Arancaytar's blog

Arancaytar's picture

XBBCode available for 6.x

My pet module XBBCode is finally available for Drupal 6 - at least the core engine and the basic tags. It has undergone a lot of clean-up, including the user interface.

The module will only be packaged as a public release when all sub-modules are converted, but for now, the trunk is available here:

http://svn.ermarian.net/drupal/modules/xbbcode/trunk

Casting big collections to String

A word of warning: If you are working with Collections in Java that are over 5000 records, do not implement a toString that aggregates them all as text. String concatenation is obscenely slow in that context, which means you will wait several minutes for data sets that are larger. Presumably this is dependent on String length as well as record count, so it also matters how big the text of each record is.

Workaround? Use void print() instead of String toString(). Admittedly, it's not as flexible, but it's orders of magnitude faster.

And that's what I have learned for today.

XBBCode ported to Drupal 6!

Drupal 6.x is looming. A few months ago, I wouldn't have chosen that particular word, but as it's getting closer and closer, I see past the smoothness and shiny new features and remember what a major Drupal version upgrade actually means for me as a site developer: Endless hours of coding to get my modules compatible with the new API.

DHTML menu, now, was easy. I pretty much spent half a day on getting it to work in D6 - after being stumped for several days regarding the new menu system, of course.

XBBCode, on the other hand, I set off to the side. This is not because its structure has to undergo some major refactoring - in fact the filter API hasn't changed at all (or at least not in a way that broke my module). Rather, it uses a few high-level menu items and configuration forms - and as always, the new Drupal version completely revamped the menu system and Form API. Forgive me for waxing cynical for a bit. Form API is a thing of beauty once you understand it - and hopefully that will be the case before it is rewritten again and gets even more beautiful.

Still, after some reading and bothering the other developers on IRC, I finally pushed XBBCode into a shape where it works in Drupal 6. The engine with all its settings forms and custom tags is functional - though not E_NOTICE-free, because of a strange behavior of the new menu system that I still have to figure out. The basic tags package required practically no updating.

I am expecting more trouble with the other sub-modules that implement their own settings forms, but none of them are as bad as the engine itself.

The new version of XBBCode 6.x-dev is not yet on SVN. I still have to split off the DRUPAL-5 branch before I commit the 6.x version into the repository. So this is little more than a hype topic. I expect to have the version done in another week, however.

I am learning Esperanto

That is all.

Also, my knowledge of the language is very primitive, but I learn quickly! :)

Reading again

Childhood's End arrived yesterday (I got it after an emphatic recommendation, which I haven't regretted taking to heart), and I spent most of today reading. This is powerful stuff.

I'm not through yet, though the end is not far off. So far, the most moving quote was this:

What you will have brought into the world may be utterly alien, it may share none of your desires or hopes, it may look upon your greatest achievements as childish toys - yet it is something wonderful, and you will have created it.

Math Camp - Part 1

It has been an exceptionally busy week. Last Monday, I went to Bavaria to take a course in statistical mathematics (specifically, statistical methods for quality analysis). It is now Friday afternoon, and I am sitting in the train home, so I have some time to write.

Well, I say I am sitting, which is true in the loosest sense of the word. The train is packed as a can of sardines, as we say in German, and there are no seats left. Instead, I picked one of the entrances, put my backpack down on the floor and sat down on it. My laptop is now fulfilling its nominal function while I am hoping it won't sterilize me (or worse, run out of power before I'm done writing).

Sunday

So anyway, let's start on Sunday afternoon, when my dad and I went down to Frankfurt by car. We had to stop by Aachen first to get my laptop's power cord (this statistical course is based as much on computer calculation as paper, if not more), and then we were on our way.

Around Koblenz, we put in a stop at a way station along the autobahn to get dinner. It was here that I also saw the most futuristic and sanitary lavatory ever. Seriously, this was Sci-Fi stuff - have you ever read Asimov's Caves of Steel? This thing put me in mind of the Spacer facilities. The toilets are self-cleaning: They flush when you get up, and a robotic arm extends to wipe the rim that you sat on. None of the devices - foam dispenser, water tap, towel dispenser - required physical contact; all had sensor plates. When we left the station, the sun had already gone down and we drove on until we arrived in Frankfurt late in the night.

[img=http://lh3.google.com/arancaytar.ilyaran/RuuobCkrQ-I/AAAAAAAABVU/8ohLVRoOwws/CAM_5139.JPG?imgmax=512]

I had only a short time to go online and have some dinner, then write in my diary: After that it was time to sleep - I had to get up at six in the morning.

Monday

The journey down to Niedernberg was much shorter than the one to Frankfurt, but it still took us over another state border: We had now entered Bavaria - home of Beer, Weisswurst and Lederhosen. As if obeying an unwritten rule, the brisk early fall weather cleared up as we passed the border and gave way to summer.

But enough of the journey. Very soon, we arrived at the Seehotel Niedernberg, the hotel that the course was taking place at. I was half an hour early, so I had first pick of the seats (front row for me; my bad eyes have no chance of reading the flipchart and the projection screen otherwise). The view was utterly awesome. I should have expected something like this from the conference room of a luxurious hotel (this was the sort of room where I imagine companies might have gone into merger talks), but it was still surprising. Through the window, we saw this:

[img=http://lh5.google.com/arancaytar.ilyaran/Ruun2ikrQrI/AAAAAAAABS0/VceEWpeKHhA/CAM_5116.JPG?imgmax=512]

Over the next twenty minutes, the other participants came in one by one. I was in for a pretty big shock, although I had known what to expect of course. Just by being in the room, I must have lowered the mean age of the occupants by a year, perhaps two, and we were about fifteen people in total. The culture shock continued after the instructor came in and introduced himself, kicking off a round of introductions. Quality assistant this, manager that, chief engineer the other. All of them work in big technical companies, from producing nuclear fuel rods to surgical dressings: All of them industries in which quality standards are of utmost importance. Needless to say, I am the only college student in the room, but thankfully, no eyebrows were raised. I still felt quite isolated though, and when I had finished my introduction, I was relieved.

The next hours were spent passing information about the structure and form of the course that would follow. Our course is organized by the German Association for Quality (DGQ e.V.). It actually consists of five modules mixed into a single one; these are:

  • Basic Statistics
  • Statistical Process Analysis
  • Data Aggregation
  • Measuring Technology
  • Design of Experiments


All of these modules are normally taught over several months; altogether the material we are going to learn used to cover over two years. We are going to cram it into our heads in the next two weeks.

His words stayed with me, which I am only wildly misquoting and paraphrasing: "Do you know Six Sigma? After you're through with this course, you will know twice as much about statistics as the Six Sigma Black Belts."

And so, wasting no time at all of the approximately 200-240 hours that the course will last in total, we delved right into the subject matter. A brief summary of what role statistics play in quality control, and what properties they are used on ("continuous, discrete, ordinal and nominal").

What amazed me most were the relative levels of mathematical understanding. I'd entered into the course fully expecting to be outshone in all things from age to work experience to mathematical brilliance. Yet, while we were still in the basics of the first days (when the material was still old news for me after the statistics course in college), I had many opportunities for being helpful with explanations. Take stochastics and boolean: de Morgan stated that "not (A and B)" is the same as "(not A) or (not B)" - the Distributive law of boolean operands. With this stuff fresh in my mind after only a year, it seems obvious - but evidently such theoretical things don't hold up well under long times of disuse in the industry.

I'm very lucky that this is the case, for there is nothing that breaks ice as well as mathematical explanations - especially when your colleagues are between 15 and 30 years older than you and you have very little in common. The first coffee break was spent very self-consciously in isolation, but by the afternoon of the next day, I was actually asked by some participants to explain a stochastic problem to them! To be sure, it is nothing like being called cute by a girl, but being asked about math by a group of engineers does give a good boost to the old self-esteem.

Lunch break rolled around, and a very pretty problem presented itself, promising to stay around for the next four weeks: Four-star Hotels are ****ing expensive, pun fully intended. Non-guests pay 22€ per day for lunch (which comes to 31$ in these days of turmoil). For reference, that is what this starving college student lives on for nearly two weeks. This meant nothing to my colleagues, who could probably put all of that on their expenses bill to their company that was paying for their qualification, but I was finding myself having to answer, with rumbling stomach, the last of those delicate philosophical questions the late Douglas Adams posed to humanity:

Where shall we have lunch?

On the first day, with no time to think the problem through and fortunately a spot of cash handy, I shelled out my two-week-sustenance and was allowed to take part in the all-you-can-eat buffet: The first time I've ever seen the economy of overselling (so common in web-hosting) applied to gastronomy, and I was among the 99% of people who only use up 1% of what they pay for, because I eat like a bird (a diabetic, anorexic bird).

The day ended several hours later, and I was anxious to get to a bed after my brain had spent about 10 hours soaking up information. And uncertain: Today had been easy if grueling. The next day was going to be tougher. And the third tougher still. I needed to be well-rested to confront them.

Location(s)

Seehotel Niedernberg
Leerweg
63843 Niedernberg
Germany

They made it

Riverbend's family has left the country.

"It was as if a million political bloggers sighed in relief and were silent."

Walk before Sunrise

I decided to rise early and go for a pre-sunrise walk this morning (partly inspired by a community for whose members walks just before sunrise are something of a ritual). Sacrilegiously, I took a camera, which means you can now look at a few pictures.

Unfortunately, the camera was old two years ago, so the quality isn't very high. But a few of them came out all right. What they can't capture is an almost supernatural beauty that the atmosphere has during sunrise. Even a list of adjectives - cold, bright, clear, piercing, new, silver - is only a feeble attempt to describe this. I really need to do this every day.

Oh, here are the pictures.

Google album: Walk before Sunrise

Location(s)

Dike in Friemersheim
Wanheimer Kirchweg
47229 Duisburg
Germany

My site under XSS attack

So I was sifting through my logs and found a well-executed, actual XSS attack on one of my pages in the Ermarian Network.

As XSS attacks go, it was fairly harmless: The attacker injected an HTML link that was displayed after the form field; the HTML link did not go anywhere. Really a proof of concept, and an (intentional?) heads up that I should secure my site better.

The code of this textbook exploit, shown below, shows that even a perfectly valid XHTML page is not proof against such attacks - the attacker merely has to ensure that XML validity is maintained (and even that only in Firefox).

For those unfamiliar with XSS: This is not a danger to the site or my account, but to its users. Anyone who follows a crafted link to a (trustworthy) ermarian.net domain will see links to the attacker's website, or execute the attacker's JavaScript code, which even NoScript will show as coming from the (trustworthy) ermarian.net website.

<form action='services/search/http/' method='get'>
<p class="maintext" style="text-align:center">
<input type="text" size="30" name="q" value="x"></input><a href="rolf">LOL</a>" />
<input type="submit" value="Look up" />
</p>
</form>


Note the text entered by the user:

x"></input><a href="rolf">LOL</a>


The quote "closes" the value, then the code completes and closes the tag, then it prints a link. Very neat. The same technique could be used to execute arbitrary JavaScript in the ermarian.net scope, which would allow that script to access any (non-existent) sensitive information such as login sessions.

Be right back, fixing my scripts to escape user input.
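
The fix in miniature, as an added example that is not the site's actual code: the same input field rendered once with the query pasted in raw and once with it escaped on output, using the text quoted above as input. The function names are hypothetical.

```javascript
// Added example, not the site's code: function names are hypothetical.

// Escape the characters that are significant in HTML text and in quoted
// attribute values. "&" is replaced first so later entities stay intact.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: the query lands in the value attribute as-is.
function renderInputUnsafe(q) {
  return '<input type="text" size="30" name="q" value="' + q + '" />';
}

// Hardened rendering: same template, query escaped on output.
function renderInputSafe(q) {
  return '<input type="text" size="30" name="q" value="' + escapeHtml(q) + '" />';
}

// Count element start tags in a fragment. A regex is enough for this fixed
// template; it is a check for the demo, not a general HTML parser.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// The text entered by the user, as quoted in the post.
const payload = 'x"></input><a href="rolf">LOL</a>';

function demo() {
  const unsafe = renderInputUnsafe(payload);
  const safe = renderInputSafe(payload);
  return { unsafe, safe, unsafeTags: countStartTags(unsafe), safeTags: countStartTags(safe) };
}

const result = demo();
console.log(result.unsafe);
console.log(result.safe);
console.log(result.unsafeTags, result.safeTags);
```

The raw version reproduces the broken input line from the page source above, with a second element after the field; the escaped version stays a single input element whose value is the literal text the user typed.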

Running PHP as CGI, using symbolic links

Yesterday I tried for several hours to build PHP, at last succeeding (at cost, because I failed to install the desired extensions Tidy, Mhash, MagickWand and IMAP).

Installing PHP is usually a big problem for me, no news there - every time I upgrade to a new version, I end up pulling out my hair for a day or two.

But at least I've isolated and solved one of the more pesky problems:

premature end of script headers: php.cgi


First off: I love symbolic links.

I'm pretty obsessive about keeping the files and software on my webserver nicely ordered and free of redundancies ([wiki]Stackenblochen[/wiki], unkind people might say), so I use symlinks pretty much everywhere. For example, all my Drupal sites link to the same codebase; the sites directory in said code-base in turn links somewhere else, so I can switch between codebases in moments.

No news then, that I would prefer to link the php.cgi executable on all these sites to a single installation in my software folder!

But unfortunately, this is exactly what causes the problem: CGI does not properly resolve symbolic links that point to the executable itself. If you have a link that points to php.cgi, CGI will attempt to interpret the link. Or at least, if it does find the binary, it'll interpret it as a script instead of a binary program.

The solution?

Don't link to the executable; link to the folder above it. As long as the last symbolic link in the chain points to a folder that contains the real, physical file php.cgi, it will work.

In other news, this also means the Ermarian Network is back after around 15 hours of outage, which is obvious as you are reading this now.