Posts Tagged ‘RivieraDev2025’

[RivieraDev2025] Julien Sulpis – What is Color? The Science Behind the Pixels

Julien Sulpis took the Riviera DEV 2025 stage to unravel the science of color, blending biology, physics, and technology to explain the quirks of digital color representation. His presentation demystified why colors behave unexpectedly across platforms and introduced modern color spaces like OKLAB and OKLCH, offering developers tools to create visually coherent interfaces. Julien’s approachable yet rigorous exploration provided actionable insights for enhancing user experience through better color management.

Understanding Color: From Light to Perception

Julien began by defining color as light, an electromagnetic wave with wavelengths between 400 and 700 nanometers, visible to the human eye. He explained how retinal cells—rods for low-light vision and cones for color perception—process these wavelengths. Three types of cones, sensitive to short (blue), medium (green), and long (yellow-orange) wavelengths, combine signals to create the colors we perceive. This biological foundation sets the stage for understanding why digital color representations can differ from human perception.

He highlighted common issues, such as why yellow appears brighter than blue at equal luminosity or why identical RGB values (e.g., green at 0, 255, 0) look different in Figma versus CSS. These discrepancies stem from the limitations of color spaces and their interaction with display technologies, prompting a deeper dive into digital color systems.

Color Spaces and Their Limitations

Julien explored color spaces like sRGB and P3, which define the range of colors a device can display within the CIE 1931 chromaticity diagram. sRGB, the standard for most screens, covers a limited portion of visible colors, while P3, used in modern devices like Macs, offers a broader gamut. He demonstrated how the same RGB code can yield different results across these spaces, as seen in his Figma-CSS example, due to calibration differences and gamut mismatches.

The talk addressed how traditional notations like RGB and HSL fail to account for human perception, leading to issues like inconsistent contrast in UI design. For instance, colors on a chromatic wheel may appear mismatched in brightness, complicating efforts to ensure accessibility-compliant contrast ratios. Julien emphasized that understanding these limitations is crucial for developers aiming to create consistent and inclusive interfaces.

Modern Color Spaces: OKLAB and OKLCH

To address these challenges, Julien introduced OKLAB and OKLCH, perception-based color spaces designed to align with how humans see color. Unlike RGB, which interpolates colors linearly, OKLAB and OKLCH ensure smoother transitions in gradients and palettes by accounting for perceptual uniformity. Julien demonstrated how CSS now supports these spaces, allowing developers to define gradients that maintain consistent brightness and contrast, enhancing visual harmony.

He showcased practical applications, such as using OKLCH to create accessible color palettes or interpolating colors in JavaScript libraries. These tools simplify tasks like ensuring sufficient contrast for text readability, a critical factor in accessible design. Julien also addressed how browsers handle unsupported color spaces, using tone mapping to approximate colors within a device’s gamut, though results vary by implementation.
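An added Python example (not code from the talk) of the gradient effect described above: it implements the published sRGB to OKLAB conversion and compares the lightness of a gradient's 50% stop when the endpoints are mixed in sRGB versus in OKLAB; the blue and yellow endpoints are constructed values.

```python
"""sRGB <-> OKLAB conversion and the lightness of a gradient's midpoint.

Added example, not code from the talk. The matrices are the published
OKLAB definition; sRGB channels are gamma-encoded values in 0..1.
"""
from __future__ import annotations
import math

def _to_linear(c: float) -> float:
    """sRGB transfer function: gamma-encoded channel -> linear light."""
    return c / 12.92 if c <= 0.04045 else ((c + 0.055) / 1.055) ** 2.4

def _from_linear(c: float) -> float:
    """Inverse transfer function, clamped to the displayable 0..1 range."""
    c = min(1.0, max(0.0, c))
    return 12.92 * c if c <= 0.0031308 else 1.055 * c ** (1 / 2.4) - 0.055

def _cbrt(x: float) -> float:
    return math.copysign(abs(x) ** (1 / 3), x)

def srgb_to_oklab(rgb: tuple[float, float, float]) -> tuple[float, float, float]:
    r, g, b = (_to_linear(c) for c in rgb)
    # linear sRGB -> LMS cone responses, then a cube-root nonlinearity
    l = _cbrt(0.4122214708 * r + 0.5363325363 * g + 0.0514459929 * b)
    m = _cbrt(0.2119034982 * r + 0.6806995451 * g + 0.1073969566 * b)
    s = _cbrt(0.0883024619 * r + 0.2817188376 * g + 0.6299787005 * b)
    return (
        0.2104542553 * l + 0.7936177850 * m - 0.0040720468 * s,  # L: lightness
        1.9779984951 * l - 2.4285922050 * m + 0.4505937099 * s,  # a: green<->red
        0.0259040371 * l + 0.7827717662 * m - 0.8086757660 * s,  # b: blue<->yellow
    )

def oklab_to_srgb(lab: tuple[float, float, float]) -> tuple[float, float, float]:
    L, a, b = lab
    l = (L + 0.3963377774 * a + 0.2158037573 * b) ** 3
    m = (L - 0.1055613458 * a - 0.0638541728 * b) ** 3
    s = (L - 0.0894841775 * a - 1.2914855480 * b) ** 3
    return (
        _from_linear(4.0767416621 * l - 3.3077115913 * m + 0.2309699292 * s),
        _from_linear(-1.2684380046 * l + 2.6097574011 * m - 0.3413193965 * s),
        _from_linear(-0.0041960863 * l - 0.7034186147 * m + 1.7076147010 * s),
    )

def mix(c1, c2, t: float):
    """Channel-wise linear interpolation, the way a plain RGB gradient works."""
    return tuple((1 - t) * x + t * y for x, y in zip(c1, c2))

def midpoint_lightness(c1, c2) -> tuple[float, float]:
    """OKLAB lightness of the 50% stop when mixing in sRGB vs. in OKLAB."""
    in_srgb = srgb_to_oklab(mix(c1, c2, 0.5))[0]
    in_oklab = mix(srgb_to_oklab(c1), srgb_to_oklab(c2), 0.5)[0]
    return in_srgb, in_oklab

if __name__ == "__main__":
    blue, yellow = (0.0, 0.0, 1.0), (1.0, 1.0, 0.0)  # constructed endpoints
    s, o = midpoint_lightness(blue, yellow)
    print(f"blue->yellow midpoint L: sRGB mix {s:.3f}, OKLAB mix {o:.3f}")
```

The sRGB-mixed midpoint lands on a mid-gray whose lightness is well below the average of the two endpoints, which is the dull band seen in the middle of RGB gradients; the OKLAB-mixed midpoint sits exactly halfway in perceived lightness.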

Practical Applications for Developers

Julien concluded with actionable advice for developers, urging them to leverage OKLAB and OKLCH for more accurate color calculations. He recommended configuring design tools like Figma to match target color spaces (e.g., sRGB for web) and using media queries to adapt colors for displays supporting wider gamuts like P3. By understanding the science behind color, developers can avoid pitfalls like inconsistent rendering and create interfaces that are both aesthetically pleasing and accessible.

He also encouraged experimentation with provided code samples and libraries, available via a QR code, to explore color transformations. Julien’s emphasis on practical, perception-driven solutions empowers developers to enhance user experiences while meeting accessibility standards.

[RivieraDev2025] Olivier Poncet – Anatomy of a Vulnerability

Olivier Poncet captivated the Riviera DEV 2025 audience with a detailed dissection of the XZ Utils attack, a sophisticated supply chain assault revealed on March 29, 2024. Through a forensic analysis, Olivier explored the attack’s two-year timeline, its blend of social and technical engineering, and its near-catastrophic implications for global server security. His presentation underscored the fragility of open-source software supply chains, urging developers to adopt rigorous practices to safeguard their systems.

The XZ Utils Attack: A Coordinated Threat

Olivier introduced the XZ Utils attack, centered on the CVE-2024-3094 vulnerability, which was rated at the maximum severity of 10/10. XZ Utils, a widely used compression library integral to Linux distributions and kernel boot processes, was compromised with malicious code embedded in its upstream tarballs. The attack, discovered fortuitously by Andres Freund, a PostgreSQL engineer at Microsoft, aimed to weaken the SSH daemon, potentially granting attackers access to countless exposed servers. Olivier highlighted the serendipitous nature of the discovery: Andres stumbled upon the issue during routine benchmarking and noticed suspicious behavior that led to a deeper investigation.

The attack’s objectives were threefold: corrupt the software supply chain, undermine SSH security, and achieve widespread system compromise. Olivier emphasized that this was not a mere flaw but a meticulously planned operation, exploiting the trust inherent in open-source ecosystems.

Social and Technical Engineering Tactics

The XZ Utils attack leveraged a blend of social and technical manipulation. Olivier detailed how the attacker, over two years, used social engineering to infiltrate the project’s community, likely posing as a trusted contributor to introduce malicious code. This included pressuring maintainers and exploiting the project’s reliance on a small, often unpaid, team. Technically, the attack involved injecting backdoors into the tarballs, which were then distributed to Linux distributions, bypassing standard security checks.

Olivier’s analysis, conducted through extensive virtual machine testing post-discovery, revealed the attack’s complexity, including obfuscated code designed to evade detection. He stressed that the human element—overworked maintainers and community trust—was the weakest link, highlighting the need for robust governance in open-source projects.

Supply Chain Vulnerabilities in Open Source

A key focus of Olivier’s talk was the broader vulnerability of open-source supply chains. He cited examples like the npm package “is-odd,” unnecessarily downloaded millions of times, and the “colors” package, whose maintainer intentionally broke builds worldwide by introducing malicious code. These incidents illustrate how transitive dependencies and unverified packages can introduce risks. Olivier also referenced a recent Hacker News report about over 200 malicious GitHub repositories targeting developers, underscoring the growing threat of supply chain attacks.

He warned that modern infrastructures, heavily reliant on open-source software, are only as strong as their weakest link—often a single maintainer. Tools like Docker Hub, npm, and pip, while convenient, can introduce unvetted dependencies, amplifying risks. Olivier advocated for heightened scrutiny of external repositories and dependencies to mitigate these threats.

Mitigating Risks Through Best Practices

To counter supply chain vulnerabilities, Olivier proposed practical measures. He recommended using artifact repositories like Artifactory to locally store and verify dependencies, ensuring cryptographic integrity through hash checks. While acknowledging the additional effort required, he argued that such practices significantly enhance security by reducing reliance on external sources. Auditing direct and transitive dependencies, questioning their necessity, and reimplementing simple functions locally were also advised to minimize exposure.
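The pin-and-verify step Olivier recommends, as an added Python example that is neither the talk's code nor any artifact-repository product's: artifacts are hashed once from a reviewed copy, and every later copy a build consumes must match its pin before use, with unpinned or mismatched artifacts blocking the build (artifact names and contents are constructed).

```python
"""Pin-and-verify check for mirrored dependency artifacts.

Added example, not code from the talk or from any artifact repository
product. Artifacts are pinned by SHA-256 once, from a copy that was
reviewed, and every later copy a build consumes must match its pin.
Anything unpinned or mismatched blocks the build instead of being
silently accepted.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Verdict:
    ok: list[str] = field(default_factory=list)
    mismatched: list[str] = field(default_factory=list)  # digest differs from pin
    unpinned: list[str] = field(default_factory=list)    # no pin: never reviewed

    def passed(self) -> bool:
        return not self.mismatched and not self.unpinned


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_artifacts(trusted: dict[str, bytes]) -> dict[str, str]:
    """Record digests of reviewed artifacts; this mapping is the pin file."""
    return {name: sha256_hex(data) for name, data in trusted.items()}


def verify_artifacts(artifacts: dict[str, bytes], pins: dict[str, str]) -> Verdict:
    """Compare every artifact a build is about to use against its pin."""
    verdict = Verdict()
    for name, data in sorted(artifacts.items()):
        expected = pins.get(name)
        if expected is None:
            verdict.unpinned.append(name)
            continue
        # constant-time comparison of two equal-length hex digests
        if hmac.compare_digest(sha256_hex(data), expected.lower()):
            verdict.ok.append(name)
        else:
            verdict.mismatched.append(name)
    return verdict


if __name__ == "__main__":
    # Constructed sample data: pins built from reviewed copies, then a later
    # mirror state where one tarball changed and one was never reviewed.
    reviewed = {
        "libfoo-1.2.3.tar.gz": b"reviewed libfoo release",
        "libbar-0.9.0.tar.gz": b"reviewed libbar release",
    }
    pins = pin_artifacts(reviewed)
    mirror = {
        "libfoo-1.2.3.tar.gz": b"reviewed libfoo release",
        "libbar-0.9.0.tar.gz": b"reviewed libbar release with extra bytes",
        "libbaz-2.0.0.tar.gz": b"never reviewed",
    }
    result = verify_artifacts(mirror, pins)
    print("ok:", result.ok, "mismatched:", result.mismatched,
          "unpinned:", result.unpinned, "build may proceed:", result.passed())
```

A changed tarball and a new, unreviewed one are both reported by name, so the build fails closed and the pin file doubles as the audit trail of which dependency versions were actually looked at.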

Olivier concluded with a call to action, urging developers to treat supply chain security as a priority. By fostering a culture of vigilance and investing in secure practices, organizations can protect their systems from sophisticated attacks like XZ Utils, preserving the integrity of the open-source ecosystem.

[RivieraDev2025] Dhruv Kumar – Platform Engineering + AI: The Next-Gen DevOps

At Riviera DEV 2025, Dhruv Kumar delivered an engaging presentation on platform engineering, a discipline reshaping software delivery by addressing modern development challenges. Stepping in for Silva Devi, Dhruv, a senior product manager at CloudBees, explored how platform engineering, augmented by artificial intelligence, streamlines workflows, enhances developer productivity, and mitigates the complexities of cloud-native environments. His talk illuminated the transformative potential of internal developer platforms (IDPs) and AI-driven automation, offering a vision for a more efficient and secure software development lifecycle (SDLC).

The Challenges of Modern Software Development

Dhruv began by highlighting the evolving responsibilities of developers, who now spend only about 11% of their time coding, according to a survey by software.com. The remaining time is consumed by non-coding tasks such as testing, deployment, and managing security vulnerabilities. The shift-left movement, while intended to empower developers by integrating testing and deployment earlier in the process, often burdens them with tasks outside their core expertise. This is compounded by the transition to cloud environments, which introduces complex microservices architectures and distributed systems, creating navigation challenges and integration headaches.

Additionally, the rise of AI has accelerated software development, increasing code volume and tool proliferation, while supply chain attacks exploit these complexities, demanding constant vigilance from developers. Dhruv emphasized that these challenges—fragmented workflows, heightened security risks, and tool overload—necessitate a new approach to streamline processes and empower teams.

Platform Engineering: A Unified Approach

Platform engineering emerges as a solution to these issues, providing a cohesive framework for software delivery. Dhruv defined it as the discipline of designing toolchains and workflows that enable self-service capabilities for engineering teams in the cloud-native era. Central to this is the concept of an internal developer platform (IDP), which integrates tools and processes across the SDLC, from coding to deployment. By establishing a common SDLC model and vocabulary, platform engineering ensures that stakeholders—developers, QA, and security teams—share a unified understanding, reducing miscommunication and enhancing actionability.

Dhruv highlighted three pillars of effective platform engineering: a standardized SDLC model, secure best practices embedded in workflows, and the freedom for developers to use familiar tools. This last point, supported by a Forbes study from September 2023, underscores that happier developers, using tools they prefer, complete tasks 10% faster. By fostering collaboration and reducing context-switching, platform engineering creates an environment where developers can focus on innovation rather than operational overhead.

AI as a Catalyst for Optimization

Artificial intelligence plays a pivotal role in amplifying platform engineering’s impact. Dhruv explained that AI’s value lies not in generating code but in filtering noise and optimizing practices. By leveraging a robust SDLC data model, AI can provide actionable insights, provided it is fed high-quality data. For instance, AI-driven testing can prioritize time-intensive issues, streamline QA processes, and run only relevant tests based on code changes, reducing costs and feedback cycles. Dhruv cited examples like AI agents identifying vulnerabilities in code components or assessing risks in production ecosystems, automating fixes where appropriate.

He also introduced the Model Context Protocol (MCP), an open standard that enables applications to provide context to large language models, enhancing AI’s ability to deliver precise recommendations. From troubleshooting CI/CD pipelines to onboarding new developers, AI, when integrated with platform engineering, empowers teams to address bottlenecks and scale efficiently in a cloud-native world.

Empowering Developers and Securing the Future

Dhruv concluded by emphasizing that platform engineering, bolstered by AI, re-engages all actors in the software delivery process, from developers to leadership. By normalizing data across tools and providing metrics like DORA (DevOps Research and Assessment), IDPs offer visibility into bottlenecks and investment opportunities. This holistic approach not only secures the tech stack against supply chain attacks but also fosters a culture of productivity and developer satisfaction.

He encouraged attendees to explore CloudBees’ platform, which exemplifies these principles by breaking free from traditional platform limitations. Dhruv’s call to action urged developers to adopt platform engineering practices, leverage AI for optimization, and provide feedback to refine these evolving methodologies, ensuring a future where software delivery is both efficient and resilient.

[RivieraDev2025] Stanley Servical and Louis Fredice Njako Molom – Really Inaccessible

At Riviera DEV 2025, Stanley Servical and Louis Fredice Njako Molom presented an immersive workshop titled “Really Inaccessible,” designed as an escape game to spotlight the challenges of digital accessibility. Through a hands-on, interactive experience, Stanley and Louis guided participants into the perspectives of users with visual, auditory, motor, and cognitive disabilities. Their session not only highlighted the barriers faced by these users but also provided practical strategies for building inclusive digital solutions. This engaging format, combined with a focus on actionable improvements, underscores the critical role of accessibility in modern software development.

Immersive Learning Through an Escape Game

Stanley and Louis kicked off their workshop with an innovative escape game, inviting participants to navigate a digital environment deliberately designed with accessibility flaws. The game, accessible via a provided URL, immersed attendees in scenarios mimicking real-world challenges faced by individuals with disabilities. Participants were encouraged to use headphones for a fully immersive experience, engaging with tasks that highlighted issues like poor color contrast, missing link styles, and inaccessible form elements. The open-source nature of the game, as Stanley emphasized, allows developers to adapt and reuse it, fostering broader awareness within teams and organizations.

The escape game served as a powerful tool to simulate the frustrations of inaccessible interfaces, such as navigating without a mouse or interpreting low-contrast text. Feedback from participants underscored the game’s impact, with one developer noting how it deepened their understanding of motor and auditory challenges, reinforcing the need for inclusive design. Louis highlighted that the game’s public availability enables it to be shared with colleagues or even non-technical audiences, amplifying its educational reach.

The State of Digital Accessibility

Following the escape game, Stanley and Louis transitioned to a debrief, offering a comprehensive overview of digital accessibility’s current landscape. They emphasized that accessibility extends beyond screen readers, encompassing motor, cognitive, and visual impairments. The European Accessibility Act, effective since June 28, 2025, was cited as a pivotal legal driver, mandating inclusive digital services across public and private sectors. However, they framed this not as a mere compliance obligation but as an opportunity to enhance user experience and reach broader audiences.

The speakers identified common accessibility pitfalls, such as unstyled links or insufficient color contrast, which disrupt user navigation. They stressed that accessibility challenges are highly individualized, requiring flexible solutions that adapt to diverse needs. Tools like screen readers and keyboard navigation aids were discussed, with Stanley noting their limitations when applications lack proper semantic structure. This segment underscored the necessity of integrating accessibility from the earliest stages of design and development to avoid retrofitting costs.

User-Centric Testing for Inclusive Design

A core theme of the workshop was the adoption of a user-centric testing approach to ensure accessibility. Louis introduced tools like Playwright and Cypress, which integrate accessibility checks into end-to-end testing workflows. By simulating user interactions—such as keyboard navigation or form completion—these tools help developers identify and address issues like focus traps in pop-ups or inaccessible form inputs. For instance, Louis demonstrated a test scenario where a form’s number input required specific accessibility roles to ensure compatibility with assistive technologies.

The speakers emphasized that user-centric testing aligns accessibility with functional requirements, enhancing overall application quality. They showcased how tools like Axe-core can be embedded in testing pipelines to scan single-page applications (SPAs) for accessibility violations on a per-use-case basis, rather than just page-level checks. This approach, as Stanley noted, ensures that tests remain relevant to real-world user interactions, making accessibility a seamless part of the development process.

Practical Strategies for Improvement

Stanley and Louis concluded with actionable strategies for improving accessibility, drawing from real-world case studies. They advocated for simple yet impactful practices, such as ensuring proper focus management in pop-ups, using semantic HTML, and maintaining high contrast ratios. For example, they highlighted the importance of updating page titles dynamically in SPAs to aid screen reader users, a practice often overlooked in dynamic web applications.

They also addressed the integration of accessibility into existing workflows, recommending manual testing for critical user journeys and automated checks for scalability. The open-source ecosystem around their escape game, including plugins and VS Code extensions, was presented as a resource for developers to streamline accessibility testing. Louis emphasized collaboration between developers and manual testers to avoid redundant efforts, ensuring that accessibility enhancements align with business goals.

Leveraging Open-Source and Community Feedback

The workshop’s open-source ethos was a recurring theme, with Stanley and Louis encouraging participants to contribute to the escape game’s evolution. They highlighted its flexibility, noting that developers can tailor scenarios to specific accessibility challenges, such as color blindness or motor impairments. The inclusion of a “glitch code” to bypass bugs in the game demonstrated their commitment to practical usability, even in an educational tool.

Participant feedback was actively solicited, with suggestions like adding a menu to navigate specific game sections directly. Stanley acknowledged this as a valuable enhancement, noting that relative URLs for individual challenges are already available in the game’s repository. This collaborative approach, paired with the workshop’s emphasis on community-driven improvement, positions the escape game as a living project that evolves with user input.

Legal and Ethical Imperatives

Beyond technical solutions, Stanley and Louis underscored the ethical and legal imperatives of accessibility. The European Accessibility Act, alongside frameworks like the RGAA (Référentiel Général d’Amélioration de l’Accessibilité), provides a structured guide for compliance. However, they framed accessibility as more than a regulatory checkbox—it’s a commitment to inclusivity that enhances user trust and broadens market reach. By designing for the most marginalized users, developers can create applications that are more robust and user-friendly for all.

The speakers also addressed emerging trends, such as voice-activated navigation, referencing tools like Dragon NaturallySpeaking. While not yet fully integrated into their framework, they expressed openness to exploring such technologies, inviting community contributions to tackle these challenges. This forward-looking perspective ensures that accessibility remains dynamic, adapting to new user needs and technological advancements.

Empowering Developers for Change

The workshop closed with a call to action, urging developers to apply their learnings immediately. Stanley and Louis encouraged attendees to share the escape game, integrate accessibility testing into their workflows, and advocate for inclusive design within their organizations. They emphasized that small, consistent efforts—such as verifying keyboard navigation or ensuring proper ARIA roles—can yield significant improvements. By fostering a culture of accessibility, developers can drive meaningful change, aligning technical innovation with social responsibility.
