Who’s coding the Linux OS?

LWN.net has an article (subscriber only until March 1st) on who wrote the current release of the Linux kernel, 2.6.20. The author analyzes the code repository to see who submitted changes and what company they work for. Here are the conclusions:

The end result of all this is that a number of the widely-expressed opinions about kernel development turn out to be true. There really are thousands of developers – at least, almost 2,000 who put in at least one patch over the course of the last year. Linus Torvalds is directly responsible for a very small portion of the code which makes it into the kernel. Contemporary kernel development is spread out among a broad group of people, most of whom are paid for the work they do. Overall, the picture is of a broad-based and well-supported development community.

The top contributing companies are:

Unknown: 19%

Red Hat: 12.8%

None: 11.0%

IBM: 7.3%

Other stats that caught my eye: Novell with 3.4%, Intel 3.4%, Sony with 2.4%, Nokia 1.6%.

The figures should not be relied on too much (note the large “Unknown” category) but it is still interesting. Contrary to a myth still sometimes peddled, Linux is not primarily the work of hobbyists in back bedrooms or students pulling all-nighters; but nor is it wholly taken over by the usual commercial suspects. I think these are healthy indicators.

Don Dodge has more extracts and commentary.

 


Can CodeGear make sense of PHP development on Windows?

I had a chat with CodeGear’s David Intersimone and Jason Vokes about Delphi for PHP, following which I wrote a short article for The Register.

I do have reservations about the CodeGear product, though I’ve not seen it yet. My main concerns are first, that CodeGear will find it difficult to work alongside PHP’s open source community; second, that Delphi for PHP will have an unexciting feature set in its first release; and third, that over-reliance on data-binding frameworks may get in the way of lean, fast PHP development. I am not a great enthusiast for data binding, which can all too easily be inefficient, hard to debug, and restrictive in terms of database drivers. I also think the name is silly, and that long-term it makes no sense for Delphi for PHP to have its own IDE, as opposed to using Borland Developer Studio or Eclipse.

Drag-and-drop form building is hardly an exciting feature these days. I’m more interested in aspects like how easily developers and designers can collaborate, or how the IDE helps developers create secure applications, profile performance, or refactor existing spaghetti PHP into something resembling a well-structured application.

Then again, PHP is poorly served by IDEs right now, so there must be an opportunity here. One of the reasons is that setting up to test and debug PHP on Windows is awkward, posing a problem for those who develop on Windows but deploy to Linux web servers. It is an ugly mismatch. Will you use Apache on Windows, or try to get IIS working well with PHP? Presumably you want MySQL as well? Or perhaps run one of those combined installers like XAMPP and hope that all this stuff is being installed in a secure manner and won’t break IIS, ASP.NET, or anything else.

This is before you start thinking about the IDE. Will it be the Zend/Eclipse PHP Development Tools? Or the less official PHPEclipse? Something else? And not forgetting Dreamweaver, which is great for designers but less good for code unless you are happy with the built-in wizards.

It appears that folk often run into difficulties simply getting debugging working sensibly in their PHP setups.

Delphi for PHP will not necessarily be any better. In the past, Borland has not been shy about installing lots of miscellaneous bits onto your system unless you are careful what you click; it may be no different from XAMPP. Yet if it can pull off a smooth installation with a half-decent PHP editor, smooth debugging, and no conflict with our existing Visual Studio / ASP.NET / IIS setups, then that alone will make it a worthwhile proposition.

 

Got Paint.NET?

I am late with this; Paint.NET 3.0 was released at the end of last month. It deserves more publicity, since it is of high quality. If you have .NET Framework 2.0, download it here.

The application is fine for general use; I may switch to it from my old favourite Paint Shop Pro, for trimming and touching up screen captures. One feature I like is the way it handles multiple documents. A thumbnail of each open document appears at top right, in a fat toolbar; click a thumbnail to switch to that document.

Paint.NET is particularly interesting for developers. It is written in C#, and started out as a design project; as I understand it, one of the intentions was to discover whether Microsoft’s .NET Framework was up to the task, given that image applications do a lot of intensive number-crunching. Most of the code is C# but not quite all. There is a shell extension written in C++ and some use of PInvoke and COM interop. I get the impression that the chief developer Rick Brewster is now more interested in creating an excellent application than in proving a point about .NET.

One point of interest is the use of multi-threading for optimized performance on multicore processors. Brewster has recently posted his performance tests on various processors from two to eight cores:

The 8-core system is frightfully fast, and it’s very clear that having rendering code optimized for multiple threads is a big win. However, I will be honest and state that the performance scaling is not at the level I was hoping for: we’re already seeing diminishing returns at this point! In general, I am seeing gains of about 3.0x on a quad-core system, and 5.1x on an 8-core system (compared to running with only 1 thread). Unfortunately, I do not have an 8-core Opteron system to compare against which might provide some more meaty information to chew on (does it scale better? worse?).

I take his point, though a 5.1x gain on an 8-core system strikes me as decent. I recommend downloading the source code and taking a look; it is well commented and has workarounds for various System.Windows.Forms annoyances. Before you ask the obvious question, Brewster recently commented in the Paint.NET forum that he has not yet looked at WPF (Windows Presentation Foundation).

 


Peeking into Vista’s virtual store

In the user data area in Vista is a virtual store. Find it at:

C:\Users\[USERNAME]\AppData\Local\VirtualStore\

It is worth having a peek now and again. Here’s part of mine:

The Virtual Store is a feature of User Account Control, the centerpiece of Vista’s enhanced security. Applications that try to write to protected system locations, including Program Files, Windows, and HKEY_LOCAL_MACHINE in the registry, are prevented from doing so. Instead, a compatibility feature kicks in, and these applications write to a location in your home directory. Registry entries are written to a special area in HKEY_CURRENT_USER. The application mostly won’t know the difference, though there are limitations and you can get strange results. For example, if an application deletes a file from the virtual store when a file of the same name exists in the real location, the delete appears to succeed but the file still exists. Virtualization also fails (by design) if the application is run under another user account, or using Run As Administrator. The files written to the first user’s virtual store are invisible to these other users.

Virtualization is a stop-gap measure. Well-behaved applications should not write to these locations except when first installed, or for maintenance, both of which are administrative tasks. So the Virtual Store is a hall of shame. Microsoft features heavily in mine; we can just about forgive the appearance of the beta Expression tools, but Visual Foxpro 9.0? Adobe’s Flex Builder 2 is another disappointment. In most cases there are only one or two files, so we are not talking about major design issues, but they still need fixing.

If you are developing software, it is worth checking your virtual store in case stuff is slipping through. Note that you must have UAC enabled, and not be using Run As Administrator, since turning UAC off or running elevated will prevent the virtual store being used.
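One way to run that check, as an added example that is not part of the original post: it walks the virtual store, maps each redirected file back to the protected path the application meant to write, and flags files that shadow a real file of the same name (the case where deletes appear to succeed but the file remains). The function names are illustrative, and it assumes the store mirrors the protected path below the drive root.

```python
import os
from collections import Counter
from pathlib import Path


def audit_virtual_store(store_root, system_root):
    """List every file UAC redirected into the virtual store.

    store_root  -- the per-user store, e.g. %LOCALAPPDATA%\\VirtualStore
    system_root -- the drive root it mirrors, e.g. C:\\ (assumption: the
                   store reproduces the protected path below the drive root)
    """
    store_root, system_root = Path(store_root), Path(system_root)
    findings = []
    for dirpath, _dirs, files in os.walk(store_root):
        for name in files:
            virtual = Path(dirpath) / name
            rel = virtual.relative_to(store_root)
            intended = system_root / rel
            findings.append({
                # First two directory levels, e.g. "Program Files/SomeApp"
                "app": "/".join(rel.parts[:-1][:2]) or ".",
                "virtual": virtual,
                "intended": intended,
                # True when a real file of the same name also exists: the
                # application sees the virtual copy, other users see this one.
                "shadows_real_file": intended.is_file(),
            })
    return sorted(findings, key=lambda f: str(f["virtual"]))


def files_per_app(findings):
    """Count redirected files per application directory."""
    return dict(Counter(f["app"] for f in findings))


def default_roots():
    """Current user's store and system drive, read from the environment."""
    local = os.environ.get("LOCALAPPDATA", "")
    drive = os.environ.get("SystemDrive", "C:")
    return Path(local) / "VirtualStore", Path(drive + "\\")


if __name__ == "__main__":
    store, system = default_roots()
    results = audit_virtual_store(store, system)
    for app, count in sorted(files_per_app(results).items()):
        print(f"{count:4d}  {app}")
    for f in results:
        if f["shadows_real_file"]:
            print("shadowed:", f["intended"])
```

Run it as the ordinary, non-elevated user whose store you want to inspect; each user has a separate store.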


Annoying Word 2007 problem: can’t select text

I run Word 2007 on Vista. Today I hit a curious problem. Word opened, but something was badly wrong. I could not select text with the mouse. The document scroll bar did not work. Word crashed on exit. And going into Options – Addins, I could not navigate beyond the “Popular” section.

After several crashes an Office Diagnostics wizard popped up and offered to help. Kind of it. It chugged through numerous tests and finally told me it could not see anything wrong. Never mind.

Checking the newsgroups, I found fellow-sufferers but no solution. I decided to be methodical. I started Word in safe mode. (winword /a). It worked. Probably an add-in. I went to the COM add-ins and tried to disable them. Message: “The connected state of Office add-ins registered in HKEY_LOCAL_MACHINE cannot be changed”. OK, registry then. Navigated to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins

Found three add-ins listed. I changed the value of the LoadBehavior key from 3 to 0 for each add-in.

Word now worked OK, but still crashed on closing. I found I could restore two of the add-ins without problems. The guilty party: OfficePrintAddIn, a component of Flash Paper.

I had a look at active templates. There was one called FlashPaperWordUITemplate.2302.dot. If I tried to unload it, Word crashed. Perhaps it needs the related COM add-in to be loaded. I closed Word, found the template file, and deleted it. Everything is fine now.

A quicker route might be to uninstall Macromedia Flash Paper, unless you use this of course.

I’m still puzzled about why this problem only showed up today. I’d not made any changes to Flash Paper or Word that I’m aware of. And I don’t blame Macromedia (now Adobe) for this; Word 2007 did not exist when this Flash add-in was released.

Posted in the hope that it saves someone else some time.

 


How secure is OpenID?

Everybody is talking about OpenID. Big players are adopting it. But should you trust it for things that matter – financial transactions, for example?

Here’s an important post from Microsoft’s identity architect Kim Cameron:

So let’s think about this.  Where is the root of trust?  In conventional systems like PKI or SAML or Kerberos, the root of trust is the identity provider.  I trust the identity provider to say something about the subject.  How do I know I’m hearing from the legitimate identity provider?  I have some kind of cryptographic key.  The relevant key distribution has a cost – such as that involved in obtaining or issuing public key certificates, or registering with a Key Distribution Center.

But in OpenID, the root of trust is the OpenID URL itself.  What you see is what you get.  In the example above, I trust Francis’ web page since it represents his thinking and is under his control.  His web page delegates to his OpenID identity provider (OP) through the link mechanism in (5).  Because of that, I trust his identity provider to speak on behalf of his web page.  How do I know I am looking at his web page or talking to his identity provider?  By calling them up on DNS.

I’m delving into the details here because I think this is what gives OpenID its legs.  It is as strong, and as weak, as DNS.  In other words, it is great for transactions that won’t attract criminal attack, and terrible for those that will.

And here’s Cameron’s conclusion:

OpenID cannot replace crypto-based approaches in which there are trusted authorities rather than trusted web pages.  But it can add a whole new dimension, and bring the “long tail” of web sites into the identity fabric.

Note that Cameron is not opposed to OpenID. Apart from anything else, he recognizes that this may well be the beginning of an identity revolution – part of a process, at the end of which we get a safer, less spam laden, less criminal-infested internet.

At the same time, he’s right. The whole OpenID structure hinges on the URL routing to the correct machine on the Internet. In other words, DNS. Now do some research on DNS poisoning. Scary.

Now, it strikes me that you can largely fix this by requiring SSL connections. In other words, have the OpenID URL be an https:// URL, and have the relying party (the website where you want to log in) check for a valid SSL certificate. Note though that SSL must be used at every stage. OpenID lets you use your own URL as the identifier, but redirect to another OpenID identity provider. Both URLs must use SSL to maintain integrity.

Another idea is to use an OpenID for non-critical logins, however you define those.

Note that this issue is different from the phishing risk, for which CardSpace strikes me as a good solution.
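The "SSL at every stage" rule above, sketched as a relying-party check. This is an added example, not code from the post or from any OpenID library: it takes the claimed identifier, any redirects followed while fetching it, and the fetched page, and reports every hop that is not https. The function names, the `.example` hosts and the sample page are constructed for illustration; the `openid.*` and `openid2.*` link relations are the ones used by OpenID HTML discovery.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Link relations used by OpenID 1.x and 2.0 HTML-based discovery.
OPENID_RELS = {"openid.server", "openid.delegate",
               "openid2.provider", "openid2.local_id"}

# Constructed sample: an https identity page that delegates to an http server.
SAMPLE_PAGE = """<html><head>
<link rel="openid.server" href="http://op.example/server">
<link rel="openid.delegate" href="https://op.example/user/alice">
</head><body>home page</body></html>"""


class OpenIDLinkCollector(HTMLParser):
    """Collect (rel, href) pairs from <link> tags that carry OpenID rels."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = dict(attrs)
        href = (attr.get("href") or "").strip()
        # rel may hold several space-separated values on one tag.
        for rel in (attr.get("rel") or "").lower().split():
            if rel in OPENID_RELS and href:
                self.links.append((rel, href))


def is_https(url):
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)


def insecure_hops(claimed_id, redirects, page_html):
    """Return (role, url) for every step of discovery that is not https.

    An empty list means the scheme is https end to end. The HTTP client that
    fetched the page must also validate certificates; this check covers
    only which URLs the chain passes through.
    """
    hops = [("claimed identifier", claimed_id)]
    hops += [("redirect", url) for url in redirects]
    base = redirects[-1] if redirects else claimed_id
    collector = OpenIDLinkCollector()
    collector.feed(page_html)
    # Relative hrefs inherit the scheme of the page they were found on.
    hops += [(rel, urljoin(base, href)) for rel, href in collector.links]
    return [(role, url) for role, url in hops if not is_https(url)]


if __name__ == "__main__":
    for role, url in insecure_hops("https://blog.example/", [], SAMPLE_PAGE):
        print(f"reject login: {role} is not https: {url}")
```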

 

Rasmus Lerdorf on security, hormones and PHP

PHP inventor Rasmus Lerdorf spoke yesterday at the Future of Web Apps conference in London. It was the highlight of the conference: at once funny, insightful, techie and thought-provoking.

“I had no intention of writing a language”, he told us. “I hate programming with a passion. It’s boring. It’s tedious. It’s hard. I love solving problems. You endure the pain to get to the end destination.”

In case there are any non-geeks reading, I should explain that PHP is the most popular server-side programming language on the Web. This blog is driven by a PHP application called WordPress. PHP is also free, and one of the big successes of open source.

Lerdorf related the history of PHP, which originally stood for “Personal Home Page tools”. They were little scripts he wrote for his own home page, “my own little hack to reuse the C code I had written”. He then shared his work with friends. He showed us some code samples. Here is PHP in 1994:

<!--getenv HTTP_USER_AGENT--> 
<!--ifsubstr $exec_result Mozilla--> 
Hey, you are using Netscape!<p> 
<!--endif-->

By 1995 PHP looked more like what we would recognize as PHP. By 2007 it has sprouted all sorts of modern object-oriented features and Lerdorf noted that while he understood the importance of these, it has somewhat moved away from its original intent as a quick and dirty tool.

Lerdorf made PHP a completely open source project in 1997. He was fed up with maintaining scripts for other people and realised that he could not do it alone. “No one person can possibly learn 20 different database APIs”. So he contacted all the people who had made suggestions to him, gave them access to PHP’s source on CVS (a source code management system), and relinquished control.

This was the lead-in to some reflections on why people bother to contribute to open source software. Lerdorf gives 4 reasons:

  1. Self-interest
  2. Self-expression
  3. Hormones
  4. Improve the world

The last of these is, in his view, the least important. But why hormones? His theory is that open source is one way geeks get human interaction, despite preferring keyboards and screens to going out and meeting people. It follows that factors like recognition (within their circle) and a sense of ownership are critical to successful open source projects, or even to any form of user-generated content. “You have to think about how people feel about themselves”, says Lerdorf. In fact, his comments chimed nicely with what Kevin Rose said about Digg.

Performance and security

Next, Lerdorf addressed the two major hurdles facing web applications. He is a strong believer in performance as a feature. “Unless you can make it work, there’s no point.” He dived into a couple of profiling tools to make his point, showing how to identify bottlenecks in PHP applications.

Security on the web is awful – I fully take the blame

Then security. “Security on the web today is awful. I know a lot of people blame PHP for that … I fully take the blame for some of it, but not all of it.”

What could he have done? Well, PHP does not spoonfeed security; Microsoft’s ASP.NET is actually better in that respect (my comment, not his). It could be more secure by design. On the other hand, as Lerdorf notes, “there was no such thing as cross-site scripting in 1995”. He gave us a great explanation of how cross-site scripting works; it is not the easiest thing to explain. PHP 5.2 has a new filter function for making user-input safe.

How to be safe on the web? “You can never click on a link. Sorry. Unless you understand everything in that link, and some of them are huge. You can never be sure that it is safe….most people are really easy to trick.”

Finally, Lerdorf gave us a few general comments on future directions, the possibilities opened up by geocoding in Flickr, for example. He says don’t make new portals, “We have enough portals out there.” Use the APIs published by major sites, and finally – make it fast.


More Future of Web Apps hits and misses

The Carson Future of Web Apps London conference is over; here are my quick reflections on day two.

Adobe covers old ground

Adobe’s Mark Anders (formerly at Microsoft and much involved in ASP.NET) spoke about Flex and Apollo, explaining how FlexBuilder and MXML form a developer-friendly way to compile Flash binaries; this is familiar ground for me and I was disappointed that he didn’t go into more depth, especially considering that we had a similar talk from Andrew Shorten at this event last year. Still, there were some interesting performance comparisons showing off the JIT compiler in Flash 9.0 – it is much faster for ActionScript, as I’ve confirmed with my own tests.

Chris Wilson on IE

Microsoft’s Chris Wilson (co-author of the first NCSA Mosaic for Windows) spoke on IE7; his talk was billed as “The Future of the Browser” but it was not about that, it was more of an apologia concerning why IE was frozen for 5 years between IE 6.0 and IE 7.0 (I think it is worse than that, since IE 6.0 was not really a major advance on 5.0). He gave three main reasons: in 2001 few people were building browser-based rich web apps so there seemed little point investing in the technology; in 2002 Microsoft’s security push drained resources; and complacency from lack of competition. Wilson assured us of Microsoft’s commitment to standards, reminded us of compatibility issues (“don’t break the web”), and said that we can expect better standard support, improved user experience, and further security features in future versions of IE. A good bridge-building talk.

I caught Chris Wilson afterwards and explained my disappointment with Outlook’s use of the IE7 RSS platform, which is a botch (see here for why). I’ve asked several others at Microsoft this same question and received mumbled answers and promises to follow up that have not materialized. Wilson by contrast says he is aware of the problem and that many of Microsoft’s employees are complaining about it as well; he’s turned off RSS sync in Outlook 2007 himself, for exactly this reason. He says it will be fixed somehow but gave no clues as to when; at worst it could be the next version of Office.

I also asked when we can expect IE8. Wilson says it will be no later than two years from the release of IE7, but probably close to that. IE is no longer tied to major releases of Windows itself.

Design challenges at the New York Times

Khoi Vinh is Design Director at NYTimes.com and gave us some great insights into the problem of maintaining strong design when content is changing rapidly. In essence, he said that tools cannot keep pace with real-time, forcing compromise. He also spoke about how changing media means many-to-many interaction (not 1-to-many), and how user interface design should risk offending experts, by going for ease of use with perhaps some compromises on advanced features, rather than offending novices with UIs they cannot make sense of. Excellent talk.

The promise of OpenID

Simon Willison gave an animated talk on the future of OpenID, enthusing about the benefits of single sign-on. This was mostly a great presentation, pitched at the right level with examples, and honest about the risks and pitfalls as well as the advantages. He mentioned how Microsoft’s CardSpace helps solve the phishing problem, by moving the authentication UI into the browser, but mistakenly said this is a feature of Vista – it is not, it is a feature of .NET Framework 3.0 and available for Windows XP. (I spoke later to Chris Wilson about this, who hinted that progress in implementing CardSpace for other browsers such as FireFox and Safari is well advanced). I particularly liked the way Willison brought out some potential future benefits from a well-supported Internet identity standard, such as networks of trust enabling whitelists to combat problems like comment spam.

Google, Vodafone disappointments

After three strong presentations in a row I was feeling upbeat about this conference, but sadly it took a dive. Carson had decided to experiment with user-generated content, giving attendees the chance to put forward their own presentations; attendees voted on which ones they would like to see, and the top three got 15 minutes each. Good idea, but didn’t work well in this instance for several reasons – lack of presentation skills, not enough participation, perhaps none of the submissions was really strong enough.

Jonathan Rochelle from Google spoke on “How web built Google Docs & Spreadsheets”. I had been looking forward to this session, but it was a big disappointment, very high-level with no real insight into how the application was put together. Rochelle is too much a company man and gave little away. Then Daniel Applequist from Vodafone spoke on the mobile internet, observing that there are 1000 million XHTML-capable mobile phones versus a mere 150 million wi-fi equipped laptops. Unfortunately Applequist didn’t succeed in enthusing the conference, perhaps the mid-afternoon timing was to blame.

Great PHP talk and closing words

It was worth hanging on for Rasmus Lerdorf’s presentation on PHP. This was outstanding and I am going to post separately about it. In part this may be because I had not heard him speak before; but I really enjoyed this talk.

This post is already too long, and I’ve already posted about NetVibes, so I will close by just mentioning the entertaining Moo session from Richard Moross and Stefan Maddalinski. They love the UK’s Royal Mail.

Thanks to Carson for a thought-provoking couple of days – but please make the wi-fi work properly next time!

Netvibes Universal Widget API and OpenID

Widgets are a great concept – the user interface components of Web 2.0, perhaps? Problem: which widgets? Google Desktop? Microsoft Live? Dashboard on the Mac? Konfabulator? Or Netvibes?

Netvibes CEO Tariq Krim reckons he has the answer, announcing at the Future of Web Apps conference in London his Universal Widget API. Not sure exactly how this will work, but the idea is that you write your widget once and it runs everywhere. Dashboard and Google were specifically mentioned, along with “a bunch of others.”

After the announcement he left the stage, then dashed back, grabbed the microphone, and added a promise to support OpenID. More momentum.


Notes on the Future of Web Apps

This is the beginning of the second day at Carson’s Future of Web Apps conference in London. I was drawn by the excellent speaker line-up, including Kevin Rose from Digg, Werner Vogels who is the CTO at Amazon.com responsible for services including S3 and EC2 (web storage and on-demand virtual servers), Mike Arrington from TechCrunch, and PHP inventor Rasmus Lerdorf. There are also speakers from Adobe, Microsoft, Yahoo, Google, NetVibes and various other organizations flying under the Web 2.0 banner.

The first day was worthwhile but mixed. I am a little jaded I guess, having been to a number of these sorts of conferences. There is too much Web 2.0 tub-thumping, too many sales pitches, and not enough investigation of hard questions. In particular, I would like to hear more about business models. Cool free apps are great, but sustainability is important too.

I was disappointed by Werner Vogels’ talk yesterday. A shame, since I remain impressed by what Amazon is doing. He gave pretty much a repeat of what we already know about S3, EC2 and Mechanical Turk. Having heard Jeff Barr present the same stuff on two other occasions (including this same conference last year), I was hoping for more. How is S3 coping when stressed, is performance holding up, what have been the pressure points? Is the pricing sustainable (I think it is too cheap)? Why is there still no SLA? What are the main feature requests from users, and how will they be addressed?

I don’t mean to pick on Vogels; some of the same criticisms apply to other speakers.

Fortunately there is good stuff here as well. The second part of Rose’s talk on Digg was interesting and I plan to cover this separately. Bradley Horowitz from Yahoo gave a thought-provoking talk on automatic content filtering, detecting “interesting” Flickr images, and distinguishing between synonyms like Jaguar (car) and Jaguar (animal) in user-generated content. I enjoyed the brief talk from ThinkFree on its online Office suite, though TJ Kang mystified me by being seemingly unconcerned about the business aspect. ThinkFree has an online Microsoft Office viewer which looks useful – upload your .doc or .xls, have users view it in HTML.

There is a small exhibition here with stands from Google, Yahoo, Microsoft, Adobe and others. Adobe has a neat Apollo app on show, a desktop application which uses the EBay web service API to give you full access to EBay without having to visit the site. I’ve asked for a screenshot as this type of application will be increasingly common in future. Of course it could just as easily be written in Microsoft’s WPF, but without the cross-platform compatibility.

A couple of notes on Microsoft, a newcomer to this conference and showing off the Expression range of design tools. First, I noticed that several ex-Macromedia folk are now working for Microsoft, including Andrew Shorten who presented Flex here last year. Shake-out from the Adobe merge, but good for Microsoft in my view. Second, the first release of WPF/E will be soon, but without C# and CLR support; this will follow in the second release. Interesting, especially since Flash 9 already has a JIT compiler for its JavaScript implementation. However the plan is that there won’t be a long wait for the updated WPF/E – less than a year, I was told.

Microsoft is giving away free copies of Expression Web Designer. It is actually a decent product, but what do you do when everyone (at a conference like this) is using Dreamweaver?

Oh yes, and Java? Hardly mentioned here (though ThinkFree uses it, so does Flex server-side of course).