Category Archives: open source

Installing SproutCore on Ubuntu on VirtualBox

If you check out the installation instructions for SproutCore you will notice that Windows developers are not really catered for (though I am sure it can be done). I also noticed some Windows issues in the Sproutcore forum. More evidence of the Windows/Unix disconnect.

Having been impressed by VirtualBox recently, I figured it might be easier to use VirtualBox and Ubuntu.

Here’s how it went. I ran up a new VirtualBox image and installed Ubuntu. Very easy; just point VirtualBox to the Ubuntu install iso. This worked, except that Ubuntu did not recognize the video driver and defaulted to 800 x 600 resolution. Solution: install dkms in Synaptic (or using apt-get); then install the VirtualBox Linux Additions. That gave me 1024 x 768, which is good enough.

Next, you need to install Ruby, RubyGems and the Ruby development headers (run these with sudo or as root):

apt-get install ruby

apt-get install rubygems

apt-get install ruby1.8-dev

and some build tools, because one of the SproutCore dependencies (hpricot) runs make when it is installed:

apt-get install build-essential

I thought that would be enough, but my first go at installing SproutCore failed, apparently because the directory where gem puts its executables is not on the path. The gem install itself seemed to work, but I got “command not found” when running sproutcore. So:

export PATH=$PATH:/var/lib/gems/1.8/bin

Now you can install SproutCore:

gem install sproutcore

Several components, such as hpricot, ask which version to install. I chose the variant designated (ruby).

After that, the Hello World tutorial ran exactly as expected.

By the way, although this example makes it look as if SproutCore is a dynamic server framework, it is not. The usual way to deploy a SproutCore application is as static files; the server arrangement is for debugging.

Note: the command above only amends the path for the current session. To make it permanent, I added the following two lines to the end of /etc/profile (which needs root permissions to edit)*:

PATH=$PATH:/var/lib/gems/1.8/bin
export PATH

*See comment below for an even better suggestion.

The RIA dilemma: open vs predictable

There’s recently been a bit of hype (RoughlyDrafted.com) for Charles Jolley’s SproutCore, yet another JavaScript framework, mainly because Apple is using it as its “Cocoa for the Web”, according to AppleInsider.

I tried the sample controls demo in IE7 but it didn’t work quite right. For example, the Picker pane opened but would not close. Tried again in Firefox 3.0 and everything was fine.

I’ve got no idea what the problem is with IE7; it is probably because of weak standards support in IE. However, it illustrates the advantages of a plug-in like Flash, Silverlight or Java. With these platforms, the application is largely insulated from differences between browsers.

The snag with the proprietary plug-in approach is that the vendor may not support every platform equally. Microsoft is entrusting the bulk of Silverlight Linux support to a third party. There are also issues of control. Apple most likely does not want any runtimes on iPhone because they open up a route to application deployment that bypasses its App Store and 30% revenue share. Google seems wary of Flash; RoughlyDrafted says that is because of the risk of content being turned into “opaque binaries” that are beyond the reach of its contextual advertising analysis, but it may just be reluctance to cede such an important part of its platform to a third party.

Still, as a developer in search of a predictable app platform I’d rather target a plug-in than trust the browser vendors to be sufficiently consistent, and the JavaScript libraries sufficiently smart, to enable my code to run reliably everywhere. It is easier to get away with a requirement for, say, Flash 9, than to insist that users choose a particular browser or operating system.

There are other factors of course. On the JavaScript + HTML side, there are advantages in that it extends rather than replaces the HTML model. Things like clipboard support just work. Plus, it runs on iPhone.

On the plug-in side, you get the fast execution of a JIT compiler, and easy use of graphical and multimedia effects that take effort to do in JavaScript, or can’t be done at all.

I would be interested in comments from developers about what RIA platform you are choosing, and why.

Google App Engine line endings snaglet exposes Windows/Unix disconnect

This amused me:

In case you can’t see the image, it shows the release notes for the Google App Engine SDK, which I’m trying right now. The notes say:

Fixed behavior with source files that have Windows line-endings or missing line-endings.

With a nice self-referential touch, the notes reveal the very problem they are describing. On Windows, a line ending is usually encoded by two characters (carriage return and line feed), whereas on Unix (and similar systems like Linux and Mac OS 10) a single line feed character is used. Notepad is the default viewer for text files on Windows, and displays these Google release notes with scrambled formatting. A programmer’s editor like CodeWright[1] understands both conventions and the file displays fine.
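As an added example (not from the original post), here is a small Python check that classifies a file’s line-ending convention, covering the two conditions the release note mentions (Windows CR LF endings and a missing final line ending), and normalizes to LF; the sample inputs are constructed.

```python
# Added example, not from the original post: classify a text file's line-ending
# convention, covering the two conditions the App Engine release note mentions
# (Windows CR LF endings and a missing final line ending), and normalize to LF.
from collections import Counter

def classify_line_endings(data: bytes) -> dict:
    """Count CRLF, bare LF and bare CR terminators; report the overall convention
    ('crlf', 'lf', 'cr', 'mixed' or 'none') and whether the last line is terminated."""
    counts = Counter()
    i, n = 0, len(data)
    while i < n:
        if data[i:i + 1] == b"\r":
            if data[i + 1:i + 2] == b"\n":   # CR followed by LF: one Windows ending
                counts["crlf"] += 1
                i += 2
                continue
            counts["cr"] += 1                # bare CR (classic Mac OS)
        elif data[i:i + 1] == b"\n":
            counts["lf"] += 1                # bare LF (Unix)
        i += 1
    kinds = [k for k in ("crlf", "lf", "cr") if counts[k]]
    convention = "none" if not kinds else kinds[0] if len(kinds) == 1 else "mixed"
    return {"crlf": counts["crlf"], "lf": counts["lf"], "cr": counts["cr"],
            "convention": convention,
            "final_newline": data.endswith((b"\n", b"\r"))}

def normalize_to_lf(data: bytes, add_final_newline: bool = True) -> bytes:
    """Rewrite CRLF and bare CR as LF; optionally terminate an unterminated last line."""
    out = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    if add_final_newline and out and not out.endswith(b"\n"):
        out += b"\n"
    return out

# Constructed sample inputs, not the real release-notes file.
WINDOWS_NOTES = b"Release notes\r\nFixed behavior with Windows line-endings\r\n"
UNIX_NOTES_NO_FINAL = b"Release notes\nFixed behavior with missing line-endings"
MIXED_NOTES = b"line one\r\nline two\nline three\r\n"

if __name__ == "__main__":
    for name, sample in (("windows", WINDOWS_NOTES), ("unix", UNIX_NOTES_NO_FINAL),
                         ("mixed", MIXED_NOTES)):
        print(name, classify_line_endings(sample))
```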

It is a minor annoyance, but exposes a deeper problem. There are two factors at play here. One is that the open source world has tended to use Unix-like operating systems (maybe because open source operating systems are Unix-like); the other is that the favourite client OS among Web 2.0 geeks is the Mac. It’s likely therefore that most or all the folk working on App Engine do not use Windows and do not see this issue. They have taken the trouble to support Windows, but the Windows platform is just a little alien. The poor experience you get when double-clicking a readme is a symptom.

Another example is in the notes describing the options for the dev_appserver.py script, used to run the SDK. It says:

--datastore_path=PATH      Path to use for storing Datastore file stub data. (Default /tmp/dev_appserver.datastore)

What was that default again? There is no /tmp directory on Windows. I am sure the script uses a sensible default on Windows; but it will be different from what these notes say.

Let me add that the Unix directory structure is generally nicer to work with than Windows, with its archaic drive letters; and that I see little sense in the carriage return character being needed to end a line (it’s a throwback to the typewriter). Windows is also more wrong than right about using the backslash as a path divider (all IBM’s fault, apparently).

As a developer, I perceive these things as a small nudge that I might not be using the best OS for the task in hand. That’s unfortunate for Microsoft, and I’m not sure how it can fix it – though getting Notepad to respect Unix line endings would be a start.

[1] CodeWright is/was an excellent editor that was acquired and killed by Borland; unfortunately it does not work properly on Vista though I still find it handy occasionally.

Ruby on Rails on .NET

Microsoft’s John Lam reports:

IronRuby dispatched some simple requests through an unmodified copy of Rails a few days ago. Today, we’re going to show off our progress live at RailsConf.

He adds that performance is terrible; so you might not want to migrate your project just yet. Why bother? Mainly, to get Rails productivity plus access to .NET libraries – in other words, integration with Microsoft’s platform.


More on Debian’s OpenSSL bungle

I reported on this in the Guardian. Interesting piece to research. First, the history. You can find the exchange between Kurt Roeckx and Ulf Möller here. An unfortunate mistake; I make mistakes too (it was my fault that a name was misspelt in the Guardian piece, for example), so rather than heap blame on individuals I suggest this is more about a problem with the process; the only people making significant changes to the source code of such a critical library should be the committers responsible for that library. No doubt the incident is prompting a review of the process for updating Debian, Ubuntu and other distros; perhaps we will end up with a slower but less vulnerable flow of updates.

Second, a remark from Tim Callan at Verisign which there was not room for in this piece. I asked him whether Verisign knows which of the certificates it has issued are bad. “Unfortunately we don’t have those key pairs to look at them and scan them and tell which ones are good and which ones are not,” he told me. All Verisign can do is to ask its customers to check, which Callan says it is doing “very very aggressively.” In mitigation, Verisign does have a record of what operating system was used to purchase the certificate, but this is not the same thing; it is an imperfect process. The only fix is to revoke and replace the bad ones, which the company is offering to do for free.

Third, there are two distinct risks here. First, weak SSL certificates. Verisign is embarrassed because it has been issuing weak certificates; its core product has been undermined. However, according to Netcraft, of the 870,000 secure web servers on the Internet, only 20,000 report themselves as Debian and 4,000 as Ubuntu. The true figure will be somewhat more than that, but that is a relatively small proportion; and exploiting the weakness takes a bit of effort.

The second problem is the possibility of intercepting or cracking SSH tunnels used to administer affected servers. We saw this demonstrated at a hacking briefing run by NCC Group yesterday. Let’s assume that administrators use SSH authenticated with a private key – a common scenario – and that the key was generated by the faulty OpenSSL library. I suspect this will have been true for many more than 20,000 servers, though a lot will now have been fixed. All you need to do is to run a script against that server armed with a list of the possible keys – under a thousand, according to the demo we saw*. When you get a hit, you can connect to that server, most likely with full root permissions.

The most hardened servers will not be so easy to crack. They will authenticate as a user with limited rights, and use su to elevate. They will limit access to specific IP addresses. They will use additional passphrases. And they will have changed the keys within hours of the problem being discovered.

Still, there are plenty of less secure servers out there, so what that means is that an unknown number of servers will have been compromised, and more will follow. If you are lucky, the intruders will hack your website and do obvious damage so the server will get cleaned up. If you are unlucky, the intruder will be discreet and quietly start stealing credit card numbers, or taking advantage of any information or privileges obtained to get access to additional servers or data, or make occasional use of the server in botnet attacks. Who knows?

Servers getting rooted is not a new problem; and it’s not yet clear whether this incident is more than a ripple. Colin Phipps at Netcraft doesn’t think it is. “We’ll see a lot of panicked system administrators,” he told me, “and we’ll see a lot of scepticism about open source.” That last point is probably the most significant.

*I’m told this was artificially reduced for the demo – but there are only 32,676 possible private keys to brute-force. However, even using the full set of 2048-bit RSA keys, NCC Group successfully broke into a system which used Debian to generate SSH keys in 20 minutes, and thinks it could often be done in half that time.

ODF support in Microsoft Office: a sign of strength, or weakness?

Big news in the document format wars today. Microsoft is (as far as I can tell) properly supporting ODF in Office. The press release states that both ODF and PDF will be fully integrated into Word, Excel and PowerPoint. This means Save As, not Export; and the possibility of setting ODF as a default save format.

The release adds:

Microsoft will join the Organization for the Advancement of Structured Information Standards (OASIS) technical committee working on the next version of ODF and will take part in the ISO/IEC working group being formed to work on ODF maintenance.

Reading the release, and comments by Doug Mahugh, it looks as if this is different code from the hopeless CleverAge translator, an open source project on SourceForge. That uses XSLT, which is inefficient for large documents and always seemed to me the wrong approach to take.

It seems that despite achieving ISO standardization for its own Open XML format, Microsoft is responding to pressure from large customers, especially in government and education, who want full ODF support.

Having said that, there are bound to be technical issues over the import and export. We have to wait to see the list of what may be converted incorrectly, or is not supported.

Let’s presume Microsoft has done a good job. Is this good for the company, or bad? Open Office does not support Open XML (don’t you love how everything is called “Open”), so this boosts ODF and therefore Open Office by making it more widely compatible. On the other hand, it could avoid lost sales to customers who would otherwise abandon Microsoft Office for lack of ODF support, which helps Microsoft. In the end, it’s hard to say how this will play out in terms of market share.

That said, it is undoubtedly good for users. Kudos to Microsoft for doing something to make their lives easier.


Painful Debian / Ubuntu SSL bug

A bug in the Debian-modified version of OpenSSL (also used by Ubuntu) means that cryptographic keys generated on Debian systems for the last couple of years may be insecure. Instead of being well randomized, they are easily guessable.

More information about the vulnerability is here; how to fix it here.

How much does this matter? The full scope has not emerged yet; but as I understand it, it affects self-generated keys. Those who purchased certificates from a third-party certificate authority are not affected, unless one of those authorities turns out to have been using the broken version, which is unlikely. However, even if you purchased certificates from a third-party certificate authority, you would still be affected if you generated the certificate request (and therefore the key pair it certifies) on a system with the broken OpenSSL library (thanks to Nico for the correction below).

This means that a large number of supposedly secure SSH connections or SSL connections to web sites and servers over the last couple of years were actually not very secure at all.

If nothing else, it shows how easy it is to be falsely reassured, to think you are secure when you are not.

It also shows the risks of modifying security code. The problem is not with OpenSSL, but with changes made by a Debian coder who thought he was fixing something when in fact he was breaking it.

This site runs on Debian and I’ve spent some time today checking it for vulnerability and regenerating keys.
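Both this post and the one above on the Debian OpenSSL bungle turn on the same defensive chore: finding keys generated by the broken library so they can be revoked and regenerated. Here is an added Python example (not from the original posts) that audits an authorized_keys file against a blacklist of weak-key fingerprints; the keys and the blacklist are constructed stand-ins for the fingerprint lists that Debian’s openssh-blacklist package provided.

```python
import base64
import hashlib
import struct

# Added example, not from the original posts: audit an authorized_keys file against
# a blacklist of known-weak key fingerprints so the matching keys can be removed and
# regenerated. The keys and the blacklist below are constructed for illustration.

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(x: int) -> bytes:
    # SSH mpint: big-endian magnitude with a leading zero byte if the high bit is set.
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)

def rsa_public_blob(e: int, n: int) -> bytes:
    """Wire-format ssh-rsa public key blob (the base64 field of an authorized_keys line)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)

def fingerprint_md5(blob: bytes) -> str:
    """Classic OpenSSH MD5 fingerprint: colon-separated hex of the MD5 of the blob."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def parse_authorized_keys(text: str):
    """Yield (key_type, blob, comment) per key line, skipping blanks and comments and
    tolerating a leading options field (simplification: no whitespace inside quoted
    option values)."""
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-"))), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
        except ValueError:
            continue
        yield fields[idx], blob, " ".join(fields[idx + 2:])

def find_blacklisted(text: str, blacklist: set) -> list:
    """Return (comment, fingerprint) for every key whose fingerprint is blacklisted."""
    return [(comment, fingerprint_md5(blob))
            for _ktype, blob, comment in parse_authorized_keys(text)
            if fingerprint_md5(blob) in blacklist]

# Constructed toy moduli (far too small to be real keys) standing in for a key from
# the broken library and a correctly generated one.
WEAK_BLOB = rsa_public_blob(65537, 0xC0FFEE1234567890ABCDEF)
GOOD_BLOB = rsa_public_blob(65537, 0xDEADBEEF0123456789ABCD)
WEAK_FINGERPRINTS = {fingerprint_md5(WEAK_BLOB)}  # stand-in for a real blacklist file

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    "ssh-rsa " + base64.b64encode(GOOD_BLOB).decode() + " admin@good-host",
    'from="10.0.0.5" ssh-rsa ' + base64.b64encode(WEAK_BLOB).decode() + " deploy@debian-box",
])

if __name__ == "__main__":
    for comment, fp in find_blacklisted(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS):
        print(f"weak key, revoke and regenerate: {comment} ({fp})")
```

Run it against a real ~/.ssh/authorized_keys and a real blacklist; any hit is a key to delete from the file and replace with one generated on a patched system.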


Sun’s bad quarter

I was interested to see Sun’s financial results after visiting the company earlier this year.

Not too good:

Revenues for the third quarter of fiscal 2008 were $3.266 billion, a decrease of 0.5 percent as compared with $3.283 billion for the third quarter of fiscal 2007 … Net loss for the third quarter of fiscal 2008 on a GAAP basis was $34 million, or ($0.04) per share, as compared with net income of $67 million, or $0.07 per share, for the third quarter of fiscal 2007.

When I visited we were told that rising income from developing nations would compensate for weakness in the USA, but apparently this is not the case. Although income from the likes of India and Brazil is rising, it is not enough to make up the difference. Another question: why is Sun under-performing relative to other companies such as IBM and Intel, both of which reported strong first quarters last month?

Sun is also set to cut 1,500 to 2,000 jobs, which suggests that the company does not expect demand to pick up soon.

The issue to me is whether Sun can make sense of its commitment to open source, or whether the proprietary guys are showing where the money really is. The MySQL purchase was great PR, but doubtful business sense.


Schwartz vs Mickos on MySQL and open source

At least, that’s how it looks. I was intrigued when I saw reports raising the possibility of “high-end” features in MySQL being released under a closed-source license – confirmed (as a possibility) in a roundabout way here. I found it odd because Sun CEO Jonathan Schwartz had told me of Sun’s intention to open source everything.

So what does Schwartz think of the MySQL idea? Not much, according to his statement in this email interview with Tim O’Reilly:

Marten Mickos (SVP, Database Group at Sun, former CEO, MySQL) made some comments saying he was considering making available certain MySQL add-ons to MySQL Enterprise subscribers only – and as I said on stage, leaders at Sun have the autonomy to do what they think is right to maximize their business value – so long as they remember their responsibility to the corporation and all of its communities (from shareholders to developers). Not just their silo.

I think Marten got some fairly direct and immediate feedback saying the idea was a bad one – and we have no plans whatever of “hiding the ball,” of keeping any technology from the community. Everything Sun delivers will be freely available, via a free and open license (either GPL, LGPL or Mozilla/CDDL), to the community.

Everything.

No exception.

Seems clear enough to me.

What to say about Ubuntu Hardy Heron?

I installed Ubuntu Hardy Heron, a “long term support” release which went final yesterday.

It’s a tricky thing to assess. There are in general two things to say about Linux. First, you can take the line that it is a wonderful thing: free, fast, responsive and capable. You can do your work on this, even run a business on it. You can write applications in Java, C# or any number of other languages. You can have fun with it too – it’s great for multimedia, just a shame that few games support it. Finally, it is nice to know that most of the world’s malware is targeting someone else’s operating system.

Alternatively, you can argue that Linux is fiddly, perplexing, over-complicated, inconsistent, and still not ready for the general public.

It is tempting to give Ubuntu an easy ride because it is free and because we so much want it to succeed; we need an alternative to the Microsoft tax or the Apple tax. Unfortunately you never have to look far to find little problems or things that should be easy but end up consuming considerable effort.

Here’s one thing I noticed today. Close Firefox. Open the Help Centre, and click a web link. The Help Centre opens Firefox with the link you requested, but then cannot be used until you close the Firefox instance. Trying to close it brings up a “Not responding” message. If Firefox was already running when you clicked the link, it is fine.

Here is another. Open Help Centre, click Playing Music, then Listen to online audio streams. It says I can install Real Player 10 and that it is available from the “commercial repository”. What is the “commercial” repository? This page describes four Ubuntu repositories: main, restricted, universe and multiverse. Real Player is not in any of them. Further, if you try to install it using apt-get, the following message appears:

Package realplayer is not available, but is referred to by another package. This may mean that the package is missing, has been obsoleted, or is only available from another source
E: Package realplayer has no installation candidate

Hey, it’s Linux. Just Google and you’ll find a way. Who needs Real Player anyway? But that’s not the point … the point is that these little issues crop up and make running Linux less fun for non-geeks.

Here’s another one: I tried GNU Chess. I poked around in Preferences and chose the 3D view. It said:

You are unable to play in 3D mode due to the following problems:
No Python OpenGL support
No Python GTKGLExt support

Please contact your system administrator to resolve these problems, until then you will be able to play chess in 2D mode.

Fair enough; it is a clear, accurate and informative message – aside from the bit about “contacting your system administrator” which sounds like it was borrowed from Windows. You can just about forgive it in business software, but this is a game.

I still love Ubuntu. This one installed easily and updates nicely; the fancy graphics effects work smoothly; and most important, the same machine which felt slow with Vista now seems more like a high-performance workstation.

In other words, it is easy to support either line of argument. Personally I veer towards the favourable view; but I doubt fear of Ubuntu is keeping anyone in Redmond awake at nights.