Wednesday, November 21, 2007

Mark Pilgrim's System Administration for Dummies

(Note: Originally written on 2007/11/11. It's been languishing on my computer since then.)

To begin with, I have to say that, like many people on the "Internets", I enjoy reading dive into mark for its sharp wit and no-holds-barred writing style, no matter who employs him.
His latest post is no exception. A few things bothered me about it, though.

For one, it (implicitly) assumes that you're going to be installing MySQL™ on your Ubuntu™ desktop machine and start using it to develop some application that needs a relational database for X, Y, or Z. However, ignorant CEOs and CIOs also read things written on the Internets, and when they happen to find this post via their Google™ search du jour for new technology to integrate into the fold, they'll turn to their system administrators and ask, "Why do I pay you so much when all I have to do to install a relational database is click a button a few times?" Thank you, Mr. Pilgrim, for devaluing system administrators in one fell swoop.

Another part that bothered me was the end. Here's how I imagine your average Ubuntu™ user's thought processes: "OK, I've installed this MySQL™ thing. Now what? How do I access this server thing? I have to use some sort of client, right? What kind of client do I get? Can I just search for 'mysql client' and do the same thing? Oh crap, that's for the terminal!" There goes that whole anti-"sudo make me a sandwich" argument. I guess it would be different if this HOWTO was in serial form.

On the other hand, it seems to be a much better experience than installing DB2™ on Ubuntu™.

Sunday, November 11, 2007

Common Sense and Websites

Just recently, I ran across the third WordPress weblog in my feed list that had been hit with spam via what I assume to be the vulnerability fixed in version 2.3.1. It only shows up in feed readers, because it uses CSS to hide itself on the regular pages. That CSS is stripped by most feed readers' sanitizing process that removes all markup that may be malicious.

The striking thing about it is that all of the weblogs were related to web development: one was on a personal browser developer's website, one was a prominent web development news site, and the most recent one was the official weblog of a web browser. Now, I'm not necessarily putting the single browser developer at fault, since web applications aren't necessarily his area of interest. His webhost should make sure that classic security holes (like PHP's register_globals option) are turned off or disabled. On the other hand, the other two sites should know better. The web development news site has a significant number of posts on web application security, and the browser vendor deals with the security of its product every day, so surely they should be monitoring (or at least, find an automated process to monitor) feeds such as the ones at the National Vulnerability Database, in case exploits are discovered for any web applications that they may have installed.

To everyone else, if you can, please make sure that your webhosting environment is properly secured. Also, definitely subscribe to the news feeds of all the web applications that you run, because more often than not, there will be security vulnerabilities discovered, so you should upgrade as soon as possible in those cases.

Tuesday, November 06, 2007

Attention Gmail Developers: Please Address This IMAP Issue

I figure this is worth a shot, given that this blog is hosted on a sister application.

To the developers working on Gmail: I would like to know your position on comment #3 in flameeyes's post from a Claws-Mail developer. Are you or are you not following the IMAP specification in this respect? If not, why not? Additionally, can it be fixed?

Monday, November 05, 2007

OiNK: The Best Kept (Open) Secret on the Internet

Everywhere I turn, there's a new post lamenting the fall of the mighty OiNK music torrent tracker. Yes, it's a pity, but what's surprising to me was the number of people who actually used it (and blogged about losing it after the takedown). It's like these people want to say, "Yes, I was a part of the secret organization before it disbanded!" It's an odd sort of sensation reading those posts; those of us who were also contributors to "the cause" say to ourselves, "Right on, brother! Fight the power! I, too, miss what has been wrongfully taken away from us!"

As I think about it, it gets more and more surreal. Why are we sad about something that is plainly an illegal means of retrieving goods? Is it because of the slightly better feeling in our conscience that says, "it's OK, I'm helping others who can't necessarily find this music any other way through seeding", rationalizing it as a sense of community and giving back? I am boggled.

Saturday, November 03, 2007

Avant Window Navigator 0.2.1 Released

After about a month of bug reports, segmentation faults, patches, and prodding of the core developers, we finally have a new release of everyone's favorite composited dock, AWN.

After some prodding on IRC, I created a branch of the 0.2 release branch, called 0.2-stable-testing. Here's how I described my workflow on this branch in the forums:

  • I get patches from IRC/forums/launchpad. If they aren't on launchpad, I ask that they go there so I can put a reference to them in the commit message.
  • When the patch is on launchpad, I add the stable branch to the bug with the status message "fix in progress".
  • I install/run awn with the patch applied, and check the console. If there are no extra assert/CRITICAL/WARNING messages, and I don't crash within 10 minutes, I commit the patch (usually with whitespace fixes, etc.) to the branch, and push to launchpad.
  • I change the status message on the bug to "fix available" and note the revision that the patch was applied on.

In all, there were a total of 13 recorded bugs fixed in my branch. About halfway through, I posted a call for a bugfix release:

So apparently, AWN is now on the front page of launchpad. This inevitably means more users, and more of the same questions about crashes, etc. occurring with the 0.2 release. Many of these crashes have been addressed in my 0.2-stable-testing branch, and I am pleased to report that several people are actively testing this branch and indeed finding it stable. So, I propose that the rest of the patches in my branch be reviewed (you can find them at the bottom of the branch details page), and a point release (0.2.1) be made.

Additionally, I don't think it's in our best interests to have the only available method of retrieving awn-extras be through bzr (even though I am a strong advocate of bzr). We need, at the very least, a snapshot of awn-extras to be released. Preferably, the buggy clock applet should be fixed, moved or removed before this happens.

The result is where we are today. There are only two things that concern me about this release: Two minor features crept in, and I had found a bug the night before, but was too tired to file it. I have been opposed to adding new features (however minor they are) in a point release, because it's convention to leave new stuff to version bumps of one of the more major versions (e.g., 0.2 to 0.3, or 1.0 to 2.0). There's a good reason that most projects do this, too. New features (especially those that are untested) bring new bugs, which is not ideal for a bugfix release.

Thanks are in order for moonbeam (who wrote most of the stability patches), mhr3 (who reviewed said patches), and njpatel (who released it). It sounds like 0.3 is going to be very interesting. Hopefully I can get my desktop-agnostic branch finished and merged.

Friday, November 02, 2007

The Lessig lecture at the UW

I had the great fortune to listen to Professor Lawrence Lessig tonight. I've been a fan of his ideas (free culture, code as law, etc.) as well as his presentation style. Well, I got to see all of that at the lecture. His speaking style is even more impressive in person. He tied together a good deal of the work he's done over the years, including a preview of his new work on corruption, which the audience wanted him to speak on in the Q&A that followed the presentation.

The presentation itself is a little hard to explain for me, because it dealt with so much material, and yet I didn't miss a heartbeat of it. The first part of the lecture dealt with the question posed in the title advertised: Is Google (2008) Microsoft (1998)? Short answer: yes and no, but don't assign morality labels to businesses (much like you shouldn't assign them to technology), because they're interested in only one thing: making the shareholders happy. The second part explained the "new" model of content distribution and ownership, and how Google and Facebook, for example, still don't exactly "get" it (cf. the Google Maps API TOS or the Facebook Apps Developer TOS).

In all, I am very glad that I got to see Lessig speak in person when he came around to this area of the country.

Edit: Here's a tangentially-related Slashdot post: Google As The Next Microsoft? Also: Not Evil != Unselfish

Gmail's new "features", not bugs: A review

I, like many people on the Internets, was ecstatic at the announcements of IMAP for Gmail and the blogosphere-dubbed "Gmail 2.0". I'm all for a faster Gmail experience, not to mention an implementation of the mail retrieval protocol that was developed at my alma mater. However, my enthusiasm waned in two parts, when I actually tried out these features.

When IMAP was finally enabled on my account, I opened up claws-mail and configured it to use Gmail as its mail source. When it did the mail sync operation, I noticed that it didn't populate the virtual "label" folders properly. By that point, I gave up and did something else. I learned later during my blog reading that Gentoo's flameeyes had the same problem. If you look at the comments, you'll see that Claws-Mail's developers have acknowledged the problem as Google's fault. As a(n annoyed) developer, I would agree with their assessment. As a pragmatic developer, however, I agree with flameeyes's assessment: The Claws-Mail developers should follow Postel's Law.

Part two: trying out "Gmail 2.0". Regardless of how I feel about the blogosphere's echo chamber (and by extension, the mainstream media's echo chamber), I'm using that term for it because it's convenient. Yeah, it's a cop-out. Anyway, this refactoring of Gmail's dynamic JavaScript engine seems to me to be a step back in terms of speed (or at least, perceived speed). Sometimes when I change tabs back to Gmail, the message list column is squeezed horizontally, as if I changed my browser window size to 200x900. When I change label views, there tends to be a lapse between unloading the old label's mail and loading the new label's mail. This leaves a big green box in the interim.

I do realize that these features are relatively new, but you'd think user/unit testing would catch these things.