Jan 23
Jan 16
Jan 13
Continuing the Open Source audit, I discovered something disconcerting about Protex. I was under the impression that a snippet match would be two pieces of code which match disregarding whitespace. However, this is not necessarily the case.
Protex indicated that a function from a source file is part of a snippet match for a function in MathML (which is GPL).
The function in the source file differs from the other in a number of instances. The source file has, as an example, this:
|
1 2 |
output.append("&#" + code + ";"); |
whereas MathML has:
|
1 2 |
output.append("&#").append(code).append(";"); |
There is a good bit more to the snippet, but the two lines above are indicative of the differences between the two files. While the code is functionally equivalent, it is not textually equivalent.
Unfortunately, given security constraints at the company, they would not allow their source code to be loaded into Protex, so there was no easy way to compare the snippets side-by-side (which is something which Protex normally does). I spent a good while looking for other versions of the function before I did a side-by-side comparison. In so doing and comparing dates, I found other versions of the function on the net which match the one in the project and predate the entry for MathML. Not to mention having a slightly more permissive license.
Trust, but Verify indeed.
Jan 12
You unlock this door with the key of imagination. Beyond it is another dimension: a dimension of sound, a dimension of sight, a dimension of mind. You’re moving into a land of both shadow and substance, of things and ideas. You’ve just crossed over into… the Open Source Zone. — Not Rod Serling
Consider a file called jquery.autocomplete.js. One might think that perhaps it’s part of the jquery library… but it’s not.
BlackDuck’s Protex reports over 100 projects including this file at a 100% match. Here’s a sampling of the licenses for the first ~100 projects:
The adventure lies in deciding which project originated the code and/or which license to use if the original file can’t be located.
As it turns out…. the original version appears to be at http://www.pengoworks.com/workshop/jquery/autocomplete.htm which is not in Protex. Nor is there a license file associated with it (or a license in the documentation). Additionally, the page warns:
WARNING: This is provided for users who absolutely need access to the original code. The code is very outdated and it’s not recommended to use this code in current applications. The code is not compatible with newer versions of jQuery.
Instead, we recommend checking out one of the many fantastic modern autocomplete libraries, like (…)
The question then becomes which license to choose.
The nice thing about standards is that you have so many to choose from. — Andrew S. Tanenbaum, Computer Networks, 2nd ed., p. 254
Jan 11
“Developers have the attention spans of slightly moronic woodland creatures.” — Linus Torvalds
I’m auditing code produced by an offshore company to be used as a SaaS product for a corporation. I’m not done, but thus far have discovered such fun things as:
Offshoring is not easy; at the least there are communication issues due to language and cultural barriers to overcome. Moreover difference in timezones can greatly impact communication.
I’m not necessarily an advocate of “waterfall” type projects, but in the case of offshored projects the design and definition phase can definitely assist in defining of standards and criteria by which project success is determined.
One definite area for criteria would be to govern the use of Open Source within work-for-hire. I “have been and always will be” a proponent of Open Source — in fact any code I write for myself is licensed under the MIT license.
There are obligations which must be met in order to use Open Source code. While the obligations exist for individuals as well as companies, the reputation cost for a company which is sued for violating licenses vastly outweighs the financial impact. Consequently the use of Open Source needs governance.
Governance can be a very involved process, but depending on the size of the organization, need not necessarily be.
The vast majority of Open Source uses these licenses (in no particular order):
(for more detail see Top 20 Open Source Licenses] and/or Pick a License, any License)
Additionally a few use cases cover the vast majority:
A simple matrix can be created of the licenses and their uses to determine if a particular combination is:
Once approval is obtained, whether automatically via the matrix or after review, the use of the code is documented, preferably with a list of obligations, and stored in the source code repository.
On a regular basis, the source repository is reviewed to ensure that there are no surprises. While on one level code review can be a helpful practice, repetative tasks such as this are best performed by a computer. There are open source and commercial projects to scan software:
These scans serve two purposes. First, they help prevent surprises. Second, they keep everyone honest. It’s entirely possible that a developer chooses to use a library which is licensed with an appropriate license but unfortunately the library includes code from another library which is released under a license which has more stringent obligations. A tool helps to identify these issues.
At the end of the day Open Source is here to stay. I believe that this is a good thing. However, there still needs to be some thought given to licensing obligations and how individual Open Source projects are used in an application. This governance needs to extend to work-for-hire produced for a company.
Jan 09
From: http://cloudtweaks.com/2012/10/the-lighter-side-of-the-cloud-big-data-project/
On the basis that innovation is neither neutral, nor an end-in-itself, here are some guidelines:
We cherish the fact that people are innately curious, playful, and creative.
This is one reason technology is not going to go away: it’s too much fun.
But we will think (and do) social and environmental value before ‘tech’
We will place the interest of the commons above the interests of private property.
Our watchword is use, not own, because possession is an old paradigm.
We will deliver value to people — not deliver people to systems.
We will give priority to human agency and will not treat humans as a ‘factor’ in some bigger picture.
We will design services that prioritize the participation of people, not services that disable them.
We will design experiences with you, if asked. We will not presume to design them for you.
We do not believe in ‘idiot-proof’ technology — because we are not idiots, and neither are you.
John Thackara — See more at: http://www.doorsofperception.com/handouts/rules-of-the-road-for-design/
Jan 02
In wishing to test my Snappy Swarm — scripts to run Docker Swarm under Ubuntu Snappy (work in progress, but almost ready for a release) — I decided to try running the scripts inside a Virtualbox instance spawned by Vagrant. kvm doesn’t work inside virtualbox, so qemu was the way to go. I’m modifying the scripts to discover if kvm is available and if not to use qemu.
Long story short, boot using qemu inside a virtualbox instance and ….
Voila!
Jan 02
And for this year, my wish for each of us is small and very simple.
And it’s this.
I hope that in this year to come, you make mistakes.
Because if you are making mistakes, then you are making new things, trying new things, learning, living, pushing yourself, changing yourself, changing your world. You’re doing things you’ve never done before, and more importantly, you’re Doing Something.
So that’s my wish for you, and all of us, and my wish for myself. Make New Mistakes. Make glorious, amazing mistakes. Make mistakes nobody’s ever made before. Don’t freeze, don’t stop, don’t worry that it isn’t good enough, or it isn’t perfect, whatever it is: art, or love, or work or family or life.
Whatever it is you’re scared of doing, Do it.
Make your mistakes, next year and forever.
What DevOps does is bring the social more in balance with the technical than it has been in the past. — Kevin Behr, author and Chief Science Officer, Praxis Flow
Dec 26
It’s a bit late, perhaps, but here’s a list of some of the advent calendars for 2014.
A huge list of Advent Calendars can be found at Qiita.
A “Planet” aggregator for Advent Calendars is hosted by Len Jaffe.
Dec 26
Memoization is useful for concurrency as well as Resource Oriented Computing. Rather than calculate an immutable each time it’s needed, the value is calculated once and cached.
© 2008-2016 by Matthew K. Williams
Ramblings by Matt Williams is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Based on a work at http://matthewkwilliams.com.
Powered by WordPress and the Graphene Theme.