Planet Apache

Jacopo CappellatoQuattro Stracci

After a very long time I add a new post here... it is not mine actually, it is a lyrics by Francesco Guccini, the great Italian songwriter, and, of course, it is in Italian :(

"Quattro Stracci" by Francesco Guccini

E guardo fuori dalla finestra e vedo quel muro solito che tu sai. 
Sigaretta o penna nella mia destra, simboli frivoli che non hai amato mai; 
quello che ho addosso non ti è mai piaciuto, racconto e dico e ti sembro muto, 
fumare e scrivere ti suona strano, meglio le mani di un artigiano 
e cancellarmi è tutto quel che fai; 
ma io sono fiero del mio sognare, di questo eterno mio incespicare 
e rido in faccia a quello che cerchi e che mai avrai!

Non sai che ci vuole scienza, ci vuol costanza, ad invecchiare senza maturità, 
ma maturo o meno io ne ho abbastanza della complessa tua semplicità. 
Ma poi chi ha detto che tu abbia ragione, coi tuoi "also sprach" di maturazione 
o è un' illusione pronta per l'uso da eterna vittima di un sopruso,
abuso d' un mondo chiuso e fatalità; 
ognuno vada dove vuole andare, ognuno invecchi come gli pare, 
ma non raccontare a me che cos'è la libertà!

La libertà delle tue pozioni, di yoga, di erbe, psiche e di omeopatia, 
di manuali contro le frustrazioni, le inibizioni che provavi quì a casa mia, 
la noia data da uno non pratico, che non ha il polso di un matematico, 
che coi motori non ci sa fare e che non sa neanche guidare, 
un tipo perso dietro le nuvole e la poesia, 
ma ora scommetto che vorrai provare quel che con me non volevi fare: 
fare l' amore, tirare tardi o la fantasia!

La fantasia può portare male se non si conosce bene come domarla, 
ma costa poco, val quel che vale, e nessuno ti può più impedire di adoperarla; 
io, se Dio vuole, non son tuo padre, non ho nemmeno le palle quadre, 
tu hai la fantasia delle idee contorte, vai con la mente e le gambe corte, 
poi avrai sempre il momento giusto per sistemarla: 
le vie del mondo ti sono aperte, tanto hai le spalle sempre coperte 
ed avrai sempre le scuse buone per rifiutarla!

Per rifiutare sei stata un genio, sprecando il tempo a rifiutare me,
ma non c'è un alibi, non c'è un rimedio, se guardo bene no, non c'è un perchè; 
nata di marzo, nata balzana, casta che sogna d' esser puttana, 
quando sei dentro vuoi esser fuori cercando sempre i passati amori 
ed hai annullato tutti fuori che te, 
ma io qui ti inchiodo a quei tuoi pensieri, quei quattro stracci in cui hai buttato l' ieri, 
persa a cercar per sempre quello che non c'è, 
io qui ti inchiodo a quei tuoi pensieri, quei quattro stracci in cui hai buttato l' ieri 
persa a cercar per sempre quello che non c'è, 
io qui ti inchiodo a quei tuoi pensieri, quei quattro stracci in cui hai buttato l' ieri 
persa a cercar per sempre quello che non c'è...

Geir Magnusson Jr.How are TCKs that much different than a suite of unit and functional tests?

Doug Lea pointed out (in a closed forum, but knowing Doug, I don't think he'll be upset w/ me saying this in public) that there's widespread misconception in the industry about TCKs - that they are necessarily hard and difficult beasts to create. Example, from Frank at Artima :

But developing and maintaining a good TCK is a huge task, and one few open-source projects are accustomed to.

I think that Eclipse has 30k+ tests. Apache Harmony has a massive pile. GNU Classpath has something like 20k. There are tons in Apache Commons. Clearly it can be done. A TCK is really just a thorough (and if you've used them, not always so thorough) pile of unit tests :)

Geir Magnusson Jr.Hans Muller left Sun for Adobe

The Reg is reporting that Hans Muller left Sun for Adobe. Unfortunate, given Sun's apparent move of going "all in" in this area with the Java FX strategery. (Hey, it was the main subject of the JavaOne opening keynote two years running...)

While I'm confident that Sun still has enough remaining technical chops to deliver the core technology - some of the smartest people I know work there, and work on this - I think that Sun needs to modify it's DNA and get people that not only understand how to market to the development and design community, but also create tooling for designers as Adobe (clearly) and Microsoft (to some degree) - the two companies that Sun has decided to take on, head on - have at least a decade head start on them. Hint I - this will require investing heavily now, rather than trying to limp by on the cheap. Hint II - another walled-garden OSS community ain't gonna cut it because the best OSS tooling are tools that developers built for themselves. (Eclipse, NetBeans (sorta), gcc, ant, etc...). Designers don't build these kinds of tools for themselves.

This reminds me - given the sheer number and quality of Java engineering defections (I've lost track of the world-class rockstars that are just at Google, let alone Azul, etc)... I worry about the effect this will have on Sun's ability to deliver the next rev of Java SE...

Rich BowenNot in Russia

Those of you who follow my blog via the RSS feed may have just seen an article describing my first day in Moscow. This is a result of a bug in the blog software. I marked that entry "Don't Allow Comments", because it was receiving hundreds of spammy comments every day, and it was pushed back onto the RSS feed.

The trip to Russia was 3 years ago, and, alas, I have no plans to visit Russia any time soon.

Robert Burrell DonkinHama: Matrix Computations On Hadoop

Hama proposes to build a highly scalable parallel matrix computation library on . Unfortunately, they are currently short of one or two members to act as mentors.

Justin MasonFree SSL cert reissuance for Debian victims — unless you’re on RapidSSL

If you’ve been following the Debian OpenSSL pRNG security debacle, you may have noticed that there’s a painful problem for people who’ve used a Debian or Ubuntu system in the process of buying a commercial SSL key — they are in a situation where those commercially-purchased keys need to be regenerated.

(When an SSL key is obtained from a commercial Certificate Authority, you first have to generate a Certificate Signing Request on your own machine, then send that to the CA, who extracts its contents and applies a signature to produce a valid CA-issued certificate.)

Things are looking up for these victims, though — some smart cookie at Debian came up with these instructions:

SSL Certificate Reissuance

If you paid good money to have a vulnerable key signed by a Certificate Authority (CA), chances are your CA can re-issue a certificate for free, provided all information in the CSR is identical to the original CSR. Create a new key with a non-vulnerable OpenSSL installation, re-create the CSR with the same information as your original (vulnerable) key’s CSR, and submit it to your CA according to their reissuance policy:

  • GeoTrust: Here (Available throughout the lifetime of the certificate. Tucows/OpenSRS in this case, but the instructions are generic to any GeoTrust client.)
  • Thawte: Here (Available throughout the lifetime of the certificate.)
  • VeriSign: Unknown
  • GoDaddy: Here (Only possible within 30 days of the initial order. GoDaddy calls the process “re-keying”, while they call the act of sending you the same signed certificate as your original order a “reissuance”.)
  • ipsCA: Generate a new CSR as if you are purchasing a new certificate, follow through the procedure up until you get to the point where you are required to pay with your credit card. At that point contact support via their email and let them know that you are requesting a revocation and re-issue and include the ticket number of your new CSR request.
  • CAcert: This is a cost free certification authority. Simply revoke your old certificates and add new ones. (The key has to be created on a fixed machine and ONLY the certification request has to be uploaded!) At the moment the certificate generation will take some time as it seems that many users are re issue there certificate.
  • Digicert: Login to Your account to re-issue (free).

This is slightly incorrect, however (unfortunately for me). While GeoTrust claim to offer free reissuance of all its SSL certificates, they don’t really. Their low-cost RapidSSL certs require that you buy ‘reissue insurance’ for $20 to avail of this, if you need to reissue more than 7 days after the initial purchase. :(

Wiki updated.

Rich BowenOpen Source Forum, Russia, day one

Photos Here

Here I am, in Russia. I haven't had time to write yet, due to the network not being available throughout the conference. That's just as well, since I've attended some interesting talks, rather than wasting my time on IRC.

I left my Swiss Card in my bag, so ended up having to go through the TSA roadblock twice. I need to remember to pick it back up when I get back to Lexington.

I left Lexington a little early. After checking in, they said that they could get me on an earlier flight, so that I'd have a little more time in Cincinatti. That worked out well, since I was able to wander around the airport in Cinci, get some good photos, and get some folks to stamp Daba's passport.

The flight to Paris was uneventful, but very long. I haven't been on a 7+ hour flight in many years. I suppose since 2000 when I went to London. I managed to sleep a little, but not much. There was a couple on the plane, sitting next to me, who were on their way to a short vacation in Paris, and I had a nice chat with them.

I was in Paris for about 2 hours, and was amazed with how quiet the airport was. It wasn't empty - there were hundreds of people there - but they were so much quieter than a crowd of the same size would be in the US. I wonder why that is.

Out of Paris, I was on Aeroflot. I mentioned earlier that this was something I was looking forward to. I'm happy to admit that the flight to Moscow was uneventful, and very enjoyable. The plane was in excellent condition. The staff was helpful and courteous. The food was good. The coffee was simply amazing. It's not hard to understand why folks visiting the USA have so much trouble with the coffee. When I have a plastic cup of coffee on an airplane, and it's better than most of what I've had for the last several weeks, that tells you something.

And I didn't understand a single word that was said to me from the moment I got onto the plane until I was standing in line at customs in Moscow.

Moscow airport was the only place where I was unable to get anyone to stamp Daba's passport. This was because I was unable to communicate to the gentleman at the passport desk. This is a running theme. I feel very ignorant in my inability to communicate. I greatly regret not taking some kind of language course, so that I would at least be able to communicate at some rudimentary level. As it is, I can say yes, no, thankyou, and please. That's pretty pathetic. If/When you travel, do yourself a favor, and take the time to learn a few things. I meant to, but the last few months have just been so busy, and I didn't even learn basic things.

When I got through customs, there was a driver with a sign with my name on it, and he took me to the hotel. It was a fairly long drive, and I was anxious not to miss any of it.

First of all, the driving in Moscow is ... interesting. Nobody wears seatbelts. And lanes seem to be, at best, a polite suggestion. Significant stretches of the road had no painted lanes at all, and people were driving where they needed to drive to get where they wanted to. There were several times when I was certain that we were going to get smooshed. But what was great about this was that there was no evidence that people were getting enraged with the way that their fellow drivers were driving. Driving like that in the USA would very likely get somebody swearing pretty fiercly, if not shooting. Here, it was a little scary, but it was safe, in some strange way, because it appeared to be what folks expected.

The hotel - Hotel Belgrade - is in Arbaskaya, across the road from the Foreign Ministry, a *huge* structure built during the height of the Soviet Union. Wow. I also saw a tiny little church with beautiful domes. I got a set of those nesting dolls that I can never remember the name of, and a lovely little wooden egg with a painting of St. Basil's on it.

For dinner, I went to a place that the desk clerk at the hotel recommended, and had a lamb shishkebab and some rice-like grain that was completely unlike anything I have ever had. It was *fantastic*.

This morning I had breakfast with Larry Wall and Peter Beckman. That was pretty cool. And then I walked over to the conference with Larry. If I had known it was that close, I would have come over last night for the reception, but I thought it was quite a bit farther.

The conference so far has been very cool. The passion that people have here for Open Source is completely understandable. 1) Why would they want to send their money to the USA? 2) Why would they want their mission critical code - particularly government applications - to be running on code written by people in the USA?

The ability to jumpstart a business with existing code, and then hire people locally, and keep money in the country, is just *great*, and very appealing to anyone outside of the USA who has really thought about how the global economy works. When you send money to the USA, it doesn't usually come back.

The wireless network here has been somewhat unreliable, so we're now using my Airport Express. :-) Wireless network proudly brought to you by Asbury College. Go, Eagles!

Oh, yeah, one more thing. I had a great little conversation with Maddog Hall about small regional one- and two-day conferences, and why they fail, and what can be done to help them not fail. I sincerely hope that out of this will come some conversations in Lexington so that Kentucky can have a regional conference that is every bit as cool as the Ohio LinuxFest was. We have great people in the area, and there are some definite things that we did wrong the first two times around. (The first one actually happened, which made it inifinitely superior to the second one!)

The photos (link at the top) are not organized in any particular way, other than date. More to come, I'm sure.

Henri YandellAnother update

A week since my last update. Life continues to be busy.

The new job role has turned up the heat - I’m going from looking for things to juggle to juggling lots of things - especially with the old job role still intended to fill my time.  Each day at 4pm I tend to be exhausted - not due to lack of sleep (tonight’s late night not withstanding) as I get lots of sleep, but due to having nearly all my time outside of work and sleep being filled with Nathan.

I’ve managed to do a little coding. Commons Collections is getting closer to the next bugfix release - real close, and Codec too. I’ve started moving towards Lang 3.0 - including such wonderful things as removing deprecations! Maybe… depending what the opinions are etc.  It continues to be what I call dim sum coding - coding that works well with a high amount of context switching. Tonight’s late night comes from committing an extra hour or two to breaking the back of a painful serialization issue [mostly just in terms of figuring out why it didn’t like the test framework, and then once I had real tests why it wasn’t working in the first place].

Levi’s growing happily along. A fair bit of work as any new baby is, but still being remarkably chilled. Nathan’s also a delight and we’re starting to get a weekend routine, him and I. Must repeat this weekend despite relatives being here.

Yoav ShapiraPOPSignal party tonight

Went to the POPSignal party tonight, and it was fun. Met some cool new people / companies, like slingpage and bountii. Saw friends from familiar places like TripAdvisor and Conduit Labs. Had a couple of free beers, enjoyed hanging out with fellow internet marketing gurus. Not a bad way to spend a couple of hours. Thanks POPSignal!

It's pretty cool how most people have heard about HubSpot, know what we do more or less, and are interested. Recruiting is becoming easier. Two days ago we literally had a guy just knock down our door and not leave until our awesome admin promised to give me his resume. Kudos for tenacity.

We also got TechCrunch'ed today, second time this year, regarding our recent venture funding round. This time the servers held up well, giving me some gratification over the architecture changes since the last TechCrunch event.

J Aaron FarrOpen Source Conference in Guangzhou Next Week

Next week will be the third annual open source conference hosted by the China Open Source Promotion Union (the text encoding of that website is messed up at the moment). Same as last year, the event will be held in Guangzhou and feature local and foreign open source experts. A schedule is up online, but I don’t know where the registration form is. Last year registration included a fairly small fee, which I imagine you could pay directly at the Shangri La hotel.

I’ll be speaking this year, so hopefully I’ll see some of you, assuming I can renew my China visa (new rules, not cool).

Rich BowenObligations to Ire

Obligations To Ire

For the Weekend Wordsmith prompt Carrying A Grudge.

It takes enormous endurance
to remain angry,
even when you provide fresh reasons
day following day,
reopening wounds so old,
the original injury is a blur
in the broken rear-view mirror.

Sure, it flares up, fueled
by your careless actions,
selfish remarks, and callous manners,
but, most days, the petulant child
that you have become
merely buzzes, a trapped blue bottle
battering the panes
on a summer day when I'd rather
just be reading by the creek.

The grudge, long since
become an immovable burden,
shackled to me by a cable
of hatred and weary rage,
is to, too heavy to carry --
more like drag.

But so sure as I unfetter,
and try to escape,
you fling a hawser or two
around my raw, chafed ankles,
and remind me of my
obligations to ire.

Reinhard PoetzApache Cocoon 2.2.0 Released

After too many years of development, Apache Cocoon 2.2.0 finally arrived. As I wrote in  Cocoon 2.2: A new architecture a lot of things have improved. There is also a Getting Started guide that  helps you with you first steps. Have fun!

Torsten CurdtIs Twitter Down?

Is Twitter Down?Lately I was getting a bit more into twitter. For obvious reasons I found this service that somehow made me lough when I found it. I just wish it would say “Yes” less often.

Henning SchmiedehausenMy personal heroine…

Rodent of Unusual Size (Ken Coar)Incoming!! Nickel-iron meteorite dice for sale

I've finally gotten the mini-mill and mini-lathe installed and running, though as a consequence moving around in the office has gotten much more difficult — and doing so barefoot more dangerous. I've started recording what I work on at Flickr, and the first actual product is a half-dozen 0.2" six-sided dice made from a slice of nickel-iron meteorite. You can see them in my eBay listings for as long as they're still at auction.

Here's a sample photograph; click the pic for an enlarged view.

A lot of effort went into making these, and since the dice made from stony meteorites are about U$100 apiece, when and where you can find them, I figure the even rarer ones made from meteoric metal should be more expensive.

Collect 'em all! ;-D

They weigh approximately 1 gram apiece.

Howard M. Lewis ShipTapestry 5 with NetBeans

At NFJS Boston last month, I ran into Alex Kotchnev. We had a number of chats about Tapestry and spurring wide adoption. I'm still working on some of those ideas. He's a NetBeans user whereas most of the documentation assumes Eclipse or IDEA. He's posted a blog about use Tapestry in NetBeans; specifically, using the Maven support to avoid typing the dreaded Maven project creation incantation.

Ted LeungScala liftoff

I stayed around in San Francisco for one more day after JavaOne, in order to attend the Scala liftoff. The liftoff was an open space style conference (which has a more specific meaning than “unconference”, at least to me). My friend Kaliya Hamlin did a great job of facilitating the day.

Scala liftoff 2008

Scala has steadily been gaining attention, and hasn’t yet hit (at least in my eyes) the hype part of the classic Gartner hype cycle. I’ve been poking about with Scala, mostly because of the type inferencing, the Actor library, and lift. I have great respect for the work that Martin Odersky has done over the years, which also has me interested. Couple that with what I learned about closures in Java at JavaOne, and the list of reasons to look more deeply at Scala is getting long, especially if you are determined to have a statically typed languages.

Scala liftoff 2008

I wasn’t able to make it to any of sessions on lift. It just worked out that other sessions overlapped them in a pathological way. While this is unfortunate, I am sure that I’ll be able to pick up anything that I need from the mailing lists and other documentation. I was able to attend two sessions on actors. One of the sessions had people with questions about actors, but no Scala actor experts were in that group. There was some discussion of Pi-calculus and the join calculus, but no discussion of the actual actor theory.

Steve Yen’s session on actor-d was pretty useful. Steve set out to build a version of memcached using Scala’s actors. He spent most of his slot talking about Scala/Java isms that he ran into - this was important since he was comparing to the C memcached. By the time he got to the actor related stuff, he was almost out of time. Steve found that he had to remove actors from the main loop of his server in order to get sufficient performance. He wanted to get statistics from the server in the background and discovered that he main loop actor was always processing messages and was never idle long enough to report statistics. He ended up replacing the actor with plain old Java Threads (POJT?). This was in addition to all the fact that he ran into many of the standard Java problems as well. I’m not sure what to conclude from this. I don’t recall what kind of hardware he was on, and I am not convinced that he had the right architecture for an actor based system. Some of his experience also seemed contrary to what the lift folks have been claiming. I think that we are in for a decent amount of investigation here. One of Martin’s statements about Scala is that it is possible (and better) to extend the language via libraries than via actual language constructs. For the most part, I agree with this, but there are certain extensions which have interactions with the runtime - like concurrency. In those cases, I don’t see how the library approach allows taking advantage of runtime features. The current version of Scala actors is implemented as a library.

One of the things that I am currently working on is support for Python in NetBeans, so I dropped into the session on IDE support for Scala. With the exception of IntelliJ, none of the IDE plugin principals were present, so it was hard to have a really productive discussion. Martin did attend the session and we talked about the possibiliy of getting hooks into the existing Scala compiler, particularly the parser and the type inferencer. That could yield some big dividends for people working on IDE support. One IDE feature that I would like to see is the ability to hit a key, and have the IDE “light up” all the inferred types, overlaid on the existing program code. This would allow developers to see if their intuition about the types actually matched that of the type inferencer. I’d like a feature like this for Python/Ruby/Groovy/Javascript code as well. Further discussion was deferred to the scala-tools mailing list.

Scala liftoff 2008

The other session that I participated in was the session on Scala community and governance. Several people wondered about this during Kaliya’s “What questions do you have about Scala” portion of the schedule building. When nobody else put up a session in this area, I grabbed a slot, hoping to spur some conversation - if for no other reason than my own education. Fortunately, Martin had already been thinking about the problem. He is going to adopt a Python style governance, with him (and EPFL) having the final say on language design matters. There will be Scala Enhancement Proposals (SEPs), like the Python PEPs. I’m very happy with this. I think that Python has done very well at maintaining the balance between (lots) of community input on the language design, while still retaining that “quality without a name”. One of the things that I said during the CommunityOne general session panel was that particular individuals in the right place, at the right time, matter at great deal. After watching Martin for the day, and seeing his interactions on the mailing list over the last few months, I think that the design of Scala is in very good hands.

We also talked about the evolution of the Scala libraries. The Scalax project is working to build a set of utility libraries for Scala. Martin views scalax as a place where anyone can submit a library, have it tested, vetted, reworked, etc. Eventually some code in scalax would be candidates for addition to the Scala standard libraries. This also seems like a sane approach to me. I like the idea of having a place for libraries to shakeout before going into the standard libraries. Martin also mentioned a LINQ in Scala project. I need to track that one down too.

It is good to be in a multi-language world again. There’s room for Scala, Python, Ruby, and others. Another language that I am keeping my eye on is Newspeak.

Ben LaurieExploiting Network Cards

A friend of mine, Arrigo Triulzi (no web page that he wants to admit to), has just posted this fantastically scary missive to the Robust Open Source mailing list (no public archive, so I will quote it in its entirety)

I’ve been working on firmware for the past two and a bit years, in particular in the field of firmware viruses.

Without needlessly boring everyone with the various steps allow me to share an interesting observation: drivers often assume the hardware is misbehaved but never malicious. It is fascinating to discover what can be done by making the hardware malicious.

Summarising briefly my work, as yet unpublished except the obligatory notices to the affected vendors (in what follows please read NIC as strictly wired, no wireless cards):

1) there are remarkably naive “protection” methods to prevent malicious users from overwriting NIC firmware with something of their choice,

2) as an extension to 1) above it is amazing to discover how simply firmware can be updated over the wire on specific NICs,

3) from 1 & 2 above, after about two years, I’ve reached my goal of writing a totally transparent firewall bypass engine for those firewalls which are PC-based: you simply overwrite the firmware in both NICs and then perform PCI-to-PCI transfers between the two cards for suitably formatted IP packets (modern NICs have IP “offload engines” in hardware and therefore can trigger on incoming and outgoing packets). The resulting “Jedi Packet Trick” (sorry, couldn’t resist) fools, amongst others, CheckPoint FW-1, Linux-based Strongwall, etc. This is of course obvious as none of them check PCI-to-PCI transfers,

4) I have extended the technique to provide VM escape support: one writes packets from a bridged guest into the network which initiates the NIC firmware update, updates the firmware and then the NIC firmware is used to inject code into the underlying VM host. The requirement to write to the network is then dropped as all that is required is the pivoting in the NIC firmware.

This scares the crap out of me, just as it stands. But he’s missed a trick, IMO: because of the nature of the PCI bus, you can use the same technique on any machine with a vulnerable NIC to read all of RAM. You might even be able to read disk, too, depending on the disk controller.

Oh boy, this is going to be a can of worms once exploits start appearing (if they haven’t already, that is).

Jim JagielskiJCP changes?

Geir posts this interesting blog entry. If Sun and others are really interested in figuring out how to improve the situation within the JCP, especially in really encouraging community involvement and interaction, I wonder who-oh-who could they possibly ask?

Guillaume NodetServiceMix 4 NMR on Equinox

I've done some experiments today to check that ServiceMix 4 NMR can be easily deployed on Equinox instead of Felix. Have a look at this wiki page.

Luciano ResendeJavaOne 2008 : Tuscany and SCA coverage, and the Brazilian community off course...

It was very good to see a lot of SOA and SCA coverage at JavaOne 2008, there was at least couple sessions about these topics each day, and several were mentioning Apache Tuscany.

Also, couple good feedback worth quoting from the blogsphere :

Michael Meehan wrote:

JavaOne report: Apache Tuscany, can SOA be this easy?

In front of a packed room of a few hundred developers at the 2008 JavaOne conference yesterday, IBM’s Jean-Sebastien Delfino gave a presentation of the Apache Tuscany project, an open source implementation of the Service Component Architecture (SCA) standard. SCA is designed to facilitate a standard method of constructing, assembling and developing composite services and the Tuscany implementation (currently in version 1.2) looks to be ridiculously easy to use.

One of the mantras in the SOA space is that it’s hard to do. Sure enough, enterprise architecture and end-to-end governance come with a high degree of difficulty, but Tuscany seemingly has made it a snap to stitch together a composite, Web-based service. According to Delfino, the idea is to abstract away the plumbing details using HTML-style annotations and map out the business logic of the service.

Jeff Anderson wrote:

The Highlights of SCA at JavaWorld 2008

Tuscany is a great open source implementation of SCA, with real-world production implementations
Jean-Sebastien Delfino and Mario Antollini gave a incredible presentation on Tuscany my favorite open source implementation of SCA. The highlight of the presentation (IMHO) was when Jean-Sebastien showed had easily extend the SCA specification to include mashups/Web 2.0 component creation. My opinion this is one of the highest values of SCA, a truly comprehensive component model that spans technologies, from simple AJAX/ATOM components to more complex WSDL/SOAP style services. Brilliant.
This session really showed how easy it was to make services, or components of any nature using SCA

As for the Brazilian community, they showed up again !!! We even had representatives from the Brazilian Government discussing the engagement of the Brazilian government in consuming and producing open source software, see panel abstract below :

PAN-7063: Free and Open-Source Software (FOSS): Use and Production by the Brazilian Government

The Brazilian government has been a pioneer in the use and production of free and open-source software (FOSS). This initiative is best represented by the Brazilian Public Software Portal (BPSP), a national web site that makes available the free and open-source software produced by the government and offers several services for the local FOSS community. This presentation by the government officials who are implementing this large initiative shows how the adoption of free software, such as Java™ technology-based applications and much more, was crucial to making not only the use but especially the development of new software in the government possible. The session also shows the results of the initiatives, presenting some of the amazing software solutions now available to users worldwide, and discusses some of the next steps planned by the Brazilian government.

And below, couple Brazilian dudes posing for pictures...

Ben LaurieDebian and OpenSSL: The Last Word?

I am reliably informed that, despite my previous claim, at least one member of the OpenSSL team does read openssl-dev religiously. For which he should be commended. I read it sometimes, too, but not religiously.

So, forget I said that you don’t reach the OpenSSL developers by posting on openssl-dev.

Stefan BodewigTalk at Regionalgruppe Düsseldorf der Gesellschaft für Informatik

Last night I was invited by the Düsseldorf local section of the German Gesellschaft für Informatik (think ACM) to talk about Open Source Software.

I figured I should talk about the parts of the Open Source universe I actually know and so it became a "what is the ASF, how are we different from others, how do we work" kind of talk. The audience was very interested and we had some good questions and discussion during and after the talk. I enjoyed it and hope it has been the same for the audience.

This marked the first time I've been presenting to people that neither are customers nor coworkers and judging from the feedback I received it went pretty well - or people have just been nice.

The German slides are here and if anybody knows of an easy way to turn an S5 presentation into a slide-by-slide PDF I might put it up at Slideshare as well.

Torsten CurdtCocoaHeads Frankfurt

There is no such event yet. But I think it would be great if there was. CocoaHeads is a monthly gathering of Cocoa enthusiasts. With presentations, tutorials and general discussion around Cocoa programming. There are meetings all over the world - just not in Germany. Actually not event in continental Europa.

If you would be interested in attending …please drop me a mail, a comment or whatever. If we can get more than 10 people interested I’ll step up and try to organize the event.

Lars TrieloffBlack Friendfeed Widget with Fluid

My Favorite SSB application Fluid got an update some days ago that allows you to fiddle with some window settings, namely the window opacity and the window decoration and the window placement (normal, above all windows, below all windows, above the dashboard). With the window decoration comes a black-window style with dark window borders and scroll bars that looks very cool. But using this style with Friendfeed for which I provided a custom userscript before yielded unpleasant results as the white background of friendfeed and the dark window borders do not match.

So I modified the user CSS file that is embedded in every Fluid SSB application (Right-click the application icon in Finder, select "Show package contents", browse to Contents/Resources) called default.css to give me a black background with white text and links (and I removed all the sidebar and clutter to make it a minimal interface)

The result looks like that and gives specialized desktop applications such as Twhirl or AlertThingy a run for it's money.

Geir Magnusson Jr."Men in suits"?

This amazingly off-the-mark article appeared in The Register yesterday. Dalibor just joined Sun and surely is still getting his bearings and has never participated in the JCP and it's possible he was misquoted by Gavin. As a friend of Dalibor, I've suggested to him that he should get it corrected. As the Apache Software Foundation representative to the JCP EC, I sent the following to the Sun EC reps and chair of the PMO trying to figure out what Sun is up to here :

Patrick, Danny, Calinel :

Given that fact that the statements contained in

are given by a Sun employee identifying himself in his job role, can I assume that Sun is interested in taking this discussion public? I think that is a really healthy approach. I think there is confusion about the basic facts and I think clarification will be useful for the community as a whole.

I think I'll wait to see what Sun's intention is here before addressing some of the problems in the article. After all, it could be a just a huge misunderstanding. Why do I care? Because openness, transparency and the equitable "rule of law" is inherent in the ASF's struggle in securing an equitable Java SE TCK license from Sun.

Hopefully Sun will allow me to publish their answer. Not being able to would be supportive of "A culture favoring closed-door meetings" :)

Colm MacCárthaighSecurity breach disclosure practice

For a long time now, we at Digital Rights Ireland have been campaigning for a law which would oblige companies who store our data to inform us of the details of any security breaches.

This is a hot-topic, with recent disclosures from the Bank of Ireland, and the Irish Blood Transfusion Service, of just this nature. Today I received a letter in the post from Adobe, informing me that some details I uploaded to their website may have been similarly subject to compromise.

As part of the process for making a student-discount purchase with Adobe, I was asked to upload a scan or photograph of my student card - which I was happy to do - and it appears that those images may have been available for others to view. According to the letter, this process may have been used for credit card details in some cases.

In the absence of a law obliging them to so, Adobe, BoI and the IBTS are actually to be commended for telling us about these breaches of security. Of course the notifications may be driven by an increasing consensus that not to do so would be a true negligence, as the real-world ramifications and triviality of identify theft is increasingly apparent, but it is welcome nonetheless. It is better at least to know that it has happened.

When the Bank of Ireland revealed its problems with laptop theft, it was big news, and widely discussed; ordinary consumers expressed fears, the data protection commissioner made recommendations and our collective security has improved since. Already, the adverse commercial effects of these notifications are spurring other businesses to review and audit their own practices. This can’t be but a good thing.

But despite these voluntary notifications, and the emerging consensus of their necessity, there are similar events like this every week that go unreported. Maybe the new minister for Justice, Dermot Ahern, with relevant experience from the Dept. of Communications, can remedy this situation. In the meantime, I think we’re actually better off with the companies who do tell us about these problems, at least they are proving a track record that the customer should matter.

Sam RubyMen in Suits

Geir Magnusson Jr: Given that fact that the statements contained in [link] are given by a Sun employee identifying himself in his job role, can I assume that Sun is interested in taking this discussion public? I think that is a really healthy approach. I think there is confusion about the basic facts and I think clarification will be useful for the community as a whole.

Simon Phipps: The lesson to be learned is that the best way to get Java everywhere was to work with the community rather than expect the community to work with Sun. Let’s hope that lesson sticks and spreads.

There is a discussion going on.  At the moment, it appears to be between Sun and the press.

It is the right discussion to be having.  Let’s just make sure that the right people have every opportunity to participate.

Jeremias MärkiBarcode4J 2.0 released

I let it slide for too long but now, Barcode4J 2.0 is finally available. Since the last alpha release I’ve been able to fix a number of bugs in DataMatrix and PDF417. As a last-minute addition I’ve added support for the USPS Intelligent Mail Barcode of which you can see an example below.

USPS Intelligent Mail Barcode Example

There’s also a detailed list of changes for this release.

Brian McCallisterTopology Aware Consistency Policies

I am increasingly fascinated by consistency options, in a distributed storage system, made available by topology awareness on the client. For example, if you consider a write committed iff the write has been made to a majority of all storage nodes and a majority of the local nodes, where local would typically be "same datacenter," it allows you to achieve repeatable read read what you wrote consistency locally when a majority of local nodes have responded to a read request with a matching response, while still providing overall consistency across the entire system.

Ask Bjørn HansenLinks for 2008-05-14 []

Luciano ResendeInfoQ post about Tuscany SCA 1.2 Release

Interested in learning a little more about what's new in Tuscany and SCA 1.2 release ?
The following InfoQ article/interview gives you some interesting insights on some of the new features and possible directions for future releases. See a little bit below:

InfoQ: Among all the features that this release has introduce which ones do you consider most important?

LR: SCA is about building distributed composite applications, and the new SCA distributed domain support with an SCA Domain Manager application allows you to build and deploy your solution into multiple SCA Nodes. These nodes can run on different platforms and runtimes (e.g Geronimo, Tomcat, Jetty, etc) or just plain J2SE.

With OSGI support, users can now run Tuscany and SCA in a OSGI Runtime.

The new Tuscany Eclipse plugin improves the user experience for developers building SCA applications. It integrates Tuscany with Eclipse to help you add the Tuscany runtime to your project; edit composites by providing code assist, and to run composites directly from your development environment.

To download Tuscany SCA 1.2, please go to the Tuscany download page.

Rich BowenStorms


We stand here, high on the hill,
and watch the rains come
like an African monsoon
sweeping across the desiccated
plains, dry dusty barren.

So many of these storms
lately, we just watch it come,
to the deluge that we know
we can't run fast enough
to escape. Our sadness

washes around us, even
as the rain, so long in coming,
so feared and so anticipated,
soaks our upturned faces,
hides our tears.

All very cliché, of course,
which isn't to say it's not real,
just that it's universal.

No one gets to their heaven
without a fight.

And some never
get there at all,
though they fight, seemingly,
without a respite
while the storm rages.

Those of us who have found
it, by persistence or dumb luck,
may, now and then, offer
a brief shelter
to those who, so far, haven't.

Rich BowenFramed

Yesterday I drove past that place
I used to live,
on the way home to you.

I cowered behind that very window,
of the world outside,
that it wouldn't miss me,
that it wouldn't notice
that I had vanished behind that frame.

I watched, through that frame,
others living the life
I could not live,
because I was
I knew not of what,

nor why I had been exiled
to this penitentiary
which I paid good money
to inhabit.

There, framed in that window,
another lonely soul
gazed out at me, wondering
if I saw as I went on my way,
past this refuge of those
too young to have lived,
and those done with it.

Rich BoweniDog

Last Christmas, The Girl begged and begged and begged for an iDog, which is a delightful little thing that dances to music either heard on its microphone or received from a audio input cable.

She played with it once or twice, but quickly lost interest. It's pretty stupid, and requires a lot of attention before it does anything interesting.

Earlier this week, The Girl and The Boy were fighting over it, so I brought it to work and plugged it into my desktop speakers. It is very weird. It whimpers occasionally, apparently when it doesn't like my music. It dances to stuff it likes. It blinks its lights in seemingly random patterns. It chirps and flashes green when you pat its head. It growls when you tweak its tail.

Here's the complete documentation, just in case you care.

When I was a kid, toys didn't come with 16-page users manuals. Sheesh.

Lars TrieloffSee something cool, learn something new, win something shiny

I went to one of our customers today to demo our Digital Asset Management System (it seems to be DAM-week, see also my presentation at the Henry Stewart Show) and one of the projects managers told me that he started playing around with Sling and how impressed he was with the power that is hidden in Sling and JCR and how easy it was to build something interesting. So, if you would like to see something cool, just as he did, download CRX Quickstart Edition, which contains CRX (a commerial grade content repository) and Sling (a web application framework built around the concepts of JCR, REST, AJAX, OSGi and Scripting) and take a look at Michael Marth's screencast first steps with CRX Quickstart. (This was the see something cool part)

Having seen something cool, it is time to learn something new, namely building applications using Sling and JCR and CRX Quickstart is a great way of doing to. Aside to the aforementioned screencast, there is a second one: the in 15 minutes and the rest of the CRX Quickstart documentation we have assembled.

If you now want to win something shiny, namely a brand new MacBook Pro, apply your newly won knowledge and take part in the Day JCR Cup '08, which is one of the reasons we released CRX Quickstart. We want more developers to learn something new, more developers to build something cool and thought that winning something shiny might be a good incentive to do so.

Nick Kewniq

Much has been said about the Debian/OpenSSL bug by people closer to it than I am. An expert view comes from Ben Laurie, who lays in to the Debian packagers for fixing an apparent bug locally, and not sharing it with upstream. In a second post, Ben clarifies some confusing issues, like whether OpenSSL is relying on uninitialised memory for entropy (not quite, but what it’s doing is not good either).

Ben’s wrath is well-deserved, but it seems to me there’s a fundamental reason why the OpenSSL folks must bear a share of the blame. Given the use of uninitialised memory, why wasn’t there a great big comment right there in the code, explaining it? Anything like that is sure to raise alarm bells in anyone reviewing the code, and send a programmer straight into fix-the-bug mode. And that’s an apparent-bug with a fix so simple that a compiler or runtime library could do it automatically. Don’t blame the Debian maintainer for fixing a blunder so trivial it must be a typo!

Why the “fix” went beyond just initialising that memory and broke it is beyond the scope of my (non-) research on the subject, and therefore this post.

UPDATE: Kudos to Michal Čihař for pointing out the upside to this sorry tale.

Henning Schmiedehausen…why you should never, never, *never* patch code that you do not understand fully…

And that is why you report bugs to upstream and let those that know what they are doing, sort them out. Not someone with a half-wit for a brain.

Random patching and “improvement” of code is evil. End of story.

“Given enough eyeballs, all bugs are shallow”, my ass. Look at all the debian, and debian related (hello, Ubuntu people!) users squirrel around to change every single bit of crypto that they created in the last two years.  Repeat after me: TWO YEARS.

Who of them freedom lovers ever bothered to look at the patches that this oh-so-trustworthy distribution provider has put into a package. Speaking of “single vendor lock-in”: How many distributions call themselves “free and open” just because they recompile or just ship the debian packages verbatim.

That is as good as shipping an OEM Windows, folks! And now you got burned. Bad for you. Good for community health in the long run. Keeps you on your toes.

James StrachanApache ActiveMQ 5.1 and Apache ServiceMix Kernel 1.0-m3 Released!

Apache ActiveMQ 5.1.0 is now out. Both Bruce and Hiram cover this nicely - if you use ActiveMQ I'd recommend upgrading, its got tons of bug fixes.

Also things are really hotting up in the spiffy new OSGi based ServiceMix Kernel that has just released 1.0-m3. Both Guillaume and Bruce have the low down. Grab it while its hot!

Hopefully soon ActiveMQ may come built on ServiceMix Kernel by default which will certainly really help make it easy to hot-redeploy Enterprise Integration Patterns routing rules within the broker.

Ortwin Glück[General] Animation film

Just found this amazing animation film made from graffity by BLU. Must have taken weeks to make!

Danny AngusUsing Apache2 as a reverse proxy

It was years since I'd done this, and I'd forgotten everything about it but niq's article gets it all across nice and concise.

Ben HydeTracking the powerless

Here’s another example of the natural progression of Moore’s law and privacy invading systems; where in the powerless (shipping containers, pets, cattle, prisoners, solders, women and children, shoppers, etc) pay the start up costs.  In this case we are tracking high school students.  I think I may need to touch up my model a bit.  Clearly the police states are also a fertile source of funding for innovation.

Davanum Srinivasdavanum

First reference to karma on an apache mailing list:   Next clue, the following post points to CVS as a possible source:   Wading through the CVS archives, It looks like we have a person named dprice (Derek Price?) to blame at the very least for checking in a contribution into CVS: [...]

Sam RubyBeta 1.1

B1.1 of Agile Web Development with Rails, 3rd Edition is out.  Unless you have an deep interest in the migration function, there isn’t much new content here — the primary focus on this update is addressing the errata and forum comments received to date.

This effort has turned out to be both harder and more rewarding than I would have ever anticipated.  Harder in that Rails has changed so much, there has been so much to learn (in terms of Rails 2.0, SQLite3, and also in terms of working with a different publisher, operating system, and toolset).  But I can’t begin to express how much I like the beta books program — the readers that this book has attracted so far have been great and their comments, questions, and feedback have been most appreciated.

Also, while this book has always had ample source code provided, I’m continuing to look for ways to both expand and automate.  Rerunning the code on rails edge, for example is now something I can repeatedly do in a matter of minutes.

Geir Magnusson Jr.MobileTerminal upgrade on iPhone

Just got an update to version "286u-7" via Cydia. Basically, this is a nice terminal for the iPhone that lets me do usual shell things, and the packages that come via Cydia make it very powerful. Full apt, for example. ssh, svn. (I can setup a tunnel to an internal JIRA server at 10gen so that I can use my iPhone browser...)

The UI is half-screen of keyboard, and half-screen of terminal window. What's interesting is seeing how they are learning how to leverage the touch features of the screen. A terminal using the iPhone kbd is a little challenging, especially w/ the small screen for those of us where glasses are required more and more :) so finding ways of incorporating graphics and touch will make this tool all the more useful.

They are using single-finger touch to bring up a neat "grid" menu, short and long single finger swipe, and two finger swipe. I'm still figuring it out, but what I know is nice. For example, short swipes up and down gets you the up/down command history in the shell, just like an up/down arrow would. Short swipe up to the "northeast" is a ctrl-c, to the "southwest" is tab. "west" is backspace, and "east" is space. Two-finger swipe up ("north") is the conf page, down is hide/show keyboard, "west" and "east" flip between the multiple terminal sessions. When you touch and hold, a square "menu" of buttons comes up, and sliding to them either does the function (e.g. "clear"), or changes the "menu" to a set of variants. For example, sliding to the "ls" button - which is darker to indicate that there are options there - switches the rest of the squares to variants : "ls -a", "ls -al", "ls -s" etc.

The results are pretty nice - if you have experience working in a shell, you can go pretty fast. I've only used it for a few things so far - ssh-ing into a server at work, or setting up a tunnel so that I can control a Hudson instance running inside our firewall. The iPhone is an incredibly powerful little computer, and having a good command line makes it more so. I wonder when Android will run on it? :)

Ben LaurieDebian and OpenSSL: The Aftermath

There have been an astonishing number of comments on my post about the Debian OpenSSL debacle, clearly this is a subject people have strong feelings about. But there are some points raised that need addressing, so here we go.

Firstly, many, many people seem to think that I am opposed to removing the use of uninitialised memory. I am not. As has been pointed out, this leads to undefined behaviour - and whilst that’s probably not a real issue given the current state of compiler technology, I can certainly believe in a future where compilers are clever enough to work out that on some calls the memory is not initialised and take action that might be unfortunate. I would also note in passing that my copy of K&R (second edition) does not discuss this issue, and ISO/IEC 9899, which some have quoted in support, rather post-dates the code in OpenSSL. To be clear, I am now in favour of addressing this issue correctly.

And this leads me to the second point. Many people seem to be confused about what change was actually made. There were, in fact, two changes. The first concerned a function called ssleay_rand_add(). As a developer using OpenSSL you would never call this function directly, but it is usually (unless a custom PRNG has been substituted, as happens in FIPS mode, for example) called indirectly via RAND_add(). This call is the only way entropy can be added to the PRNG’s pool. OpenSSL calls RAND_add() on buffers that may not have been initialised in a couple of places, and this is the cause of the valgrind warnings. However, rather than fix the calls to RAND_add(), the Debian maintainer instead removed the code that added the buffer handed to ssleay_rand_add() to the pool. This meant that the pool ended up with essentially no entropy. Clearly this was a very bad idea.

The second change was in ssleay_rand_bytes(), a function that extracts randomness from the pool into a buffer. Again, applications would access this via RAND_bytes() rather than directly. In this function, the contents of the buffer before it is filled are added to the pool. Once more, this could be uninitialised. The Debian developer also removed this call, and that is fine.

The third point: several people have come to the conclusion that OpenSSL relies on uninitialised memory for entropy. This is not so. OpenSSL gets its entropy from a variety of platform-dependent sources. Uninitialised memory is merely a bonus source of potential entropy, and is not counted as “real” entropy.

Fourthly, I said in my original post that if the Debian maintainer had asked the developers, then we would have advised against such a change. About 50% of the comments on my post point to this conversation on the openssl-dev mailing list. In this thread, the Debian maintainer states his intention to remove for debugging purposes a couple of lines that are “adding an unintialiased buffer to the pool”. In fact, the first line he quotes is the first one I described above, i.e. the only route to adding anything to the pool. Two OpenSSL developers responded, the first saying “use -DPURIFY” and the second saying “if it helps with debugging, I’m in favor of removing them”. Had they been inspired to check carefully what these lines of code actually were, rather than believing the description, then they would, indeed, have noticed the problem and said something, I am sure. But their response can hardly be taken as unconditional endorsement of the change.

Fifthly, I said that openssl-dev was not the way to ensure you had the attention of the OpenSSL team. Many have pointed out that the website says it is the place to discuss the development of OpenSSL, and this is true, it is what it says. But it is wrong. The reality is that the list is used to discuss application development questions and is not reliably read by the development team.

Sixthly, my objection to the fix Debian put in place has been misunderstood. The issue is not that they did not fully reverse their previous patch - as I say above, the second removal is actually fine. My issue is that it was committed to a public repository five days before an advisory was issued. Only a single attacker has to notice that and realise its import in order to start exploiting vulnerable systems - and I will be surprised if that has not happened.

I think that’s about enough clarification. The question is: what should we do to avoid this happening again? Firstly, if package maintainers think they are fixing a bug, then they should try to get it fixed upstream, not fix it locally. Had that been done in this case, there is no doubt none of this would have happened. Secondly, it seems clear that we (the OpenSSL team) need to find a way that people can reliably communicate with us in these kinds of cases.

The problem with the second is that there are a lot of people who think we should assist them, and OpenSSL is spectacularly underfunded compared to most other open source projects of its importance. No-one that I am aware of is paid by their employer to work full-time on it. Despite the widespread use of OpenSSL, almost no-one funds development on it. And, indeed, many commercial companies who absolutely depend on it refuse to even acknowledge publicly that they use it, despite the requirements of the licence, let alone contribute towards it in any way.

I welcome any suggestions to improve this situation.

Incidentally, some of the comments are not exactly what I would consider appropriate, and there’s a lot of repetition. I moderate comments on my blog, but only to remove spam (and the occasional cockup, such as people posting twice, not realising they are being moderated). I do not censor the comments, so don’t blame me for their content!

Bertrand Delacretazlivescribe.jpg

livescribe.jpgI wasn’t impressed at first when looking at the livescribe smart pen hardware specs (although impressive, that’s in a way just another smart pen), but the demos made the coin drop: synchronizing audio with smart paper notes sounds like the killer app for smart pens, and that pen seems to do it right. Can’t wait to try it!

Ted LeungJavaOne 2008: Part 2

I’ve been to so many conferences and seen so many talks that it’s hard for me to really get excited about conference presentations. I went to talks here and there, but nothing at JavaOne was really reaching out at grabbing me (in fairness, this happens at other conferences also, so it’s not just JavaOne). Or at least that was true until the last day.

Friday opened with a keynote by James Gosling, who served as the MC for a train of presenters on various cool projects.

Cool stuff

First up was Tor Norbye, who has done a lot of good work on support for editing different languages in NetBeans. Tor has been working on JavaScript support for NetBeans 6.1, and he showed off some cool features, like detecting all the exits from a function, semantic highlighting of variables, and integrated debugging between NetBeans and Firefox. All of which was cool. When I was managing the Cosmo group at OSAF, I tried a bunch of Javascript IDE’s and never really liked any of them. I haven’t done a lot with NetBeans 6.1 yet, but I will. Tor showed one feature, which was the killer one for me. NetBeans knows what Javascript will work in which browser. You can configure the IDE for the browsers that you want to support, and this affects code completion, quick fix checking and so on. Definitely useful. Here are several more references on the Javascript support in NetBeans 6.1.

The Java Platform

It’s easy for me (and others, I’d bet) to think mostly of JavaEE or perhaps JavaME when thinking about Java. That’s understandable given the worlds fixation on web applications, and looking ahead to mobile. But the majority of the talks in Gosling’s keynote session had nothing to do with Java SE, EE, or ME (at least in the phone sense).

Probably the hit (applause meter wise) of the keynote was LiveScribe’s demonstration of their Pulse Smart Pen. This is an interesting pen that records the ink strokes that it makes, and any ambient audio that it records while the writing is happening. The ink and audio can be uploaded to a computer, as long as that computer runs Windows (apparently a Mac version is in the works). Unfortunately, the pen works by sensing marks on a special paper (that would be the razor blades), so there’s a limitation on how useful this can be. The presenter said that a future version of the software would allow people to print their own special paper, but that’s still a future item for now. By reading special marks on the special paper, you get a pretty cool user interface. The pen itself can run Java programs, and there is a developer kit available for it. If they can get by the limitation of special paper, I think that this is going to be pretty interesting.

Sentilla showed off their Mote hardware, which seem like RFID chips that can run Java programs. except that these RFID chips can form mesh networks amongst themselves and can have various kinds of sensors attached. There are lots of applications for these things, going well beyond inventory tracking and such.

Sun Distinguished Engineer Greg Bollella demonstrated Blue Wonder, which is a replacement for the computers used to control factories. Blue Wonder combines off the shelf x86 hardware, Solaris, and real time Java to provide a commodity solution for factory control applications. This is far afield of Web 2.0 applications, but just as cool, in my mind.

By the end of the keynote I was reminded of the long reach of the JVM platform, something that I’d lost sight of. The latest craze in the Web 2.0 space is location data — O’Reilly has an entire conference devoted to the topic. I think that sensor fusion of various kinds (not just location sensors) is going to play a big role in the next generation of really interesting applications. The JVM looks like it’s going to be a part of that. I don’t think than any other virtual machine technology is close in this regard.

Java’s future

I also went to a talk on Maxine, a meta-circular JVM. By the twitter reactions of the JRuby and Jython committers, I’d say that Maxine is going to get some well deserved attention when it is open sourced in June. I’m particularly interested because the PI’s for Maxine worked on PJava, and MVM. Given the differences between the Erlang VM and the JVM, I think that the ability to experiment with MVM is going to be pretty interesting. Apparently, there’s already some form of MVM support in Maxine - we’ll find out for sure in June.

During the conference I had a meeting with Cay Horstmann, and at the end of the meeting Josh Bloch saw Cay and wanted to talk to him about the BGGA closures proposal for Java. Turns out that Josh has an entire slide deck which consists of a stream of examples where BGGA does the wrong thing, generates really cryptic error messages, or requires an unbelievable amount of code. The fact that BGGA depends on generics, which are already really hard, doesn’t give me much confidence about closures in Java. If you are a statically typed language fan, I think that you ought to be worried about whether Java, the language, has any headroom left.

The last session that I went to was Cliff Click and Brian Goetz’s session on concurrency. Unsurprisingly, the summary of the talk is “abandon all hope, ye who enter here”. I was glad to see a section in the talk about hardware support/changes for concurrency. The problem is that concurrency is going to introduce end-to-end problems, from the hardware all the way up to the application level, and I think that every stop along the way is going to be affected. Unlike sequential programming, where we are still largely reinventing the wheels of the past, there is no real previous history of research results to be mined for concurrency. Hotspot and other VM’s are close to implementing most of the tricks learned from Smalltalk and Lisp, but those systems were mostly used in a sequential fashion, and while there were experiments with concurrency, there was much less experience with the concurrent systems than the sequential ones. Big challenges ahead.

Dave BrondsemaThat doesn't happen very often

On Saturday morning I woke up to people talking about string concatenation, and how many parameters some function needed.

Ted LeungJavaOne 2008: Part 1

JavaOne is a pretty intense experience, simply by virtue of the size. If CommunityOne was twice the size of OSCON, then JavaOne is three times the size of OSCON, and it shows . There was an immediate change in feel and atmosphere once JavaOne got into full swing. You could barely move sometimes, and there were a bunch of people whose job was to corral the crowds into some semblance of order.

JavaOne 2008

As a Sun employee, I was on a restricted badge, which made it hard to get into sessions (you are basically flying standby). On the other hand, I had plenty to do. I participated in a dynamic languages panel for press and analysts (who have their own track), which was pretty fun. The discussion was lively enough that we could have gone for another hour. There was one persistent fellow who really wanted there to be just one language, or wanted us to declare language X better for task Y. When I got started in computing, people learned and worked in several languages. Its only been recently that a language (Java) was popular enough that people could just learn one language, and the growth of web applications pretty much guarantees a multi-language future because of server side and client side differences. In the end, we’re back to finding and using the best tool for the job, or at least the most comfortable tool for the job. This is probably going to cause heartburn for big IT shops, but developers seem to be happy about it.

JavaOne 2008

I took a walk through the Java Pavilion with Tim Bray one afternoon. He got into the AMD booth’s aromatherapy display (and yes, he has a similar shot of me doing the same thing). One of the highlights of that excursion was Tim introducing me to Dan Ingalls, who made a number of very substantial contributions to Smalltalk, including its original VM and the BitBlt graphics operation. I am a great admirer of the work that was done in Smalltalk, and it was an honor to meet Dan and have him explain the Lively Kernel to me. A short (and probably not quite fair) description of the Lively Kernel is to take the lessons learned from Smalltalk/Squeak and implement them in the browser using Javascript, AJAX, and SVG.

JavaOne 2008

Unsurprisingly, I got the most value at JavaOne from the networking. And that means dinners, hallway conversations, and yes, the parties. Usually when I go to conferences, I am just a party attender. This time, I also worked at some of the parties. It was a little different to walk around the SDN party wearing a t-shirt with “SDN Event Staff” painted large on the back. I still had a good time. Between the T-shirt and the camera, I definitely had some good conversations.

JavaOne 2008

Another benefit of being at a huge is company is that they can really throw a big party. Like hiring Smash Mouth to play for a private concert:

JavaOne 2008

I’ve uploaded the rest of my photos from the conference to this Flickr set.

I actually do have some technical commentary, but I am going to put that into another post.

Rich BowenWrite every day

Last year, I tried very hard to write every day, and did a pretty good job of sticking to that. This year, it's been spotty, at best.I wrote a lot while in Amsterdam, and very little since I got back. Trying very hard to write, but, as Bradbury observes in the foreword of Dandelion Wine:

Like every beginner, I thought you could beat, pummel, and thrash an idea into existence. Under such treatment, of course, any decent idea folds up its paws, turns on its back, fixes its eyes on eternity, and dies.

Having met two of my very favorite authors - Douglas Adams and Arthur C Clarke - I can not think of any author I'd more like to meet than Mr. Bradbury, but I have no idea what I'd ask him, for I feel that I already know him, from what he has written. And the most important thing I've learned from him is simply to write every day, whether I have something to write or not. Of course, very very few can ever hope to rise to his level, but I imagine I have good story or two hiding away somewhere, waiting for me to write it.

Steve LoughranTired of Outlook

So the reason for having rich client applications is for a better off-line experience, right? Why then, does outlook suck? Why is it actually less responsive than gmail on firefox?

Why, when you have set 'empty deleted items on shutdown' does it try and delete the deleted items folder contents (a directory on the server), one by one, with some animation? Not only does this take so long on OS reboot (it's reboot tuesday) that the OS gets fed up and kills it, making the database corrupt, given that the mailbox is server hosted, surely a quick request to the server (rm, "inbox/deleted/*") could do the work. The client -that is meant to be a cache of the server- could do its cleanup in the background, some other time.

Trustin LeeChanging the default sound card automatically in Linux

Many people including me usually use a USB sound card or a USB speaker to enjoy noise-free high-fidelity sound. I simply don't understand why all the main board manufacturers ship with a built-in sound chipset which just sucks. It's not an exception for all laptops.

In a non-portable system such as a desktop PC, you usually don't need to change your default sound card because your USB sound card is always connected. However, it's a whole different story for a laptop computer. USB sound card is often disconnected and connected again. For example, I connected my USB speaker to the docking station. The expected behaviour is that the default sound card is chosen automatically - the sound system should be reconfigured so that my USB speaker becomes the default sound card when I dock to the docking station.

Currently, there's no desktop environment that addresses this problem AFAIK, so I wrote a quick and dirty script file that reconfigures the sound system automatically when a new sound card is detected. The script assumes that you are running HAL and DBUS, which are very common in modern Linux distributions.
# Path: /usr/local/bin/alsa-watch

if [ "x`pgrep -of 'alsa-watch'`" != "x$$" ]; then
exit 1


dbus-monitor --system --monitor "type='signal',path='/org/freedesktop/Hal/Manager',interface='org.freedesktop.Hal.Manager'" | while read -r EVT; do
echo "$EVT" | egrep -qi "(DeviceAdded|DeviceRemoved)"
if [ "$?" = '0' ]; then
read -r EVT_VAL
echo "$EVT_VAL" | egrep -qi 'sound_card_[0-9]+"'
if [ "$?" = '0' ]; then
} &
Another script needed to run alsa-watch is alsa-reconfigure. The following is what I put into the alsa-reconfigure script. You could do something different such as restarting PulseAudio daemon and modifying relevant GConf settings.
# Path: /usr/local/bin/alsa-reconfigure

# Update /etc/asound.conf.
cat /proc/asound/cards | grep -q USB-Audio
if [ "$?" == "0" ]; then
CARD=`cat /proc/asound/cards | grep USB-Audio | head -1 | perl -pi -e "s/\\s*([0-9])+.*/\\1/"`
CARD=`cat /proc/asound/cards | head -1 | perl -pi -e "s/\\s*([0-9])+.*/\\1/"`

echo \
" {
type dmix
slave.pcm \"hw:$CARD\"
ipc_key 1024

pcm.!default {
type plug
slave.pcm \"foo\"

ctl.!default {
type hw
card $CARD
" > /etc/asound.conf
I execute alsa-watch in my /etc/rc.local file and it works perfectly for me. :)

Robert Burrell DonkinOpenSSL: Debian And Ubuntu Bust The Random Number Generator

have announced that with immense stupidity they decided to remove the entropy from the . This is not a good idea. Off to change my SSH keys and passwords...

Guillaume NodetApache ServiceMix Kernel 1.0-m3

We've just released the third milestone of ServiceMix Kernel 1.0-m3. This small OSGi based container is really nice, if you haven't had a look at it yet, go and grab it.

It adds a bunch of cool new features. For example you can run:

osgi list | utils grep ServiceMix


log d | utils grep WARN

If you want to have a quick run at it, go and look at the quick start guide.

Jim JagielskiUndependable Power Supply

Through the years, I've used lots and lots of UPSs. Lots.

I have never had such troubles as I have had with the Cyber Power units. They are basically worthless. They have a lifetime of maybe 1 year (with basically NO usage at all... Maybe a total of 3 cycles, down to only say 75% capacity) and fail without warning. Power hiccup and they simply die. You plug 'em back in, run the diagnostic tests and "Lordy Lordy All is in perfect operating condition!"... unless, of course, you unplug the unit from the wall at which point it will go belly up and die with nary a whimper.

I can see UPSs failing... it happens, sure. But with every other UPS type I've ever used I've gotten advance notice when the unit is starting to go south. Not with these. You have absolutely no idea if it's good or bad. It will fail at the drop of a hat and with no warning at all.

Avoid 'em.

Steve LoughranUpgrading to Ubuntu 8.04, week 2

DNS is still hosed. Either the the network stack is dropping most of the DNS packets or Virgin Media are screwing up. Either hypothesis is currently valid. What is clear is that DNS takes 30s to respond. What is more interesting is what fails. Ivy, deserves special mention here. On a machine where DNS is playing up, sorting dependencies takes forever. The only way to get the build to work is to disable the network adapter. I've filed a bug.

OpenOffice is complaining a lot on start up. I'm not the only one. It looks like a recurrence of an old problem -bad migration of settings.

Power management? The SCSI driver wont go into ACPI D3 state, so no Hibernate for me. Same as before.

I have managed to roll back to FireFox 2, by removing my .mozilla directory. Before upgrading to Ubuntu 8.04, take a copy of the .mozilla directory if you ever want to roll back to firefox 2.

I can't say its been a seamless upgrade. The network is unusable; everything else on the LAN seems happy, DNS is just not working properly. I've turned off ipv6, disabled mDNS, edited resolv.conf, edited /etc/host.conf, edited /etc/nsswitch.conf. No use whatsoever. Next: ethernet packet sniffing time.

Shane Curcuru“Third base!”

Abbot and Costello in typeface. Beautiful. Many versions exist, but I agree they should have explicitly named the last outfielder - Naturally.

Justin MasonSerious Debian/Ubuntu openssl/openssh bug found

via Reddit, this Debian Security announcement:

‘Luciano Bello discovered that the random number generator in Debian’s openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.

It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems (ie since 2006! –jm) is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.’

and, of course, here’s the Ubuntu Security Notice for the hole:

Who is affected

Systems which are running any of the following releases:

  • Ubuntu 7.04 (Feisty)
  • Ubuntu 7.10 (Gutsy)
  • Ubuntu 8.04 LTS (Hardy)
  • Ubuntu “Intrepid Ibex” (development): libssl <= 0.9.8g-8
  • Debian 4.0 (etch) (see corresponding Debian security advisory)

and have openssh-server installed or have been used to create an OpenSSH key or X.509 (SSL) certificate. All OpenSSH and X.509 keys generated on such systems must be considered untrustworthy, regardless of the system on which they are used, even after the update has been applied. This includes the automatically generated host keys used by OpenSSH, which are the basis for its server spoofing and man-in-the-middle protection.

It was apparently caused by this incorrect “fix” applied by the Debian maintainers to their package. One wonders why that fix never made it upstream.

Bad news….

Update: Ben Laurie tears into Debian for this:

What can we learn from this? Firstly, vendors should not be fixing problems (or, really, anything) in open source packages by patching them locally - they should contribute their patches upstream to the package maintainers. Had Debian done this in this case, we (the OpenSSL Team) would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was. But no, it seems that every vendor wants to “add value” by getting in between the user of the software and its author.


For what it’s worth, we in Apache SpamAssassin work closely with our Debian packaging team, tracking the debbugs traffic for the spamassassin package, and one of the Debian packagers is even on the SpamAssassin PMC. So that’s one way to reduce the risk of upstream-vs-package fork bugs like this, since we’d have spotted that change going in, and nixed it before it caused this failure.

Here’s a question: should the OpenSSL dev team have monitored the bug traffic for Debian and the other packagers? Do upstream developers have a duty to monitor downstream changes too?

This comment puts it a little strongly, but is generally on the money in this regard:

the important part for OpenSSL is to find a way to escape the blame for their fuck-up. They failed to publish the correct contact address for such important questions regarding OpenSSL. Branden (another commenter –jm) noted that the mail address mentioned by Ben is not documented anywhere. It is OpenSSL’s responsibility that they allowed the misuse of openssl-dev for offtopic questions and then silently moving the dev stuff to a secret other list nobody outside OpenSSL knew about.

I’m sure Debian is willing to take their fair share of the blame if OpenSSL finally admits that their mistake played a major role here as well. After all the Debian maintainer might have misrepresented the nature of his plans, but he gave warning signs and said he was unsure. But as it appears now all the people who might have noticed secretly left openssl-dev, the documented place for that kind of questions. This is hardly the fault of the maintainer.

Update 2: this Reddit comment explains the hole in good detail:

Valgrind was warning about unitialized data in the buffer passed into ssleay_rand_bytes, which was causing all kinds of problems using Valgrind. Now, instead of just fixing that one use, for some reason, the Debian maintainers decided to also comment out the entropy mixed in from the buffer passed into ssleay_rand_add. This is the very data that is supposed to be used to see the random number generator; this is the actual data that is being used to provide real randomness as a seed for the pseudo-random number generator. This means that pretty much all data generated by the random number generator from that point forward is trivially predictable. I have no idea why this line was commented out; perhaps someone, somewhere, was calling it with uninitialized data, though all of the uses I’ve found were with initialized data taken from an appropriate entropy pool.

So, any data generated by the pseudo-random number generator since this patch should be considered suspect. This includes any private keys generated using OpenSSH on affected Debian systems. It also includes the symmetric keys that are actually used for the bulk of the encryption.

A pretty major fuck-up, all told.

Update 3: Here’s a how-to page on put together by the folks from the #debian IRC channel. It has how-to information on testing your keys for vulnerability using a script called ‘’, details of exactly what packages and keys are vulnerable, and instructions on how to regenerate keys in each of the (many) affected apps.

It notes this about Apache2 SSL keys:

According to folks in #debian-security, if you have generated an SSL key (normally the step just prior to generating the CSR, and then sending it off to your SSL certificate provider), then the certificate should be considered vulnerable.

So, bad news — SSL keys will need to be regenerated. Add ‘costly’ to the list of downsides.

Looking at ‘’, it gets even worse for ssh users. It appears the OpenSSH packages on affected Debian systems could only generate 1 of only 262148 distinct keypairs. Obviously, this is trivial to brute-force. With a little precomputation (which would only take 14 hours on a single desktop!), an attacker can generate all of those keypairs, and write a pretty competent SSH worm. :(

David N. WeltonRestaurants, immigrants, and the popularity of various cuisines

A little off-topic exercise conducted in the "eye of the storm", when Ilenia and Helen were still in the hospital:

A post on Seth Robert's blog brings up the idea that many Chinese restaurants were opened as a way to go into business without competing with native male workers. The post made the rounds of several other online journals.

That was the push I needed to get up and go collect a few statistics of my own, regarding an idea I've been kicking around for a while. My theory is that the number of restaurants of a given type, divided by the number of immigrants from that country might be an interesting way of guaging the popularity of the cuisine in question.

In order to simplify things just a bit, I actually used data from Italy, for the following reasons:

  • Most immigration to Italy is pretty recent, so it's not necessary to account for the length of time different immigrant groups have been present, and the effects that may have had on the diffusion of a given cuisine.

  • Immigration statistics were readily available:

  • Italian the language almost completely corresponds to Italy the country (outside of a chunk of Switzerland, San Marino, and the Vatican), something that makes things that much easier.

  • I speak Italian, so it was easy to find out all the information I needed

Unfortunately, finding out the number of restaurants of various types is far from an exact measurement, and since this is a quick fun project, I just went for Yahoo search (they deserve credit for keeping their search API open when Google's was closed) results on terms like "Ristorante Turco" (Turkish), "Ristorante Messicano" (Mexican), and so on. This was the most expedient means of gathering information quickly, but this approach does present a number of obvious problems, listed here in the hope that someone without diapers to change and a business to run might come up with some good answers:

  • Some hits likely come from people talking about a restaurant that happens to be in a country, like "ristorante americano". "Nel tipico ristorante americano, ...." or in other words, "In a typical American restaurant", rather than an American-style restaurant in Italy, which is what we were looking for in the first place. This is probably also true of countries close to Italy, where people go on vacation and thus have occasion to write about their experiences in a "ristorante tedesco" (German), rather than going to eat in a German restaurant in Italy. Perhaps the search query could be improved in an attempt to eliminate this sort of false positive.

  • Some restaurants probably are not known as, nor brand themselves with a country name, but instead utilize titles like "Middle Eastern", "Arab", "South American", "African", or others that do not correspond with any one country in particular. It would be possible to group countries together with other adjectives, and get statistics for these clusters as well.

  • Measuring hits is measuring what people are talking about, rather than simply restaurants that exist, so if restaurants from a certain country are more talked about than others, that would muddy the statistics a bit. However, it seems reasonable that people would mostly talk about restaurants in proportion to their popularity, and I don't see a particular reason why there would be more talk of Vietnamese restaurants, say, than Thai restaurants, compared to the actual numbers.

That said, for a quick project, this approach seemed to work out ok, and the results appear credible. Obviously, the results also reflect people discussing certain cuisines, rather than an actual number of restaurants, but since it does reflect interest, we'll use the number in any case.

Since the number of restaurants/interest in a type of restaurant was clearly not correlated directly with the number of immigrants, other factors must come into play. For instance, "ristorante giapponese" turns up 125,000 hits, but the stats say only 6873 Japanese nationals live in Italy. As above, hits don't mean actual restaurants, but clearly Japanese cuisine is not being popularized through immigration.

Here's my guess: these statistics show, to some degree, what people in the host country actually like to eat. Food that tastes good means more restaurants. Things that aren't that popular mean few restaurants, even if there are many immigrants. To pick on one country, there are many Philippino immigrants in Italy, but very few search hits - and anecdotally, I've never seen a Philippino restaurant in Italy either, whereas even smaller towns like Padova have Chinese, Mexican (well, it's called that, even if it's a shadow of the real thing), Japanese, various Arab and middle eastern restaurants, and even a few less common things like Eritrean. And I know that many native and foreign restaurants employ Philippino cooks.

Below is the chart I whipped up showing the number of Yahoo hits per immigrant. The Italian names shouldn't be too hard to figure out. A few tricky ones: Giordano-Jordanian, Giamaicano-Jamaican, Spagnolo-Spanish. If you're interested in numbers or source code, contact me.

Immigrants and Restaurants