Archive for June, 2006

This boy goes to ‘leven

Two. free. five. nine. ten.



Rails. Dreamhost.

Interesting things that I’ve noted recently:

  • I ran into a strange bug with rmagick that revealed that Dreamhost has an interesting configuration for rails, such that rmagick version 1.6.0 is the one that gets used, but 1.10.1 is what’s reported installed. (in this case, 10>6 by about 2 years). The bug was that drawing text on an image stopped at the first space character. The solution was to freeze my copy of rmagick (1.10.1, just like theirs should have been) with this rake task. This might have been easier if it was not installed there in the first place, but then again, I never managed to build rmagick on my machine.
  • Rails, by default, appends a ?[big number] to static file urls. This generally breaks caching in web browsers, which are conditioned to not cache anything with a query string. In turn, this makes pages that include css, javascript and images seem very slow to load, especially if the rest of the page is lightweight. I’m sure that there are issues with stale versions of files, but completely breaking caching seems a bad way to fix it.

    It’s possible to disable this behavior by editing the link generation code in vendor/rails/actionpack/lib/action_view/helpers/asset_tag_helper.rb, commenting out the line that starts “source << ‘?’ + rails_asset_id(source)”. I need a cleaner solution than that though…

  • The way to figure something out at Dreamhost is to submit a trouble ticket, then get annoyed enough that you go and google/hack at a solution because you’re frustrated that they’re not responding in 15 minutes late on a weekend.
  • Later… There’s a strange bug that when rmagick writes out a .png, it only writes 1024 bytes, but when Ruby’s file object attempts it, it cleanly writes the whole file. Yay for one line fixes and 5 line comments.
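As an added example (my code, not Rails’ asset helper and not from the notes above), here is the cache-friendly alternative to the ?[big number] query string from the second note: put a digest of the file’s contents into the file name itself. A changed file gets a new URL, so nothing stale is ever served, while an unchanged file keeps a stable URL that browsers and proxies cache like any other static file. The helper names fingerprinted_url and strip_fingerprint are mine, and the sample stylesheet and directory are constructed; it assumes the web server has a rewrite rule that uses the same mapping as strip_fingerprint to find the real file on disk, which is not shown.

```ruby
# Added example: content-fingerprinted asset URLs as an alternative to the
# "?<timestamp>" query string. Not Rails code; helper names are mine.
require 'digest/md5'
require 'tmpdir'

# Public URL for +path+ (e.g. "/stylesheets/app.css") under +public_root+,
# with the first 8 hex digits of the MD5 of the file's bytes inserted before
# the extension: "/stylesheets/app-1a2b3c4d.css". No query string, so the
# URL caches normally, yet every change to the contents yields a new URL.
def fingerprinted_url(public_root, path)
  bytes  = File.binread(File.join(public_root, path))
  digest = Digest::MD5.hexdigest(bytes)[0, 8]
  ext    = File.extname(path)
  "#{path.chomp(ext)}-#{digest}#{ext}"
end

# Server-side inverse: strips the "-<8 hex>" marker so a rewrite rule (or a
# tiny Rack app) can map the requested URL back to the file on disk. Only
# the marker directly before the final extension is touched.
def strip_fingerprint(url)
  url.sub(/-\h{8}(?=\.[^.\/]+\z)/, '')
end

# Demo against a constructed public directory: the URL stays the same while
# the stylesheet is unchanged and changes as soon as it is edited.
def demo
  Dir.mktmpdir do |root|
    Dir.mkdir(File.join(root, 'stylesheets'))
    css = File.join(root, 'stylesheets', 'app.css')
    File.write(css, "body { color: red }\n")
    first   = fingerprinted_url(root, '/stylesheets/app.css')
    again   = fingerprinted_url(root, '/stylesheets/app.css')
    File.write(css, "body { color: blue }\n")
    changed = fingerprinted_url(root, '/stylesheets/app.css')
    { first: first, again: again, changed: changed, stripped: strip_fingerprint(changed) }
  end
end

puts demo.inspect if __FILE__ == $0
```

Because the URL changes on every edit, the web server can safely send a long max-age for the static directory; this is the scheme Rails itself adopted later, when the asset pipeline started putting digests in file names.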

I’m not going to be amused if he starts talking about the precious.


Subtle Bug, or why stored procedures aren’t RESTian

(Postgre)Sql is type safe. Sql has transactions. When you do something in a function, it should all complete, or none, and the type system should catch a lot of these errors before they bite you.

Until it doesn’t.

Spot the Bug: (apart from going a very long way around to set two columns of a table the same, assume that do_stuff has some other interesting effects)

create or replace function do_stuff(bigint) returns bigint as '
  update tbl set other_id=$1 where id=$1;
  select $1;  -- $1 is the bigint argument (the original read "$id", a typo)
' language 'sql';

create or replace function foo() returns bigint as '
  insert into tbl (id, other_id)
    select id, null from transactions where id in (1,2,3);
  select do_stuff(id) from transactions where id in (1,2,3);
' language 'sql';

There are really 2 bugs — one is that a select statement is doing non-restian stuff by changing state in the system. It’s a somewhat accepted practice, but it leads to other errors, namely:

foo() is declared as returning a single bigint, yet the last select in it can return a set. Since the declared return type wins, what you end up getting is the same as appending limit 1 to the end of the last query: do_stuff() is only run for the first row.

So, at least in postgresql, you’d end up with a table that looked like:

id | other_id
1 | 1
2 | null
3 | null

instead of the expected:

id | other_id
1 | 1
2 | 2
3 | 3

And that can make you sit and stare really hard at a function until none of it makes sense. The answer, apart from ‘don’t do that’ is to make the function return setof bigint, making it clear that what you’re getting out is possibly going to be more than just a single number.


Rails Observations, 3 weeks on.

I’m 3 weeks into an occasional night and weekend project — taking an hour or two when the boy is sleeping to get up to speed on Ruby on Rails. Three weeks in, maybe 20+ hours, and I’ve got a solution that’s nearly ready to be opened up to more than just in-family testing. What follows are some notes on the experience.

I’ve got some history with TurboGears and Webware for Python (and a lot of python backend non-web stuff), and a bunch of PHP recently and Frontier experience going back to the first boom. I’ve done my version of object relational mapping and scaffolding/form generation, I know what has worked in my products and where I feel that there’s friction that could be reduced.

Rails is different. Far enough different that I’m not bringing python baggage into it like I did for turbogears. I was disappointed with TG (or was it subway?), partially because of the amount of stuff that I had to find and install, and I didn’t really gel with it. Then again, this is 6 months later, and I’ve kind of let the project go into hibernation without ever putting it on a deployment server. But this one is 3 weeks in, and I’m ready to show parts of it to the world. That alone shows that it is possible to deploy early and often. With caching, it even runs fast enough on an old G4 to not be embarrassed about it. I’d say that it’s generally about as fast as Frontier (on ancient hardware), in a ‘things take a second or so’ sort of way, not in any sort of quantified benchmarked manner. It’s downright snappy on my MacBook.

Rails on the mac is a one dmg install if you get the right dmg, and that makes a big difference.

Rails has had a lot of thought put into laying things out; I like the convention vs. configuration. I like not repeating myself, but I must say that every time I’ve tried to reuse things via subclassing, I’ve backed it out and am using copy/paste because things got pear shaped very quickly. Some stuff really is quick. I’m certainly not faster in it now than I am in php/python (well, apart from choosing a python web framework), but that will probably come with time.

There’s a good system for migrating data models forwards and backwards. That’s nice. Test harnesses are built in, also a very good thing. Basic Ajaxy stuff is really quick to implement. Edit in place is something that I’ve been wanting for a looooong time. Edit in place plus periodic autosave is enough to get around the dreaded browser window close problem.

I’ve fought with caching, since the assumption is that you’re caching html, and I’m caching images. My images get saved with .html, or they get stored in the in memory cache and then served out as text/html, even though I’m setting a mime type on the return. I didn’t want to expose a gif/jpeg/png suffix in urls so that I could change the underlying representation away from png if IE6 became too much of a hassle. That’s just not an option without extensions, since the webserver won’t have a clue as to the correct mime type. My images change once a day, so what I’m doing for now is dumping them to a static directory, then serving from there with lighttpd and having a cron job clear it out at midnight. I don’t like the cron job part, since it means that there’s something that’s not embedded in the deployment.

I’ve had some things that Just Haven’t Worked. One of my database migration scripts refused to do anything useful with the data when done in a ruby way. I think it’s because of a versioning difference between the old class and the new class, but the failure was less than obvious. (obj.find(:all) failed)

I’m certainly not writing ruby right now, I’m writing python with a ruby syntax. It would be good to go over this with someone who knows ruby and could point things out.

There’s a lot of fiddly stuff that happens around scaffolding and forms once you get rid of the scaffolding. There’s a lot of view related stuff that’s just not in my normal working flow. I don’t write forms in anything resembling html if I can help it at all; normally I drop a list of columns + data on a renderer. My stuff winds up being harder to lay out manually. Tradeoff, yes. More flexible, but I kind of like the form infrastructure that I’ve built twice now.

The MVC layout is not what I was expecting; I am winding up with minimal glue in the controller, lots of stuff in the models, and html and such in the views. Reasonably to be expected, but significantly different from the frontier view or the java servlet view. (I’m partial to the servlet view these days). It’s very hard to link to an action that returns an image and get it right. Stuff that I’d like to reuse winds up having to happen in views, which don’t reuse easily. I would have expected a more heavyweight controller, and lighter models, given that the default layout seems to be a controller/model/view for each object. This is probably because I’m just not up on ruby yet. There is another model, that of controllers for each permission level that span different object types. I’ve spent half an hour rearranging my biggest controller into admin and public and it seems to make more sense than the per object controllers.

The documentation out there is somewhat sketchy, lots of blog posts and an api document. The howtos aren’t really often what I’m looking for, and I managed to get an error message that didn’t show up in google at all. The Rails Recipes book is a help – but I’m still finding that the online resources aren’t the equivalent of python or php. To be fair, Rails the framework should be distinguished from Ruby the language – I’m comparing to language level documentation and Rails is significantly more subtle than that.

It’s not a silver bullet, but then, there never really is one. When things work, features are under an hour. It’s possible to get meaningful progress done between boy falling asleep and me crashing. We’ll see how I feel about it in another month.


Fremont Solstice 2006

The annual display of naked bicyclists, bighead costumes, samba dancers, and public artists of all ilks ran this morning.

Samba Girasol Dancer

Parade Album of 123 images, with none of the naked cyclist brigade, but still a few of the exposed body parts that the parade is somewhat famous for.


Cyclists Album of 50 images. Contains nudity with and without body paint, minimal clothing or not, broccoli, and some bike helmets. Both genders, front and rear, but nothing that’s too shocking for a parade at high noon in front of thousands of people.

Bugs of mass destruction

This year, there were a ton of naked bicyclists, at least twice as many as I’ve ever seen before (a couple hundred or so), twice as many belly dancers (250), and 4 drum and dance bands. More action and fewer random people in costumes was my take away impression.

Stilt Walkers

I shot 2 cards of jpegs, but some of one was slightly prefilled by some pictures that I neglected to delete off it from last time. I ran out of space at the end, so the last couple of groups in the parade are less well represented. I wish I’d realized that I didn’t clear off the card last time.

A tree, or an ent, or something

If any of these pictures are of you, and you want the full res versions, please email and I’ll send them to you.


Guns in Paradise

Well, it’s happening. Malware on OSX.

A friend found an IRC relay daemon on his laptop running under the Guest user, with no recollection of ever setting such a thing up. Found it via LittleSnitch when it tried to connect out to some irc servers.

I have logs and an image of the account. But I don’t know how the account was created in the first place.

The attack sounds very similar to this message and remotely similar to this message. But with a little more skill.

A while ago, October 22 2005 to be exact, a guest account was created. We’re not sure how this happened, nor are we completely sure that it was done maliciously, but it was done. The machine had ssh exposed to the world. It’s possible that the Guest user was created prior to this and their home directory was only pointed at /Users/Guest on 10/22, since I have ‘last’ records of a guest logging in as early as September from China. Most of the logs on this machine have rolled over, so there’s not a lot that I can do to figure out how the account got created.

On the 12th, it looks like someone tried to bruteforce ssh, then this morning psybnc was downloaded from al-ex.ws43.com, unpacked and run from the command line. Ws43.com is a domain name used by a hosting service for free or low cost hosting, so it’s not a terribly good clue. Someone from connected and tried to access undernet’s irc. I do have earlier records of guest logins from that same address, so I’m thinking that this is more than one attack. That fits with the guest .bash_history, which makes it look like our intruder changed the guest password this morning just before he downloaded the irc tunnel.

So what we have is:

  • An apparently bruteforceable password, on an account that the owner doesn’t remember creating.
  • An sshd service that shouldn’t have been on.
  • 3 logins from a single ip address over the course of 6 months
  • A whois record from ws43.com giving a name that looks strikingly like the connection name on undernet.
  • And lots of links to .ro.

There’s nothing about this attack that’s particularly OSX specific. The details of the early stages aren’t terribly clear due to the passage of time, and fuzzy memories of what may have been turned on or who generated the account.
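As an added example (my code, not from the post above), here is a small detector for exactly the pattern this incident shows: a burst of failed ssh passwords from one address, followed by a successful login on an account nobody expected to exist. It runs over constructed syslog-style sshd lines of the kind sshd writes to a Unix auth log; the host name, times and addresses are made up (the addresses come from the RFC 5737 documentation ranges), and the function names parse_sshd_log and analyze are mine.

```ruby
# Added example: password-guessing and unexpected-account detection over
# sshd log lines. Not code from the post; sample lines are constructed.
require 'time'

# Constructed sample log (not the laptop's real logs): a guessing run
# against "Guest" that eventually succeeds, plus normal activity by alice.
SAMPLE_LOG = <<~LOG
  Jun 12 03:14:01 laptop sshd[1234]: Failed password for Guest from 203.0.113.7 port 40122 ssh2
  Jun 12 03:14:03 laptop sshd[1235]: Failed password for Guest from 203.0.113.7 port 40124 ssh2
  Jun 12 03:14:05 laptop sshd[1236]: Failed password for invalid user admin from 203.0.113.7 port 40126 ssh2
  Jun 12 03:14:07 laptop sshd[1237]: Failed password for root from 203.0.113.7 port 40128 ssh2
  Jun 12 03:14:09 laptop sshd[1238]: Failed password for Guest from 203.0.113.7 port 40130 ssh2
  Jun 12 03:14:11 laptop sshd[1239]: Accepted password for Guest from 203.0.113.7 port 40132 ssh2
  Jun 12 09:20:00 laptop sshd[1301]: Accepted publickey for alice from 192.0.2.5 port 51000 ssh2
  Jun 12 11:02:17 laptop sshd[1350]: Failed password for alice from 198.51.100.9 port 22001 ssh2
LOG

# One sshd authentication event (auth = "password", "publickey", ...).
Event = Struct.new(:time, :result, :auth, :user, :ip)

# "<Mon> <day> <hh:mm:ss> <host> sshd[pid]: Failed|Accepted <auth> for
#  [invalid user] <user> from <ip> port <n> ..."
LINE_RE = /\A(?<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?<result>Failed|Accepted) (?<auth>\w+) for (?:invalid user )?(?<user>\S+) from (?<ip>\S+) port \d+/

# Keeps only authentication lines. syslog omits the year, so the caller
# supplies it; double spaces before single-digit days are squeezed first.
def parse_sshd_log(text, year = 2006)
  text.each_line.map do |line|
    m = LINE_RE.match(line) or next
    stamp = Time.strptime("#{m[:ts].squeeze(' ')} #{year}", '%b %d %H:%M:%S %Y')
    Event.new(stamp, m[:result], m[:auth], m[:user], m[:ip])
  end.compact
end

# Walks the events in time order and reports:
#   :brute_force       -> { ip => most failures seen inside one +window+ },
#                         for every address that reached +threshold+
#   :suspicious_logins -> successful logins on accounts outside
#                         +expected_users+, or from an address that had
#                         already been failing (a guess that finally worked)
def analyze(events, expected_users:, threshold: 5, window: 60)
  failures    = Hash.new { |h, k| h[k] = [] }
  brute_force = {}
  suspicious  = []

  events.sort_by(&:time).each do |e|
    if e.result == 'Failed'
      failures[e.ip] << e.time
      recent = failures[e.ip].count { |t| e.time - t <= window }
      brute_force[e.ip] = [brute_force[e.ip].to_i, recent].max if recent >= threshold
    else
      reasons = []
      reasons << 'unexpected account' unless expected_users.include?(e.user)
      reasons << 'prior failures from same address' unless failures[e.ip].empty?
      suspicious << { time: e.time, user: e.user, ip: e.ip, reasons: reasons } unless reasons.empty?
    end
  end

  { brute_force: brute_force, suspicious_logins: suspicious }
end

if __FILE__ == $0
  report = analyze(parse_sshd_log(SAMPLE_LOG), expected_users: %w[alice])
  report[:brute_force].each { |ip, n| puts "password guessing from #{ip}: #{n} failures within 60s" }
  report[:suspicious_logins].each { |s| puts "#{s[:time]} #{s[:user]}@#{s[:ip]}: #{s[:reasons].join(', ')}" }
end
```

The expected_users list is the important input: it is what turns a login on an account like Guest, which nobody remembers creating, into a finding rather than noise. Running something like this daily over the auth log is also the only way to keep the evidence when, as happened here, the logs have rolled over by the time anyone looks.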


And again

The Eyes Again.



Wide Eyed

This is one of the best pictures of him recently. Everything just clicked in this one.


Boy, Caught.


