Jan 23

Nifty Things for Week 23 January 2015







Jan 16

Nifty Things for Week 16 January 2015


Open Source

Web Development



  • midonet — Open Source Network virtualization

Machine Learning


Pretty Things



Jan 13

It’s a Trap: Losing Faith in Protex

Continuing the Open Source audit, I discovered something disconcerting about Protex. I was under the impression that a snippet match meant two pieces of code that are identical apart from whitespace. That is not necessarily the case.

Exotic bug eating plant, venus flytrap

Protex indicated that a function from a source file is part of a snippet match for a function in MathML (which is GPL).

The function in the source file differs from the other in a number of instances. The source file has, as an example, this:

whereas MathML has:

There is a good bit more to the snippet, but the two lines above are indicative of the differences between the two files. While the code is functionally equivalent, it is not textually equivalent.

Unfortunately, given security constraints at the company, they would not allow their source code to be loaded into Protex, so there was no easy way to compare the snippets side-by-side (something Protex normally does). I spent a good while looking for other versions of the function before doing a side-by-side comparison by hand. In the process, comparing dates, I found other versions of the function on the net which match the one in the project and predate the MathML entry, and which carry a slightly more permissive license.

Trust, but Verify indeed.

Jan 12

Part of what makes Open Source analysis “interesting”

You unlock this door with the key of imagination. Beyond it is another dimension: a dimension of sound, a dimension of sight, a dimension of mind. You’re moving into a land of both shadow and substance, of things and ideas. You’ve just crossed over into… the Open Source Zone. — Not Rod Serling

Consider a file called jquery.autocomplete.js. One might think that perhaps it’s part of the jquery library… but it’s not.

Black Duck’s Protex reports over 100 projects including this file at a 100% match. Here’s a sampling of the licenses for the first ~100 projects:

  • Apache License 2.0: 11
  • BSD 3-clause: 1
  • Eclipse Public License 1.0: 4
  • Erlang Public License v1.1: 1
  • GNU General Public License 1.0: 1
  • GNU General Public License v2.0 or later: 27
  • GNU Lesser General Public License v3.0: 2
  • General Public License v3.0: 1
  • MIT License: 10
  • Microsoft Reciprocal License: 1
  • Mozilla Public License 1.1: 1
  • Unspecified: 26

The adventure lies in deciding which project originated the code and/or which license to use if the original file can’t be located.

As it turns out, the original version appears to be at http://www.pengoworks.com/workshop/jquery/autocomplete.htm, which is not in Protex. Nor is there a license file associated with it (or a license in the documentation). Additionally, the page warns:

WARNING: This is provided for users who absolutely need access to the original code. The code is very outdated and it’s not recommended to use this code in current applications. The code is not compatible with newer versions of jQuery.
Instead, we recommend checking out one of the many fantastic modern autocomplete libraries, like (…)

The question then becomes which license to choose.

The nice thing about standards is that you have so many to choose from. — Andrew S. Tanenbaum, Computer Networks, 2nd ed., p. 254

Jan 11

Desperately Seeking Open Source Governance

“Developers have the attention spans of slightly moronic woodland creatures.” — Linus Torvalds

I’m auditing code produced by an offshore company to be used as a SaaS product for a corporation. I’m not done, but thus far have discovered such fun things as:

  • Affero GPL 3
  • Unlicensed code — published to GitHub and a website, but with no license attached. This makes it unusable.
  • Cut-and-pasted GPL v3.0 code, without any attribution

Offshoring is not easy; at the least there are language and cultural barriers to overcome, and differences in time zones can greatly impact communication.

I’m not necessarily an advocate of “waterfall” type projects, but in the case of offshored projects the design and definition phase can definitely help in defining standards and the criteria by which project success is determined.

One definite area for criteria would be to govern the use of Open Source within work-for-hire. I “have been and always will be” a proponent of Open Source — in fact any code I write for myself is licensed under the MIT license.

There are obligations which must be met in order to use Open Source code. While the obligations exist for individuals as well as companies, the reputation cost for a company which is sued for violating licenses vastly outweighs the financial impact. Consequently the use of Open Source needs governance.

Governance can be a very involved process but, depending on the size of the organization, need not be.

A Modest Proposal for a Governance Methodology

The vast majority of Open Source uses these licenses (in no particular order):

  • MIT
  • Apache
  • Eclipse
  • GPL
  • LGPL
  • AGPL
  • Artistic License (Perl)

(for more detail see Top 20 Open Source Licenses and/or Pick a License, any License)

Additionally a few use cases cover the vast majority:

  • Internal Tool
  • Library
  • Application delivered to customer
  • Web application code and assets delivered across the net
  • Server side code

A simple matrix of licenses against use cases can be created to determine whether a particular combination is:

  • allowed — code is allowed for this use case; it may not be for another.
  • forbidden — code is forbidden for this particular use case.
  • needs further review — the license is not one of the popular ones, or something else needs clarification before use.

Once approval is obtained, whether automatically via the matrix or after review, the use of the code is documented, preferably with a list of obligations, and stored in the source code repository.

Trust, but Verify

On a regular basis, the source repository is reviewed to ensure that there are no surprises. While code review can be a helpful practice, repetitive tasks such as this are best performed by a computer. There are open source and commercial projects to scan software:

These scans serve two purposes. First, they help prevent surprises. Second, they keep everyone honest. It’s entirely possible that a developer chooses a library with an acceptable license which, unfortunately, includes code from another library released under a license with more stringent obligations. A tool helps to identify these issues.
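The matrix described under “A Modest Proposal” and the transitive-dependency problem just mentioned can be exercised together. The following is an added example, not the post's own tooling and not Protex: it applies a license-by-use-case matrix to a dependency tree, including the dependencies of dependencies, so that a permissively licensed library which pulls in copyleft or unlicensed code is flagged. The verdicts in the matrix, the SPDX identifiers used as keys and the sample dependency tree are all constructed for illustration and are not legal advice.

```python
"""Added example, not the post's own tooling and not Protex: apply a
license-by-use-case policy matrix to a dependency tree, transitive
dependencies included, so that a permissively licensed library which pulls in
copyleft or unlicensed code is flagged. The matrix verdicts and the sample
dependency tree are constructed for illustration; they are not legal advice."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ALLOWED, FORBIDDEN, REVIEW = "allowed", "forbidden", "needs further review"

# The post's five use cases, in short form.
USE_CASES = ("internal tool", "library", "delivered application",
             "web client", "server side")


def row(*verdicts: str) -> Dict[str, str]:
    """One verdict per use case, in USE_CASES order."""
    assert len(verdicts) == len(USE_CASES)
    return dict(zip(USE_CASES, verdicts))


# Illustrative matrix (an assumption, not the post's). Keys are SPDX identifiers.
POLICY: Dict[str, Dict[str, str]] = {
    "MIT":        row(ALLOWED, ALLOWED, ALLOWED, ALLOWED, ALLOWED),
    "Apache-2.0": row(ALLOWED, ALLOWED, ALLOWED, ALLOWED, ALLOWED),
    "EPL-1.0":    row(ALLOWED, REVIEW, REVIEW, REVIEW, ALLOWED),
    "LGPL-2.1":   row(ALLOWED, REVIEW, REVIEW, REVIEW, ALLOWED),
    "GPL-3.0":    row(ALLOWED, FORBIDDEN, FORBIDDEN, FORBIDDEN, ALLOWED),
    "AGPL-3.0":   row(REVIEW, FORBIDDEN, FORBIDDEN, FORBIDDEN, FORBIDDEN),
}


def verdict(license_id: Optional[str], use_case: str) -> str:
    """Apply the matrix. No license at all is unusable (the post's position);
    a license or use case outside the matrix goes to a human for review."""
    if license_id is None:
        return FORBIDDEN
    cell = POLICY.get(license_id, {}).get(use_case)
    return cell if cell is not None else REVIEW


@dataclass
class Dep:
    name: str
    license_id: Optional[str]            # None: published with no license
    deps: List["Dep"] = field(default_factory=list)


@dataclass
class Finding:
    path: str                            # e.g. "app > widget > parser"
    license_id: Optional[str]
    verdict: str


def audit(root: Dep, use_case: str) -> List[Finding]:
    """Walk the tree depth-first and report every dependency that is not
    cleanly allowed, with the path that explains why it is present."""
    findings: List[Finding] = []

    def walk(dep: Dep, path: List[str]) -> None:
        v = verdict(dep.license_id, use_case)
        if v != ALLOWED:
            findings.append(Finding(" > ".join(path), dep.license_id, v))
        for child in dep.deps:
            walk(child, path + [child.name])

    for child in root.deps:              # the root is our own code, not audited
        walk(child, [root.name, child.name])
    return findings


def overall(findings: List[Finding]) -> str:
    """Worst verdict wins: one forbidden dependency blocks the whole build."""
    verdicts = {f.verdict for f in findings}
    if FORBIDDEN in verdicts:
        return FORBIDDEN
    return REVIEW if REVIEW in verdicts else ALLOWED


# Constructed dependency tree resembling the kinds of findings the post lists.
SAMPLE = Dep("saas-app", "Proprietary", deps=[
    Dep("jquery", "MIT"),
    Dep("nice-widget", "Apache-2.0", deps=[
        Dep("fast-parser", "GPL-3.0"),   # copyleft hiding under a permissive library
    ]),
    Dep("autocomplete", None),            # copied from a web page, no license
    Dep("db-driver", "AGPL-3.0"),
    Dep("obscure-lib", "WTFPL"),          # not in the matrix: needs a human
])

if __name__ == "__main__":
    for case in USE_CASES:
        fs = audit(SAMPLE, case)
        print(f"{case}: {overall(fs)}")
        for f in fs:
            print(f"  {f.verdict:<21} {f.license_id!s:<10} {f.path}")
```

The path in each finding is what makes the “hidden GPL under an Apache library” case actionable: the developer who added nice-widget is the one who has to replace or isolate fast-parser. Note that the same tree is forbidden for the web-client use case but only needs review as an internal tool, which is the point of keeping the matrix per use case rather than per license.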

At the end of the day Open Source is here to stay. I believe that this is a good thing. However, there still needs to be some thought given to licensing obligations and how individual Open Source projects are used in an application. This governance needs to extend to work-for-hire produced for a company.

Jan 09

Nifty Things for Week 9 January 2015





Big Data Project From: http://cloudtweaks.com/2012/10/the-lighter-side-of-the-cloud-big-data-project/

Ops & Monitoring





On the basis that innovation is neither neutral, nor an end-in-itself, here are some guidelines:
We cherish the fact that people are innately curious, playful, and creative.
This is one reason technology is not going to go away: it’s too much fun.
But we will think (and do) social and environmental value before ‘tech’
We will place the interest of the commons above the interests of private property.
Our watchword is use, not own, because possession is an old paradigm.
We will deliver value to people — not deliver people to systems.
We will give priority to human agency and will not treat humans as a ‘factor’ in some bigger picture.
We will design services that prioritize the participation of people, not services that disable them.
We will design experiences with you, if asked. We will not presume to design them for you.
We do not believe in ‘idiot-proof’ technology — because we are not idiots, and neither are you.
John Thackara — See more at: http://www.doorsofperception.com/handouts/rules-of-the-road-for-design/




  • StandStand — Preorder a portable standing desk. This looks pretty cool!



Jan 02

How to make Ubuntu Snappy no longer snappy


In wishing to test my Snappy Swarm — scripts to run Docker Swarm under Ubuntu Snappy (work in progress, but almost ready for a release) — I decided to try running the scripts inside a VirtualBox instance spawned by Vagrant. KVM doesn’t work inside VirtualBox, so QEMU was the way to go. I’m modifying the scripts to discover if KVM is available and, if not, to use QEMU.

Long story short, boot using QEMU inside a VirtualBox instance and …


Snappy is no longer snappy!

Jan 02

Nifty Things for Week 2 Jan 2015


  • Taiga — Open Source agile project management. Supports Scrum & Kanban out of the box.
  • Open Daylight — Software defined networking


Life Lessons

And for this year, my wish for each of us is small and very simple.

And it’s this.

I hope that in this year to come, you make mistakes.

Because if you are making mistakes, then you are making new things, trying new things, learning, living, pushing yourself, changing yourself, changing your world. You’re doing things you’ve never done before, and more importantly, you’re Doing Something.

So that’s my wish for you, and all of us, and my wish for myself. Make New Mistakes. Make glorious, amazing mistakes. Make mistakes nobody’s ever made before. Don’t freeze, don’t stop, don’t worry that it isn’t good enough, or it isn’t perfect, whatever it is: art, or love, or work or family or life.

Whatever it is you’re scared of doing, Do it.

Make your mistakes, next year and forever.

Neil Gaiman



Paradigms & Methodologies


What DevOps does is bring the social more in balance with the technical than it has been in the past. — Kevin Behr, author and Chief Science Officer, Praxis Flow


Dec 26

Advent Calendars for 2014

It’s a bit late, perhaps, but here’s a list of some of the advent calendars for 2014.

A huge list of Advent Calendars can be found at Qiita.

A “Planet” aggregator for Advent Calendars is hosted by Len Jaffe.

Dec 26

Nifty Things for Week of 26 December

Arts and Crafts

Fun Stuff





Memoization is useful for concurrency as well as Resource Oriented Computing. Rather than recalculating an immutable value each time it is needed, the value is calculated once and cached.
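The concurrency half of that sentence has a catch: a plain dictionary cache lets two threads that miss on the same key both run the computation, so "calculated once" only holds if the cache itself is synchronised. The following is an added example (not from the post or the linked material) of a memoizing decorator with a per-key lock; the expensive function and the thread stress test are constructed for illustration.

```python
"""Added example, not from the post: memoization that stays correct under
concurrency. A bare dict cache lets two threads that miss on the same key both
run the computation; the per-key lock below makes each value computed once and
shared. The sample function and the thread stress test are constructed."""
import threading
import time
from collections.abc import Hashable
from functools import wraps
from typing import Any, Callable, Dict, Set, Tuple


def memoize(fn: Callable[..., Any]) -> Callable[..., Any]:
    """Cache fn's results by positional arguments, computing each key once even
    when several threads ask for it at the same moment."""
    cache: Dict[Tuple[Hashable, ...], Any] = {}
    key_locks: Dict[Tuple[Hashable, ...], threading.Lock] = {}
    table_lock = threading.Lock()          # guards cache and key_locks
    stats = {"computed": 0}                # how often fn really ran

    @wraps(fn)
    def wrapper(*args: Hashable) -> Any:
        key = args
        with table_lock:
            if key in cache:
                return cache[key]
            lock = key_locks.setdefault(key, threading.Lock())
        with lock:                         # one computation per key in flight
            with table_lock:               # re-check after waiting on the lock
                if key in cache:
                    return cache[key]
            value = fn(*args)              # outside table_lock: other keys proceed
            with table_lock:
                cache[key] = value
                stats["computed"] += 1
                key_locks.pop(key, None)   # later waiters re-check and hit
        return value

    wrapper.stats = stats
    return wrapper


@memoize
def slow_square(n: int) -> int:
    """Stand-in for an expensive, pure computation with an immutable result."""
    time.sleep(0.05)
    return n * n


def stress(n_threads: int = 8, arg: int = 12) -> Tuple[int, Set[int]]:
    """Hit the same key from many threads at once; return how many times the
    real computation ran and the set of results the callers observed."""
    results: list = []
    threads = [threading.Thread(target=lambda: results.append(slow_square(arg)))
               for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return slow_square.stats["computed"], set(results)


if __name__ == "__main__":
    print(stress())   # (1, {144})
```

The second cache check inside the per-key lock is the part that is easy to forget: a thread that waited on the lock must not recompute after the first thread has already stored the value. Dropping the key's lock once the value is cached keeps the lock table from growing with every distinct argument.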

Development and Philosophy

