Archive for April, 2002

Please Don’t Vandalize The Wiki

April 13th, 2002 No comments

Dive Into OS X has relaunched, now with a wiki. Mark writes:

“The biggest conceptual hurdle of wikis is that there is absolutely no access control. Anyone could, in theory, sabotage the wiki … The only solution for this is community self-policing; thanks to the built-in revision history, deleted material can always be recalled, so inappropriate changes can be undone (by anyone). Of course, none of my readers would be so obnoxious, and in fact, several high-profile wikis that have run for years (like the Portland Pattern Repository) have had surprisingly few problems with vandals. Vandalism, like copyright infringement, is a social problem. Please don’t vandalize the wiki.”


Why Free Software usability tends to suck

April 13th, 2002 No comments

I’ve found myself trying to explain #5 (“Because they are hackers, they are power users, so the interface design ends up too complicated for most people to use.”) too many times over the last few years.


Doing More With Less

April 13th, 2002 No comments

The schedule for The Perl Conference 6 has been announced. And, for me at least, it’s a disappointment.

When the Call For Participation was put out, the theme was announced as “Doing More With Less”. The heavy focus on Perl 6 and Parrot this year seems only to meet this if we take “less” to mean “not yet available”. I’ll be surprised if Perl 6 is in existence by TPC 7. At one level I’m looking forward to its arrival, but I don’t believe it’s anywhere near time to start making the lead talks of a conference.

For whatever reason there also doesn’t really seem to be very much else at the conference I’d really want to hear. Over on London.pm, my criticism of this led Randal Schwartz to challenge me to describe what I would want to see.

I thought about it for a day, and came back with the following. It’s not enough to build a whole conference around, but it shows the sorts of things that would have enticed me to go:

Doing More With Less Money

The obvious one for an Open Source conference. What are the open source equivalents to big dollar approaches? Some of this exists in the conference (an overview of the perl content management systems etc), but I’d have expected more (I’m surprised there isn’t something on RT, with its recent introduction as the bug-reporting arm of CPAN).

Doing More With Less Skill

(or some more ‘politically correct’ version of this that wouldn’t have made people think that attending was the equivalent of being seen with a shelf full of “… For Dummies” books.)

A lot of modules on CPAN have quite complex and arcane interfaces which provide you a lot of power, as long as you’re happy with closures and callbacks and anonymous data structures/subroutines etc, when actually quite a lot of perl programmers are frightened even of references.

Recently however quite a few people have been writing ::Simple modules aimed at providing a large subset of the functionality wrapped in an easy interface. I’d have liked to have seen a few talks on this sort of approach, possibly with a BOF for people who are interested in not just providing the sorts of Power Tools that let other developers do amazing things, but providing a nice learning curve into them. (This doesn’t have to just be aimed at beginners: Damian could easily have done a bit on Filter::Simple and Attribute::Handlers which took exactly the same approach at a more advanced level…)

Doing More With Less Hassle

Even advanced and experienced Perl programmers spend a lot of time doing monotonous tasks again and again. Joel Spolsky explained in a recent article why he was moving Fog Creek gradually to .NET. One of the reasons he gave was that: “All the grungy stuff that takes 75% of the time creating web applications with ASP (such as form validation and error reporting) becomes trivial. ASP.NET is as big a jump in productivity over ASP as Java is to C.” What are the Perl equivalents of this?

Doing More With Less Time

One of the things I’ve found when building applications (usually web-based, but not always), is that most of the “heavy lifting” has been done before, and released to CPAN for me, saving me huge amounts of time. I still have to write a lot of glue code though, tying all these things together. And I know that lots of people have probably written almost identical (but probably much better) glue before me. I’d have liked to have seen some people talking about how they tie lots of packages together: perhaps a “How to Build a $20,000 website in an afternoon” session – my version would have been on how to tie Class::DBI, Template::Toolkit, CGI::Untaint, Class::DBI::FromCGI, Date::Simple and Spreadsheet::ParseExcelSimple together to provide a database-backed website based on information supplied by a client in Excel files. But I’d like to hear other people’s equivalents.

Doing More With Less Power

I don’t really mean the “political” power question here (“My company is moving most of its development to Java / C# / whatever. I know I can get work done ten times faster in Perl – what should I do”), although that could be interesting too.

Instead, I’m talking about things like The Fractional Horsepower Webserver. Jon Udell presented a wonderful paper at TPC 2 (1998) on a desktop HTTP server that ran a distributed contact manager application. 4 years on, with desktop servers on the rise again, and peer to peer much more commonplace, what’s happening in this area?

For years the Perl world has been great at writing (unix) server based applications, but relatively poor at writing (windows-based) desktop applications. As the two continue to coalesce what great Perl-based desktop applications are being written using a local web-browser as their front end?

Clockwork Orangemen

April 12th, 2002 No comments

A few years ago, when BlackStar was at the height of its success, I was on a trade mission to Boston and Pittsburgh with a variety of other local business people, artists and dignitaries – including Sammy Wilson. At one point the official photographer of the event decided that it would be good to get a photograph of myself with Sammy – something to do with East Belfast, IIRC.

I jokingly asked if he would keep his clothes on for it, and was strenuously warned not to let him overhear me making comments like that, as he still got really annoyed at such things. So I was quite amused whilst driving down the Short Strand a few days ago to notice a recently painted Sinn Féin mural with a delightful Sammy Wilson image.

The above site shows photographs of lots of great Belfast murals.

I really like Clockwork Orangemen. And it’s pity that Lesbians Are Everywhere isn’t actually real.


Meta Googlebombing

April 12th, 2002 No comments

Whilst checking my referer log, in relation to my previous post, I discovered that I currently have the top match on Daypop for “Google Ranking”.

I wonder if my linking back to it means that it could take over that position itself…


Blogging Replies

April 12th, 2002 No comments

Andrew wants to know how you know who’s replying to your weblog posts.

I’ve found that people take two main approaches. Some people email you, either to discuss your post, or, most often, to point you to the response they’ve written in their blog. Others just link to you, and wait for you to find out through your refer(r)er logs.

Emailing seems to almost go against the spirit of “conversation via weblog”, but I’m not sure that the “find me through your logs” approach isn’t a little too subtle.

Hmmm … can I access previous days’ referer log entries in Radio? Must investigate…


Tainted SOAP

April 10th, 2002 No comments

Jon Udell says that “I’m sure Paul Kulchenko will soon fix the SOAP::Lite vulnerability that was just noticed.”

This is quite a strange tale. It was discussed on the Perl-5-Porters list back in December. At that time the discussion centred less on SOAP than on why Perl’s taint mode didn’t help.

For those that don’t know, this feature tells the language not to trust any data received from the outside world unless the author has taken steps to verify that that information is safe (usually through a regular expression, although there are a variety of tools that can help with the monotony of this).

Several orthogonal issues arose out of this. Firstly, in a language as dynamic as Perl, what exactly should you check? In this case the problem is down to resolving method calls at run-time based on possibly unsafe data, whereas previously taint had been used more for areas like I/O and executing other arbitrary programs.

Secondly, and more importantly IMO, a change arose (not directly out of this but around the same time), to help with the gradual migration to taint-safe code. One of the areas in which taint mode is most useful, and most important, is in web programming. When your forms are taking input from the big bad web(tm) you need to be very sure of what you’re doing with that information. But, if you’re running under mod_perl, taintedness is very much an ‘all or nothing’ across your entire application.

This causes problems if you come in late to a project that isn’t running in taint mode. It’s very difficult to bootstrap your way back into safe territory. You can attempt to migrate your code to a taint-safe approach (and abstracting all input processing to using a tool like that described earlier can help greatly with this). But you can’t actually turn taint on until you’ve found every last unsafe construct without risking your entire application blowing up at run-time (trying to do something unsafe with an unchecked tainted variable throws a fatal exception).

This issue has come up many times on the perl internals list, and it generally generates a lot of heat. Proponents of the current system point out that if you haven’t closed every possible problem case then your entire application can blow up in even more dangerous ways at run time anyway – you’re just relying on no-one else finding the holes before you. People in precisely this situation, on the other hand, would point out that they’d like to move to a truly safe environment, but without being able to turn taint on an area at a time, it’s a very difficult path to take.

This time around however, we got a result. Larry Wall blessed the idea of taint warnings. From version 5.8 you will now have the ability to turn on a taint pragma which warns rather than dies when you attempt to do something potentially unsafe. In most cases this should alert you to the hole before someone passes something actually unsafe through it. So now (or at least soon, if you don’t run bleadperl), you can turn that on everywhere, watch for warnings, and when you’re comfortable that you should be clean, turn full taint mode on.
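To make the verify-then-use discipline above concrete, here is an added example (my own script, not code from the post, from SOAP::Lite or from perl itself). It assumes a hypothetical “report name” supplied from outside the program, a regular expression policy of my choosing, and /tmp standing in for the application’s report directory. Run it as perl -T untaint.pl march-2002 to see the fatal check, or with perl -t (the warn-instead-of-die switch that arrived with 5.8) to see the same check reported as a warning, which is the migration mode the post describes.

```perl
# Added example: untainting one piece of outside input under Perl's
# taint mode, and showing what happens to the unchecked value.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# ${^TAINT} is 1 under -T, -1 under -t (warnings only), 0 otherwise.
die "run this with perl -T (or perl -t) $0 REPORT_NAME\n" unless ${^TAINT};
print "taint mode: ", (${^TAINT} == 1 ? "fatal (-T)" : "warn only (-t)"), "\n";

# Taint mode also insists on a trusted PATH before any external command
# could run, so set it explicitly rather than inheriting it.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed input: a report name as a web form might supply it.
# Under -T, @ARGV (like %ENV and STDIN) arrives tainted.
my $raw = shift @ARGV;
die "usage: perl -T $0 REPORT_NAME\n" unless defined $raw;
my $dir = '/tmp';   # assumption: stand-in for the report directory

# The verification step the post describes: a regular expression whose
# capture is the only thing allowed through. Anything that does not match
# is rejected outright rather than "cleaned up". The pattern is my policy,
# not a general-purpose one: letters, digits, '_' and '-', at most 32 long.
sub untaint_report_name {
    my ($value) = @_;
    return unless defined $value;
    return $1 if $value =~ /\A([A-Za-z0-9_-]{1,32})\z/;
    return;
}

printf "raw input tainted:    %s\n", tainted($raw) ? 'yes' : 'no';

# The unchecked path: unlink with a tainted name is an "Insecure dependency".
# Under -T it dies (caught here by eval); under -t it only warns.
my $ok = eval { unlink "$dir/$raw.txt"; 1 };
print "unchecked value refused by perl: $@" unless $ok;

# The checked path: only the regex capture reaches the filesystem.
my $name = untaint_report_name($raw)
    or die "refusing unverified report name '$raw'\n";
printf "checked value tainted: %s\n", tainted($name) ? 'yes' : 'no';

my $path = "$dir/$name.txt";
open my $fh, '>>', $path or die "open $path: $!\n";
close $fh;
unlink $path;
print "wrote and removed $path\n";
```

The point of the regex is that it states what is allowed, not what is forbidden: a name such as march-2002 passes and comes out untainted (Scalar::Util::tainted reports it), while anything carrying a slash or a dot is refused before it can reach the filesystem. Under -t the unlink on the raw value goes ahead with only a warning, which is exactly the signal the post suggests watching for during a migration.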

However. No-one then went back to the original problem. The SOAP::Lite problem remained. Possibly no-one ever told Paul about it. And then it raised its head again this week, 4 months later.

Jarkko, the current pumpking, had a wonderful response:

While it’s true that Perl strives to give you enough rope I sometimes wonder was it morally right to buy a whole sisal plantation.

This time, the loophole has been closed.

The story provides an interesting take on the open source approach to security. When everything comes together properly, as has often been pointed out, security works well. Holes can be closed quicker than the equivalent closed source world. But things don’t always come together properly, and attention can very easily be diverted elsewhere. Of course that “elsewhere” can often be very useful too :)


NewsWiki

April 9th, 2002 No comments

Over at NewsIsFree, they’ve picked up on my wiki-rants and made an interesting suggestion:

If NewsIsFree was more of community … I’d like to launch a NewsWiki, a wiki where people could link and organize news items gathered from all our feeds … Maybe I’ll do it anyway!

Sounds great to me!


The Interpretation of Matthew

April 7th, 2002 1 comment

I picked up a copy of The Interpretation of Matthew recently. It’s a compilation of some of the most important articles on Matthew written over the past century – many of which had never been available in English translation before.

The first article, by Ernst von Dobschütz from 1928, predating the rise of redaction criticism, focuses on the changes that Matthew made to Mark, adding many phrases numerous times. (He notes the use of “and it happened, when Jesus had finished these sayings” to conclude each of the five passages of sayings, but doesn’t draw any parallel to the Pentateuch. I must investigate when this idea arose…)

He then goes on to posit that Matthew had obviously undergone rabbinic schooling – probably under R. Jochanan ben Zakkai who was also fond of reciting Hosea’s “I desire mercy and not sacrifice” to console his disciples after the loss of the Temple.

This ties in quite neatly with another book I’m reading at the minute: Harvey Falk’s Jesus The Pharisee. In it he argues that in the ongoing battle between the two Pharisaic camps of Bet Shammai and Bet Hillel, Jesus, and later Paul (who trained under Gamaliel, Hillel’s grandson), were followers of Hillel, attempting to spread knowledge of the seven Noahide commandments to the Gentiles.

In Northern Ireland, of course, all Jews still have to be either Protestant or Catholic. The concept that Paul, Matthew, or Jesus would have been Jewish isn’t one that comes naturally to most people. Even though I’ve theoretically studied this stuff I really don’t know enough about it all. Guess it’s time to get that university library associate membership…


Drag and Drop redux

April 6th, 2002 No comments

It seems that each of the various drag and drop event handlers only knows about either the object being dragged, or the area into which it’s being dropped. Not both. This means that when dropping an object its receiver can’t know what’s arriving.

There is a dataTransfer object that can be seen by both ends, which acts as a clipboard onto which you can paste relevant information: but seemingly only either text or a URL (presumably for dragging text or images respectively) – not the object itself.

This means I’ve had to resort to the terrible hack:

  // IE-era drag and drop: the global `event` object is all each handler
  // sees. ondragstart on the movable element: stash the element's id as
  // the "Text" payload and a private URL as a marker meaning "this drag
  // was started by us".
  function makeMovable() {
    event.dataTransfer.setData("Text", event.srcElement.id);
    event.dataTransfer.setData("URL",  "http://ok/");
  }

  // ondrop on the receiving area: bail out unless the drag is one of ours.
  function dropItem() {
    if (! isMovable()) return;
    ...
  }

  // Accept only drags whose marker URL matches and that carry an id. Text
  // dragged from an ordinary link sets both formats too, which is why a
  // plain "both present" check is not enough.
  function isMovable() {
    return ((event.dataTransfer.getData("URL") == "http://ok/")
      && event.dataTransfer.getData("Text"));
  }

[I tried just setting both and making sure both were set, but text dragged from an href has both set already :( ]

This can’t be the best way to do this.
