May 2008 Archives

Andy Oram

Last Thursday’s Ignite Boston, which I wrote up in a previous blog, provided an unexpected mirror in which two opposing views shone on each other, each view provided by one of the two keynotes, by John Viega and Jonathan Zdziarski.

Both Viega and Zdziarski are security experts and authors of books by O’Reilly and other publishers. Viega used the bully pulpit for an entreaty against the “full disclosure” philosophy, a fundamental article in the open source catechism. Zdziarski, who had not consulted with Viega beforehand, endorsed full disclosure whole-heartedly and with a doggedly pragmatic intent. The context for Zdziarski’s approach is the Apple iPhone, which has security vulnerabilities that, in his experience, Apple doesn’t fix until they’re made embarrassingly public.

Today Zdziarski sent me a long and frightening article from the National Journal about the threat of cyberwar. Although the basic premises in the article have been circulating for years, many of the details were new to me. And despite the focus of the title on China, the article makes it clear that governments as well as individuals (the “cyber-militia”) are engaging in disruptive behavior around the world. In fact, the article cites worries about what may be happening in the NSA.

It seems to me that the National Journal article provides more fodder for Viega than Zdziarski. Viega insisted that the black hats planning DDoS attacks and identity theft aren’t as smart as they are commonly made out to be. They couldn’t create as much havoc if they had to rely only on the vulnerabilities they found themselves. They are helped immeasurably, he said, by the revelations of vulnerabilities in major software products by people with no malicious intent. The worldwide database of known vulnerabilities is swelled by individuals trying to show off their technical chops, and by companies in the security business trying to demonstrate the indispensability of their products.

So long as software vendors are slow to fix bugs, full disclosure has to be an option, a kind of last resort, and I think Viega allowed for this. Open source projects have to promote a sense of responsibility among contributors to be discreet in reporting bugs with security implications. Perhaps it doesn’t matter much anyway, because most people keep using unpatched versions of software long after fixes come out.

chromatic

Giles Bowkett’s Never Hate. Only Destroy. (disclosure: contains language your local third graders probably use and your work filter might block as inappropriate) contains a side point which crystallized something I’ve pondered for several weeks:

The whole point of the Cory Doctorow Problem is that the fundamental assumption with Internet celebrities - that a very smart person will always be interesting - is false…. What irritates me is essentially a search failure; I can seek excellent insight on social software and end up reading pointless trivia about a corporate amusement park filled with plastic birds on plastic trees.

This is my problem with current social networks as well. Your information is either public or it’s not. You’re either connected to someone or you’re not. There’s little to no sense of context.

Todd Ogasawara

Microsoft’s Port 25 has a blog entry…

Technical Analysis: VIM, PowerShell and Signed Code

…pointing to an 8-page PDF with detailed instructions for installing a PowerShell syntax file for the Vim editor. The paper also has a section discussing how to deal with code signing (digital signatures) when editing PowerShell scripts using Vim.

You can find more information about PowerShell here.

This Vim/PowerShell document was written by Chris Travers who does his usual excellent job of explaining how to use Open Source tools in a Windows environment.

As an aside, as a daily vi user, even I’m not sure why I prefer vi/vim to many fancier editors with all kinds of features. I think it basically comes down to speed and finger muscle memory after all these decades of vi use :-)

chromatic

Yesterday’s How to Patch Perl 5 explained the big picture of how to add a new feature to a dynamic language with a virtual machine. Now it’s time to discuss the technical details.

Doug Hellmann

Jesse Noller is championing the addition of the processing module to the standard library. We’re making extensive use of processing at work now, so I can say it is an extremely simple API for spawning and managing tasks in the background. Passing data between processes using the processing library is as easy as with standard threads.

As I have written before, I’m excited about this library and I’m looking forward to having it available everywhere without any extra effort on our part.

chromatic

Perl 5 change #33858 adds three new features from Perl 6 to Perl 5.12. With recent interest in implementations of dynamic languages on various virtual machines, I thought it interesting to discuss how a feature comes about and how it works — even if you’re a very happy user of Perl or another dynamic language with no desire ever to look inside your favorite implementation, the details can be enlightening.

Here’s how it happened.

Todd Ogasawara

If you are interested in tracking IronRuby’s progress, John Lam’s blog is NOT the place to look these days. The place to look for IronRuby progress information is his Twitter account: John_Lam.

The apparent need people have for up-to-the-minute updates on information of all kinds has pushed us from articles on websites to blogs and now to micro-blog-presence type services like Twitter.

You can find regular blog-sized Ruby and IronRuby items on…

Port 25 Ruby Blog Items

And, I just created a separate Twitter account for posting tech items that interest me (Open Source, Microsoft, Apple Mac OS X, mobile technology, green IT, etc.) at… toddogasawara

Matthew Russell

Although cookies almost seem like a prehistoric concept in web development, they’re a well-understood commodity that still serves useful purposes. As such, I wanted to write up a quick column that demonstrates a common pattern involving cookies and JSON that you may find useful from time to time.

Doug Hellmann

The contextlib module contains utilities for working with context managers and the with statement.

I just saw a note that yet another VAR is offering Open-Xchange to its clients. Not a big story, but it did get me thinking about the current marketplace for open source Exchange replacements.

Let’s keep in mind that the “open source” market for Exchange replacements is actually a tad on the muddy side. Most of the replacements are more about being free, to some extent, than completely open source, e.g., Zimbra is MOSTLY open source, but the commercially licensed software does come with software that is not exactly open. Ditto for Scalix and a few others.

So maybe we should just consider Exchange replacements. Off the top of my head, we have:

Zimbra
Scalix
Open-Xchange
OSER

OSER you say? Well, that’s new to me too! I just found it via a Google search. OSER is the “Open Source Exchange Replacement Platform” (I don’t think “Platform” made it into the acronym).

Hmm, getting back to “open source”, how should we define “open source Exchange replacement”? Here are my thoughts:

First, if it’s an “Exchange replacement”, it must support Outlook and Outlook functionality. Otherwise, it’s not an “Exchange replacement”. It may be a groupware solution, but it’s not replacing Exchange. So, to me, this takes out mixed licensed applications such as Zimbra. Zimbra is an open source groupware application, but not an open source Exchange replacement. You don’t get the source code to what makes Zimbra an “Exchange replacement”. This goes for anyone that doesn’t offer the source code to their Outlook connector IMHO.

Second, well, that’s it really.

We have a good market for open source groupware, but not so much for open source Exchange replacements.

I think the point to take home here is that there really aren’t many players that are truly offering an open source Exchange replacement, but there are many players that offer an open source groupware framework and that offer closed source Exchange functionality that makes them a true “Exchange replacement”.

P.S. Yes, I like Zimbra.

Todd Ogasawara

Microsoft provides a free set of entry-level developer tools called Visual Studio 2008 Express Editions. However, as far as I can tell, out of the box they do not support the languages I tend to use: PHP and Ruby (and I have started to refresh my Python memory recently). Eclipse never appealed to me (never liked the UI and workflow). So, I took a look at NetBeans IDE 6.1 for the first time earlier this month. There’s a big 183MB installer for Windows that supports Java, C/C++, and Ruby, as well as a smaller 16MB Early Access for PHP plugin. I tried out the PHP edition and was surprised how fast it was (compared to my Eclipse experience on the same Core 2 Duo notebook running Windows Vista) and how well it seemed to work with PHP code. The fact that I liked what I saw in NetBeans IDE 6.1 surprised me since I tend to be old school and use vi or nedit when working on a Linux system.

It got me thinking though that Microsoft should provide some resources to the Visual Studio team to develop a Visual Studio Express Edition for IronPython and IronRuby.

chromatic

The ever-creative Wade Olson (of KDE fame) tells an interesting story of immediately losing interest in otherwise-interesting hardware due to “Intellectual Property” protections. He caught himself going from caring to not caring in the time it took to read the phrase “Don’t expect Linux support anytime soon.” His conclusion is:

Vendors need to beware: Intellectual Property gains, once thought to be a Competitive Advantage, will continually over time become a negative branding attribute.

I’ve noticed this myself. I don’t particularly care what Microsoft does, what NVidia does, or what Adobe does. Their products don’t really matter to me when I can use other products without giving up freedoms I consider essential.

Have you had similar experiences?

Matthew Russell

As I put the final touches on my upcoming book, Dojo: The Definitive Guide, it occurred to me that it might be a good idea to go ahead and post an unofficial table of contents preview for those of you who are interested. Aside from some page numbers adjusting ever so slightly, and some heading levels changing that make Chapter 13’s table of contents entry a lot more detailed (ironically, the most dense chapter in the book), this is pretty much the real deal.

As far as I know, the book will be available early next month. I plan to continue writing my “Dojo Goodness” column semi-regularly for quite some time, so be sure to check in every now and then if you’ve been following along.

If you’ll be at OSCON, you might also drop by for some gfx discussion.

Without further ado:

Preface

Part I: Base and Core

1. Toolkit Overview 3
Overview of Dojo’s Architecture 3
Prepping for Development 7
Terminology 13
Bootstrapping 15
Exploring Dojo with Firebug 22
Summary 32

2. Language and Browser Utilities 33
Looking Up DOM Nodes 33
Type Checking 34
String Utilities 35
Array Processing 36
Managing Source Code with Modules 40
JavaScript Object Utilities 49
Manipulating Object Context 53
DOM Utilities 56
Browser Utilities 63
Summary 67

3. Event Listeners and Pub/Sub Communication 68
Event and Keyboard Normalization 68
Event Listeners 71
Publish/Subscribe Communication 77
Summary 80

4. AJAX and Server Communication 82
Quick Overview of AJAX 82
AJAX Made Easy 84
Deferreds 91
Form and HTTP Utilities 100
Cross-Site Scripting with JSON-P 102
Core IO 103
JSON Remote Procedure Calls 112
OpenAjax Hub 114
Summary 115

5. Node Manipulation 116
Query: One Size Fits All 116
NodeList 123
Creating NodeList Extensions 132
Behavior 133
Summary 137

6. Internationalization (i18n) 138
Introduction 138
Internationalizing a Module 139
Dates, Numbers, and Currency 142
Summary 145

7. Drag and Drop 146
Dragging 146
Dropping 157
Summary 167

8. Animation and Special Effects 168
Animation 168
Core fx 182
Animation + Drag and Drop = Fun! 189
Colors 190
Summary 198

9. Data Abstraction 200
Shifting the Data Paradigm 200
Data API Overview 201
The APIs 202
Core Implementations of Data APIs 208
Summary 224

10. Simulated Classes and Inheritance 226
JavaScript Is Not Java 226
One Problem, Many Solutions 227
Simulating Classes with Dojo 231
Multiply Inheriting with Mixins 240
Summary 244

Part II: Dijit and Util

11. Dijit Overview 249
Motivation for Dijit 249
Accessibility (a11y) 252
Dijit for Designers 255
The Parser 260
Hands-on Dijit with NumberSpinner 264
Overview of Stock Dijits 270
Dijit API Drive-By 274
Summary 275

12. Dijit Anatomy and Lifecycle 276
Dijit Anatomy 276
Dijit Lifecycle Methods 279
Your First Dijit: HelloWorld 286
Parent-Child Relationships with _Container and _Contained 297
Rapidly Prototyping Widgets in Markup 298
Summary 299

13. Form Widgets 301
Drive-By Form Review 301
Form Dijits 305
Summary 343

14. Layout Widgets 345
Layout Dijit Commonalities 345
ContentPane 347
BorderContainer 351
StackContainer 356
TabContainer 358
AccordionContainer 360
Rendering and Visibility Considerations 362
Summary 363

15. Application Widgets 364
Tooltip 364
Dialog Widgets 365
ProgressBar 369
ColorPalette 371
Toolbar 372
Menu 376
TitlePane 379
InlineEditBox 380
Tree 382
Editor 394
Summary 400

16. Build Tools, Testing, and Production Considerations 401
Building 401
Dojo Objective Harness (DOH) 411
Browser-Based Test Harness 416
Performance Considerations 420
Summary 422

Appendix A. Firebug Primer 423
Appendix B. Brief Survey of DojoX 434
Index 437

Speaking of VirtualBox (yes, I actually spoke about it here), Jason Perlow just wrote a good review of the two in his blog.

I’ll be honest—and a little embarrassed—I didn’t even know about VirtualBox until last month. And when I read Jason’s blog just now I turned over to one of the guys here and he didn’t even know about VirtualBox (apparently my consultants don’t read my blog, I should work on that).
VirtualBox is getting cooler and cooler in my eyes. And the fact that it runs on more platforms than VMware does is even cooler.

I have a feeling that VirtualBox is going to bust out pretty soon on the commercial scene in some way or another, probably via a third-party developer that releases enterprise-grade management and deployment tools.

Hmmm…

chromatic

You know the drill by now. You can read the Parrot 0.6.2 release announcement on your own.

User-visible improvements include a tremendous amount of progress in Rakudo (Perl 6 on Parrot), including better object orientation, placeholder variables, and type checking. Much of this progress is due to two grants, one from the Mozilla Foundation for Patrick Michaud and the other from the Vienna Perl Mongers to Jonathan Worthington. By next month’s release, Rakudo very well may be mature enough that you can use it for your own projects. (IO needs a little work right now, and there are a couple of variable handling and assignment features in progress, but it’s very close.)

Other changes include tremendous improvements in performance (I doubled the speed of some long-running benchmarks) even without building an optimized build – but optimized builds work even faster now. There are also new OpenGL bindings in progress (and you can make and animate pretty pictures) now, as well as a resurrected Cardinal (Ruby on Parrot).

If we’re very fortunate, Rakudo and perhaps Cardinal will be able to use the SDL and OpenGL bindings by the next release.

Finally, the tutorial language Squaak (see Building a Compiler with Parrot Tutorial or the Squaak Tutorial wikibook) is now in the repository, so if you’ve ever dreamed of writing your own language, you can well and truly get started in an afternoon without diving into lex and yacc.

Todd Ogasawara

Information Week published the results of its survey of 536 business technology professionals asking questions surrounding the general question of…

How Open Is Microsoft?

The results might surprise some of you. For example, three years ago, 53% surveyed said Microsoft was not open at all. That number dropped to 19% in this year’s survey.

IW also provides Microsoft with what they call their put up or shut up list consisting of:

* Reveal the patents allegedly being violated by open source products.
* Dedicate developers to open source projects such as OpenPegasus (management software) and Python (programming language) and make contributions that go beyond those serving its own interests.
* Support SVG, ECMAScript, and other key Web standards in IE 8.0.
* Work with IBM and Sun Microsystems to unify ODF and Open XML and make ODF-Open XML interoperability a native feature in Office.
* Fund and operate a joint interoperability lab with the Linux Foundation.
* Reduce or eliminate protocol patent license fees for common services like printing and file replication.
* Adopt open source practices, such as community input and development, for the .Net Framework and Silverlight.
* Demonstrate transparency by providing more information about what comes next in Windows 7.

To this list, I’ll add my annual plea to Microsoft to Open Source what might be the best stable lightweight operating system ever developed: Windows 98 Second Edition (SE). It could easily be embedded in 64MB (or less) of firmware, run lightning fast with slow processors (by today’s standards), and had great hardware driver support. The Asus Eee PC hardware configuration would actually be overkill for Windows 98SE. And, I believe much of modern malware would not affect it. Once Open Sourced, it could probably be secured relatively easily by the talented FOSS programmer community.

brian d foy

I’ll be at the Portuguese Perl Workshop on June 6-7.

Before the conference, I’m also giving Stonehenge’s “Intermediate Perl” master class on June 4-5. The master class format is a two-day, low-cost format that allows the trainer to attend the conference. For the Portuguese Perl Workshop, the two-day class includes the workshop registration fee and costs €200. Students get a special price of €100. You can register for the class at the same time you register for the workshop.

I’m also giving one of the keynote addresses on “Why People are Passionate About Perl”. This time around, I’m soliciting comments from people on their own versions of “Why I am Passionate About Perl”. If you’d like to participate, post your version somewhere. You can send me a link if you like, but I’ll also try to track down the posts through Google.

There’s really nothing special about Perl and passion, so the exercise might be useful for other languages too. If you’re passionate about another language, just adjust the title. :)

Okay, this is pretty damn funny: Open Source in 2013.

My favorite line:

Americans, who through no fault of their own, lost jobs due to the closing of Microsoft they once believed were theirs for life, are assisted by the Linux Foundation’s worker retraining programs.

Todd Ogasawara

Information Week published the results of Q&A sessions with Microsoft’s Sam Ramji (senior director of platform strategy) and Tom Robertson (general manager of standards and interoperability).

Microsoft Open Source, Standards Chiefs Tout ‘Openness’

Here’s a sample of the questions Information Week asked:


  • How do you approach people to work out cross-licensing or interoperability deals between Microsoft and the open source community?
  • How much of this recent public push towards “openness” is about the realities of the Web and of the emergence of open source as a viable model versus something else? The people that you need to convince, they’re going to be skeptical.
  • How do you convince people that Microsoft is no longer just creating de facto standards over time? That’s an argument that you’ve had to make over and over again as recently as Open XML.
  • Are there certain thoughts about, here are the things we develop in an open source model versus a shared source model versus keeping it all proprietary?
  • So how do you address the “distinction between popular perception and the reactions of leaders of open source communities,” as Sam put it? How do you go about changing the minds of those who think Microsoft will always be about ‘embrace, extend, extinguish’?
  • Does Microsoft need to make its specs explicitly usable with the GPL? Why or why not?

Sam Ramji’s Port 25 blog posts

Ming Chow

Course website: http://www.cs.tufts.edu/comp/50GD

I just finished teaching my game development course at Tufts University. The first time I taught this course back in 2006 went extremely well. I continued to use Java for the programming aspects of my course. Most of the syllabus remained the same, but the 3D component of the class was vastly different, namely:

Both changes worked out extremely well, and I did not encounter many problems. In the end, it was a very successful semester, and I cannot credit my students enough for what they accomplished. I thought my 2006 class was the best class that I had, but this year’s class went over-the-top. The expectations and aspirations of the students this year were ambitious, and they all delivered nicely.

I invite everyone to check out my students’ works at http://www.cs.tufts.edu/comp/50GD/students_works/. If you have some time to kill, feel free to play and hack some of the games. Two games you can definitely download and play with no code compilation: Barrel Blaster and Zapped! Barrel Blaster is Windows-only, a final project created with Multimedia Fusion Developer 2. Zapped! was written entirely in Java: its soundtrack was homemade, and it has a vast set of challenging levels. Just don’t get hit, that is the goal of the game! If you are a programmer, try out the CS3 game engine, a final project written in C++. If you have been curious about using LWJGL and jME, try Penelope, a StarFox clone. There are several cool and sophisticated action/adventure/RPG games: EquipmentQuest (RPG, Final Fantasy-like), Singularity (isometric tile), and Journey to the West (sidescroller). There is even a 2D fighter: Legendary Vaporware Forever. If you want to delve into Blender and all it can do, there are models and a demo of its game engine. One student managed to tinker with the new open source game project, Solis (a 2D action/adventure game a la Zelda), and created a new map based on the Tufts campus. Finally, my course notes and resources are available.

Everything is there for the taking: please feel free to use and distribute. There is something for everyone: from beginners to game hackers. I hope that this is valuable for hobbyists, game studios, and Computer Science departments that are interested in starting a course or a major in game development.

Doug Hellmann

The traceback module contains functions for producing error messages with stack traces.

A proposal to help editors work better with dynamic languages — by not pretending they are static, and by leveraging their unit tests.

As a test-driven developer working in dynamic languages, I am frequently disappointed by editors. The main thrust of editor research, for the past few decades, targets debugging static languages. This post suggests a very simple fix.

chromatic

I’ve spent several hours optimizing Parrot over the past few months. In particular, I’ve concentrated on the build process for Rakudo (Perl 6 on Parrot), as it exercises a lot of parts of Parrot. We don’t yet have accurate numbers on the improvements, but rough figures show that the parts of the build process I’ve optimized will be about twice as fast as they were three months ago, despite Rakudo having grown tremendously since then.

Some of this comes from luck, some comes from a deepening knowledge of Parrot internals, a lot of it comes thanks to Callgrind and KCacheGrind, and some of it is experience. My instincts are improving.

I just read a good article at TechRepublic about MySQL vs. Microsoft SQL. Overall, the article is pretty well-rounded. Good reading. (And short!)

The author based the review on several features, including:

• Licensing Cost
• Performance
• Replication
• Security
• Recovery

The final winner:

If you were hoping to get an ironclad recommendation that one database is better than the other, I’m going to disappoint you. From my point of view, any database that helps you do your job is a good database; one that doesn’t is a bad database. I can tell you that to make a good decision about which of SQL Server and MySQL will help you most, you’ll need to look beyond politics and hype and instead look at function and mission. What do you want to accomplish?

No surprise there of course.

What I did find interesting is that Sanders took the time to explain that MySQL is not free unless you are developing an open source application; otherwise you have to pay for it. Hmm, I have to admit I’m not 100% on the licensing terms for MySQL. Is this totally accurate? What if I’m developing a revenue-generating website on top of MySQL as the RDBMS? Does that mean I have to pay MySQL AB?

chromatic

For years, many people have argued that one of PHP’s big successes is deployment. The language has little to recommend it for anything beyond simple database-backed HTML templating, but there’s little easier than dropping a couple of .php files in a directory through FTP.

While there are still millions of wonderful (and ultimately unproductive) flamewars about how mod_php is faster than vanilla CGI Perl and Ruby uses too much memory and FastCGI is unstable and shared-everything on a monster JVM is obviously more scalable, none of that will ever matter to most of the deployed PHP code in the world today.

A Perlbuzz commenter named Yudel made the deployment/colonization point very clearly:

I still think in Perl, but as an only occasional programmer, I seldom find it the best tool for the job. The Perl community failed to successfully colonize the new ecosystems of programmers who don’t have root access. Simply asserting that PHP is linguistically inferior won’t convince anyone who has had to argue with a web hosting company about the load MovableType was placing on their servers.

mod_perl is great for what it does, but it’s clear that mod_perl isn’t what hosting providers most wanted. A slim Perl distribution — including perhaps a new Apache httpd module which only embeds Perl — with a good templating module, the DBI, and perhaps an XML parsing module or two could have put Perl on more $4.95/month hosting plans. The corollary to that of course is an easily installable bundle of Pure Perl for an application.

Sure, that doesn’t cover everything. You probably can’t get RT or Plagger or Angerwhale in such a system, but it’s a start.

Ceding the very low end of a technology to an upstart is just one of the ways to let disruptive innovation eat your lunch.

One flaw in this argument is that approximately zero webhosts supported Ruby before the Rails lovefest. As well, the Rails deployment strategy went through several iterations. Here’s the interesting point which subverts my argument somewhat: Rails hosting suddenly became lucrative enough that several Ruby-friendly hosts appeared.

I haven’t yet figured that out.

Todd Ogasawara

Miguel de Icaza announced the first public release of the Mono-based Moonlight for Linux. This supports Microsoft Silverlight 1.0 video playback, not the 2.0 version that includes a .Net Framework.

You can find the Moonlight website at:

http://www.mono-project.com/Moonlight

Other reference: Port 25 Moonlight blog entries

Nitesh Dhanjani

I recently communicated 3 security issues in the Safari browser to Apple.

Apple let me know that they will fix 1 of the issues I reported. I will not discuss the vulnerability Apple has promised to fix until they release the fix because it is a high risk issue affecting Safari on OSX and Windows.

I let Apple know that I’d like to discuss the 2 issues they won’t be fixing with the security community and they let me know they are fine with it.

Todd Ogasawara

I happened to come across this article in Redmond Developer News recently…

Redmond Among Contributors to Open Source PHP Framework

…about contributors to the Zend Framework. Among the many (400) contributors to the project are Google and Microsoft. It’s probably just me, but I found it amusing (in a good way) that the two arch-rivals contributed pieces to the same Open Source project.

The article goes on to describe how Microsoft sponsored work to enable InfoCard (now called CardSpace) support in a number of Open Source products including Zend and Ruby on Rails.

Andy Oram

Yesterday Google celebrated the opening of a larger Cambridge, Massachusetts office, which takes up a substantial part of a building right next to the Kendall/MIT subway stop in the higher-than-high tech area of East Cambridge. I got a look at their new Friend Connect service (covered in a related Radar blog) and heard some fascinating comments that the staff kindly let me reproduce here.

Google staff certainly know how to say the right things and react in ways I approve to the situations Google finds itself in. More and more people I know (including authors) are Google employees, which is statistically predictable because more and more people in general are Google employees. The Cambridge office has been growing wildly since it began with the purchase of the company that created Android. And this office is one of 45 Google offices around the world.

This raises the question of whether the empire can be supported through continued sales of advertising, and whether Google’s stated openness carries through to employee behavior on the ground. I explored these questions with managers and staff at

Matthew Russell

On a recent consulting gig, a client had the requirement that a JavaScript deliverable needed to run in a self-enclosed script tag that would be arbitrarily placed within the body of a page. In other words, I needed to deliver a JavaScript file such that the following code snippet would work:


<!-- somewhere in the page... -->
<div id="specialContainer">
    <script type="text/javascript" src="foo.js"></script>
</div>
<!-- ... -->

So, in the end, it’s a pretty routine chore. A special container needs to exist at an arbitrary place in the page, the self-enclosed script tag will do some DOM building within it, and all of the magic happens therein. Well, hopefully, it goes without saying that I wanted to streamline the time it took me to complete this task with the help of Dojo.
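The pattern described above, as an added example that is not code from the original post and uses plain DOM calls rather than the Dojo helpers the author mentions: a foo.js that locates its own script element, treats the parent element as its container, and builds its content with createElement and textContent so that any text it renders is inserted as inert text rather than parsed as markup. The function names, the SAMPLE_ITEMS data and the document-as-parameter shape are assumptions made for illustration.

```javascript
// foo.js: self-contained widget bootstrap (added example, not the original
// post's code). Functions take the document object as a parameter so the
// logic can be exercised with a document-like stub outside a browser.

// Locate the <script> element that is currently executing. A classic
// parser-inserted script runs synchronously, so while this code runs its
// own element is the last <script> in the document; modern browsers also
// expose it directly as document.currentScript.
function findOwnScript(doc) {
  if (doc.currentScript) {
    return doc.currentScript;
  }
  var scripts = doc.getElementsByTagName("script");
  return scripts.length ? scripts[scripts.length - 1] : null;
}

// The container is simply the parent of the script element, wherever the
// page author happened to drop the tag.
function findContainer(doc) {
  var script = findOwnScript(doc);
  return script ? script.parentNode : null;
}

// Build the widget's DOM inside the container. Text is assigned through
// textContent, not innerHTML, so items we did not author (user data, API
// responses) cannot introduce markup or script into the page.
function buildWidget(doc, container, items) {
  var list = doc.createElement("ul");
  list.className = "special-widget";
  for (var i = 0; i < items.length; i++) {
    var li = doc.createElement("li");
    li.textContent = items[i];
    list.appendChild(li);
  }
  container.appendChild(list);
  return list;
}

// Entry point: populate the container and return it, or return null when
// the script cannot tell where it lives (for example, loaded in a way the
// deliverable did not anticipate) rather than writing somewhere arbitrary.
function bootstrap(doc, items) {
  var container = findContainer(doc);
  if (!container) {
    return null;
  }
  buildWidget(doc, container, items);
  return container;
}

// Constructed sample data standing in for whatever the real deliverable
// rendered; the second entry shows markup-looking text staying inert.
var SAMPLE_ITEMS = ["first entry", "<b>not markup</b>", "third entry"];

// In a browser, run as soon as the parser reaches the script tag. Under
// Node there is no document, so nothing runs at load time.
if (typeof document !== "undefined") {
  bootstrap(document, SAMPLE_ITEMS);
}
```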

Todd Ogasawara

Microsoft’s Patch Tuesday will be upon us soon patching 3 critical and 1 moderate security problems. Security issues aren’t just a problem for Microsoft software of course. And, I recently learned about…

oCERT: Open Source Computer Emergency Response Team

…which describes itself like this…

The oCERT project is a public effort providing security handling support to Open Source projects affected by security incidents or vulnerabilities, just like national CERTs offer services for their respective countries.

There doesn’t seem to be a lot there yet (only 4 advisories posted so far, the last on April 17). But, I hope oCERT will become a good resource for those of us who deploy a lot of Open Source applications.

Port 25 Security Related Blog items


Okay, actually, there are a number of virtualization options not listed in the title, but the one nobody seems to be talking much about is Sun’s xVM VirtualBox. But, wait! you say, Sun begs to differ: “Sun xVM VirtualBox software is the world’s most popular open source virtualization platform because of its fast performance, ease of use, rich functionality, and modular design.”

Some cool features of VirtualBox include:

• Seamless windows - rather than a whole desktop environment, just the guest application windows can co-exist alongside native host applications.
• Shared Folders - easily move documents and files between the host and guest systems.
• Mouse pointer integration - it just works how you’d expect it to.
• Dynamically adjustable screen resolution in the guest.
• Time Synchronization.
• Shared clipboard.

A lot of that is available elsewhere (e.g., time sync and shared folders), but seamless windows is a nice touch.
AND, VirtualBox is open source!

Do check it out.

Doug Hellmann


The heapq module implements a min-heap sort algorithm suitable for use with Python’s lists.

Todd Ogasawara


There’s an interesting four page PDF file that appeared recently on the Microsoft downloads site titled…

Open Source at Microsoft CodeBox: Bringing the Open Source Approach In-House

It answers the question: Could the community and collaborative concepts that
underlie open source projects be applied internally to Microsoft product engineering?

CodeBox is a software development environment that was developed as an internal tool to help Microsoft apply the Open Source software development model internally. It gives Microsoft’s programmers an internal tool to manage shared code.

Noah Gift


If anyone was interested in a great Google App Engine project, I would love to see a community blog/speaker registration tool. Jeff Rush mentioned something like this a couple of PyCons ago, but now there is the technology available for free with Google App Engine. Basically, it would be cool to have a google app engine app that allowed organizers to book meetings and plan them, then post about the meetings, and finally “book” speakers that happen to be traveling to that city.

Currently there is this blog, but I find it difficult to post the data there, plus our meetup site, plus by email…etc. Making this process easier would be awesome.

On a side note, is there a chart somewhere that graphs which open source web application components are working and which aren’t on Google App Engine? For example:

Templates:

Genshi
Django
Mako

URL:

blah

Frameworks:

blah

chromatic


I like numbers. They can mean a lot of things.

Rather than continuing silly arguments over obfuscated and flawed measurements of “language popularity”, perhaps a better way of measuring the viability of a language or platform is to measure the freshness of its ecosystem.

LaPerla’s How Fresh is the CPAN? measures the upload dates of one of the world’s largest and most active repositories of free software. Of the 12,000 (or is it 14,000 now?) distributions on the CPAN, 25% have a most recent upload date of February 2008 or newer. Half have an upload date of 2007 or newer.

You don’t get those kinds of statistics by putting “Ruby Programming” into Google and pretending the results are meaningful.


If you are at all familiar with the UNIX or Linux world, you will know about the Pluggable Authentication Module (PAM) functionality. Essentially, PAM is a highly extensible login framework for authenticating and authorizing a user for access to a server. Prior to PAM, most logins worked directly against the local /etc/passwd database, but with PAM, users are authenticated against the PAM library, which in turn relies on a series of “modules” (surprise!) that return a Yes/No response. On many UNIX and Linux boxes, PAM still relies on /etc/passwd, but it doesn’t have to—and often doesn’t. For example, LDAP is quite often supported for authentication, and this is done by simply adding the right LDAP module to your PAM configuration.

Yawn.

Well, it is all very cool actually, but it is old news in the UNIX world.

Now, Windows has supported this, kind of, a little bit, with GINA and GINA chaining and what-have-you, but it is really JUST NOT DONE. In addition, the GINA chaining concept is rarely if ever used. (I have heard because of reliability issues.)

However, Vista now supports a new model known as Credential Provider, which is deceptively like… PAM! Well, cool. (And they say Microsoft doesn’t learn!)

Anyway, I suggest you take a look at this as it’s all very nifty stuff:

Windows Vista Sample Credential Providers Overview

Credential Provider Samples

New Authentication Functionality in Windows Vista

Todd Ogasawara


OK, I know this is NOT the Inside MySQL blog area. But, MySQL is the “M” in both LAMP and WAMP. And, as one of the people who wasn’t very happy by MySQL’s decision to close source parts of the upcoming MySQL 6.0, I thought I should help spread the good news announced by MySQL’s VP for Community Relations - Kaj Arnö:

MySQL Server is Open Source, even Backup extensions

His six main points are:

- MySQL Server is and will always remain fully functional and open source
- MySQL Connectors will be open source
- The main storage engines will be open source
- MySQL 6.0’s pending backup functionality will be open source
- The MyISAM driver for MySQL Backup will be open source, and
- The encryption and compression backup features will be open source

FYI: MySQL related blog posts on Port 25

Mike Hendrickson



The third Ignite Boston will be on Thursday, May 29, from 6 to 10pm at Tommy Doyle’s in Harvard Square, Cambridge, MA. This time, we’re using two floors at Tommy Doyle’s, so the acoustics will be better than at our first event there. From 6-6:45 pm, mingle and talk tech with your fellow FOOs, alpha geeks, and techies from the greater Boston area. After the mingling and social stuff, we’ll have a couple of special keynote presentations by Jonathan Zdziarski of iPhone notoriety and John Viega of Security notoriety to kick off our Ignite talks. Then, on to guest speakers who’ll catch you up on the cool, new, innovative stuff going on in technology today. Don’t blink or you’ll miss their lightning-fast, five-minute presentations. During intermissions, get a cold beer and chat with speakers, sponsors, and O’Reilly’s own editors. Join us Thursday, May 29, for a fun, energetic evening of talking, learning, collaborating and drinking!

Check out the events and activities of our previous Ignite events.

RSVP: If you plan to attend, email IgniteBoston at oreilly dot com for the chance to win $300 worth of O’Reilly books of your choosing. You must be present to win. There will likely be other items like tee-shirts and other promo items for those who alert us ahead that they plan to attend.

Presentation Guidelines

Ignite is a user-generated event. If you’re interested in speaking, then submit a proposal for consideration.

Presentations must:

  • Be no longer than 5 minutes
  • Be on an innovative topic (no sales pitches, please!)
  • Be viewable on a PC [a MacBook Pro with Powerpoint and Keynote, and PDF] with standard AV equipment
  • Did we mention, no Sales Pitches.

Noah Gift


Here is a Google App Engine application I wrote for an upcoming PyAtl Talk, and an upcoming O’Reilly Online Article: http://greedycoin.appspot.com/

Quick notes: Really liking the datastore API. I also liked the Django templates even though I haven’t touched them in over a year and a half. I am looking for Google App Engine consulting or contract work…anyone..anyone :)

Andy Lester


(Cross-posted from perlbuzz.com)

Selena Deckelmann has come back from BarCampPortland with copies of every Post-It on the topic selection board. The topic selection board at an unconference like a BarCamp is where people write on a Post-It a topic they’d like to see presented, and put it on a board for all to see. Whichever topics people vote for are the topics that are presented.

Scanning through the photoset on Flickr is fascinating, as these often are. Topics range from Pirates Paying Artists to WordPress as CMS to How to lie with statistics to Should we replace Congress with a wiki?

Also fascinating to see how widespread Twitter has become, with half the Post-Its leaving @usernames as contact information.

Makes me want to start up a Bar Camp Chicago. And move to Portland.

Todd Ogasawara


Michael Desmond raises an interesting point in an article in Redmond Developer News…

Open Source and .NET

Desmond acknowledges the IronPython/IronRuby work as well as Microsoft working with Zend on PHP and FastCGI. He quotes DotNetNuke’s Bill Walker who told him: Case studies could be sponsored, articles could be included in Microsoft magazines, etc. We have people … who still believe DotNetNuke and other .NET open source software is for the hobbyist set only. Desmond closes by asking: Should Microsoft be doing more to make open source development a first-class citizen in the .NET space?

The answer, IMHO, is definitely yes. I’d like to see, for example, Microsoft’s Port 25 site reach out to various Windows related Open Source project team members to highlight them and their projects. Three that come to mind right away are: OpenNETCF (Windows Mobile and Embedded development), MindTouch Deki Wiki, and SharpDevelop (free IDE for C#, VB.NET and Boo).

And, of course, there is always a lot to say about the better known Open Source projects like Apache httpd, Apache Tomcat, and Eclipse. Let the folks at Port 25 know what Open Source projects related to the Microsoft Windows platform you would like to read more about.

Noah Gift


I thought I would point out that the full length version of our exclusive Video Interview with Mark Shuttleworth is now available. Originally we had a very short version that was posted, but now you can watch it all here.

Jeremy and I are on camera for only a few seconds at most, I promise, but the approximately 20 minute interview is truly incredible, and inspirational, if you haven’t watched it.

chromatic


Patrick Michaud gave a Rakudo Perl talk to the Dallas/Fort Worth Perl Mongers last month. These slides are a great overview of the current status of Parrot’s Compiler Toolkit and Rakudo Perl 6.

Of particular note is Effectiveness of the Parrot Compiler Toolkit, which suggests that an initial port of Python 2.5 to Parrot took six hours and a port of LOLCODE took four hours. These are powerful tools, and they’re only getting more so.

Doug Hellmann


The cmd module contains a base class for creating command interpreters.

Todd Ogasawara


If there is one Microsoft product that openly gets inspiration from and gives credit to UNIX and GNU Linux/Open Source, it is Microsoft PowerShell.

How open source has influenced Windows Server 2008

The PowerShell team is at the Microsoft Management Summit (MMS) in Las Vegas this week. And, they posted the PowerPoint 2007 slide deck for a peek at PowerShell V2 on their blog…

MMS: What’s Coming In PowerShell V2

I’m not at the MMS. So, I didn’t see the presentation. However, the slide deck (downloadable from the blog entry linked above) lists four main topic areas (labeled Themes in the slides):

1. GUI over PowerShell
2. Production Scripting
3. Universal Code Execution Model
4. Community Feedback

In the Linux world, I’ve been asking people to use Python or Ruby instead of Bash scripts so that we don’t have to refactor from a more basic scripting language (say Bash) to a more sophisticated object oriented dynamic language (say Python or Ruby). In the Windows world, the jump has been from DOS batch language to Windows scripting (which I never liked) or Visual Basic/C#. That’s not really an option at all IMHO. PowerShell, on the other hand, brings Windows into the 21st century for system administrators who may not come from a deep software development background. It gives them a first class language and .Net citizen as an alternative to DOS batch (I hesitate to call it a language).

Though PowerShell still seems to have a strange look to it from my point of view, its ability to deal directly with .Net objects gives it the ability to more easily deal with systems level information than we have on Linux with even high-level dynamic languages like Python and Ruby.

Me? I’m still waiting for a binary ready-to-install IronRuby to test with Windows Server 2008 :-)


I was just reading Michael Mimoso’s account of a new MS-SQL injection attack that is making the rounds. Sigh.

The funny thing is that I was just talking to one of our consultants here at Puryear IT about... SQL injection attacks. He was working on something involving MS-SQL, and commented that MS-SQL did not properly handle dangerous code in comments in SQL code, which made it possible to attack the SQL server if security was not properly set up. Then I found that blog. Good times.

Anyway, SQL injection attacks aren’t specific to MS-SQL. Almost every database server is susceptible to them, not because of the RDBMS itself, but usually because of:

• The fact that the RDBMS was not properly configured and secured.
• Applications, especially web applications, do a horrible job of checking for sane SQL statements.

There are a few ways to help yourself right out-of-the-box of course. For one, using prepared statements and relying on a properly designed database library in your code helps. For example, instead of using something like:

# $dbh is assumed to be an open Perl DBI handle
my $input = <STDIN>;   # input from user (untrusted)
chomp $input;
# Vulnerable: the value is interpolated straight into the SQL text,
# so quotes and comment markers in it are parsed as SQL
my $rows = $dbh->selectall_arrayref("SELECT col1 FROM table1 WHERE col2 = '$input'");

You should be preparing the statement and relying more on your SQL library to reject any odd input, like so:

# $dbh is assumed to be an open Perl DBI handle
my $input = <STDIN>;   # input from user (untrusted)
chomp $input;
# Safer: the driver binds the value to the placeholder, so it is
# only ever compared as data, never parsed as SQL
my $prepared_sql = $dbh->prepare('SELECT col1 FROM table1 WHERE col2 = ?');
$prepared_sql->execute($input);
my $rows = $prepared_sql->fetchall_arrayref;

Generally, the latter form will allow you to not worry about escaping your input. (This is not always the case though, so consult the documentation for the SQL library you are using!) That said, it still makes sense to check for anything overtly dangerous in the user input.
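To make the difference between the two forms concrete, here is an added example (not from the original post) that runs both against a constructed in-memory SQLite table: the string-built query and the parameterized query behave identically for ordinary input, but only the string-built one lets a quote-and-comment value change the statement. The table name, columns and row values are made up for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1 (col1 TEXT, col2 TEXT)")
    conn.executemany(
        "INSERT INTO table1 VALUES (?, ?)",
        [("alice-secret", "alice"), ("bob-secret", "bob")],
    )
    return conn


def lookup_vulnerable(conn, user_input):
    """Mirrors the first snippet: the value is pasted into the SQL text,
    so quote characters and comment markers in it are parsed as SQL."""
    sql = "SELECT col1 FROM table1 WHERE col2 = '%s'" % user_input
    return sorted(row[0] for row in conn.execute(sql))


def lookup_prepared(conn, user_input):
    """Mirrors the second snippet: the driver binds the value to the '?'
    placeholder, so it can only ever be compared as a string literal."""
    sql = "SELECT col1 FROM table1 WHERE col2 = ?"
    return sorted(row[0] for row in conn.execute(sql, (user_input,)))


def compare(user_input):
    """Return (vulnerable result, prepared result) for one input value."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, user_input), lookup_prepared(conn, user_input)
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal value gives the same single row either way.
    print(compare("alice"))
    # A value that closes the quote and comments out the rest of the
    # statement (the comment handling mentioned above) makes the
    # string-built query return every row; the bound query returns none.
    print(compare("' OR 1=1 --"))
```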

Anyway, back on the original blog entry, I found this pretty funny: ‘”They’re blindly tossing SQL injections at sites and getting a high success rate. They’re upping the game,” Grossman said. “This is a new level of sophistication.”’ There is nothing new or sophisticated about blindly running exploits against servers on the Internet. It is an old technique actually, and unfortunately, it’s always had a good rate of return.
