This week on the Perl 6 mailing lists
“Q: Can February March? A: No, but April May…”
– Larry Wall’s r14313 log message for a date correction
March 2007 Archives
At SD West last week, I sat in on the Agile — With or Despite of Global Development roundtable. While traditional agile development (as you might see in XP or Scrum, to some extent) recommends small teams that sit together, many organizations and projects are larger, with team members in multiple locations.
This separation makes producing software more difficult. (That’s one of the reasons agile development tries to keep team sizes small and everyone together.)
Microsoft Port 25’s Michael Francisco lists a bunch of new projects hosted on CodePlex in his blog…
Two projects in the alpha development stage caught my attention…
Windows Installer PowerShell Extensions: Exposes Windows Installer functionality to PowerShell. Head over to this project and read the descriptions of some of the proposed PowerShell Cmdlets. This project should be an interest to watch develop over time.
Crash a Party: This sample mashup uses the Windows Live Contacts Control and Virtual Earth to place your Windows Live Contacts on a map. This one sounded fun. I visited the mashup site linked on the project page and fired up the Live Contacts Control. However, instead of clicking through the contacts and sending them over to be visualized on the Virtual Earth map, I canceled the session. Why? I didn’t want to accidently expose my friends to a web app that I hadn’t fully investigated. Identity and Trust are the cornerstones of the Web 2.0 world. How do you decide on what and who to trust? I don’t even provide my cell number for my Twitter account fearing a SMS deluge that might be caused by a large number of legitimate twittering from friends or an accidental text flood.
Why does Microsoft talk about Total Cost of Ownership when you merely license their software?
Perhaps all of these TCO studies are true; it does cost Microsoft less to own Windows than it would to try to buy all of the copyrights for every competing project.
Recently there was a thread on the O’Reilly Radar started by Tim O’Reilly posting a chart that I put together from our book sales data. The chart showed comparative market share for most of the relevant programming languages. I have updated this in the chart below and have included 2005 data as well.
A litte insight to the numbers behind this graph. The percent shows that a lanugage like Java represents ~23% of all book sales when looking at the language dimension. That means, I compared all the languages and which books have ‘XYZ using Java’, or ‘Embedded FOO on Java’, etc. So it does not have to be a strict Java Programming book, but rather a book that is Java-centric or the examples contain mostly Java code. I compared aggregated sales units during Jan-Feb for 2005, 2006 and 2007.
Disclaimer:
This is not an exhaustive study as I threw out Languages that did not have a representative sample in one of the years. In other words, if a language area show up with 15 units in 2005, but not in 2006 [or 2007] it was dropped. These are the bottomfeeders. So if you use one of those languages, Squeak, you will not find the results in my chart.
Some observations:
During the previous two years and this year, during January and February, the biggest declines were seen with Java ~5.5% down, C/C++ ~4.5% down, Visual Basic ~2% down and Perl ~1.5% down. The reason I point these out, is that is is market share for books, the unit sales numbers, which I will not supply, are a bit more alarming if you are on the declining list.
During the previous two years and this year, during January and February, the winners seem to be: Javascript ~5.5% [almost exactly what Java lost], Ruby ~5.25%, .Net Languages ~3% and C# ~2.75.
So when you look at the top for both lists, the totals are a bit different. There is a 3% difference on the winners side. What is says to me, is that most of the growth was seen in the four top languages, while the decline was spread a bit wider.
Your observations?
Do you really care about languages and what books sales tell us about trends? Don’t think for a moment, as past posters have said, that some languages have better market share because one language has ’sucky’ books. I did a quick analysis of GPA ratings on Amazon by language, and there are not any really significant wins for one language over another. One thing that does factor tough, is early to market. On average, when a language or technology topic is in its infancy stages, the market is more forgiving on the reviews. About .5 for the first books to show up in a category. You could say the the first are usually the best, but that does not hold up either.
Do you think maturity of a market shows in this data? Javascript/Ajax, Ruby/Rails are top two and are fairly nascent. Java and C++ are mature technologies with presumably less newbies clamoring to learn them. So what do you think?
If there is enough interest, I will follow up with some efficiency and average title metrics.
Although the launches of Windows Vista and Office 2007 got all the attention during the Winter 2006-2007 period, I think that when people look back on this period in a few years, the standout Microsoft release will be PowerShell. I’ve mentioned a couple of Port 25 interviews and comments on PowerShell in the past. Here are some of the pertinent ones to refresh your memory.
Watching a community grow - Powershell
Powershell Released: An interview with Architect Jeffrey Snover
Powershell in Action! Hank interviews Bruce Payette
PowerShell is currently a free downlaod add-on product for Windows XP, Windows Vista, and Windows Server 2003 (I couldn’t get it to install under Longhorn Server Beta-2). This week, however, Microsoft’s Jeffrey Snover (PowerShell Architect) Announced: PowerShell to Ship in Windows Server (Longhorn)!!!! This is good news indeed. Having spent the last couple of decades working on UNIX/Linux servers (mostly from the command line), I find managing Windows Servers from the GUI often slows me down and makes remote management a chore. Having PowerShell built into the future version of Windows Server makes life easier for those of us with mixed server environments.
Here’s a PowerShell goodie I found on Microsoft’s CodePlex site that is an example of the power PowerShell brings to Windows.
This brings together the Windows data objects that PowerShell has access to with the statistical analysis power of the Open Source R statistical package. The oldsters among you (if you remember the late 20th century, you are old :-), will find that your old S statistical package books mostly applies to help you use the powerful R statistical package.
TAP::Parser is the intended replacement for the venerable Test::Harness module. The intent is to clean up the code in such a way that writing custom test harnesses and supporting new TAP features is possible. (I’ve hacked on Test::Harness:: Straps; it wasn’t the easiest programming task I’ve ever tackled.)
I added TODO tests to Parrot’s test tools a while ago, to make it easier
to distinguish expected test failures from accidental failures.
Unfortunately, Test::Harness displays very little information
about TODO tests that passed. In TAP terms, these are bonus tests.
The programmer expected them to fail, but they actually passed, so they
need further investigation.
It would be nice to collect information on skipped, TODO, and bonus
tests in the normal test run. Though I could write a harness via
Test::Harness::Straps, I decided to try
TAP::Parser instead. Here’s what I discovered.
This week’s recipe can be found here. It shows how to use closures to perform various sorting operations. Before you click on the link, let me point out the same thing as one of the commenters of this recipe: this recipe is pretty much obsoleted by mixing operator.itemgetter with list.sort(key=foo). I thought this recipe was interesting, though, because it showed a really good use for closures. Having a concrete idea of how a certain feature can be used sometimes helps to use the feature in other ways. Hopefully that will be the case here.
BusinessWeek has a great article on Microsoft’s recent stumbles in online search. It’s reflective of Microsoft’s - and, indeed, any successful company’s - attempts to cast itself in a new mold.
If Microsoft can’t keep pace, it risks seeing its Windows and Office software franchises erode as Google and others launch Web-based rivals. “It behooves Microsoft to be there,” says Charles Di Bona, an analyst with Sanford C. Bernstein & Co. (AB ). “If they don’t get there, it gives others a platform from which to attack Microsoft’s core business.”Just as troubling, Microsoft’s search problem reflects its approach to new markets in general. It spends little time focusing on tiny, emerging niches that generate little, if any, sales. But those are precisely the markets that can quickly blossom on the Net into meaningful businesses. “Bill [Gates] and Steve [Ballmer] and the leadership don’t understand the value of small things,” says Robert Scoble, a former Microsoftie whose blog recently took the company to task for its Web missteps. “That cripples their entire Internet strategy from the start.”
This is the same trouble the company has had with open source, though I believe it has generally been more successful with open source than with these other, product-related decisions. Once Microsoft figured out that open source is a development methodology, and not a traditional competitor, it has responded much more productively to the “threat” than it has to search, online applications, etc.
In open source, I believe Microsoft’s best strategy is to start creating entirely new products completely in the open. It doesn’t have to sacrifice its Windows or Office cash cows to open source. Rather, it can experiment in safer territory.
What Microsoft can’t afford to do is sit around and wait for open source to happen to the company. It won’t. Open source requires a complete restructuring of how one thinks and behaves as a company. It’s asking too much of Microsoft to make this shift (just as my old company, Novell, failed to make the corporate shift). But it’s not too much to ask of a division within Microsoft. Or a product. It needs to happen sooner, not later.
The Seneca Free Software and Open Source Symposium (FSOSS) is a great community-oriented event held in Toronto each October. I’m co-chairing the 6th edition this fall, which for the first time will include two days of presentations and workshops (October 25-26). If you’re interested in speaking or teaching, we’re looking for solid presentation and workshop proposals at http://fsoss.senecac.on.ca/2007/.
I just noticed that the stable 3.0 branch of The Metasploit Framework is now available:
The Metasploit Framework (”Metasploit”) is a development platform for creating security tools and exploits. Version 3.0 contains 177 exploits, 104 payloads, 17 encoders, and 3 nop modules. Additionally, 30 auxiliary modules are included that perform a wide range of tasks, including host discovery, protocol fuzzing, and denial of service testing.
Download Metasploit Framework 3.0 here.
In addition to many improvements over version 2, the new version is a complete rewrite of the framework in Ruby. More details in the release notes.
I just used GNU find to search a directory hierarchy for files matching a particular naming pattern. I’ve been programming for long enough that writing a tree-walking algorithm to search for appropriately-named leaves is almost trivial, but the point is that I don’t have to do that. Piping the output of find into my filter program to search within the files was sufficient.
I use the other findutils programs–especially locate–several times each week. Without them, I’d get lost in a sea of thousands of files. Thank you to all of the developers and contributors. You saved me a few minutes today, as you do almost every day.
Open source is not as open as it claims, and Microsoft is not as closed as is claimed. Thus spake Brad Abrams, group program manager for ASP.NET AJAX at Microsoft.
Abrams argued that Microsoft is not the cathedral when it comes to ASP.NET AJAX but is quite transparent. Furthermore, he stated that most successful open source efforts are backed by a commercial vendor, making them less bazaar than they claim to be.“I’m not sure the bazaar analogy works,” Abrams said. “Neither cathedral nor bazaar are the same in the AJAX Web space; rather there is a continuum that reaches across space.”
According to Abrams, ASP.NET AJAX offers the best of both the commercial and open worlds. On the commercial side Microsoft offers 24 x 7 support. “In the open source world you can talk to people and get answers,” Abrams said. “But we’re offering guaranteed support.”…
On the open side of things, Abrams claimed that Microsoft was providing ASP.NET AJAX components with 100 percent source code availability. The components are being licensed under Microsoft’s permissive license, which allows users to view, modify and redistribute source code for non-commercial and/or commercial purposes.
Fair enough, and no doubt true. It also points to an important point (though not stated): different groups within Microsoft are more open than others. I’m willing to bet that the emerging groups have more leeway to be open than the old cash cows within the company. That’s to be expected.
Fragment of my business card
Bryan poses three scenarios that encourages openness: Curiosit & Creativity, Economic Opportunity & Problem Solving, and Status & Recognition.
A few days earlier (March 21), internetnews.com reported on the keynote given by Brad Abrams, Microsoft Group Program Manager for ASP.NET AJAX at the AJAXWorld conference.
Microsoft Not a Cathedral; Open Source Not a Bazaar
Abrams reflects on Eric S. Raymonds oft referenced The Cathedral & the Bazaar saying that Microsoft is not the cathedral when it comes to ASP.NET AJAX but is quite transparent and “I’m not sure the bazaar analogy works,” Abrams said. “Neither cathedral nor bazaar are the same in the AJAX Web space; rather there is a continuum that reaches across space.”
I suggest that there is room for extrapolating a bit on both these points of view. To Bryan’s list I’ll add Do the right thing. Being open in terms of information in general and source code in particular often just feels like the right thing to do. Microsoft itself has recognized the value of sharing information by awarding its Most Valuable Professional (MVP) designation to those they describe as: …are a highly select group of experts that represents the technical community’s best and brightest, and they share a deep commitment to community and a willingness to help others.. And, the creation of the Microsoft Open Source Lab seems to demonstrate that they are serious about understanding FOSS better.
My take on Abrams’ point that the Cathedral and Bazaar analogies may be less applicable these days is to add a less colorful but perhaps useful analogy of workshops in clear view of each other and where things simply need to be built or repaired. For years I’ve been trying to promote a pragmatic view of just getting work done in a heterogenous environment. The section of my business card showed here pretty much says it all for me.
As Paul Kedrosky is reporting, Microsoft continues to struggle with its online strategy.
This is further evidence that Microsoft needs to look forward, rather than trying to tie everything into its history. The way forward is by burning the boats, not by continuously plugging the holes in those boats. Microsoft will never succeed in the online world until it competes as vigorously there as Google does, which will be difficult while its interest is in hording the riches it has made in the past with the offline world.
I was discussing object oriented (OO) programming with someone who was working on a horrible piece of software with class names like StartSession. I’ll call him “Alice”. Naturally, when wading through these classes, he finds 400 line “methods” in classes which are merely OO façades around procedural modules. This is disappointing, but it’s all too common. If you think that StartSession is a good name for a class, someone has done a poor job of teaching OO to you.
I think part of the problem is that while there are some excellent university professors who do a fantastic job of teaching OO, many professors I took classes from had little to no real experience outside of the classroom, or those with experience clearly went back to teaching due to the old adage “those who can’t, teach”. Surprisingly, two of the best instructors I had were teaching COBOL. Both of them clearly had decades of real-world experience under their belts and it showed in the classroom. They understood their material, they understood the pitfalls, and taught us how to work within the constraints of the language.
Getting back to Alice, he told me about an idea he once implemented to make it clear to other programmers that OO classes can be thought of as responsible agents. One of the first classes he wrote for his work was named the AuthenticationFairy.
Earlier in the week, I said that we wouldn’t be running an article this week because I was getting up to speed and didn’t have one ready yet. I was wrong…
It turns out that hidden way in the back, behind the camel chow and under the orbital death ray spare parts, we had an article that’s been waiting to run. Please enjoy the PHP Search Engine Showdown with our compliments.
It seems that Dell is scratching its head trying to figure out what it would take to get Linux on their desktop and laptop systems in order to meet customer demand (as hinted at on the DellIdeaStorm site). But I’m not convinced that preinstallation is what Linux customers really want from Dell or the other hardware vendors. Most experienced sysadmins have preferred distributions, application sets, and partitioning layouts, and it isn’t possible to provide a one-size-fits-all preinstall image. (This problem isn’t unique to Linux — most companies re-image their Windows systems to their liking). Furthermore, the rapid release rate of most distributions would make image preparation a continuous task for the hardware vendors.
What I think we really want is in-tree drivers. If a hardware vendor took pains to ensure that their product lines — or, perhaps, just their “Linux-ready” product line — incorporated only hardware for which there were drivers in the kernel tree (and/or drivers in the major hardware-dependent projects, such as X.org [video] or pam [biometrics & smart cards]), those systems would automatically be compatible with all of the major Linux distributions and would remain so for a reasonable length of time.
This would require the vendor’s systems to be built around established hardware for which drivers already exist, or drivers will need to be pushed into the kernel before the systems are shipped (which creates an interesting problem: how do you get many eyes looking at code for hardware that isn’t available? — but if we wait until the hardware is widely available, then Linux will never support the latest hardware. We may need to rething some of our procedures if we want to see broad support for new hardware in Linux). Of course, there is a third way: design new hardware to use existing protocols and interfaces, in the same way that HP SCSI scanners used a stable protocol for years, Postscript and HP PCL printers are (largely) backwards-compatible (for two decades!), and new USB 2.0 high speed flash drives can be successfully accessed by ancient USB 1.0 storage drivers. This requires good engineering (which is a good thing!).
If such systems were shipped with WhoCaresLinux X.Y.Z, we’d still be happy. We could easily install the latest Ubuntu/SUSE/Fedora/Debian/any distribution with confidence that it would run well.
What do you think: Would you be satisfied to know that a vendor’s system offerings were all covered by in-tree drivers, even if Linux was not preinstalled or the preinstalled distro was not the one you intended to use?
CodePlex is a Microsoft’s Open Source project hosting site. The source code is managed using a Microsoft Visual Studio Team Foundation Server. But, what if you want to use the site from a non-Windows workstation running,for example, Linux or Mac OS X? The answer appeared earlier this week in a Port 25 blog item titled…
Cross-Platform Access to Codeplex Compliments of our Friends at Teamprise
Teamprise is offering three tools to let you use CodePlex from a non-Windows platform. These tools are:
- Teamprise plug-in for Eclipse
- Teamprise Explorer (a stand alone GUI client)
- Teamprise Command Line Client
Will “Coke” Coleda released Parrot 0.4.10 on 20 March 2007. I’m particularly excited about this version because we finally have Parrot::Embed compiling and running (with the appropriate path setting for certain platforms) on multiple platforms.
Parrot::Embed allows you to use Parrot code in your Perl programs. Right now it supports basic subroutines (though multidispatch works on the Parrot side). Soon it will support Parrot objects.
Yes, there is a Ruby version in progress.
If there’s any interest, I’m happy to walk through the code or show examples of its use.
You may notice that no articles are going up this week on the ONLamp / Database / SysAdmin time-space continuum this week (at least I think there aren’t any, I’m still getting used to our content management system…) This is mostly due to me settling into my new job here, but rest assured there are plenty of articles in the pipeline, and you’ll be seeing two of them next week. Stephane Faroult will have the first half of an excellent piece on how to emulate Analytic Functions in MySQL, and Raju Varghese continues his look at how to visualize server log files using Gnuplot.
In addition, you may recall that I mentioned last week that there might be some new and fun things coming to ONLamp in the near future. In fact, the first of these has made significant progress over the last week, and is now looking likely to appear in mid-April, a weekly ONLamp-themed comic strip. If things continue to go as planned, I’ll be writing the strips and a good friend and outstanding comic book artist, Randy Silverman, will be doing the art. Look for some sneak peeks in the near future!
Initial response to my call for articles has been amazing, I already have several writers committed to upcoming features as a result. I’m still looking for more interesting writing, especially on the topics of Perl/PHP/Python/Ruby and Databases. This is a great way to get your name out into the world, and earn some money besides!
I’ll have some more geeky things to talk about later in the week, I’ve just returned from a 3 day corporate (day job, not O’Reilly) tech summit, and getting my bearings back.
Microsoft has taken an increasingly warm approach to open source. It’s not going to revolutionize the company tomorrow, but Bill Hilf and others are successfully nudging the company toward greater and greater experiments with open source.
Since the company will eventually get to an open source model, or die fighting it, I have some advice for Microsoft:
Go GPL.
This will sound ridiculous to those who don’t appreciate the nuances of the GPL, but the GPL is capitalism, pure and simple. It is the best way to benefit customers while inhibiting competitors, as I’ve argued before, which lends itself perfectly to Microsoft’s business. From my interview with Charlie Babcock:
If a competitor takes your code, modifies it and redistributes it, then the giveback provision reasserts itself….So your competitor will be required to give the originating company all the changes that its made.And the community that’s formed around the original GPL code will probably not assist the competitor with further improvements. But it will quickly assimilate a competitor’s changes, test them, modify and expand them and in general make life miserable for the competitor.
“With the GPL, you get the value of the changes back. You don’t get that with other licenses,” Asay notes. And if the original code supplier is on the ball, its going to move faster than any competitor can keep up.
“It’s produced the best open source companies on the planet–Red Hat, MySQL and JBoss. The GPL is best suited for commercial companies….” he says.
But more profoundly, the GPL enables a fundamental change between a software company and its customers that in the long run is going to give GPL companies immense staying power.
“The GPL aligns the company’s interest with the customer’s. It forces me to stop thinking of the relationship as ending when I ship a set of bits. Instead, that’s the start,” and the nature of the ongoing relationship is determined by the caliber of upgrades to those bits, the quality of technical support, the strength of the programming community that forms around the bits.
Isn’t this precisely where Microsoft competes? On the value of its ecosystem and the ability to deliver updates to customers? Why couldn’t Microsoft have essentially the same model (for enterprises) with GPL’d code as it does with its proprietary license?
It could. It should. Hopefully, it will.
Some open source licenses don’t readily lend themselves to commercial open source. Apache/BSD licensing, for example, is hard to monetize (directly). But the GPL is very easy to monetize directly: customers get the value they want and competitors are scared to touch it. Everyone (that matters) wins.
Microsoft needs to ditch its weird view on the GPL. It used to call it anti-American. It’s actually the exact opposite. It is the most American of open source licenses. Microsoft could embrace it and continue to pull in its billions…and what could be more American than crass materialism? :-)
This week on the Perl 6 mailing lists
“It seems you are presuming a Waterfall model of development here. We’re not doing the Waterfall, we’re doing the Whirlpool, where the strange attractor whirls around with feedback at many levels but eventually converges on something in the middle. In other words, a whirlpool sucks, but the trick is to position your whirlpool over your intended destination, and you’ll eventually get there, though perhaps a bit dizzier than you’d like.”
– Larry Wall, in ‘What criteria mark the closure of perl6 specification’
MIT Press released the book…
Perspectives on Free and Open Source Software (2005)
…as a free PDF. I just took a brief look into it. But, you gotta give credit to an academic oriented book (vs. pop book) that uses phrases like nerdish stereotype (p. 32) :-). There’s a section that starts on page 59 titled Comparison between Open Source and Closed Source Programming Incentives that I suspect will become required reading for the staff of Microsoft’s Open Source Lab.
I also hope that someone at the Lab takes a look at the document mentioned to on page 66 (An internal Microsoft document on open source (Valloppillil 1998) describes a number of pressures that limit the implementation of features of open source development within Microsoft.) and reflects on this nearly decade old point of view.
BTW, don’t assume that this book is some kind of FOSS cheerleader. Take a look at Chapter 4 written by Robert L. Glass who takes FOSS to task.
Martin Michlmayr is writing his PhD thesis about release management in large F/OSS projects. He’s published some of his findings:
- Introduction
- Project Summaries:
I’m curious to see his conclusions!
We had a situation come up at work the other day where we seemed to be receiving some spurious data from a data provider. The data providing process connects to one of our processes on some specific port and sends a relentless stream of data. Said spurious data uncovered a bug in our process which was causing it to die abnormally. My first action was to get tcpdump to show me what was going on. But the results were just wrong. I suspect the incorrect results I was seeing were caused by the antiquated version of tcpdump running on an antiquated FreeBSD machine and trying to view the results on Wireshark/Ethereal on a recent Ubuntu box.
So, I figured a logging proxy help. So I whipped one up using Twisted. It worked pretty well. I know I didn’t get everything right since I don’t regularly use Twisted. Basically, every connection that is made to the proxy from the data provider initiates a client connection to my server process. That connection also creates a log file on disk with a name that identifies where the connection came from. Each piece of data that is sent from the data provider is logged and forwarded on to my process. What it doesn’t handle properly is my process going down. I didn’t spend enough time to figure out exactly how to attach a reference to the server piece of the proxy onto the client piece.
Enter the recipe of the week. Just ten days ago, this excellent recipe was either submitted or updated (I can’t tell which). This recipe contains code for a proxy server which would fit my needs and log a hexdump of the received data. I haven’t tried it in the context of what I was trying to do, but given the testing I did with it, it looks like it would work quite nicely. The only thing I would change is the format of the logging. For my purposes, I’d still need to have a raw log of the transmitted data. But this is a great recipe that shows an example of a working proxy in Twisted.
Besides e-mail, the only real office document I ever use is a spreadsheet. I’m a very happy Gnumeric user. My needs are reasonably simple; I share spreadsheets with Excel users and rely on some formulas.
It may not seem like an elaborate or flashy feature, but Gnumeric just works for what I need it to do. I’ve never had a problem reading or saving spreadsheets in formats that non-Gnumeric users can read. It works almost transparently, and the only reason I think about how often I use it is because I deliberately made a note of the applications I use the most.
There’s little better praise than “It works so well that I never think about it.” Thanks to all of the Gnumeric developers and contributors!
In what might be a minor move at any other company, Microsoft’s decision to move FoxPro to its CodePlex open source site is big news. And good news, too, in my opinion (one that I share with Jason Matusow, apparently.)
Why is it big news? An increasing number of companies have started to treat open source as a dumping ground for old, unwanted code. FoxPro certainly seems to fill that description, though not for existing customers that use it and rely on it. But this move is bigger than just one piece of code. It reflects, I believe, a shifting mindset within Microsoft.
No, it won’t be licensed under an OSI-approved (read: open source) license. It will be under one of Microsoft’s Shared Source licenses, as Mary Jo Foley points out. That’s OK, because I think this decision is less about open source and more about collaborative community development. Very few get this aspect of open source right, and I’m hoping that Microsoft will do better than many of the rest of us.
Microsoft, for all its faults, has traditionally understood the importance of developers better than most companies. Steve Ballmer’s famous developer dance is just one indication of this. To the extent that Microsoft can figure out the open source development model, and marry it with the passive-aggressive open source licensing model, it will win big in this new world of software.
Ian Murdock, founder of Debian announced today that he is joining Sun to “head up operating system platform strategy”.
Chris Travers, who wrote the recent Port 25 tutorial for installing PostgreSQL on Windows, is back again with a tutorial describing how to install MySQL on Windows Vista. You can find the paper linked in a Port 25 blog entry from Jamie Cannon at titled…
MySQL on Windows: Configuration & Install
Chris’ paper focuses on installing MySQL on Windows Vista because its new security features require a few tweaks to allow MySQL to install properly. The general information provided in the paper could also be applied to Windows Server, however.
Since it isn’t discussed in the paper, I thought I’d mention that MySQL comes in two flavors now: The Enterprise Edition appeared late last year (2006) and has a tiered pricing depending on the kind of support desired. The Community Edition is still a free download. However, the two editions have forked in a way that appears similar to the relationship between Red Hat Enterprise Edition (RHEL) and Fedora Core.
MySQL Enterprise Edition is the version MySQL recommends for use with mission critical applications. It is said to be more stable and will have minor point releases available as a binary download for the various supported platforms.
MySQL Community Edition does not have formal support options from MySQL. It will include new features before the Enterprise Edition and can be, I guess, considered be the testing ground version. Binary ready to run installation files will only be released twice a year for this version.
The two versions will converge about every 18 months and then fork again for the next round.
I used to install/upgrade MySQL using the RPM releases from MySQL. However, since the code was forked, I have been installing MySQL for Linux from source code which is released for every minor point version. One minor issue on the Linux side of the world is that the RPM installer assumes the socket file is located at /var/lib/mysql/mysql.sock while the source code version points to /tmp/mysql.sock. Tweaking the my.cnf file for MySQL and php.ini for PHP takes care of this from a LAMP point of view. I haven’t tried to build from source for Microsoft Windows.
Looking at
Chris Shiflett has revealed that Amazon is susceptible to a XSRF vulnerability. He contacted them about this a whole year ago, but they haven’t fixed it:
I feel like Amazon has exploited my cooperative behavior and placed me in a moral dilemma. In fact, at this point, I feel like I’ve already done the wrong thing by withholding this information for so long. The silence ends today.
The vulnerability in question is a XSRF (also see my post The Unfortunate Prevalence of Cross Site Request Forgery Vulnerabilities) that allows a malicious website to add items to your shopping cart. Shiflett has put up a temporary demonstration of the issue.
Given the sheer simplicity of the attack, Shiflett goes on to state:
There’s nothing particularly sophisticated about this attack, so I feel confident that someone else has discovered it by now, and as a user of Amazon myself, I’m not comfortable with that.
I agree in full. Amazon has had a whole year to fix this vulnerability. As a fellow Amazon user, and as an advocate of responsible disclosure, I support and applaud Shiflett’s decision to go public with this issue.
Steve Loughran’s How to Own an OSS Project, part 1 and especially How to Own an OSS Project, part 2 bring up the always-relevant issues of security, transparency, and trust. In particular, the second entry asks a most insightful question: how can you trust the documentation?
It doesn’t help when the documentation suggests outdated practices which are, at best, dangerous and, at worst, completely wrong. (I’ve patched a few of these in Perl 5, myself.) Add to that active malice, such as a recent dangerous answer to a novice question in comp.lang.lisp, or running obfuscated code outside of a locked-down sandbox, and it’s almost a wonder there aren’t more security problems related to source code posted on the Internet.