Interviews aren't enough; hiring without work sample tests risks selecting people who excel at interviewing but can't actually perform the job."
2. But no, there are a lot more possibilities than algorithm questions:
Coding homework
Pair programming
Bring Your Own Code
'Reverse' Code Review
Jacob Kaplan-Moss's "Series: Work Sample Tests" is a reference series of articles in that domain. In addition to describing all these different ways of conducting work sample tests, the author gives opinionated insight on how to maximize the inclusivity and predictive value of such tests. The entire series is extremely high-quality content.
Google's Consistent, Global Authorization System
A few weeks ago, I shared the excellent post from Oso that explains why Authorization is hard. Its three main points were enforcement, gathering the data required for a decision, and access modeling. These are extra hard for a small to mid-size company because you have to prioritize and can't afford to build a large authorization system.
But what if you were Google and had near-infinite resources to throw at the problem?
That's Google's Zanzibar, one of the most fascinating core pieces of the Google infrastructure.
"Zanzibar provides a uniform data model and configuration language for expressing a wide range of access control policies from hundreds of client services at Google."
And since Zanzibar is used by many Google products and is in the critical path of all requests, the scale is incredible.
"Zanzibar scales to trillions of access control lists and millions of authorization requests per second to support services used by billions of people. It has maintained 95th-percentile latency of less than 10 milliseconds and availability of greater than 99.999% over 3 years of production use."
Google's Zanzibar: Google's Consistent, Global Authorization System is a paper released in 2019 by the Zanzibar team to shed some light on this internal system. It details the initial requirements, critical architecture decisions, operational data, and lessons learned.
This "public release" of some of the key features of Zanzibar combined with the departure of some Googlers led to hundreds of companies trying to replicate Zanzibar internally, and some even open-sourcing the resulting systems.
Query Engines explained: Push vs Pull
The query engine is a fascinating part of databases. It's particularly true when such query engines must answer a complex query language like SQL.
They are packed with features and optimizations. Understanding them will make you a better engineer - not because you'll be able to build a database - but because they apply everywhere else too.
First stop: "pull" vs. "push" based query engines.
"People talk a lot about "pull" vs. "push" based query engines, and it's pretty obvious what that means colloquially, but some of the details can be a bit hard to figure out."
Justin Jaffray's Query Engines: Push vs. Pull is an excellent explanation of the two different models. Justin uses code samples to make these abstract models a lot more concrete to the reader. And if you're skimming through the article, do not skip the last parts that build on your new understanding. They detail why databases use one model or the other, their impact on algorithms, and (possibly) on performance.
In short:
"In a pull-based system, the operators sit idle until someone asks them for a row."
"In the push-based system, the system sits idle until someone tells it about a row."
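To make the two quotes concrete, here is an added example (not taken from Justin Jaffray's article or from this newsletter) that runs the same scan, filter, and sum query in both models. Every name and the sample rows are hypothetical.

```python
# Added illustration: the same scan -> filter -> sum query in both models.
# All names are hypothetical; ROWS is constructed sample data.
ROWS = [{"user": "a", "bytes": 120}, {"user": "b", "bytes": 40},
        {"user": "a", "bytes": 300}, {"user": "c", "bytes": 75}]

# --- Pull: each operator is an iterator; the consumer drives execution ---
def pull_scan(rows):
    for row in rows:
        yield row                      # runs only when someone calls next()

def pull_filter(child, pred):
    for row in child:                  # asks its child for the next row
        if pred(row):
            yield row

def pull_sum(child, col):
    return sum(row[col] for row in child)   # root pulls until exhausted

# --- Push: each operator is a sink; the source drives execution ---
class SumSink:
    def __init__(self, col):
        self.col, self.total = col, 0

    def push(self, row):
        self.total += row[self.col]

class FilterSink:
    def __init__(self, pred, downstream):
        self.pred, self.downstream = pred, downstream

    def push(self, row):               # idle until told about a row
        if self.pred(row):
            self.downstream.push(row)

def push_scan(rows, downstream):
    for row in rows:
        downstream.push(row)           # the source tells operators about rows

def run_pull(rows, min_bytes):
    wanted = pull_filter(pull_scan(rows), lambda r: r["bytes"] >= min_bytes)
    return pull_sum(wanted, "bytes")

def run_push(rows, min_bytes):
    sink = SumSink("bytes")
    push_scan(rows, FilterSink(lambda r: r["bytes"] >= min_bytes, sink))
    return sink.total
```

Both `run_pull(ROWS, 75)` and `run_push(ROWS, 75)` return the same total; only the direction of control differs.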
Email Authenticity 101: DKIM, DMARC, and SPF
Why do my transactional emails end up in SPAM folders?
There are many possible answers to that question. A lot of them involve copy-pasting DNS instructions from your email provider. You can do better!
Like many internet protocols, email protocols were built for an open internet where people can exchange emails freely. Being this open also created major holes that senders and receivers have to cover with extra layers of security: SPF and DKIM.
"At its core, SPF is just a list of IP addresses that are authorized to send email from your domain."
"DKIM is another security mechanism that uses asymmetric keys to cryptographically verify the server sending email for your domain is authorized to do so."
Yet what's stressful about email is that, as a sender, it can be hard to know if the receiving server accepted your email.
Guess what: this hole has a patch too, and a third acronym. DMARC gives the receiving server instructions to enforce SPF and DKIM checks, plus an address to report results to.
"DMARC is the most powerful piece of modern email security, and its reporting can be incredibly insightful into what spam is out there pretending to be you. If you take anything from this guide, I hope it is that you should take the time and care to set a strict DMARC policy."
Alex Blackie's Email Authenticity 101 explains DKIM, DMARC, and SPF from the point of view of the email domain owner. The perfect guide to get you started or double-check your email security understanding.