Planet Apache

May 16, 2008

Deepal Jayasinghe: What is a SOA Registry?

SOA and Web services are becoming the most popular keywords in today's software industry. As a result, there are many other technologies and components built around SOA. Among them, the ESB and the Registry can be considered top of the list. Different people have different definitions for them, and there are a number of different implementations out there as well. It is a very hard question to answer whether the ESB or the Registry is more important when it comes to SOA.

When we consider an SOA registry, it is of course not a new concept. UDDI is a good example of the traditional way of dealing with an SOA registry. I cannot tell the exact reason, but UDDI did not become that popular, which is why people try to find new alternatives to UDDI (based on SOAP, REST, etc.). So if someone is going to implement a new SOA registry, then I think he has to address the following items:

  • Service publishing

    • The implementation should provide a way to publish services as well as service-related metadata such as WSDL, XML Schema, etc.

  • Service discovery

    • The implementation should provide a way to discover services. Say, for example, I need to find a GPS service; from the registry I should be able to find one or more endpoint addresses for that service, and invoke it.

  • Federation

    • Different implementations should be able to communicate with each other, share and validate data, and so on. This is also a key feature of SOA governance.

So no matter how and by whom an SOA registry is implemented, it needs to address the above. IMO, without support for at least the first two items above we cannot claim that what we have is an SOA Registry.

In addition to those, SOA governance is also a key factor we need to consider when we implement an SOA registry. Governance is more about the management side of the services. Service lifecycle, different kinds of policy, ensuring various standards like WS-I, and validating artifacts like WSDL, Schema and Policy are also part of SOA governance.

In any given registry we can find two stages: deployment time and runtime. At deployment time we will be using the registry to store various artifacts; at runtime we will use the registry to authenticate, authorize, ensure policy, etc.

Yoav Shapira: POPSignal party tonight

Went to the POPSignal party tonight, and it was fun. Met some cool new people / companies, like slingpage and bountii. Saw friends from familiar places like TripAdvisor and Conduit Labs. Had a couple of free beers, enjoyed hanging out with fellow internet marketing gurus. Not a bad way to spend a couple of hours. Thanks POPSignal!

It's pretty cool how most people have heard about HubSpot, know what we do more or less, and are interested. Recruiting is becoming easier. Two days ago we literally had a guy just knock down our door and not leave until our awesome admin promised to give me his resume. Kudos for tenacity.

We also got TechCrunch'ed today, second time this year, regarding our recent venture funding round. This time the servers held up well, giving me some gratification over the architecture changes since the last TechCrunch event.

J Aaron Farr: Open Source Conference in Guangzhou Next Week

Next week will be the third annual open source conference hosted by the China Open Source Promotion Union (the text encoding of that website is messed up at the moment). Same as last year, the event will be held in Guangzhou and feature local and foreign open source experts. A schedule is up online, but I don’t know where the registration form is. Last year registration included a fairly small fee, which I imagine you could pay directly at the Shangri La hotel.

I’ll be speaking this year, so hopefully I’ll see some of you, assuming I can renew my China visa (new rules, not cool).

Rich Bowen: Obligations to Ire

Obligations To Ire

For the Weekend Wordsmith prompt Carrying A Grudge.

It takes enormous endurance
to remain angry,
even when you provide fresh reasons
day following day,
reopening wounds so old,
the original injury is a blur
in the broken rear-view mirror.

Sure, it flares up, fueled
by your careless actions,
selfish remarks, and callous manners,
but, most days, the petulant child
that you have become
merely buzzes, a trapped blue bottle
battering the panes
on a summer day when I'd rather
just be reading by the creek.

The grudge, long since
become an immovable burden,
shackled to me by a cable
of hatred and weary rage,
is too, too heavy to carry --
more like drag.

But so sure as I unfetter,
and try to escape,
you fling a hawser or two
around my raw, chafed ankles,
and remind me of my
obligations to ire.

May 15, 2008

Stefano Mazzocchi: Last Day as Bachelor

People do crazy things before they get married ;-)

Torsten Curdt: Is Twitter Down?

Lately I was getting a bit more into twitter. For obvious reasons I found this service, which somehow made me laugh when I found it. I just wish it would say “Yes” less often.

Henning Schmiedehausen: My personal heroine…

Bruce Snyder: More Cowbell with ActiveMQ - Squawk

I know that James already noted Squawk, but this is just too damn cool to pass up!

Squawk stands for simple queues using awk. It's all about consuming and producing messages via STOMP (Streaming Text Orientated Messaging Protocol), a text-based, wire-level messaging protocol. Writing STOMP clients is extremely easy and there are already many STOMP clients available in different languages.

There have been many times in the past where I could have used message oriented middleware at the operating system level with shell scripting. This really opens up some possibilities. Distributed communication at the shell level is unreliable. The ability to use ActiveMQ for reliable messaging from the shell level means that any system level applications can easily communicate in a distributed yet reliable manner. Maybe we should consider trying to get ActiveMQ into some Linux distributions!
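To make the "text-based, wire-level" point concrete, here is a minimal STOMP 1.0 frame encoder/decoder, an added example and not Squawk's or ActiveMQ's code: it always frames bodies with content-length so embedded NUL bytes survive, splits a concatenated byte stream back into frames, and rejects header values containing line breaks, since STOMP 1.0 has no header escaping. The credentials, destination and message bodies are constructed for the example.

```python
"""Minimal STOMP 1.0 frame codec (added example; not Squawk's or ActiveMQ's code).

Wire format: COMMAND, LF, zero or more "name:value" header lines, a blank
line, an optional body, and a NUL (0x00) terminator.  A body that may itself
contain NUL bytes needs a content-length header so the receiver can frame it.
"""
from __future__ import annotations

NUL = b"\x00"


class FrameError(ValueError):
    """Raised for malformed, incomplete or unsafe frames."""


def header_is_safe(name: str, value: str) -> bool:
    """STOMP 1.0 has no header escaping: a CR, LF or NUL inside a name or
    value, or a ':' inside a name, would let a caller-supplied string smuggle
    an extra header into the frame or terminate it early."""
    if not name or ":" in name:
        return False
    return not any(ch in name or ch in value for ch in "\r\n\x00")


def encode_frame(command: str, headers: dict[str, str], body: bytes = b"") -> bytes:
    """Serialise one frame; content-length is always added by this codec."""
    lines = [command.encode("ascii")]
    for name, value in headers.items():
        if name == "content-length":
            continue  # computed below from the real body length
        if not header_is_safe(name, value):
            raise FrameError(f"illegal character in header {name!r}")
        lines.append(f"{name}:{value}".encode("utf-8"))
    lines.append(f"content-length:{len(body)}".encode("ascii"))
    return b"\n".join(lines) + b"\n\n" + body + NUL


def decode_frame(data: bytes) -> tuple[str, dict[str, str], bytes, bytes]:
    """Parse the first complete frame in `data`.

    Returns (command, headers, body, remaining_bytes).  Raises FrameError when
    no complete frame is present yet, so a caller buffering a TCP stream knows
    to read more rather than act on a partial frame."""
    head_end = data.find(b"\n\n")
    if head_end < 0:
        raise FrameError("incomplete frame header")
    head_lines = data[:head_end].split(b"\n")
    command = head_lines[0].decode("ascii")
    headers: dict[str, str] = {}
    for raw in head_lines[1:]:
        name, sep, value = raw.partition(b":")  # values may contain ':'
        if not sep:
            raise FrameError(f"malformed header line {raw!r}")
        # STOMP: the first occurrence of a repeated header wins.
        headers.setdefault(name.decode("utf-8"), value.decode("utf-8"))
    body_start = head_end + 2
    if "content-length" in headers:
        body_end = body_start + int(headers["content-length"])
        if data[body_end:body_end + 1] != NUL:
            raise FrameError("body too short or not NUL-terminated at content-length")
    else:
        body_end = data.find(NUL, body_start)
        if body_end < 0:
            raise FrameError("incomplete frame body")
    return command, headers, data[body_start:body_end], data[body_end + 1:]


def squawk_exchange() -> list[tuple[str, dict[str, str], bytes]]:
    """Constructed client/broker exchange (CONNECT, SEND, MESSAGE), encoded
    into one byte stream and split back into frames by the decoder."""
    stream = b"".join([
        encode_frame("CONNECT", {"login": "guest", "passcode": "guest"}),
        # Body with an embedded NUL: only decodable thanks to content-length.
        encode_frame("SEND", {"destination": "/queue/squawk"}, b"uptime\x00check"),
        encode_frame("MESSAGE", {"destination": "/queue/squawk",
                                 "message-id": "1"}, b"up 3 days"),
    ])
    frames = []
    while stream:
        command, headers, body, stream = decode_frame(stream)
        frames.append((command, headers, body))
    return frames
```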

Update: For folks who are not aware of the reference to More Cowbell, see the original SNL video. Will Ferrell and Christopher Walken are priceless in this skit! What's even funnier is that open source can be just like this skit sometimes :-).

Rodent of Unusual Size (Ken Coar): Incoming!! Nickel-iron meteorite dice for sale

I've finally gotten the mini-mill and mini-lathe installed and running, though as a consequence moving around in the office has gotten much more difficult — and doing so barefoot more dangerous. I've started recording what I work on at Flickr, and the first actual product is a half-dozen 0.2" six-sided dice made from a slice of nickel-iron meteorite. You can see them in my eBay listings for as long as they're still at auction.

Here's a sample photograph; click the pic for an enlarged view.

A lot of effort went into making these, and since the dice made from stony meteorites are about U$100 apiece, when and where you can find them, I figure the even rarer ones made from meteoric metal should be more expensive.

Collect 'em all! ;-D

They weigh approximately 1 gram apiece.


Howard M. Lewis Ship: Tapestry 5 with NetBeans

At NFJS Boston last month, I ran into Alex Kotchnev. We had a number of chats about Tapestry and spurring wide adoption. I'm still working on some of those ideas. He's a NetBeans user, whereas most of the documentation assumes Eclipse or IDEA. He's posted a blog about using Tapestry in NetBeans; specifically, using the Maven support to avoid typing the dreaded Maven project creation incantation.

Ted Leung: Scala liftoff

I stayed around in San Francisco for one more day after JavaOne, in order to attend the Scala liftoff. The liftoff was an open space style conference (which has a more specific meaning than “unconference”, at least to me). My friend Kaliya Hamlin did a great job of facilitating the day.

Scala liftoff 2008

Scala has steadily been gaining attention, and hasn’t yet hit (at least in my eyes) the hype part of the classic Gartner hype cycle. I’ve been poking about with Scala, mostly because of the type inferencing, the Actor library, and lift. I have great respect for the work that Martin Odersky has done over the years, which also has me interested. Couple that with what I learned about closures in Java at JavaOne, and the list of reasons to look more deeply at Scala is getting long, especially if you are determined to have a statically typed language.


I wasn’t able to make it to any of the sessions on lift. It just worked out that other sessions overlapped them in a pathological way. While this is unfortunate, I am sure that I’ll be able to pick up anything that I need from the mailing lists and other documentation. I was able to attend two sessions on actors. One of the sessions had people with questions about actors, but no Scala actor experts were in that group. There was some discussion of Pi-calculus and the join calculus, but no discussion of the actual actor theory.

Steve Yen’s session on actor-d was pretty useful. Steve set out to build a version of memcached using Scala’s actors. He spent most of his slot talking about Scala/Java isms that he ran into - this was important since he was comparing to the C memcached. By the time he got to the actor related stuff, he was almost out of time. Steve found that he had to remove actors from the main loop of his server in order to get sufficient performance. He wanted to get statistics from the server in the background and discovered that the main loop actor was always processing messages and was never idle long enough to report statistics. He ended up replacing the actor with plain old Java Threads (POJT?). This was in addition to the fact that he ran into many of the standard Java problems as well. I’m not sure what to conclude from this. I don’t recall what kind of hardware he was on, and I am not convinced that he had the right architecture for an actor based system. Some of his experience also seemed contrary to what the lift folks have been claiming. I think that we are in for a decent amount of investigation here. One of Martin’s statements about Scala is that it is possible (and better) to extend the language via libraries than via actual language constructs. For the most part, I agree with this, but there are certain extensions which have interactions with the runtime - like concurrency. In those cases, I don’t see how the library approach allows taking advantage of runtime features. The current version of Scala actors is implemented as a library.

One of the things that I am currently working on is support for Python in NetBeans, so I dropped into the session on IDE support for Scala. With the exception of IntelliJ, none of the IDE plugin principals were present, so it was hard to have a really productive discussion. Martin did attend the session and we talked about the possibility of getting hooks into the existing Scala compiler, particularly the parser and the type inferencer. That could yield some big dividends for people working on IDE support. One IDE feature that I would like to see is the ability to hit a key, and have the IDE “light up” all the inferred types, overlaid on the existing program code. This would allow developers to see if their intuition about the types actually matched that of the type inferencer. I’d like a feature like this for Python/Ruby/Groovy/Javascript code as well. Further discussion was deferred to the scala-tools mailing list.


The other session that I participated in was the session on Scala community and governance. Several people wondered about this during Kaliya’s “What questions do you have about Scala” portion of the schedule building. When nobody else put up a session in this area, I grabbed a slot, hoping to spur some conversation - if for no other reason than my own education. Fortunately, Martin had already been thinking about the problem. He is going to adopt a Python style governance, with him (and EPFL) having the final say on language design matters. There will be Scala Enhancement Proposals (SEPs), like the Python PEPs. I’m very happy with this. I think that Python has done very well at maintaining the balance between (lots) of community input on the language design, while still retaining that “quality without a name”. One of the things that I said during the CommunityOne general session panel was that particular individuals in the right place, at the right time, matter a great deal. After watching Martin for the day, and seeing his interactions on the mailing list over the last few months, I think that the design of Scala is in very good hands.

We also talked about the evolution of the Scala libraries. The Scalax project is working to build a set of utility libraries for Scala. Martin views scalax as a place where anyone can submit a library, have it tested, vetted, reworked, etc. Eventually some code in scalax would be candidates for addition to the Scala standard libraries. This also seems like a sane approach to me. I like the idea of having a place for libraries to shakeout before going into the standard libraries. Martin also mentioned a LINQ in Scala project. I need to track that one down too.

It is good to be in a multi-language world again. There’s room for Scala, Python, Ruby, and others. Another language that I am keeping my eye on is Newspeak.

Ben Laurie: Exploiting Network Cards

A friend of mine, Arrigo Triulzi (no web page that he wants to admit to), has just posted this fantastically scary missive to the Robust Open Source mailing list (no public archive, so I will quote it in its entirety):

I’ve been working on firmware for the past two and a bit years, in particular in the field of firmware viruses.

Without needlessly boring everyone with the various steps allow me to share an interesting observation: drivers often assume the hardware is misbehaved but never malicious. It is fascinating to discover what can be done by making the hardware malicious.

Summarising briefly my work, as yet unpublished except the obligatory notices to the affected vendors (in what follows please read NIC as strictly wired, no wireless cards):

1) there are remarkably naive “protection” methods to prevent malicious users from overwriting NIC firmware with something of their choice,

2) as an extension to 1) above it is amazing to discover how simply firmware can be updated over the wire on specific NICs,

3) from 1 & 2 above, after about two years, I’ve reached my goal of writing a totally transparent firewall bypass engine for those firewalls which are PC-based: you simply overwrite the firmware in both NICs and then perform PCI-to-PCI transfers between the two cards for suitably formatted IP packets (modern NICs have IP “offload engines” in hardware and therefore can trigger on incoming and outgoing packets). The resulting “Jedi Packet Trick” (sorry, couldn’t resist) fools, amongst others, CheckPoint FW-1, Linux-based Strongwall, etc. This is of course obvious as none of them check PCI-to-PCI transfers,

4) I have extended the technique to provide VM escape support: one writes packets from a bridged guest into the network which initiates the NIC firmware update, updates the firmware and then the NIC firmware is used to inject code into the underlying VM host. The requirement to write to the network is then dropped as all that is required is the pivoting in the NIC firmware.

This scares the crap out of me, just as it stands. But he’s missed a trick, IMO: because of the nature of the PCI bus, you can use the same technique on any machine with a vulnerable NIC to read all of RAM. You might even be able to read disk, too, depending on the disk controller.

Oh boy, this is going to be a can of worms once exploits start appearing (if they haven’t already, that is).

Jim Jagielski: JCP changes?

Geir posts this interesting blog entry. If Sun and others are really interested in figuring out how to improve the situation within the JCP, especially in really encouraging community involvement and interaction, I wonder who-oh-who could they possibly ask?

Guillaume Nodet: ServiceMix 4 NMR on Equinox

I've done some experiments today to check that ServiceMix 4 NMR can be easily deployed on Equinox instead of Felix. Have a look at this wiki page.

Luciano Resende: JavaOne 2008: Tuscany and SCA coverage, and the Brazilian community of course...

It was very good to see a lot of SOA and SCA coverage at JavaOne 2008; there were at least a couple of sessions about these topics each day, and several mentioned Apache Tuscany.

Also, a couple of good pieces of feedback worth quoting from the blogosphere:

Michael Meehan wrote:

JavaOne report: Apache Tuscany, can SOA be this easy?

In front of a packed room of a few hundred developers at the 2008 JavaOne conference yesterday, IBM’s Jean-Sebastien Delfino gave a presentation of the Apache Tuscany project, an open source implementation of the Service Component Architecture (SCA) standard. SCA is designed to facilitate a standard method of constructing, assembling and developing composite services and the Tuscany implementation (currently in version 1.2) looks to be ridiculously easy to use.

One of the mantras in the SOA space is that it’s hard to do. Sure enough, enterprise architecture and end-to-end governance come with a high degree of difficulty, but Tuscany seemingly has made it a snap to stitch together a composite, Web-based service. According to Delfino, the idea is to abstract away the plumbing details using HTML-style annotations and map out the business logic of the service.


Jeff Anderson wrote:

The Highlights of SCA at JavaWorld 2008

Tuscany is a great open source implementation of SCA, with real-world production implementations
Jean-Sebastien Delfino and Mario Antollini gave an incredible presentation on Tuscany, my favorite open source implementation of SCA. The highlight of the presentation (IMHO) was when Jean-Sebastien showed how easily he could extend the SCA specification to include mashups/Web 2.0 component creation. In my opinion this is one of the highest values of SCA, a truly comprehensive component model that spans technologies, from simple AJAX/ATOM components to more complex WSDL/SOAP style services. Brilliant.
This session really showed how easy it was to make services, or components of any nature using SCA



As for the Brazilian community, they showed up again!!! We even had representatives from the Brazilian Government discussing the engagement of the Brazilian government in consuming and producing open source software; see the panel abstract below:

PAN-7063: Free and Open-Source Software (FOSS): Use and Production by the Brazilian Government

The Brazilian government has been a pioneer in the use and production of free and open-source software (FOSS). This initiative is best represented by the Brazilian Public Software Portal (BPSP), a national web site that makes available the free and open-source software produced by the government and offers several services for the local FOSS community. This presentation by the government officials who are implementing this large initiative shows how the adoption of free software, such as Java™ technology-based applications and much more, was crucial to making not only the use but especially the development of new software in the government possible. The session also shows the results of the initiatives, presenting some of the amazing software solutions now available to users worldwide, and discusses some of the next steps planned by the Brazilian government.



And below, a couple of Brazilian dudes posing for pictures...

Ben Laurie: Debian and OpenSSL: The Last Word?

I am reliably informed that, despite my previous claim, at least one member of the OpenSSL team does read openssl-dev religiously. For which he should be commended. I read it sometimes, too, but not religiously.

So, forget I said that you don’t reach the OpenSSL developers by posting on openssl-dev.

Torsten Curdt: CocoaHeads Frankfurt

There is no such event yet. But I think it would be great if there was. CocoaHeads is a monthly gathering of Cocoa enthusiasts, with presentations, tutorials and general discussion around Cocoa programming. There are meetings all over the world - just not in Germany. Actually, not even in continental Europe.

If you would be interested in attending, please drop me a mail, a comment or whatever. If we can get more than 10 people interested I’ll step up and try to organize the event.

Stefan Bodewig: Talk at Regionalgruppe Düsseldorf der Gesellschaft für Informatik

Last night I was invited by the Düsseldorf local section of the German Gesellschaft für Informatik (think ACM) to talk about Open Source Software.

I figured I should talk about the parts of the Open Source universe I actually know and so it became a "what is the ASF, how are we different from others, how do we work" kind of talk. The audience was very interested and we had some good questions and discussion during and after the talk. I enjoyed it and hope it has been the same for the audience.

This marked the first time I've been presenting to people who are neither customers nor coworkers, and judging from the feedback I received it went pretty well - or people have just been nice.

The German slides are here and if anybody knows of an easy way to turn an S5 presentation into a slide-by-slide PDF I might put it up at Slideshare as well.

Lars Trieloff: Black Friendfeed Widget with Fluid

My Favorite SSB application Fluid got an update some days ago that allows you to fiddle with some window settings, namely the window opacity and the window decoration and the window placement (normal, above all windows, below all windows, above the dashboard). With the window decoration comes a black-window style with dark window borders and scroll bars that looks very cool. But using this style with Friendfeed for which I provided a custom userscript before yielded unpleasant results as the white background of friendfeed and the dark window borders do not match.

So I modified the user CSS file that is embedded in every Fluid SSB application (right-click the application icon in Finder, select "Show package contents", browse to Contents/Resources), called default.css, to give me a black background with white text and links (and I removed all the sidebar and clutter to make it a minimal interface).

The result looks like this and gives specialized desktop applications such as Twhirl or AlertThingy a run for their money.

http://weblogs.goshaky.com/weblogs/lars/resource/friendfeed-hud.png

Geir Magnusson Jr.: "Men in suits"?

This amazingly off-the-mark article appeared in The Register yesterday. Dalibor just joined Sun and surely is still getting his bearings and has never participated in the JCP, and it's possible he was misquoted by Gavin. As a friend of Dalibor, I've suggested to him that he should get it corrected. As the Apache Software Foundation representative to the JCP EC, I sent the following to the Sun EC reps and the chair of the PMO, trying to figure out what Sun is up to here:

Patrick, Danny, Calinel:

Given the fact that the statements contained in

    http://www.regdeveloper.co.uk/2008/05/14/jcp_individual_representation/

are given by a Sun employee identifying himself in his job role, can I assume that Sun is interested in taking this discussion public? I think that is a really healthy approach. I think there is confusion about the basic facts and I think clarification will be useful for the community as a whole.

I think I'll wait to see what Sun's intention is here before addressing some of the problems in the article. After all, it could be just a huge misunderstanding. Why do I care? Because openness, transparency and the equitable "rule of law" are inherent in the ASF's struggle in securing an equitable Java SE TCK license from Sun.

Hopefully Sun will allow me to publish their answer. Not being able to would be supportive of "A culture favoring closed-door meetings" :)

Colm MacCárthaigh: Security breach disclosure practice

For a long time now, we at Digital Rights Ireland have been campaigning for a law which would oblige companies who store our data to inform us of the details of any security breaches.

This is a hot topic, with recent disclosures from the Bank of Ireland and the Irish Blood Transfusion Service of just this nature. Today I received a letter in the post from Adobe, informing me that some details I uploaded to their website may have been similarly subject to compromise.

As part of the process for making a student-discount purchase with Adobe, I was asked to upload a scan or photograph of my student card - which I was happy to do - and it appears that those images may have been available for others to view. According to the letter, this process may have been used for credit card details in some cases.

In the absence of a law obliging them to do so, Adobe, BoI and the IBTS are actually to be commended for telling us about these breaches of security. Of course the notifications may be driven by an increasing consensus that not to do so would be true negligence, as the real-world ramifications and triviality of identity theft become increasingly apparent, but it is welcome nonetheless. It is better at least to know that it has happened.

When the Bank of Ireland revealed its problems with laptop theft, it was big news, and widely discussed; ordinary consumers expressed fears, the data protection commissioner made recommendations and our collective security has improved since. Already, the adverse commercial effects of these notifications are spurring other businesses to review and audit their own practices. This can’t be but a good thing.

But despite these voluntary notifications, and the emerging consensus of their necessity, there are similar events like this every week that go unreported. Maybe the new minister for Justice, Dermot Ahern, with relevant experience from the Dept. of Communications, can remedy this situation. In the meantime, I think we’re actually better off with the companies who do tell us about these problems; at least they are proving a track record that the customer should matter.

Sam Ruby: Men in Suits

Geir Magnusson Jr: Given the fact that the statements contained in [link] are given by a Sun employee identifying himself in his job role, can I assume that Sun is interested in taking this discussion public? I think that is a really healthy approach. I think there is confusion about the basic facts and I think clarification will be useful for the community as a whole.

Simon Phipps: The lesson to be learned is that the best way to get Java everywhere was to work with the community rather than expect the community to work with Sun. Let’s hope that lesson sticks and spreads.

There is a discussion going on.  At the moment, it appears to be between Sun and the press.

It is the right discussion to be having.  Let’s just make sure that the right people have every opportunity to participate.

Grant Ingersoll: Taste is now committed

I haven’t tried it yet (pesky day job :-)  ) but I see that Taste is now committed to Mahout.  In fact, I think Sean has already started on some parallelization efforts!  Very cool.

Jeremias Märki: Barcode4J 2.0 released

I let it slide for too long but now, Barcode4J 2.0 is finally available. Since the last alpha release I’ve been able to fix a number of bugs in DataMatrix and PDF417. As a last-minute addition I’ve added support for the USPS Intelligent Mail Barcode of which you can see an example below.

USPS Intelligent Mail Barcode Example

There’s also a detailed list of changes for this release.

Brian McCallister: Topology Aware Consistency Policies

I am increasingly fascinated by the consistency options, in a distributed storage system, made available by topology awareness on the client. For example, if you consider a write committed iff the write has been made to a majority of all storage nodes and a majority of the local nodes, where local would typically be "same datacenter," it allows you to achieve repeatable-read, read-what-you-wrote consistency locally when a majority of local nodes have responded to a read request with a matching response, while still providing overall consistency across the entire system.
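The policy above, carried through as a quorum check in code (an added example, not code from the post): a write commits only with both a global and a local majority, and a local read is trusted only when a majority of local replicas agree. The cluster layout and node names are constructed; note that with only two local replicas, "local majority" means both of them.

```python
"""Topology-aware quorum check (added example; not code from the post).

Policy described in the post: a write counts as committed only when it has
been acknowledged by a majority of ALL storage nodes AND by a majority of the
LOCAL nodes, where "local" means the client's own datacenter.  A local read
then returns a value only when a majority of local nodes agree on it; since a
committed write reached a local majority, the two local majorities overlap in
at least one node, so the client reads what it wrote.  The cluster layout
below is constructed for the example.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Mapping, Optional


@dataclass(frozen=True)
class Node:
    name: str
    datacenter: str


def majority(count: int) -> int:
    """Smallest number of members that is more than half of `count`."""
    return count // 2 + 1


def local_nodes(cluster: Iterable[Node], datacenter: str) -> list[Node]:
    return [n for n in cluster if n.datacenter == datacenter]


def write_committed(cluster: list[Node], acks: Iterable[Node], client_dc: str) -> bool:
    """True iff the acknowledging nodes form a global majority AND a majority
    of the client's local datacenter.  A global majority alone is not enough:
    it may consist entirely of remote nodes, leaving local readers blind."""
    acked = set(acks)
    local = local_nodes(cluster, client_dc)
    local_acked = [n for n in acked if n.datacenter == client_dc]
    return (len(acked) >= majority(len(cluster))
            and len(local_acked) >= majority(len(local)))


def local_read(cluster: list[Node], responses: Mapping[Node, Optional[str]],
               client_dc: str) -> Optional[str]:
    """Return the value a majority of local nodes agree on, or None when no
    such majority exists (the caller must then widen the read to all nodes
    rather than trust a stale minority answer)."""
    local = local_nodes(cluster, client_dc)
    votes = Counter(value for node, value in responses.items()
                    if node.datacenter == client_dc and value is not None)
    if not votes:
        return None
    value, count = votes.most_common(1)[0]
    return value if count >= majority(len(local)) else None


# Constructed cluster: three replicas in datacenter "east", two in "west".
CLUSTER = [Node("e1", "east"), Node("e2", "east"), Node("e3", "east"),
           Node("w1", "west"), Node("w2", "west")]


def scenario() -> dict[str, object]:
    """Walk through the post's argument for a client located in "west"."""
    e1, e2, e3, w1, w2 = CLUSTER
    return {
        # 3 of 5 nodes acked, but none in the client's datacenter: not committed.
        "remote_only_majority": write_committed(CLUSTER, {e1, e2, e3}, "west"),
        # 3 of 5 globally and 2 of 2 locally: committed under the policy.
        "global_and_local_majority": write_committed(CLUSTER, {e1, w1, w2}, "west"),
        # Local read where both west replicas agree on the new version.
        "consistent_local_read": local_read(CLUSTER, {w1: "v2", w2: "v2", e1: "v1"}, "west"),
        # Local read where the west replicas disagree: no trustworthy local answer.
        "split_local_read": local_read(CLUSTER, {w1: "v2", w2: "v1"}, "west"),
    }
```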

Ask Bjørn Hansen: Links for 2008-05-14 [del.icio.us]

Luciano Resende: InfoQ post about Tuscany SCA 1.2 Release

Interested in learning a little more about what's new in the Tuscany and SCA 1.2 release?
The following InfoQ article/interview gives you some interesting insights into some of the new features and possible directions for future releases. See a little bit below:


InfoQ: Among all the features that this release has introduced, which ones do you consider most important?

LR: SCA is about building distributed composite applications, and the new SCA distributed domain support with an SCA Domain Manager application allows you to build and deploy your solution into multiple SCA Nodes. These nodes can run on different platforms and runtimes (e.g Geronimo, Tomcat, Jetty, etc) or just plain J2SE.

With OSGI support, users can now run Tuscany and SCA in an OSGI Runtime.

The new Tuscany Eclipse plugin improves the user experience for developers building SCA applications. It integrates Tuscany with Eclipse to help you add the Tuscany runtime to your project; edit composites by providing code assist, and to run composites directly from your development environment.


To download Tuscany SCA 1.2, please go to the Tuscany download page.

Rich Bowen: Storms

Storms

We stand here, high on the hill,
and watch the rains come
like an African monsoon
sweeping across the desiccated
plains, dry dusty barren.

So many of these storms
lately, we just watch it come,
resigned
to the deluge that we know
we can't run fast enough
to escape. Our sadness

washes around us, even
as the rain, so long in coming,
so feared and so anticipated,
soaks our upturned faces,
hides our tears.

All very cliché, of course,
which isn't to say it's not real,
just that it's universal.

No one gets to their heaven
without a fight.

And some never
get there at all,
though they fight, seemingly,
without a respite
while the storm rages.

Those of us who have found
it, by persistence or dumb luck,
may, now and then, offer
a brief shelter
to those who, so far, haven't.

Rich Bowen: Framed

Yesterday I drove past that place
I used to live,
on the way home to you.

I cowered behind that very window,
afraid
of the world outside,
afraid
that it wouldn't miss me,
that it wouldn't notice
that I had vanished behind that frame.

I watched, through that frame,
others living the life
I could not live,
because I was
afraid,
I knew not of what,

nor why I had been exiled
to this penitentiary
which I paid good money
to inhabit.

There, framed in that window,
another lonely soul
gazed out at me, wondering
if I saw as I went on my way,
past this refuge of those
too young to have lived,
and those done with it.

Rich Bowen: iDog

Last Christmas, The Girl begged and begged and begged for an iDog, which is a delightful little thing that dances to music either heard on its microphone or received from an audio input cable.

She played with it once or twice, but quickly lost interest. It's pretty stupid, and requires a lot of attention before it does anything interesting.

Earlier this week, The Girl and The Boy were fighting over it, so I brought it to work and plugged it into my desktop speakers. It is very weird. It whimpers occasionally, apparently when it doesn't like my music. It dances to stuff it likes. It blinks its lights in seemingly random patterns. It chirps and flashes green when you pat its head. It growls when you tweak its tail.

Here's the complete documentation, just in case you care.

When I was a kid, toys didn't come with 16-page users manuals. Sheesh.

May 14, 2008

Bruce Snyder: WTF? Swearing at Work Inspires Teamwork

A study last Fall in the UK found that swearing at work can inspire teamwork. According to the study:


"apparent misbehavior can serve an organization well." Taboo language, they said, can manifest itself in solidarity that helps create a much more pleasurable and productive place to work.


I'll need to remember to point this out to the next manager who becomes offended by my recurrent use of the one magical, multipurpose word, fuck.

Lars TrieloffSee something cool, learn something new, win something shiny

I went to one of our customers today to demo our Digital Asset Management System (it seems to be DAM-week, see also my presentation at the Henry Stewart Show) and one of the project managers told me that he started playing around with Sling and how impressed he was with the power that is hidden in Sling and JCR and how easy it was to build something interesting. So, if you would like to see something cool, just as he did, download CRX Quickstart Edition, which contains CRX (a commercial grade content repository) and Sling (a web application framework built around the concepts of JCR, REST, AJAX, OSGi and Scripting) and take a look at Michael Marth's screencast first steps with CRX Quickstart. (This was the see something cool part)

Having seen something cool, it is time to learn something new, namely building applications using Sling and JCR, and CRX Quickstart is a great way of doing so. Aside from the aforementioned screencast, there is a second one: the serverside.com in 15 minutes, and the rest of the CRX Quickstart documentation we have assembled.

If you now want to win something shiny, namely a brand new MacBook Pro, apply your newly won knowledge and take part in the Day JCR Cup '08, which is one of the reasons we released CRX Quickstart. We want more developers to learn something new, more developers to build something cool and thought that winning something shiny might be a good incentive to do so.

Gavin McDonaldThe big move nearly here

3rd or 4th June 2008 (undecided yet) we set off from Perth to Cairns on our one way trip across the Nullarbor and up through into Queensland. More details will follow. As this is my first entry in this newly installed blog, I thought I had better write something; consider this a teaser.

Aidan Skinner[ANN] Qpid M2.1 has been released

Members of Qpid Nation,

I am exceptionally pleased to announce that Qpid M2.1 is out, loud and
proud. This version features AMQP 0-9 support, Access Control Lists
and Role Based Access Control, loadable exchanges via OSGi plugins and
the usual slew of enhancements, bug fixes and love.

Release notes

Known issues


But most importantly, you can get it from:
http://www.apache.org/dist/incubator/qpid/M2.1-incubating/

and via maven:
http://people.apache.org/repo/m2-incubating-repository

- Aidan

Nick KewLack of Entropy


Much has been said about the Debian/OpenSSL bug by people closer to it than I am. An expert view comes from Ben Laurie, who lays into the Debian packagers for fixing an apparent bug locally, and not sharing it with upstream. In a second post, Ben clarifies some confusing issues, like whether OpenSSL is relying on uninitialised memory for entropy (not quite, but what it’s doing is not good either).

Ben’s wrath is well-deserved, but it seems to me there’s a fundamental reason why the OpenSSL folks must bear a share of the blame. Given the use of uninitialised memory, why wasn’t there a great big comment right there in the code, explaining it? Anything like that is sure to raise alarm bells in anyone reviewing the code, and send a programmer straight into fix-the-bug mode. And that’s an apparent bug with a fix so simple that a compiler or runtime library could do it automatically. Don’t blame the Debian maintainer for fixing a blunder so trivial it must be a typo!

Why the “fix” went beyond just initialising that memory and broke it is beyond the scope of my (non-) research on the subject, and therefore this post.

UPDATE: Kudos to Michal Čihař for pointing out the upside to this sorry tale.

Henning Schmiedehausen…why you should never, never, *never* patch code that you do not understand fully…

http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&view=diff&r1=141&r2=140&p1=openssl/trunk/rand/md_rand.c&p2=/openssl/trunk/rand/md_rand.c

And that is why you report bugs to upstream and let those that know what they are doing, sort them out. Not someone with a half-wit for a brain.

Random patching and “improvement” of code is evil. End of story.

“Given enough eyeballs, all bugs are shallow”, my ass. Look at all the Debian, and Debian related (hello, Ubuntu people!) users squirrel around to change every single bit of crypto that they created in the last two years. Repeat after me: TWO YEARS.

Who of them freedom lovers ever bothered to look at the patches that this oh-so-trustworthy distribution provider has put into a package? Speaking of “single vendor lock-in”: how many distributions call themselves “free and open” just because they recompile or just ship the Debian packages verbatim?

That is as good as shipping an OEM Windows, folks! And now you got burned. Bad for you. Good for community health in the long run. Keeps you on your toes.

James StrachanApache ActiveMQ 5.1 and Apache ServiceMix Kernel 1.0-m3 Released!

Apache ActiveMQ 5.1.0 is now out. Both Bruce and Hiram cover this nicely - if you use ActiveMQ I'd recommend upgrading, it's got tons of bug fixes.

Also things are really hotting up in the spiffy new OSGi based ServiceMix Kernel that has just released 1.0-m3. Both Guillaume and Bruce have the low down. Grab it while it's hot!

Hopefully soon ActiveMQ may come built on ServiceMix Kernel by default which will certainly really help make it easy to hot-redeploy Enterprise Integration Patterns routing rules within the broker.

Ortwin Glück[General] Animation film

Just found this amazing animation film made from graffiti by BLU. Must have taken weeks to make!

Danny AngusUsing Apache2 as a reverse proxy

It was years since I'd done this, and I'd forgotten everything about it but niq's article gets it all across nice and concise.

Ben HydeTracking the powerless

Here’s another example of the natural progression of Moore’s law and privacy invading systems, wherein the powerless (shipping containers, pets, cattle, prisoners, soldiers, women and children, shoppers, etc.) pay the start up costs. In this case we are tracking high school students. I think I may need to touch up my model a bit. Clearly the police states are also a fertile source of funding for innovation.

Davanum Srinivas[Apache] Where did "Karma" come from?

First reference to karma on an Apache mailing list: http://markmail.org/message/jrp2vtljf5ot3phf

Next clue, the following post points to CVS as a possible source: http://markmail.org/message/gieddyl4tmqupezt

Wading through the CVS archives, it looks like we have a person named dprice (Derek Price?) to blame at the very least for checking in a contribution into CVS: http://cvs.savannah.gnu.org/viewvc/cvs/ccvs/contrib/cvs_acls.in?annotate=1.1&hideattic=0 and http://cvs.savannah.gnu.org/viewvc/cvs/ccvs/contrib/cvs_acls.in?hideattic=0&view=log#rev1.1 [...]

Bruce SnyderApache ServiceMix 4.0 Kernel Milestone Released



The third milestone release of the Apache ServiceMix 4.0 Kernel was pushed just this week. Check out the release notes to see all the new features that have been added.

ServiceMix 4.0 is a new container architecture for Apache ServiceMix and it is progressing nicely. The ServiceMix 4.0 runtime is an OSGi based container that supports many core services and the ability to easily add additional services. See the diagram below for a high level view of the architecture:



Based on conversations I had with folks at JavaOne, the interest in ServiceMix 4.0 is really building. If you'd like to ask questions or discuss it, please join the ServiceMix mailing lists.

Sam RubyBeta 1.1

B1.1 of Agile Web Development with Rails, 3rd Edition is out. Unless you have a deep interest in the migration function, there isn’t much new content here — the primary focus of this update is addressing the errata and forum comments received to date.

This effort has turned out to be both harder and more rewarding than I would have ever anticipated.  Harder in that Rails has changed so much, there has been so much to learn (in terms of Rails 2.0, SQLite3, and also in terms of working with a different publisher, operating system, and toolset).  But I can’t begin to express how much I like the beta books program — the readers that this book has attracted so far have been great and their comments, questions, and feedback have been most appreciated.

Also, while this book has always had ample source code provided, I’m continuing to look for ways to both expand and automate. Rerunning the code on Rails edge, for example, is now something I can repeatedly do in a matter of minutes.

Geir Magnusson Jr.MobileTerminal upgrade on iPhone

Just got an update to version "286u-7" via Cydia. Basically, this is a nice terminal for the iPhone that lets me do usual shell things, and the packages that come via Cydia make it very powerful. Full apt, for example. ssh, svn. (I can set up a tunnel to an internal JIRA server at 10gen so that I can use my iPhone browser...)

The UI is half-screen of keyboard, and half-screen of terminal window. What's interesting is seeing how they are learning how to leverage the touch features of the screen. A terminal using the iPhone kbd is a little challenging, especially w/ the small screen for those of us where glasses are required more and more :) so finding ways of incorporating graphics and touch will make this tool all the more useful.

They are using single-finger touch to bring up a neat "grid" menu, short and long single finger swipes, and two finger swipes. I'm still figuring it out, but what I know is nice. For example, short swipes up and down get you the up/down command history in the shell, just like an up/down arrow would. Short swipe up to the "northeast" is a ctrl-c, to the "southwest" is tab. "west" is backspace, and "east" is space. Two-finger swipe up ("north") is the conf page, down is hide/show keyboard, "west" and "east" flip between the multiple terminal sessions. When you touch and hold, a square "menu" of buttons comes up, and sliding to them either does the function (e.g. "clear"), or changes the "menu" to a set of variants. For example, sliding to the "ls" button - which is darker to indicate that there are options there - switches the rest of the squares to variants: "ls -a", "ls -al", "ls -s" etc.

The results are pretty nice - if you have experience working in a shell, you can go pretty fast. I've only used it for a few things so far - ssh-ing into a server at work, or setting up a tunnel so that I can control a Hudson instance running inside our firewall. The iPhone is an incredibly powerful little computer, and having a good command line makes it more so. I wonder when Android will run on it? :)

Ben LaurieDebian and OpenSSL: The Aftermath

There have been an astonishing number of comments on my post about the Debian OpenSSL debacle, clearly this is a subject people have strong feelings about. But there are some points raised that need addressing, so here we go.

Firstly, many, many people seem to think that I am opposed to removing the use of uninitialised memory. I am not. As has been pointed out, this leads to undefined behaviour - and whilst that’s probably not a real issue given the current state of compiler technology, I can certainly believe in a future where compilers are clever enough to work out that on some calls the memory is not initialised and take action that might be unfortunate. I would also note in passing that my copy of K&R (second edition) does not discuss this issue, and ISO/IEC 9899, which some have quoted in support, rather post-dates the code in OpenSSL. To be clear, I am now in favour of addressing this issue correctly.

And this leads me to the second point. Many people seem to be confused about what change was actually made. There were, in fact, two changes. The first concerned a function called ssleay_rand_add(). As a developer using OpenSSL you would never call this function directly, but it is usually (unless a custom PRNG has been substituted, as happens in FIPS mode, for example) called indirectly via RAND_add(). This call is the only way entropy can be added to the PRNG’s pool. OpenSSL calls RAND_add() on buffers that may not have been initialised in a couple of places, and this is the cause of the valgrind warnings. However, rather than fix the calls to RAND_add(), the Debian maintainer instead removed the code that added the buffer handed to ssleay_rand_add() to the pool. This meant that the pool ended up with essentially no entropy. Clearly this was a very bad idea.

The second change was in ssleay_rand_bytes(), a function that extracts randomness from the pool into a buffer. Again, applications would access this via RAND_bytes() rather than directly. In this function, the contents of the buffer before it is filled are added to the pool. Once more, this could be uninitialised. The Debian developer also removed this call, and that is fine.
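The two data flows just described, as an added toy model in C that is not OpenSSL's code: a digest-stirred pool with an add() step whose input-mixing line can be switched off, and a bytes() step that omits the output-buffer feedback. The mixer, constants, seeds and function names are all constructed for this illustration; the point it shows is that without the add line the seed never reaches the pool, so every instance draws the same output stream.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy model of the md_rand.c pool, constructed for this example (not OpenSSL
 * code): the pool is one 64-bit word and a non-cryptographic mixer stands in
 * for the message digest. Only the data flow the Debian patch changed is kept. */

typedef struct {
    uint64_t pool;     /* the entropy pool (one "digest" of state) */
    uint64_t counter;  /* stirred into every output block */
} toy_rand;

/* Stand-in for the digest. Each step (xor a byte, multiply by an odd constant,
 * xorshift) is a bijection on h, so for a fixed buffer the whole function is a
 * bijection on its starting value, and two buffers that differ only in their
 * last byte always produce different results. Not a cryptographic hash. */
static uint64_t toy_md(uint64_t h, const uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        h ^= buf[i];
        h *= 0x9E3779B97F4A7C15ULL;
        h ^= h >> 31;
    }
    return h;
}

static void toy_rand_init(toy_rand *r) { r->pool = 0; r->counter = 0; }

/* Analogue of ssleay_rand_add(): new pool = digest(old pool || buf).
 * mix_input == 0 models the line the Debian patch removed: buf is never
 * hashed in, so the new pool depends only on the old pool. */
static void toy_rand_add(toy_rand *r, const uint8_t *buf, size_t n, int mix_input)
{
    uint8_t old[8];
    memcpy(old, &r->pool, sizeof old);
    uint64_t h = toy_md(0x243F6A8885A308D3ULL, old, sizeof old);
    if (mix_input)
        h = toy_md(h, buf, n);   /* the step the patch deleted */
    r->pool = h;
}

/* Analogue of ssleay_rand_bytes(): each block is digest(pool || counter) and the
 * pool is stirred forward afterwards. The feedback of the caller's (possibly
 * uninitialised) output buffer is left out, as in the second Debian change. */
static void toy_rand_bytes(toy_rand *r, uint8_t *out, size_t n)
{
    size_t done = 0;
    while (done < n) {
        uint8_t ctr[8];
        memcpy(ctr, &r->counter, sizeof ctr);
        uint64_t h = toy_md(r->pool, ctr, sizeof ctr);
        r->pool = toy_md(h, ctr, sizeof ctr);   /* stir pool forward */
        r->counter++;
        size_t take = n - done < 8 ? n - done : 8;
        memcpy(out + done, &h, take);
        done += take;
    }
}

/* Seed two generators with different material (constructed seeds differing in
 * their last byte), draw 16 bytes from each and report whether the streams
 * differ. Returns 1 when the add line is present; 0 when it is removed, because
 * the seed never reaches the pool and every instance draws the same stream. */
int output_depends_on_seed(int mix_input)
{
    const uint8_t seed_a[] = "device-seed-0";
    const uint8_t seed_b[] = "device-seed-1";
    toy_rand a, b;
    uint8_t out_a[16], out_b[16];
    toy_rand_init(&a);
    toy_rand_init(&b);
    toy_rand_add(&a, seed_a, sizeof seed_a - 1, mix_input);
    toy_rand_add(&b, seed_b, sizeof seed_b - 1, mix_input);
    toy_rand_bytes(&a, out_a, sizeof out_a);
    toy_rand_bytes(&b, out_b, sizeof out_b);
    return memcmp(out_a, out_b, sizeof out_a) != 0;
}

int main(void)
{
    printf("add line present: seed changes output = %d\n", output_depends_on_seed(1));
    printf("add line removed: seed changes output = %d\n", output_depends_on_seed(0));
    return 0;
}
```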

The third point: several people have come to the conclusion that OpenSSL relies on uninitialised memory for entropy. This is not so. OpenSSL gets its entropy from a variety of platform-dependent sources. Uninitialised memory is merely a bonus source of potential entropy, and is not counted as “real” entropy.

Fourthly, I said in my original post that if the Debian maintainer had asked the developers, then we would have advised against such a change. About 50% of the comments on my post point to this conversation on the openssl-dev mailing list. In this thread, the Debian maintainer states his intention to remove for debugging purposes a couple of lines that are “adding an uninitialised buffer to the pool”. In fact, the first line he quotes is the first one I described above, i.e. the only route to adding anything to the pool. Two OpenSSL developers responded, the first saying “use -DPURIFY” and the second saying “if it helps with debugging, I’m in favor of removing them”. Had they been inspired to check carefully what these lines of code actually were, rather than believing the description, then they would, indeed, have noticed the problem and said something, I am sure. But their response can hardly be taken as unconditional endorsement of the change.

Fifthly, I said that openssl-dev was not the way to ensure you had the attention of the OpenSSL team. Many have pointed out that the website says it is the place to discuss the development of OpenSSL, and this is true, it is what it says. But it is wrong. The reality is that the list is used to discuss application development questions and is not reliably read by the development team.

Sixthly, my objection to the fix Debian put in place has been misunderstood. The issue is not that they did not fully reverse their previous patch - as I say above, the second removal is actually fine. My issue is that it was committed to a public repository five days before an advisory was issued. Only a single attacker has to notice that and realise its import in order to start exploiting vulnerable systems - and I will be surprised if that has not happened.

I think that’s about enough clarification. The question is: what should we do to avoid this happening again? Firstly, if package maintainers think they are fixing a bug, then they should try to get it fixed upstream, not fix it locally. Had that been done in this case, there is no doubt none of this would have happened. Secondly, it seems clear that we (the OpenSSL team) need to find a way that people can reliably communicate with us in these kinds of cases.

The problem with the second is that there are a lot of people who think we should assist them, and OpenSSL is spectacularly underfunded compared to most other open source projects of its importance. No-one that I am aware of is paid by their employer to work full-time on it. Despite the widespread use of OpenSSL, almost no-one funds development on it. And, indeed, many commercial companies who absolutely depend on it refuse to even acknowledge publicly that they use it, despite the requirements of the licence, let alone contribute towards it in any way.

I welcome any suggestions to improve this situation.

Incidentally, some of the comments are not exactly what I would consider appropriate, and there’s a lot of repetition. I moderate comments on my blog, but only to remove spam (and the occasional cockup, such as people posting twice, not realising they are being moderated). I do not censor the comments, so don’t blame me for their content!

Bertrand Delacretazlivescribe note-taking smart pen - wow!


I wasn’t impressed at first when looking at the livescribe smart pen hardware specs (although impressive, that’s in a way just another smart pen), but the demos made the coin drop: synchronizing audio with smart paper notes sounds like the killer app for smart pens, and that pen seems to do it right. Can’t wait to try it!

Ted LeungJavaOne 2008: Part 2

I’ve been to so many conferences and seen so many talks that it’s hard for me to really get excited about conference presentations. I went to talks here and there, but nothing at JavaOne was really reaching out and grabbing me (in fairness, this happens at other conferences also, so it’s not just JavaOne). Or at least that was true until the last day.

Friday opened with a keynote by James Gosling, who served as the MC for a train of presenters on various cool projects.

Cool stuff

First up was Tor Norbye, who has done a lot of good work on support for editing different languages in NetBeans. Tor has been working on JavaScript support for NetBeans 6.1, and he showed off some cool features, like detecting all the exits from a function, semantic highlighting of variables, and integrated debugging between NetBeans and Firefox. All of which was cool. When I was managing the Cosmo group at OSAF, I tried a bunch of JavaScript IDEs and never really liked any of them. I haven’t done a lot with NetBeans 6.1 yet, but I will. Tor showed one feature, which was the killer one for me. NetBeans knows what JavaScript will work in which browser. You can configure the IDE for the browsers that you want to support, and this affects code completion, quick fix checking and so on. Definitely useful. Here are several more references on the JavaScript support in NetBeans 6.1.

The Java Platform

It’s easy for me (and others, I’d bet) to think mostly of JavaEE or perhaps JavaME when thinking about Java. That’s understandable given the world's fixation on web applications, and looking ahead to mobile. But the majority of the talks in Gosling’s keynote session had nothing to do with Java SE, EE, or ME (at least in the phone sense).

Probably the hit (applause meter wise) of the keynote was LiveScribe’s demonstration of their Pulse Smart Pen. This is an interesting pen that records the ink strokes that it makes, and any ambient audio that it records while the writing is happening. The ink and audio can be uploaded to a computer, as long as that computer runs Windows (apparently a Mac version is in the works). Unfortunately, the pen works by sensing marks on a special paper (that would be the razor blades), so there’s a limitation on how useful this can be. The presenter said that a future version of the software would allow people to print their own special paper, but that’s still a future item for now. By reading special marks on the special paper, you get a pretty cool user interface. The pen itself can run Java programs, and there is a developer kit available for it. If they can get by the limitation of special paper, I think that this is going to be pretty interesting.

Sentilla showed off their Mote hardware, which seem like RFID chips that can run Java programs, except that these RFID chips can form mesh networks amongst themselves and can have various kinds of sensors attached. There are lots of applications for these things, going well beyond inventory tracking and such.

Sun Distinguished Engineer Greg Bollella demonstrated Blue Wonder, which is a replacement for the computers used to control factories. Blue Wonder combines off the shelf x86 hardware, Solaris, and real time Java to provide a commodity solution for factory control applications. This is far afield of Web 2.0 applications, but just as cool, in my mind.

By the end of the keynote I was reminded of the long reach of the JVM platform, something that I’d lost sight of. The latest craze in the Web 2.0 space is location data — O’Reilly has an entire conference devoted to the topic. I think that sensor fusion of various kinds (not just location sensors) is going to play a big role in the next generation of really interesting applications. The JVM looks like it’s going to be a part of that. I don’t think than any other virtual machine technology is close in this regard.

Java’s future

I also went to a talk on Maxine, a meta-circular JVM. By the Twitter reactions of the JRuby and Jython committers, I’d say that Maxine is going to get some well deserved attention when it is open sourced in June. I’m particularly interested because the PIs for Maxine worked on PJava, and MVM. Given the differences between the Erlang VM and the JVM, I think that the ability to experiment with MVM is going to be pretty interesting. Apparently, there’s already some form of MVM support in Maxine - we’ll find out for sure in June.

During the conference I had a meeting with Cay Horstmann, and at the end of the meeting Josh Bloch saw Cay and wanted to talk to him about the BGGA closures proposal for Java. Turns out that Josh has an entire slide deck which consists of a stream of examples where BGGA does the wrong thing, generates really cryptic error messages, or requires an unbelievable amount of code. The fact that BGGA depends on generics, which are already really hard, doesn’t give me much confidence about closures in Java. If you are a statically typed language fan, I think that you ought to be worried about whether Java, the language, has any headroom left.

The last session that I went to was Cliff Click and Brian Goetz’s session on concurrency. Unsurprisingly, the summary of the talk is “abandon all hope, ye who enter here”. I was glad to see a section in the talk about hardware support/changes for concurrency. The problem is that concurrency is going to introduce end-to-end problems, from the hardware all the way up to the application level, and I think that every stop along the way is going to be affected. Unlike sequential programming, where we are still largely reinventing the wheels of the past, there is no real previous history of research results to be mined for concurrency. Hotspot and other VM’s are close to implementing most of the tricks learned from Smalltalk and Lisp, but those systems were mostly used in a sequential fashion, and while there were experiments with concurrency, there was much less experience with the concurrent systems than the sequential ones. Big challenges ahead.

Ted LeungJavaOne 2008: Part 1

JavaOne is a pretty intense experience, simply by virtue of the size. If CommunityOne was twice the size of OSCON, then JavaOne is three times the size of OSCON, and it shows. There was an immediate change in feel and atmosphere once JavaOne got into full swing. You could barely move sometimes, and there were a bunch of people whose job was to corral the crowds into some semblance of order.

JavaOne 2008

As a Sun employee, I was on a restricted badge, which made it hard to get into sessions (you are basically flying standby). On the other hand, I had plenty to do. I participated in a dynamic languages panel for press and analysts (who have their own track), which was pretty fun. The discussion was lively enough that we could have gone for another hour. There was one persistent fellow who really wanted there to be just one language, or wanted us to declare language X better for task Y. When I got started in computing, people learned and worked in several languages. It's only been recently that a language (Java) was popular enough that people could just learn one language, and the growth of web applications pretty much guarantees a multi-language future because of server side and client side differences. In the end, we’re back to finding and using the best tool for the job, or at least the most comfortable tool for the job. This is probably going to cause heartburn for big IT shops, but developers seem to be happy about it.

JavaOne 2008

I took a walk through the Java Pavilion with Tim Bray one afternoon. He got into the AMD booth’s aromatherapy display (and yes, he has a similar shot of me doing the same thing). One of the highlights of that excursion was Tim introducing me to Dan Ingalls, who made a number of very substantial contributions to Smalltalk, including its original VM and the BitBlt graphics operation. I am a great admirer of the work that was done in Smalltalk, and it was an honor to meet Dan and have him explain the Lively Kernel to me. A short (and probably not quite fair) description of the Lively Kernel is to take the lessons learned from Smalltalk/Squeak and implement them in the browser using Javascript, AJAX, and SVG.

JavaOne 2008

Unsurprisingly, I got the most value at JavaOne from the networking. And that means dinners, hallway conversations, and yes, the parties. Usually when I go to conferences, I am just a party attendee. This time, I also worked at some of the parties. It was a little different to walk around the SDN party wearing a t-shirt with “SDN Event Staff” painted large on the back. I still had a good time. Between the T-shirt and the camera, I definitely had some good conversations.

JavaOne 2008

Another benefit of being at a huge company is that they can really throw a big party. Like hiring Smash Mouth to play for a private concert:

JavaOne 2008

I’ve uploaded the rest of my photos from the conference to this Flickr set.

I actually do have some technical commentary, but I am going to put that into another post.

Rich BowenWrite every day

Last year, I tried very hard to write every day, and did a pretty good job of sticking to that. This year, it's been spotty, at best. I wrote a lot while in Amsterdam, and very little since I got back. Trying very hard to write, but, as Bradbury observes in the foreword of Dandelion Wine:

Like every beginner, I thought you could beat, pummel, and thrash an idea into existence. Under such treatment, of course, any decent idea folds up its paws, turns on its back, fixes its eyes on eternity, and dies.

Having met two of my very favorite authors - Douglas Adams and Arthur C. Clarke - I cannot think of any author I'd more like to meet than Mr. Bradbury, but I have no idea what I'd ask him, for I feel that I already know him, from what he has written. And the most important thing I've learned from him is simply to write every day, whether I have something to write or not. Of course, very very few can ever hope to rise to his level, but I imagine I have a good story or two hiding away somewhere, waiting for me to write it.

May 13, 2008

Steve LoughranTired of Outlook

So the reason for having rich client applications is for a better off-line experience, right? Why then, does Outlook suck? Why is it actually less responsive than Gmail on Firefox?