May 2004 Archives

brian d foy

Related link: http://yapc.org/America/

This year’s Yet Another Perl Conference is at the University of Buffalo from June 16-18, but you need to register by Friday, June 4 to make it onto the caterer’s count. Otherwise you’ll have to walk into town to find your own genuine Buffalo Wings (yeah, that Buffalo!).

Too bad I can’t make it: I’ll be on my honeymoon, with no computers allowed.

Derek Sivers

From 1988 to 2000 I made my full-time living making music. I used to spend a huge amount of my time writing songs. Lyrics, melodies, grooves, tracks, arrangements, etc.

As I get more and more into programming, I’m constantly struck with how similar it feels to songwriting.

I’ll name a few ways that come to mind so far, and then maybe some other musician/programmers can contribute some more to the list.

  • It starts with a vague concept of something that could/should exist, then is slowly crafted towards that vision, like a sculpture.
  • Both songwriting and user-interface design make you constantly put yourself in the audience’s shoes - to make sure they understand what you’re trying to express. Will they understand your turn of phrase? Will they know where to click to complete the form?
  • Both songwriting and user-interface design need to hold the audience’s attention all the way through, knowing that one wrong decision might lose them forever.
  • One big problem really wraps around dozens of little problems. Finding the right chord, the right query, the right phrase, the right page-layout. These little problems are the addictive potato-chips that keep me going.
  • Every person on earth would solve these problems (both little and big) a little bit differently.
  • Even trying to imitate someone else’s creation will make your own unique version of it. Imitation is a great way to learn. Humans are imperfect mirrors.
  • I resist starting. I’ll make 1000 distractions for myself. But once I start, and get into it, it’s the best thing in the world and I don’t want to stop.
  • It makes me jump out of bed at 2 AM wanting to try the ideas in my head to see if they work.
  • Too much repetition, and it’s boring. Not enough repetition, and it’s hard to understand. (in programming’s case this means the code, not the final product)
  • Once you’re done you want to show off your creation to the world.
  • Some people work best in collaboration like a day job. Others work best all alone, creating late into the night.
  • Some like to draw charts on paper, analyze, discuss. Others like to just shut up and do it, letting the creation speak for itself.
  • Both start with an initial flash of inspiration, then take a hell of a lot of work to make it into reality.
  • Being the programmer in the company is like being the songwriter in the band. You’re the one that creates the thing that the rest of the organization is there to promote and support.
  • It’s best to keep the "suits", the business-folks, away from the creative process, until you have something you’re ready to show them.
  • Your creation is often judged by how much money it could make, though that’s another way of saying "how many people will like it enough to pay money to have it".
  • … though if even a few people’s lives are made better by your creation, that’s satisfaction enough.
  • Most real songwriters and programmers would be doing this even if they never made a dime.
  • The sly programmer or musician puts little things in the final product that the general public will never notice, but a few peers in-the-know will catch the subtle trick and laugh out loud in admiration. (Or even if nobody else notices, it’s an immense sense of self-satisfaction.)
  • Some of your worst songs or programs had a brilliant idea inside, that you can re-use many times.

Please contribute more, below…

A great essay on a similar subject is "Hackers and Painters" from Paul Graham’s O’Reilly book by the same title.

YOUR TURN - what are some other ways programming is like songwriting?

brian d foy

Last week I was on the road, and pleased to find out that my hotel, the Hampton Inn, has free wireless access. I only needed a username and password which I got from the front desk.

I happened to be working at the same place Eric Meyer was that week, but he was staying at a slightly more upscale hotel. He had high-speed, but wired, access.

All of a sudden the less expensive hotels have a huge advantage over the fancier ones. The cheaper hotels never laid out the money to wire all their rooms with cables and ports and all of the tangible stuff that it takes to create a wired network. A third party company adds wireless access to the hotel for much less expense.

On the other hand, the hotels with the cash wired themselves, and now they are stuck with a huge sunk cost. They already spent the money for the wires, so why spend even more money for the wireless?

The little guys get to leapfrog the big guys by skipping a generation, much like how some countries avoided the mess of a land-line phone market by embracing cellular (and even going for the more advanced cellular technologies, too).

(You can check other hotels through Plugged Inns which tracks which hotels have wireless access.)

brian d foy

Related link: http://www.levenez.com/unix/history.html

A friend passed me this link.

Éric Lévénez put together a time line of the history of Unix, showing its various branchings, mergings, and other developments, starting in 1969 and ending this month (so it is almost current). You can download the chart in various formats. I printed the 17 pages and taped them together.

brian d foy

This month last year, New York State Attorney General Eliot Spitzer announced the arrest of Howard Carmack, a spammer operating in Buffalo.

Last month, a jury convicted the “Buffalo Spammer”, but not for spamming: he had stolen identities, falsified business records, and forged documents: the things that spammers tend to do. He was not charged with sending unsolicited mail. Maybe existing law can take care of spammers if the government, like Eliot Spitzer, has the courage to enforce it.

Last Thursday, Howard Carmack was sentenced to 7 years in prison (no press release available as I write this). Huzzah for good guys!

Curiously, reading about this case in online news sites, I ran into my constant frustration: news that does not reference anything. Most news sites are really just branded versions of Associated Press, United Press International, or Reuters, and add no value. Even those sites which do some of their own reporting rely on a wire service, and pass its stories directly into production with no changes. These sites should be able to add at least some value by linking to all of the relevant documents: for instance, the press releases from the Office of the Attorney General, which I had to find for myself. So much for the potential of hypertext.

The news is not about information, and everything about making money and shaping opinion. Letting people read the original documents for themselves would spoil that.

Uche Ogbuji

Related link: http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&threadm=mailman.238.108543367…

Alternate (non Google-groups) link

When Paul Prescod holds forth on a subject, wise developers pay attention. His recent thread on byte versus character strings in language design is IMHO required reading for language users as well as designers.

The immediate context is Paul’s advice to designers of Prothon, a Python derivative language, to get the character/byte string distinction right from the start, and also to enshrine other good practices such as making encoding and locale important first-class constructs. The lessons, however, are limited to neither Prothon nor Python, and are expressed clearly enough for users of other languages to follow.

Paul references Joel Spolsky’s important article “The Absolute Minimum Every Software Developer Absolutely, Positively Must Know About Unicode and Character Sets (No Excuses!)”, and if you haven’t read this, do so right away. The rest of the thread is filled with important insight and expansions.

I think I’ve learned these hard lessons in many of the same battles as Paul. I can confirm that you really do pay if you are guided by the accidental conveniences of speaking a language whose character repertoire happens to fit into a computer byte. Don’t cut corners when it comes to computer representations of text.

Have you been keeping up on your character-fu?

Derek Sivers

So we’re going to be converting and archiving decades of amazing interviews with Bob Dylan, Paul Simon, Joni Mitchell, and many other songwriting legends - previously only available on paper.

But what’s the most permanent way to store these so they’ll be just as usable in 1000 years?

Roll our own method, or is there some XML kinda standard set up for this already?

The Criteria:

  • all interviews are question-answer, so need to mark each as such
  • each question and answer can have multiple paragraphs
  • often mentioning album names and song titles, that need to be italicized or have quotes around them
  • will need to be marked-up by HTML to make a presentable website archive of interviews

A weak mock-up I’m considering:

<intro>
I met with Bob Dylan today. Let’s see what he has to say.
</intro>
<interview>
<question>
So Bobby, what are your favorite chords?
</question>
<answer>
The ones that sound like <quote>Eeeeee</quote>. You know like B C D and E. But not A and F.
</answer>
<question>
Is that how you wrote <quote>Blowin’ in the Wind?</quote>
</question>
<answer>
Huh? How’d you know that was me?
</answer>
</interview>

Obviously I’m not the first person on earth to archive interviews for web-presentation and long-term use. But I couldn’t find any info or recommendations on how to do it.

ANY advice or URLs appreciated. Anyone?

Derek Sivers

At CD Baby, our "songs" database table has a list of every song on every album. (Albums are identified by their sku we call "albumcode")

As we digitize each CD into the FLAC format, we add an "f" into the field called "encoded".

The problem:
I want to find all albums where we have SOME of the FLAC files now, but not all. (The problem albums - I want to re-do these.)

The answer:
Tell MySQL, "show me all albums where encoded has f AND encoded does NOT have f".


SELECT DISTINCT(s1.albumcode)
FROM songs s1
LEFT JOIN songs s2 ON s1.albumcode=s2.albumcode
WHERE s1.encoded LIKE '%f%'
AND s2.encoded NOT LIKE '%f%'

I haven’t had a query make me smile in a while. :-)

Other examples of this? Or was there a better way to solve this problem?
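An added example, not part of the original post: the self-join above next to a single-pass `GROUP BY ... HAVING` form, run on constructed rows. It assumes a `songs` table with only the `albumcode` and `encoded` columns the post names, uses SQLite in place of MySQL so it runs offline, and assumes `encoded` may be NULL for untouched tracks (the post does not say), which is the case where the two queries differ.

```python
import sqlite3

# Constructed sample rows: (albumcode, encoded flags). Not real CD Baby data.
SAMPLE_ROWS = [
    ("alb1", "f"),    # fully encoded album
    ("alb1", "mf"),
    ("alb2", "f"),    # partial: second track carries other flags only
    ("alb2", "m"),
    ("alb3", ""),     # nothing encoded yet
    ("alb3", ""),
    ("alb4", "f"),    # partial: second track's flag column is NULL (assumed possible)
    ("alb4", None),
]

# The query from the post, with ORDER BY added for a stable result.
SELF_JOIN = """
SELECT DISTINCT s1.albumcode
FROM songs s1
LEFT JOIN songs s2 ON s1.albumcode = s2.albumcode
WHERE s1.encoded LIKE '%f%'
  AND s2.encoded NOT LIKE '%f%'
ORDER BY s1.albumcode
"""

# One pass over the table: count tracks that have the flag and compare
# with the track count. COALESCE makes a NULL flag count as "not encoded"
# instead of dropping out of the comparison.
GROUPED = """
SELECT albumcode
FROM songs
GROUP BY albumcode
HAVING SUM(COALESCE(encoded, '') LIKE '%f%') > 0
   AND SUM(COALESCE(encoded, '') LIKE '%f%') < COUNT(*)
ORDER BY albumcode
"""


def build_db():
    """Create an in-memory songs table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE songs (albumcode TEXT NOT NULL, encoded TEXT)")
    conn.executemany("INSERT INTO songs VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def partial_albums(conn, query):
    """Run one of the queries and return the album codes as a list."""
    return [row[0] for row in conn.execute(query)]


if __name__ == "__main__":
    db = build_db()
    print("self-join:", partial_albums(db, SELF_JOIN))
    print("grouped:  ", partial_albums(db, GROUPED))
```

The self-join skips an album whose missing tracks have a NULL flag, because `NULL NOT LIKE '%f%'` evaluates to NULL rather than true; the grouped form reports it.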

brian d foy

I am consulting for a big university this week, and it turns out that Eric Meyer is leading some training in the same department. I had not met him before, but a lot of people have been recommending his books to me lately.

We are both travelling stag, and staying in hotels across the parking lot from each other. Last night we went looking for dinner together and finally settled on a little Thai place.

We talked a bit of shop, during which I admitted that I knew next to nothing about CSS, although I told him I had just picked up “the fish book”, and I think it looks pretty good despite having read nothing of it other than the table of contents. Those of you a bit more in touch with reality probably already realize that is really “the Salmon book”, Cascading Style Sheets: The Definitive Guide and Eric wrote it. D’oh! I guess I missed that when I picked it up at Borders because it was not on the same shelf with all the other books he has written.

Andy Oram

I’m totally fed up with the Democratic National Convention. Boston’s Democratic mayor and Senator Kennedy apparently wanted the Hub to prove itself a world-class city by hosting the convention (and the Republican governors did little to stand in his way) but now we’re coming out looking more like the cowtown we’ve traditionally been.

Due to the same lack of planning that racked up fourteen and a quarter billion dollar charges for our recent (and still uncompleted) road construction project, the city had to announce that they were closing this very road plus other key traffic arteries during the convention–essentially closing the downtown part of the city for most of a week. I’m not even sure how I’ll reach the airport so I can get the hell out of here and make it to the saner city of Portland, Oregon for O’Reilly’s Open Source Convention.

Costs to businesses and the city as a whole could reach fifty million dollars. And now John Kerry is even saying he might not even go through the one formality for which the convention is suited–the ritual of accepting the nomination. We’d all be better off without the convention. The main thing holding up the Massachusetts economy now is what most politicians fought like dogs against: the legalization of gay marriage, which has increased tourism, celebrations, and receipts to luxury retailers.

The Republican Convention may not have such a negative effect (it would be even better had they followed through with their original idea and held it on a boat) but political conventions are emerging as an extravagant and unproductive relic of the days before modern media. Thousands of massed observers mindlessly heil-ing it up in front of cameras is so uncool. Heightened security concerns make conventions even more outmoded.

Let’s stop holding conventions in person. Let’s do them online instead. The medium is ideal for that. People will tire of hoopla and rah-rah quickly, so they’ll have to do what the politicians and mass media spend so much effort preventing: a discussion of the issues.

An online convention would air the party’s platform as well as the divisions among the party faithful. People viewing the debates would have a chance to find out what the party actually is. Since the candidate could not participate in every debate, campaign aides would have to show their mettle and expose their personalities and capabilities to the public. Since campaign aides turn into Cabinet staff, this opportunity to be judged by the public is valuable in itself.

Physical conventions draw protesters outside (usually with negative results, of which the 1968 Democratic convention is only the most obvious trauma), but online conventions would have protesters inside.

The debacle of the Democratic Party Convention could become a chance to re-examine what politics is all about. See E-Democracy for more ideas.

What is politics all about?

Andy Oram

Related link: http://www.securitypipeline.com/showArticle.jhtml?articleID=20800218

I’m glad Security Pipeline published the news so explicitly. After the company Symbiot published a white paper suggesting that it was time to turn against network intruders and launch denial of service attacks from the white hats against the black hats, I haven’t been able to find anyone in the traditional computer security community to back it. A typical response is to go over to the wall and put one’s head up to it in despair–and that’s one of the more polite responses I’ve gotten. Some experts withhold judgement, but they don’t seem to think the proposal was serious.

Now Security Pipeline ran a poll and found (probably to everyone’s surprise) that a strong majority of readers like the idea of counter-attack. And this is what Symbiot is telling me when they approach customers–even government agencies. There’s a positive response to the idea.

As an interview I published with Symbiot shows, their concept of returning fire is more sophisticated than most people realize. And their product features much more than counter-attack; that’s probably a minor feature of the overall approach. Further confounding people who make snap judgements, Symbiot is going to open source much of their solution. I’m not an adherent to their cause yet, but I’m keeping in touch with them and expect this approach is not going to go away.

Chris DiBona

yum search Java?

No packages found.

yum search JVM?

Some stuff found, but no JVMs….

Hmm, okay….I’m looking at what it takes to get a JVM loaded on my fedora core laptop…I’m looking to write some routines that allow java programs to authenticate off of a gforge user database. I’ve written these same routines in python already, so a part of me wants to try the jython route, as it might be fast and fun to do so, but either way I’ll need a JVM on this laptop, so I download the SDK from sun.

Additionally, I want to hack up some j2me stuff for the game, sooner or later, to run on phones like my Treo and other phones (and yes, my head is in the sand regarding midp quality and such, but allow me my illusions, okay?), but for now I’m sticking with regular old j2se for the gforge project.

Gforge project leader Tim Perdue keeps threatening to switch from php to Java for gforge 4.0. Although most people don’t think it will happen that way, it is worth my time to look into it. Tony Guntharp and I service Real Network’s helixcommunity.org site, HC.org runs Gforge, means we care about the future directions of the codebase. Gforge is currently written in PHP and since mailman is so fundamental to its mail operation, some python.

Which brings up an interesting point, python is scary fast….and while I’m not looking to revive the java is slow debate, python, speed wise, is to php what php is to mod_perl and that is saying something. All three are pretty terrific scripting languages, so don’t read too much into that, but the speed differences are really something. Mind you this is based on php 4.x numbers and not 5.x which I haven’t installed yet.

Of course this brings up Java Server Pages and such, but for now, I just want to write some routines to query against gforge. The download, which is some 33 megabytes or so, is almost complete, Now Installing (timing it for our information)…

It would be really worthwhile for sun to provide packages in a yum or apt repository, but it’s probably pretty obvious that I feel that way, it’s how we do things, I wonder why they don’t do that, or for that matter where is IBM and the other JVM shops? It’s so much easier to keep up with security patching on the rest via these kinds of systems, anyhow…

I’m probably missing something, likely someone has a yum repository up for java, but as I mentioned in an earlier post, I’m a java neophyte by any real measure, and I’m writing on LJN because of my Linux background, so much of this will be very beginner to some readers..

Oh, and while it is downloading, one more thing…. For shame, JBoss, that’s really lame, I didn’t mention this before, but for shame. When I worked at Slashdot, we’d see these kinds of campaigns all the time, and that’s why moderation was developed. But super lame. Ah, looks like the download is done (yay DSL!)!

Do I agree? Again? Didn’t I agree when I downloaded? “yes” … Extracting rpm… rpm -Uvh etc…. done…

K, let’s test the install a little bit…helloworld works… excellent…total time to install to this point: 15 minutes or so, not so bad, of that most was hacking about on Sun’s site and such, I think the actual install time post download could have been around 3 minutes if it were properly integrated into yum/apt/etc…

It is fair to compare these against PHP and python, which can be loaded very easily via the various package managers like yum and apt, including extra features like MySQL (yum install php-MySQL) and imap (install php-imap). Java would benefit from this kind of installation procedure:

yum install j2se
yum install j2me

You get the point, yum and those tools will even add paths properly for you and the rest that you must do by hand with sun’s downloads, but all in all it went smoothly enough, no segfaults on my strangely updated fedora core laptop, so I’m happy. When deploying linux machines into data centers, I can say with confidence that I’d rather use a decent, updating package management system like yum than have to download things like java separately from those processes.

Anyhow, next time: Querying against MySQL & PostgreSQL, how fast and easy is it to make that work, and maybe a little jython.

yum install java? Not so fast…

Kevin Bedell

Related link: http://jboss.org/jbossBlog/blog/

I was complaining about this practice just yesterday (see Giving honesty ‘Arun’ for it’s money?). Now Marc Fleury, CEO of JBoss Inc., is publicly stating that he’s banned the practice at JBoss Inc.

According to Marc, “Let’s put the professional back in professional open source. ‘Astroturfing’ is hereby banned at JBoss, starting with me.”

I guess it’s one thing to be a wildcat when you’re an open source project only concerned with great code. If you don’t have customers (and potential customers) to worry about offending, it’s not that big a deal to get caught and lose community respect.

Maybe this is like graduating from college or university. While you’re a student you can have your hair long, have a tongue piercing, wear nerdy t-shirts with holes in them and do/say pretty much whatever you want (ah, those were the days!). But once you’re out ‘in the real world’, most people find themselves changing and adapting to meet the expectations of the people who give them a paycheck. I’ve heard that this is called ‘growing up’.

Is JBoss (the company, not the product) ‘growing up’? Let’s hope so. Open Source as a technical and social movement will only be fully accepted by executives and corporate managers once they perceive that it’s a low-risk option.

Changing this practice is just one sign that Open Source is now ‘growing up’.

brian d foy

The author avers that the use of one vowel, out of all of them, before
the names of programs for the Mac, have made the order of my programs
almost as bad as the names that all start “The”. The author used to know
that these programs came from Apple, as part of a group of programs, but
now lots of vendors, some for PCs even, have these sorts of names.

Those who ponder whether that vowel has become overused need not worry.
The author has not used that vowel here.

Kevin Bedell

Recently it’s been confirmed that employees of the JBoss Group have for some time been making anonymous and/or fake posts on The Server Side and other Java community sites.

They’ve been aggressively promoting their platform by pretending to be people who are using JBoss and like it — and just as aggressively they’ve been attacking people who speak against them or their products.

They even used fake names while loudly accusing people who posted against their views of being imposters themselves.

When fakers like this pollute the knowledge space we all share and count on to help move technology and innovation forward, we all lose. It’s time to stand up and demand better.

Another example of this is the annual ballot stuffing that occurs in the voting for the Java Developer’s Journal (JDJ) Reader’s Choice Awards. It seems every company that has a product nominated sends out e-mail blasts to their employees encouraging them to vote for the company’s products.

Some companies raise this ballot stuffing to an art form. Their mottos seem to be, “Vote early, vote often, and write a perl script to keep voting for you after you leave for the day”.

As a member of JDJ’s advisory board and Editor in Chief of its sister title, LinuxWorld Magazine, this really bothers me. We really want to be a great resource for the community, but we know that the fakers compromise everything.

As a community we need to demand better of ourselves and our peers; and as individuals we need to have more integrity. If we keep our shared knowledge space clean and reasonably trustworthy, we’re all better off.

(JDJ this evening posted a similar editorial from Rickard Oberg and Cameron Purdy, two people who worked hard to help expose and publicize the details behind the fake JBoss postings.)

Andy Lester

An open letter to Charles Babcock (cbabcock@cmp.com)


In the May 17, 2004 issue of InformationWeek, you made a serious, yet
all-too-common mistake.


Extreme programming… pairs up two developers, one to produce code
and the second to review the coder’s work, ask whether it meets
business requirements, and work closely with business employees.


What you’ve described is not extreme programming, but pair programming,
which is only one facet of XP, but is not in itself XP. Unfortunately,
pair programming is the practice that people seem to latch on to
first, probably because it’s the most radical and easiest to dislike.
XP’s other principles and practices include simple design, continuous
integration and testing, writing tests before code, closer interaction
with customers, group code ownership, code reuse, shorter release cycles
and incremental delivery.


There are a number of excellent resources on the web and in print to
help gain a more thorough understanding of XP. Three great places to
start include:


  • Extreme Programming Pocket Guide

    by chromatic (O’Reilly)


    An excellent, inexpensive overview of XP. This should be called
    “Extreme Programming: The Manager’s Briefing.”

  • Extreme Programming Roadmap

    http://www.c2.com/


    A Wiki maintained by Ward Cunningham, one of the big daddies of XP.
    Constantly updated by folks in the trenches making XP work.

  • Extreme Programming Installed

    by Ron Jeffries, Ann Anderson, Chet Hendrickson (Addison-Wesley)


    There are about a dozen XP books from Addison-Wesley, but I like
    this one best, as it focuses on making XP happen in practice.



This misconception is especially distressing in a magazine like
InformationWeek (“Business Innovation Powered By Technology”) read by
IT managers for whom your article might be their only exposure to XP.
I’d hate to think of the number of IT managers who hand-wave XP as
“that thing where you have twice as many developers writing the code,”
or something similarly short-sighted. Perhaps a followup article touching
on the less flashy aspects of XP would help your readers out by pointing
out the other, more obviously valuable concepts.


Thanks,

Andy Lester

What other misconceptions of XP get propagated?

Uche Ogbuji

A few weeks ago as summer signs established themselves in gorgeous Boulder, Colorado, I started having stability problems on my workhorse desktop, a PC computer running Linux on Athlon 2400+. I installed the lm_sensors module and saw a CPU temperature report of about 65C with just GNOME running, and over 70C upon compiling Python or the kernel. These compilations would inevitably crash with a GCC your-hardware-is-hosed-buddy error. Just to verify the lm_sensors readings I sacrificed my uptime and rebooted to check the PC Health reading on the BIOS setup screen. The CPU was reading 60C and the overheat alarm was shut off. I fixed the settings and resigned myself to addressing the CPU and case cooling.

I’ve always been happy to leave cooling to the case and mobo manufacturers, but clearly Athlon pushes Joules at a rate that makes this unrealistic. I suffered the same drafting into the ranks of PC enthusiasts over power supplies (my current power supply is an upgrade from the stock 280W that came with the case to a 360W unit I’d installed).

I checked the case and saw that I had only a CPU heat sink/fan combo, the power supply unit intake and outtake fan and a rear exhaust fan (on another, less stressed computer I checked for reference, I didn’t even have a rear exhaust fan). So the way I saw it, the PSU was radiating heat onto the CPU, which was itself no slouch at generating heat, and that the PSU was drawing away a little of that heat and the exhaust fan somewhat more of it. But I didn’t see where cooler air might be coming into the vicinity of the CPU in order to improve the forced convection of the exhaust fan and the conduction of heat from the CPU surface onto the heat sink.

At this point I went to the local PC Club to see what they had for cooling. I happened to mention my problem to a salesman and he immediately indicated some creatively cryogenic units retailing from $50 to $80. He insisted that for users of well-known Joule-pushers such as Athlon CPUs, there was no other way to get adequate cooling. But I kept coming back to what I saw as a very simple heat transfer problem.

My Dad taught heat transfer in college in Nigeria, and I made the mistake of asking him for help with the notoriously failure-prone thermodynamics and fluid mechanics courses I had to take in my Electrical Engineering curriculum. Boy did he work me like a drill sergeant. I’ve never been one to think that half of what one learns in college will never be applied in real life, and I’ve used my heat transfer training before. Now the training was telling me that someone was trying to get me to spring extra bucks for an over-engineered solution.

I kept going back to the fundamental problem that I probably had enough exhaust convection going on but that cool air was not being brought into the vicinity of the CPU to impart a useful heat gradient to complement the exhaust. The efficiency of cooling by conduction (i.e. from CPU to heat sink) and forced convection (i.e. radiated from heat sink into exhaust air flow) is proportional to the temperature differential, which is why cryo-coolers are indeed quite effective. But it doesn’t take a huge amount of temperature differential to do the trick. My room is nowhere near 70C (it’s closer to 30C) so if I could just get air flow from the room to the CPU without its being excessively heated en route, I should be able to make a dramatic boost in the efficiency of the exhaust system.

So I started by grabbing a $5 case fan that I could install in the lower front of my case. This would draw room temp air into the case, and natural air flow would tend to draw it up to the CPU to replace the air being exhausted away. I did worry, however, that this air would be heated by the PCI cards which it passed en route so I asked whether they had units focused on cooling the PCI slots area. The salesman first pointed out a fan unit that pulled air directly in a horizontal line from the front area of the case and exhausted it out of the back. But I worried that this would draw air flow from the front of the case away from the CPU and defeat the whole purpose. I did find a $10 unit that drew air vertically, from the bottom of the case, and blew it out of the case hole for the PCI slot.

As an experiment I tried with just the front case fan and then adding the PCI slot fan. The first config resulted in cooling by over 12C across the board (BIOS, idle GNOME and kernel compile) and adding the PCI slot fan bumped it up to about 15C cooling improvement across the board. Classic diminishing returns where the first $5 I spent yielded a 12C return, the next $10 I spent gave an additional 3C return, and based on the salesman’s claims, I might have paid $50 - $80 for an overall 5-10C return.

So I end up wondering how often all those mega cryo units are really necessary. To be fair I don’t overclock, so my problems don’t measure up to those of hard-core enthusiasts, but I got the impression from the PC Club salesman and some stuff I’ve read on the Web that these super coolers are even marketed to non-OC users of the latest CPUs.

Really, you don’t need to have had a drilling in fluid mech and heat transfer to figure out how to spend the least amount of money on cooling your CPU. Just think of all the sources of heat in your system. If you’re brave and careful, feel some of the surfaces and areas to get a visceral sense of the hot and cool zones. Think of how air is moving around to provide efficient overall cooling, and think of how cool this air is to begin with, and what could be heating it up as it moves.

Incidentally, I happened to see some of the slick, newer mini “appliance” form factor (SFF) PCs at the PC Club, but they sported Athlon 64s and P4s and I wondered how they could possibly provide adequate cooling. I do like that small form factor for aesthetic reasons, so I may have to find out some day.

Side question 1: does anyone know how well all those special knobs and slick displays on SFF computers play with Linux?

Side question 2: does anyone know how to flash/update the BIOS on an EPoX 8RDA3+ from Linux? Recent BIOS changelogs seem to indicate that I should upgrade in order to address AGP issues and the like, but I can’t find any way to flash the BIOS except for the Windows utility that comes on the driver CD. I’ve checked the EPoX site and a variety of gambits of Google (Web and groups) and Yahoo searches.

Have you tried cheaper cooling methods before having to resort to an expensive cryo-cooler?

Uche Ogbuji

Related link: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=115980

In response to my recent article on problems booting a Windows XP partition after installing Fedora Core 2, a couple of the Fedora developers wrote me. They defended the choice of not treating the bug as a show-stopper and also scolded me a bit for possibly giving others ammunition to use FUD against the Fedora project. Their thoughtful response deserves the same forum as my warning and complaint, so with their permission I’ve posted relevant excerpts.

Jack Aboutboul responded:

I was alerted of this blog entry just a short time ago, and after reading it, I was pretty shocked at what was posted. I just wanted to send you some information regarding the bug you talk about and hope that you can somehow update this blog entry with the correct information, so as not to cause confusion.

The bug you speak about in the article stems [from] a few subtle, yet key feature changes that have happened within the 2.6 kernel. For 2.6 the kernel developers pulled out certain functionality from within the kernel related to Hard Disk geometry. In 2.6 the developers thought that it may be wiser to have user space take control of things such as HD geometry. There is still discussion as to whether or not this was such a bright idea.

In addition to that, it is noted in the bugzilla report that the cause of this bug seems to be a CHS geometry problem. This problem most likely stems from an error within the parted utility, addressing bios incorrectly. In fact, many users with this bug reported that it disappeared after updating their bios to newer versions. Other than that, exhaustive testing has been done on this bug and newer machines did not seem to have this problem. It was almost totally non-reproducible.

I hope that I have been able to shed some light on this issue. You do very great work, and we salute you for trying to bring to the surface what seems like a stop-ship bug. However, I hope that the information I have provided you with will help you further investigate this problem so that you can update your blog, and spare the Fedora Project some great amounts of nonsensical FUD, that will undoubtedly be spread around by many unknowing readers of your blog.

Mr. Aboutboul in a later message said:

It is an issue that people should know about. The truth of the matter is, that almost none of the developers dual boot, and hence, no testing. Even the few that did try it, did so on IBM laptops and desktops, and didn’t have any problems.

How do you think distributions should handle elusive bugs that may not be their fault, and could be wrongly used as fuel for FUD?

Jono Bacon

Come with me, close your eyes, and imagine a world filled with excitable programmers and software users who love free software. One such user, we will call her Bertha, loves to write software, and has always dreamed of writing the one true weather reporting panel applet. Bertha sits back, stretches her fingers, shaking with excitement, ready to jump into the world of free software, and, and…registers a Sourceforge account.

Bertha is wise to the ways of development. She knows she needs a CVS server, mailing list, website, bug tracking system, forums, feedback reporting systems, download repositories and more. All of these services are available to her and she has seen her favourite projects with such ample resources. Bertha wants her panel applet to be the queen of panel applets, reputed for weather reporting accuracy and an exquisitely designed configuration dialog box, so she sets forth to hunting out documentation on each of these resources. She explores the joy of patches, creating CVS branches, handling mailing list subscriptions, developing a careful revision system and other fun filled aspects to her project. Unfortunately, it is all a bit much and after a few commits to her CVS account, Bertha rapidly gets bored and her legendary spectacle of weather reporting joins the other poor unmaintained souls that wretch in Sourceforge hell. Damn.

The moral of this story is one of overreaching the potential of a project. When Bertha had the idea for her software, she also had a clear idea of how she was going to run her development environment and handle input from other hackers. The problem with her approach was the fact that she expected user input from the community when little or no code was produced initially. She also created a number of resources and discussion mediums for a project that essentially did not need them. There are a great many dead mailing lists, chat rooms and forums that have been exhausted from the over-excess of resources. If you go to a forum community with ten forums available, you are likely to have a little conversation in different parts of the site. If you visit a discussion site with a single forum, the discussion is concentrated better and given the opportunity to flourish and develop relationships between the members, with a sense of peer review and aspiration.

The problem we face is an excess of software consumption. I am certainly not exempt from this sordid story, and let me share with you an example. A while back I decided I wanted to do some XUL programming. I downloaded every possible XML editor I could find, documentation parsers, validators and other utilities and tools that were even loosely linked to XML. The same applies to GUI programming; debuggers, editors, GUI dialog designers, profilers, documentation generators, source highlighting tools and other things have clogged up my system over the years. Most of these tools were used in a context that only scratched the surface of their capabilities. There is a distinct feeling of potential and the security of being armed to the teeth with tools if you have everything available to you at your fingertips. This rapidly growing library of free software and documentation is resulting in less time for us to actually learn these tools in depth. I am certainly not unhappy with all of this choice of free software, but there is a certain level of understanding that can be achieved when you only have a single tool and you need to know how to make use of it well and in a number of contexts. As the old saying goes, “a jack of all trades, but master of only vi”. Oh, hang on…no.

The concern I have with this culture of padding ourselves with resources, utilities, tools and other fluff, is that we are putting projects up on a pedestal before they have had the opportunity to grow and develop. With the example of Bertha and her project, if she had simply worked on the code herself until she had something useful, she could have then simply put it on her website with an email address to send patches to. If Bertha started receiving patches, it would then warrant the possibility of setting up further resources. If on the other hand, Bertha did not get anything, or she lost interest, or didn’t have time to commit to the project, she has not lost a dot. By having yet another dead Sourceforge project we are reminded yet again of a free software failure that could have actually achieved something if the time was spent on the software as opposed to arranging CVS accounts and mailing lists for a project that would ultimately fail.

The same dilemma is really affecting advocacy of Linux and free software. There are so many organisations and schemes that are touted to further the software we all know and love in weird and wonderful ways. These organisations then get set up and begin discussing how their organisational systems should be set up and operate. Typically arguments about frivolous subjects such as whether they are going to use Perl or PHP as their website scripting language are argued, debated and ultimately thrashed out on a mailing list. All of this red tape then takes up the precious time of volunteers who only have a certain amount of time that they can spare in between work and family commitments. This red tape not only wastes effort but can also hinder morale when little is achieved.

I am a believer in a practical, hands-on approach to software development and advocacy. I used to be of the opinion that every project, no matter how big or small, needs a full-on branding campaign to give it a professional and viable look and feel. This is valid for established large scale projects such as OpenOffice.org, KDE, GNOME and Mozilla, but for new projects such as Bertha’s little panel applet, this red tape and fuss is a lot of effort over nothing. I firmly believe that you should spend as much as possible of the time you dedicate to free/open software doing real, tangible, measurable and pragmatic things. If you are advocating Linux, instead of writing rules and regulations on how your advocacy project should manage its resources and how its official branding should be created, just get out there and call a person/charity/school/business and get on with it. The red tape will be needed at some point, but not until a stage when you are becoming a big noise in the advocacy world and when you are working on lots of different projects with different members.

So, what do you think? Have you any experiences that preserve one view or another? Do you support an established system or prefer a freeform development route? Scribe your mumblings below…

Mark Finnern

Related link: https://www.sdn.sap.com/sdn/index.sdn?page=SAP_TechEd_04_Proposals.html

This is quite a steal: Propose a session [free registration] for SAP TechEd, get it selected by your peers on the SAP Developer Network and you will travel to both SAP TechEds in San Diego 5th-8th as well as Munich 12th-14th of October. SAP will pay your flight, hotel stay as well as TechEd fees.

What I really like is, that you can check out the proposals that have been submitted already, and they’re really interesting. I am very curious to see which ones will win. Currently the odds are quite good: 15 proposals for the 3 slots, means 20% will go, but I guess that will not stay that way.

Unfortunately SAP employees can’t compete, otherwise I would be all over it:
"How to run your Model Train using SAP NetWeaver" I’m convinced it would be a sure winner. Maybe someone else picks up the ball and fills in that clear void in the TechEd schedule.

Just don’t get your hopes up expecting to visit the Oktoberfest while at the Munich TechEd. That beer craziness ends on the 3rd of October and you will have to pack your bags for San Diego right about that time. But fear not, there will be the famous Munich beer gardens awaiting your thirst after your presentation.

Uche Ogbuji

Related link: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=115980

UPDATE: A commenter kindly pointed me to the equivalent Mandrake 10 bug. From what I can read it seems the handling of this problem in Mandrake has been as worrisome as that in FC2. The bug is marked as “fixed” although comments make it clear that the mooted workaround is not sufficient for some users. As such I extend the same warning to those considering any version of Mandrake 10.0. Be very careful if you have a dual XP boot set-up.

UPDATE: See this article quoting a response from a Fedora developer.

I have used Red Hat since 4.2, and it has been my distro of choice. I’ve earnestly tried Debian, Mandrake, Gentoo and SuSE at various times, but I’ve always come back to Red Hat, probably not because of any of the silly reasons you see bandied about in flame wars, but rather because I’m already comfortable and familiar with Red Hat. When the natural evolution of Red Hat took me to Fedora Core 1, I followed and have been very happy so far.

I’ve been eyeing the progress of FC2, which includes Kernel 2.6 and other goodies. I tried the third and final FC2 test release but had problems with the installer that were already listed in bugzilla and decided to try again upon the final release, scheduled for this week. Before doing so I browsed the mailing list to see what success others were having and came across this posting, from which I quote:


A very serious bug exists which can render dual-boot Windows XP
installations inoperable. The problem has been discussed in other
threads here on this list, and can be found in bugzilla, so I won’t go
over it in more detail. Please see bugzilla bugs 120128 and 115980.
This problem happens on my hardware even if the harddrive is wiped, and
a fresh Windows XP install is performed before FC2-test3.

Note: bug #120128 is a dupe of #115980.

This bug is still acknowledged as unfixed on the eve of the final FC2 release. On reading further, several things alarmed me:

  1. The attitude of many in the thread who violently flamed those who were raising the alarm
  2. The overall silence of core developers and release notes on a matter of such magnitude
  3. The very fact that such a major distribution does not treat a widely reproduced bug with serious consequences of data loss as a show-stopper, or at least a code-red priority

Before commenting further I do want to make sure I reiterate that people see the actual bugzilla item for the raw facts as they’re known. Also see this thread which is a bit more focused on solutions and narrowing down the problem than the flame war over whether the Fedora community is taking this bug too lightly.

There has been some discussion as to whether this is actually a bug in Grub, in Kernel 2.6 (some say they came across it in Mandrake 10), or in Windows XP. None of the uncertainty over root cause excuses a responsible distribution from treating any such issue with the utmost seriousness. This bug could cause a significant cross-section of users to lose data, and so at the very least it should be affixed with a clarion horn, bold letters and blink tags in the various release notes and announcements. Instead, the sorts of discussion I see about this situation include jibes at dual-booters and even snide suggestions that FC2 is doing users a favor by neutralizing their Windows partitions. I can be as spiky in a flame war as anyone else, but I’m very surprised at how a matter that could so seriously damage the reputation of Fedora is being treated with so little apparent seriousness by all but those who have themselves lost time and data.

Speaking for myself, I have two computers on which I’d planned to make the upgrade. One (my laptop) is a dual-boot to XP. Yes, I usually back up before such upgrades and installations, but I don’t have the time to go through the reinstall-XP-then-restore dance so I’m not taking the chance on my laptop and will leave it at FC1 until there is a fix for this issue. I shall upgrade the Linux-only box right away and, I hope, not run into any other unpleasant surprises.

The most important matter is fixing the bug. Do you have any new data that might be useful in doing so?

brian d foy

Related link: http://gmail.google.com/gmail

Is spam still spam if I ask for it? I would really like to take my Google Mail account for a test drive, but I am not getting any spam. Please send spam to brian.d.foy@gmail.com.

If you have a Nigerian banking scheme, a body part enlargement device, discount drugs, viagra, or any of the usual spam topics, I am soliciting your mailings, making them non-unsolicited. I have 1,000 MB of storage space, so send as much as you want as often as you want.

That being said, I have two things in mind:

  • Do the Gmail spam filters catch most stuff?
  • Will the text ads shown for spam point to a competitor?

Remember to send that spam to brian.d.foy@gmail.com

brian d foy

Related link: http://www.apple.com/applescript/imageevents/index.html

Now that I have Panther, I can play around with Image Events. Prior to this, I used Perl to read in an image from my phone, scale it to 320×240, then add a black border around the image.

Now AppleScript makes this really easy. Cobbling together a couple of scripts from the Apple web site, I get the job done in a very Mac like way.

set this_file to choose file

try
	tell application "Image Events"
		launch
		set this_image to open this_file
		scale this_image to size 318
		pad this_image to dimensions {320, 240}
		save this_image with icon
		close this_image
	end tell

on error error_message
	display dialog error_message
end try

Although this script asks me to choose the file through a dialog, Apple also shows examples of automatically choosing every image in a directory, on the desktop, and so on. I want to set up a folder for incoming images for a moblog, then automatically run an AppleScript on every new photo before it gets posted to the web.

At some point I also want to use Image Events with watch folder for iPhoto, so when I take screenshots I can automatically convert them from PDF to JPEG. I just wish I could automatically import the images, though.

Still, someone at Apple finally did something good for AppleScript.

Do you use image events?

Derek Sivers

Related link: http://www.oreillynet.com/pub/wlg/4863

In my previous post called Getting PHP to make the HTML for me - I mistakenly called what I was doing a template system. But I don’t want a template system. I want shortcuts, inside PHP, that output the HTML I need.

All good geeks know that repetition of information is usually a problem waiting to be solved. HTML (even in templates) is filled with SO much repetition I can’t help but try to optimize my use of it.

But first - here’s a couple examples why I don’t want to use templates for my web-making:

One template extreme: mostly static HTML with some variables:

<html><head><title>{$title}</title></head><body>
<table border="0" cellpadding="5" cellspacing="0">
<tr><td class="bgcolor1">
<h1 class="header">{$title}</h1>
</td></tr>
<tr><td class="navbar">
{$navigation_here}
</td><td>
<h2 class="title">{$article_title}</h2>
<p>{$article}</p>
</td></tr>
<tr><td>
&copy; {$year} {$author}
</td></tr></table>
</body></html>

My problem with mostly-static templates:

Why not just use PHP? In that sense PHP *is* a templating language. Why wrap a new language around something that PHP already does just fine? Better explained in Brian Lozier’s article on Template Engines. A great read.



Another template extreme: mostly display-logic and variables with some HTML inside:

{include file="pagetop.tpl"}
{if isset($invalid)}
Invalid edit option ({$edit})
{else}
{foreach key=fieldname from=$fields item=element}
{if $expert or !$element.expertonly}
<tr><td width="40%" align="right" valign="top">
<b>{$element.description}</b>
{if $element.subdesc}
<br /><span class="tiny">{$element.subdesc}</span>
{/if}
{strip}
</td><td width="60%" align="left" valign="middle" class="small"
{if $element.crucial} bgcolor="Yellow"{/if}>
{/strip}
{if isset($notype)}
<p>Not ready to upload yet</p>
{else}
{assign var="file" value=$element.type|concat:".tpl"}
{include file="Backend/Bits/$file"}
{/if}
</td></tr>
{/if}
{/foreach}
{/if}
{include file="pagebottom.tpl"}

My problem with mostly display-logic and variables templates:

Again - why not just use PHP? Look at that code example, above. 26 lines of code, and only 6 lines are actually HTML. Why even be in a template, then? Why not just stay in PHP and generate those occasional tidbits of HTML when you need them?

I disagree with the philosophy that tries to keep the "poor non-technical graphic designers" away from PHP, giving them an "easier" system like Smarty or any other template language. Again: why not let them use PHP for their template-logic? It’s much more documented and well-known than any special template-language you can throw at someone.

I make very interactive websites. Full of display-logic that will (for example:)

  • display different flags if an item is on sale
  • use different image sizes based on how many images are shown at once
  • totally change the look and feel if clicking from a partner site
  • show different languages and currency based on your settings

As you can imagine, using template files for this kind of on-the-fly display logic was getting ridiculous.

I decided I don’t want to leave PHP anymore to output the occasional HTML tags around my variables.

That’s where my head was at when I wrote the last post, "Getting PHP to make the HTML for me".

Read that, if you haven’t, then let’s move on to the next idea: basic HTML building blocks.

Your thoughts on this so far? Do you use and love templates for interactive sites? Am I missing the point, here?

brian d foy

Related link: http://www.auscert.org.au/render.html?it=4091

The Australian National Computer Emergency Response Team (AusCert) said today in “AA-2004.02 — Denial of Service Vulnerability in IEEE 802.11 Wireless Devices”:

A vulnerability exists in hardware implementations of the IEEE 802.11 wireless protocol that allows for a trivial but effective attack against the availability of wireless local area network (WLAN) devices.

brian d foy

NetGrocer is the latest e-business which cannot ship to me on time, and perhaps one of the last hold-outs from the dot-com era of broken promises. The problem is that I keep believing the promises.

I am on the road with my wife, who is singing with Michigan Opera Theater this month. Performances are in the evening, and we stay up later than that, so we do not keep normal hours. We are often up late enough to catch breakfast in the hotel restaurant before we go to sleep. Detroit grocery stores do keep normal hours though, so that’s a problem.

I thought I would be slick: NetGrocer could send me groceries by FedEx. I could shop whenever I want, so I did. For some reason I still believe in the promise of computers, easy living, and Tomorrow Land. I still think software and gadgets can make life easier, despite abounding negative evidence.

On May 7, around 2 am, I ordered a bunch of groceries. They said that delivery times were 1 to 4 days, but definitely by 3 pm on May 12 (yesterday). That would still give us a week at the hotel to eat everything I ordered. We could do that.

At 4 pm on May 12, one hour past the delivery date, I tried to track my packages through their website, but couldn’t because there was no way to track them. My order status was “Processing”. I called their customer service center. They could not find my order. I cancelled my order, dejected that once again I had let myself get burned by the hype of a better future. The truth is that I still have to get my rental car out of the garage, drive far away from the hotel, and shop in a real store crowded with real people.

Today, May 13, I got an email saying that my order had just shipped and should be there by May 12. I suppose that is true for certain values of May 12, just not the one that was yesterday. They must have some high tech software there (the mailer was NTMail 7.00.0018, if that is any clue). In any case, I do not have any space in the small hotel refrigerator that I just stocked with real food from the real grocery store. Now NetGrocer threatened to be also inconvenient in addition to disappointing.

Their email also says they are out of stock of some items, despite the claim on their website that they are in stock. Indeed, the web site claims different items are out of stock. That is some amazing inventory control software. When the real grocery store did not have something I wanted, I knew right away and chose something else.

I called my credit card company to dispute the charge, but NetGrocer has not charged my card, at least not yet (not even an authorization). I usually expect businesses to make me pay for my purchases, even if they ship it in error. They must have some high tech accounting software too.

As far as I can tell right now, three boxes are on their way to the hotel via FedEx, but they are going to get here after the show is over and we are already back in Chicago. Again, so much for the convenience of “e-business”. Too bad I will probably just fall for the hype with some other company though.

Is there E-Commerce Anonymous? Anyone want to be my sponsor and keep me straight?

Andy Oram

Related link: http://www.usatoday.com/tech/wireless/data/2004-05-12-tv-airwaves_x.htm

This USA Today article represents wonderful news, because it shows that Wi-Fi has caught the eyes of the regulators enough to give it cachet over cell phone companies. The decision isn’t certain yet, but it looks like pretty much a done deal. Unused channels will be open to all users, providing a resource for successors to Wi-Fi, WiMax, and whatever else comes along.

This decision would be particularly significant because it would indicate government’s future decision regarding TV broadcast spectrum in general, as broadcast TV (presumably) moves to HDTV. (It’s more likely that broadcast TV will just shrivel up gradually through disuse. HDTV isn’t proving economically viable, but people will find ways to get Internet video other ways.)

I had always assumed that, as broadcast TV channels became free, Congress and the FCC would just license them off. Cell phone companies haven’t made great use of the overpriced licensed spectrum they’ve gotten so far, but I didn’t imagine the public interest would actually trump powerful commercial ventures. The current controversy is a source of hope.

Kevin Bedell

Here’s the text of a warning distributed today by Mandrakesoft, publishers of Mandrake Linux:

Flash: EU Software Patent Legislation: a real threat for Linux and Open
Source

Mandrakesoft would like to alert all users and the software community at
large about a recent clandestine attack by proprietary interest through
covert adoption of EU Software Patent Legislation.

In direct contravention of the recent vote by the European Parliament to
curtail Software Patents, the Irish Presidency of the European Union has
surreptitiously reinstated unlimited software patent language into the
text of a statement to be adopted by the European Council of Ministers
on Monday May, 17th, without further debate!

The new text, if adopted, will extend Software Patents to every piece of
software, including computer programs, data structures, and process
descriptions. This will directly harm most software firms and all Open
Source projects unable to pay patent licensing tribute, and amounts to
an appropriation of the public domain by proprietary interests. A
direct beneficiary will be a new class of pure patent companies without
any real business or contribution to employment, which will use the
threat of litigation to extort payments.
Of note is that a sponsor of the Irish Presidency is Microsoft,
currently building a large patent portfolio. If the Software Patent
text is adopted, Microsoft may use this patent portfolio against Linux
and other Open Source projects.

Mandrakesoft would like to forewarn and mobilize its users and the
software community about the very real threat of such a law. Please
contact the media, your political representatives, and your government,
and urge them to vote against unlimited Software Patents and to revert
to the previous European Parliament position.

For further information please see the following links:
http://swpat.ffii.org/journal/04/cons0507/index.en.html

http://kwiki.ffii.org/SwpatcninoEn

Mandrakesoft Online Team.

Chris Shiflett

Related link: http://www.onlamp.com/pub/wlg/4860

I just read a very favorable review of Advanced PHP Programming by George Schlossnagle.

This isn’t unusual, since everyone loves George’s book (myself included, although I haven’t had a chance to read it thoroughly enough to review it yet), but I thought it was cool that the review was from Derek Sivers, the guy behind CD Baby. Very cool.

Derek Sivers

Earlier I pointed at the essays by Paul Graham about building up a language, and that guy that made Ruby Rails.

Now that I’m making my own HTML template system, I realize what I need are functions, as if built into PHP, that will do some basic HTML markup of strings.

THE TAGS:
h1, h2, h3, h4, h5
p div span
ul li
dl dd dt
table tr td
strong
code address pre blockquote
a href
image
form input select option label

THE DECORATION:
All of those tags can (and will often) have one or more of these attributes:
class="something"
id="something"
title="something"

Also, image and a href have their own special targets. And forms have their own special attributes.

OH NO! IT’S NOT AN OBJECT!:
Somewhere in Ruby-love I got it in my head that everything should be an object.
But what I want here are functions that return a result:

div('hello') = <div>hello</div>
div('hello', 'id', 'greeting') = <div id="greeting">hello</div>

PHP already has a bunch of these under “String Functions”. Some great ones are:
htmlentities('"you & me"') = &quot;you &amp; me&quot;
strip_tags('<a href="me.html">me</a>') = me
strtoupper('hello') = HELLO

So there we go. If I could alter the language itself to add these functions, I would. (Yes OK I know I could write modules in C to expand PHP, but I’d hate for someone else to have to maintain or debug that.)
So I think the best thing is to write a library of string-altering functions.

HOW TO DO ATTRIBUTES, THOUGH?
How to do the attributes, though? The best way I’ve ever seen is PHP’s XML DOM class:

$track = $tracks->new_child('amount', 10) = <amount>10</amount>
but…
$track = $tracks->new_child('amount', 10);
$track->set_attribute('currency', 'USD') = <amount currency="USD">10</amount>

If I were to do that with HTML-markup objects, it’d have to look like this, though:
$x = $html->div('hello');
$x->attribute('id', 'greeting');
$x->attribute('title', 'welcome');
= <div id="greeting" title="welcome">hello</div>
Hmmmmmmmmm……… That’s not very elegant for use in a hundred places on an HTML page.

What if attribute() was also a string-altering function that uses a little regex to add an attribute to the first HTML tag it sees?
$plaindiv = div('hello') = <div>hello</div>
$div_plus_class = attribute($plaindiv, 'class', 'greeting') = <div class="greeting">hello</div>
attribute($div_plus_class, 'title', 'welcome') = <div title="welcome" class="greeting">hello</div>

Ooh! The nice thing about this is that I could use, say, a table-making function, to get me back a table:
$mytable = table($bigarray);
… then add an id to the table afterwards like this:
attribute($mytable, 'id', 'sales') = <table id="sales"><tr><td>etc…</td></tr></table>

Yeah I’m diggin’ this.

Holy shit I just went to go test this idea and it took only 30 seconds, and seems to work!

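# regex to add an attribute to an HTML opening tag
function attribute($html, $key, $value)
{
    // match the tag name of the first opening tag, e.g. "<div"
    $pattern = '/^<(\w+)/';
    // re-emit the tag name, followed by the new attribute
    $replace = '<$1 ' . $key . '="' . $value . '"';
    return preg_replace($pattern, $replace, trim($html));
}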
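
The attribute() idea above with output encoding added, as an example that is not part of the original post. It places the post's function next to a variant (the hypothetical `safe_attribute()`, PHP 7.0 or later assumed) that validates the attribute name, HTML-encodes the value, and keeps `$1` in a value from being read as a regex backreference. All inputs are constructed.

```php
<?php
// Added example, not the post's code. safe_attribute() is a hypothetical name.

// The post's function, repeated so the two can be compared side by side.
function attribute($html, $key, $value)
{
    $pattern = '/^<(\w+)/';
    $replace = '<$1 ' . $key . '="' . $value . '"';
    return preg_replace($pattern, $replace, trim($html));
}

// Same idea, but neither $key nor $value can change the shape of the tag.
function safe_attribute(string $html, string $key, string $value): string
{
    // Attribute names: a letter, then letters, digits, '_', ':' or '-'.
    // Spaces, quotes, '=', '>' and '/' are rejected, so a name cannot
    // start a second attribute or close the tag.
    if (!preg_match('/\A[A-Za-z][A-Za-z0-9_:-]*\z/', $key)) {
        throw new InvalidArgumentException('invalid attribute name');
    }

    // Encode & < > " ' so the value cannot end the double-quoted attribute.
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // A callback returns the replacement as a literal string. In a plain
    // preg_replace() replacement, "$1" or "\1" inside the value would be
    // expanded as a backreference to the tag name.
    $result = preg_replace_callback(
        '/\A<(\w+)/',
        function (array $m) use ($key, $encoded): string {
            return '<' . $m[1] . ' ' . $key . '="' . $encoded . '"';
        },
        trim($html),
        1
    );
    if ($result === null) {
        throw new RuntimeException('regex error');
    }
    return $result;
}

// Constructed inputs: a plain value, a value containing a double quote,
// and a value containing "$1".
$cases = [
    'plain value'        => 'welcome',
    'quote in value'     => 'welcome" data-x="1',
    'dollar-digit value' => 'costs $1',
];

foreach ($cases as $label => $value) {
    echo $label, "\n";
    echo '  original: ', attribute('<div>hello</div>', 'title', $value), "\n";
    echo '  encoded:  ', safe_attribute('<div>hello</div>', 'title', $value), "\n";
}

// An attribute name that tries to carry a second attribute is refused.
try {
    safe_attribute('<div>hello</div>', 'title="x" id', 'y');
} catch (InvalidArgumentException $e) {
    echo 'rejected attribute name: ', $e->getMessage(), "\n";
}
```

In the second case the original function emits a second attribute taken from the value, and in the third it substitutes the tag name for `$1`; the encoded variant keeps both values inside the `title` attribute.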

Derek Sivers

Related link: http://dev.mysql.com/doc/mysql/en/ANSI_diff_Subqueries.html

It’s hard to break the glass ceiling: to wrap your head around new programming features you didn’t have before.

MySQL 4.1 has subqueries. And I can hardly find a use for them! I’ve gotten so used to thinking of SQL without subqueries that I can’t remember what I would need them for.

I’m sure I’ll find a use someday, when frustrated that I have to write an ugly solution to something that could be done more succinctly.

But this is how I feel with learning new programming languages, for example, where I find a language has Feature X, which I’ve never worked with before. My head is used to the limitation.

I guess that’s why it’s good to learn new languages. (Read Paul Graham’s essays on Lisp here and here - and the Pragmatic Programmers Language of the Year project.)

Derek Sivers

Related link: http://www.cdbaby.com

There are two projects about to start at the same time: CD Baby and Filmbaby.

Both are almost identical. One sells CDs by indie musicians. One sells DVDs by indie filmmakers.

For Filmbaby, though, I was going to stay out of it, and let another programmer do it all. I’ve got enough on my plate. I figured I’d just let him use anything from my CD Baby code, to make Filmbaby.

But right now the CD Baby code is a mess. I’m just about to re-write it from scratch. (Timeline: I could start any day now, and probably finish in 2 months.)

If he were to start now, and borrow code from the existing CD Baby, then he would be borrowing messy code about to die anyway. (Or have less to borrow because it’s so messy, and un-borrowable.)

So I’m trying to decide what’s the best way for him and me to make these two projects, since they will be almost the same, and almost at the same time.

APPROACH #1 : I START CD BABY ALONE, FILMBABY STARTS NEXT MONTH
I start coding CD Baby now, by myself, setting up the basics the way I think it would be best. In a month, he starts Filmbaby alone, borrowing whatever he needs from my CD Baby coding.

APPROACH #2 : HE STARTS FILMBABY NOW, I START CD BABY WHENEVER
He starts coding Filmbaby now, however he thinks it’s best. I start rewriting CD Baby later, and we probably borrow bits and pieces from each other’s stuff.

APPROACH #3: WE BOTH SIT DOWN AND WRITE A SHARED BASE
We both write this together: a new codebase that will work for CD Baby and Filmbaby together. Leaving most things generic until the end when we fork it off into the stuff that is just for CD Baby, and just for Filmbaby.

APPROACH #4: I START WRITING A SHARED BASE, HE JOINS IN LATER
I could start writing that shared base myself, from my experience with what’s needed. In my mind, I’d actually be writing the generics of the new CD Baby, but keeping it non-specific to CDs, so that the same stuff could be used for Filmbaby.

Derek Sivers

Related link: http://www.cdbaby.com

I think there is no such thing as a shopping cart.
A shopping cart is what we call the process of putting together an order.

When you put something in your shopping cart, what you’re really doing is adding it to your order.
A shopping cart implies something in flux. Items being added, subtracted, changed. But it’s still just an order.
Proof?

A shopping cart must follow the *exact* same rules as an order. Meaning:
* all discounts
* postage costs
* bundles
* coupons
* gift certificates

Every business rule you write that applies to the final order has to be exactly the same for a “shopping cart” or else the customer would be furious.
From a programmer’s point of view, this means that the same code has to calculate an order-in-flux as it does a final order.
A shopping cart is an order. Not “a kind of” order. Not “like an” order. A shopping cart is an order.
There is no such thing as a shopping cart.

A final order is still not final
Example: a customer orders 3 items that are usually $10 each, but only $7 each if ordered together. The $21 order is shipped. The customer decides to return one of the items in the bundle. The back-end customer-service handling of the not-really-final order has to also use that same code to know that returning one brings the price of the other two back up to $10 each.

The common trait: a collection of things
Think of an Amazon wishlist. It’s basically a “cart” from which you can add and subtract items. But it has no quantities and no prices.
What does it have in common with an order (a shopping cart)?
It’s a person’s collection of things.
It seems this should be a module, a mixin, an interface, an abstract. Something like that. (Sorry - all these object-oriented programming terms swimming in my head, and I get them confused.)

A shopping cart, an order, a wishlist, all have these functions/methods in common:
* add a thing to the collection
* delete a thing from the collection
* change quantity of a thing in the collection
* knows how many things are in the collection
* knows who is its owner (whether user_id, session_id, etc)
* show me all things in the collection

A non-quantitied collection (wishlist) will have this unique aspect:
* when you add a thing to the collection that is already in the collection, the quantity stays at 1
* a count of things just counts how many unique things - ignores quantity (has no concept of quantity)

A quantitied collection (not priced) will have this:
* when you add a thing to the collection that is already in the collection, the quantity increases by 1
* when you decrease the quantity of a thing to zero, the thing is removed from the collection
* a thing’s quantity can be changed directly (change 1 of a thing to 15 of that thing)
* a summary count of items needs to take quantity in mind (sum of the quantities tells you how many things)

A priced-and-quantitied collection (shopping cart, order) will add this:
* a summary of price that includes quantities
* business rules for altering the price, based on the things in the collection (sales, quantity-discount, bundled-batches, etc)

We’re still just dealing with the generic, here. Next time we’ll get into what a CD Baby order (cart) needs to do.

Your thoughts on this?
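
The collection hierarchy described in this post, sketched as an added example that is not CD Baby code. Class names, SKUs, the cents-based prices and the single bundle rule are constructed, and PHP 7.1 or later is assumed; the point is that one `total()` routine prices the cart, the shipped order and the order after a return, using the post's $10/$7 bundle.

```php
<?php
// Added example, not CD Baby code. Names, SKUs and prices are constructed.

class Collection                      // wishlist: no quantities, no prices
{
    protected $owner;                 // user_id, session_id, etc.
    protected $items = [];            // sku => quantity

    public function __construct(string $owner) { $this->owner = $owner; }
    public function owner(): string { return $this->owner; }
    public function items(): array { return $this->items; }
    public function add(string $sku): void { $this->items[$sku] = 1; }
    public function delete(string $sku): void { unset($this->items[$sku]); }
    public function count(): int { return count($this->items); }
}

class QuantitiedCollection extends Collection
{
    public function add(string $sku): void
    {
        // Adding a thing that is already present increases its quantity.
        $this->items[$sku] = ($this->items[$sku] ?? 0) + 1;
    }

    public function setQuantity(string $sku, int $qty): void
    {
        if (!isset($this->items[$sku]) || $qty < 0) {
            throw new InvalidArgumentException('unknown item or negative quantity');
        }
        if ($qty === 0) {
            $this->delete($sku);      // quantity zero removes the thing
            return;
        }
        $this->items[$sku] = $qty;
    }

    public function count(): int { return array_sum($this->items); }
}

class Order extends QuantitiedCollection   // cart, order, order-after-return
{
    private $prices;                  // sku => cents, held server-side
    private $bundles;                 // each: ['skus' => [...], 'each' => cents]

    public function __construct(string $owner, array $prices, array $bundles)
    {
        parent::__construct($owner);
        $this->prices = $prices;
        $this->bundles = $bundles;
    }

    public function add(string $sku): void
    {
        if (!isset($this->prices[$sku])) {
            throw new InvalidArgumentException('item not in catalogue');
        }
        parent::add($sku);
    }

    // The single pricing routine: always recomputed from current contents.
    public function total(): int
    {
        $remaining = $this->items;
        $total = 0;
        foreach ($this->bundles as $bundle) {
            if ($bundle['skus'] === []) { continue; }
            // Number of complete sets of this bundle still unpriced.
            $sets = PHP_INT_MAX;
            foreach ($bundle['skus'] as $sku) {
                $sets = min($sets, $remaining[$sku] ?? 0);
            }
            if ($sets === 0) { continue; }
            foreach ($bundle['skus'] as $sku) {
                $remaining[$sku] -= $sets;
                $total += $sets * $bundle['each'];
            }
        }
        // Everything not consumed by a bundle is charged at list price.
        foreach ($remaining as $sku => $qty) {
            $total += $qty * $this->prices[$sku];
        }
        return $total;
    }
}

$prices  = ['cd-a' => 1000, 'cd-b' => 1000, 'cd-c' => 1000];
$bundles = [['skus' => ['cd-a', 'cd-b', 'cd-c'], 'each' => 700]];

$order = new Order('customer-42', $prices, $bundles);
foreach (['cd-a', 'cd-b', 'cd-c'] as $sku) { $order->add($sku); }
printf("cart/order total: %d cents (%d things)\n", $order->total(), $order->count());

$order->delete('cd-b');               // customer returns one item of the bundle
printf("after return:     %d cents (%d things)\n", $order->total(), $order->count());

$wishlist = new Collection('customer-42');
$wishlist->add('cd-a');
$wishlist->add('cd-a');               // second add leaves the quantity at 1
printf("wishlist holds %d unique thing(s)\n", $wishlist->count());
```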

Derek Sivers

Related link: http://www.isbn.nu/0672325616

This book just got me excited about PHP again: Advanced PHP Programming by George Schlossnagle.

I’ve been programming in PHP full-time for 5 years now. I remember when I was first learning, how all the books felt a little over my head, in a good way. Very slowly I understood things that didn’t make sense before. And then very slowly I’d start to incorporate those things into my day-to-day programming.

After 2 years or so, I missed that feeling. I’d check out new PHP books and flip through every chapter saying, “Yeah yeah yeah…”. I realized I had become an expert.

I was honestly impressed looking at the table of contents of this book. This is NOT your usual PHP book! That’s obvious right away. So I ordered it. And it just arrived yesterday. I was up all night reading it, and again today. This is the most amazing PHP book for experienced PHP programmers I’ve ever seen. (Wait - this is the ONLY book for experienced PHP programmers I’ve ever seen!)

The author really knows his stuff, and uses best-practices, throughout. Really well thought-out code with a lot to learn from.

It’s written entirely in PHP5 with things I had never heard about, like MySQL’s new Prepared Statements and Bound Parameters. (More on that subject later.) Great chapters on benchmarking and profiling. Really nice to see him using the PHP5 style OOP, marking all methods and attributes as public, private, or protected. A great way to get to know the new object approach to PHP5: to see it in real-world examples, so that after a few hours with this book it’s second-nature.

For the first time in three years, I feel wonderfully over-my-head with a LOT to learn here in this one amazing book. Thanks George!

Derek Sivers

Related link: http://www.cdbaby.com

Just thinking out loud, which components of CD Baby will be the *exact* same as Filmbaby - and where it will differ. Trying to help me decide how to approach programming these at the same time.

CODES USED BELOW:
* = exactly the same
~ = very similar
! = different

STOREFRONT:
* customer
* cart
~ recommendation engine
* client
* item(abstract)
* inventory (multiple warehouses)
* payment
* shipping/postage calculation
* email notification
! album < item
! movie < item
* merch < item
! songs (for albums)
! cast+credits (for movies)

!~ site browsing methods (new arrivals, top sellers = same. by genre & flavor = similar. by location = N/A.)
* search engine abstract (including caching)
~ search engine specifics (music versus film)
* front-page & featured

* language (approach - though different files)
* dynamic web config (name, css)
* template system
* database connection
* session-management (customer login/memory)
* url parsing (key/value/value)
* hits/traffic log

MEMBERS AREA:
Existing members.cdbaby can be copied exactly, except:
Slight difference in signing up movie versus album.
No digital distribution.

OFFICE:
Existing office.cdbaby.com can be copied exactly, except:
No free CD assigner
No digital distribution section needed
No swiper section
No compilations
Think about how to do employee thing : same as CD Baby? How to split expense?
No Tower Records thing

ORGANIZING (filesystem/CVS):
/baby = classes shared between both, kept exactly in sync with CVS even after sites are up and active
/cdbaby = cdbaby-only classes
/filmbaby = filmbaby-only classes

Derek Sivers

Related link: http://www.paulgraham.com/progbot.html

A nice thing to look forward to in re-writing from scratch: Bottom-Up Programming. I like the way he describes this:

  • the higher you build up the language, the less distance you will have to travel from the top down to it
  • changing the language to suit the problem
  • build the language up toward your program
  • As you’re writing a program you may think “I wish [I] had such-and-such an operator.” So you go and write it.
  • Language and program evolve together.
  • In the end your program will look as if the language had been designed for it. And when language and program fit one another well, you end up with code which is clear, small, and efficient.

Look at a great example in Ruby, here. Extending the core library. Beautiful. Another one of the things I love about Ruby.

Derek Sivers

Related link: http://www.paulgraham.com/taste.html

Go read Paul Graham’s essay called "Taste for Makers". It’s one of the most inspiring things I’ve read in a long time.

I want to make beautiful programs for their own sake. It makes me happy. Like the art and craft that goes into making music even if nobody will hear it. You want this beautiful thing to exist and be as good as it can be.

CD Baby was, from the very beginning, meant to be a design project. Not graphic design, but business design. A contrarian invention to be the opposite of traditional distribution, the opposite of greedy commercial ad-filled websites, the opposite of the major-label attitude that shuts out all but the biggest sellers. Even if it never made any money, I just wanted something like that to exist.

So now I feel the same way with the code. I can imagine beautiful code, smart layout, best-practices in class structure and encapsulation, separating business-logic from presentation-logic, and the list goes on.

I know this might be really naive, but it’s a fun thing to shoot for.

Derek Sivers

Related link: http://www.cdbaby.com

Pretty soon I’m going to re-write CD Baby from scratch.

CD Baby, including the storefront, backend intranet, members login area, and various cron scripts is made up of 91,345 lines of PHP code in 1105 files. And I did it all myself over the past 5 years.

6 years ago when I started CD Baby, I didn’t know shit about programming. I just knew some basic HTML. The first version of the site was done in Microsoft FrontPage (how embarrassing! It worked hand-in-hand with the shopping cart software, though, so I had to.) When people would mail me CDs, I would open up a template in FrontPage, and cut-n-paste their info into the template, and upload their page.

As it grew, I knew I had to go to something database-driven. But to me, a database was Filemaker Pro. A program where you click things on the screen, drag and drop things, etc. I guess for people using Microsoft servers, it still can be that way. But my gurus taught me the peace-of-mind of open source. Using only non-commercial technologies, so that nobody can decide to start charging you too much.

So I bought some books on PHP and some books on MySQL. I learned s-l-o-w-l-y. I mean REALLY slowly. I mean only really after 3-4 years did I feel I knew what I was doing. Until then I would get by with something just barely good enough to work, which was enough for me.

But now after 6 years and 90,000 lines of PHP code, I really am getting good at this. So I want to go back and re-write CD Baby from scratch, knowing what I know now, to right my past wrongs, and leave a much more flexible, expandable, maintainable program to ride into the future.

This journal will document the re-writing thought process, decisions, philosophies, cool tricks, and all that fun techie stuff.

brian d foy

Related link: http://www.back-to-iraq.com

Chris Allbritton of Back-to-Iraq.com raised over $11,000 in reader donations to return to Iraq to continue his independent reporting in his blog. He left today for Oslo, and from there he travels to Jordan, then into Iraq. Chris is going to be there for a while, too, instead of popping in and out to cover the stories of the week.

Not only that, he uses Movable Type that he updates from a PowerBook.

Do you want to give your 50 cents to your favorite reporter instead of a newspaper?

brian d foy

Related link: http://www.wired.com/wired/archive/12.05/view.html?pg=3

Lucas Graves interviewed EarthLink’s Chief Privacy Officer, Les Seagraves, about fighting spam. He mentions AOL, Yahoo!, and Microsoft a couple of times, saying

As long as there’s something threatening to put them [spammers] out of business or make them pay a lot of money, they’ll think twice.

Maybe Microsoft’s legal department will turn out to be a force for good.

Andy Oram

The shocking scenes of torture from the Abu Ghraib prison should make us think farther than Iraq, the Middle East, or even U.S. relations with other non-Western countries. It informs our debate on the PATRIOT act, which eases the government’s ability to spy on people, to arrest them, and to treat them in any manner it likes once they are arrested.

Add up the following considerations:

Most prisoners are innocent.

The Red Cross reported yesterday that 70% to 90% of Iraqi detainees are innocent. Our Iraqi prisons, overstuffed to the bursting point, are not responses to crime or even military need so much as punishment centers for the whole population.

But this should be no surprise. The Guantanamo Bay Naval Base has been releasing its detainees steadily since it was set up. These wretched souls, often swept up in random dragnets after the Afghan war or turned in by malicious neighbors, get a one-way ticket back to their home country without any apology or compensation, so far as I’ve heard. Rarely are they charged with a crime; this is an admission by omission that their arrest was unjust.

Torture is a policy.

The Red Cross report also quotes high-level U.S. officials as explaining that they strip prisoners naked and hold them in the dark without bedding as a matter of course. Clothes, bedding, and light are rewards for cooperation.

Here, comparisons with Guantanamo Bay are less evident. Few direct reports of torture have come out of there, but the published guidelines for treating prisoners include practices that are illegal under both U.S. and international law. These guidelines include “moderate physical pressure,” which sounds like the guidelines followed (and routinely exceeded) in Israeli prisons, and which an Israeli court has ruled illegal there.

There is no doubt, however, that prison conditions are terrible in U.S.-occupied Afghanistan and that the U.S. regularly farms out prisoners to governments that use torture. So Abu Ghraib is part of the pattern.

Interrogations are probably worthless.

The lack of people well-trained in Arabic and Iraqi culture in the military and American intelligence community has repeatedly been cited. It doesn’t improve the situation for the military to amuse themselves by subjecting their own Muslim chaplains and translators to the same treatment they dish out to prisoners.

This is the context for understanding the PATRIOT act and its extensions. Instead of evaluating it as an instrument for the U.S. to use against internal or external terrorists, we must evaluate it primarily as an instrument for the U.S. to create new Abu Ghraibs around the world.

There should be no illusions that use of the PATRIOT Act will be restricted to dangerous and criminal people. It will be used like any tool in the hands of the powerful to cut off political disputes and carry out personal vendettas. And its clauses make it easy not only to catch people in a sinister pseudo-legal net, but to hide them away from lawyers and others who could check what forms of torture the government is using against them.

Abu Ghraib has been in the planning for some time. It shows why the U.S. has been so insistent on opposing the very existence of the International Criminal Court and has spent a lot of political and economic capital to browbeat other countries into promising not to bring the U.S. before that court.

Administration officials say, “Don’t worry about us; we are upright protectors of human rights who are unlikely to violate laws, and who will prosecute our own violators.” I’ll believe that when Donald Rumsfeld is thrown naked into a darkened cell.

The ACLU and others who fight the PATRIOT Act have identified plenty of abusive Administration practices. But much of the debate over it has been hypothetical. It can be hard to project into the future the seeds of what the government is doing in the U.S. References to the internment of Japanese during World War II or Johnson’s and Nixon’s COINTELPRO activities in the 1960s and 1970s hark back to barely-remembered eras.

But Abu Ghraib is now. And we are all Abu Ghraib.

Adam Trachtenberg

Related link: http://www.google.com/googleblog/

I wonder if you’re allowed to post to your blog during the IPO quiet period?

What do you think about Google’s new blog?

brian d foy

Over the past month I have tried to buy a bunch of things on Amazon, and failed almost every time because Amazon has not shipped things to me on time. I used to love buying things on Amazon because I knew I’d get them in a couple of days with minimum hassle. Now I have to scrutinize the several pages of the checkout process to see if the estimated shipping dates match what the product pages said, and more often than not lately, they don’t.

This is a big deal for me. I’m hopping around the country right now. I’m in Detroit only for another week and a half, so if I order something today and choose regular shipping, Amazon needs to ship it within the next couple of days for it to get to me before I leave. Amazon missed me in New York and again in Chicago because they did not ship on time.

The product pages say “usually ship in 24 hours”, but then the order page will say “Estimated ship date for this item: [two weeks from now]”. This gets even worse if it is shipped by a third party (J&R Music and Computer World and eBags were recent suppliers who couldn’t ship to me on time). They seem to be even slower.

I have already been burned by this twice this month. I ordered a book for next day delivery, and it got to where I was two days after I had left because it shipped three days late. This happened at my next stop too. I still do not have the book, and I wanted to order it again today. It can’t ship until next Tuesday so I risk missing it again. What’s the point of paying extra for FedEx when the book won’t even ship for a week?

What happened to all that bluster about getting rid of bricks and mortar? It looks to me like Amazon needs more of it, because I’m going to Borders tomorrow.

Anyone else having problems with Amazon, or am I having a string of bad luck?

brian d foy

Related link: http://www.macintouch.com/thoth.html

I got my new PowerBook the other day (the 15″ model, for everyone who has been asking: the 17″ is just obscene), and I have been going through the (literally) once in a blue moon process of setting up a new PowerBook.

As part of that, I need to get my favorite newsreader, Thoth, up to speed so I can work on things in various perl.org newsgroups. I would give you a link to Thoth, but all you get is a blank page. I found out that Brian Clark has moved on, for various reasons.

I tried Thunderbird, but I could not figure out how to order the newsgroups in any other way than alphabetical, which means I cannot order groups in the order I think they are important and the order in which I want to read them. A few other applications were even less appealing.

I just want my Thoth, and it needs a registration key to get rid of an annoying “Register” dialog, but I have no way to pay for it anymore, and I have not figured out how to transfer the registration from my old PowerBook to my new PowerBook. It is too bad too, because Thoth is one of the few applications I actually paid to use.

So long, Thoth.

brian d foy

Related link: http://methodshop.com/mp3/articles/iMix/index.stm

Go figure—Apple Computer rejected “One To Tango—Songs With a Masturbation Theme”, although it will sell you all of the songs in that rejected iMix playlist.

I think the playlist may have been rejected for a single word in its title, and Apple did clearly state that they will not publish iMixes that are “obscene, objectionable or in poor taste”, even if they will sell songs marked with little “explicit” boxes next to them.

I do not think Apple has the potential to dominate global digital music downloads if it does not want people to share or discuss what a lot of music actually says.

Jono Bacon

In my life I have two major interests: computers and music. Within my computing interest I spend a lot of time writing/coding/tweaking, and within my music interest I spend a lot of time playing guitar/bass/drums. The natural conclusion to this riveting set of events is that I spend an awful lot of time waggling my fingers back and forth. When you roll into this recipe the fact that I sit, bolt upright, in front of a computer and drum kit, this pegs the last hole for the likelihood of Repetitive Strain Injury (RSI) problems.

RSI seems to be something that affects some, but not all, and I know people who have been involved with computers for years and never had any problems. A few months back I began aching a little in my fingers and I put this down to possible RSI and bad posture at the keyboard. I also leveled much of the blame with the fact that I spend a lot of time working and playing music; I may well have just over-reached myself a little. Anyway, I booked myself in to see the doctor, where I was then referred to a physio to identify the potential problem and solution to my RSI. I got up early one morning and reveled in the joy of trying to find a car parking space at the over-capacity NHS hospital. From around 9am until my appointment at 10.45am I waded through many layers of NHS red tape and endless hospital corridors to eventually meet an incredibly friendly physio.

It seemed that my problems with RSI were not life, music or career threatening, and I was advised about some possibilities to make things a little better. This included soft massage of the part of my hand that was problematic and some special hand exercises. Another suggestion was to take a series of so called micropauses when working. This means taking a 10 or 15 second break every 5 or 10 minutes. A micropause then allows your hand to relax and stop a build up of tension that can result in a repetitive strain injury. This all sounded vaguely familiar to me, and I remembered reading about a special Mac OS X RSI clock on Simon Willison’s blog that alerts you when you need to take a micropause and a general rest break. I did my own research and after a bit of hunting around I discovered a wonderful little GNOME tool called Workrave. This is a pretty impressive chunk of code in the way it will not only regulate your rest breaks and micropauses, but it will also teach you special exercises that you can perform to prevent RSI. These exercises are demonstrated with a 3D character named Miss Workrave.

After installing and using Workrave it struck me that RSI prevention should not be a third party, post desktop afterthought, and should instead be included at some point in the desktop software stack. I tend to use KDE/GNOME/Mac OS X and Windows at different times in my work, and there seems to be little or no RSI prevention included in the software. This is rather dangerous. If I worked in a building site I would not enter the site without a hard hat, and if I were a truck driver I would wear a seat belt. RSI seems a very real and likely problem that can afflict computer users; a problem that can be solved with a better level of awareness. The problem is that this awareness is simply not there. I have been using Linux for years, and I have been aware of RSI for years, but I had never even heard of Workrave.

After doing some googling on the net I discovered very little in the form of official recommendations to include RSI prevention software at these different levels of the desktop software stack. My first assumption was that the common-or-garden environments such as KDE and GNOME should include some form of RSI clock in their base platform. Then I considered a lower level option. A while back I was chatting to Keith Packard on IRC about some of the possible features and improvements in the new X servers that are getting hacked together. One area that Keith informed me about was accessibility. At the time I assumed this kind of accessibility would be related to things such as text-to-speech and redirection of input/output devices and data to braille readers and screen readers. I didn’t even consider the potential of RSI prevention at this level.

If you think about it, the X server has all of the pre-requisites to prevent RSI at that level; this would typically involve timing the breaks between device input and output. If someone is working for 10 minutes and then needs to take a micropause, the X server could pop up a box to indicate the pause. The X server could also initialise micropauses dependent on the number of keyboard interactions and the amount of mouse activity. I am sure someone somewhere has performed research that would indicate the amount of keyboard/mouse action before you need to take a break.

I may be wrong here, but I have seen nothing about this online so far. It does strike me that the new and revitalised culture of X.org could incorporate an RSI prevention layer built into the server. This is of course, the most sensible place to place an RSI prevention strategy - everyone is susceptible to RSI, so everyone should have the ability to use software that prevents it. If this software is built into the very X server that you are using, the issue of awareness is somewhat increased. I am sure the KDE and GNOME projects could then build around this functionality within their desktops. The key thing we need here is research. We need to know which particular movements and interactions are most likely to cause RSI; we can then make our software intelligent enough to prevent this repetition.

The next natural area of debate is whether this RSI prevention layer would be forced onto the user. I know many people will be of the view that an RSI prevention layer should not be included in an X server; an X server is after all there to put graphics to the screen and handle input. Well, that is the key point - it does handle input. In the same way we need to accommodate different languages, disabilities and other nuances of human interaction, we need to also acknowledge threats to human interaction and incorporate prevention mechanisms.

So, what do you think? Does this make sense, or is it all a load of rubbish? Put finger to keyboard and share your thoughts below.

brian d foy

Related link: http://news.bbc.co.uk/1/hi/technology/3639679.stm

I ran across this story in The Week that was on the top of my reading stack today.

Researchers asked people on the streets of London if they would reveal their login passwords in exchange for confectionery.

I did not find what they actually offered, or even if they offered an actual chocolate bar. I do not know about anyone else, but I would hold out for something better than Cadbury.

What would you take in exchange for your password?

Jacek Artymiak

Related link: http://undeadly.org/cgi?action=article&sid=20040430231221

Once again, the OpenBSD team gave us new, better tools to secure the networks we look after. Enjoy!

chromatic

Related link: http://groups.yahoo.com/group/extremeprogramming/message/91683

A common assignment type in creative arts classes is to produce a work in a specific style on a specific topic. For example, a poetry class might have to write a sestina (http://www.uni.edu/~gotera/CraftOfPoetry/sestina.html) about vampires. A painting class may produce watercolor still lifes. A composition class could write a three voice canon and a songwriting class will sometimes write a silly song in the AAA form.

These assignments rarely produce commercially viable or artistically elite
work, but they’re effective at exercising creative muscles. I think that the
constraints enforce some editorial judgments. For example, if you had to choose
the right six words to describe vampires as in the case of the sestina, you’d
have to choose the right six words, if you wanted to write a good poem.
Consider also the case of writing a three-hundred word horror story, especially
if you edit it multiple times. Every new word requires the removal of another
word.

It’s obvious that you can take this idea too far. Arguably, since there’s already one good vampire sestina (see Neil Gaiman’s Smoke and Mirrors), the subject’s tapped out. If you have existing constraints, though, of color, form, line length, meter, or word count, does that save your creativity for more interesting problems?

In the introduction to Extreme Programming Pocket Guide (http://www.oreilly.com/catalog/extprogpg/), I argued that successfully adopting XP requires adopting an attitude of sufficiency. Instead of assuming that you don’t have enough resources to do everything you think you need to do, assume that you have enough resources to do what you can do — and scale back what you need to do to what you can do.

In a recent post to the XP mailing list, Ron Jeffries suggested that you can start practicing XP by adopting the practice of Small Releases. That is, if you force yourself to produce a release every two or three weeks, you’ll need to adopt most of the other XP practices (or reasonable equivalents)! You don’t have to make your customer upgrade every two or three weeks, but his needs should govern the choice, not the stability or quality (or lack thereof) of the code.

Even though I’ve been writing and writing about software for a while, I’m
still amazed at how projects can drag on and on until someone with authority
gives a final, drop-dead date. (Hey, open source development isn’t immune.
Witness the length of time between Debian GNU/Linux or Linux kernel stable
releases!) It often takes a burst of activity (and, unfortunately, a death
march or two), but the software finally arrives near the deadline.

I’m deliberately leaving aside the questions of quality, customer fitness,
stability, and maintainability from this argument — I think XP-like
practices definitely help here — but I often wonder lately if trying to
produce more frequent releases by doing everything except releasing more frequently is misguided.

Perhaps we don’t need long development times because software’s so difficult
to write. Perhaps software’s so difficult to write because we have such long
development times.

Thanks to Adrian Howard for the pointer to the mailing list
message.

Not all artificial constraints are harmless, but could the helpful or neutral ones help us produce better software more reliably?

David Sklar

Much of the Gmail-inspired outrage has focused on what happens to email messages sent by non-Gmail subscribers to Gmail subscribers. “If you want to sign up to have Google’s version of SkyNet scan your messages for ads,” some objectors say, “that’s fine, but don’t involuntarily subject me to that scanning just because I send you a message.”

That is, Gmail subscribers themselves may willingly opt-in to whatever onerous TOS Gmail provides, but third party correspondents are afforded no such opportunity, nor should they have to.

This faulty objection springs from the seductively misleading “privacy” of email.

When I send you an email message, that message is out of my control the instant I send it. This is a lesson that has been learned by countless Internet users who accidentally include someone they’re mocking on a CC: list, mistakenly send personal correspondence to a mailing list, or send something so outrageous that their friends can’t keep it to themselves and it ends up in the New York Times.

It is this last circumstance that is most relevant to the Gmail debate. The custodianship of email messages you send lies with the recipient. Shared values of (on- and off-line) etiquette, friendship, and sociability usually govern that custodianship acceptably. When I share sensitive personal thoughts with friends, whether via e-mail, phone, or good old face to face conversation, they don’t rebroadcast those thoughts to others. Not because of a legal requirement or a Terms of Service agreement, but because of our friendship. Even handwritten letters (with ink and paper, remember those?) are subject to unauthorized distribution. In a professional context, I choose to whom and how I disclose confidential or sensitive information based on my judgement about the trustworthiness and motivations of the recipient of the information. A non-disclosure or other legal agreement helps, but doesn’t prevent disclosure. It just makes punishing the disclosure easier.

The technology that underlies e-mail doesn’t remove the need for the same kind of social guidelines for how it is used. If I find the computerized scanning of e-mail text to generate context sensitive ads repellent (which I don’t), then I must balance my repulsion with my desire to communicate with whomever@gmail.com. It is certainly impractical for me to familiarize myself with the practices of all handlers of all destinations of all email messages I send, but that is not a new problem.

When you send someone an e-mail message, what do you know about the server that it eventually ends up on? Do you trust the administrators of that server? Where do that server’s backups live? Who is the night manager at that off-site storage facility? All of these unknowns certainly affect your privacy as an e-mail author. These mysterious individuals and locations guard your prose. Any one of them could give or sell it to the world.

Encrypting your correspondence doesn’t really buy you much more bulletproof protection. Yes, a PGP encrypted e-mail message gives you some protection against snoopers while the message is in transit and probably guarantees that the first person to read the decrypted message is your chosen recipient. But what happens then? Does the recipient save a plain text copy of the message to his computer? Forward on the decrypted contents to others? The same social necessities and system administration unknowns apply.

So, how to prevent nefarious, rude, encryption-inexperienced, or just plain disagreeable correspondents from making (dare I say it) fair use of your email messages that you don’t like? One way is to cuddle up to the DRM boogeyman. If the Internet has made everyone a publisher, no personal printing press turns out more content than the email client. Individual publishers of email now have something very much in common with the media behemoths that want to squash song sharing. The same technology that is derided for putting restrictive encumbrances on legally acquired PDFs, DVDs, and MP3s could also prevent perceived villains like the Gmail ad-bot from operating on your lovingly crafted email content.

Such a restrictive solution is as bad a policy for most email messages as it is for most other digital content. Email authors must realize that they give up control when they send an email. This has always been true, but perhaps the Gmail fuss makes it clearer.

Over and over again, I read and hear that the communication implications of the Internet mean distributed publishing power, grassroots efforts, infinite channels, reduction in centralized control, insert starry-eyed phrase of choice. If true, this applies to everyone, not just large corporations. If we are publishers, we all must give up some control of our creations.

What do you expect of people to whom you send e-mail messages?

Andy Oram

In one sense, the venerable X Window System has achieved a kind of
security I did not expect it to have: not security in the technical
sense, but security in its role as part of the future of computing.
Just a couple years ago, it appeared that X was joining the hordes of
legacy protocols that would hang on awkwardly in backwaters while the
rest of the world moved forward (at least, some people claim it is
forward) to Windows and OS X.

But then Linux on the desktop became a topic of everyday conversation.
And while Linux on the desktop is just beginning to take hold, it’s
showing signs of staying. The X Window System has a secure place in
end-user computing. (And I’m not even considering here the potential
for X on embedded devices.)

OK, let’s get serious now and talk about technical security. This was
the subject to which Wednesday afternoon was devoted at the intimate,
informal X Developer’s Conference taking place this week in Cambridge,
Massachusetts. Since the ideas tossed around were speculative and
uncoordinated, I will heavily embellish what I heard with my own
interpretations. And that means I take responsibility for any
technical inaccuracies that appear in this weblog.

Security is normally something one worries about with files and
daemons. When an X server and client communicate over a network, of
course, one might be concerned with encrypting the communications to
protect passwords and other data entered. But subverting a window on
your screen doesn’t seem to pose a threat on the level of altering the
/etc/passwd file or grabbing hold of a Sendmail hub server.

Still, security is enough to worry many potential users of Linux. For
instance, as Eamon Walsh of the SELinux team said, “There are weird
things you can do with the X server.” For instance, clients can do
what’s called a “server grab,” which essentially locks the mouse,
keyboard, and every other element controlled by the server for as long
as the client desires. If the client desires to keep it indefinitely,
the only way to kill the client is to find a different physical
terminal or remote system to log into.

It would also be nice, as one attendee at the conference suggested, to
allow someone to view a document labeled Top Secret without allowing
her to cut and paste material from it into another window. This is a
subtle problem involving permissions between two programs and X
properties.

Needless to say, as a relatively old protocol from the 1980s, X was
not designed for security from the bottom up. Jim McQuillan, creator
of the
Linux Terminal Server Project,
listed several ways one could achieve secure X communications:

  • X over SSH (what his customers tend to use)

  • Kerberos

  • NFS 4 (the most recent version, which has security built in)

  • IPSEC

Clearly these each operate at a different level. They also require
different types and amounts of configuration.

I caught some of the presentation by Eamon Walsh of the SELinux team on
“Fine-Grained Access Control for X.” Whereas the most popular ways of
controlling access for X (SSH and Kerberos) work at the session level,
an SELinux extension for X could protect particular windows.
Authentication information could be passed when the user logs in for
the X session. Then, for each window, authentication information could
be stored along with authorization information taken from SELinux
policies.

Walsh is working on a set of hooks in X called XACE. Like Linux
Security Modules, XACE will allow an administrator to plug in the
SELinux extension or others that come along. The SELinux team’s work
was welcomed by conference attendees, but the large amount of
configuration was questioned (particularly the proper choice of
policies, which tend to get very big and complicated in SELinux).
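
The hook idea described above, as an added example that is not X server code and not the real XACE or SELinux API: a simplified model in which the server calls a dispatch point before honoring a request and a pluggable policy module decides from per-window labels. All type and function names are hypothetical, and the sample clients and windows are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of a hook layer. Every name below is hypothetical;
 * none of this is the real XACE, SELinux or X server API. */

enum level  { UNCLASSIFIED, SECRET, TOP_SECRET };
enum action { ACT_PASTE, ACT_GRAB_SERVER };

struct client { const char *name; int may_grab_server; };
struct window { const char *title; enum level label; };

struct request {
    enum action act;
    const struct client *subject; /* client making the request */
    const struct window *source;  /* paste: window the data comes from */
    const struct window *dest;    /* paste: window the data goes to */
};

typedef int (*hook_fn)(const struct request *); /* 1 = allow, 0 = deny */

#define MAX_HOOKS 4
static hook_fn hooks[MAX_HOOKS];
static size_t nhooks;

/* An administrator plugs a policy module in here. */
int register_hook(hook_fn fn)
{
    if (fn == NULL || nhooks == MAX_HOOKS)
        return -1;
    hooks[nhooks++] = fn;
    return 0;
}

/* Dispatch point the server would call before acting on a request.
 * With no module loaded everything is allowed, as in an unmodified server;
 * once modules are loaded, every one of them must allow the request. */
int server_check(const struct request *r)
{
    for (size_t i = 0; i < nhooks; i++)
        if (!hooks[i](r))
            return 0;
    return 1;
}

/* Example policy module: data may not flow to a lower-labeled window,
 * and only designated clients may grab the whole server. */
int label_policy(const struct request *r)
{
    switch (r->act) {
    case ACT_PASTE:
        if (r->source == NULL || r->dest == NULL)
            return 0; /* malformed request: deny */
        return r->dest->label >= r->source->label;
    case ACT_GRAB_SERVER:
        return r->subject != NULL && r->subject->may_grab_server;
    }
    return 0; /* unknown action: deny by default */
}

int main(void)
{
    /* Constructed sample clients and windows. */
    struct client editor = { "editor", 0 }, locker = { "screen-locker", 1 };
    struct window memo = { "memo", TOP_SECRET }, mail = { "mail", UNCLASSIFIED };
    struct request paste_down = { ACT_PASTE, &editor, &memo, &mail };
    struct request paste_up = { ACT_PASTE, &editor, &mail, &memo };
    struct request grab_editor = { ACT_GRAB_SERVER, &editor, NULL, NULL };
    struct request grab_locker = { ACT_GRAB_SERVER, &locker, NULL, NULL };

    printf("no module, paste memo->mail: %d\n", server_check(&paste_down));
    register_hook(label_policy);
    printf("paste memo->mail: %d\n", server_check(&paste_down));
    printf("paste mail->memo: %d\n", server_check(&paste_up));
    printf("grab by editor:   %d\n", server_check(&grab_editor));
    printf("grab by locker:   %d\n", server_check(&grab_locker));
    return 0;
}
```

The policy table here is two rules; the configuration concern raised at the conference is that real policies grow far larger than this.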

It’s tempting to take the encryption and authentication features from
SSH and build them into X, tailoring them for its particular
needs. But because there is no stand-alone SSH library, extracting its
essence in this manner would mean forking the project, with all the
bad consequences that normally entails.

This was part of an extensive presentation on possibilities for X
security given by Ted Ts’o. Ts’o is well-known for his work on the
Linux kernel, but also led the Kerberos development team at MIT and
put Kerberos support into X.

Ts’o built on McQuillan’s talk by suggesting that there were many ways
to successfully achieve security in X, and that the key was to
determine the requirements of a particular environment.

For instance, SSH is great for a dozen or so users over a network. But
it has problems scaling. For one thing, each user has his own SSH
session with the remote server. Second, X over SSH requires an extra
trip through the kernel, with the resultant potential for extra delays
due to scheduling. Third, each SSH session requires configuration on
both remote host and local client system; as the number of systems
grows, the number of configurations grows geometrically. Imagine
cleaning up old configuration lines as employees or students leave the
organization.

Kerberos provides a centralized and therefore more scalable solution,
but it takes much more effort to install and configure than SSH. So
it’s appropriate for large sites.

I got the impression, during these talks, that several fundamental
aspects of security make it difficult to achieve with X.

First, X is a highly distributed protocol. Each connection between
each application (client) and server is independent.

In contrast, security tends to thrive on centralization. Think of
passports, drivers licenses, and credit cards, all issued by
centralized authorities with varying guards against forgery. Think of
certificate authorities, the centralized solution to proving
identity. Think also of PAM, the common basis for introducing
different types of security into the Linux kernel.

The attendees at the X conference spent quite a lot of time looking at
PAM. There was also a brief consideration, which flew by in about
thirty seconds, for centralizing access by all clients so that
security between the clients and server could be handled locally.

After the centralization/decentralization issue, one comes across the
bewildering choice of layers. For instance, SSH operates at the
application layer. It seems to me that this is why it’s relatively
inefficient for the purposes of securing X. In contrast, IPSEC
operates deep at a nicely buried layer, but that means that its
information is unavailable to X. (Ts’o said that X cannot currently
tell whether IPSEC security is in effect, much less extract the
signature used to sign an IPSEC session.)

Aside from security, another of the discussions I had the privilege to
listen in on concerned a possible move to the OpenGL 3D interface. Jon
Smirl, a product marketer in the open source area, claimed that OpenGL
was valuable even for applications that did not do 3D graphics; the
acceleration provided would benefit all graphic displays. He pointed
out that a growing number of graphics cards offer the OpenGL interface
and perform a growing amount of 3D in hardware (the move being
encouraged by the growing bandwidth available between CPUs and
graphics processors). X needs to settle on OpenGL to achieve
competitive performance.

OpenGL, however, is only a part of the strategy Smirl said that Linux
and the open source community needed to compete with Microsoft. He and
others backed up a widely-circulated warning, given by Miguel de Icaza
in a recent
interview,
concerning the convenient mark-up language developed by Microsoft
under the name XAML.

XAML, sometimes superficially called “the Microsoft XUL,” is a
linchpin in Microsoft’s Longhorn strategy to eliminate the difference
between local application development and Web development. As a
technical development, the strategy intrigues Smirl, and he called it
the next big evolution in end-user computing after GUIs and the
Internet. However, many fear that if Microsoft succeeds in pushing
XAML out so that it becomes part of large numbers of Web pages, the
Internet will turn into a Microsoft walled garden–and that will be
the end of competition.

After Smirl explained why it was important to support the newest in 3D
hardware and software, a developer of Sun’s
Looking Glass
desktop interface and two developers from HP’s
Croquet
project showed what could be done with these capabilities.

Concerning Looking Glass, I’ll just say that once you view a demo and
take a step into this graphical interface, you won’t glance backward.

Croquet is both an advanced 3D interface and a networking
collaboration tool. Its motivation was explained on an impressively
deep level by developer David P. Reed, a pioneer in TCP/IP who is
well-known for co-authoring a
paper
on the “end-to-end” concept in networking. Reed said that current
applications were still being written for the lowest common
denominator in network bandwidth, but that it was time to write for
cable modems or better.

That said, Croquet requires only a few tens of kilobits in bandwidth
most of the time to achieve real-time collaboration with richly
textured 3D objects. It achieves this efficiency partly through
classic P2P processing, letting each system do rendering and any other
possible calculations on its own. Large, short bursts of bandwidth are
required for occasional complex messages, such as the creation of new
objects. Since a quickly emerging new generation of PDAs will have 3D
acceleration, environments such as Croquet could become widespread.

The X Developer’s Conference overall was a very pleasant, serious,
working event with about thirty attendees. It was organized by X
founder Jim Gettys and held at a gorgeous location at Hewlett Packard,
his current employer, on the top floors of a building in East
Cambridge. Somehow it seems appropriate to have beautiful views right
outside the hall when you’re discussing graphics. It was also an honor
to be just one block from MIT, where X–along with Kerberos and so
many other worthy free software technologies–was invented. Some of us
also remember that the conference is two blocks from the offices of
the Open Software Foundation, the distributors of the Motif toolkit
that at one time was considered the cat’s meow for X
development. (Yes, it really was.)

What will make X ready for the modern graphical era?

brian d foy

Related link: http://www.ss.ca.gov/executive/press_releases/2004/04_030.pdf

Yesterday, California Secretary of State Kevin Shelley banned the Diebold TSx touch-screen voting system, citing an April 20th report by his office that details abuse and fraud by Diebold. “We will not tolerate the deceitful conduct of Diebold.”

This is not the first time that Diebold has had problems, either. The Department of Budget and Management of the Office of Information Technology for the State of Maryland said in Risk Assessment Report: Diebold AccuVote-TS Voting System and Processes (Sept 2, 2003):


This Risk Assessment has identified several high-risk vulnerabilities in the implementation of the managerial, operational, and technical controls for AccuVote-TS voting system.

That is pretty damning. They identified vulnerabilities not just in software, but in managerial and operational controls.

Avi Rubin, et alia, discuss the technical problems with Diebold in their Analysis of an Electronic Voting System, due in May’s IEEE Symposium on Security and Privacy.

Last year, This American Life aired a story by Jack Hitt that showed how easily one could rig a Diebold machine.

Diebold’s problems go back further than that even. You can find plenty of digital ink about Diebold screwing up the Florida vote count for the 2000 presidential race, and Florida still uses Diebold in Volusia county, among others.

I have two words for this: “open source”. If the government uses software, it should get the source, and in most cases, the people should get to see it. That does not mean that we get a license to use it—just to look at it. Words like “fraud” or “deceit” do not apply when we can inspect the source ourselves.

In the end, our elections should not be a commercial activity, and we should demand something more than just competition in the marketplace to decide what we are going to use. How many states have to connect their election debacles to Diebold before someone goes to jail?

brian d foy

I want to buy a new PowerBook. This one will be the fifth PowerBook I have bought, and I still have two of them, only because I passed on the others to computerless friends. Old Macs never die, they just become servers or fancy hard drives.

I never research these purchases. I just buy the one in the middle, and take whatever features it has. What am I going to do, buy a Dell or a Gateway? Yeah, right. I did buy a Vaio once, when Vaio meant “really, really small”, and I put FreeBSD and an AppleShare thingy on it, so it looks like a Mac to the network. Nope, I just buy PowerBooks now.

Let’s pretend, however, that I was not only going to buy a PowerBook, but that I was in the market to shop for a PowerBook, meaning that I actually might say no, or choose something else, or just not buy anything. What would I want? While I was running along the Detroit River yesterday, I started to make a list.

Now, I know that the PowerBook I am going to buy already has a lot of features that I would look for, like a DVD Burner, BlueTooth, 802.11g, and so on. Not counting those things that I expect in a PowerBook, what else would I want?

Some of this might already be on the new PowerBooks. I thought about checking, but then thought I would be cheating for this little intellectual exercise by letting the Apple marketeers put thoughts into my head.

  • Multiple Hard Drives - Not removable drives or external drives, but more than one inside the case. I want my system stuff separate from my user stuff so they do not have to compete for the read head on the disk.
  • RAID - If we can do multiple drives inside, let’s do RAID! XServes do not count. I want this in my PowerBook.
  • A sliding door - I have one of those models with the flap in the back that rotates down to expose all the ports. I like the idea of hiding that stuff (although it did not do anything to keep desert dust out), but what about a sliding, flexible door thing where the door coiled from a spool or slid along the interior of the case? Okay, that is dumb, but I thought about it.
  • Detachable screen - I saw this laptop that an insurance assessor had. The screen was attached to the laptop by two arms that attached to the middle of the screen’s edge, allowing it to rotate. He turned it completely around then closed it again so the screen was facing out. Cooler yet, it was a touch screen! I know Microsoft has a tablet PC thing, but I am talking about just the screen.
  • Stretchable screens - talking about screens, do you remember those movie projector screens from grade school? You had to pull them down just right for the clutch thing to engage, or the screen would violently roll itself up? I want an updated version of that, but for my PowerBook. Forget about 12, 15, or 17 inches. I could extend this flexible panel up, down, or sideways to create a custom screen size appropriate for the situation. At home I have it in cinerama mode, on the plane in 17 inch mode (just to show off), and for the World Series, I add a TV tuner and stretch the screen to 15 foot mode.
  • Wireless Power - after they discovered radio waves, they completely gave up on this. I would even settle for a really small nuclear reactor inside the case, as long as I could get 3 years out of my battery. I already have to put a magazine between my lap and the Powerbook, so why not a lead blanket?
  • External display - You know those little displays on the outside of some flip phones? I want one of those for my PowerBook. I would display WiFi signal strength, battery life, and the number of email in my inbox. That way I do not have to do anything to figure out if I have anything to do. I do not have to open my PowerBook if it is not worth it.
  • Cellular Phone Jammer - just like they had in Mission: Impossible (the movie). Turn my PowerBook into a forced cellular free zone. This would probably be illegal, but so is a lot of music downloading and I hear kids still like that a lot, and it would be really handy right now in this hotel restaurant.
  • Flash card reader - I still want a BlueTooth camera, but until then, how about a flash card reader on the side of the PowerBook? Apple can take away my PCI slot if they like, but then I expect two flash card readers. Sure, I could hook up my camera with a USB cable, but then I have to remember where I put the cable, which I have not seen in months.
  • Manual CD eject button - whatever happened to those? The paperclip used to be a Mac toolbox requirement. When I say to “eject the CD”, I mean “eject it now!”, not when the operating system gets around to it (which can take a while if your CD reader is horked, or the disk is bad).
  • Pneumatic pads - pump these up to bring the Powerbook a comfortable height off the desk, or pump up only one of them to make the PowerBook sit level on an uneven surface.
  • Sound input - whatever happened to sound input? Sure, I have a Belkin iMic, and I am getting an Mbox, but what happened?
  • Track lighting - I know the latest keyboards light up, and I am really looking forward to that, but I would like tiny lights embedded on the top edge of the screen. These lights would light up the immediate area of the laptop, and reduce eyestrain from looking at the bright screen in the dark (at least I think so).
  • MP3 Player - I cannot use my PowerBook when it is closed, so I need to use my iPod to listen to music while I am walking around. What if I could have a cable like some of the new MP3 players have, with a mini-display? I hook this into the PowerBook, which I stow under the seat in front of me. The PowerBook is put away, but I am still listening to tunes without having to carry around another hard drive.
  • Carrying handle - my wife’s clamshell iBook has one of these, and it is pretty nifty. I am always worried about crushing the screen of my TiBook when I pick it up.

I could probably come up with more things, but I did not run that far.

What do you want on your PowerBook?
