Enter webhooks
From igvita.com:
"With all the recent buzz about real-time web, surely this is the year XMPP/AMQP Publish-Subscribe (PubSub) makes it to the big leagues! Or maybe not. Ejabberd (XMPP), RabbitMQ (AMQP) and other pubsub server implementations have come a long way but they remain cumbersome to setup and maintain, and perhaps more importantly, the clients require special libraries and a steep learning curve. That is not to say that either XMPP or AMQP are doomed for failure, in fact, they will continue to thrive, but there is a great case for a simplified PubSub implementation to cover the ad-hoc cases where a dedicated TCP channel might be an overkill: enter Webhooks.
The best part about Webhooks is that most of us are already familiar with them: callbacks over HTTP. Pioneered by PayPal and Subversion as a way to send real-time notifications to the client, they have found their way into many dozens of products we all use every day. Need pre or post commit hooks for your SVN or Git repository? Both GitHub and SVN support HTTP callbacks. Need a payment alert from PayPal, or an alert when a wiki page is modified? There are webhooks for that too. This simple mechanism allows us to build web services that work together via a simple and ubiquitous protocol we can all understand: HTTP!"
Elliptics Network 2.5.0 has been released
[Elliptics Network 2.5.0] has just been released.
"This is a major milestone in the elliptics network roadmap. System got full support of all essential operations needed for the fully self-contained distributed hash table storage creation.
Elliptics network is an object based distributed storage which supports different kinds of object replication, data deduplication, high-level file-based API and low-level object-based one. All logically complex parts are hidden behind provided API including failover connection processing, routing table maintenance, joining and synchronization protocols, merge strategies and IO itself.
Example applications contain a full-featured IO server and client capable of data replication and parallel reading and failover processing, system statistics gathering tool, notification receiver and history dump utility."
I'm dying to give it a try.
PHP-FPM might get merged into PHP
If you're running a highly loaded web site powered by PHP, you must be using php-fpm, aren't you?
While new releases of php-fpm always immediately follow PHP releases, it's still a PITA to always patch the PHP source code at every release.
How come php-fpm hasn't been merged into PHP in the first place? The main reason is an incompatible license. Or rather... was.
Andrei just announced that the license of php-fpm had been changed. It's now the PHP license, and php-fpm can now technically get officially merged into PHP.
Here's a relevant post of the High-performance PHP group.
PHP is still going to suck, but faster :)
Stealing your browser history without Javascript
Here is a cool demo of a clever technique that displays your browser history without using Javascript. Yep, without a single line of Javascript.
Well done.
Bayon, a fast clustering tool
Just released: Bayon, a simple and fast hard-clustering tool, with support for repeated bisection clustering and K-means clustering.
Feed him a list of documents, optionally with weighted terms, ask for any number of groups you want it to output, and Bayon will do its best to assign documents to groups.
That kind of tool can bring a lot of benefits to Ning-like web sites, forums, etc.
And it seems to work just as advertised.
Yet another gem by Mixi.
Yet some more good presentations
Presentations of the Los Angeles Ruby Conference 2009 are now online.
Here are my picks:
- Resource-oriented architectures, and Google Waves
- Scaling 'most popular' lists - a very common issue
- Mobilize your Rails app
- Flying Robot: Unmanned Aerial Vehicles Using Ruby and Arduino
- Johnson - is it Javascript, is it Ruby, or? WTF?
- PoolParty
Embracing events
Straight from Railswaycon 2009, here's a great presentation about event-driven and fibers-driven development: Embracing events in Ruby. Neverblock is amazing!
Python zealots can also read the Python counterpart.
Meanwhile, PHP zealots can keep swearing by PHP 6, that's gonna introduce innovative brain-blasting technology: unicode support (woah!) and basic "goto" support (re-woah!).
Coroutines put an end to latency in SOA and database-driven apps, where apps keep being stupidly stuck waiting for a remote server to answer instead of keeping the ball rolling.
As demonstrated in this presentation, web developers still have loads to learn from games coders. But it seems to sink in slowly.
ICANN to open up the TLD namespace
It was just announced that the following TLDs are likely to emerge soon:
- .RADIO
- .ECO (Ecological)
- .GREEN (Ecological)
- .MOVIE (Movie/Film Industry)
- .FAM (Family)
- .MUSIC (Music)
- .HEALTH (dot health)
- .SPORT (dot Sport)
- .INDIGI (for indigenous peoples)
- .NYC (New York City)
- .BERLIN (Berlin Germany)
- .PARIS (Paris France)
- .BZH (Brittany, a region in France)
- .ENG (England, a kingdom in the U.K.)
- .GAL (Galicia, a region in Spain)
- .MED (Mediterranean)
- .LLI (Leonese Language and Leonese Culture)
- .GAY
- .WEB
- .POST
- .MAIL (for emails and to control spam)
- .GEO (generic geographical locations)
- .XXX (Adult Entertainment)
- .BCN (Barcelona)
- .LAT (Latin America)
Are those really useful or is it just a way for the ICANN to make a quick buck?
A sneak peek at the Google IO conference
Some videos of what happened at the Google IO conference are now online.
Wave really looks like a giant step forward.
Side note about spam prevention in Wave: "In the press conference right after the keynote, a reporter asked about spam prevention. Lars Rasmussen responded that it hasn't been given much thought yet, since it is a closed developer's preview for now, but also mentioned that most likely Wave would use a whitelist option, where you'd have to add a friend/coworker before they could send/invite you to Waves."
Meanwhile, Microsoft just launched a real-time focused version of IE8 using OneRiot components.
UCARP 1.5.1
A new release of UCARP is now available for download.
As a workaround for some OS / setups, that new version adds an option (--nomcast) to use broadcast advertisements instead of multicast.
Thanks a lot to Steve Kehlet and Juan Antonio for bringing in and testing that new feature.
Hardening MacOSX against the Java vulnerability
Marc Schoenefeld writes:
"regarding the OSX java threat CVE-2008-5353 you can either join the current panic, or fix the issue in five minutes yourself.
If you belong to the second group of people you can follow the steps listed here, and also on http://www.illegalaccess.org
Basically the approach takes non-vulnerable classes from a fixed java version (like sun jdk 1.5.0_18) and makes it available to the OSX java class loader, which then fixes the issue. It is a non-intrusive fix, so it does not impair any patch (if any) that apple will roll out.
- Get the src.zip of a recent non-OSX java distribution (like Sun Java 5/JDK 1.5.0_18 for Linux)
- unzip src.zip java/util/Calendar.java
- javac java/util/Calendar.java
- zip /somepath/FixedCalendar.jar java/util/Calendar*.class
- In ~/Library/Caches/Java/deployment.properties set option deployment.javapi.jre.1.5.0.args=-Xbootclasspath/p\:/somepath/FixedCalendar.jar
- Start up a browser, browse to http://www.java.com/en/download/help/testvm.xml, see the dancing duke, open Java Console, press s, you should now see FixedCalendar.jar in the sun.boot.class.path
- If you are brave, try the PoC exploit on http://landonf.bikemonkey.org/static/moab-tests/CVE-2008-5353/hello.html, it should give you a bootstrap failure now"
New benchmarks of Elliptics Network published
Elliptics Network is a fault-tolerant distributed hash table object storage, made by the genius who already brought us POHMELFS.
A new benchmark of Elliptics Network has been published, and it demonstrates its parallel scalability.
Pretty good. Elliptics Network is yet another project to keep an eye on.
Rados, from the Ceph project is also moving on, btw, but it's still not production-ready yet.
Slides and videos from MWRC2009
The slides and videos of the MountainWest event are now available.
Some very interesting stuff in here.
Even if you don't have any Ruby skills, I'd really suggest you have a look at these presentations. Some of the technologies described here can be very helpful for building modern applications, regardless of the language they are built in. And these are for sure technologies people will swear by in a few years.
Here are some picks:
- Modern SQL-free databases: Redis and its competitor, MongoDB - two excellent presentations.
- Vertebra - Practical cloud computing. That presentation really wowed me. Vertebra makes traditional architectures really look like dinosaurs.
- Improving the usability, ie. improving the user experience of web sites and applications with intuitive interfaces.
- In a World of Middleware, Who Needs Monolithic Applications? - Rack
- Machine learning - We can learn from that one, too.
- Rhodes - a great framework for building mobile applications on iPhone, BlackBerry, Symbian, Android, and Windows Mobile devices
- Behavior driven development
- Event Machine - some advanced tricks
- FFI - libffi is a really cool way of writing extensions.
Pinba: a real-time statistics server for PHP
Just saw that one on the highload PHP list:
Pinba is a realtime statistics server for PHP.
It is a daemon gathering information sent by PHP processes by UDP. It is used at Badoo.
It accumulates and processes data sent over UDP by multiple PHP processes and displays statistics in a nice human-readable form of simple "reports", also providing read-only interface to the raw data in order to make possible generation of more sophisticated reports.
With Pinba extension users also can measure particular parts of the code using timers with arbitrary tags.
Here's a link to the Pinba manual
A critical vulnerability in IE8
SecureThoughts.com has disclosed a frightening vulnerability in Internet Explorer 8: Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection.
That one is similar to an important issue that already affected Firefox and IE7.
But it looks like it hasn't been fixed for good. If a web page doesn't specify a charset, the browser can be tricked into loading it with the charset of a malicious web site. And the deal is that UTF-7 doesn't encode characters like brackets the same way as ASCII, UTF-8 or Latin charsets. If the browser renders a page as UTF-7 while the server-side XSS-prevention mechanisms aren't aware that UTF-7 is what the page was loaded as, those mechanisms just become pointless, opening wide XSS holes.
Just read the scary details on the SecureThoughts web site.
And double check that every page you serve explicitly sends a charset.
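To make that check concrete, here is an added example (not code from SecureThoughts or from this post): it shows why an HTML-escaping filter sees nothing to escape in UTF-7 text, and audits response headers for a missing charset. The function names, the harmless `<b>` sample and the response list are assumptions constructed for the illustration.

```python
import html
from email.message import Message

# Constructed sample: harmless markup written in UTF-7 ('<' is "+ADw-", '>' is "+AD4-").
UTF7_SAMPLE = "+ADw-b+AD4-hello+ADw-/b+AD4-"

def survives_escaping(user_input):
    """True if HTML-escaping leaves the input unchanged (nothing looked dangerous)."""
    return html.escape(user_input, quote=True) == user_input

def as_seen_by_browser(body, charset):
    """Decode the served bytes the way a browser using `charset` would."""
    return body.encode("ascii").decode(charset)

def declared_charset(content_type):
    """Return the lowercased charset parameter of a Content-Type value, or None."""
    if not content_type:
        return None
    msg = Message()
    msg["Content-Type"] = content_type
    return msg.get_content_charset()

def audit(responses):
    """Return the paths that leave the charset for the browser to guess."""
    flagged = []
    for path, headers in responses:
        ctype = headers.get("Content-Type")
        if ctype is None:
            flagged.append(path)  # no Content-Type at all
        elif ctype.lower().startswith("text/html") and declared_charset(ctype) is None:
            flagged.append(path)  # HTML served without an explicit charset
    return flagged

# Constructed sample of (path, response headers) pairs.
SAMPLE_RESPONSES = [
    ("/", {"Content-Type": "text/html; charset=utf-8"}),
    ("/search", {"Content-Type": "text/html"}),
    ("/logo.png", {"Content-Type": "image/png"}),
    ("/legacy", {}),
]

if __name__ == "__main__":
    print("filter leaves sample untouched:", survives_escaping(UTF7_SAMPLE))
    print("rendered as utf-8:", as_seen_by_browser(UTF7_SAMPLE, "utf-8"))
    print("rendered as utf-7:", as_seen_by_browser(UTF7_SAMPLE, "utf-7"))
    print("pages to fix:", audit(SAMPLE_RESPONSES))
```

With an explicit charset in the header the browser never has to guess, so the escaped output and the rendered output stay in the same encoding.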