Archive | OpenSource

Open Source means that users have the freedom to see how software works, adapt it for their own needs, fix bugs and limitations, and contribute back to the community.

What’s on your network?

This ZDNet article points to a serious remote code execution flaw in Samba, the open source implementation of Microsoft’s SMB file sharing protocol (“Windows networking”). The bug is in Samba’s own code rather than inherited from Windows, but the exposure to an office network is much the same as the recent Windows SMB flaws:

http://www.zdnet.com/article/its-not-just-windows-anymore-samba-has-a-major-smb-bug/

See also:

https://access.redhat.com/security/cve/CVE-2017-7494

This means that an old Samba server on your network could be misused as a vector for malware: an attacker who can write to a share can get code running on the server itself, and from there reach the local Windows machines. Over the weekend, I went through and cleaned out, updated, reconfigured, or blocked access at some of my client sites.
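As an added example (mine, not from the post or from the Samba project), here is a small triage script for the kind of old Samba box described above. It reads the version string that `smbd --version` prints plus the text of smb.conf, applies the fixed-release numbers from the Samba advisory for CVE-2017-7494 (4.4.14, 4.5.10 and 4.6.4; every release from 3.5.0 onward is affected), and checks for the advisory’s `nt pipe support = no` workaround. The inputs in the block are constructed. Two caveats a practitioner should keep in mind: distributions backport fixes without changing the upstream version number, so a “vulnerable” verdict from the version alone has to be confirmed against the package changelog; and the workaround blocks named pipe access entirely, which breaks some Windows client functionality, so it is a stopgap until the upgrade.

```python
"""Triage a Samba host for CVE-2017-7494 from its version string and smb.conf.

Added example, not from the post. Fixed-release numbers and the
'nt pipe support = no' workaround are those published in the Samba
security advisory for CVE-2017-7494; the inputs below are constructed.
"""
import re

FIRST_AFFECTED = (3, 5, 0)          # every release from 3.5.0 onward is affected
FIXED_BY_BRANCH = {                 # first fixed release on each maintained branch
    (4, 4): (4, 4, 14),
    (4, 5): (4, 5, 10),
    (4, 6): (4, 6, 4),
}


def parse_version(text):
    """Extract (major, minor, patch) from `smbd --version` output such as
    'Version 4.4.5-Ubuntu'. Raises ValueError if no x.y.z is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in m.groups())


def nt_pipe_support_disabled(smb_conf):
    """True if the [global] section sets 'nt pipe support = no' (or false/0).

    Minimal smb.conf reader: sections in [brackets], '#' or ';' comments,
    'key = value' lines, keys case- and whitespace-insensitive. The
    parameter is global-only, so a copy inside a share section is ignored."""
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if " ".join(key.lower().split()) == "nt pipe support":
            return value.lower() in ("no", "false", "0")
    return False


def assess(version_text, smb_conf):
    """Classify the host: 'unaffected', 'patched', 'mitigated' or 'vulnerable'.

    Caveat: distributions backport fixes without bumping the upstream
    version, so a 'vulnerable' verdict from the version alone must be
    confirmed against the package changelog."""
    version = parse_version(version_text)
    if version < FIRST_AFFECTED:
        status = "unaffected"
    elif version >= FIXED_BY_BRANCH[(4, 6)]:
        status = "patched"              # 4.6.4 and every later release/branch
    elif version >= FIXED_BY_BRANCH.get(version[:2], (9, 9, 9)):
        status = "patched"              # fixed point release on 4.4 or 4.5
    elif nt_pipe_support_disabled(smb_conf):
        status = "mitigated"            # named pipes blocked; upgrade still due
    else:
        status = "vulnerable"
    return {"version": version, "status": status}


if __name__ == "__main__":
    # Constructed inputs standing in for `smbd --version` and /etc/samba/smb.conf
    # on an old NAS box.
    SAMPLE_VERSION = "Version 4.4.5-Ubuntu"
    SAMPLE_CONF = (
        "[global]\n  workgroup = WORKGROUP\n  nt pipe support = no\n"
        "[media]\n  path = /srv/media\n"
    )
    print(assess(SAMPLE_VERSION, SAMPLE_CONF))
```

Run it on each box with the output of `smbd --version` and the contents of its smb.conf; anything that comes back “vulnerable” or “mitigated” goes on the upgrade-or-retire list.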

I also took a long look at our in-house dev network for stuff that could be a problem and found a couple of issues:

– An old Western Digital NAS device was running an *ancient* version of Linux and Samba, and unfortunately is no longer supported by the manufacturer (last update, 2012). In addition to basic SMB file serving, it supplied media streaming over various protocols and offered FTP (turned off). Despite being in fine shape, mechanically and electronically, I had to turn it off, because, even though the source code is available (yeah, GPL), cross-compiling and rebuilding an ARM build of a 2.6-series kernel and its utilities into a modern version, and getting it to work on an unsupported device, is more effort than I have time for.

– A couple of our networked printers shipped from the factory with all their protocols turned on, whether configured and in use or not: SNMP, web server, SMB, FTP, tftp, LPD, raw port, IPP, AirPrint, Web Services, Google Cloud Print, SMTP, mDNS and LLMNR, several of which I had to look up. Surely, there could be no flaws there! And, to boot, two of them were running older versions of firmware, also worth updating.
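The printer list above is a reminder to inventory what is actually listening rather than trusting the admin page. Here is an added example (mine, not the post’s) that does a plain TCP connect against the TCP ports behind those protocols and flags the ones that should be off; the UDP services (SNMP, tftp, mDNS, LLMNR) need a UDP probe and are left out. Which services “should be off” on a print device is an assumption for this example, so adjust the set for your site, and run it only against devices you are responsible for.

```python
"""TCP service inventory for a printer, NAS or other appliance on your own LAN.

Added example, not from the post. Which services 'should be off' is a
judgment call for your environment; the set below is an assumption.
Only scan devices you are responsible for.
"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# TCP ports behind the protocols the printers advertised. SNMP (161), tftp (69),
# mDNS (5353) and LLMNR (5355) are UDP and need a different probe; they are
# left out here.
DEFAULT_SERVICES = {
    "ftp": 21,
    "smtp": 25,
    "http": 80,
    "smb/netbios": 139,
    "https": 443,
    "smb/direct": 445,
    "lpd": 515,
    "ipp": 631,
    "raw/jetdirect": 9100,
}

# Assumption for this example: on a print device, none of these should be
# reachable from the office LAN.
SHOULD_BE_OFF = {"ftp", "smtp", "smb/netbios", "smb/direct"}


def port_open(host, port, timeout=1.0):
    """Full TCP connect; True only if the three-way handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:           # refused, timed out, unreachable, ...
        return False


def inventory(host, services=None, timeout=1.0, workers=8):
    """Map service name -> open? for one host, probing the ports in parallel."""
    services = DEFAULT_SERVICES if services is None else services
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = pool.map(lambda port: port_open(host, port, timeout), services.values())
        return dict(zip(services.keys(), flags))


def findings(inv, should_be_off=SHOULD_BE_OFF):
    """Names of services that are open but on the should-be-off list."""
    return sorted(name for name, is_open in inv.items() if is_open and name in should_be_off)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    inv = inventory(target)
    for name, is_open in sorted(inv.items(), key=lambda kv: DEFAULT_SERVICES[kv[0]]):
        print(f"{DEFAULT_SERVICES[name]:>5}/tcp  {name:<14} {'open' if is_open else 'closed'}")
    print("needs attention:", ", ".join(findings(inv)) or "nothing on the watch list")
```

A connect scan only tells you a port answers; a “closed” result can also mean a firewall between you and the device is dropping the probe, so compare the output against the printer’s own protocol settings page and against what the firewall rules say should be reachable.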

I am a strong skeptic of the IoT marketing that drops devices into your home or office network that talk to “the cloud” and can be run from your cellphone, or likely anyone else’s. Unlike PCs, with their firewalls, intrusion detection and malware scanners, and unlike intentionally secured devices such as routers, IoT devices are trying to “Just Work,” and security might not be in mind.

I knew this was the case for things like “Smart” TVs and voice-recognition devices, but it hadn’t dawned on me that printers would also be in that category.

Be careful out there.

Please stay on the line, as calls are answered in the order in which they are received

Astute fans may have noticed the site seems to be having a little trouble. Yup. The site became non-responsive the morning of 20-Nov-2014, and the usual actions had little effect. There were few clues in the logs or in the diagnostics easily pulled from the software. To get up and running quickly, I did the famous “WordPress 5 minute Install” and restored the essential configuration. I’ll be restoring the usual theme, fonts, plugins and assets (pictures, links, videos, etc.) from backups as time allows.

Thank you for your understanding.

Notes from Feb 25th Web Dev Meeting: Brian Cardarella on Ember.js

The Portsmouth Web Dev meetup is hosted at Alpha Loft in Portsmouth. This month there were two meetings: Ember on the 25th and lightning talks on the 26th. The first, on the 25th, featured Brian Cardarella of dockyard.com giving the main presentation on Ember.js.

Brian started with a bit of a history lesson. Ember spun off of SproutCore from Strobe. SproutCore 1.0 suffered from the slow (at the time) JavaScript runtimes and overly complex UI widgets, resulting in a poor user experience. The 2.0 branch was started, and Yehuda Katz (core contributor to Rails, jQuery and more) and Carl ??? pushed off the UI elements to focus on the core and on speed.

The run loop is the core event loop engine of Ember, and code in Ember can enqueue new items onto the loop, which continues to loop as long as there are items to be processed. There is great documentation in the Ember Guides, and a good video overview. Brian suggests that the Ember Starter Kit is just that, a good way to get started, but likely not appropriately robust for a professional application.

Enough background; we jumped into http://ember.jsbin.com/ and Brian commenced live coding in Ember to demonstrate how the Ember application essentially hooks into the body tag of the DOM and can read and write elements from there. He showed how actions could be triggered by observed changes, and that setters and getters were required for property manipulation.

Ember has its own form of MVC (doesn’t everything?), where Models are business-rule containers and Controllers are contexts in which your interactions with models occur, essentially acting as proxies. Views are nearly deprecated, as their functionality is being replaced with HTML5 Web Components (there’s currently a polyfill for these called Polymer). Routes are similar to Rails, with nesting. URLs can be considered the state manager for an Ember app, so two users see the same thing at the same URL, unlike in some other JS frameworks. There is an Ember Inspector for Chrome and Firefox that allows you to dive deep into the View Tree, Routes and Data for debugging. Excellent peer support is available on IRC at emberjs and emberjs-dev.

Brian and Dockyard have built Ember-AppKit-Rails as a gem to create a shared directory for an Ember app and its Rails backend. Note this is Very Beta, Somewhat Experimental and may be abandoned. You have been warned. Brian explained there are not yet any best practices worked out, so different approaches have been tried. Side-by-side projects where the two are separate may turn out to be a better design; Brian is looking at Ember AppKit [Update: deprecated, but URL updated for reference]. Ember is designed to deal with different backends, depending on their API syntax. The one he was using was ActiveModelAdapter, built to work with Rails.

An excellent question: “Where do you do validation?” And the answer: pretty much everywhere. Brian is the author of ClientSideValidations and has some experience with this. He tried something similar with Ember but points out that the contexts of the front end and the backend can be so different that the validations aren’t necessarily the same.

Brian then proceeded to do a demonstration of an under-development project by Dockyard and even in its early stages, it appeared pretty promising.

Brian recommended downloading Ember, reading through the Guides, and taking some time to learn the components. Promises are a key element to the Ember framework and are worth reviewing; ECMAScript 6 will have promises built in. Handlebars, the templating language, is expected to be replaced by HTMLBars in the next major revision. Best practices and calling conventions (especially error/exception/validation handling) are still up in the air; check out JSONAPI.org for some work on this front.

So, we had an action-packed, fact-filled, acronym-filled session with a lot of good material and an excellent overview of the state of Ember and its promising future. Thanks to Brian for speaking and to Josh Cyr, Alpha Loft proprietor, for hosting!

Happy Birthday, iMac


My iMac is celebrating its 10th birthday today. Laura and I purchased the machine on 2/3/4 and were immediately enchanted. Here’s the launch video with Jony Ive, Phil Schiller, Annie Leibovitz, Seal, Francis Ford Coppola and a great soundtrack:

http://www.youtube.com/watch?v=ZWGuUkYZYIE

That was great, and I loved the commercials, too.

While the iMac is no longer safe to keep attached to the internet (its PowerPC CPU limits it to OS X 10.4), the machine still serves in a place of honor in the workout room, powering videos and music for our workouts and serving as a backup DVD burner.

CDN Syncing!

Detective Work

So, I rolled up my sleeves and dug into the web server logs and the code of the CDN synchronizing tool. I found the GitHub site where the code came from, forked the code and created a branch with a couple of different attempts at fixing it. On my third attempt, I seem to have a working hourly sync run using the WordPress pseudo-cron functionality. I’ll bundle up my changes and offer a pull request to the upstream developers so they can have the changes as well.

Blog optimization update: WordPress, CDN, Speed, Caching, Accessibility

Keep Calm and Clear Cache

I’ve continued to do some research on optimizing the blog responsiveness, and I’m pleased with the results. Anecdotal tests this morning, with no local caching, showed a 2 second load time with a 1.2 second DOMLoaded event. That’s pretty good. Here are a few notes on things I’ve been working on:

  • Google’s PageSpeed Tools offered some helpful insights.
  • Minifying some of the text assets – HTML, CSS, and JavaScript – is working well, though I’d like to be able to toggle this more easily for debugging.
  • Using Rackspace CloudFiles as a CDN with WordPress lacks a good automated tool on the WordPress side to keep the CDN copy synced with changes. I’ve been using the SuperCache plugin for local speedups, and it supports a variety of CDNs. The CDN-Sync-Tool plugin is no longer available on the WordPress.org site, and several forks on GitHub all seem to be out of date. It’s unclear, so far, where the problem is. The WP cron jobs are failing; whether that’s an internal configuration problem or unsupported calls to an old API, I haven’t worked out yet. Next time I try this, I’ll look at some deeper pilot testing of CDNs with better WordPress support.
  • Inspired by “Why Bother with Accessibility?” by Laura Kalbag, part of the excellent 24ways series, I did some initial accessibility testing. The WAVE Web Accessibility Evaluation Tool tests your site for accessibility, an essential feature these days. Accessibility makes your site more understandable and easier to navigate for all users. Disabilities aren’t someone else’s problem; they are a state we will all pass through at one stage or another. There are a few glitches in my templates that I will work to rectify. A larger problem is the observation that my style choices have led to a rather low-contrast site.

Using SQLite to Bypass the 2 GB .DBF Filesize Limit


The Hentzenwerke site has been updated, crediting me with editing Whil’s latest ebook, “Using SQLite to Bypass the 2 GB .DBF Filesize Limit.” Whil posits an interesting problem: how to work around the FoxPro 2-gigabyte DBF file limit when the client’s import file balloons in size? In this case, the problem was not that the data had exceeded the limit, but that additional data was included within the import file; more haystack hiding the needles. His solution was to use SQLite as an intermediate step, load in the bloated data, and then cherry-pick the few columns that really needed to be imported for this application. Sample files, instructions on working with SQLite, and example code of importing the SQLite data into VFP are included.
I volunteered to go over his first edition of the ebook and provide a technical review and light edit. I added a few suggestions for alternative techniques, poked at his prose when it got a little awkward, and tested his code and found a few typos. He, in turn, was gracious enough to roll his eyes and ignore my comments. I appreciate him giving me credit as editor on the book.
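To make the staging technique concrete, here is an added example using Python’s sqlite3 module (mine, not code from the ebook, which works in VFP); the export and the column names are constructed. The point worth carrying over from a security angle: header names from the import file become SQL identifiers and cannot be bound as parameters, so they are escaped as quoted identifiers, while row values and filter values are always passed as bound parameters rather than pasted into the statement.

```python
"""Stage an oversized delimited export in SQLite and pull out only the columns
the application needs, instead of importing the whole file.

Added example, not from the ebook or the post. The export below is constructed;
column and table names are assumptions. Header names are SQL identifiers and
cannot be bound as parameters, so they are double-quote escaped; row values and
filter values travel as bound parameters.
"""
import csv
import io
import sqlite3

# Constructed sample: a few columns matter, the rest is bulk the client tacked on.
SAMPLE_EXPORT = """\
cust_id,name,balance,notes,audit_blob,region
1001,Acme Widgets,2500.00,"net 30, calls on Monday",0f3a9c11d2,NE
1002,Bolt & Nut Co,75.50,,77b2e1aa90,SE
1003,Cogs Unlimited,0.00,inactive,c0ffee4455,NE
"""
WANTED = ["cust_id", "name", "balance"]


def quote_ident(name):
    """Escape a column/table name as a SQL identifier (embedded '"' doubled)."""
    return '"' + name.replace('"', '""') + '"'


def stage(reader, conn, table="staging"):
    """Load every column of the export as TEXT into `table`; returns the header."""
    header = next(reader)
    cols = ", ".join(f"{quote_ident(h)} TEXT" for h in header)
    conn.execute(f"CREATE TABLE {quote_ident(table)} ({cols})")
    marks = ", ".join("?" * len(header))
    conn.executemany(
        f"INSERT INTO {quote_ident(table)} VALUES ({marks})",
        (row for row in reader if row),     # skip blank lines
    )
    return header


def cherry_pick(conn, wanted, table="staging", where=None):
    """SELECT only `wanted` columns; `where` is (sql_fragment, params) or None."""
    sql = f"SELECT {', '.join(quote_ident(c) for c in wanted)} FROM {quote_ident(table)}"
    params = ()
    if where is not None:
        sql += f" WHERE {where[0]}"
        params = where[1]
    return conn.execute(sql, params).fetchall()


def slim_import(text, wanted, where=None):
    """CSV text -> rows holding only `wanted` columns, via an in-memory SQLite DB.

    For a multi-gigabyte file, open a reader over the file and connect to an
    on-disk database instead of ':memory:'; the flow is identical."""
    conn = sqlite3.connect(":memory:")
    try:
        header = stage(csv.reader(io.StringIO(text)), conn)
        missing = [c for c in wanted if c not in header]
        if missing:
            raise ValueError(f"columns not in export: {missing}")
        return cherry_pick(conn, wanted, where=where)
    finally:
        conn.close()


if __name__ == "__main__":
    for row in slim_import(SAMPLE_EXPORT, WANTED, where=("region = ?", ("NE",))):
        print(row)
```

Everything is staged as TEXT on purpose: the staging table is a parking lot, and type conversion belongs in the final import step where the target schema is known.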

Notes from Seacoast WordPress Developers Group, 4-Dec-2013

Seven people attended the December meeting of the Seacoast WordPress Developers group, held at the AlphaLoft coworking space in Portsmouth, NH. The main topic was “Best Business Practices,” which was a great topic but, as always, the conversations and networking and recommendations that went on around the main topic were also very helpful and informative. Among those tidbits:

  • The Ewww image optimizer can reduce the size of images and speed webpage loading with minimal quality change.
  • Matt Mullenweg delivers an annual “State of the Word” speech with lots of interesting insights.
  • Open question: What topics would YOU like to learn about? The group is about YOU. How can we get YOU to attend?
  • Which SEO plugins are people familiar with? WordPress SEO by Yoast was the most-mentioned.
  • Question on speeding sites, and a recommendation for the P3 Plugin Performance Profiler

On to the main topic: “Best Business Practices” can easily degenerate into a “Client Horror Stories” session. Kudos to organizer Amanda Giles for keeping a tight rein on the discussions and getting us to focus on covering as much as possible. Andy provided a redacted proposal he had written up for a client and we reviewed and discussed it. There was a lot of good back and forth. Andy had some very insightful items in his proposal that made it clear what the client would see at each phase, what items were optional or deferred to a later project phase, and how client decisions could affect the outcome in terms of schedule and cost. This was a great launching point for a lot of discussion on terms, contracts (my stance: pay a lawyer for a few hours to draft a good contract!), how to handle open-ended items like design reviews and never-ending revisions, terms for stock photos and graphics, and so forth. The discussion was very worthwhile and everyone felt they had their questions answered and learned a few new things. What more can you ask of a meeting?

Our next two meetings are scheduled for TUESDAY (not the normal meeting night) January 7th and Wednesday, February 5th. Please consider joining the Meetup group to keep up on the details on upcoming meetings.

rbenv on Fedora 19: for want of a nail,…

… a kingdom was lost.

Fortunately, I don’t have a kingdom at stake. My tale is more like the House That Jack Built. I had to spend a little time building the tools to build the code to build the language upon which I build solutions for clients. And the path was strewn with gotchas, but I persevered. Since I’ll likely need to do it again some day, I’ll record it here in hopes I can retrace my patch, er, path.

I’ve installed Fedora 19 on my main development laptop, replacing an older Mint 12 install that had gotten too old to maintain easily. I’ve spent some time updating and configuring the machine in my spare time. With Firefox already installed, Chromium was an early addition. Thanks to syncing, these browsers retain the history and passwords of the sites I spend all day on. I moved over my ssh keys and configurations and vim configurations and installed git, and the basic development setup is ready to go: most of my coding occurs on remote systems. Next came Apache and PHP in order to develop locally. Finally, I started on Ruby and Rails. Here, I took a tangent from past installs and installed rbenv rather than RVM, the Ruby Version Manager. I have seen problems with RVM and the 2.0 version is coming along slowly. In the meantime, Bundler has come along and solved a number of problems with gems, gemsets and disk clutter, but in a different way that is incompatible with RVM. I thought that this was a good opportunity to inform myself of a new tool, should I run across it on a new gig. Also, I had seen a Drew Neil videocast in his VimCasts series recently where he showed some very useful tools, but rbenv was a prerequisite. Due to the way RVM works, rbenv can’t be installed side by side with it, so I had to remove RVM. No time like the present!

However, there’s a catch. Isn’t there always? Fedora 19 uses a version of OpenSSL which is configured differently than what used to be typical. I am no crypto expert, but I understand they disallowed some form of elliptic curve (EC) encryption. Ruby, as part of its build process, tests for that specific functionality, so builds will break on Fedora 19 (and recent Red Hat, too). There is a fix in the pipeline: https://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/41808, which changes the behavior from requiring this specific form of encryption (which wasn’t really required; it was just a poorly chosen hard-coded test) to confirming that some EC algorithms are available by iterating through them. So now I knew there was a fix; I just had to figure out how to wedge it into my system. Thank goodness for internet search engines! Here, http://philippe.bourgau.net/how-to-install-a-patched-ruby-interpreter-wit/ , was a similar enough situation that I could interpret the process for my system, with different version numbers, of course, and a few tweaks. After a few false starts, I had my own custom patched versions of Ruby 2.0 and 1.9 installed and ready to go.

It may not be clear why I didn’t just install the version of Ruby that comes with Fedora 19. At the moment, that version is the same (p247) as the current version, but as a developer, I don’t want to have to count on the distribution to keep their versions up to date in order to have the most recent version on my systems. Since I’ll be deploying systems into production, and therefore exposed to potential attack from the internet, I need to have the ability to build from the latest source code and to apply patches as needed. This provides the best possible security to my clients for this app. I also need to support older versions, so having worked out the recipe for 2.0, I was able to backport the same changes into Ruby 1.9.3 and install that on the system as well. At the moment, I don’t have any need for Ruby 1.8.7, but now that I’ve worked out the build routine, I’m confident I could deploy that if needed.

Linux printing on a Lexmark E312L via IOGear GPSU01 print server

Just updated the Lenovo ThinkPad T61 to Fedora 19, and it went pretty smoothly. I alternate between two distros on separate partitions, so one can act as the recovery partition for the other, and as a general fall-back. I can pretty much bulk-copy most of my home partition from one to the other and the fresh install will update what’s changed, while I can still retain much of the customization I’ve done.
In this case, I was updating from Linux Mint 12, which had gotten too old to keep up to date. I was replacing an even older Fedora 16 install. The initial versions of Fedora with GNOME 3 had just proven too unstable to rely on as my primary development workstation. This new Fedora 19 install put most of the daily tools on the machine, and I’ve been installing utilities (vim, vim-X11, GIMP, ack) as I found the need for them.
One of the things that’s better to just redo from scratch is the printing configurations, as the Ubuntu-based Mint and RedHat-related Fedora part ways in this and several other aspects of running an OS. Both are running CUPS, but that’s about as far as it goes.
My laser is an old Lexmark E312L which has its own interesting story: the ‘L’ model was supposed to be Lightweight or Lame or something, sold cheaply in office supply stores, a weaker sibling of the 312 model, with a half-filled toner cartridge and limited to HP PCL with no PostScript, but it seems that Lexmark had some issues and just slip-streamed the full 312 engine, PostScript and all, into the L models. The only clue is the internal diagnostics you can run by holding down the reset button on startup. Finding the PPD to run that was a bit tricky, but here’s the one that worked for me: PPD page at OpenPrinting.Org. Lesson learned: don’t judge a printer by its cover.

IOGear GPSU01 print server, decade-old and humming along.

The print server is another thing. The Lexmark only came with parallel and USB ports, so to host it on a network, I bought an IOGear GPSU01 print server over a decade ago. That wild $60 extravagance doesn’t seem so crazy now, after a decade of nearly flawless printing. It serves up nearly every protocol under the sun, from Apple File Sharing to Novell (remember them?) to its own HTTP and CUPS servers. The trick with this one was to remember which of the myriad protocols and settings to choose. I found a blog post that set me on the right track, and learned that the optimal settings for my use were to address the printer using the Internet Printing Protocol and the CUPS port, as ipp://laser.in.tedroche.com:631/lp1. With those clues in hand, a couple of tweaks to my localhost:631 (my local CUPS server admin interface) and I was printing flawlessly.


This work by Ted Roche is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States.