PyCon 2007 is creeping up in about three months. So far, no accepted talks have been announced. The keynotes, however, have been announced. It looks like a good lineup. Guido will be speaking on Python 3000. Ivan Krstić will be speaking on the one laptop per child initiative. r0ml Lefkowitz will be speaking on the importance of programming literacy. And Adele Goldberg, of Smalltalk and Xerox PARC fame, will also be presenting. In addition to what can be gained from listening to the presentations, there also appear to be a number of ways to give back to the conference and the community.

I would love to make it this year. I’ll have to see what craftiness I can conjure to be able to attend.

UPDATE: The approved talks and tutorials have now been published. It looks like an amazing lineup.

Following is the official press release for PyCon 2007.

Press Release

SOURCE: Python Software Foundation

PYCON 2007 - FIFTH ANNUAL PYTHON COMMUNITY CONFERENCE

ADDISON, TX, November 30, 2006 - PyCon 2007, the fifth annual conference of
the Python community, will take place February 23-25 at the Dallas/Addison
Marriott Quorum hotel. The keynote speakers will include Ivan Krstić, from
the One Laptop Per Child project; Adele Goldberg, a developer of Smalltalk;
Robert R. Lefkowitz, an expert on the use of open source in business; and
Guido van Rossum, the creator of Python.

PyCon annually attracts hundreds of attendees interested in the open-source
Python language, ranging from novice programmers to developers of the
language core. This year’s conference will include a record sixty-four
sessions, covering the use of Python in a broad range of contexts, such as
web development, testing, and cross-language integration; case studies in
industry, science, and education; and Python implementations for the Java
and .NET platforms.

The program will also include intensive half-day tutorials, impromptu Open
Space talks, Birds-of-a-Feather topical gatherings, and the ever-popular
five-minute Lightning Talks. One new feature this year will be the Python
Lab, a collaborative, hands-on problem-solving environment. Following the
conference, many developers will stay for Sprints, extending the Python
language and Python projects through several days of intense, cooperative
coding.

PyCon is organized by members of the Python community, and made possible by
the Python Software Foundation and conference sponsors.

For more information or to register, please visit the PyCon 2007 website:
http://us.pycon.org/TX2007/

Information for members of the press is collected at
http://us.pycon.org/TX2007/ForPress

Contact information
——————-

Publicity coordinator: Catherine Devlin
IntelliTech Systems
catherine.devlin@gmail.com
937-427-8814×222

Conference chair: Andrew M. Kuchling
ASTi
amk@amk.ca
703-471-2104 x120

Alternately, send e-mail with a phone number to psf@python.org and someone
will call you as soon as possible.

Alvar Freude just wrote in to ask for help soliciting Perl development teams for the upcoming Plat_Forms contest. He describes it as “an international contest and comparison with scientific evaluation about programming languages (and frameworks) for web development.”

It will take place at the end of January in Nuremberg, Germany. The rest of Alvar’s message is:

Do you know Josh McAdams ?? Surely you do, he’s the talented brain behind the Perl Podcasts (http://www.perlcast.com/) and one of a kind, who clearly has a special tactile sense about people communications, behavior and the community itself.

And remember, he’s the one that said :

… Perl is definitely not the next big thing. It already is a big thing.

Enjoy !

Recent blog postings here on the O’Reilly Network and articles on Slashdot (including a recent review of my book) have generated some really strong negative comments about the Fedora project. Does Fedora really matter?

USB drives are popular Christmas gifts. They are portable, relatively inexpensive, and extremely useful to store electronic files. My graduation gift from the Tufts Computer Science department in 2004: a 32 MB USB drive. My gift for a security presentation last year: a 128 MB USB drive. Now, you can get a 1 GB USB drive for roughly $20.

The prevalence of electronic data and portable devices, including USB drives and laptops, have spawned a huge data security problem. Devices are easily lost or stolen, and the data is unencrypted. I’m sure we all remember the story of the missing laptops at the Department of Veterans Affairs (VA) earlier this year with thousands of personal records. Or the news of US Army USB drives being sold on the streets of Afghanistan. It is hard to read the news these days without seeing a story on a data security breach somewhere.

Some USB drives will come with data encryption software while many will not. Do yourself or someone else a favor and encrypt the data on the device. TrueCrypt will accomplish this, and it is not difficult. Todd Ogasawara mentioned this last week on his list of open source software for Microsoft Windows. Here are the steps to create an encrypted data volume on your USB drive on Windows:

1. Backup any existing data on the USB stick onto your hard drive.
2. Erase the USB drive.
3. Download and install TrueCrypt (will install to C:\Program Files\TrueCrypt by default).
4. Copy the TrueCrypt program (C:\Program Files\TrueCrypt\TrueCrypt.exe) onto your USB drive. It is a small program (only 603 K as of this writing). The reason for this is that if you use the USB stick on another computer, it will likely not have TrueCrypt installed, but you can open your encrypted data volume using the TrueCrypt program that is on your USB stick.
5. Open the TrueCrypt Format program (C:\Program Files\TrueCrypt\TrueCrypt Format.exe) and choose “Create a standard TrueCrypt volume”
6. Enter the location and file name of the encrypted volume. Say that your USB drive is “E:” and you want to call your encrypted volume “Things”, then enter “E:\Things.tc” (where .tc is the file extension of a TrueCrypt volume).
7. Choose your encryption algorithm (AES is fine).
8. Enter the size of your encrypted volume. The screen will display the amount of free space that you have on your device. Make the size of your encrypted volume less than the total available to allow for wiggle-room for some purpose (e.g. emergency, configuration file). Say that it shows that I have 118.70 MB free on my USB drive, a 100 MB encrypted volume would be fine.
9. Create a password for the encrypted volume.
10. Move your mouse cursor around the screen for a few seconds to randomize the pool. Then format the encrypted volume, and exit the TrueCrypt format program.
11. Your USB drive should now have two files: the TrueCrypt program and the encrypted volume file (in this case, Things.tc). You can double-click on the file Things.tc. The TrueCrypt executable (that is installed on your computer, not the one on your USB drive) will open, and notice that the Things.tc is ready to be mounted.
12. Now double-click on a drive letter, any drive letter listed. These are all the unused drive letters available on your computer. Let’s choose “Z”.
13. Enter the password for the encrypted volume.
14. On successful entry of your password, your encrypted volume will be mounted, and it will show as your “Z:” drive under your list of hard drives.
15. Move any files that you want to be encrypted onto your “Z” drive.
16. Remember, you need to dismount the encrypted volume before you eject your USB drive. To do this, go into the TrueCrypt program (or double-click on the TrueCrypt icon on the lower-right corner of the screen next to the clock), and click “Dismount”

So now you have created an encrypted volume. But what about privacy on surfing the Internet? Look at the mess that occurred when AOL released the search data for over 500,000 users –yes, the searches can be traced back to the user. One piece of software that will allow you to surf the Internet anonymously is Torpark (again, open source). It is a portable version of the Firefox browser with Tor. Download Torpark and install onto your encrypted volume. Run the Torpark program (e.g. Z:\Torpark 1.5.0.7\Torpark.exe). The Tor connections will be established and a customized version of Firefox will load. Torpark is currently available only for Windows.

There are businesses that sell encrypted/privacy USB devices, or “computers on a stick.” Now, you can build one on your own. Remember, this is not a foolproof solution to the data security or privacy problems. For general computer users, this is a good start and good practice. One can still (attempt to) crack the password to your secured volume. But isn’t having the data encrypted using some universal method better than absolutely no encryption at all? You are still not completely anonymous on the web using Tor (e.g. you reveal your identity on forms). But it does protect the transport of data from one computer to another pretty well, and that is important.

When Google bought YouTube, lawyers and business analysts across the U.S. warned it would be swamped by lawsuits over copyright violations. Sounds scary enough–but what about facing criminal indictment for posting a violent video clip? On this basis, the Italian government has launched a criminal proceeding against Google and raided their Milan office, according to the Italian Internet anti-censorship organization ALCEI.

I missed this trick a while back, but for everyone who has to program in Python and misses actual working closures, close over a container variable or use a function attribute. jjlinuxland’s Modifying a Counter in a Closure and the comments explain more.

Now to play with lambda to see if this trick makes them more useful….

This week on the Perl 6 mailing lists

“…of course [that] can’t be a bug as there are no specs ;)”

– Leopold Toetsch, in ‘[perl #40968] [BUG] :multi doesn’t seem to work right’

Enjoy this imaginative Thanksgiving story about the dangers of DRM and the potential of open e-books, from David Rothman of Teleread.

Josh Clark just sent me an e-mail to say:

I’ve just made available a free Perl Critic plugin for the BBEdit text editor for OSX. It gives a handy GUI for running scripts through Perl Critic, and I thought that Mac users of Perl.com might find it useful.

Perl::Critic is one of my favorite open source projects. Integrating this with any editor is fantastic. BBEdit-using Perl hackers, install this plugin now!

This week on the Perl 6 mailing lists

“Sadly, the hallucinogens are essential, not external.”

– Mark J. Reed in ‘List assignment question’

I recently had need (actually, more of a want thing) to mount a remote server from my laptop. The server in question has NFS running, so I figured it would be easy to mount my home directory on the server to some location on my laptop. It was simple. But when I mount it, all the files in my home directory were owned by some user which does not exist on my laptop. I thought I had tackled this problem in the past and found a way to map IDs from one system to another system when you NFS mount. Googling around turned up “idmap”, but I didn’t find clear documentation on how to configure it to do what I wanted, particularly when I only own the client side.

Then a friend recommended I look at sshfs. (Thanks, Michael!) Basically, if you have SSH access to a server, you can mount a directory on that server and access it locally. All I had to do on my Ubuntu laptop was to install the “sshfs” package. sshfs uses FUSE, so it installs all the FUSE dependencies it needs.

The command I use to mount the remote server looks like this:


sudo sshfs {{user id}}@{{server hostname}}:{{desired remote share}} {{desired local mount point}} -o idmap=user -o allow_other -o uid={{local user id}} -o gid={{local group id}}


This will not only mount the remote share, but will resolve any user id mismatches with the ones you specify with the uid and gid options. The performance is pretty good when both machines have a good network connection between them. But when I mount a directory on my server at home (meaning over a DSL connection), it lags noticeably. I think this is a great option for mounting a remote system when all you have is SSH access to it. It even works well when you don’t feel like fighting through user id/host mismatches. If anyone has a client-side only fix for the NFS user id mismatch, I’d love to read about it!

We all know that Hello World is the first program many people write in a new language or to test that their development environment is properly configured.

But there’s actually a family of domain and paradigm specific Hello Worlds, for instance, the factorial program could be the Hello World of functional programming.

I’ve been told that the Hello World of CGI is a page with a drop down menu of colors. On submitting, the page background is changed to the selected color. I used this in my entrance into Ruby CGI early today.

I’d love to make this list longer, but I don’t know what the prototypical first program is for OO, or for Logic programming or database access. If I collect more I’ll post them here. If you have ideas, please leave a comment.

Rails fans are understandably proud of the magic metaprogramming facilities of Ruby, the database introspection capabilities of ActiveRecord, and the fact that the most basic model class is only two lines long (at least in every tutorial I’ve seen).

I say that’s two lines too many.

Here’s how to have zero-line model modules in Perl — as many as you want. (If you have a complete CRUD application, you can use the same idea to generate RESTful controllers, too.)

I read today in the November 15th issue of Software Development Times (an actual paper publication!) that buffer overflows are no longer the most common update security problem reported by CVE (cve.mitre.org).

The three most common types of security vulnerabilities in 2005 were cross-site scripting (16.0%), SQL injection (12.9%) and buffer overflows (9.8%). So far in 2005, buffer overflows has lost the #3 place to PHP remote includes.

The good news is that Perl has long had capabilities in the language and its most common libraries that effectively shut down many of these attacks.

It’s not surprising that buffer overflows are on the way out. Perl programmers have long been able to not worry about buffer overflows. Dynamic strings mean no buffer overruns. Fortunately, all the new dynamic languages like Ruby, Python and PHP have dynamic strings as well, leaving only C and C++ programmers having to worry about the size of their malloc buffers.

Where Perl shines in web security is with its built-in “taint mode”. When taint mode is enabled, all data from an external source, such as from a web input form, is assumed to be untrusted and tainted. If a user types in her name, the resulting string is marked internally as tainted. Most of the time, this effect is invisible.

print "Hello, $name, glad to see you.\n";

Perl will print out the the user’s name, because no matter what $name is, it doesn’t present a security risk. However, consider this common rookie programmer mistake.

$dbh = ... code to make a database connection ...;
$dbh->do( "insert into visitors (name) values ('$name')" );

That works fine for values of $name like “Bob Smith”, but consider a string like:

'); drop table visitors;

Your SQL expands out into

insert into visitors (name) values (''); drop table visitors;')

That results in three statements, separated by semicolons: One inserts an empty value in the “visitors” table, the second deletes the “visitors” table, and the third a syntax error. The effect is that one well-crafted string from a miscreant means you’ve lost your data table. The possibilities are endless.

Taint mode to the rescue!

With Perl’s taint mode, and DBI’s TaintIn attribute enabled, SQL injection attacks can’t happen. Perl’s DBI module sees the tainted data, since any data created from tainted data is also tainted, and refuses to execute the command. In effect, DBI says “You don’t know that the SQL command you’re passing me is trustworthy, so I won’t run it.”

Of course, DBI handles the safe way of doing SQL calls, using placeholders:

$sth = $dbh->prepare( "insert into visitors (name) values (?)" );
$sth->execute( $name );

The data is passed to DBI, but entirely separately from the command. The command is not created using tainted data, so is safe for DBI to execute.

SQL injection prevention is just the beginning of the value of taint mode to Perl programmers. Tainted data also can’t be used for executing system commands or reading source code, as in the PHP remote include exploits. For a more thorough discussion of how taint mode works, and why you want it on in every web program you write, see the perlsec documentation for Perl with perldoc perlsec, or online at http://perldoc.perl.org/perlsec.html

I hope that other dynamic languages continue to borrow Perl’s features and add explicit taint-mode checking to their bags of tricks. Modern web development demands it.

I wanted to get a Django site working under Python 2.5 the other day using Sqlite. I downloaded the source for Python 2.5 (even though 2.5 is in the Ubuntu repository), compiled, downloaded the Django 0.95 release, installed it, and tried to create a new blank database. Error. Here is the exact traceback:

Traceback (most recent call last):
File "manage.py", line 2, in
from django.core.management import execute_manager
ImportError: No module named django.core.management


After digging for a few minutes, I realized that I didn’t have the Sqlite header files on my system when I compiled Python. I added the libsqlite-dev package on my laptop (which is running Ubuntu), did the make && make install dance, and tried it again. No error.

Had I taken the time to read all 1291 lines of the README in the Python 2.5 release, I would have read this around line 760:

Building the sqlite3 module
—————————

To build the sqlite3 module, you’ll need the sqlite3 or libsqlite3
packages installed, including the header files. Many modern operating
systems distribute the headers in a separate package to the library -
often it will be the same name as the main package, but with a -dev or
-devel suffix.

The version of pysqlite2 that’s including in Python needs sqlite3 3.0.8
or later. setup.py attempts to check that it can find a correct version.

Now all is well with the world.

Microsoft’s Jason Matusow wants comments on Microsoft’s patent pledge to F/OSS developers. That’s the pledge where Microsoft won’t initiate legal action against any developer who never distributes his or her code in any commercial fashion.

Here’s my comment: that’s useless and insulting.

The Perl community is not new to hackathons; the Pugs hackathon in Toronto in 2005 before YAPC::NA is one of the best known. However, most of these sprints took place before or after conferences: OSCON, YAPC, et cetera.

I went to the Chicago Perl Hackathon this past weekend. Barring some troubles during the trip, it went flawlessly.

So the other day Sun announced that Java would be released as true open source software under the terms of the GPL(v2). A few years ago, when I was developing a considerable number of my projects in Java, this would have been greatly welcomed news for both myself and other BSD users. After all, for the past several years, getting Java built and operational on our operating system has been much akin to pulling so many teeth, and the results were almost always wholly dependent on how well you crossed your fingers.

So the question now is this: What does it mean for BSD developers? We’ll no doubt soon be seeing JDK binary packages and complete source trees available via ports, but after several years of incredible platform bloat and withering industry attention, do BSD developers even care about Java anymore?

Over the past year, I’ve spent most of my time coding system-level stuff in pure C, and it’s quite obvious that other developers have latched onto other languages like Ruby. Like those ex-lovers who refused to give us back our LPs, is Java dead to us, or is there still hope for a rebirth?

I prefer programming to administering systems–so much so that if there’s a way for me to avoid deploying software or running backups or installing software, I’ll take it.

I also prefer re-using existing software to writing my own, mostly. If someone else has already built something I can use trivially, great!

What happens when you combine those two concepts?

My colleague Tony Stubblebine, who you may remember used to be a senior software developer here at O’Reilly, recently went to a Salesforce conference. Their AppExchange program caught his attention, and he twisted our arms into publishing a three-part series on building your own hosted applications with AppExchange.

Even if you’re not in the business of writing hosted business software, the development and deployment and business models are very interesting.

This week on the Perl 6 mailing lists

“…problem 2 is probably just me being confused (though I’d love an explanation, from @leo ;-)).”

– Jonathan Worthington, in ’set_pmc_keyed_int delegates to set_pmc_keyed…?’

There are a lot of applications left for clusters and grids to explore, as two companies I’ve talked to recently show.

Cleversafe: Better reliability and security by letting go of data

Cleversafe is commercializing a distributed storage technology that first showed potential back in the 1990s, and that was being widely discussed in 2001 when the peer-to-peer craze hit and people first talked seriously of monetizing the grid computing model of SETI@home. The Cleversafe approach is doubly interesting because it is distributed in two senses:

• The data is stored on many systems, geographically scattered around the world to facilitate disaster recovery.

• Responsibility for the system is distributed. Cleversafe provides only the technology (open source) and the service. Actual storage will be purchased from a variety of companies, so that no one entity has control over users’ data.

In the most blatent misuse of the Web 2.0 meme, Sun wants Web 2.0 entrepreneurs to buy Sun hardware to launch a new web company!

I realize that this is way off topic for what I typically write. But this is an honest question. It’s not a troll. It’s hopefully not flamebait. And it for sure isn’t an attempt to push my political bias. I want anyone who is interested and can cordially formulate their thoughts to voice themselves, whether you answer the question “Is a Democratically Controlled Congress Good for Tech America?” in the affirmative or in the negative. Feel free to point out failings of the previous Congress and point out how the new Congress will do better. Or point out the strengths of the previous Congress and how the policies of the new Congress will be detrimental to the technological well-being of the United States.

Here are some guidelines:

1. No bashing of any person or political party. I’m not in the habit of editing or deleting comments, but I will remove any bashing comments.
2. Try to focus on the technological implications of this new Congress. I don’t want comments specifically of the economy, taxes, abortion, religion, etc. unless there is a direct tie to technology.

I’m really interested in reading your comments.

The London Perl Workshop 2006 has just been announced. It will be on Saturday December 9th at Westminster University. The announcement also contains details of how to submit talks for the workshop.

The LPW is (like all of the other local Perl workshops) a grass-roots, one day, free Perl conference. The talks are of a very high standard and it’s a great way to meet people from the Perl community (who come from all over the world to be at the workshop). The two previous ones have been very enjoyable. I’m just gutted that I’ll have to miss this one because I’ll be out of the country.

Alan Coopersmith reported that he has integrated DTrace probes into X.org. This is great news; it means that OpenSolaris (and soon, Mac OS X and FreeBSD) developers can profile the X server very easily. It will likely lead to performance improvements.

DTrace is one of the best technologies to come out of Sun in a long time, and it’s one of the top features of OpenSolaris. I heard that it only took a dozen or so probes to instrument MySQL effectively, too.

I’ve never done any J2EE programming. However, I have written business-critical code. I’ve written my fair share of LAMP code, and I’ve written enough Java code to last me the rest of my life. It’s no secret that I prefer Perl to Java for web development (and just about everything else).

I appreciate that addressing practical problems allows thoughtful developers to identify common problems and extract patterns and convenient abstractions to make solving similar problems easier in the future. I expect a mature language and platform to allow and encourage that.

What if all software patent applications had to include all of the relevant source code?

This week on the Perl 6 mailing lists

“That fuzziness is classic $Larry. Some of the rest of @Larry can be more *mumble*matic.”

– chromatic in ‘where constraints as roles’

If you don’t get fat checks from an enterprisey company for your software work, should you care what they do and why?