On Thursday I presented remotely at RubyFest about MacRuby. I put together a 30 minute video and short demo app.
Download MacRuby Presentation at RubyFest, 46 MB
I'm also putting the final tweaks on a MacRuby screencast at PeepCode, prepared by Alex Vollmer with technical review by Laurent Sansonetti. Look for it on Monday!
NOTE: The full tutorial screencast is now available here: PeepCode Meet MacRuby
PeepCode Screencasts Learn Ruby on Rails and Javascript! Hour-long screencasts for $9.
The first question most people ask me about PeepCode Screencasts is How many employees do you have?
Maybe it's a more polite way of asking "What was your gross revenue for the most recent fiscal quarter?" At any rate, I now have something to tell them.

Two weeks ago, I started a collaboration with Dan Benjamin. He will be working half time at PeepCode, hopefully moving to full time in the near future.
Dan has made a name for himself many times over. He developed the CMS for A List Apart, the authoritative online magazine for people who make websites. He developed and sold Corkd, a social wine review website. And he's a perfect fit for PeepCode, given his multimedia and business experience starting The Talk Show with John Gruber and the Tack Sharp podcast with James Duncan Davidson. He also runs a popular blog at Hivelogic.
Dan is one of the most connected people I know, and I wouldn't be surprised if he is only two degrees away from Kevin Bacon. So I'm especially flattered that he wanted to work with me. However, he is available for part-time consulting in the meantime, so contact him now if you want to work with him while he's still on the market.
April Sale!
What does this mean for PeepCode? New ideas. A better workflow. More content!
In two weeks we've already refined parts of the PeepCode screencast production workflow in ways that will make it easier to work with other authors and keep the quality top notch.
For you it means an April sale! Get a year of PeepCode for only $129 (save $20). Or get one free credit with a 5 pack.
If you're an existing Unlimited subscriber, you can renew or extend your subscription at any time for only $109.
"And with my handheld portable all-purpose lightweight doohickey I fuse thoughts and try not to be too picky." (Buck65)
"I'm personally offended that you enjoy the software you work with ;)" (al3x)
Update: Full 60-minute screencast now available at PeepCode!
A few weeks ago I decided to try out Emacs. I wasn't especially dissatisfied with TextMate, but I felt that I had neglected to educate myself about a major part of computer science history. Somewhat like a DJ who has never heard Grandmaster Flash (who purportedly invented much of the hardware used to create music with multiple turntables), I felt that I needed to try out one of the classic text editors still used by many today.
My history with text editors over the last 10 years goes something like:
- BBEdit
- vim (for about 6 months)
- Smultron
- TextMate
Screencast
I've assembled a short screencast of my initial impressions:
Initial Impressions
The Good Stuff
Here's a short list of what I'm enjoying about it so far:
- Efficiently keyboard driven. No need to use the mouse at all.
- Window splits for viewing multiple files (and shells) at once.
- Powerful editing.
- The ease with which one can work with dozens of files without getting confused.
- Super customizable.
- Easy to keep settings, snippets, plugins, etc. synchronized between desktop and laptop with Git.
- Quality plugins from the community.
- The "aha" moment when parts of code make more sense given the fact that Emacs was used by Matz, Ryan Davis, Nathan Weizenbaum, etc. to author them.
- That unidentifiable elitist feeling you get from using a tool that's too difficult or awkward for most people.
The Awkward Bits
- No GUI for preferences.
- Mac OS X integration is just barely good enough to get by. For example, I can't get Hide Others to work except by using the mouse.
- It's assumed that you'll do most work from within Emacs itself rather than piping text to it.
- Crashes when trying to switch color themes. This may be a problem with the color theme plugin I'm using.
- It's difficult to think about content and files instead of icons and buttons.
Getting Started
Installing, learning, and configuring Emacs is unfortunately not easy. I'm working on a PeepCode screencast with Phil Hagelberg that I hope to finish within the next few weeks. In the meantime, here are some resources I used to get started on Mac OS X:
- Install from Git mirror of the source
- See the nextstep/INSTALL file for Mac installation instructions.
- Phil Hagelberg's starter kit: Tremendously useful.
- My current config: Use at your own risk. Yes, I use a huge font size.
Useful Plugins
- yasnippet.el: TextMate-style tab trigger snippets with mirroring, defaults, etc.
- textmate.el: Provides tremendously useful keyboard shortcuts for TextMate switchers. I've modified it to work with my setup.
- magit: Git integration.
See Also
- Full 60-minute screencast now available at PeepCode!
- Alex Payne on the flight to old text editors
- Phil Hagelberg on learning Emacs: Plus links to other blog articles about recent adopters
And a word from our sponsor
New hot-selling PeepCode Screencast authored by Lars Pind.
"This is the way the world ends / Not with a bang but a whimper." (T. S. Eliot)

BIBERACH, GERMANY: Late last week, Christian Neukirchen's influential tumblelog Anarchaia breathed its last.
Anarchaia took the well established blog form and turned it into a multimedia stream of consciousness featuring photographs, poetry, lyrics, and links. Topics ranged from the merely curious to the highly technical. It maintained the same visual theme throughout its lifespan, which saw a half-dozen posts almost daily.
The term tumblelog was coined in mid-2005 by Why the Lucky Stiff on his RedHanded blog.
Anarchaia also inspired the popular projectionist tumblelog, which launched a few months later. Entire startups were subsequently built around the form.
It is survived by Christian Neukirchen's other projects, Rack, test/spec, bacon and his own blog. There are rumors that it has already been reincarnated as Trivium.
"I've had to rely at times on silence and on talking quick / Defending myself with nothing but my walking stick." (Buck65)
Here are nine easy tips that will help you communicate better at your next conference.

Dan Grigsby's presentation at RubyFringe was an intentional example of this. All the titles were at the top, with humorous stock photos below.
Keep it in the top third, if possible.

Giles Bowkett is such an entertaining speaker that people once skipped the first 20 minutes of lunch to hear the remainder of his presentation at RubyFringe (which involved more than 400 slides).
He also used only the typefaces included with Mac OS X, including Futura Condensed Medium and Condensed ExtraBold, which work really well in bright colors on black. So even if you don't choose to buy a single typeface, you can assemble a great-looking presentation.
- Giles Bowkett Videos Start 5 minutes in to see the slides.

It's easy with either:
Copy as RTF: A TextMate plugin. You can paste the syntax-highlighted text and even edit it afterward in Keynote.
pygments: A command-line syntax highlighter written in Python. It's used at GitHub to emit HTML but can also emit RTF from any source file. The resulting rich text can be pasted into Keynote:
    pygmentize -f rtf -o out.rtf code.rb
Choosing just the right transition can soak up a lot of time and adds absolutely nothing to the content that people remember afterward.
Dan Grigsby also noted that transitions and multi-step builds make it difficult to go back and forth in the presentation since you have to wait for the transition to finish. Unless

Useful Keynote shortcuts (while the presentation is playing).
- / : Show a list of keyboard shortcuts.
- H : Pause the presentation and go to the last used application (useful for demos). Command-Tab back to Keynote to resume the presentation.
- = or - : Show a thumbnail menu that can be used to jump forward or backward to a specific slide. Use the arrow keys to select and the Enter key to jump.
- B : Pause and show a black screen.
I love live coding but often it goes awry, creating an awkward situation for both the presenter and the audience.
Give yourself some insurance and either record a short screencast that you can narrate during the presentation, or take screenshots that you can refer to.
Extra Credit!

If you're speaking at a conference, you're probably doing it to promote yourself, your projects, or your business. Make it stick in people's minds by distinguishing yourself with a color scheme and a typeface that communicate the attitude you want to be remembered for.
Choose a color scheme and use it for all your presentations. Ideally, it would be the color scheme of your company or personal blog. If you've paid for a corporate identity, use it!
Resources
- Color Burn Widget: A Mac OS X Dashboard widget with a new color scheme every day.
- ColourLovers.com: Tons of color combinations for every attitude.

Again, buy a typeface and use it on your blog and in your presentations.
They're not as expensive as you might think! You can get a single font for $20.
Here are some nice condensed ones as mentioned above:
Or try these shops:

I saved my favorite for the end.
A presentation remote gives you the freedom to step away from the lectern and talk directly to the audience. The remote that comes with Mac laptops doesn't count! It only works if you have a direct line of sight to the infrared receiver on the front edge of the laptop.
A radio frequency transmitter works much better. The Kensington Presentation Remote can be bought for about $40. It works out of the box without the need to install any drivers, and its less distracting than phone-based options.
See you in Berlin!
I'll be in Berlin at RailsConf starting this Sunday. Find me and get a free PeepCode t-shirt!
Doing Test Driven Development (TDD) effectively is not something that comes easy, even when you're working with a well structured Rails application. Up until March of this year there really was no guide I could recommend for developers who wanted to learn TDD with Rails.
What happened in March? Noel Rappin released his Rails Test Prescriptions PDF guide. You can start out by reading his FREE 84-page Getting Started With Rails Testing PDF guide, and then maybe upgrade to his $9, 286-page guide, which covers advanced topics like creating test helpers, stubbing, mocking, and even how to use factories, shoulda, rspec, and cucumber.
Noel is a great teacher providing examples that are really easy to follow and code downloads if you want to try writing tests on your own. So if youre not doing testing yet or you want to learn some best practices, definitely check out Rails Prescriptions.
It's also worth mentioning that Noel has posted some pretty interesting blog posts on the Rails Prescriptions Blog going over a few testing topics, and even some testing interviews with developers like Chad Fowler, James Golick, Ryan Bates, and Mike Gunderloy. Lastly, I can't talk about Noel without mentioning his contributions to the Pathfinder blog; I'm a big fan of his blog posts.
After reviewing the feedback on the two recent security announcements, we've made a few minor changes to the Ruby on Rails security policy.
The first change we've made is to include more information on what to do if you don't receive a response from the security team. In general, reports to the security address should receive a response within 24 hours; however, the sheer volume of spam to the address can, and has, led to messages being caught in spam filters. In the event you don't receive a response, there are now two direct email addresses for the people currently looking after security reports. That page will be kept up to date as responsibilities are reassigned.
The second change is to more clearly outline the announcement policy for Rails vulnerabilities. In short, we notify vendor-sec ahead of the public notification to allow time for people distributing Rails to prepare packages for their distributions. Then, when the time has come for public notification, an email is sent to the security announcement list. Finally, the announcement is posted to this blog.
The security announcement list is extremely low volume and you are strongly encouraged to subscribe to it. This is the place which receives the first public announcements of all vulnerabilities in Rails, and it also tends to receive additional notifications about vulnerabilities in Ruby itself. We've been using this list for several years, but judging by the confusion and misinformed comments following the announcement of CVE-2009-1904, not enough people were aware of its existence.
If you have any comments on the security policy, please send them via email to security@rubyonrails.org.
This week Im happy to tell you about a new set of articles which will be appearing here on the Rails blog called Community Highlights. This new series will feature people/projects/sites from the Rails community that may deserve a little extra recognition.
This week, were going to start with a few people who received awards on stage at Railsconf 2009, this years Ruby Heroes.
Brian Helmkamp

His Blog: http://www.brynary.com/ Twitter: brynary
Aman Gupta

Github: http://github.com/tmm1
Twitter: tmm1
Luis Lavena

His Blog: http://blog.mmediasys.com/ Twitter: luislavena
Pat Allan

His Blog: http://freelancing-gods.com/ Twitter: Pat
Dan Kubb

Github: http://github.com/dkubb
Twitter: dkubb
John Nunemaker

RailsTips: http://railstips.org/
Twitter: jnunemaker
Those are your six Ruby Heroes for 2009. If you're interested, you can also watch a video of the award ceremony, which talks more about the methodology of how they were chosen, and see five of these guys receive their awards on stage at Railsconf 2009.
A Denial of Service vulnerability has been found and fixed in Ruby. The vulnerability is due to the BigDecimal method mishandling certain large input values, which can cause the interpreter to crash. This could be used by an attacker to crash any Ruby program which creates BigDecimal objects based on user input, including almost every Rails application. This vulnerability has been assigned the CVE name CVE-2009-1904.
For upgrade instructions and information on affected Ruby versions, please see the Ruby security team's announcement.
All users are advised to upgrade their Ruby installations immediately to avoid this problem. In the event that you are unable to upgrade your Ruby installation, or are using an out-of-maintenance Ruby version, there is a workaround available on GitHub. You can either install it as a gem, or simply copy the file bigdecimal-segfault-fix.rb into config/initializers of your Rails application.
NOTE: this workaround breaks valid formats supported by BigDecimal, users should not rely on this fix for an extended period of time but should instead immediately begin planning a migration to a supported ruby release.
The upcoming Rails 2.3.3 release will include some minor mitigating changes to reduce some potential attack vectors for this vulnerability. However these mitigations will not close every potential method of attack and users should still upgrade their ruby installation as soon as possible.
Thanks to Jose Fernández for reporting the vulnerability to the Rails security team, and to the Ruby security team for confirming the nature of the bug and handling the release process.
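The advisory above recommends a workaround that rejects crafted input before it reaches BigDecimal, at the cost of also rejecting some valid formats. The following is an added example of that pattern, written for this page rather than taken from the advisory or from the GitHub workaround it links to: an allow-list check on untrusted decimal strings that is applied before BigDecimal() is called. The length and exponent bounds (MAX_INPUT_LENGTH, MAX_ABS_EXPONENT) and the helper names are assumptions for the illustration and should be tuned to the values an application genuinely needs.

```ruby
require 'bigdecimal'

# Bounds chosen for this example (assumed, not from the advisory). Anything
# outside them is rejected before BigDecimal() ever sees the input.
MAX_INPUT_LENGTH = 64
MAX_ABS_EXPONENT = 1_000

# Allow-list for untrusted decimal strings: optional sign, digits with an
# optional fraction, optional exponent (captured in group 1). This is
# deliberately narrower than what BigDecimal() accepts (no "Infinity",
# "NaN", whitespace or digit separators), which is the same trade-off the
# advisory warns about for its workaround.
DECIMAL_PATTERN = /\A[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE]([+-]?\d+))?\z/

# Returns nil when the input is acceptable, otherwise a short reason string.
def rejection_reason(input)
  return "not a string" unless input.is_a?(String)
  return "too long" if input.length > MAX_INPUT_LENGTH
  m = DECIMAL_PATTERN.match(input)
  return "malformed decimal" unless m
  exponent = m[1]
  return "exponent out of range" if exponent && exponent.to_i.abs > MAX_ABS_EXPONENT
  nil
end

def accepted?(input)
  rejection_reason(input).nil?
end

# Parse an untrusted string into a BigDecimal, raising ArgumentError for
# anything the allow-list refuses instead of handing it to the parser.
def safe_bigdecimal(input)
  reason = rejection_reason(input)
  raise ArgumentError, "rejected BigDecimal input (#{reason})" if reason
  BigDecimal(input)
end
```

In a Rails application of the period this would sit in a model or a small helper wrapped around every BigDecimal(params[...]) call; the point is that the decision to reject is made on the string's shape and bounds, so the parser only ever receives values already known to be within what the application can represent.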
A security problem has been reported with the digest authentication code in Ruby on Rails. This vulnerability can allow users to bypass your password protection. It has been publicly disclosed on several websites; users are advised to take the mitigating steps described below immediately.
The issue comes from the handling of the block passed to authenticate_or_request_with_http_digest. This block must return the user's password in the clear, or the user's HA1 digest (the MD5 of username:realm:password used by HTTP Digest authentication). Unfortunately the documentation was unclear on this, and the examples cited would return nil if the user was not found. The correct behaviour if the user doesn't exist is to return false.
If the return value was nil, Rails proceeded to verify this value against the response provided by the client. Because of this, an attacker can provide an invalid username and no password and authentication will succeed.
Fixed Versions
We have altered the behaviour of the relevant code to make nil an authentication failure. This fix has been pushed to 2-3-stable and will be present in 2.3.3, due to be released in the next few days. All versions of edge Rails after commit 1ad57cfe2fbda58439e4b7f84008ad23bc68e8b0 contain the fix.
Steps to Protect your application.
Users can protect themselves without upgrading by simply ensuring that their authentication blocks never return nil. To take an example from the documentation:
    authenticate_or_request_with_http_digest(REALM) do |username|
      USERS[username]
    end
should instead be something like:
    authenticate_or_request_with_http_digest(REALM) do |username|
      USERS[username] || false
    end
Disclosure Notes
Due to communication difficulties and a misunderstanding between the reporter and the security team, this vulnerability has been publicly disclosed on several websites; users are advised to update their applications immediately. Steps are being taken to ensure that the security email is more reliable in the future. We regret the nature of this disclosure and will endeavor to ensure it doesn't happen again.
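To make the digest authentication bypass above concrete, here is an added example that is not part of the advisory and not the Rails implementation: a stand-alone, simplified RFC 2617 digest verifier (MD5, no qop) in the same shape as the check described, with a vulnerable variant that feeds the password block's result straight into the digest computation and a fixed variant that treats nil or false as a failure first. The realm, user table, nonce and request values are constructed fixtures for the demonstration. The bypass works because Array#join stringifies nil to "", so the server ends up computing the response for an empty HA1, which the attacker can compute too.

```ruby
require 'digest/md5'

# Constructed fixtures for this demonstration (not from the advisory).
REALM = "Application".freeze
USERS = { "alice" => "wonderland" }.freeze   # username => clear-text password
NONCE = "constructed-nonce-0001".freeze

# RFC 2617 response (no qop) exactly as a client computes it from HA1.
def digest_response(ha1, nonce, http_method, uri)
  ha2 = Digest::MD5.hexdigest("#{http_method}:#{uri}")
  # Array#join calls to_s on every element, so a nil HA1 silently becomes "".
  Digest::MD5.hexdigest([ha1, nonce, ha2].join(":"))
end

# HA1 per RFC 2617 for a user whose clear-text password is known.
def ha1_for(username, password)
  Digest::MD5.hexdigest("#{username}:#{REALM}:#{password}")
end

# The block may return either a clear-text password or an HA1, so both
# interpretations are tried, as the advisory describes.
def response_matches?(creds, password)
  [true, false].any? do |password_is_ha1|
    ha1 = password_is_ha1 ? password : ha1_for(creds[:username], password)
    digest_response(ha1, creds[:nonce], creds[:method], creds[:uri]) == creds[:response]
  end
end

# Vulnerable shape: whatever the lookup block returns is used as-is.
def vulnerable_verify(creds, &password_procedure)
  response_matches?(creds, password_procedure.call(creds[:username]))
end

# Fixed shape: a nil (or false) lookup result fails before any digest is
# computed, so what the failure value stringifies to no longer matters.
def fixed_verify(creds, &password_procedure)
  password = password_procedure.call(creds[:username])
  return false unless password
  response_matches?(creds, password)
end

# Attacker: unknown username, no password, response forged with an empty HA1.
def forged_credentials
  { username: "nobody", nonce: NONCE, method: "GET", uri: "/secret",
    response: digest_response("", NONCE, "GET", "/secret") }
end

# Legitimate client for alice.
def legitimate_credentials
  { username: "alice", nonce: NONCE, method: "GET", uri: "/secret",
    response: digest_response(ha1_for("alice", USERS["alice"]), NONCE, "GET", "/secret") }
end

# The two lookup blocks from the advisory: the documented one returns nil
# for an unknown user, the corrected one returns false.
LOOKUP_AS_DOCUMENTED = ->(username) { USERS[username] }
LOOKUP_CORRECTED     = ->(username) { USERS[username] || false }

def demo
  {
    bypass_with_nil:      vulnerable_verify(forged_credentials, &LOOKUP_AS_DOCUMENTED),
    blocked_by_false:     vulnerable_verify(forged_credentials, &LOOKUP_CORRECTED),
    blocked_by_nil_check: fixed_verify(forged_credentials, &LOOKUP_AS_DOCUMENTED),
    alice_still_works:    fixed_verify(legitimate_credentials, &LOOKUP_AS_DOCUMENTED),
  }
end
```

Running demo shows the four cases side by side: the documented block plus the vulnerable verifier lets the forged request through, while either the `|| false` workaround or the nil check in the verifier rejects it, and a genuine user still authenticates. The fixed verifier rejects any falsy lookup result before touching the digest rather than relying on how a particular failure value happens to stringify, which is the more robust of the two mitigations.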
The combination of Pitt and Soderbergh and Lewis wasn't enough to keep the Moneyball movie afloat...Sony canceled it "days before shooting was to begin".
Accounts from more than a dozen people involved with the film, who spoke on the condition of anonymity to avoid damaging professional relationships, described a process in which the heady rush toward production was halted by a studio suddenly confronted by plans for something artier and more complex than bargained for.
Sony was probably looking for something more BIG RED TEXTish.
Ben Fry just updated his interactive salary vs performance graph that compares the payrolls of major league teams to their records. Look at those overachieving Rays and Marlins! And those underachieving Indians, Mets, and Cubs!
Things will be significantly slower than usual around here this week...I am on vacation. Aside from some sporadic updates, I'll see you next week.
From Joseph Clarke in Triple Canopy, a comparison of the histories of the American megachurch and corporation.
Lakewood and America's twelve hundred other megachurches -- congregations that draw between two thousand and fifty thousand people per weekend -- are not simply vast machines for passive spectatorship. Sunday services are convergences of worshipers who spend their weeknights at prayer groups, Bible studies, ministries, and missionary training sessions. Successful megachurches are like well-run companies, with intricate corporate structures devised to keep each member personally engaged; their pastors are like chief executives, maximizing the productivity of laborers in the evangelism enterprise. Jumbotron notwithstanding, the architectural and organizational tropes of the megachurch are best compared to those of the modern white-collar workplace.
Anemone is a free, multi-threaded Ruby web spider framework from Chris Kite, which is useful for collecting information about websites. With Anemone you can write tasks to generate some interesting statistics on a site just by giving it the URL.
Its only dependency is Nokogiri (an HTML and XML parser). Other than that, you just need to install the gem to get started using Anemone's simple syntax which, among other things, allows you to tell it which pages to include (based on regular
Integrity is a simple and lightweight Continuous Integration server written in Sinatra (a DSL for quickly creating web-applications in Ruby). When commits are pushed to a Git repository, Integrity builds, runs tests, and reports the build status to each team member. It supports a variety of notifiers including Email, IRC, and Twitter.
When it comes to developing large projects with multiple team members, its common nowadays to set up a Continuous Integration (CI) server. CI is a development practice where developers combine their
MongoDB is a high-performance, open source, schema-free, document-oriented database written in C++. It's sort of a cross between scalable key/value stores and traditional functionality-rich relational databases.
MongoDB might be useful as a fast, simple, non-transactional data store for a web application, or as a caching mechanism. You don't ever need to worry about migrations due to Mongo's schema-less nature.
Getting started with MongoDB using Ruby is now fairly straightforward thanks to the Mongo Ruby driver. This provides access to the core Mongo
The Interactive Ruby Shell (irb) and the Rails console are great for interacting and experimenting with your ruby application code, but sometimes it's hard to visualize the output. Gabriel Horner has come to the rescue with Hirb: a 'mini view framework' for irb which is designed to improve the default output to make it more human-readable.
Hirb does this by formatting console output according to its type, and paging if there's more than a screenful to display. For example, Hirb will automatically display
The latest installment of the series of posts crammed with random Ruby links, articles, and resources to kick off your week!

17 High Quality Videos from GoGaRuCo
Earlier this month, the videos from the GoGaRuCo (Golden Gate Ruby Conference) conference that took place back in April went online. The talks are all available in MPEG 4 video and MP3 audio formats. Video and audio quality are really good overall (no annoying humming or reverb that often plague such undertakings).

by Dan Benjamin, System Developer of A List Apart.
Bonus PDF by Casimir Saternos.
This screencast is for you if you've never used the Unix command line, or are learning it for the first time.
Navigating a text-based terminal can be intimidating at first, but experienced developer and systems administrator Dan Benjamin introduces it smoothly, one concept at a time, whether you're currently using Windows, Mac OS X, or Linux.
In this 70-minute screencast you'll learn about the basic assumptions of Unix, how to look for help, and how to confidently work with files, directories, and programs. Also included is a bonus 60-page PDF reference guide!
This screencast covers:
- The Unix OS
- Tips & Gotchas
- Getting Help
- Terminal Clients
- Downloading the Samples
- Installing the Developer Tools
- Elements of the Prompt
- File Paths
- Arguments & Flags
- Listing Files
- Changing Directories
- Pipes & Redirection
- Archiving & Compression
- Delete, Copy, Move
- Managing Directories
- The Superuser
- Permissions
- Remote Control
- Transferring Files
- Conclusion
Most PeepCode screencasts assume that you know how to navigate the filesystem and issue commands. Most open source projects such as Ruby on Rails require similar knowledge as well. Watching this screencast will equip you to operate the command line confidently!
A future screencast in this series will cover more advanced command line topics for experienced developers.
Available to PeepCode Unlimited Subscribers or alone for only US$9!
by Alex Vollmer and Geoffrey Grosenbach
MacRuby takes the "almost" out of "almost a desktop experience." With MacRuby, you can write real Mac OS X desktop applications with Ruby.
MacRuby is a Ruby interpreter built by Apple on top of Objective-C. Unlike other scripting interfaces to the Cocoa frameworks, MacRuby objects are fully functional peers of Objective-C objects with no translation layer. This means that your Ruby applications can do almost anything a compiled application could do, and at near-native speed.
You'll build a functional Twitter client from scratch, learning about both Cocoa and MacRuby along the way. You'll design an application graphically with Interface Builder and learn about the major design patterns in Cocoa applications. You'll work with network resources, parse XML, and POST data back to the server, so you'll be ready to write your own web-enabled desktop applications.
This screencast covers
- What is MacRuby?
- The basic syntax of MacRuby
- What you need to know about Objective-C to write MacRuby apps
- Building a basic application
- How to learn Cocoa and read the documentation
- Submitting network credentials with HTTP Basic Auth
- Designing with concurrency in mind and avoiding the spinning beachball of death
- Displaying tweets in a table view
- One-step authentication
- Reloading tweets
- Posting to a REST-based web service
- Packaging the Application
Watching this screencast will give you a head start toward becoming familiar and confident with programming Cocoa applications on the Mac with Ruby!
A future screencast in this series will cover the still-in-development HotCocoa frameworks for MacRuby.
Available to PeepCode Unlimited Subscribers or alone for only US$9!
By Phil Hagelberg. Technical editing by Clojure creator Rich Hickey
Clojure is a dynamic functional programming language designed to be as approachable as scripting languages, yet harness the power of multi-core machines in the manner of more cryptic languages such as Erlang.
In this 65-minute screencast, Clojure expert Phil Hagelberg walks through the stages of building a multi-user text adventure game (code available). It's the perfect project to learn about the basics of Clojure while having a fun time doing it, too!
Youll learn:
- The basic concepts and syntax of Clojure
- How to write a basic multi-threaded echo server
- How to use the basic data structures, including thread-safety
- How to optimize with lazy collections
- Coordinating data across threads
- Unit testing
- Common idioms
- Packaging and release of your project
You've heard about functional programming. You want to write efficient programs that make the most of current hardware. This screencast is the place to start! You'll also learn about Lisp, one of the foundational programming languages of the modern computer era.
In addition, this screencast is the first to use a brand new post-production workflow from PeepCode, featuring informative motion graphics and animated diagrams! Check out the preview.
Available to PeepCode Unlimited Subscribers or as a single purchase for only US$9!
NOTE: A free 5-minute screencast on Clojure IDEs will be uploaded soon.
Screencasts are a great way to promote your product, educate your customers, or teach your co-workers. A screencast of your desktop, iPhone, or web-based product can quickly convince people to sign up for an account or purchase a copy. They're also a great way to promote your skills online as part of a screencast blog.
This 56-minute video reveals deep secrets learned over nearly 3 years of publishing PeepCode screencasts. You'll learn the bare basics of Apple's Final Cut Pro video editor so you can edit and export high quality screencasts.
It also presents scripts and other techniques for staging your screencast and getting consistent results every time.
Chapters include:
- Intro
- Plan: Directories
- Record: Placement, Capture
- Window & Title Scripts
- Static and Movie Export
- Edit: Preferences, Session, Speed, Freeze Frame, Watermarking
- Audio: Equipment, Post-Production, Export
- Export: Quicktime, Compressor, Multi-core
Available to PeepCode Unlimited Subscribers or as a single purchase for only US$9!
By Lars Pind of CoachTVBlog.
Email is both an indispensable and an inescapable part of our lives. Yet most of us either feel dread when checking email, or we use email as a distraction from more important tasks.
In this 45-minute presentation, accomplished entrepreneur and life coach Lars Pind presents a system that he has developed and taught to many people over several years. It combines ideas from GTD and Inbox Zero and adds other concrete strategies for facing up to your email and attacking it with a consistent plan.
If you don't have an email strategy, if you feel bogged down by the amount of email in your inbox, or if you want a better solution, help is on the way! View this screencast today and regain control of your email inbox!
Chapters include:
- Why?
- About the system
- Principles
- A scheduled activity
- Making the change
- Breaking the Addiction
- An exercise
- The Folders
- Checking email
- Gmail Tips
- A typical session
- Filters
- Now What?
- The other folders
- Getting Started
- Thats it!
- Sticking to it
- Summary
- Next steps
- Conclusion
Available to PeepCode Unlimited Subscribers or as a single purchase for only US$9!
Jun 23 2009
So far the only gotchas were that I was using the MySQL plugin and not the gem. I’ve since configured my Site5 account to use gems, so that’s not a problem, and I had a few outdated conventions that I fixed. I’m hoping that I got everything; I mean, after all, my tests passed, so everything should be fine! If you guys come across anything out of the ordinary, any error, anything, I’d love it if you’d please let me know.
Also, I’ve got 6 pounce invites if anyone still is looking for those. :)
I caught up with this thread on Joel’s discussion board today. We software developers will take any opportunity to rant about the bass-ackwards code we have to deal with on a regular basis. For passionate developers, it’s understandable that most code wouldn’t live up to our standards; only a select few projects have the amount of resources necessary to truly pursue perfection. Over time the exposure to imperfect code can condition us with an unfair knee-jerk reaction to new code.
How bad is the code really?
The world is full of terrible code. Usually that becomes painfully obvious at maintenance time. When an existing project is opened up for the first time by a new team member, I think the instinct is to see the flaws before the brilliance. What kinds of things make code stinky? Well it depends who you ask, but some possible reasons are:
- Unnecessary duplication of code (under-abstracted)
- Overly complicated code (over-abstracted or unnecessarily clever)
- Too many files/classes
- Giant monolithic classes
- Wrong design patterns applied
- Stupid algorithms
- Failure to use appropriate libraries or framework features (reinventing the wheel)
- Inconsistency (lack of conventions)
- Numerous obvious comments
- No documentation
Anyone who’s done their share of code maintenance has probably been annoyed by most of the things on this list at one time or another. “If only they had done it this way.” It’s easy to just assume the code sucks based on a first impression. Once you jump to that conclusion, every minor flaw affirms your prejudice.
Pet peeves
Let’s step back a minute and give ourselves an ego check. To an experienced developer there are hundreds of nuances that will stick out like a sore thumb, but they are likely to annoy you far more than they actually impact your productivity were you to consider them objectively.
If you’re not careful, your concern for the code boils over into judgement of the previous programmers. Maybe the last guy wasn’t up to snuff in this language, maybe his pet peeves were different, maybe he was just a blathering idiot. Whatever the case, why dwell on it?
I’ve managed to make it through a lot of bad code without slowing down much. Every once in a while a refactoring or straight-up delete and rewrite was necessary, but most of the time I was able to grit my teeth and get some changes done relatively quickly.
Real reasons code “sucks”
The problem facing you is likely to be different from what the last programmer faced. It would be foolish to assume that the software was designed with the same requirements that you have in front of you today. Who’s to say the business goals haven’t changed drastically since then?
You and the last developer have different information. Even after you’ve spent a lot of time on the code and understand all the intricacies and business goals, you still may not know the history of the project. Maybe the code has grown and shrunk and morphed into something completely different from when it started. If it’s time to refactor, maybe that’s your job.
It’s also quite possible that refactoring is not worth it. Good developers innately want maintainable and aesthetically pleasing code, but there is a cost. We can’t write perfect software before we understand it, and we can’t refactor without spending time. The developer is usually in a better position than the manager to assess the long-term cost of not refactoring, but he also has a vested interest in exaggerating that cost. To make a fair assessment, the developer must have a direct business interest. Even then there’s a great deal of uncertainty. It’s always a gamble.
Cognitive dissonance
Developers are conditioned to be right. Our job requires a fiercely logical thought process and the ability to make absolute assertions. Being wrong means things are broken, sometimes spectacularly so. And because we think so hard about things in this way, our conclusions are usually well-reasoned. But we are still human, and we still have the same defense mechanisms around our belief systems as everybody else. The insidious thing is that our reasoning blinds us to our own subjectivity. Our open-mindedness is a badge of pride, but also a set of subconscious blinders.
The only really objective thing about software is its output.
Software engineering is about making choices. Some choices are pragmatic (C++ for performance), some are philosophical (Ruby vs Python), but most are an intangible mixture of past experience and future expectations. When you see some code for the first time, the chances that it will mesh with your experience and philosophy are pretty slim. Eventually you may come to appreciate it for what it is, but in the meantime every tradeoff that didn’t follow your current line of thought will irk you.
Software is messy
None of this is to say that there aren’t real quality problems in the software industry; of course there are. But I think it’s worth carefully considering our own motivations and biases before judging how bad the problem really is.
We may not like dealing with inadequately-funded balls of mud, but that’s probably where most of the paying work is. Even in relatively clean code bases, reasonable people can disagree on style or architecture points. Regardless of initial code quality, there will always be difficult and inelegant maintenance that needs to be done. My goal is to keep emotion out of it, and just fix problems. Refactoring is great if a business case can be made, otherwise just slog through as fast as possible without complaining.
Easier said than done, I know.
A denial of service (DoS) vulnerability was found in the BigDecimal standard library of Ruby. Conversion from BigDecimal objects into Float numbers had a problem which enables attackers to cause segmentation faults.
ActiveRecord relies on this method, so most Rails applications are affected, though this is not a Rails-specific issue.
Impact
An attacker can cause a denial of service by making BigDecimal parse an insanely large number, such as:
BigDecimal("9E69999999").to_s("F")
Vulnerable versions
1.8 series
- 1.8.6-p368 and all prior versions
- 1.8.7-p160 and all prior versions
1.9 series
- No 1.9.1 version is affected by this issue
Solution
1.8 series
Please upgrade to 1.8.6-p369 or 1.8.7-p174.
- ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p369.tar.gz
- ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p174.tar.gz
Updates
- Ruby 1.8.7-p173 had a problem. If you have already downloaded it, please get a newer one. Ruby 1.8.6-p369 does not have this bug.
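Upgrading the interpreter is the fix. Until that is rolled out, the practical defense in an application is to never hand attacker-controlled strings straight to BigDecimal: validate the literal and bound its exponent first, so a value like the one in the Impact section above is rejected before parsing. The following is an added example written for this page, not the advisory's patch or code from the Ruby project; the regex, the byte and exponent limits, and the helper names are assumptions you should tune to your own inputs.

```ruby
require 'bigdecimal'

# Added example (not the advisory's fix): validate untrusted numeric
# strings before they reach BigDecimal, so that a pathological literal
# such as "9E69999999" is rejected up front instead of being parsed and
# later converted to Float.  All bounds and names below are assumptions.

class UnsafeNumberError < ArgumentError; end

# Plain decimal literal: digits, optional fraction, optional exponent.
# No whitespace, hex, or underscores.  Group 1 captures the exponent.
DECIMAL_LITERAL = /\A[+-]?\d+(?:\.\d+)?(?:[eE]([+-]?\d+))?\z/

MAX_INPUT_BYTES = 64     # assumed: longer strings are never legitimate here
MAX_EXPONENT    = 308    # assumed: about the decimal exponent of Float::MAX

# Returns a BigDecimal for well-formed, bounded input and raises
# UnsafeNumberError otherwise.  Checks run cheapest first, and the
# string is only passed to BigDecimal after it has cleared all of them.
def safe_big_decimal(str, max_bytes: MAX_INPUT_BYTES, max_exponent: MAX_EXPONENT)
  raise UnsafeNumberError, "expected a String" unless str.is_a?(String)
  raise UnsafeNumberError, "input too long (#{str.bytesize} bytes)" if str.bytesize > max_bytes

  m = DECIMAL_LITERAL.match(str)
  raise UnsafeNumberError, "not a decimal literal: #{str.inspect}" unless m

  exponent = m[1] ? m[1].to_i : 0
  if exponent.abs > max_exponent
    raise UnsafeNumberError, "exponent #{exponent} outside +/-#{max_exponent}"
  end

  BigDecimal(str)
end

# Wrapper for callers that want a Float and treat rejected or
# non-finite input as absent (nil) rather than as an exception.
def safe_float(str)
  f = safe_big_decimal(str).to_f
  f.finite? ? f : nil
rescue UnsafeNumberError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: two legitimate values, the advisory's
  # literal, an overflowing literal, and two malformed strings.
  ["1.25e3", "-0.5", "9E69999999", "1e400", "12abc", "0x1F"].each do |s|
    puts "#{s.inspect} => #{safe_float(s).inspect}"
  end
end
```

The exponent bound is applied to the written exponent, not to the final magnitude, so a literal such as "1000e308" passes validation and only becomes Infinity at the to_f step; safe_float treats that as a rejection. Keep the length check first, because a regex match and String#to_i on a multi-megabyte digit string are themselves a cheap way for a client to burn your CPU.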
Recently we had a welcome, historic development: maintenance stewardship of Ruby 1.8.6 moved from me (Urabe Shyouhei) to Kirk Haines of Engine Yard.
Ruby 1.8.6 was released in 2007, and the Ruby core team has provided support such as bug fixes and security alerts since then. As Ruby 1.8.6 became widely used, users asked us to extend that support for longer than we had originally planned. That was basically OK for us except for one thing: who was to do it. Engine Yard kindly came forward to do the job, and we have worked on moving the needed privileges from us to them. This announcement completes that process.
This does not affect current Ruby 1.8.6 users in the short run. Everything remains as it is. The users' benefit is that bug fixes and improvements for Ruby 1.8.6 will last longer than we announced before. I believe that is what everyone wants.
Ruby 1.9.1-p129 has been released.
This is a patch level release for Ruby 1.9.1. It fixes many bugs and two security vulnerabilities. Because this release contains security fixes, we recommend that all 1.9.1 users upgrade their Ruby.
New patch releases of Ruby 1.8.7 and 1.8.6 are available.
This time we have fixed dozens of bugs, including workarounds for CVE-2007-1558. Many segfaults are also fixed. For a complete list of what has been fixed, please read the ChangeLogs.
The released tarballs are available at:
- ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p368.tar.gz
- ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p368.tar.bz2
- ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p368.zip
- ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p160.tar.gz
- ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p160.tar.bz2
- ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p160.zip
Checksums:
MD5(ruby-1.8.6-p368.tar.gz)= 508bf1911173ac43e4e6c31d9dc36b8f
SHA256(ruby-1.8.6-p368.tar.gz)= cc8cad3edd02d8c2de3c63a7d8a5cb85af39766dd47360a9c0f26339b101e2a0
SIZE(ruby-1.8.6-p368.tar.gz)= 4602095

MD5(ruby-1.8.6-p368.tar.bz2)= 623447c6d8c973193aae565a5538ccfc
SHA256(ruby-1.8.6-p368.tar.bz2)= 1bd398a125040261f8e9e74289277c82063aae174ada9f300d2bea0a42ccdcc1
SIZE(ruby-1.8.6-p368.tar.bz2)= 3967709

MD5(ruby-1.8.6-p368.zip)= 3d301a4b1aded1922570585bbece2c29
SHA256(ruby-1.8.6-p368.zip)= 8ba4bfd14d2914bfe2c18ffa9da084234be978fd0eee654f7a5c732a1beb0246
SIZE(ruby-1.8.6-p368.zip)= 5619494

MD5(ruby-1.8.7-p160.tar.gz)= 945398f97e2de6dd8ab6df68d10bb1a1
SHA256(ruby-1.8.7-p160.tar.gz)= 47c3d1ae6b3dbda230d04f258304516fc1da571fa757d5e1d8d0104b49045530
SIZE(ruby-1.8.7-p160.tar.gz)= 4818817

MD5(ruby-1.8.7-p160.tar.bz2)= f8ddb886b8a81cf005f53e9a9541091d
SHA256(ruby-1.8.7-p160.tar.bz2)= e524a086212d2142c03eb6b82cd602adcac9dcf8bf60049e89aa4ca69864984d
SIZE(ruby-1.8.7-p160.tar.bz2)= 4137518

MD5(ruby-1.8.7-p160.zip)= 06319bafa225df47fe26dfb52bc174a7
SHA256(ruby-1.8.7-p160.zip)= c56fefbb9e7e186bf9feeb864793ad2a53062ce871b47ab0170316e38f738995
SIZE(ruby-1.8.7-p160.zip)= 5876269
The ChangeLogs are bundled into those tarballs, and also available at the following locations:
- http://svn.ruby-lang.org/repos/ruby/tags/v1_8_6_368/ChangeLog
- http://svn.ruby-lang.org/repos/ruby/tags/v1_8_7_160/ChangeLog
Updates
- An earlier version of this document said it fixed CVE-2008-1447, but that had already been included in 1.8.7-p160 / 1.8.6-p368. Thanks to Tomas Hoger.
The schedule for the upcoming MountainWest RubyConf is available.
You can also keep track of the conference via twitter. Just follow @mwrc
MountainWest RubyConf is being held in Salt Lake City, UT, USA, March 13 and 14 2009.