I recently communicated 3 security issues in the Safari browser to Apple.
Apple let me know that they will fix 1 of the issues I reported. I will not discuss the vulnerability Apple has promised to fix until they release the fix because it is a high risk issue affecting Safari on OSX and Windows.
I let Apple know that I’d like to discuss the 2 issues they won’t be fixing with the security community and they let me know they are fine with it.
I happened to come across this article in Redmond Developer News recently…
Redmond Among Contributors to Open Source PHP Framework
…about contributors to the Zend Framework. Among the many (400) contributors to the project are Google and Microsoft. It’s probably just me, but I found it amusing (in a good way) that the two arch-rivals contributed pieces to the same Open Source project.
The article goes on to describe how Microsoft sponsored work to enable InfoCard (now called CardSpace) support in a number of Open Source products including Zend and Ruby on Rails.
Yesterday Google celebrated the opening of a larger Cambridge,
Massachusetts office, which takes up a substantial part of a building
right next to the Kendall/MIT subway stop in the higher-than-high tech
area of East Cambridge. I got a look at their new Friend Connect
service (covered in a
related Radar blog)
and heard some fascinating comments that the staff kindly let me
reproduce here.
Google staff certainly know how to say the right things and react in
ways I approve of to the situations Google finds itself in. More and more
people I know (including authors) are Google employees, which is
statistically predictable because more and more people in general are
Google employees. The Cambridge office has been growing wildly since
it began with the purchase of the company that created Android. And
this office is one of 45 Google offices around the world.
This raises the question of whether the empire can be supported
through continued sales of advertising, and whether Google’s stated
openness carries through to employee behavior on the ground. I
explored these questions with managers and staff at
On a recent consulting gig, a client had the requirement that a JavaScript deliverable needed to run in a self-enclosed script tag that would be arbitrarily placed within the body of a page. In other words, I needed to deliver a JavaScript file such that the following code snippet would work:
<!-- somewhere in the page... -->
<div id="specialContainer">
<script type="text/javascript" src="foo.js"></script>
</div>
<!-- ... -->
So, in the end, it’s a pretty routine chore. A special container needs to exist at an arbitrary place in the page, the self-enclosed script tag will do some DOM building within it, and all of the magic happens therein. Well, hopefully, it goes without saying that I wanted to streamline the time it took me to complete this task with the help of Dojo.
Microsoft’s Patch Tuesday will be upon us soon, patching 3 critical and 1 moderate security problems. Security issues aren’t just a problem for Microsoft software of course. And, I recently learned about…
oCERT: Open Source Computer Emergency Response Team
…which describes itself like this…
The oCERT project is a public effort providing security handling support to Open Source projects affected by security incidents or vulnerabilities, just like national CERTs offer services for their respective countries.
There doesn’t seem to be a lot there yet (only 4 advisories posted so far, the last on April 17). But, I hope oCERT will become a good resource for those of us who deploy a lot of Open Source applications.
Port 25 Security Related Blog items
Okay, actually, there are a number of virtualization options not listed in the title, but the one nobody seems to be talking much about is Sun’s xVM VirtualBox. But, wait! you say, Sun begs to differ: “Sun xVM VirtualBox software is the world’s most popular open source virtualization platform because of its fast performance, ease of use, rich functionality, and modular design.”
Some cool features of VirtualBox include:
• Seamless windows - rather than a whole desktop environment, just the guest application windows can co-exist alongside native host applications.
• Shared Folders - easily move documents and files between the host and guest systems.
• Mouse pointer integration - it just works how you’d expect it to.
• Dynamically adjustable screen resolution in the guest.
• Time Synchronization.
• Shared clipboard.
A lot of that is available elsewhere (e.g., time sync and shared folders), but seamless windows is a nice touch.
AND, VirtualBox is open source!
Do check it out.
The heapq module implements a min-heap sort algorithm suitable for use with Python’s lists.
There’s an interesting four page PDF file that appeared recently on the Microsoft downloads site titled…
Open Source at Microsoft CodeBox: Bringing the Open Source Approach In-House
It answers the question: Could the community and collaborative concepts that
underlie open source projects be applied internally to Microsoft product engineering?
CodeBox is a software development environment that was developed as an internal tool to help Microsoft apply the Open Source software development model internally. It gives Microsoft’s programmers an internal tool to manage shared code.
If anyone was interested in a great Google App Engine project, I would love to see a community blog/speaker registration tool. Jeff Rush mentioned something like this a couple of PyCons ago, but now there is the technology available for free with Google App Engine. Basically, it would be cool to have a google app engine app that allowed organizers to book meetings and plan them, then post about the meetings, and finally “book” speakers that happen to be traveling to that city.
Currently there is this blog, but I find it difficult to post the data there, plus our meetup site, plus by email…etc. Making this process easier would be awesome.
On a side note, is there a chart somewhere that graphs what open source web application components are working and what isn’t on Google App Engine? For example:
Templates:
Genshi
Django
Mako
URL:
blah
Frameworks:
blah
I like numbers. They can mean a lot of things.
Rather than continuing silly arguments over obfuscated and flawed measurements of “language popularity”, perhaps a better way of measuring the viability of a language or platform is to measure the freshness of its ecosystem.
LaPerla’s How Fresh is the CPAN? measures the upload dates of one of the world’s largest and most active repositories of free software. Of the 12,000 (or is it 14,000 now?) distributions on the CPAN, 25% have a most recent upload date of February 2008 or newer. Half have an upload date of 2007 or newer.
You don’t get those kinds of statistics by putting “Ruby Programming” into Google and pretending the results are meaningful.
If you are at all familiar with the UNIX or Linux world, you will know about the Pluggable Authentication Module (PAM) functionality. Essentially, PAM is a highly extensible login framework for authenticating and authorizing a user for access to a server. Prior to PAM, most logins worked directly against the local /etc/passwd database, but with PAM, users are authenticated against the PAM library, which in turn relies on a series of “modules” (surprise!) that return a Yes/No response. On many UNIX and Linux boxes, PAM still relies on /etc/passwd, but it doesn’t have to—and often doesn’t. For example, LDAP is quite often supported for authentication, and this is done by simply adding the right LDAP module to your PAM configuration.
Yawn.
Well, it is all very cool actually, but it is old news in the UNIX world.
Now, Windows has supported this, kind of, a little bit, with GINA and GINA chaining and what-have-you, but it is really JUST NOT DONE. In addition, the GINA chaining concept is rarely if ever used. (I have heard because of reliability issues.)
However, Vista now supports a new model known as Credential Provider, which is deceptively like… PAM! Well, cool. (And they say Microsoft doesn’t learn!)
Anyway, I suggest you take a look at this as it’s all very nifty stuff:
Windows Vista Sample Credential Providers Overview
Credential Provider Samples
New Authentication Functionality in Windows Vista
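The PAM behaviour described at the start of this post, where a series of modules each return a yes/no answer and LDAP is supported by adding a module to the configuration, sketched as an added example that is not part of the original post. The stack below is a constructed sample, and the evaluator is a simplified model of the keyword controls (requisite, required, sufficient, optional), not the PAM library's own code.

```python
# Added example: a simplified model of how a PAM "auth" stack combines
# per-module yes/no answers. Only the keyword controls requisite, required,
# sufficient and optional are modelled; bracket controls and include are not.

# Constructed sample in /etc/pam.d service-file syntax (not from the post).
SAMPLE_STACK = """\
# type   control     module [options]
auth     requisite   pam_nologin.so
auth     sufficient  pam_ldap.so
auth     required    pam_unix.so try_first_pass
account  required    pam_unix.so
"""

def parse_stack(text, group="auth"):
    """Return [(control, module), ...] for one management group, in file order."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        if fields[0] == group:
            entries.append((fields[1], fields[2]))
    return entries

def evaluate(entries, answers):
    """answers maps module -> True/False; a module with no answer fails (fail closed)."""
    required_failed = False
    any_success = False
    for control, module in entries:
        ok = answers.get(module, False)
        if control == "requisite" and not ok:
            return False                  # deny at once, skip the rest of the stack
        if control == "sufficient":
            if ok and not required_failed:
                return True               # accept at once, later modules never run
            continue                      # otherwise it does not change the outcome
        if control in ("requisite", "required"):
            any_success = any_success or ok
            required_failed = required_failed or not ok
        elif control != "optional":       # optional: ignored in this simplified model
            raise ValueError(f"unsupported control: {control!r}")
    return any_success and not required_failed
```

Order matters when reviewing such a file: a `sufficient` LDAP line placed after a failed `required` line no longer grants access on its own.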
OK, I know this is NOT the Inside MySQL blog area. But, MySQL is the “M” in both LAMP and WAMP. And, as one of the people who wasn’t very happy with MySQL’s decision to close source parts of the upcoming MySQL 6.0, I thought I should help spread the good news announced by MySQL’s VP for Community Relations - Kaj Arnö:
MySQL Server is Open Source, even Backup extensions
His six main points are:
- MySQL Server is and will always remain fully functional and open source
- MySQL Connectors will be open source
- The main storage engines will be open source
- MySQL 6.0’s pending backup functionality will be open source
- The MyISAM driver for MySQL Backup will be open source, and
- The encryption and compression backup features will be open source
FYI: MySQL related blog posts on Port 25
The third Ignite Boston will be on Thursday, May 29, from 6 to 10pm at Tommy Doyle’s in Harvard Square, Cambridge, MA. This time, we’re using two floors at Tommy Doyle’s, so the acoustics will be better than our first event there. From 6-6:45 pm, mingle and talk tech with your fellow FOOs, alpha geeks, and techies from the greater Boston area. After the mingling and social stuff, we’ll have a couple of special keynote presentations by Jonathan Zdziarski of iPhone notoriety and John Viega of Security notoriety to kick off our Ignite talks. Then, onto guest speakers who’ll catch you up on the cool, new, innovative stuff going on in technology today. Don’t blink or you’ll miss their lightning-fast, five-minute presentations. During intermissions, get a cold beer and chat with speakers, sponsors, and O’Reilly’s own editors. Join us Thursday, May 29, for a fun, energetic evening of talking, learning, collaborating and drinking!
Check out the events and activities of our previous
Ignite events.
RSVP
If you plan to attend, email IgniteBoston at oreilly dot com for the chance to win $300 worth of O’Reilly books of your choosing. You must be present to win. There will likely be other items like tee-shirts and other promo items for those who alert us ahead that they plan to attend.
Presentation Guidelines
Ignite is a user-generated event. If you’re interested in speaking, then submit a proposal for consideration.
Presentations must:
- Be no longer than 5 minutes
- Be on an innovative topic (no sales pitches, please!)
- Be viewable on a PC [a MacBook Pro with Powerpoint and Keynote, and PDF] with standard AV equipment
- Did we mention, no Sales Pitches.
Here is a Google App Engine application I wrote for an upcoming PyAtl Talk, and an upcoming O’Reilly Online Article: http://greedycoin.appspot.com/
Quick notes: Really liking the datastore API. I also liked the Django templates even though I have touched them in over a year and a half. I am looking for Google App Engine consulting or contract work…anyone..anyone :)
(Cross-posted from perlbuzz.com)
Selena Deckelmann has come back from BarCampPortland with copies of every Post-It on the topic selection board. The topic selection board at an unconference like a BarCamp is where people write on a Post-It a topic they’d like to see presented, and put it on a board for all to see. Whichever topics people vote for are the topics that are presented.
Scanning through the photoset on Flickr is fascinating, as these often are. Topics range from Pirates Paying Artists to WordPress as CMS to How to lie with statistics to Should we replace Congress with a wiki?
Also fascinating to see how widespread Twitter has become, with half the Post-Its leaving @usernames as contact information.
Makes me want to start up a Bar Camp Chicago. And move to Portland.