December 2005 Archives

Jeremy Jones

Related link: http://www.microsoft.com/downloads/details.aspx?FamilyID=94082d26-e689-4f7f-859b…

IronPython is a .NET implementation of Python, created by Jim Hugunin who is currently working for Microsoft. Jim didn’t specify a date when to expect 1.0 final, but he did mention that he’d prefer to keep it under 10 beta releases. As always, I’m happy to see the continued emphasis of CPython compatibility with this project. Microsoft takes a continual beating for “not playing nicely with others”, but I haven’t seen anything with the IronPython project that would lend itself to such criticism. I haven’t had a chance to install 1.0 yet. Maybe I’ll get to that next year…. :-)

Related link: http://www.perl.org/

A year is a surprisingly long and short time in the life of a software project. It may go by quickly, but when you review what actually happened, you may find that many things happened.

The theme for Perl in 2005 is one of rebirth. Several projects that looked dormant started again — not just technical, but social. While Perl may have entered the year a little slowly, it’s leaving 2005 much stronger.

Stable Releases

Perl 5.8.x pumpking Nicholas Clark announced last year that he intended to change the quarterly stable release schedule to once every four months. Unfortunately, real life intervened. Fortunately, his excellent work in making the 5.8.x series stable and usable continues. He released Perl 5.8.7 at the end of May. Few people have tested release candidates for future releases with their code or their modules — feedback is very important.

Hopefully next year will see more regular releases.

Despite the fact that stable releases bring bugfixes, newer versions of the core modules, and, as always, ever-improving test coverage, some businesses still stick with Perl versions that have gone unmaintained this millennium. Perl 5.004 is ancient, Perl 5.005 is old, and Perl 5.6.1 is creaky. If you’re deploying a new installation of Perl, please consider the latest stable 5.8.x release, or if you really need old software, at least Perl 5.6.2.

Upcoming Releases

Perl 5.10 pumpking Hugo van der Sanden, perhaps the kindest man in Perl, passed on the full pumpking to Rafael Garcia-Suarez, another candidate for the title of “the kindest man in Perl”. Unfortunately, this means that Hugo is unlikely to tackle the proposed and much-anticipated rewrite of the regular expression engine.

Perl 5.10 will be impressive, though. Proposed new features include:

  • the defined-or operator, ported from Perl 6
  • a smaller memory footprint, with much slimmer internal data structures
  • an improved Switch module with smart matching and no source filtering
  • assertions
  • a lexical $_
  • variable names in uninitialized value warnings
  • a new pragma, feature, which allows you to use features from Perl 6
  • more tests
  • updated core modules
  • continual improvements to the internals, thanks to Ponie
  • regexp trie optimizations (especially thanks to Yves Orton)
  • a somewhat cleaner and safer API (thanks to Andy Lester and cleanup patches)

New features planned for inclusion are:

  • integrated Module::Build (and perhaps CPANPLUS)
  • proper lexical pragmas
  • state variables, as found in Perl 6

There’s no timetable yet on the 5.10 release, but there’s a sense that it’s getting close to the time to think about such things. Pumpking Rafael Garcia-Suarez plans to release the 5.9.3 development version just after the start of the year.

Notable Modules

Adam Kennedy continued the Australian domination of the weird on the CPAN, releasing PPI 1.0 — an independent Perl parser that can parse Perl without running it. PPI makes a lot of things possible — better IDE integration, refactoring, automated style guides, et cetera. Still, only perl can parse every Perl file, especially when you get into areas where the other crazy Australian hacker has been.

Which other crazy Australian hacker? Damian Conway. He did not rest this year either. In conjunction with the release of his new book, Perl Best Practices, he released several modules to help you write code well. One of the most interesting is Class::Std, which itself touched off a few debates on Perl Monks about the use, abuse, value, and implementation of inside-out objects. Though Class::Std itself may not be the ultimate and final way to write clean, maintainable, and performant OO code in Perl 5, it does show why Damian’s a master Perl hacker. Would you have considered inside-out objects if he hadn’t written it?

The web world has seen some work too. Simon Cozens’s Maypole has new maintainership and new evolution. The spinoff project Catalyst has a lot of activity, excitement, and open job requests. Of course, CGI::Application is still vital and valuable, and Randal Schwartz’s CGI::Prototype takes a new approach.

There’s no standout Ruby on Rails killer yet, as much as Catalyst would like to claim that title. Perhaps the Jifty project from Jesse Vincent and Best Practical will be the right blend of database magic, cleanliness, and intelligent defaults. Certainly its use of continuations is very compelling.

Curtis “Ovid” Poe’s Class::Trait is also compelling, bringing the designish goodness of Perl 6 roles to Perl 5 in a very Perl 5 way.

The venerable object-relational mapper Class::DBI has some healthy competition in the form of DBIx::Class and Rose::DB::Object. The Class::DBI::Sweet extension is a worthwhile complement. Tangram is still around too… and Jifty::DBI might possibly make Rails’s ActiveRecord look verbose and clunky, at least when it gets a little more documentation.

Perl 6

2005 was yet another year for Perl 6. “When will it be out?” you ask. “Sooner, if you help” the designers and implementers and true believers still answer. After struggling for a few months, sooner really is, well, sooner.

Allison Randal, president of the Perl Foundation and project manager of Perl 6, stepped back from both positions to devote more time to coding. Jesse Vincent replaced her as the day-to-day project manager of Perl 6 and now spends his time attempting to elicit progress reports from developers and asking both “What’s blocking you?” and “Are you having fun?”

So far, it’s working ever better.

Parrot Reborn

Parrot hit a low point late last year, with several unanswered design decisions, a lack of direction, and arguments on the list replacing actual working code. Citing a lack of motivation and time, longtime designer Dan Sugalski stepped down and Perl 5.004 pumpking emeritus Chip Salzenberg surprised many people by volunteering as a replacement.

Though Chip has spent several months fighting a persistent (and, in the opinion of your editor, unfair) legal battle (see GeeksUnite), he’s also reviewed several pending design decisions and started to meet the mini-milestones on the way to completing Parrot’s design and implementation. For example, calling conventions have improved (yet again, but this time they fixed the sticky continuation issue) and the lexical implementation works.

Thanks and well-wishes go to Dan for several years of tireless and often thankless work. Thanks and well-wishes also go to Chip and Parrot Pumpking Leo Toetsch for their existing service and in anticipation of even more good work.

In semi-related news, the Dutch foundation NLnet generously sponsored two milestones of Parrot development, enabling both Chip and Leo to devote paid time to the project. These two milestones include nine critical subsystems. The developers finished two in 2005, leaving seven to go. (Thanks to Mark Overmeer for corrections here.)

Pugs

No one could have known at this point last year that a working Perl 6 prototype implementation was only a couple of months away, for various “in one sense or another” definitions of the word “working”. The Taiwanese world-traveler Audrey “Autrijus” Tang sparked a near-revolution in two ways. First, by making actual Perl 6 code run with a few weeks of hacking and second, by demonstrating a guided near-anarchy development style that brought new energy, new questions and ideas, and, more importantly, new contributors to the Perl 6 development process.

You may have thought that Perl 6 would only run atop Parrot, but would you believe that it may run on JavaScript, Java, and even Perl 5? Back in February 2005, who could have guessed that you can embed both Parrot and Perl 5 in Pugs, so as to run existing CPAN modules with Perl 6 code?

The project has been exceedingly liberal in granting commit bits (to the point of answering all bug reports and feature requests not with “patches welcome” but “if you check in a test, someone will add the feature”), even to the point of offering commit bits to Python designer Guido van Rossum (who kindly declined).

The roaring velocity of Pugs did slow somewhat after the normal conference season, but lately work has started again on the infrastructural features necessary not only to produce Parrot-compatible code but to support all of the amazingly powerful but conceptually complex features of the Perl 6 object system. Oh, and it looks very likely that the Pugs solution to connecting to Parrot will help the rest of the Parrot and Perl 6 compiler tools evolve and grow too.

Synopses

In the beginning, there were Perl 6 mailing lists and Requests For Comments. Then Larry began synthesizing and producing long, weighty Apocalypses. Damian followed, extracting the practical wisdom from the Apocalypses to produce practical code examples in Exegeses.

When it’s too much work to build thirty pretty great pyramids to show how to build a Really Great Pyramid, pass around blueprints instead.

Now the Apocalypses and Exegeses have become historical curiosities (for various comedic misspellings of the word “hysterical”). The Perl 6 Synopses are the new Apocalypses, except shorter, more accurate, and more up to date. (Pity the poor Perl.com editor who tries to keep Larry’s hundreds of thousands of words current. That’s a hypothetical editor, by the way, because the one you have now just doesn’t.)

Fortunately for mere mortals who lack Larry’s and Damian’s metaphysical ability to hoist great blocks of metaphorical sandstone into place during the Nile delta’s dry season, the Synopses are also easier to read and digest.

PGE

Patrick Michaud, Perl 6 pumpking, released the Parrot Grammar Engine early this year. This is (now) a set of Parrot libraries implementing rules (as described in Apocalypse, Exegesis, and Synopsis 5). PGE not only provides regular expression support to all languages hosted on Parrot but it forms the basis of the grammar engine used to build Perl 6.

This has led to small cleanups in Parrot, namely removing the experimental and long underused regular expression operations.

Patrick’s first cut at the grammar engine was a prototype written in C. The current version is a port of that to PIR, the “native language” of Parrot as far as Parrot has a native language that you might actually use to write programs. Perhaps it’s a compliment to the design of PIR that Patrick considers this version more maintainable and cleaner than his prototype.

Of course, PIR is an object oriented assembly language with higher-order functions and aggregate data structures.

The next step in the process is a shift-reduce parser. As of the last report, Patrick’s code can parse Perl 6 expressions. That leaves the rest of the compiler tool suite to transform the parse tree into code that Parrot (or any other compatible backend) can execute.

A Compiler Roadmap

Speaking of the compiler tools, Allison Randal published her ideas on how to build the full compiler suite for Perl 6 while making the same tools available to any other language hosted on Parrot. In particular, the approach seems to be to perform a series of tree transformations (see “attribute grammars”) to turn the output from PGE and the language parser into syntax trees which various tools can analyze, annotate, optimize, and translate into Parrot’s AST input format.

Allison’s Punie project (which bears some relation to a failed project your editor started a couple of years ago) has succeeded in running a subset of Perl 1 code (you read that correctly) through the entire compiler suite. Perl 1 now runs on Parrot and passes a few tests. At least, part of Perl 1 does, with more on the way.

Though that sounds frivolous, Perl 1 is a real language, if somewhat simpler than Perl 6. If Parrot and the compiler tools work to run Perl 1 programs (and its test suite), it validates the design decisions for the process. It’s also a small project with no particular pressure to succeed on its own merits, the nice poetic joy of working aside.

Miscellaneous

Larry recently revealed that he has almost completed a Perl 5 to Perl 5 translator. That may seem flippant and silly until you realize that he’s modified the Perl 5.9.2 parser and lexer to save all of the information — including whitespace and comments — it normally throws away. He can reconstruct the original Perl 5 program from an annotated parse tree.

If he can emit working Perl 5 code, he can emit working Perl 6 code.

It may not be perfect (the latest estimate is that it handles 97% of the core Perl code correctly), but even if it only works for 95% of your code, that’s still 95% of your code you don’t have to translate by hand.

Audrey Tang and Ingy döt Net (you thought your editor had an odd name) might have a similar project up their collective sleeves, too.

Nicholas Clark, wearer of many hats, officially retired as the Ponie pumpking. He and Jesse Vincent have put out a call for a new Ponie pumpking to work with Nicholas to continue porting Perl 5.10-to-be to Parrot.

Social

There’s little point in participating in the Perl community without a community. There may be code out there, but unless people can work together, the code isn’t as useful or as well-used as it could be. Fortunately, 2005 was a good year.

Revamping TPF

The Perl Foundation doesn’t lead the Perl community. Its mission is to help things happen when it can, whether by organizing events and donations or to find the right people to fund for projects.

One common concern in recent years has been that TPF seems awfully quiet, apart from issuing a press release about Perl 6 once in a while. This illustrates a sort of truism in open source development. Ideas are cheap. Implementors are worth their weight in gold. After several years of overworking the same volunteers, TPF has recruited new volunteers and harnessed their energy and ideas to revamp the group.

In particular, Bill Odom (the man who knows practically everyone) is now the new TPF president. Jim Brandt, the primary organizer of 2004’s successful YAPC::NA in Buffalo, is the new chairman of the YAPC committee. Andy Lester is in charge of PR and grant manager Curtis “Ovid” Poe is now the head of the Grants Committee. Richard Dice, who led the organization of this year’s YAPC::NA in Toronto, replaced Bill Odom as the chairman of the steering committee.

That doesn’t mean that everything TPF could possibly do has someone ready, willing, and able to do it — if you’d like to make the Perl community a little better and have the time and energy and commitment to make it so, TPF could use your help!

TPF also launched The Perl Foundation group weblog for its volunteers to communicate with the broader Perl community about what the Foundation is doing, how it’s doing it, and why.

Google’s Summer of Code

Does anyone remember an Internet before Google? Even if you do, the 800-exabyte gorilla doled out a cool couple of million dollars to sponsor college and graduate students to increase the amount and quality of open source code in the world. Perl had eight projects participating this year.

Leon Brocard kept an eye on all of the projects and posted interviews with each Summer of Code Perl grant recipient.

TPF Grants

In addition to Adam Kennedy’s PPI project mentioned earlier, TPF funded Ivan Tubert-Brohman to build AnnoCPAN. Ivan’s site mirrors the documentation of CPAN modules while allowing users to annotate sections that are confusing or unclear, or to add additional notes where possible. Novices often compare Perl’s documentation to that of PHP.net; this is one place to improve and surpass that example.

Ivan launched AnnoCPAN just before YAPC::NA in Toronto. With all of the spare time and goodwill he earned, he immediately set to work making the Perl documentation better indexable.

A Conference for All Seasons

Several YAPCs took place this year, including those in Toronto, Israel, Portugal, and somewhere in Asia. There were also hackathons all over the globe (wherever Audrey Tang is, there’s a hackathon), workshops, weekends, and various Perl monger meetings.

Miscellaneous

The Perl 5 list summaries restarted.

The Perl 6 list summaries did not stop, so they did not restart.

Everything Else That Didn’t Fit Into a Parallel Top-Level Heading

CPAN celebrated its 10th anniversary. Take that, pretty much every other language. See you on Parrot.

Did I miss something? Do you want to try prognosticating? What was significant to you? Let us all know right here.

Andy Oram

Related link: http://acmqueue.com/modules.php?name=Content&pa=showpage&pid=346

It’s too easy for determined minorities, acting outside the social
pale, to ruin things for the rest of us. Several neighborhoods in
Boston, for instance, are struggling to contain gang activity that
took 75 lives this past year. How can a community preserve itself when
it has no control over a small number of disrupters?

Unsolicited bulk email is a comparable situation: most of us want to
reach other people with email messages of mutual benefit, but we’re
overwhelmed by those misusing the system.

The solution is to act together, which software and Internet
connections allow us to do.

Filtering gets a boost from a reputation system developed originally
as an open-source tool (Razor) and then as a commercial product called
Cloudmark. (The desktop version is available only for Windows, but
the server and gateway versions support Linux and Solaris too.)

The concept behind the system is simple enough: if several other
people think something is spam, you probably feel the same way. A
worldwide coordination system works much better than millions of
individuals trying to flag spam on their own.

The key to the reputation system–as to any reputation system–is
bootstrapping. You need good data to start with. In this case,
Cloudmark has signed up a few trusted individuals to put the first
ratings in place. As they continue doing ratings and other people sign
up, the system monitors itself. If any spammer decides to throw in
false ratings, he is quickly isolated and demoted so that he has no
effect on further ratings. This is a clever combination of manual,
human intervention and automated support.
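
The bootstrapping and self-monitoring described above can be sketched as a trust-weighted vote. This is an added example, not part of the original post and not Cloudmark's or Razor's actual algorithm: the trust values, thresholds, exact-match fingerprint and rater names are all assumptions chosen for illustration.

```python
import hashlib
from collections import defaultdict

# All constants below are assumed values for this sketch.
SEED_TRUST = 1.0       # hand-picked raters who bootstrap the system
NEWCOMER_TRUST = 0.1   # anyone who signs up later starts near the bottom
MIN_WEIGHT = 1.0       # total trust required before any verdict is issued
SPAM_THRESHOLD = 0.5   # trust-weighted share of "spam" votes needed


def fingerprint(body):
    """Exact digest of a case/whitespace-normalised body (a simplification;
    a real filter needs signatures that survive small mutations)."""
    return hashlib.sha256(" ".join(body.lower().split()).encode()).hexdigest()


class ReputationFilter:
    def __init__(self, seed_raters):
        self.trust = {r: SEED_TRUST for r in seed_raters}
        self.votes = defaultdict(dict)   # fingerprint -> {rater: said_spam}
        self.settled = set()             # fingerprints already used for feedback

    def report(self, rater, body, said_spam):
        self.trust.setdefault(rater, NEWCOMER_TRUST)
        self.votes[fingerprint(body)][rater] = said_spam

    def score(self, body):
        """Trust-weighted share of spam votes, or None without enough trust."""
        votes = self.votes.get(fingerprint(body), {})
        total = sum(self.trust[r] for r in votes)
        if total < MIN_WEIGHT:
            return None
        spam = sum(self.trust[r] for r, said in votes.items() if said)
        return spam / total

    def is_spam(self, body):
        s = self.score(body)
        return s is not None and s >= SPAM_THRESHOLD

    def settle(self, body):
        """Self-monitoring step: raters who matched the verdict gain a little
        trust, raters who contradicted it lose most of theirs."""
        fp = fingerprint(body)
        s = self.score(body)
        if s is None or fp in self.settled:
            return
        verdict = s >= SPAM_THRESHOLD
        for rater, said in self.votes[fp].items():
            if said == verdict:
                self.trust[rater] = min(SEED_TRUST, self.trust[rater] + 0.1)
            else:
                self.trust[rater] *= 0.25
        self.settled.add(fp)


def run_constructed_scenario():
    """Constructed data: two seed raters, one honest newcomer, five accounts
    registered by a spammer to vote his own mail 'not spam'."""
    f = ReputationFilter(seed_raters=["alice", "bob"])
    puppets = [f"puppet{i}" for i in range(5)]
    first = "Cheap   PILLS, click here"
    second = "You have WON a prize"

    for rater in ("alice", "bob", "carol"):
        f.report(rater, first, True)
    for p in puppets:
        f.report(p, first, False)
    first_verdict = f.is_spam(first)   # seeds outweigh the false ratings
    f.settle(first)                    # false raters are demoted here

    for p in puppets:
        f.report(p, second, False)
    puppets_alone = f.score(second)    # demoted accounts cannot force a verdict
    f.report("alice", second, True)
    f.report("carol", second, True)

    return {
        "first_verdict": first_verdict,
        "puppets_alone": puppets_alone,
        "second_verdict": f.is_spam(second),
        "trust": dict(f.trust),
    }


if __name__ == "__main__":
    for key, value in run_constructed_scenario().items():
        print(key, value)
```

The design choice that carries the weight is the low starting trust: signing up many accounts buys a spammer very little until those accounts have a record of agreeing with raters who were already trusted.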

brian d foy

I’m sitting on Delta 1400 (Salt Lake City to San Jose) waiting for the boarding door to close, and I’m on the internet.

Yesterday I got a Kyocera KPC650 EVDO card from Verizon. Actually, I got the Audiovox PC5740, but when I got it home I discovered I couldn’t immediately use it with a Mac since the install CD didn’t have Mac support (and never claimed to, actually). I found instructions on modding Tiger to use the PC5740, and that works save for the step where I have to activate the card. Fellow Stonehenge trainer Tad McClellan booted his Linux laptop into Windows and we gave it a go, but it wanted the Windows install CD to get drivers. Thank god Mac OS X usually has the drivers I usually need already installed.

I took the PC5740 back to Verizon and exchanged it for the KPC650. The customer service guy asked me who sold me the much cheaper PC5740 because someone should have sold me the more expensive and better KPC650. Indeed, in my googling, everyone was saying the same thing: get the KPC650.

I could mod Tiger in the same way I did for the PC5740, but I ran into the same problem: I need a Windows machine to activate the card (if I want to use the Verizon software that came with the card).

Booster-Antenna.com has a Mac version of the VZAccess software to activate the card, install the right things, and manage the card while I use it. I had to pay another $75 for it, but that’s better than tracking down a networked Windows box with a PC card slot.

They’re closing the door so it’s time to go. :)

Ming Chow

Related link: http://www.siteadvisor.com/previewsignup

Technology is a big part of the security problem. Technology is very effective and efficient, and it gets the job done. However, the inner-workings of technology are rarely, if ever, revealed, to describe how it gets the job done. I asked many people the questions: “Do you know what happens to your credit card when you complete an order on Amazon.com?” or “Do you know what happens to your vote when you cast your vote electronically?” The response is usually: “I don’t know.”

Likewise, when you visit a website, you usually do not know what goes behind the scenes of that site. Is the intent of the website malicious? What are the downloads associated with the website? Is the website notorious for sending annoying e-mails to you? Does the site link to other questionable websites? It takes months and years to have a certain degree of trust for a website. But even then, you still do not have much knowledge of what really goes on behind the website, and disclosure is normally not very prominent.

There is a new web browser plugin that will alleviate many concerns. Meet SiteAdvisor. The SiteAdvisor plugin is currently in the beta-testing phase. The simple premise of the plugin is to identify whether a website is safe or unsafe. The plugin is available for Microsoft Internet Explorer, and Firefox (on all platforms as I tested). Once installed, it serves as a signal light on your browser. When you visit a safe site, the light is green. If you visit a questionable or malicious site, the light is red.

image

Above: The O’Reilly Network website is a safe site.

It also aids searching. There will be a green check icon on safe search results, and a red “X” icon on unsafe results. Try searching for file sharing in Google.

image

Above: Search results for “file sharing” in Google.

However, the plugin goes beyond identifying whether a site is safe or unsafe. You can also see the e-mails sent by the website, the downloads and executables associated with the website, and an analysis of links to other websites from the current site.

image

Above: E-mails and downloads associated with the O’Reilly Network website.

image

Above: Link analysis map for the O’Reilly Network website.

Websites can be looked at as black holes. Very rarely do you know what happens when you submit your e-mail address to the website: it may be used for more than just sending newsletters. When you download a piece of software from a website, you may be getting more than you ask, or don’t ask, for. SiteAdvisor is more than a good aid for web surfing. It aims to disclose information about websites through iterations of automated testing and user comments. Even their FAQ is very well written to disclose the changes to your operating system after the plugin is installed (e.g. registry changes). Awareness is still a persisting problem in information security. Informing users on how privacy can be violated, downloads that are malicious, and other annoyances before they happen goes a long way, and prevents fear and headaches.

Nitesh Dhanjani

Update: After giving some thought to one of the responses to this entry below, I have decided to take down the email thread between Jobs and myself. I have no way of knowing if Jobs would be OK with me posting the e-mail publicly, even though the contents of the e-mail didn’t contain anything private or sensitive.

That said, I’d like to turn this entry into a discussion of what people think of having to use Objective C to code Cocoa applications. Feel free to comment below. Here is my take on the subject: “Although I am a die-hard Apple and OSX fan, I’ve never cared for Objective-C much. As far as the development world is concerned, it is my opinion that Microsoft has done wonderful things with .NET, while Apple hasn’t churned out much innovation (not recently at least.) I’d like to see Apple developers gain more choice. With every iteration of OSX, there seems to be so much effort put into innovation of desktop components, but the development environment is age old. I use Objective C because I have to, while I use recent languages such as C# and ruby because I want to. Take a look at what Microsoft is doing with .NET: you can write your own .NET compiler - you just have to make sure it spits out the required IL code. It’s beautiful and elegant, and you aren’t locked onto one language. It’s managed, and therefore a bit more expensive, but unless you are writing real time code, it doesn’t matter today: it’s not _that_ slow for writing most desktop applications. In short, I’d love to see Apple investigate managed code, and perhaps help bind Cocoa with more interesting and fun languages.”

Update2 (12/27/2005): Thanks to those who commented below - most of the comments have been quite constructive and I’ve enjoyed reading them. I’d like to add the following notes to supplement my views:

1) I am not suggesting Apple carbon copy .NET and port it to the OSX as is. I am suggesting that Apple put in some resources to investigate the innovations and choices (C#, Python, etc can be used to spit out .NET assemblies. It is possible to write a compiler for .NET as long as they adhere to the IL specification - this is what I mean by more choice) offered by .NET and similarly offer its developers more choice. I am suggesting that Apple take a _lead_ with offering its developers new paradigms of creating applications. Feel free to comment on your like or dislike for .NET and compare C# to Objective-C if you must, but you’d have lost the gist of my argument.

2) I do not agree that .NET is ‘too slow’ or only useful for developing quick and dirty solutions. I have come across a _lot_ of good enterprise level implementations of applications coded in .NET. Please don’t attempt to convince me that .NET doesn’t work for enterprise level applications - I have seen otherwise.

3) I do not agree with the “If it’s not broke, don’t fix it” argument. This is an extremely dangerous argument. It limits progress and innovation. For example, Panther was a great iteration of OSX - why did Apple have to work towards Tiger? If one were to accept the “don’t fix it” argument, Apple shouldn’t have released Tiger, and Apple doesn’t need to release any more iterations of OSX. Everything seems ‘not broke’ with Tiger today, why bother? The answer: innovation. There has got to be a non-stop iteration of improvements. Apple hasn’t disappointed me with progress made towards OSX desktop components, and so I’d be happy to see a stronger push towards more choices and newer methods of development.

4) I do not agree with assertions along the lines of “Objective-C is the best. There is nothing better.” Language preference is a matter of _taste_, and this cannot be forced upon anyone. _You_ may like the Objective-C way of doing things, but _I_ prefer newer languages such as ruby and C#. I am suggesting Apple investigate and put in efforts towards giving people more choice. There is no doubt in my mind that more developers will be enticed into developing for the OSX platform if they had more choice. Also see 7)

5) I am not suggesting Apple abandon Objective-C. Clearly, it has a tremendous fan following.

6) I am aware, and I appreciate many community related efforts towards bridging Cocoa with other languages. However, many of these are incomplete, and I’d be delighted if Apple chose to sponsor similar efforts.

7) As with .NET in 1), my example of ruby is just that - an example. I am not insisting that Apple only bind languages such as ruby and C# to Cocoa because I happen to like them. I am suggesting that Apple take a look at how these languages are improving the lives of developers. For all I care, Apple could come up with a brand new language after drawing inspiration from recent innovations of ruby and the like.

8) I am not suggesting that Apple has made no progress in the past few months. For example, I am aware of new solutions such as Core Data and Core Image to name a few.

To sum it up: Apple has blown me away with its innovation with desktop components. For example, after having used Expose with hot-corners, I can’t imagine life without it. I’d like Apple to channel some energy towards giving its developers more choice of languages, and perhaps learn a thing or two from efforts such as the .NET environment and the ruby language.

Perhaps I should’ve posted the above with my original post, but I had no idea I was going to get Slashdotted. I’ve enjoyed most of the comments - but the amount of responses has been quite overwhelming. Much appreciated though!

Want to flame me for criticizing Objective-C? This is the place to do it!

Nitesh Dhanjani

For 3 years, I had the opportunity to work from home. I would travel to client locations as needed, and enjoyed the freedoms of a true and ideal consulting lifestyle. During this time, I felt I was most creative, for I had the energy to author two books, articles, and speak at information security conferences around the world. During that time, I felt I was a member of the ‘cafe environment’ Mark Morford describes in his article “Why Do You Work So Hard?”:

Call it “the cafe question.” Any given weekday you can stroll by any given coffee shop in the city and see dozens of people milling about, casually sipping and eating and reading and it’s freakin’ noon on a Tuesday and you’re like, wait, don’t these people work? Don’t they have jobs? They can’t all be students and trust-fund babies and cocktail waitresses and drummers in struggling rock bands who live at home with their moms.

Of course, they’re not. Not all of them, anyway. Some are creative types. Some are corporate rejects. Some are recovering cube slaves now dedicated full time to working on their paintings. Some are world travelers who left their well-paying gigs months ago to cruise around Vietnam on a motorcycle before returning to start an import-export business in rare hookahs. And we look at them and go, What is wrong with these people?

It’s a bitter duality: We scowl at those who decide to chuck it all and who choose to explore something radical and new and independent, something more attuned with their passions, even as we secretly envy them and even as our inner voices scream and applaud and throw confetti.

Our culture allows almost no room for creative breaks. There is little tolerance for seeking out a different kind of “work” that doesn’t somehow involve cubicles and widening butts and sour middle managers monitoring your e-mail and checking your Web site logs to see if you’ve wasted a precious 37 seconds of company time browsing [censored]…

These days, however, I am stuck with a routine 9 to 5 lifestyle. Add to that office politics, _ridiculous_ controls and procedures, the daily work commute routine - and I am left with no energy or the will to embark on anything creative. It does appear that the routine corporate environment does not suit me well, and I will have to negotiate some changes soon in order to revert back to my older lifestyle.

If you haven’t had a chance to read Mark’s article, I do recommend it highly. I will end this entry with the following quote from the column:

We are designed, weaned, trained from Day 1 to be productive members of society. And we are heavily guilted into believing that must involve some sort of droning repetitive pod-like dress-coded work for a larger corporate cause, a consumerist mechanism, a nice happy conglomerate.

Jeremy Jones

Related link: http://groups.google.com/group/comp.lang.python/browse_frm/thread/32dc95bd671542…

Alex Martelli stated on the thread:

I don’t think there was any official announcement, but it’s true — he
sits about 15 meters away from me;-).

I’m happy and excited for Guido. I’m interested to hear what exactly he’ll be working on over there and how this could impact Python. Maybe it’s my optimism kicking in, but I expect it will be positive for the community. I’m sure people can point to an incident here or there where Google has been questionable in its “don’t be evil” motto, but I believe that overall, they’re doing a good job of maintaining credibility.

Anyway, congrats, Guido!

Is Guido’s move to Google a good thing for Python? Share your thoughts.

brian d foy

I missed the last several episodes of Battlestar Galactica earlier this year. No big whoop. I often complained about the underwhelming story and lack of serious robot whup-assing. I figured the SciFi Channel would just show them over and over again. They didn’t. Oh well.

When iTunes announced TV show downloads, I didn’t pay attention to that too much either. I don’t like that much on TV, and not anything in iTunes. A week or so ago, they added Battlestar Galactica and last night I thought I finally had an excuse to check it out. If the SciFi Channel isn’t going to show them again, I might as well buy them. I bought the episodes I missed ($1.99 each) and caught up. I’m not sure it was worth the $6, but that’s how it goes. I’ll be ready for season three.

When I got home this morning, I noticed the red recording light on the TiVo. No big whoop. It happens. I kept noticing it all day though. Just what are you recording all day, roboTV?

It turns out the SciFi Channel played the entire second season of Battlestar Galactica today. I could have saved my $6. Curses!

Sid Steward

Related link: http://online.wsj.com/public/article/SB113435260241219853-o_bxQIb0Tesryll_Bt9fq7…

Gates has floated the idea of sharing ad revenue with search users, and Google has concurred. Sounds like an effective way to redistribute wealth without selling a darned thing. I wonder what advertisers would think?

This comes to us from the 12/12 Wall Street Journal:

“We’ll actually go to users and say instead of us keeping all that ad revenue, we’ll actually share some of it back with the user,” said Mr. Gates, according to a transcript supplied by Microsoft. “The user essentially will get paid, either money or free content or software things that they wouldn’t get if they didn’t use that search engine.”

Google replied:

“We’re always looking for ways to make our users’ search experience more satisfying, including paying users for searching with us,” Google said in a statement.

Here I was already worried about the misalignment of interests between advertisers and Google, et al. These new suggestions would turn that misalignment to almost 180 degrees.

As they mature, I believe that online ad services must work to improve their credibility with advertisers, not erode it. If I were an advertiser, I would want:

  • to see a strong, active policy against click fraud,
  • some transparency into the click cost mechanism, and
  • click audit features.

That is, some assurance I’m getting high quality clicks. Maybe even a transparent ‘click quality index’ that quantifies these factors (and adjusts click cost to suit). Paying users to read/click ads would draw the lowest quality ad clicks.



Skeptical advertisers might appreciate my own quid pro quo social ad service: LinkLike.

Related link: http://www.chrisdolan.net/talk/index.php/2005/11/14/private-regression-tests/

One of the nicest things about being an open source developer is that other free software developers often make good development tools. Chris Dolan’s recent weblog on Private Regression Tests shows how to use some of them to make the job of releasing high-quality software easier. No, this isn’t about distributing tests with your software. It’s about using the same testing tools you already know to use to automate all of the things you know you need to do.

What’s in your directory of private tests?

Jeremy Jones

Related link: http://groups.google.com/group/turbogears-announce/browse_frm/thread/b960a318531…

For anyone unaware of what TurboGears is, TurboGears is a Python web development framework which supports and encourages an MVC style of development. It is not so much a new project as it is the compilation of existing projects, namely, CherryPy, SQLObject, MochiKit, and Kid template.

I think this is really great news for TurboGears as well as Python in general. TurboGears is quickly gaining publicity and users because it is really easy to get stuff done. A book deal lends even more credibility to the project as well as a great entry point for new users. I think that showing users how easy it is to get work done with TurboGears implies ease of programming in Python for general computing tasks, so this is good all around. I look forward very much to getting this book on my shelf. Too bad they’re getting published by the “wrong” publisher :-)

If you haven’t checked out TurboGears and you do any sort of web development, you should really at least give it a glance.

Related link: http://www.oreilly.com/catalog/timemgmt

One of the books I edited this fall was Time Management for System Administrators by Tom Limoncelli. As a former sysadmin this book really spoke to me, which is exactly what Tom intended. What Tom probably didn’t intend was how often I found myself telling my wife how she (or I) should implement one of Tom’s time tips. Often in the middle of a discussion I would see a chance to impart some of Tom’s wisdom to her and I would say, “Well, you know what Tom would say…?” And then I would tell her one of his time tips.

You see, despite Tom’s best efforts to make this a book exclusively for system administrators, it can’t escape the fact that it has solid, sensible, and useful time management advice. (If this weren’t the case we never would have published it.) The copy-editor and production editor who worked on the book both found it very insightful, even though they don’t speak geek. My wife always nods when I give a time tip and comments, “That seems like a good idea.”

Probably none of these non-techies will heed Tom’s advice. I say this because time management involves at least two things. One is knowing what you ought to do. The second is doing it. How you get from one to two is by being motivated. And Tom’s book is not written to motivate anybody other than a sysadmin. And I think this is its strength. Instead of wasting pages talking about generic situations that can apply to anybody in an office environment, Tom speaks directly to the harassed, overworked, and underappreciated system administrator.

If this description of the book isn’t enough to motivate you, then you should know that in the life goals chapter Tom talks about how to date a porn star. I wanted to cut this out (I feared offending people) and so did the copy-editor, production editor, and my wife. Tom said no, and to trust him. He knows how to motivate a sysadmin.

Related link: http://www.lispniks.com/cl-gardeners/

I chided a few Lisp advocates in Why Lisp Still Hasn’t Won, so let me now praise the greater number of Lisp advocates who are participating in the Lisp Gardeners project to improve Common Lisp for novices and experts alike. Things look very good so far — it’s very heartening to see a real community form to address a few technical issues (and in the process, solve a few more difficult social ones). Keep up the good work!

What would make you consider (or go back to) Common Lisp?

Andy Oram

(Originally published in the
American Reporter.)

The Internet was the great noncommercial success story of our time.
Commissioned by the government, built on open-source software,
promulgated initially through research and academic facilities–the
Internet was the crowning example of a public good, a resource without
an owner, a self-regulating convocation of equals.

All that seems threatened now. This month, local phone companies
revealed a far-reaching change to Internet access. These companies,
who control the line into the Internet users’ homes (usually through
ADSL connections over traditional telephone wires) want to create
varying levels of service for Internet content of their choice.

They plan to reserve high-speed connections for content they serve up,
or that they accept from entertainment firms and other commercial
companies willing to pay. All other content (originating from sites
such as this one, the American Reporter) will receive poorer service.

And if the phone companies can do it, cable companies (the other major
providers of Internet service to end-users) could very well start
doing it too.

Those who hail the open Internet cringe at this initiative, which
exploits the Internet to build and market private, premium content.
But this is by no means the first time companies have tried to bend
technology to favor their services. In fact, it’s an old story.

As I’ll show in this article, companies have been trying to position
themselves at choke holds and manipulate the Internet since it became
commercialized in the early 1990s. Such shenanigans are simply an
exercise of market power. Up to now they have failed to change the
essential nature of the Internet. If they threaten to do so, opponents
can invoke regulatory power and antitrust law to fight them.

Case One: Walled gardens

Parallel to the Internet, in the 1980s and 1990s, grew several
commercial networks whose names are mostly part of computing history:
Prodigy, CompuServe, and the one that managed to beat the odds,
America Online. These sites offered email, forums, and special content
to their users; they were often termed “walled gardens” because they
existed only for paid subscribers, and because the companies used
their content in bidding wars to win users to their exclusive service.

There was one form of competition, though, that none of the commercial
companies could beat. That was the Internet, a completely uncontrolled
repository of every imaginable thing anybody wanted to put up in
digital form. During the mid-90s, the users of the commercial services
demanded access to Internet riches, and soon there was little interest
in the special, limited-access forums. The companies gambled that they
could use the Internet as a lure to keep users in the walled
gardens–and they lost the gamble.

The functions of Prodigy and the rest are now split into two types of
business, both of which are thriving. One side of the split is pure
connectivity, the other pure content.

Internet service providers (ISPs) offer end-users raw physical access
to the Internet. Meanwhile, portals–which are experiencing a
resurgence, and of which Yahoo! is the most successful–offer
high-quality content attractions such as news and discussion forums.

Both businesses are becoming concentrated in fewer and larger
corporations, which is typical for maturing markets. And as the phone
company announcement showed, some companies are trying once again to
combine these functions. We’ll see later in the article whether this
attempt to create a new choke hold can succeed.

Case Two: Peering and transit charges

The Internet grew because companies strung lines between their routers
and connected to each other. No connections, no Internet.

This principle, in fact, lies at the heart of the term “Internet.”
For a long time, computer administrators have been running networks
that cover a department, a building, or a small campus. Each network
can be an Ethernet, a wireless network, or some other local area
network technology. Whenever the administrator connects two of these
networks, it’s called an “internet” (small “i”).

The vision of connecting all these networks globally led to the
capital-I Internet. It was brought to fruition by the simplicity and
flexibility of the TCP/IP protocols (and, some say, government
requirements that these protocols be used for communications with
government agencies).

At first, ISPs carried each other’s traffic for free. How else could
they imagine doing it? If they put up any barriers to connection,
they’d slow the growth of the miraculous Internet that increased the
value all providers could offer to their users. Furthermore, the
effort and cost of counting traffic, working out pricing systems, and
collecting payment didn’t seem worth the extra revenues they might
bring. Because everybody was equal in these halcyon days, building
connections was called “peering” (as in the modern term Peer-to-Peer).

By the late 1990s, though, hard-headed bean counters had taken over,
and a major change ensued. The largest ISPs and backbone owners
announced they would peer only with companies who could provide
comparable service to them–other companies would have to pay.

What was considered comparable? Comparable companies had to have a
certain geographic spread, accept a certain volume of traffic, and
meet various other criteria for reliability and service.

A lot of small providers complained, but this change was economically
necessary. End-users paid for the connections to the ISPs, but who
would pay for the lines that stretched for thousands of miles across
continents and between continents, carrying the Internet from one
far-flung ISP to another? The large ISPs who owned these thick bundles
of optical fibers, known as backbones, needed to charge to cover both
their sunk costs and their maintenance.

According to Fred Goldstein, principal at ionary Consulting, “Major
backbone operators (Tier 1, as they are called) were a new market that
had to create itself from the early noncommercial Internet. Not only
was there no dominant player, it was a cut-throat business in which
huge operators went bankrupt. Transit charges helped make the wider
Internet possible.”

Still, a whiff of oligopoly hangs over the issue. The large backbone
companies gambled that they could maintain a common front and force
smaller companies to pay extra. And this gamble, unlike the earlier
gamble of the walled garden companies, succeeded.

At that time, people also worried that large ISPs would employ
technical measures to make service for users on the same ISP better
than service for users on different ISPs. Certain ways to transmit
streaming data (audio and video) work better if a single company has
control over the whole route. Therefore, an ISP might be able to
market a “quality of service” that requires users at both ends to sign
up with that ISP.

This has not yet happened, perhaps because the need was not felt by
users (Voice over IP works pretty well on the current Internet, while
few people do video teleconferencing), and perhaps because the market
did not emerge for social and business reasons. (See my article
A Nice Way to Get Network Quality of Service?)

The peering controversy mostly died down in the 1990s, but it can
still pop up. In October of this year, a controversy between two
providers–Level 3 and Cogent–burst into public view. Level 3 wanted
Cogent to start paying for its connection, and to show its muscle, cut
off the connection to Cogent for three days. Subsequently they signed
a new agreement. But people using each provider who were trying to
access each other’s email or web pages found out that peering and
transit is a living controversy. (Some commentators attribute the
dispute to other business conflicts as well.)

Ironically, back in 1998 it was Level 3 who complained that larger
companies were charging it instead of peering. What’s fair or unfair
looks different from the two ends of a cable.

The only policy argument over ISP transit currently lies in the
international realm. ISPs in North America and Europe impose transit
charges on smaller ISPs in regions of the world that came to the
Internet more recently.

This has been a major bone of contention in international
communications policy for years. It comes up repeatedly at meetings of
the International Telecommunications Union and at that well-publicized
United Nations body on Internet issues, the World Summit on the
Information Society (WSIS). In fact, WSIS participants consider
peering and transit arrangements more important than the issue that
grabbed the headlines in the U.S., that of domain names and ICANN. So
transit is now a digital divide issue.

But independent analysts back the backbone operators. They consider
peering and transit not as policy but purely as business, privately
negotiated and covered by non-disclosure agreements. Chris Savage,
head of the Telecom/Internet practice at the law firm Cole, Raywid
& Braverman, says, “To avoid transit charges, an Internet provider
has to bring to the table (a) a lot of users, and/or (b) a lot of
highly valued content. The providers in the underdeveloped countries,
at least historically, have had neither.”

So the worldwide Internet is not the seamless universality that
idealists like to talk about, but rigidly segmented. The cost of my
accessing a Web page in Brazil, or even some rural parts of the U.S.,
is greater than my cost of accessing a Web page in Menlo Park,
California. It is not I, however, who pays the difference (though I
may well pay in the form of noticing a longer time delay during the
download).

Transit charges led to increased costs for small ISPs in the U.S., but
these didn’t make much difference in their profitability. What killed
most of these ISPs was the cost and difficulty of a very different
kind of connection: those between small phone carriers and the
established local phone companies. The battle over the last mile had
begun.

Case Three: Last-mile legerdemain

Aside from the transit charge controversies, Internet backbones
present little to fight over. This is because they have ample
bandwidth for current needs, partly because of the over-optimistic
investments of the dot-com boom.

Trouble arises only in the wires that connect the backbones to
individual homes and businesses: the so-called “last mile.” This is
what our traffic passes over when we sign up with a local Internet
service provider.

Originally, an ISP was just a company with a connection to an Internet
backbone. Customers dialed up the ISP just like they dialed up a
friend, and the phone company treated the call the same way. In the
early days, ISPs were often Mom-and-Pop operations; a computer
programmer might offer service as an adjunct to managing his or her
own Internet connection.

But as new technologies with higher-speed access emerged, ISPs
realized they had to start acting like phone companies. Some formed
close relationships with small, upstart phone companies, while others
created their own companies that traversed the regulatory maze to
offer phone service. The upstarts ran their own lines, or more often
rented lines from the old Bell phone company, the incumbent.

Once incumbent phone companies woke up and realized Internet business
was big business–both because the upstarts were successful, and
because cable companies started offering the Internet over cable
modems–they started marketing their own service, and redoubled their
efforts to cut off the competitive phone companies. These could not
survive without connecting to the incumbents. Who would sign up for
phone service or Internet service from a small company, if that
service reached only customers of that company?

In a dozen ways, incumbents made it hard for competing phone companies
to connect. Their numbers dropped precipitously during the late 1990s;
few exist today.

Now the ISPs themselves are in the incumbents’ direct sights. When the
incumbents build new, high-speed lines, they no longer are forced by
regulation to lease or share them with competing ISPs.

As for cable TV companies, U.S. regulations have ruled out any
requirement for them to serve competing ISPs, although Canadian
regulators have taken the opposite tack. ISPs in Canada still need to
buy service from companies with which they are in natural competition.

So the open Internet–the Internet cited at the beginning of this
article as an exemplary achievement of noncommercialism–now ends,
ironically, in choke holds. Incumbent phone companies and cable TV
companies both hold considerable market power, enforced by regulation.
The incumbent phone companies are the children of the break-up of
AT&T, a regulated monopoly; they still face only minimal
competition. The cable TV companies get franchises from cities and
towns, and often enjoy the sole cable franchise in each community.

The incumbents and cable companies are gambling that they can
re-establish walled gardens; that they can leverage the Internet to
tie customers to their high-revenue offerings. Goldstein says, “It’s
no coincidence that the companies are rolling out these plans after
most of the alternative phone companies and ISPs have disappeared.” A
key part of their gamble is that users won’t find viable competition
to move to.

So do incumbents and cable companies now own the Internet?

With this background we are almost ready to tackle the historic (and
perhaps histrionic) question asked at the beginning of this article.

First, we have to recognize that the Internet access offered by
incumbents and cable companies to home users is notably different from
Internet access as it was understood originally. In the early days,
bandwidth was equal in both directions. A typical Internet site was an
institution owning file, mail, and news servers; it hosted content.

When sites hosting content pushed it down their fat pipes
(high-bandwidth lines) and home users downloaded it on their small
pipes (dial-up lines), the users experienced the notorious “World Wide
Wait.”

The next step up in Internet access was ADSL (from phone companies)
and cable modems (from cable companies). But both are asymmetric
(that’s the A in ADSL). This is part of their design.

The providers expect you to request a web page (a very small
transmission in the upstream direction, perhaps just a couple dozen
bytes) and use most of your bandwidth downstream (which can easily be
tens of thousands of bytes, if the page contains images or
animations). Bandwidth is divided up accordingly. The model of
Internet access, ensconced in current ADSL or cable lines, is a
consumer model.

Markets in tandem with technology can often overcome limitations. So
perhaps, despite being relegated to the status of a consumer, you are
merrily blogging, putting up photos, and even posting songs and videos
(legally, I presume) on the Web. Most individuals do these things by
forming some kind of relationship with a hub on the Internet that has
fat pipes, powerful services, and terabytes of disk space. The
individual remains a consumer, but can piggyback on a producer.

Meanwhile, this market fuels the growth of portals, mentioned
earlier. Two examples readily at hand are the popular site for posting
photos, Flickr, and the site for sharing favorite web sites,
del.icio.us. Both were acquired by Yahoo! this year.

Because of bandwidth restrictions, and the physical nature of the
cable as a medium shared by hundreds of users, the terms of service
published by most cable companies rule out servers and peer-to-peer
applications. Some place absolute limits on traffic usage.

We should not be surprised that a cable company’s idea of Internet
access differs from the original meaning of the term. Cable companies
have always existed to deliver canned content of their choice with
graduated prices. When they discovered the Internet, they set aside
one channel for Internet traffic; the Internet became an incentive to
sign up for cable service, as it served the Prodigies and CompuServes
of the 1980s.

In other words, the cable company leopard never changed its spots; it
just let a monkey hop on its back for a ride. The lifespan of the
monkey is up for debate.

Phone companies have been watching the premiums charged by cable
companies for decades; now they see their opportunity to do the

Phone companies are finally ramping up better connections. But the new
plans would dedicate the new fat pipes to commercial vendors who pay
to use them. Personal, small-business, and community-organization
Internet sites would be ghettoized onto the current aging wires. And
the promise of innovative applications such as video teleconferencing
would remain a pipe dream.

In fact, such a policy would actually reduce incentives to build
faster connections. The phone companies would be able to keep using
the old ADSL lines, just marking traffic by its origin and favoring
the highest bidder. The change would increase revenue without
improving service.

Goldstein says, “The incumbent phone companies want to apply a
‘message unit’ model to web sites, who must either pay up (‘800
model’) or become harder to reach (‘hobo class’). And perhaps they’ll
even block all access outside of the walled garden. This is what they
set up on mobile phones, whose data services were never regulated.”

The goal of favoring one type of content over another can be fulfilled
through a technology called differentiated service. This is not
something new, nor is it the result of oligopolistic conspiracy.
Research into this area has gone on for many years, and many Internet
tools support differentiated service.

Differentiated service lets administrators choose routes for data by
multiple criteria, and let through traffic between certain users while
holding up other traffic. The important criterion might be how fast a
single request gets to its destination, or how fast a heavy stream of
traffic gets through in the aggregate. Reliability and cost can also
be factors; each factor assumes a different way of handling traffic.

For a long time, the business goal behind much of this research was to
allow ISPs to provide different quality of service to different
customers, and to charge for the difference. The attempt has mostly
been a failure, as I mentioned earlier.

But differentiated service has a new lease on life, and it’s much more
closely targeted to users and content. Particular types of traffic
(identified, for instance, by port number) and particular sources and
destinations can be either favored or penalized.

The first suggestion that cable and phone companies could employ
differentiated service to prefer particular content came in 1999, when
Cisco Systems, the leading maker of Internet routing equipment,
introduced a router specifically marketed to these companies and
promising sophisticated ways to enforce preferential treatment.

Public interest groups such as Consumer Project on Technology jumped
on this development. They criticized Cisco, and by extension its
potential customers, heavily. But it’s hard to criticize a technology
developed, with support from standards, over many years with many
useful applications. It’s also hard to criticize companies for using
technology to direct consumers to their own content. That would be
asking the leopard to change its spots.

So now we can make a stab at predicting the outcome of the trend
toward creating new Internet haves and have-nots. The question should
be what constitutes an anti-competitive practice.

What forced the issue into public view is a bill in Congress that
would explicitly stop preferential treatment and mandate “neutrality”
in Internet service. The phone companies want this clause removed.

Historically, the Federal Communications Commission has tried to leave
the Internet unregulated, but at key moments it has often laid down
rules concerning the interactions between Internet services and the
larger communications environment that the FCC is responsible
for. Most recently, they fined a phone company for blocking a
Voice-over-IP provider; the phone company had clearly seen the
provider as a competitor and was using its position as a choke point
to curb that competition.

The FCC has freed incumbent phone companies, in one ruling after
another, from the need to support competitors. The trend in Congress
seems to approve. As mentioned before, cable companies have always had
that freedom in the United States. But discriminating in Internet
access may be a drastic change the FCC cannot stomach, a
bait-and-switch approach to offering Internet service–and Congress
may feel the same way.

Savage says, “It would not surprise me if, regarding Internet access,
the FCC will matter more over the next three to five years than it has
in the past. This is because the two kinds of entities that will now
be providing the overwhelming majority of consumer Internet access are
incumbent telephone companies and cable operators, which the FCC has
traditionally viewed as generally within its regulatory ambit.”

We should not sing a dirge over competition, either. Old competition
has been vanquished, but new forms poke their shoots up.

A second cable company offers competition in some areas. Cellular
phone companies (some owned by the incumbent phone companies and some
independent) are rolling out Internet services, although not very fast
in North America. And in rural areas many people connect to wireless
ISPs. Wireless is expected to become a more and more common solution
to the last mile. In some areas it may be offered by a powerful new
standard called WiMAX.

Municipalities are also getting into the act. The more games companies
play with access, the more pressure will grow in the public for their
municipal governments to provide alternatives. And while the phone
companies anticipated this movement and worked hard to pass laws in
many states to prohibit municipal networks (a Philadelphia case made a
particularly large news impact), more and more public officials and
experts are coming out in favor of them. In Philadelphia, with phone
company obstructionism exposed to public view, a compromise was
arranged.

I don’t think we need to panic over the two-tier Internet. Attempts to
monopolize the Internet have failed before, and there are many factors
in both the business and the legal frameworks to prevent it from
happening again. We will always experience tensions between business
models and the public good. But it’s clear that, around the world,
people want their Internet. Ultimately they’ll get it.

Chris Shiflett

Related link: http://shiflett.org/archive/176

The tutorial that Geoff Young and I gave at ApacheCon has sparked some discussion (mostly via email) that I think will lead to better testing tools for PHP developers. A PDF of our slides is now available:

Geoff also has some tarballs available that let you test a very simple PHP library (functions.inc) with Apache-Test, Simple-Test, PHPUnit, and phpt:

One of the tarballs demonstrates how to use the Simple-Test testing library within the Apache-Test testing framework. This is thanks to the work of Mike Lively, who has documented his work in his blog:

His most recent tarball contains everything you need to use these two tools together.

After we mentioned TAP (Test Anything Protocol) to Sebastian Bergmann, he added TAP support to PHPUnit. Now, at least conceptually, you can also use PHPUnit to write your tests. This gives PHP developers three choices for writing tests within the Apache-Test framework:

  • The bundled PHP port of Test::More
  • Simple-Test with the TAP Reporter
  • PHPUnit with the TAP Logger

We’ve also been discussing the various advantages and disadvantages of each tool as well as how we might be able to help make testing easier for PHP developers. One of the perspectives I’ve been highlighting is best stated by Matthew Weier O’Phinney in his blog:

I find writing the tests tedious. In Simple-Test, as in PHPUnit, you need to create a class that sets up the testing harness, and then you create a method for each test you wish to run, and so on. I found it incredibly time consuming.

I don’t think Matthew knew about Apache-Test’s Test::More library (it’s as simple and straightforward as phpt tests), but this illustrates one of the disadvantages of testing tools that require a lot of overhead - they raise the barrier of entry (and they don’t really fit in with the “PHP way” of solving problems as simply and directly as possible). This was one of the reasons why I ported Perl’s Test::More library to PHP - it’s very simple and doesn’t get in your way. It also works with many mature testing tools already available (such as Apache-Test), because it’s TAP-compliant.

Note: Sebastian says he’s working on adding phpt support to PHPUnit in an attempt to lower the barrier of entry.

On a related note, it looks like there will be a talk about this stuff at the 2006 PHP Quebec conference called Using Test::Harness to Test PHP Applications:

The Perl community has long had a very powerful unit-testing tool available: Test::Harness and friends. It uses what the Perl people call TAP - the Test Anything Protocol. I’ve used the Perl framework myself to verify correct behaviour in Perl modules and the Apache Web server. It came as a surprise to me that there was apparently no port of the technology to PHP, and so I’ve done some work toward correcting that. This session will include an introduction to the technology, a description of the implementation, and examples of how it can be used to test PHP applications.

Ken is a few years late to the party, but I think his interest highlights the usefulness of these tools. (He’s been notified that this work has already been done, so hopefully it can save him some wasted time.) With any luck, Ken will not only talk about the PHP port of Test::More but also the TAP support that is now available in Simple-Test and PHPUnit.

Do you test your PHP applications?

Jeremy Jones


The other night, we were getting ready for bed and I asked my wife where Justus’s (that’s my son) baby monitor was. If you’re a geek and don’t have children, your first thought will be, “so he was looking for a small CRT or LCD screen for his son?” No, no, no. It’s one of those things which allow you to listen in on what your children are doing, especially helpful when they start crying in the middle of the night so you can go check on them.

Well, my wife informed me with disappointment that Justus’s monitor, the receiving end of it anyway, had fallen into the dog’s water bowl during the day. She started fiddling with it to see if it was dried out enough to work. If it sounds like this isn’t the first time this has happened, you’re right. The only sound she could manage out of it was unbearable crackling. She made the comment that she wouldn’t be able to sleep now because she would be worrying about Justus crying and not be able to hear him.

So, what does a geek do? Improvise. I spent just a moment trying to figure out how I could get sound from his room to our room. Debra’s (that’s my wife) computer is in our bedroom and it has speakers. My laptop is (obviously) mobile, so I felt like I was making progress. But, how could I get sound from the laptop to Debra’s computer?

I didn’t even think about a messaging service like Yahoo or AOL. I thought of Asterisk, the open source PBX. I could call my laptop from Debra’s desktop using SIP phones. I have my laptop configured to use Asterisk as a SIP proxy. I could just call the proper extension on the Asterisk server from Debra’s SIP phone and it would forward to my laptop. And, yes, the thought occurred to me later that I could have done a direct SIP->SIP connection rather than SIP->PROXY->SIP, but, like I said, it was 11PM and I was getting tired.

I placed the call, plugged the microphone into the laptop to make sure I was getting sound on the desktop, placed the laptop just outside Justus’s room, placed the microphone on the rocking chair by his bed, and pointed it directly at his bed. The microphone has about a 6′ cord on it, so there was plenty of slack. I turned up Debra’s speakers full blast and shut off her email client so we wouldn’t get blasted out of bed if an email should arrive during the night.

Either my little innovation worked and he slept all night, or it didn’t work and he just cried himself back to sleep. I’m hoping it was the former. Oh, and in case you’re wondering, the monitor dried out enough by the next night so that I didn’t have to use my laptop again.

Have you ever resorted to a geeky solution for a desperate problem?

Andy Lester


Related link: http://www.perlfoundation.org/news/2005/sprintf_patch_released.html

The Perl community has released a fix to the sprintf function
that was recently discovered to have a buffer overflow in very specific
cases. All Perl users should consider updating immediately.

Dyad Security recently released
a security advisory
explaining how in certain cases, a carefully crafted format string
passed to sprintf can cause a buffer overflow. This buffer
overflow can then be used by an attacker to execute code on the machine.
This was discovered in the context of a design problem with the Webmin
administration package that allowed a malicious user to pass unchecked
data into sprintf. A related fix for Sys::Syslog
has already been released.

The Perl 5 Porters team have solved this sprintf overflow
problem, and have released a set of patches, specific to four different
versions of Perl.

While this specific patch fixes a buffer overflow, and thus prevents
malicious code execution, programmers must still be careful.
Patched or not, sprintf can still be used as the basis of a
denial-of-service attack. It will create huge, memory-eating blocks of
data if passed malicious format strings from an attacker. It’s best if
no unchecked data from outside sources get passed to sprintf,
either directly or through a function such as syslog.
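One way to act on that advice during code review is to find the call sites where the format argument is not a fixed literal. The sketch below is an added example, not code from the Perl Foundation or the advisory: it is a heuristic, line-based Python scanner, and the Perl snippet it scans is constructed for illustration. It only looks at sprintf and syslog, the two functions named above.

```python
import re

# Functions named in the announcement, with the position of their format
# argument: sprintf(FORMAT, ...) and Sys::Syslog's syslog(PRIORITY, FORMAT, ...).
FORMAT_ARG_INDEX = {"sprintf": 0, "syslog": 1}
CALL_RE = re.compile(r"\b(sprintf|syslog)\s*\(")


def split_args(text):
    """Split the text following a call's '(' into its top-level arguments."""
    args, current, depth, quote = [], [], 0, None
    i = 0
    while i < len(text):
        ch = text[i]
        if quote:                        # inside a quoted string
            current.append(ch)
            if ch == "\\" and i + 1 < len(text):
                i += 1
                current.append(text[i])  # keep the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            current.append(ch)
        elif ch in "([{":
            depth += 1
            current.append(ch)
        elif ch in ")]}":
            if depth == 0:               # the ')' that closes the call itself
                break
            depth -= 1
            current.append(ch)
        elif ch == "," and depth == 0:
            args.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    tail = "".join(current).strip()
    if tail:
        args.append(tail)
    return args


def classify_format(arg):
    """Return 'literal', 'interpolated' or 'dynamic' for a format argument."""
    if re.fullmatch(r"'(?:[^'\\]|\\.)*'", arg):
        return "literal"                 # single quotes never interpolate
    if re.fullmatch(r'"(?:[^"\\]|\\.)*"', arg):
        # An unescaped $name or @name inside double quotes is interpolated,
        # so outside data can end up inside the format string.
        if re.search(r"(?<!\\)[$@][\w{]", arg):
            return "interpolated"
        return "literal"
    return "dynamic"                     # variable, concatenation, call result


def scan_perl(source):
    """Return (line, function, kind, argument) for each non-literal format."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue                     # skip whole-line comments
        for match in CALL_RE.finditer(line):
            func = match.group(1)
            args = split_args(line[match.end():])
            index = FORMAT_ARG_INDEX[func]
            if len(args) > index:
                kind = classify_format(args[index])
                if kind != "literal":
                    findings.append((lineno, func, kind, args[index]))
    return findings


# Constructed Perl sample; lines 3, 5, 7 and 9 should be reported.
SAMPLE_PERL = r"""use Sys::Syslog;
my $user = $cgi->param('user');
syslog('info', "login failed for $user");
syslog('info', 'login failed for %s', $user);
my $msg = sprintf($template, $count);
my $pct = sprintf("%d%% done", $count);
my $line = sprintf($prefix . "%s", $name);
# syslog('info', $user);
syslog('err', $user);
"""

if __name__ == "__main__":
    for lineno, func, kind, arg in scan_perl(SAMPLE_PERL):
        print(f"line {lineno}: {func} format is {kind}: {arg}")
```

Line 4 of the sample shows the form the scanner accepts: a literal format with the outside data passed as a separate argument.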

For further information, or information about The Perl Foundation, please email
Andy Lester at pr at perlfoundation.org.

Nitesh Dhanjani


Google just released a new Firefox extension called “Safe Browsing for Firefox”. From the “Introduction” section of the plug-in website, here is what it does:

“Google Safe Browsing is an extension to Firefox that alerts you if a web page that you visit appears to be asking for your personal or financial information under false pretences. This type of attack, known as phishing or spoofing, is becoming more sophisticated, widespread and dangerous. That’s why it’s important to browse safely with Google Safe Browsing. By combining advanced algorithms with reports about misleading pages from a number of sources, Safe Browsing is often able to automatically warn you when you encounter a page that’s trying to trick you into disclosing personal information.”

Good enough. I clicked on the FAQ section of the web-site to learn how the extension works, and here is the explanation given:


“6. How does Google know a page is bogus?
We use several techniques to determine whether a page is genuine, including the use of a blacklist containing pages that have been identified as suspicious and/or misleading based on automated detection or user reports. Our software also examines pages’ content and structure in order to catch potentially misleading pages. Google Safe Browsing can’t offer perfect protection, so you should always be on the lookout for indications that a site isn’t what it appears to be. But Google Safe Browsing can help identify and protect you against many of the sites designed to trick users.”

Great – but what information does the extension send to Google? To find out, I intercepted the traffic between my Firefox browser and google.com. For every request you make, the extension invokes /safebrowsing/lookup on http://www.google.com. So, if you were to go to cnn.com with the extension enabled, here is the HTTP GET request that will be sent to http://www.google.com:


GET /safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client=navclient-auto-ape&q=http%3A%2F%2Fcnn.com%2F HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: [deleted]

Since http://cnn.com is a legitimate domain name, http://www.google.com/safebrowsing/lookup sends the following back:

HTTP/1.1 200 OK
Content-Type: text/plain
Server: TrustRank Frontend
Content-Length: 0
Date: Thu, 15 Dec 2005 10:16:55 GMT

And all is well. To test what happens when you do come across a ‘phishy’ website, I logged into my Yahoo! account and looked at one of the billion Paypal phishing emails I get everyday, and found the following URL: http://mail.teleline.hu/%20/https:/www.paypal.com/cgi-bin/webscr/update.html. This is obviously a phishing attempt, and sure enough, the Google extension caught it:

[Image: the extension’s warning for this page]

The following response was sent back by http://www.google.com/safebrowsing/lookup to the Firefox extension when I visited the above website:


HTTP/1.1 200 OK
Content-Type: text/plain
Server: TrustRank Frontend
Cache-Control: private, x-gzip-ok=""
Date: Thu, 15 Dec 2005 10:04:47 GMT
Content-Length: 11

phishy:1:1

So, in a nutshell, the extension looks for the phishy:1:1 response from http://www.google.com/safebrowsing/lookup and alerts the user.

Here are two things that bother me about this extension:

1) Every request is transmitted to Google over HTTP, i.e. in clear-text. This is not good. Here is why: Consider a web application that uses SSL to encrypt the session. If this web application were to submit private information about you via a GET request (i.e., in the URL, such as a credit card number), this will now be transmitted to http://www.google.com/safebrowsing/lookup in clear-text, allowing someone on your network segment, or any router in between yourself and google.com to sniff the information off the wire.

2) The extension sends the entire GET request to Google. If a web application were to send private information via GET parameters, this will now be transmitted to Google.

I am more worried about the issue #1. However, I do realize that web applications should be designed to use POST in order to send sensitive information, but the fact of the matter is that many web applications do not follow this guideline. Google’s extension makes this situation worse by transmitting this information over clear text (assuming the web application uses SSL). This extension is designed to help protect users from illegitimate resources, but the irony is that it has the potential to expose sensitive information about you when you visit legitimate resources!
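To check a proxy or packet capture for the two exposures described above, the lookup request line can be parsed and the visited URL recovered from its q parameter. The following Python sketch is an added example, not part of the original analysis or of the extension: the first request line is the one captured above, the second is constructed (shop.example and its parameters are placeholders), and it assumes the extension percent-encodes the whole visited URL, query string included, into q.

```python
from urllib.parse import parse_qs, parse_qsl, quote, urlsplit

LOOKUP_PATH = "/safebrowsing/lookup"


def audit_lookup(request_line, lookup_over_tls=False):
    """Describe what one lookup request discloses about the visited page.

    Returns None when the line is not a GET for the lookup endpoint.
    lookup_over_tls says how the lookup itself travelled; the capture in
    the article shows plain HTTP, hence the default.
    """
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "GET":
        return None
    target = urlsplit(parts[1])          # origin-form or absolute-form target
    if target.path != LOOKUP_PATH:
        return None
    q_values = parse_qs(target.query).get("q")
    if not q_values:
        return None
    visited_url = q_values[0]            # parse_qs has percent-decoded it
    visited = urlsplit(visited_url)
    names = [name for name, _ in
             parse_qsl(visited.query, keep_blank_values=True)]
    return {
        "visited_url": visited_url,
        "visited_scheme": visited.scheme,
        "visited_host": visited.hostname,
        # Issue 2: GET parameters of the visited page reach the lookup service.
        "disclosed_params": names,
        # Issue 1: a URL that was protected by SSL is repeated in clear text.
        "cleartext_exposure": visited.scheme == "https" and not lookup_over_tls,
    }


def audit_capture(request_lines):
    """Return the reports that show either exposure."""
    reports = []
    for line in request_lines:
        report = audit_lookup(line)
        if report and (report["disclosed_params"] or report["cleartext_exposure"]):
            reports.append(report)
    return reports


# Request line taken from the capture shown in the article.
PAGE_REQUEST = (
    "GET /safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank"
    "&client=navclient-auto-ape&q=http%3A%2F%2Fcnn.com%2F HTTP/1.1"
)

# Constructed example: an SSL page that carries form data in its URL.
CONSTRUCTED_URL = "https://shop.example/checkout?card=0000000000000000&exp=0109"
CONSTRUCTED_REQUEST = (
    "GET /safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank"
    "&client=navclient-auto-ape&q=" + quote(CONSTRUCTED_URL, safe="") + " HTTP/1.1"
)

if __name__ == "__main__":
    for report in audit_capture([PAGE_REQUEST, CONSTRUCTED_REQUEST]):
        print(report["visited_host"],
              "params:", ",".join(report["disclosed_params"]),
              "clear text:", report["cleartext_exposure"])
```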

So there you have it – my preliminary analysis of Google’s new Firefox extension.

Jeremy Jones


Related link: http://svn.python.org/view/python/trunk/Lib/xmlcore/etree/

From what I can tell from the flurry of discussion on python-dev, Fred Lundh has formally offered the ElementTree library for inclusion into the Python standard library. The Python-devers appear to have accepted his offer as the link above points to a spot in the Python SVN repository where ElementTree lives in the Python 2.5 branch. The discussion on python-dev appears to be mostly in favor of such inclusion. From this blog entry of Fred’s, it appears that cElementTree has also made it in as well. I didn’t see it in the Lib/xmlcore/etree directory, but I guess it would have to live somewhere else as it is a compiled module.

I find this news quite exciting. I’ve been enjoying ElementTree (and cElementTree) for a little while now, probably over a year. I don’t recall ever wondering, “Why isn’t this thing in the standard library?” although I should have. Practically every new environment that I set up receives the ElementTree libraries as a matter of course. ElementTree is elegant, Pythonic, and easy to handle. cElementTree is all those things, and blazingly fast, as well.

Excellent work, Fred. And if I might add it, congratulations. ElementTree is entirely worthy of inclusion in the standard library.

Jeremy Jones


Related link: http://www.turbogears.org/docs/devcasts.html

This screencast is obviously geared more toward folks interested in creating and contributing new widgets rather than using existing widgets. I’m digging in right now to see exactly how these things work. These guys never cease to impress me. I guess widgets is a first step to full-on CRUD.

Jeremy Jones


I recently wrote an article about my new laptop. In that article, I mentioned that suspend to RAM just doesn’t seem to work. I had seen this website before about Ubuntu on an Inspiron 9300 and tried the suggestions for getting suspend to work…to no avail. Recently, though, I tried it again and it worked. I don’t know what has changed, but suspend works for me now. I did revert back to the xorg ATI drivers rather than the ATI proprietary fglrx drivers, but I tried that before, so I guess the xorg ATI drivers were maybe updated.

Hibernate even appears to work without too much disruption to my system (meaning, networking seems to come back up nicely). The only piece of oddness is that after resuming from hibernate recently, a USB mouse that I plugged in after resuming failed to be recognized and work. I decided to see what happens if I tried the same thing from suspend to RAM and I’m getting the same misbehavior. I googled around for a minute and didn’t turn up anything, so I guess I’ll go over to the Ubuntu forums and see if anyone else has had the same trouble.

Anyway, it’s nice to see that suspend to RAM and hibernate are mostly working now for me.

Sid Steward


Related link: http://linklike.com

Some people enjoy whitewater rafting, hang gliding or gambling. I enjoy creating web applications. After I create them, however, I’m not sure how to promote them. Talking with friends who also blog and develop, I hatched this idea: a networking web site for folks who run web sites. Why? So they could exchange ads. Exchanging ads boosts the flow of unique visitors to both sites. LinkLike’s metered ad exchange makes sure this works for all parties.

Eyeball Economy

Eyeballs are a fundamental online currency which can be changed into cash pretty easily using AdSense or some such. So, many web sites try to maximize the number of eyeballs coming in and minimize the number of eyeballs going out (save via paid ads). ‘Want an ad on my site? Pay up.’ This is natural.

Metered Ad Exchange

What if I offered to pay for my ad on your site in eyeballs? That is the idea behind LinkLike’s metered ad exchange. I display your ad, you display my ad, and the LinkLike server makes sure the eyeball flow (click flow) is constant between our sites. If my ad starts soaking up too many eyeballs, then LinkLike simply stops showing my ad until yours catches up.

More Unique Visitors

This one-to-one eyeball flow might seem like a silly exercise since it doesn’t boost paid ad revenue. However, it will boost the number of unique visitors to your site. Some of them will come back, some will tell friends, some will subscribe. As your readership grows, your ad revenue will follow.

Beta

Please visit LinkLike and give it a try. It still has some kinks, I’m sure. Please contact me if you find any. LinkLike is a free service.




Kevin Bedell


Related link: http://rubyonrails.org/

Ruby on Rails, the fastest and easiest way to develop web-based applications, has now officially reached its 1.0 release!

The website has been updated and looks great. It should help anyone looking to sell ruby on rails development internally. It prominently shows off a few showcase production apps built on Rails.

For those who don’t know yet, Rails is a new platform for web application development that achieves a super level of productivity by providing an easy to use MVC framework based on Ruby. It embodies the ideas of ‘simplicity of design’ and ‘convention over configuration’.

If you’re willing to follow some default ways of designing your application (for example, defining the primary key of a database table as a column named “id”), then Rails can dramatically speed your development process.

A few of the reasons to check Rails out:

If you’ve been considering looking at Ruby on Rails, now’s the time to get off the fence. Begin by viewing one of the videos referred to above, then download and install Rails to get a quick look at why this new development platform is taking the web development community by storm.

Derek Sivers


NOTE TO SELF:

When “getting things done”, remember : people are not things.


Related link: http://reddit.com/blog/2005/12/on-lisp.html

The Y Combinator-funded reddit was originally a website built in Lisp. For this, the vocal online Lisp community praised it as a practical example of a successful Lisp project.

After a week’s worth of rewriting, reddit now uses Python. Cue storms and furies.

While the explanation given by the reddit developers is that they couldn’t find a good solid open source Lisp implementation that ran on their development and deployment platforms and supported all of the features they wanted, some Lisp advocates accused them of selling out to Venture Capitalists (why not J2EE then?), of being bad programmers (as if something had changed in a week), or of insufficient technical aptitude to do something as simple as resolving to do all development in a different operating system running an emulator for a foreign architecture or deploying to an untested commercial implementation for which the vendor expects ongoing royalties if the project succeeds.

Meanwhile, the developers now have an equivalent site written in a language for which there exists a single high-quality implementation across multiple platforms, for which there exist multiple libraries with documentation, and for which the user community online won’t rush to sacrifice you to a volcano if you don’t toe the dubious and ill-defined line of language purity.

(I suspect that anyone who says “Python is a lot like Lisp” in all apparent seriousness knows very little about either.)

The technical problems for Lisp in the case of reddit are solvable. Some of the posters in comp.lang.lisp realize that the lack of libraries that work well across multiple implementations holds back Lisp… as does the lack of complete features across multiple implementations and multiple platforms.
Still, I suspect they will go unsolved as long as the angry vocal online Lisp advocate community chases away potential allies. (See talk #10 from “Twelve Views of Mark Jason Dominus” — Why Lisp Will Never Win.) I almost wonder if half of the comments in the “on lisp” article came from people who want to see Lisp fail.

John McCarthy, save us from your followers!

Jonathan Bruce


Related link: http://blogs.datadirect.com/jonathan_bruce/2005/12/minding_your_ps.html

CROSS POST FROM: http://blogs.datadirect.com/jonathan_bruce/2005/12/minding_your_ps.html

On Friday, December 9th, the International Herald Tribune raised some critical points about the appropriate use of open source software, a question that grows ever more pressing as open source continues to go mainstream. Open source compliance continues to be a difficult issue, often compounded by the large and varied range of licenses that govern the use of the software, which may come with the kind of strings attached that you may not realize.

The following excerpt from the IHT story highlights a well-known violation of probably the most stringent of all open source licenses, the GPL:

Harald Welte, a 26-year-old software developer in Berlin, was peeved in 2003 when he learned that a company in Irvine, California, was selling software that used Netfilter/iptables, a program he had created with five software developers in Australia, Japan, Canada and Germany.

The California company, Linksys, had failed to honor to a critical part of the General Public License, or GPL, the most common of about 90 open-source licenses in use today. Under the GPL, any product that includes a licensed program must publish its underlying source code, that is, the computer instructions as written in a programming language. To make matters worse, Linksys had just been bought for $500 million by Cisco Systems, the world’s biggest maker of networking equipment.

After the Free Software Foundation, holder of the GPL license, wrote to Cisco and Linksys to criticize the license breach, Cisco published the source code of the Linksys product, thus giving credibility to the idea of enforcing open-source licenses and spawning new caution among sellers of software.

“This kind of infraction is not as uncommon as one might think,” said Welte, whose efforts have also forced Deutsche Telekom, Siemens and smaller European software makers like Allnet, Sitecom and Fortinet, among 50 others, to publish source code because they were selling products based on his software. “Violations are getting more common all the time.”

As a result, software indemnification cannot be ignored by any software house that uses one or more lines of source code from the open source community. A recent article published on DataDirect’s developer site explains more about the risks incurred if you choose the head-in-the-sand approach, but critically, the article states the following:

“DataDirect provides legal indemnification and quality guarantees that provide customer protection and legal assurance.”

Recently, this has been going further and spawning new business models. The world-renowned insurance brokers Lloyd’s of London, who are typically more associated with shipping insurance, are now offering ‘open-source compliance insurance’, particularly for companies doing M&A – unpeeling the many layers of software dependencies is now a core part of due diligence. One only has to look at start-ups such as Palamida to see the increasing need for open source compliance.

So the watch-word is, proceed with caution. When looking to acquire software, look for intellectual property indemnification and most importantly an understanding from your software vendor that they understand the risks of using open source.

Jeremy Jones


I really don’t think I’m talking out of both sides of my mouth, but you can decide for yourself.

I recently blogged about my fear that Microsoft could harm Python by promoting it as merely a scripting and dynamic language. I stick by what I said. But let’s look at the flip side and see what good IronPython can bring to Python in spite of what I consider misguided marketing.

1) It is open. Anyone interested can poke around and see how it was put together. And knowledge is power. And failing that, I’m sure it’ll be a positive mental exercise.

2) It is a re-implementation of Python. I don’t know if there has been much communication between the CPython folks and the IronPython folks, but anyone can look and see how the IronPython folks did it. And, the CPython folks can build upon the ideas used in the creation of FePy…as long as they’re careful and don’t violate any licenses.

3) It could enlarge the userbase of Python. Granted, it may only be in the form of folks needing to create extended macros in Word. But on the upside again, Python does have a viral effect on people. Meaning, folks who would never have programmed before may find themselves writing simple little programs to do simple little things and then find themselves wanting to take things to the next level.

4) Some in the geek community will invariably use IronPython to its full benefit. While we’re not totally impervious to bad marketing, some geeks will always use products in excellent ways regardless of how they were marketed. And again, the viral effect of Python will (hopefully) kick in and spread.

To sum up, I’m concerned that Microsoft’s marketing may have ill effects on Python, but I think that IronPython itself will benefit the Python community.

Jeremy Jones


Related link: http://www.microsoft.com/downloads/details.aspx?FamilyID=e73fad51-6566-4f4a-a42c…

About 3 1/2 weeks after 0.9.5, FePy 0.9.6 has been released. There was actually some interesting news from the release email:

We’ve just released the newest version of IronPython – 0.9.6. This is most likely the last Alpha version of IronPython before the end of the year when we plan to release IronPython 1.0 Beta 1. This build includes many bug fixes for issues reported to us by the community as well as support for many new modules. We are continuing to drive completeness of the Python and support for interoperability between .NET and IronPython.

So, it appears that IronPython 1.0 Beta 1 is around the corner. I consider this good news. From the list of changes in this release, it looks like they are getting closer to a fully CPython compatible Python implementation.

Andy Oram


Three weeks ago I
editorialized
about a controversy stirred up by the Boston Globe and sources in
Massachusetts about the state government’s adoption of the
OpenDocument format. I’m happy to say the whole matter has blown over,
now that the facts are in.

The Globe reports today (not on the front page, but where such news is
normally reported–in the City & Region section) that a review of
IT director Peter J. Quinn is finished and that no wrong-doing was
found. The findings match the analysis I presented in my blog, with
minor updates. Quinn was told to finish the paperwork for his trips,
which his boss Eric Kriss had waived.

It’s nice for the government in Massachusetts to recognize that
officials can meet with relevant experts and communities in the course
of decision-making.

Sid Steward


Related link: http://us.rd.yahoo.com/finance/external/wsj/SIG=11pitkscs/*http://online.wsj.com…

Here are some snippets from an interesting piece in yesterday’s Wall Street Journal: ‘Music Labels See New Threat From Satellite Radio’ by Sarah McBride.

Today, SIRIUS offers a device that can record broadcast tracks for later playback. This has the music industry in a tizzy. According to Orbicast they have compelled SIRIUS to limit the device’s capabilities. You can read first-hand user feedback from SIRIUS Backstage.

It seems we could someday see untethered iPod-like music devices that can pull tracks out of the air and record them for later playback. First the music industry must set new terms with satellite broadcasters.

“[the music publishers and record labels] are paid a lower fee for songs that are played on the radio than they are for songs that are purchased through download services or on CDs…”

“… users must keep subscribing to the satellite services to be able to access their recorded songs.”

“The new devices ‘are an iPod that pulls down the satellite signal,’ says David Israelite …”

However:

“… the new receivers must be placed in a docking station to receive satellite-radio signals … They also can store music from sources other than satellite radio …”

“… (current) royalty fees equal about 7% of the satellite companies’ revenue, according to Jonathan Jacoby, an analyst at Banc of America Securities.”

“Today, the two services have nearly 10 million paying subscribers between them - up from slightly more than four million a year ago.”

“With negotiations coming next year, satellite providers and record labels have been exchanging letters and phone calls. But neither shows signs of backing down. And soon, the recording industry may be fighting far more radio players than XM and Sirius. New digital radio technology is expected to allow consumers of free radio to capture any song they like with the press of a button…”

Andy Oram


It’s been talked about for years, and now there are well-endowed and
well-researched organizations claiming to offer open source software
some protection from patent lawsuits. The very announcement of these
efforts–even before they have a chance to prove successful–is an
historical watershed for open source and free software. For the first
time you get back something tangible for open-sourcing. And this leads
to another key change in the terrain: it now becomes critical how
“open source” is defined, and who has the power to define it.

Background

The two patent pool projects concerned here–open source’s shining
knights in armor–are the Patent Commons Project and the Open
Invention Network.
The basic idea is to use the patent system the way companies and
inventors have used it from the start: to cross-license patents and
use patents defensively so they aren’t sued out of existence.

As in a fencing match between good players, patent holders rarely hit
each other point-on. Rather, they make threats and counter-threats.
But that requires a great deal of money and legal help, both to
acquire patents and to use them in court.

Now developers, corporations, and organizations sympathetic to open
source software can take out patents and donate them to one of the patent
pools. The pools are backed by large companies that provide the
resources for defending the patents. They pledge never to use the
patents against open-source projects. But when anyone threatens an
open-source project, the patent pool is brought into play to defend
the project against the threat. This is the way the patent system
works (or has up to now).

An overview at Linux Weekly News covers the developments (it may not be
available yet to the general public when this blog first comes out).
Some have doubted the value of the pools, but putting a formal system
in place should have long-run effects that can’t be achieved through
current ad-hoc promises by IBM and others.

Free software developers have been waiting years to try this out. But
as always, major initiatives raise major questions.

Suddenly open source has new value

Until now, there was no prize for doing open source; you didn’t get
back anything in return. Oh, of course, you got the right to use
other people’s innovations in open source, and that’s probably the
biggest incentive for open-sourcing software. But it’s just a tit for
tat. There was no particular power to open-sourcing.

Now it’s different. Open source your software, and you get
protection. Individual developers or small software houses that always
had to worry about patent lawsuits can now worry a bit less–but only
if they play the open-source game.

This is powerful. Managers who always asked “What do we get for
open-sourcing besides good will?” now have a concrete answer: there
will be a lot of legal muscle at their disposal.

There’s power behind open source. And that means there’s something new
to fight over.

What is open source–and who gets to say?

If large legal resources are available to anyone open-sourcing his or
her software, it suddenly becomes critical to define open source
precisely. Does Microsoft’s Shared Source initiative receive patent
protection? Do we use the Open Source Definition managed by the Open
Source Institute, the definition of free software by the Free Software
Foundation, or both, or some totally new definition created by the
sponsors of the patent pools?

Amazingly, I have not been able to find anywhere–on the web sites of
the Patent Commons Project and the Open Invention Network or among any
of the commentators–a definition of open source. These towering legal
initiatives have not publicized the key legal foundation of their
work, which is what they’re protecting.

There have been many arguments over definitions of free and open
source software, largely because projects using different licenses
find it difficult to combine their software. Some of the arguments are
less well-intentioned. People are finding new ways to game the system
all the time (one of the reasons for the current update of the GPL to
3.0). Now that there’s a new and valuable resource to fight over,
definitions become central to a potential battle over a significant resource.

Are there enough licenses already? Could the community just select a
few and tie the definition of open source to those licenses forever?
That won’t work; times and technology change, so someone will always
have to revisit the definition. That someone will have a lot of power.

I’m sure the current ambiguity will be resolved. (In fact, I might
just have missed the resolution.) It’s important for the sponsors of
the patent pools to be fair and not to play favorites, but to be
precise and explicit–and alert to possible misuse of their
generosity.

Jeremy Jones


I believe that Python should be dominating in the LAMP arena. But, frankly, it is lagging behind terribly. I’m not saying that it’s lagging behind in its usefulness and usability, but in the breadth of its adoption.

There are some excellent tools (such as SQLObject) as well as some fantastic web frameworks (such as CherryPy) which make developing web applications faster, easier, and more fun. Python as a language has every conceivable facility available to it to empower web development. The syntax is extremely clean and nimble. It is OO, but not demandingly so. It has a wealth of re-usable code in the standard library specifically geared to facilitate web development.

Ian Bicking wrote a really great article/blog on this topic I guess a few months back. Ian could not have been any more correct with his premise of fixing Python’s web programming problems being the most important thing we can do to market Python. In that article, he stated

We also need input from people trying to do commodity Python hosting, and we need to pay attention to what they say.

In that vein, let me recount my most recent web development experience. (Let me first of all say that I’m not a web developer by trade. I piddle and I hack, but it’s not my day job.) I am in the process of creating a website for my wife. Initially, it was going to be just plain HTML. Then, it was going to need some file-upload capability. Now, it’s going to need user management, a shopping cart, a product catalog, etc., etc.

I initially started just creating plain HTML when that’s all it needed. There was no need to over-engineer, right? Next, when she wanted a file-upload section, I reached for Python CGI. That should do the job pretty simply. Then, as we faced further scope creep, my heart reached for TurboGears, but I knew that wasn’t an option. Not on my hosting plan, anyway. So, I reached for PHP. (And, by the way, I’m not altogether dissatisfied with it, either. But I’ll save that for another day.)

Why did I reach for PHP rather than something Python-based? I can’t believe that I’m so different from everyone else. I believe that this experience (and the answer to the question which I just posed but haven’t answered yet) may shed some light on the current Python situation. I didn’t try Python any further than Python CGI because Python CGI is the most ubiquitous Python offering in the web hosting space; any other options are very sparse.

Let me outline the 3 general options for deploying Python web applications.

1) Standalone processes. TurboGears, which sits on top of CherryPy, requires a standalone server in order to run. They don’t integrate nicely with Apache like PHP does. Actually, that’s not entirely true, but I’ll get to that in a second.

2) CGI. This is by far the most available option for commodity web hosting. But I don’t believe it supports sessions out of the box. You could probably contrive something to stuff a “?PYTHONCGISESSIONID=12ASD83234JALJSDF879S87DF98SA7DF987” string at the end of every URL and store session data in a database, but that just feels nasty.

3) mod_python. This is currently, IMHO, possibly the best option for Python web development using commodity hosting services. I’ve even read that you can deploy CherryPy and TurboGears in it. But the availability is just not there yet. Google sometime for “mod_python web hosting” vs “php hosting” and you’ll see what I mean.

To sum things up, after failing to find more than a handful of hosting services who would support Python hosting in a configuration suitable to me, I chose a more commonly available technology: PHP. The hosting is cheaper and if I run into a problem with a hosting service, I’m not stuck with a bad host. I suspect that the majority of Python web application development takes place in one of two settings: 1) large deployments where the developer/customer have full access to the boxes they are deploying to, or 2) small deployments for either in-home use or on an intranet where the developer is using a spare Linux box and has full access to it. That’s just a guess, though.

I really don’t have a solution, merely my experiences and an observation of the current state of things. I don’t know how Python will gain a ubiquitous commodity-ready hosting solution overnight. Or, how it will take what appears to be a commodity-ready hosting solution (such as mod_python) and make it ubiquitous. I can’t help feeling that I’m missing something obvious, here, though.
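An added example, not code from the post above: the CGI option keeps session data in a database as the post suggests, but carries the identifier in a cookie rather than in every URL, where it would end up in access logs, bookmarks and Referer headers. The key, cookie name and table layout are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets, sqlite3
from http.cookies import CookieError, SimpleCookie

SECRET = b"constructed-demo-key"   # assumption: load a real key from protected config
COOKIE = "sid"                     # assumption: illustrative cookie name

def open_store(path=":memory:"):
    """Server-side session table; only the random id ever reaches the browser."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS sessions (sid TEXT PRIMARY KEY, data TEXT)")
    return db

def _sign(sid):
    return hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()

def new_session(db, data):
    """Store data under a fresh random id and return the Set-Cookie header line."""
    sid = secrets.token_urlsafe(32)
    db.execute("INSERT INTO sessions VALUES (?, ?)", (sid, json.dumps(data)))
    db.commit()
    c = SimpleCookie()
    c[COOKIE] = f"{sid}.{_sign(sid)}"
    c[COOKIE]["path"] = "/"
    c[COOKIE]["httponly"] = True    # not readable from page scripts
    c[COOKIE]["secure"] = True      # sent over HTTPS only
    c[COOKIE]["samesite"] = "Lax"
    return c.output(header="Set-Cookie:")

def load_session(db, http_cookie):
    """http_cookie is the HTTP_COOKIE value a CGI script finds in os.environ."""
    c = SimpleCookie()
    try:
        c.load(http_cookie or "")
    except CookieError:
        return None
    if COOKIE not in c:
        return None
    sid, _, mac = c[COOKIE].value.partition(".")
    # The MAC lets a forged or altered id be rejected before the database lookup.
    if not hmac.compare_digest(mac.encode(), _sign(sid).encode()):
        return None
    row = db.execute("SELECT data FROM sessions WHERE sid = ?", (sid,)).fetchone()
    return json.loads(row[0]) if row else None
```

A CGI script would print the line returned by `new_session` among its response headers and call `load_session(db, os.environ.get("HTTP_COOKIE"))` on each later request.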

Chris Shiflett


Related link: http://phpsecurity.org/

PHPSecurity.org, the companion web site for my new book, Essential PHP Security, is now online. Many thanks to Amy Hoy for the excellent design!

I’ve included the table of contents, the (unfortunate) errata, some reviews, and the code repository.

Some of the examples in the code repository might raise ethical concerns, but I tried to be very careful not to provide full-featured tools that script kiddies can use. For example, the session injection script only lets you modify strings and is split into two separate examples (edit.php and inject.php), and the script to let you browse the filesystem is very basic. I’ve considered enhancing these to make them more useful (and more robust), but I fear they would be misused. What do you think?

The reviews have been very good. I’m happy to see that so many people appreciate the book’s small size and focus. Thanks to everyone who has taken the time to record your thoughts. I really appreciate it!

Several people have asked how the book is selling, and I honestly don’t know. It has frequently been on Technorati’s Popular Books list as well as in the top 10 PHP books on Amazon. I haven’t found a really good site for tracking the Amazon Sales Rank, but Rankforest isn’t bad (and they use PHP). Anyone have any better suggestions?

The sample chapter for MySQL’s Developer Zone still hasn’t been posted, but hopefully that will happen soon. Until then, you can read Chapter 4, Sessions and Cookies (PDF) or get your own copy. :-)

Sid Steward


Related link: http://c2.com/cgi/wiki?WikiEngines

I would like to maintain online PHP code using wiki-like features, such as: ‘edit this page.’ Also: page rollback, site versioning and site staging features would be nice. Such a thing should ease web service collaboration. Any recommendations?

What I want almost sounds like a WikiWithProgrammableContent for PHP. Almost, but not quite. I desire complete control, not just programmable extensions. And, I must admit, I’m not interested in facilitating the WikiWay.

Ariadne is a web application server that appears to fit the bill, except it seems too bulky. Wiki-like simplicity is what I desire. It does offer a nice, syntax-highlighting online PHP editor.

Edit This Page PHP sounds like it would work, with a little modification. If I want to modify an existing system, however, what would make the best foundation?

Many thanks.

Do you know a good WikiEngine for editing PHP code online?


Related link: http://news.perlfoundation.org/

The Perl Foundation, a non-profit community group that holds the copyrights to Perl, sponsors low-cost Perl conferences, and manages grants and infrastructure for Perl development, has just launched a weblog to keep the community informed. This has been a need for a long time and it’s very nice to see much more openness and transparency from a group that does good things.

Andy Lester


Related link: http://news.perlfoundation.org/

(In my Copious Free Time when I’m not at work, or updating the just-released
Mac OS X Tiger In A Nutshell, I’m PR guy for The Perl Foundation.)

The Perl Foundation was established in December 2001, but is a mystery
to many people. Today we announce The Perl Foundation Blog at
blog.perlfoundation.org (also available as Atom and RSS).

Perl Foundation News is the place to read updates on what members of the
Foundation’s working groups are working on and for other project-related
announcements. Where before a working group member might post an update
to his use.perl journal, or a meditation on perlmonks.org, from today
those updates and more will be appearing on the Perl Foundation Blog.

The Perl Foundation’s work includes:

  • sponsoring the YAPC conferences and supporting their organizers
  • managing grants for Perl-related projects
  • working with outside groups, as on Google’s Summer Of Code project
  • putting a public face on the work of the Perl community
  • providing technical infrastructure for web hosting and Subversion repositories
  • supporting and coordinating volunteer efforts

Now you can get information about these activities.

Comments are enabled, allowing you to give feedback directly to our
working group members. Talk directly to us and tell us what we’re doing
right or wrong. Ask us questions and we’ll do our best to answer. We
love comments and want to hear your views.

We’re well aware of the problems of the past. We know that communications
have been weak. We’re working hard for the trust of the Perl community,
and creating the Perl Foundation Blog is a crucial step as we work to
earn that trust.

Whether you want to participate in helping make the Perl community even
better, or are interested in what’s going on, we hope that
blog.perlfoundation.org helps.

Chris Tyler


Related link: http://blog.chris.tylers.info/index.php?/archives/14-Multiseat-X-Under-X11R6.97.…

Multiseat systems provide multiple graphical interface hardware sets (monitor/keyboard/mouse/optionally sound) so that several people can use one computer at a time. They’re ideal for libraries, Internet cafes, desktop home computing, classrooms, call centers, and other high density, cost-sensitive environments.

When you put two to seven users on one standard white box PC (instead of individual PCs), the hardware, system administration, and power savings add up quickly.

I keep getting inquiries about doing Multiseat X under Linux using X.org 6.9 (X11R6.9/7.0, which is now in pre-release testing), so I’ve put together a temporary mini-HOWTO.

What uses can you see for Multiseat?

brian d foy


Related link: http://www.theperlreview.com

I’m sending out the email announcements as I post this. Once you get the new password, you’ll be able to download the latest issue of The Perl Review.

In this issue:

  • Seven Sins of Perl OO Programming — chromatic
  • Hash Anti-Patterns — Alberto Manuel Simões
  • Haskell for Perlers — Frank Antonsen
  • PerlWar — Yanick Champoux
  • book reviews, commentary, news and more…

Some of you neglected to renew, but I won’t bug you in email anymore. To find out more about the sampler on the cover, you’ll have to renew that subscription.

If you haven’t subscribed yet, now’s the time because I have to raise prices next year when the US postal rates go up.
