RealTime IT News

Blog Archives

Windows 8 and the Linux Desktop Windfall

By Sean Michael Kerner   |    March 28, 2012


From the 'Year of the Linux Desktop' files:

Microsoft's Windows 8 is nearing completion and with it comes the new Metro interface. It's an interface that could translate into a big win for the Linux desktop. Windows 8 is a dramatic shift from the previous generation of Windows and that will no doubt upset and confuse lots of users.

With Windows 8 reaching general availability status soon, it will also mean that Windows XP is finally on its last legs.

So let's recap: a new interface that many people won't like, and an old operating system that needs to be replaced.

When there is such a dilemma, it's an opportunity for other vendors as users have to make a choice. The easy choice is to stay with the tried and true, but since Metro is new, that's not the easy choice, is it? Users of aging Windows XP hardware also won't want to move.

Linux can be an excellent choice for both sets of users.

Linux can and does run well on lots of old hardware, including boxes that won't support Windows 8. Linux can give those users a path forward without the need to buy expensive (and perhaps unneeded) new hardware. Even though Microsoft may not want to support users running older hardware, there are plenty of Linux distributions that will.

For newer hardware, there are multiple types of Linux desktops out there that provide a very attractive non-Metro approach. Sure, the Ubuntu Unity interface is also a distraction for lots of people, but GNOME 3.4 (out today) is pure awesome and Cinnamon provides a more traditional desktop interface that many people (myself included) find very practical.

The problem with this whole situation is right now, no Linux vendor is really pushing hard to be the Windows 8 migration choice on the desktop. What I suspect will drive the bulk of migrations are regular people like you and me. We have a friend/relative/etc stuck on old hardware or that doesn't want Metro and we know a better (free) alternative.

Windows 8 is a great opportunity for Linux lovers everywhere to let their neighbors know there is another desktop choice (and it's not Apple).

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.

Linux Powers Red Hat Over $1 Billion - Why Open Source Matters

By Sean Michael Kerner   |    March 28, 2012


From the 'Open Source $$' files:

Today Red Hat will officially become the first pure play Open Source and Linux vendor to top $1 Billion in revenues.

WOW.

We've known this day was coming for a while; Red Hat has continued to thrive despite the economic downturn. In fact, the economic downturn has had a positive effect for Red Hat as enterprises around the world turn away from proprietary solutions and choose open source.

Red Hat's first $Billion is a major milestone for Red Hat. It's also a major milestone for the Open Source and Linux industries.

While there are lots of companies that profit from Open Source, Red Hat has stood (almost) alone in its stance of making all of its software Open Source (eventually). Open Source isn't just a marketing slogan or some kind of Open Core trick for Red Hat, it's at the core of everything they do and it's at the core of their $1 Billion in revenues this year.

Open Source delivers better software, but that's not the whole story when it comes to Red Hat, is it?

Over all the years that I've followed Red Hat, from their founder Bob Young, to former CEO Matt Szulik to current CEO Jim Whitehurst, the message that has remained the same is that Red Hat isn't just about the bits.

In the proprietary world, software vendors make their money from the bits, Red Hat doesn't. Red Hat's model is all about support and adding value to the bits with services. It's a model that 10 years ago seemed odd to some, but Red Hat has proven them wrong haven't they?


At various points in time, Microsoft, Sun/Oracle and even other Linux vendors have attacked Red Hat and tried to steal or erode their share. To date, those efforts have had little success on Red Hat's bottom line.

Red Hat's success is not an example that all open source companies can or will follow. There seems to be a never-ending conga line of companies lately that embrace the open core model, where bits are sold. It's an easier model for some that just can't build the same momentum and support model that Red Hat has built.

Other Linux vendors, like SUSE or Canonical for example, can and will make money too, but neither of them approaches Red Hat's level of success today. Only time will tell if they ever do. In the meantime, open source companies everywhere will likely now point to Red Hat (as they long have) as the standard bearer for what it means to be an Open Source company that can stay true to its values and also deliver value to investors.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.

Mozilla BrowserQuest The Future of Open Source HTML5 Gaming?

By Sean Michael Kerner   |    March 27, 2012


From the 'I Can Haz GameZ?' files:

Mozilla believes that the Web is the platform for apps, and not just business productivity apps, but gaming apps as well. To prove their point, the open source foundation now has a full HTML5 browser game out called BrowserQuest.

It leverages WebSockets and Canvas to enable an MMOG.

The WebSockets bit is particularly innovative as a way to enable multiple players in the game.

"When you start to play, your browser opens up a WebSocket connection to one of several load-balanced game servers," Mozilla Developer Paul Rouget wrote. "Each server hosts multiple world instances and handles the player synchronization and game logic within all instances. Because the server code is running on Node.js, both the server and client codebases share a small portion of the same JavaScript source code."

While the game itself is now live as a demo, that's not the real magic either. The real magic is that the code for the game is all open source and available now on Github.

The idea of using HTML5 as the basis for building games isn't new or unique to Mozilla. I've played around a bit with Scirra's Construct, which is a full HTML5 building tool (unfortunately, the new version isn't open source anymore).

The BrowserQuest code also is not a game development environment either, rather it's the source code for the actual game – meaning you can modify it, but it's not an engine that you're going to want to use to build 'any' HTML5 game that you want.

That said, thanks to the power and brilliance of Github, I've just forked BrowserQuest and expect to have hours of fun this week attempting to modify this game. My first idea is to create an episode called BrowserQuest: The Quest for Standards where players will fight evil demons from the land of 'G' and they'll also have to defeat the big blue 'E'.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.

Are You Using Insecure Open Source Components?

By Sean Michael Kerner   |    March 26, 2012


From the 'Is it FUD?' files:

I'm always suspicious when I see press releases and studies that claim that somehow open source software is less secure than other forms of software. That's why I was particularly suspicious of a new study out today sponsored by Apache Maven sponsor Sonatype, claiming that there is widespread use of insecure open source components.

According to the study:

There were more than 46 million downloads of insecure versions of the 31 most popular open-source security libraries and web frameworks. Google Web Toolkit (GWT) was downloaded 17.7 million times with known vulnerabilities. Other popular vulnerable libraries downloaded included Xerces, Spring MVC, and Struts 1.x.

Yeaah, I know I just shook my head too. Reality of course is that any open source release can have vulnerabilities in a legacy version. The 'magic' is that many (if not most) open source projects patch rapidly. That's ultimately why open source is more secure.

Sonatype knows this too and the report notes that:

Community scrutiny drives flaw discovery: Open-source security libraries are roughly 20 percent more likely to have reported security vulnerabilities than other types of components.

So where is the gap? According to them it's an update issue.

Uh huh.

In my experience on a Linux server or desktop, when my upstream distro has an update for a component, the update system (yum, apt, etc.) gets the update. There isn't much of a problem. The Linux repository system ensures that if you subscribe to a repo and that repo is updated, then you've got the latest stuff.

It's not clear to me whether or not the Sonatype study is just looking at Windows boxen and/or if the issue applies in their estimation to Linux too (so hey, if you work for Sonatype, please respond to me and let me know).

No question there are vulnerable open source components, but no question they get updated by their upstream projects as fast (if not faster) than any other form of software. The only question that needs to be answered is: are you up to date?
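The question "are you up to date?" is one a build can answer for itself. Below is an added example, not code from the Sonatype study or from this post, that reads a dependency list in the Maven "groupId:artifactId:version" form the post alludes to and compares each pinned version against an advisory feed that names the first fixed version. Both the dependency list and the advisory entries are constructed placeholders (the artifact names and ADVISORY-PLACEHOLDER ids are invented for the example; a real run would load a vendor or distro feed). It also handles the edge cases a naive string comparison gets wrong: 2.4 equals 2.4.0, 1.3.10 is newer than 1.3.9, and a release candidate sorts before the final release it precedes.

```python
import re

# Constructed advisory feed for this example. Artifact names, ids and version
# boundaries are placeholders, not real advisories. "affected_below" is the first
# version that carries the fix; anything older is flagged.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "artifact": "org.example:web-toolkit", "affected_below": "2.4.0"},
    {"id": "ADVISORY-PLACEHOLDER-2", "artifact": "org.example:xml-parser", "affected_below": "2.11.0"},
    {"id": "ADVISORY-PLACEHOLDER-3", "artifact": "org.example:legacy-mvc", "affected_below": "1.3.11"},
]

# Constructed dependency list in Maven "groupId:artifactId:version" form.
DEPENDENCIES = """\
# resolved dependencies (constructed sample)
org.example:web-toolkit:2.3.0
org.example:xml-parser:2.11.0
org.example:legacy-mvc:1.3.10
org.example:legacy-mvc:1.3.11-rc1
org.example:unrelated-lib:5.0.1
"""

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+\d*))?")


def version_key(version):
    """Comparable key: numeric components (zero-padded so 2.4 == 2.4.0) followed by a
    pre-release marker, so '1.3.11-rc1' sorts before '1.3.11'."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (6 - len(nums))
    pre = m.group(2)
    # final releases get marker 1 so they sort after any pre-release with the same numbers
    return (tuple(nums), 0 if pre else 1, (pre or "").lower())


def parse_dependencies(text):
    """Yield (groupId:artifactId, version) pairs, skipping blanks and '#' comments."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, artifact, version = line.split(":", 2)
        deps.append((f"{group}:{artifact}", version))
    return deps


def find_outdated(dep_text, advisories=ADVISORIES):
    """Return (artifact, installed, advisory id, fixed version) for every dependency
    that is older than the version the advisory says is fixed."""
    findings = []
    for coord, installed in parse_dependencies(dep_text):
        for adv in advisories:
            if adv["artifact"] == coord and version_key(installed) < version_key(adv["affected_below"]):
                findings.append((coord, installed, adv["id"], adv["affected_below"]))
    return findings


if __name__ == "__main__":
    for coord, installed, adv_id, fixed in find_outdated(DEPENDENCIES):
        print(f"{coord} {installed}: {adv_id}, update to {fixed} or later")
```

Real advisories usually describe affected ranges rather than a single "fixed from" boundary, and a distro repository may backport a fix without bumping the upstream version, so the cutoff comparison here is deliberately the simplest form of the check; the part worth keeping is that the comparison is done on parsed versions, not on strings.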

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.

GCC 4.7 Compiles Open Source History

By Sean Michael Kerner   |    March 23, 2012


From the 'Only Compiler That Matters' files:

In the pantheon of Free Software, one program stands at the base of (nearly) all others: GCC. First released all the way back in 1987 by Richard Stallman, it has been the compiler of choice for the last 25 years.

"When Richard Stallman announced the first public release of GCC in 1987, few could have imagined the broad impact that it has had," SUSE Linux developer Richard Guenther wrote in the mailing list announcement for GCC 4.7. "It has prototyped many language features that later were adopted as part of their respective standards -- everything from the 'long long' type to transactional memory."

This week, GCC 4.7 came out, marking the latest installment of the world's most popular compiler (open or otherwise). At a high level, the big new feature that stands out for me is the improved support for the new ISO C++11 standard: the C++ compiler now supports a bigger subset of it. There is also support for software transactional memory on selected architectures.

There are also improvements to the link-time optimization (LTO) framework.

The GCC 4.7 release comes about a year after GCC 4.6, which added some general optimization features that no doubt have helped to speed up any software it has been used to compile in the last year. The GCC 4.x branch itself first debuted back in 2005, which also introduced general optimization capabilities.

What continues to amaze me with GCC is that every year, with unbreakable cadence, GCC continues to find new ways to improve. That's not an easy thing to do year-after-year. Sure there are also things such as support for new hardware and languages, but it is the unwavering focus on optimization that has been the hallmark of the GCC 4.x branch in particular that will continue to make this project extremely relevant for many years to come.


Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.

Git PHP. RIP Subversion

By Sean Michael Kerner   |    March 23, 2012


From the 'We all Git It' files:

In the early days of open source development many devs used CVS. Then lots of people migrated to the next gen of CVS with SVN (Subversion), and now the third wave is the move to Git.

The PHP open source project this week joined the growing ranks of projects big and small that use Git. By moving to Git, I fully expect that PHP development will accelerate. The gap between recent PHP releases hasn't been great: PHP 5.4 came out at the beginning of March, over two years after PHP 5.3.

Git provides better distributed development capabilities with its unparalleled clone/fork features. With PHP on Git, I think we can expect to see more activity than we've seen in years.

"You can clone or fork the source from our GitHub mirror, and we also now support pull requests made via GitHub. The source is also available via git.php.net, and full instructions on cloning the php-src tree can be found at php.net/git."

The move to Git for PHP is another nail in the coffin of Subversion when it comes to open source projects. Git is the de facto standard now and that's not going to change anytime soon.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.

What Follows a Fedora Linux Miracle?

By Sean Michael Kerner   |    March 21, 2012

From the 'Miracle Continues' files:

Though we're still a few months away from the May release date for Fedora 17 - aka 'The Beefy Miracle' - the Fedora community is now turning its attention to naming Fedora 18.

The Fedora naming process is like no other. Community members suggest and vote on names, there is no benevolent dictator that chooses these names. The only catch is that the name needs to somehow/somewhat be related to the previous release name.

"I know that it may be hard to *top* Beefy Miracle (ahahahaha, get it? As in toppings!) but I do have every bit of faith that many of you have already thought of name suggestions that may or may not be more mature, or more neutral with regards to dietary restrictions. :)" Fedora Project Leader Robyn Bergeron wrote.

So far there are a few interesting names on the table (listed on the naming wiki). Among my favorites are:

  • Mannah (Beefy Miracle is a miracle food and so is Mannah)
  • Wonderful Coffee (wonderful is one possible translation of miraculous, both BEEF and C0FFEE can be written in hex)
  • Dingo (Beefy miracle is a hot dog and so is a Dingo)


The community has until March 27th at 23:59:59 UTC to submit names. Voting runs from April 6th to April 12th and the winner will be announced April 13th.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.

Ubuntu Linux and Canonical Moving Forward, Two Years After Leadership Change

By Sean Michael Kerner   |    March 19, 2012


From the 'Leadership Changes that Work' files:

Two years ago, in March of 2010, Mark Shuttleworth stepped down as CEO of Ubuntu Linux vendor Canonical. Shuttleworth moved aside to deal with the strategic technical issues of the project and his Chief Operating Officer, Jane Silber, stepped up to become the CEO.

It's a move that today in 2012 is still working out well for Ubuntu and Canonical. I recently got the chance to chat with Silber and she told me point blank that there is no way she is going back to her former position at Canonical; she loves her job as CEO too much.

"It's really good and challenging for sure, but it's also such an exciting time for Canonical and Ubuntu right now, from our increased product development activities to work that is going on in the cloud, it's just an incredible time and I'm loving it," Silber said.

And what about Mark Shuttleworth?

Though Shuttleworth isn't the CEO, Silber said that he's absolutely engaged in what they're doing.

"He leads strategy now so the things that we're seeing with Ubuntu TV and converged devices are really evidence of the successful working relationship that he and I have," Silber said.

Long story short, it means that Shuttleworth is doing what he wants to do, namely drive strategy and technology innovation, and Silber is running the business. It's a business that is on the cusp of its biggest release ever with Ubuntu 12.04 coming in a few short weeks.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.

Mozilla Firefox Gives in on Web Video Patents

By Sean Michael Kerner   |    March 19, 2012


From the 'Open Web Video' files:

Mozilla's initial attempt to help enable an open web without the patent-encumbered H.264 video codecs has failed. In my opinion, this is a sad day for the open web and a terrible precedent for Mozilla to set.

Mozilla had tried to get around using H.264 by using and supporting open web video formats. The problem is that content providers haven't embraced the same model and more importantly, Google hasn't either (even though they champion WebM, H.264 still runs on Android).

According to Mozilla CTO Brendan Eich, H.264 is absolutely required right now to compete on mobile.

"I do not believe that we can reject H.264 content in Firefox on Android or in B2G and survive the shift to mobile," Eich wrote. "Losing a battle is a bitter experience. I won't sugar-coat this pill. But we must swallow it if we are to succeed in our mobile initiatives. Failure on mobile is too likely to consign Mozilla to decline and irrelevance."

What this means is that big content and tech vendors, notably Google, Microsoft and Apple, are the ones still calling the shots in mobile. Though Mozilla has hundreds of millions of desktop users, it's still not enough (yet) to effect the open web video change they wanted. Unlike Apple, which was able to successfully exclude Flash from iOS, Mozilla is unwilling to take the same risk with H.264.

Though Mozilla is giving in now on H.264, that doesn't mean they have given up.

"Our first approach at bringing open codecs to the Web has ended up at an impasse on mobile, but we're not done yet," Mozilla chief Mitchell Baker blogged. "We shouldn't beat ourselves up for somehow failing to live up to Mozilla's values. We'll find a way around this impasse."

The ultimate answer of course is likely to come only through scale. Mozilla will need to become successful enough on mobile that they can set the terms of engagement (much as Apple has). That said, it is reassuring that Mozilla's top people aren't happy with the H.264 situation and that there is a desire and commitment to make things better.

If there is one thing that the open source model does well, it's that it enables developers to scratch 'the itch' and H.264 sure is 'itchy' isn't it?

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.

LibreOffice 3.5.1 Continues Open Source Office Cadence

By Sean Michael Kerner   |    March 15, 2012


From the 'More Stable Goodness' files:

The Document Foundation is out now with yet another LibreOffice release. This time it's the 3.5.1 release, which follows the 3.5.0 release by a month.

This is mostly a bug and stability fix, but it's an important one, for a lot of reasons. For people that spend the bulk of their day using LibreOffice, stability is critical. It's something that Sun/Oracle never put as much emphasis on as The Document Foundation has.

Simply put, the regular update release cadence of LibreOffice provides the highest quality open source office suite ever created.

For 3.5.1 there are all kinds of little fixes that matter, like a simple PDF export bug that likely should have landed for the 3.5.0 release, or a crash that occurred with empty data input in charts. And my personal favorite, Bug #38745, also known as the fix for 'hilariously stupid stack guards'.

Yeah, it's a lot of little things, but it's the 'fit and finish' that makes the difference between a program that's nice to use every so often and one that you rely on, day in and day out.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.

Has Ubuntu Linux been Certified on Intel Xeon E5?

By Sean Michael Kerner   |    March 15, 2012

From the 'E5 Inside' files:

Intel launched its next generation Xeon E5 processor family last week, promising better raw compute performance and a new Data Direct I/O system. I wondered last week how Linux vendors would be leveraging the E5, since Linux plays such a huge role in the server space.

In my initial inquiries, I heard back from HP and Dell and both those vendors mentioned they had certified their servers for E5 with Red Hat and SUSE. No mention of Ubuntu. So I checked in with Canonical/Ubuntu to see if in fact they are supporting E5 for the upcoming 12.04 Ubuntu Linux release.

The short answer: Absolutely.

"We have had over five years of technical collaboration with Intel across US, China, India and Europe, and that is now happening on a larger scale than ever before," Chris Kenyon, VP Sales & Business Development at Canonical told me. "This great working relationship means that we collaborate on specific features for each chipset ensuring that they are integrated into Ubuntu in time for product launch."

Kenyon added that Canonical has integrated platform-specific features and has ensured they're functional within the 12.04 release. Those features include: updated VT-d extensions and large page support, enhancements to KVM adding additional support for APIC register virtualization and virtual-interrupt support, LTR support (latency tolerance reporting), IDO (identification based ordering), and many more.

The E5 is a big deal in the server world as the first big release since the Nehalem/Westmere series. Linux is well positioned with multiple vendors to support the E5. For Canonical the stakes are especially high as they will likely be the first enterprise Linux vendor to have a brand new distribution release with 12.04. Red Hat and SUSE are supporting the E5 on existing RHEL 6.x and SLES 11 platforms.

It will be interesting to see, when Ubuntu 12.04 is live, how many tier-1 hardware vendors Canonical is able to sign up and officially claim as certified platforms.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.

Is the OpenStack Foundation All about Big Money?

By Sean Michael Kerner   |    March 14, 2012


From the 'Apache Way' files:

The OpenStack foundation is gearing up and figuring out how to organize itself. Part of the discussion involves money and membership class fees.

It's a topic that is never an easy one with open source software and always draws critics. With the OpenStack Foundation, the plan is to have a super-member class that will cost $2.5 million.

Yeaah, I did a double take too. Reminds me of the old OSDL days when they charged anyone that wanted to be associated with Linux $1 million.

With OpenStack there is at least one vocal opponent of the super-member plan - OpenStack co-founder Joshua McKenty.

"If we have a simple pay-to-play model, then we can trust market economics and enforce transparency of spending," McKenty wrote. "If we have a simple 'meritocracy', then we can expect the most skilled and dedicated to rise to the top, provided we're extremely careful about how we measure skill and dedication. If we blend the two, I'm deeply concerned that we'll see the worst of both systems play out over time: the selfishness of market-driven economics dominating our decisions with the petulant moralism of the meritocracy."

An interesting argument, and McKenty knows a lot more about OpenStack than I do. That said, I think that McKenty is wrong.

You need to look no farther than the Apache Software Foundation to see how this dual system of money and meritocracy can work. The Apache Software Foundation takes big money from vendors like Microsoft, who wield little influence on development. Development is managed by The Apache Way of meritocracy and it works. The Eclipse Foundation has a similar model that has also worked well.

So yes, you can have big money and a meritocracy for developers too.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.

The Longterm Linux Kernel Cabal

By Sean Michael Kerner   |    March 09, 2012

From the 'No Conspiracy Here?' files:

How do Linux kernel devs figure out which kernel will be the basis for their enterprise distros?

The Linux kernel community is made up of lots of different developers working at different companies. But as it turns out, those companies don't really control their own kernel roadmaps as much as they might think.

Linux Kernel (Jolly Good) Fellow, Greg Kroah-Hartman has publicly exposed a 'cabal' that has set the tone for the last set of major enterprise Linux releases across all major vendors.

Kernel devs are a tight community and work together at conferences, on IRC and on mailing lists - something that we already knew. What I personally did not know was how those interactions combined to set broader policies.

Kroah-Hartman and his 'cabal' of developers devised such a 'conspiracy' for the 2.6.32 kernel, which at the time became the base for every major enterprise distro. 

"We all agreed, informally, to push for a specific kernel release within our communities/companies that I would then maintain in the kernel.org community in the same way I had done for the 2.6.16 kernel release," Kroah-Hartman wrote in a blog post. "We all drifted back to our companies, and planted the seeds that maybe something like the 2.6.32 kernel would be a nice one to do our product on. This planting worked so well, I had to refrain from fits of laughter in one meeting where a project manager got up and said, 'We decided that the 2.6.32 kernel would be the best for our product, what does engineering think about this?'"


That's funny.

Product managers really don't control Linux do they? It is the kernel developers and always has been, no matter what corporate management may want or think. The collective open development nature of the kernel is what makes it the thriving success story that empowers so many of us to live, work and play.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.

Mozilla Doesn't Want Pepper for Linux Flash

By Sean Michael Kerner   |    March 08, 2012

From the 'Google Standards Aren't Real Standards' files:

A couple of weeks ago, Adobe announced that it was abandoning Flash on Linux to Google. The idea being that Chrome integrates Flash and Google can be the place where Linux users go for Flash.

But what about Firefox? Why can't Firefox on Linux also get the same benefit?

As it turns out, that's a bug that Mozilla WONTFIX.

"Pepper is a non-standard API *and codebase* implemented by open source at chromium.org," Mozilla CTO, Brendan Eich wrote in a mailing list posting. "It's not a specified API other browsers can implement, and I know of no plans by any other browser (even Safari) to attempt to support it."

Eich added that Mozilla's position is to avoid proprietary large APIs and instead improve the standardized Web APIs. Going a step further, in Eich's view, the Linux Pepper-integrated Flash for Chrome is from Google and for Chrome only.

Yup, that means that Google has implemented its own features - even though they're open source - that no other browser will use. That's right, open source isn't always as 'open' as the name might imply, and there is more to being open than just having open source code.


Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.

Mozilla Firefox 13 Set to Improve Security with ASLR

By Sean Michael Kerner   |    March 06, 2012

From the 'Random is Good' files:

Add-ons have long been the weakest link in the chain of Firefox security. In Firefox 13, Mozilla is set to close the gap a little by forcing add-ons to do something they should have been doing all along:

Implement ASLR (Address Space Layout Randomization).

ASLR is an important (and common) way to help prevent memory attacks, which more often than not are used as the basis for many modern attack vectors. If memory is always laid out at the same addresses (as opposed to being randomized), it's easy to target use-after-free type attacks.

As of Firefox 13, ASLR will be mandatory for add-on developers to include. As such, Firefox 13 will not load any XPCOM component DLLs that aren't running with ASLR.

Why that's important to note is that implementing the ASLR gate will likely break a pile of add-ons that aren't implementing ASLR today. Firefox 13 is currently set for release on April 24th 2012.

That change will also mean that add-ons built for Firefox 13 will NOT all necessarily work on the Firefox ESR Enterprise release. Firefox ESR is based on Firefox 10 which does not have the ASLR requirement for add-ons. It will likely take until 2013, when the next major release of Firefox ESR is out until the ASLR requirement comes to enterprise users.

Yes, I think this will lead to some confusion, but not much. It means that add-on devs that only care about the enterprise have time (as they can just focus on the non-ASLR version). If they care about all Firefox users, they can build to the new specs, but that doesn't necessarily mean two versions of the same add-on, as the ASLR requirement *might* not always break backwards compatibility.
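For an add-on developer wondering whether a component DLL would pass the gate described above, the relevant bits live in the DLL's PE headers: on Windows a module opts into ASLR through the linker's /DYNAMICBASE option, which sets the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag in the optional header, and the loader can only honour that flag if the image still carries relocation data (an image with IMAGE_FILE_RELOCS_STRIPPED set cannot be rebased, so it stays a fixed target even when the flag is present). The following is an added example, not Mozilla's code and not a description of how Firefox 13 itself performs the check (the post does not say), that reads those two header fields from an image. The `build_minimal_pe` helper constructs a header-only test image so the example runs without a real DLL; `check_file` applies the same check to a file on disk.

```python
import struct

# PE header bits relevant to ASLR (values from the PE/COFF specification).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # set by the /DYNAMICBASE linker option
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # no .reloc data: the image cannot be rebased
IMAGE_FILE_DLL = 0x2000                          # image is a DLL


def pe_aslr_status(image: bytes) -> dict:
    """Read the DOS, COFF and optional headers of a PE image and report its ASLR posture.

    ASLR is only effective when DYNAMIC_BASE is set AND relocations were kept; a DLL
    linked with /DYNAMICBASE whose relocations were stripped still loads at a fixed base.
    """
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)      # offset of the PE signature
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (file_characteristics,) = struct.unpack_from("<H", image, coff + 18)
    optional = coff + 20                                     # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", image, optional)
    if magic not in (0x10B, 0x20B):                          # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional headers.
    (dll_characteristics,) = struct.unpack_from("<H", image, optional + 70)

    dynamic_base = bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def build_minimal_pe(dll_characteristics: int, file_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed test image: DOS header, PE signature, COFF header and a zeroed optional
    header with only the fields the check reads filled in. It is not a loadable DLL."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, file_characteristics)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", optional, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


def check_file(path: str) -> dict:
    """Run the same check against a real DLL on disk."""
    with open(path, "rb") as fh:
        return pe_aslr_status(fh.read())


if __name__ == "__main__":
    samples = [
        ("linked with /DYNAMICBASE",
         build_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_FILE_DLL)),
        ("no /DYNAMICBASE",
         build_minimal_pe(0, IMAGE_FILE_DLL)),
        ("/DYNAMICBASE but relocations stripped",
         build_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE,
                          IMAGE_FILE_DLL | IMAGE_FILE_RELOCS_STRIPPED, pe32plus=True)),
    ]
    for label, image in samples:
        print(label, "->", pe_aslr_status(image))
```

The third sample is the case worth remembering: the flag alone is not proof of randomization, which is why a check that stops at DllCharacteristics can pass a module that the loader will still place at its preferred base.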

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.

Github Security is Broken

By Sean Michael Kerner   |    March 05, 2012

From the 'Bender from the Future' files:

Over the last several years, github has become the premier development hub for all things open source.

So when the github platform as a whole has a security problem, open source developers really need to take notice.

Late last week, a flaw in the underlying github Ruby code was discovered and reported to github. Github disagreed with the severity and closed the bug without fixing it, which led to one of the best back-and-forth discussions I've ever seen in an open forum about a security issue. You see, the researcher that discovered the flaw, Egor Homakov, didn't stay quiet; he kept pushing the issue.

One of my favorite Homakov posts was titled "geez. github y u SO open?", which was part of his thread, "I'm Bender from Future."

For his efforts, Github didn't reward Homakov, instead they suspended him from Github. To Github's credit they did eventually reinstate Homakov.

"Now that we've had a chance to review his activity, and have determined that no malicious intent was present, @homakov's account has been reinstated," Github's blog states.

The problem with this whole security issue is that, at the core, it's an exploit that could have enabled anyone to inject anything they wanted into any Github account. That's a major problem, whether it's in Rails or anything else on Github. Instead of dealing with Homakov responsibly, Github put roadblocks in his way, until he forced their hand.

I strongly suspect that after this issue, Github won't be as flippant the next time a security flaw is reported. I really do wonder however how many other issues are in the Github platform that have been ignored, issues where the researcher wasn't as aggressive as Homakov.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.

PHP 5.4 Will Make the Web Faster

By Sean Michael Kerner   |    March 01, 2012

From the 'Open Source Language of the Web' files:

PHP 5.4 has just officially been released - and it's a really big deal.

I've been tracking the development of PHP 5.4 since at least November of 2010 and the early alpha milestones. This is the first major PHP update since PHP 5.3 came out in June of 2009. In a lot of ways though, the PHP 5.4 release is more important since it will be an evolutionary step forward that likely won't require code rewrites.

The big item for me is performance and memory management, which are improved by double digit percentages. That's right - if you want to make your PHP driven website go faster, use PHP 5.4.

From a devops perspective, PHP 5.4 has a built-in webserver, which could be a huge benefit for developers.

Developers will also benefit from the new Traits method for code re-use. Uh huh, PHP code with PHP 5.4 will be cleaner than ever before.

"A Trait is intended to reduce some limitations of single inheritance by enabling a developer to reuse sets of methods freely in several independent classes living in different class hierarchies," PHP.net's page on Traits explains.

Going a step further, PHP 5.4 will finally rid PHP of an evil that has been lurking in the code for years. Magic Quotes have officially reached end of life (they were deprecated in php 5.3 but now they're finally gone).

While the PHP open source community has named this new PHP release as a dot release, at least one PHP luminary thinks it could have been much more.

"PHP 5.4 is a HUGE milestone (IMO warrants a major version # :)" Zend CEO, Andi Gutmans tweeted.

Yeah I was thinking the same thing...PHP 6!!!

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.