Category Archives: software development

Visual Studio 2008 as a JavaScript editor

I’ve been doing some work on JavaScript editors recently, and was impressed by Microsoft’s Visual Studio in this respect. Here’s my post on the subject. By the way, even the free Express edition works fine for this; and you don’t need to use ASP.NET. You do need to use Internet Explorer of course; that’s another story.

What’s the deal with Flash and the iPhone?

A brief comment from Adobe’s CEO Shantanu Narayen quoted by Bloomberg suggests that Apple and Adobe are actually working on putting Flash on the iPhone:

It’s a hard technical challenge, and that’s part of the reason Apple and Adobe are collaborating. The ball is in our court. The onus is on us to deliver.

Deliver what? I’d have thought it would be straightforward for Adobe to implement some level of Flash on the iPhone. There are at least two reasons though why Apple might be blocking it:

1. Flash is a client runtime. Apple may feel that allowing applications to run within Flash could threaten its App Store lock-in and market.

2. One of the frustrations of Flash on devices is that it lags behind the version of Flash available on desktops, and is often hard to update. That’s frustrating for users. Apple may want to address that by giving iPhone users an experience that comes close to that on the desktop.

So what is Apple waiting for Adobe to deliver? Better mobile performance and usability? Or some other piece that might address the first of the above concerns?

The outcome of this has a significance that goes beyond the iPhone. Although iPhone and iTouch users form only a small proportion of those browsing the web, it is an influential group and one that will grow. The lack of Flash support makes pure HTML and JavaScript solutions more attractive to web developers.

If anyone from Adobe can give us more insight into what it is working on with Apple, I’m keen to know.


Gears of War certificate expiry a reminder to developers: always timestamp signed code

Users of the PC version of Gears of War have been unable to run the game since yesterday (29th January 2009). If they try, they get a message:

You cannot run the game with modified executable code

Joe Graf from Epic has acknowledged the problem:

We have been notified of the issue and are working with Microsoft to get it resolved. Sorry for any problems related to this. I’ll post more once we have a resolution.

The workaround is to set back your system clock. An ugly solution. Of course, some users went through the agony of full Windows reinstalls in an effort to get playing again.

So what happened? This looks to me like a code-signing problem, not a DRM problem as such, though the motivation for it may have been to protect against piracy. Code signing is a technique for verifying both the publisher of an executable, and that it has not been tampered with. When you sign code, for example using the signwizard utility in the Windows SDK, you have to select a certificate with which to sign, and then you have an option to apply a timestamp. The wizard doesn’t mention it, but the consequences of not applying a timestamp are severe:

Microsoft Authenticode allows you to timestamp your signed code. Timestamping ensures that code will not expire when the certificate expires because the browser validates the timestamp. The timestamping service is provided courtesy of VeriSign. If you use the timestamping service when signing code, a hash of your code is sent to VeriSign’s server to record a timestamp for your code. A user’s software can distinguish between code signed with an expired certificate that should not be trusted and code that was signed with a Certificate that was valid at the time the code was signed but which has subsequently expired … If you do not use the timestamping option during the signing, you must re-sign your code and re-send it out to your customers.

Unfortunately, there is no timestamping for Netscape Object Signing and JavaSoft Certificates. Therefore you need to re-sign your code with a new certificate after the old certificate expires.

I don’t know if this is the exact reason for the problems with Gears of War, and I’m surprised that the game refuses to run, as opposed to issuing a warning, but this could be where the anti-piracy measures kick in. Epic’s programmers may have assumed that the only reason the certificate would be invalid is if the code had been modified.

I blogged about a similar problem in February 2006, when a Java certificate expired causing APC’s PowerChute software (a utility for an uninterruptible power supply) to fail. That one caused servers to run slow or refuse to boot.

As far as I know, there is no way of telling whether other not-yet-expired certificates are sitting on our PCs waiting to cause havoc one morning. If there are some examples, I hope it does not affect software running, say, Air Traffic Control systems or nuclear power stations.

If you are a Windows developer, the message is: always timestamp when signing your code.
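As an added illustration of the distinction the quoted passage draws (this is not code from the post, from Epic or from Microsoft), here is a small Python model of Authenticode-style verification. The certificate, the dates and the "executable" bytes are constructed, and the signature is modelled as a SHA-256 digest plus an optional timestamp rather than a real RSA countersignature:

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass(frozen=True)
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after

@dataclass(frozen=True)
class Signature:
    cert: Certificate
    digest: str                    # hex SHA-256 of the code as signed
    timestamp: Optional[datetime]  # time recorded by the timestamp service, or None

def sign(code: bytes, cert: Certificate, signed_at: datetime, timestamp: bool) -> Signature:
    """Sign `code` at `signed_at`; a real tool asks a timestamp server for the time."""
    if not cert.valid_at(signed_at):
        raise ValueError("certificate is not valid at signing time")
    return Signature(cert, hashlib.sha256(code).hexdigest(), signed_at if timestamp else None)

def verify(code: bytes, sig: Signature, now: datetime) -> str:
    """Return MODIFIED, EXPIRED_UNTRUSTED or OK.
    Only a digest mismatch means tampering. Without a timestamp the certificate
    must still be valid now; with one it only had to be valid when signed."""
    if hashlib.sha256(code).hexdigest() != sig.digest:
        return "MODIFIED"
    check_time = sig.timestamp if sig.timestamp is not None else now
    if not sig.cert.valid_at(check_time):
        return "EXPIRED_UNTRUSTED"
    return "OK"

def scenario(timestamped: bool, verify_on: str, tampered: bool = False) -> str:
    """Constructed demo: publisher cert valid 2007-02-01..2009-01-28, code signed 2008-06-01."""
    cert = Certificate("Example Publisher (constructed)",
                       datetime(2007, 2, 1), datetime(2009, 1, 28))
    exe = b"constructed executable bytes"
    sig = sign(exe, cert, datetime(2008, 6, 1), timestamped)
    return verify(exe + (b"!" if tampered else b""), sig, datetime.fromisoformat(verify_on))

if __name__ == "__main__":
    for ts in (False, True):
        print(f"timestamp={ts}: {scenario(ts, '2009-01-30')}")
```

Run after the constructed expiry date, the untimestamped signature fails while the timestamped one still verifies, and neither case is reported as "modified".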

Adobe Flex community at odds over Fx prefix, lack of collaboration

Some members of the community around Adobe’s open source Flex SDK are fuming at a decision made by Adobe back in October 2008, to prefix the new skinnable components in the forthcoming “Gumbo” release with Fx. This means you can disambiguate old and new components such as Button without relying on namespaces. On the other hand, what is wrong with namespaces? The issue has provoked a lot of debate, partly on the merits or otherwise of the Fx prefix, and partly on the open source development process itself. The Fx decision was announced rather than discussed. Simeon Bateman, who is now all-but proposing an Fx-less fork of the SDK, says:

Creating an open source project is about openness in planning and development. Not just about giving people the right to do with the code what they will. And this part of the Flex project is a complete failure … The current Flex SDK team has about 20 developers and they are fiendishly working on the code for the next version of Flex, version 4 code named Gumbo. And they are doing all that development in private, behind closed doors with nothing but commit logs for us to know what is happening. This is an open source project and we have no idea what is coming or what the timelines are for milestones. What the hell are the milestones?

Manish Jethani argues that Fx is a sign of haste and corporate pressure:

Even though Flex is an open source project, it is very much run per corporate interests. In a truly open source project like the Linux kernel, there are no deadlines — it’s ready when it’s ready. That’s how research departments work. But Flex is no research, Flex is business. Why, wouldn’t the ‘Fx’ prefix give Flex Builder yet another advantage over competing IDEs? Think about it.

Ben Clinkinbeard has created a survey to allow Flex developers to express their opinions, though as a commenter notes, it is more of an objection petition than a survey.

Adobe responded with an online open meeting to discuss this and other matters which took place this morning – you can play the recording online. It may have been frustrating for those who felt strongly about it, since after presenting the reasons for the change the presenters deferred further discussion to the online forum. As far as I can tell, the Fx decision is unlikely to change.

Well, there is open source, and there is collaborative development, and they are not the same thing. Adobe retains tight control over Flex for the sake of its commercial interests. It is a reminder that although the Flex SDK is open source it is not a community property in the same way as Apache.

One crumb of comfort for Adobe is that this kind of intense debate shows the high value of Flex to its developers. It would be far, far worse if nobody cared.

Update: you can vote against the fx prefix or discuss it in Adobe’s bug-tracking system here.


Microsoft showing Silverlight 3 at Mix09

Looks like Mix09 (March 18-20) is the stage where Microsoft will reveal details of Silverlight 3 (is it really 3 already?). On the session list is:

What’s new in Silverlight 3 (Joe Stegman)

What’s new in Silverlight 3 media (Larry Olson)

Deep Dive into Silverlight graphics – come hear about the Silverlight 3 rendering pipeline (Seema Ramchandani, Marshall Agnew)


Why are web sites still storing passwords? Monster, USAJobs blunder highlights the risks

Sophos informs us that job sites Monster and USAJobs (an official US job site) have been hacked. Messages on Monster and USAJobs confirm this. I’d like to draw attention to the fact that passwords were stolen:

We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords.

says Monster. And USAJobs says:

We recently learned that the Monster database was illegally accessed and certain contact and account data were taken, including user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data.

Same wording – because Monster is the “technology provider” for USAJobs.

Sophos observes:

There is even more potential for danger, however, because passwords have been stolen. We know that too many people use the same password for every website that they access.

Right. But why is Monster even storing passwords? It is not necessary. All you need to store is a one-way password hash, so the site can verify a password without recording it. This is easily done in every web platform out there.

There is a disadvantage. It means the site cannot email your lost password. Instead, it must reset your password. Since email passes in plain text, emailing passwords is a bad idea anyway, and I hate to see sites doing this; it’s a useful alert though that the site places a low value on security.

Any site can get hacked, but what isn’t stored can’t be stolen.

Technical blunders like this can be costly; there’s no excuse for it that I can think of.
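As an added example (not the post’s code, nor Monster’s) of the approach the post recommends: store a salted one-way hash, verify a login without ever holding the password, and handle a lost password by reset rather than by emailing it. The user ids, passwords and the in-memory dicts standing in for the site’s database are all constructed:

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000  # work factor; raise it as hardware gets faster

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record the site can verify against but never recover the password from."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(parts[2]), int(parts[1]))
    return hmac.compare_digest(candidate, bytes.fromhex(parts[3]))

_DUMMY = hash_password("placeholder")  # keeps login timing similar for unknown ids

def register(users: Dict[str, str], user_id: str, password: str) -> None:
    """All the database ends up holding is the user id and the hash record."""
    users[user_id] = hash_password(password)

def login(users: Dict[str, str], user_id: str, password: str) -> bool:
    ok = verify_password(password, users.get(user_id, _DUMMY))
    return ok and user_id in users

def start_reset(users: Dict[str, str], tokens: Dict[str, str], user_id: str) -> Optional[str]:
    """Lost password: mail the user a random token, but store only its hash."""
    if user_id not in users:
        return None
    token = secrets.token_urlsafe(32)
    tokens[user_id] = hashlib.sha256(token.encode()).hexdigest()
    return token

def finish_reset(users, tokens, user_id: str, token: str, new_password: str) -> bool:
    """Consume the token (even on a wrong guess, so it cannot be brute-forced) and rehash."""
    expected = tokens.pop(user_id, None)
    presented = hashlib.sha256(token.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, presented):
        return False
    users[user_id] = hash_password(new_password)
    return True
```

A dump of `users` and `tokens` contains neither a password nor a usable reset token, which is the point of the post: what isn’t stored can’t be stolen.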


Office Ribbon in Silverlight – amazing stuff from divelements SandRibbon

I blinked when I tried the live demo of SandRibbon for Silverlight, from divelements. It looks remarkably like Office 2007:

The control is in beta, and promises:

All the commonly-used functionality of the Office 2007 UI is made available for you to use with this product, and most of the less common functionality too. Customers who have used SandRibbon for WPF will find the API familiar. The visual constructs used are compatible with all other Silverlight controls, both built-in and third-party.

The company already has a SandRibbon control for WPF. However, the Silverlight control shows how well you can replicate the look and feel of a desktop application in a cross-platform browser application. Now, put this together with the automatic online/offline sync in Live Mesh, and you could have a version of Office with seamless online and offline support. Microsoft may deliver something like this in the web versions of Office 14, though it is going to have one eye on its lucrative desktop sales and I doubt whether it will really exploit what is now possible.

Want Google Earth in your browser? Don’t use Google Chrome.

I’ve been trying various mapping APIs and took a look at Google’s new Earth browser plug-in. It looked a bit odd in IE7 so I tried Google Chrome. Not supported:

Given that it now works in Safari on the Mac (which also uses WebKit) I’m a little surprised. No doubt the team will add it soon, but this sort of thing doesn’t help Chrome adoption.


10 steps to a well-behaved Windows application

I wrote a short summary of Microsoft’s latest (I think) guidelines for well-behaved Windows applications.

It is a significant topic. A large part of the thinking behind Vista’s contentious User Account Control (which is being continued in Windows 7) is to push app developers into writing applications that conform more closely to the guidelines, especially in respect of where they write data. If all applications conformed, there would be little need to log on as local administrator, and Windows would be more secure.

SQLite developer argues for quick bug disclosure and fixes, despite egg on face

SQLite developer D Richard Hipp has posted to his mailing list to announce a third release in the space of a few days, to fix bugs discovered in version 3.6.10:

Some concern has been expressed that we are releasing too frequently. (Three releases in one week is a lot!) The concern is that this creates the impression of volatility and unreliability. We have been told that we should delay releases in order to create the impression of stability. But the SQLite developers feel that truth is more important than perception, not the other way around. We think it is important to make the highest quality and most stable version of SQLite available to users at all times. This week has seen two important bugs being discovered shortly after a major release, and so we have issued two emergency patch releases after the regularly scheduled major release. This makes us look bad. This puts "egg on our face." We do not like that. But, three releases also ensures that the best quality SQLite code base is available to you at all times.

He goes on to say that an extended beta period would be unlikely to reduce the risk of bugs found on release, because most bugs in SQLite are found by internal testing rather than by external users. He also argues against withholding releases until “testing is finished”:

The fallacy there is that we never finish testing. We are constantly writing new test cases for SQLite and thinking of new ways to stress and potentially break the code. This is a continuous, never-ending, and on-going process. All existing tests pass before each release. But we will always be writing new tests the day after a release, regardless of how long we delay that release. And sometimes those new tests will uncover new problems.

Anyone who has ever developed an application will know that sinking feeling when problems are discovered in code that has been distributed. Thoroughly implemented unit testing, as in SQLite, improves quality greatly. When bugs are found though, full disclosure and prompt fixes are the best possible response, so I agree with Hipp’s general approach here.