Skip to content
DevMeme
851 of 7435
The Only Truly Secure Application
DevCommunities Post #961, on Jan 6, 2020 in TG

The Only Truly Secure Application

Why is this DevCommunities meme funny?

Level 1: No Toy, No Mess

Imagine you have a toy box, but you decide not to take out any toys to play. Now, if you never take any toys out, you’ll never have a mess to clean up, and none of your toys can get broken. Easy, right? But of course, you also don’t get to play with your toys at all. This meme is joking about the same idea applied to making computer programs. It says the safest and most reliable program is the one that you never even create. If a programmer doesn’t write any code, nothing can go wrong with it – kind of like how a toy left in the box can’t get lost or broken. The picture from GitHub is showing a pretend project where the instructions literally say: “Write nothing; deploy nowhere.” In simple terms, that means “don’t make anything, and you’ll never have any problems.” It’s funny because normally we write code to make something useful, just like we take out toys to have fun. Saying the best way to succeed is to do nothing is a silly, upside-down way of looking at things. It’s a bit like a child proudly saying, “I got a perfect score on the test because I didn’t answer any questions – I didn’t get anything wrong!” Technically, if you don’t attempt anything, you can’t make a mistake — but you also don’t achieve anything. Everyone knows we actually have to write some code to have a real app or game, but this joke makes us laugh by pretending that doing nothing is the ultimate “perfect” solution. It’s a playful reminder that while doing less can sometimes avoid problems, you won’t get anywhere if you never try – and that silly extreme is what makes it a joke that developers find hilarious.

Level 2: Zero LOC Strategy

Let’s break down what’s actually shown in this GitHub repository screenshot, and why it’s funny to developers. GitHub is a popular website for hosting coding projects (repositories). Normally, a repository contains source code files and maybe a working application. But in the “nocode” repository, there are essentially zero lines of code doing anything. The file list shows items like README.md, LICENSE, Dockerfile, and CONTRIBUTING.md. Notably missing is any actual .py, .js, .java, etc., file – there’s no program logic at all. The phrase “zero LOC” literally means the project has zero Lines Of Code. In other words, this project’s core feature is that it has no implementation.

Despite having no functional code, the repository’s statistics are huge: 34.5k stars (GitHub’s way of bookmarking or liking a project), 3.1k forks (copies of the repo, usually made when someone intends to modify or contribute to a project), and over 2.6k issues and 396 pull requests. Normally, an “issue” on GitHub is where users report bugs or request features, and a “pull request” (PR) is where someone proposes changes to the code by forking and then submitting their modifications back. The funny thing here is, what are all these people discussing or proposing if there is no code? It turns out they’re in on the joke. The issues and PRs are mostly humorous in nature – people pretending to find bugs in the non-existent application or suggesting new features that continue to do nothing. For example, someone might tongue-in-cheek open an issue saying, “The application isn’t doing anything, is this a bug?” and someone else might suggest a pull request to “fix” it by, say, adding an empty line (which still does nothing). This flood of issues_without_code and pull_request_spam is part of the community’s way of enjoying the satire. It’s like a collaborative joke, where developers riff on the concept of an empty app.

The tagline of the project is prominently shown: “The best way to write secure and reliable applications. Write nothing; deploy nowhere.” This is written in the README (the main documentation file) and it’s essentially the project’s slogan. Let’s unpack that: if you write nothing, you’re not writing any code, so there can be no mistakes in code. If you deploy nowhere, you’re not running the app on any server or device, so it can’t crash or be unavailable. It’s a satirical twist on real software advice. In real life, we do aim to write less code (don’t reinvent the wheel, keep things simple) and we aim for secure, reliable deployments. This meme just jokes that the ultimate way to achieve perfect security and reliability is to have no software at all! It’s secure_by_absence – nothing to hack, and reliable because there’s nothing to break. It’s a play on the notion that “the only truly safe system is one that’s turned off.” Here, the safest app is one that was never built.

Now, why did this repo become so popular (all those stars and forks)? It’s because it cleverly satirized a trend in the industry. Around the time (and still today), there’s a big trend called “low-code/no-code” platforms. These are tools that claim to let you build apps with very little traditional programming. You might drag and drop components or fill out forms instead of writing code line by line. The idea is to make app development accessible and faster by reducing the amount of code a developer writes. Many developers are a bit skeptical of the hype – we know that creating a non-trivial application always involves logic somewhere, even if it’s hidden behind a tool. The nocode_repository by Kelsey Hightower took this idea to an extreme to poke fun at it. It basically said: If no-code is good, how about we go all the way to NO code at all? The absurdity of a completely empty application being held up as the pinnacle of security/reliability made people laugh and say “touché.” It was a way of humorously reminding everyone that less code can be good, but you can’t have useful software with zero code.

Let’s look at some specifics in the screenshot:

  • Watch 310: 310 people are “watching” the repository, meaning they get notified about discussions or changes. It’s funny because they’re basically waiting to be updated about nothing happening – a comedic contrast.
  • Star 34.5k: Over 34,000 people liked or bookmarked this project. For context, that’s a huge number; many important open-source tools have fewer stars. It shows how widely the joke resonated. Developers essentially said “I see what you did there” by starring it.
  • Fork 3.1k: More than 3,000 people made copies. Why fork an empty repo? Possibly to make their own humorous contributions or just as part of joining the fun. Some might have been trying to submit those joking PRs.
  • 1 contributor: Only one person (the creator) officially contributed to the repository’s main branch. This makes sense – the whole point is nobody should add code. So despite thousands of attempts to contribute (those PRs), none were merged because adding anything would ruin the joke. The sole contributor likely just set up the initial structure and documentation.
  • 3 commits: A commit is a saved change. The messages next to the files show what those commits were:
    • “add no code” for CONTRIBUTING.md and LICENSE suggests when those files were created, the commit note humorously said they added “no code” (indeed they didn’t add any program code, just text files).
    • “add Docker support” for Dockerfile indicates they added a Dockerfile to the repo with that commit message. Docker is a technology used to package applications into containers. Including a Dockerfile in a project typically means you can containerize the application. In this case, it’s comical: even though the app does nothing, they provided a Dockerfile so you could run that nothingness in a Docker container! It’s like saying, “Yes, we support all deployment methods — even Docker — for our non-app.” Likely that Dockerfile is nearly empty, perhaps using a base image like scratch (which is an empty container image) or doing essentially nothing. The commit message just stays in character with the project’s tone.
    • “add windows support” for README.md implies they updated the README to mention that the application now supports Windows (in addition to whatever else). Since the app does nothing, “Windows support” probably meant adding a line in documentation saying “Works on Windows too, because it doesn’t actually run.” It mocks how projects often brag about multi-OS support; here it was trivial because doing nothing works the same everywhere!
  • Apache-2.0 License: This is a standard open-source license. Including a LICENSE file is normal for open source projects, even though here it covers an empty codebase. It’s part of the joke’s thoroughness — even nothing is formally licensed! Essentially it says: you can use this non-software freely. The presence of a license and contributing guide (CONTRIBUTING.md) gives the repo an authentic feel of a serious project, which heightens the humor when you realize those documents likely say “don’t actually contribute any code.”

For a newcomer, it might be confusing why everyone is excited about a repository that literally contains nothing useful. The humor lies in the contrast and the commentary. Developers often deal with OverEngineering – projects that are needlessly complex – and with hype that “this new tool will solve all problems and you’ll hardly have to code.” This repository takes a lighthearted jab at all that. By adopting a completely serious tone about something so absurd, it creates a classic form of developer humor. It’s a DeveloperMeme that you appreciate more as you understand software development: the bold claim of 100% secure and reliable app is technically true here, but only because they sidestepped the actual goal of software (doing something useful). It’s like an engineer’s version of a joke, wrapped in the form of a working GitHub project. And because it’s on GitHub where developers hang out, it spread rapidly — people started sharing the link saying “Check out this revolutionary framework!” only to reveal it’s an empty repo, getting a good laugh in return. In summary, the Zero LOC strategy shown here means if you write no code, you also introduce no new problems. Great for code quality, not so great if you actually needed an application! The popularity of this gag project is a wink from the programming community, reminding us that sometimes the best solution is to keep things simple… although maybe not this simple in real life.

Level 3: Secure by Absence

At first glance, the screenshot of the kelseyhightower/nocode repository looks like a thriving open-source project: thousands of stars ⭐, hundreds of forks, and an active issues list. Seasoned developers immediately smirk at the irony. The project’s tagline declares, “The best way to write secure and reliable applications. Write nothing; deploy nowhere.” This is pure TechSatire. It pokes fun at both CodeQuality mantras and IndustryTrends_Hype around “no-code” solutions by taking them to an absurd conclusion. After all, every experienced programmer knows that the fewer lines of code you write, the fewer bugs you introduce. So here’s an app with zero lines of code – logically it should have zero bugs, right? Secure by absence, indeed! No code means no mistakes, no runtime errors, no need for hotfixes at 3 AM. It’s the only project in the world that can truthfully boast a 0% bug rate and maximum_test_coverage without writing a single unit test.

This repository is a brilliant github_parody. It mimics the structure of a serious project to deliver a joke. The README reads like a sincere manual, even including a Getting Started section that instructs: “Start by not writing any code.” The documentation is intentionally ironic_documentation – it adopts the tone of an official guide for an application that doesn’t exist. For example, it suggests you can imagine the application doing anything you want, and that adding new features is as easy as continuing to write nothing. Seasoned devs laugh because it parodies every over-hyped framework’s promise of ease. Here, the promise is ultimate ease: do nothing and voilà, feature complete! The commit history shows messages like “add no code” and “add Docker support,” as if new features were being implemented. In reality, those commits likely just added empty or placeholder files (like an empty Dockerfile) to maintain the illusion. The inclusion of a Dockerfile with the note "add Docker support" is especially humorous to anyone in DevOps: it satirizes our tendency to containerize every app. Yes, they even Dockerized the absence of an app! One can imagine the Dockerfile simply using FROM scratch (an empty base image) because what else would it do? It’s a playful jab at how we sometimes apply heavyweight tools to trivial or nonexistent problems – the very definition of OverEngineering.

Another layer of humor here is how the developer community responded. The repo shows Issues 2,679 and Pull requests 396. That’s an astonishing amount of activity for a project explicitly telling you “don’t create anything.” This reflects a shared joke among developers: thousands have participated by filing tongue-in-cheek issues_without_code and spamming pull_request_spam for a laugh. Experienced engineers recognize this scenario: the more popular a GitHub project, the more random or off-topic contributions it attracts — in this case, entirely facetious ones. There were likely PRs like “Improve performance by doing nothing faster” or issues like “Application does nothing, please add feature X (that also does nothing).” Managing a popular repo can be hard, and here the sole maintainer (Google’s Kelsey Hightower, a respected figure in cloud computing) cheekily became the maintainer of nothing. Senior devs chuckle at the thought: even an empty project can generate massive community management overhead. It’s a clever commentary on open-source popularity contests — this empty repository amassed 34.5k stars because it made a witty statement that resonated widely. It satirizes our habit of chasing trends: at one point “NoCode” was literally one of the hottest projects on GitHub, highlighting how developers appreciate a good inside joke about their own practices.

Importantly, this meme also parodies the lowcode_hype_parody movement. In the tech industry, there’s constant buzz that “coding will soon be obsolete, anyone will create apps with drag-and-drop!” or that no-code platforms will let non-programmers build complex systems. Seasoned developers have seen these cycles come and go (from visual programming tools in the 90s, to UML auto-generators, to modern app builder services). There’s always a promise that we can eliminate the need to hand-code everything. The nocode_repository mocks that promise: it delivers the ultimate no-code platform – one where nothing is built at all, which is ironically the only way to have zero bugs and zero maintenance. It’s a fun reminder that while tools can reduce the amount of code we write, at the end of the day, useful software has to do something, and doing something inevitably carries complexity. Write_nothing_deploy_nowhere is the satirical endpoint of the “less code, fewer problems” philosophy. Real senior engineers strive for simplicity and to avoid OverEngineering, but not quite to this nihilistic extreme. Still, the underlying truth makes the joke powerful: every line of code is a liability, so the code that doesn’t exist is the easiest to maintain. As the old saying (half-jokingly) goes, Zero lines of code = zero bugs.” The community’s overwhelming reaction – tens of thousands of stars – shows that this tongue-in-cheek lesson in code minimalism struck a chord with developers everywhere. It’s a meme that makes you nod and laugh, because who among us hasn’t fantasized during a late-night debugging session: “If only this whole system could just run on no code at all, then I could finally get some sleep!”

Level 4: Attack Surface Zero

From a theoretical standpoint, writing no code eliminates complexity and potential faults by definition. In software security, the idea of minimizing an application's attack surface is crucial – fewer exposed functions and endpoints mean fewer avenues for attackers. NoCode takes this to the extreme: with zero lines of code (zero LOC), the attack surface is literally nonexistent. There are no logic bugs, no buffer overflows, no SQL injections, because there's no code running to contain such flaws. The system can’t be breached through the application layer if the application doesn’t do anything at all. This is the ultimate secure_by_absence design.

From a reliability perspective, a program that has no operations cannot crash or misbehave. It has an effectively 100% uptime (a bit tongue-in-cheek, since an idle program doesn’t truly serve users, but hey, it never goes down!). The runtime complexity can be treated as O(1) – constant time – because the program immediately does nothing and finishes. Memory footprint is minimal; if you run an empty container it’s just the overhead of the container itself. There are no race conditions or memory leaks when nothing executes. In formal verification terms, an empty codebase vacuously satisfies any property of doing nothing. The classic joke in computer science is that the only program guaranteed to be bug-free is the one that doesn’t exist – here it is materialized as a GitHub repo. We have essentially reached the nirvana of code quality in a paradoxical way: by having no code at all, we achieve perfect CodeQuality metrics. It's a comically perfect solution to the halting problem too – an empty program halts immediately without issue.

This level of abstraction also hints at the limits of IndustryTrends that promise magical solutions. “No code” as a concept is almost like a degenerate case of a programming language: it’s akin to a Turing machine with a blank tape that performs no operations. Interestingly, if you consider composition of software components as a mathematical monoid, the empty program is like the identity element – composing it with any program leaves the other program unchanged. In this repository, however, composition isn’t even on the table; it’s a standalone pristine identity with nothing to combine. By reducing everything to nothingness, the project humorously showcases a theoretical upper bound on security and reliability – one that is only achievable by doing absolutely nothing. This is the ultimate minimalistic architecture: a system with Attack Surface Zero that achieves safety and stability by entirely opting out of doing work.

Description

A screenshot of the GitHub repository 'nocode' by user 'kelseyhightower'. The repository page shows typical GitHub UI elements like tabs for Code, Issues (2,679), and Pull requests (396). The repository description reads, 'The best way to write secure and reliable applications. Write nothing; deploy nowhere.' The file list includes CONTRIBUTING.md, Dockerfile, LICENSE, and README.md, with commit messages like 'add no code', 'add Docker support', and 'add windows support'. The README.md section is visible, with the title 'No Code' and the text 'No code is the best way to write secure and reliable applications. Write nothing; deploy nowhere.' This is a satirical commentary on software development, humorously arguing that the only way to avoid bugs, security vulnerabilities, and maintenance overhead is to not write any code at all. It's a famous joke repository created by Kelsey Hightower, a well-respected figure in the tech community, making it an inside joke for experienced developers who understand the inherent complexities and risks of software engineering

Comments

7
Anonymous ★ Top Pick The 'nocode' repo has more stars than most production applications and is the only project in history to achieve 100% test coverage, zero vulnerabilities, and infinite scalability on its first commit
  1. Anonymous ★ Top Pick

    The 'nocode' repo has more stars than most production applications and is the only project in history to achieve 100% test coverage, zero vulnerabilities, and infinite scalability on its first commit

  2. Anonymous

    After decades of bikeshedding about architecture, 'nocode' finally proves the only bullet-proof pattern: no lines, no bugs, just 2,679 unresolved issues about nothing

  3. Anonymous

    After 20 years in the industry, I've finally found the only framework with zero CVEs, perfect uptime, and no technical debt - it's also the same one that passes all security audits instantly and never needs dependency updates

  4. Anonymous

    Finally, a codebase that passes every security audit, has zero CVEs, requires no dependency updates, and scales infinitely - because the best code is no code. This is what happens when you take 'defensive programming' to its logical extreme: the only winning move is not to play. With 34.5k stars, it's apparently more popular than half the frameworks we're forced to use in production

  5. Anonymous

    We finally met every SLO and compliance requirement - no endpoints, no data, no users; YAGNI-as-a-Service

  6. Anonymous

    Zero attack surface, zero tech debt: the only architecture where 'immutable infrastructure' means it can't mutate because it doesn't exist

  7. Anonymous

    Finally found an architecture that meets every SLO: a blank repo - zero LOC, zero dependencies, zero CVEs, and the on-call rotation is an empty array

Use J and K for navigation