May 2008 Archives

Matthew Russell

On a recent consulting gig, a client had the requirement that a JavaScript deliverable needed to run in a self-enclosed script tag that would be arbitrarily placed within the body of a page. In other words, I needed to deliver a JavaScript file such that the following code snippet would work:


<!-- somewhere in the page... -->
<div id="specialContainer">
    <script type="text/javascript" src="foo.js"></script>
</div>
<!-- ... -->

So, in the end, it’s a pretty routine chore. A special container needs to exist at an arbitrary place in the page, the self-enclosed script tag will do some DOM building within it, and all of the magic happens therein. Well, hopefully, it goes without saying that I wanted to streamline the time it took me to complete this task with the help of Dojo.

Todd Ogasawara

Microsoft’s Patch Tuesday will be upon us soon, patching 3 critical and 1 moderate security problems. Security issues aren’t just a problem for Microsoft software, of course. And, I recently learned about…

oCERT: Open Source Computer Emergency Response Team

…which describes itself like this…

The oCERT project is a public effort providing security handling support to Open Source projects affected by security incidents or vulnerabilities, just like national CERTs offer services for their respective countries.

There doesn’t seem to be a lot there yet (only 4 advisories posted so far, the last on April 17). But, I hope oCERT will become a good resource for those of us who deploy a lot of Open Source applications.

Port 25 Security Related Blog items

Okay, actually, there are a number of virtualization options not listed in the title, but the one nobody seems to be talking much about is Sun’s xVM VirtualBox. But, wait! you say, Sun begs to differ: “Sun xVM VirtualBox software is the world’s most popular open source virtualization platform because of its fast performance, ease of use, rich functionality, and modular design.”

Some cool features of VirtualBox include:

• Seamless windows - rather than a whole desktop environment, just the guest application windows can co-exist alongside native host applications.
• Shared Folders - easily move documents and files between the host and guest systems.
• Mouse pointer integration - it just works how you’d expect it to.
• Dynamically adjustable screen resolution in the guest.
• Time Synchronization.
• Shared clipboard.

A lot of that is available elsewhere (e.g., time sync and shared folders), but seamless windows is a nice touch.
AND, VirtualBox is open source!

Do check it out.

Doug Hellmann

The heapq module implements a min-heap sort algorithm suitable for use with Python’s lists.

Todd Ogasawara

There’s an interesting four page PDF file that appeared recently on the Microsoft downloads site titled…

Open Source at Microsoft CodeBox: Bringing the Open Source Approach In-House

It answers the question: Could the community and collaborative concepts that underlie open source projects be applied internally to Microsoft product engineering?

CodeBox is a software development environment that was developed as an internal tool to help Microsoft apply the Open Source software development model internally. It gives Microsoft’s programmers an internal tool to manage shared code.

Noah Gift

If anyone is interested in a great Google App Engine project, I would love to see a community blog/speaker registration tool. Jeff Rush mentioned something like this a couple of PyCons ago, but now the technology is available for free with Google App Engine. Basically, it would be cool to have a Google App Engine app that allowed organizers to book meetings and plan them, then post about the meetings, and finally “book” speakers who happen to be traveling to that city.

Currently there is this blog, but I find it difficult to post the data there, plus our meetup site, plus by email…etc. Making this process easier would be awesome.

On a side note, is there a chart somewhere that shows which open source web application components are working on Google App Engine and which aren’t? For example:

Templates:

Genshi
Django
Mako

URL:

blah

Frameworks:

blah

chromatic

I like numbers. They can mean a lot of things.

Rather than continuing silly arguments over obfuscated and flawed measurements of “language popularity”, perhaps a better way of measuring the viability of a language or platform is to measure the freshness of its ecosystem.

LaPerla’s How Fresh is the CPAN? measures the upload dates of one of the world’s largest and most active repositories of free software. Of the 12,000 (or is it 14,000 now?) distributions on the CPAN, 25% have a most recent upload date of February 2008 or newer. Half have an upload date of 2007 or newer.

You don’t get those kinds of statistics by putting “Ruby Programming” into Google and pretending the results are meaningful.

If you are at all familiar with the UNIX or Linux world, you will know about the Pluggable Authentication Module (PAM) functionality. Essentially, PAM is a highly extensible login framework for authenticating and authorizing a user for access to a server. Prior to PAM, most logins worked directly against the local /etc/passwd database, but with PAM, users are authenticated against the PAM library, which in turn relies on a series of “modules” (surprise!) that return a Yes/No response. On many UNIX and Linux boxes, PAM still relies on /etc/passwd, but it doesn’t have to—and often doesn’t. For example, LDAP is quite often supported for authentication, and this is done by simply adding the right LDAP module to your PAM configuration.

Yawn.

Well, it is all very cool actually, but it is old news in the UNIX world.

Now, Windows has supported this, kind of, a little bit, with GINA and GINA chaining and what-have-you, but it is really JUST NOT DONE. In addition, the GINA chaining concept is rarely if ever used. (I have heard because of reliability issues.)

However, Vista now supports a new model known as Credential Provider, which is deceptively like… PAM! Well, cool. (And they say Microsoft doesn’t learn!)

Anyway, I suggest you take a look at this as it’s all very nifty stuff:

Windows Vista Sample Credential Providers Overview

Credential Provider Samples

New Authentication Functionality in Windows Vista

Todd Ogasawara

OK, I know this is NOT the Inside MySQL blog area. But, MySQL is the “M” in both LAMP and WAMP. And, as one of the people who wasn’t very happy with MySQL’s decision to close source parts of the upcoming MySQL 6.0, I thought I should help spread the good news announced by MySQL’s VP for Community Relations - Kaj Arnö:

MySQL Server is Open Source, even Backup extensions

His six main points are:

- MySQL Server is and will always remain fully functional and open source
- MySQL Connectors will be open source
- The main storage engines will be open source
- MySQL 6.0’s pending backup functionality will be open source
- The MyISAM driver for MySQL Backup will be open source, and
- The encryption and compression backup features will be open source

FYI: MySQL related blog posts on Port 25

Mike Hendrickson

The third Ignite Boston will be on Thursday, May 29, from 6 to 10pm at Tommy Doyle’s in Harvard Square, Cambridge, MA. This time, we’re using two floors at Tommy Doyle’s, so the acoustics will be better than our first event there. From 6-6:45 pm, mingle and talk tech with your fellow FOOs, alpha geeks, and techies from the greater Boston area. After the mingling and social stuff, we’ll have a couple of special keynote presentations by Jonathan Zdziarski of iPhone notoriety and John Viega of Security notoriety to kick off our Ignite talks. Then, onto guest speakers who’ll catch you up on the cool, new, innovative stuff going on in technology today. Don’t blink or you’ll miss their lightning-fast, five-minute presentations. During intermissions, get a cold beer and chat with speakers, sponsors, and O’Reilly’s own editors. Join us Thursday, May 29, for a fun, energetic evening of talking, learning, collaborating and drinking!

Check out the events and activities of our previous Ignite events.

RSVP: If you plan to attend, email IgniteBoston at oreilly dot com for the chance to win $300 worth of O’Reilly books of your choosing. You must be present to win. There will likely be other items like tee-shirts and other promo items for those who alert us ahead that they plan to attend.

Presentation Guidelines

Ignite is a user-generated event. If you’re interested in speaking, then submit a proposal for consideration.

Presentations must:

  • Be no longer than 5 minutes
  • Be on an innovative topic (no sales pitches, please!)
  • Be viewable on a PC [a MacBook Pro with Powerpoint and Keynote, and PDF] with standard AV equipment
  • Did we mention, no Sales Pitches.

Noah Gift

Here is a Google App Engine application I wrote for an upcoming PyAtl talk and an upcoming O’Reilly online article: http://greedycoin.appspot.com/

Quick notes: Really liking the datastore API. I also liked the Django templates even though I haven’t touched them in over a year and a half. I am looking for Google App Engine consulting or contract work… anyone.. anyone :)

Andy Lester

(Cross-posted from perlbuzz.com)

Selena Deckelmann has come back from BarCampPortland with copies of every Post-It on the topic selection board. The topic selection board at an unconference like a BarCamp is where people write on a Post-It a topic they’d like to see presented, and put it on a board for all to see. Whichever topics people vote for are the topics that are presented.

Scanning through the photoset on Flickr is fascinating, as these often are. Topics range from Pirates Paying Artists to WordPress as CMS to How to lie with statistics to Should we replace Congress with a wiki?

Also fascinating to see how widespread Twitter has become, with half the Post-Its leaving @usernames as contact information.

Makes me want to start up a Bar Camp Chicago. And move to Portland.

Todd Ogasawara

Michael Desmond raises an interesting point in an article in Redmond Developer News…

Open Source and .NET

Desmond acknowledges the IronPython/IronRuby work as well as Microsoft working with Zend on PHP and FastCGI. He quotes DotNetNuke’s Bill Walker who told him: Case studies could be sponsored, articles could be included in Microsoft magazines, etc. We have people … who still believe DotNetNuke and other .NET open source software is for the hobbyist set only. Desmond closes by asking: Should Microsoft be doing more to make open source development a first-class citizen in the .NET space?

The answer, IMHO, is definitely yes. I’d like to see, for example, Microsoft’s Port 25 site reach out to various Windows related Open Source project team members to highlight them and their projects. Three that come to mind right away are: OpenNETCF (Windows Mobile and Embedded development), MindTouch Deki Wiki, and SharpDevelop (free IDE for C#, VB.NET and Boo).

And, of course, there is always a lot to say about the better known Open Source projects like Apache httpd, Apache Tomcat, and Eclipse. Let the folks at Port 25 know what Open Source projects related to the Microsoft Windows platform you would like to read more about.

Noah Gift

I thought I would point out that the full length version of our exclusive Video Interview with Mark Shuttleworth is now available. Originally we had a very short version that was posted, but now you can watch it all here.

Jeremy and I are on camera for only a few seconds at most, I promise, but the approximately 20 minute interview is truly incredible, and inspirational, if you haven’t watched it.

chromatic

Patrick Michaud gave a Rakudo Perl talk to the Dallas/Fort Worth Perl Mongers last month. These slides are a great overview of the current status of Parrot’s Compiler Toolkit and Rakudo Perl 6.

Of particular note is Effectiveness of the Parrot Compiler Toolkit, which suggests that an initial port of Python 2.5 to Parrot took six hours and a port of LOLCODE took four hours. These are powerful tools, and they’re only getting more so.

Doug Hellmann

The cmd module contains a base class for creating command interpreters.

Todd Ogasawara

If there is one Microsoft product that openly gets inspiration from and gives credit to UNIX and GNU Linux/Open Source, it is Microsoft PowerShell.

How open source has influenced Windows Server 2008

The PowerShell team is at the Microsoft Management Summit (MMS) in Las Vegas this week. And, they posted the PowerPoint 2007 slide deck for a peek at PowerShell V2 on their blog…

MMS: What’s Coming In PowerShell V2

I’m not at the MMS. So, I didn’t see the presentation. However, the slide deck (downloadable from the blog entry linked above) lists four main topic areas (labeled Themes in the slides):

1. GUI over PowerShell
2. Production Scripting
3. Universal Code Execution Model
4. Community Feedback

In the Linux world, I’ve been asking people to use Python or Ruby instead of Bash scripts so that we don’t have to refactor from one more basic scripting language (say Bash) to a more sophisticated object oriented dynamic language (say Python or Ruby). In the Windows world, the jump has been from DOS batch language to Windows scripting (which I never liked) or Visual Basic/C#. That’s not really an option at all IMHO. PowerShell, on the other hand, brings Windows into the 21st century for system administrators who may not come from a deep software development background. It gives them a first class language and .Net citizen as an alternative to DOS batch (I hesitate to call it a language).

Though PowerShell still seems to have a strange look to it from my point of view, its ability to deal directly with .Net objects gives it the ability to more easily deal with systems level information than we have on Linux with even high-level dynamic languages like Python and Ruby.

Me? I’m still waiting for a binary ready-to-install IronRuby to test with Windows Server 2008 :-)

I was just reading Michael Mimoso’s account of a new MS-SQL injection attack that is making the rounds. Sigh.

The funny thing is that I was just talking to one of our consultants here at Puryear IT about… SQL injection attacks. He was working on something involving MS-SQL, and commented that MS-SQL did not properly handle dangerous code in comments in SQL code, which made it possible to attack the SQL server if security was not properly set up. Then I found that blog. Good times.

Anyway, SQL injection attacks aren’t specific to MS-SQL. Almost every database server is susceptible to them, not because of the RDBMS itself, but usually because of:

• The fact that the RDBMS was not properly configured and secured.
• Applications, especially web applications, do a horrible job of checking for sane SQL statements.

There are a few ways to help yourself right out of the box, of course. For one, using prepared statements and relying on a properly designed database library in your code helps. For example, instead of using something like:

my $input = $cgi->param('col2');   # untrusted value straight from the user ($cgi is a CGI object, $dbh a DBI handle)
# The user's text is interpolated into the SQL itself, so it can change the shape of the query.
my $rows = $dbh->selectall_arrayref("SELECT col1 FROM table1 WHERE col2 = '$input'");

You should be preparing the statement and relying more on your SQL library to reject any odd input, like so:

my $input = $cgi->param('col2');   # untrusted value straight from the user
# The ? placeholder keeps the query text fixed; DBI passes $input as a separate bound value.
my $sth = $dbh->prepare('SELECT col1 FROM table1 WHERE col2 = ?');
$sth->execute($input);

Generally, the latter form will allow you to not worry about escaping your input. (This is not always the case though, so consult the documentation for the SQL library you are using!) That said, it still makes sense to check for anything overtly dangerous in the user input.
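To make the difference between the two forms concrete, here is an added example (not code from the original post) using Python’s sqlite3 module and a constructed in-memory table standing in for table1; the table name, column names and sample rows are all assumptions. It shows the concatenated query returning rows it should not, the bound-parameter query treating the same input as a plain literal, and an allow-list check of the kind the paragraph above suggests keeping as an extra layer.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data: an in-memory SQLite table standing in for table1.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1 (col1 TEXT, col2 TEXT)")
    conn.executemany("INSERT INTO table1 VALUES (?, ?)",
                     [("alice-secret", "alice"), ("bob-secret", "bob")])
    return conn

def lookup_concatenated(conn, user_input):
    # Vulnerable form: the user's text is spliced into the SQL statement, so a
    # quote in the input can close the literal and rewrite the WHERE clause.
    sql = "SELECT col1 FROM table1 WHERE col2 = '" + user_input + "'"
    return sorted(row[0] for row in conn.execute(sql))

def lookup_prepared(conn, user_input):
    # Hardened form: the statement text is fixed and the value is bound to the
    # ? placeholder separately, so it can only ever be compared against col2.
    sql = "SELECT col1 FROM table1 WHERE col2 = ?"
    return sorted(row[0] for row in conn.execute(sql, (user_input,)))

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def is_plausible_username(user_input):
    # The extra input check the post recommends, done as an allow-list rather
    # than a search for "dangerous" characters: accept only short identifiers.
    return USERNAME_RE.fullmatch(user_input) is not None

if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed input of the kind used in injection attempts
    print(lookup_concatenated(conn, "alice"))   # ['alice-secret']
    print(lookup_concatenated(conn, crafted))   # ['alice-secret', 'bob-secret']: filter bypassed
    print(lookup_prepared(conn, crafted))       # []: compared literally, matches nothing
    print(is_plausible_username(crafted))       # False: rejected before reaching the database
```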

Anyway, back on the original blog entry, I found this pretty funny: ‘”They’re blindly tossing SQL injections at sites and getting a high success rate. They’re upping the game,” Grossman said. “This is a new level of sophistication.”’ There is nothing new or sophisticated about blindly running exploits against servers on the Internet. It is an old technique actually, and unfortunately, it’s always had a good rate of return.