If you wonder why there hasn’t been an update from me for quite a while — I just returned from two months of paternal leave, in which I actually managed to stay away from the PC most of the time. In the meanwhile, I’ve officially become an Oracle employee and there is a lot of administrative things to take care of… But it feels good to be back!

As we need to finalize the schedule and inform the speakers, the voting period will close this coming Sunday, 18th of July. So don’t hesitate, cast your votes now! Based on your feedback we will compile the session schedule for this year’s camp. Thanks for your help!

One of the great things about Eclipse is that?unlike the celestial event and the unfortunately-named movie?everybody gets to see it; regardless of your location on earth, you have access to Eclipse.

But, like Linus, some people are confused as to the nature of Eclipse. To try and help people better understand Eclipse, I?ve created a ?What is Eclipse?? talk that takes an audience step-by-step from what is commonly understood through a voyage of discovery of the true greatness of Eclipse. More specifically, I start by introducing Eclipse as a Java IDE. This is generally easy for the sorts of audiences that I speak with to understand: folks in the software industry understand IDEs (though there are still a few emacs hermits out there; and I mean ?hermit? in a wholly-endearing way). I spend the next couple of slides broadening the technical horizon by introducing Eclipse as a platform for building IDEs, tools, desktop applications, server applications and runtimes, and more.

All this technology is wonderful. But technology is only part of the Eclipse not-so-secret sauce. All of that technology comes from the many open source projects at Eclipse.

We have a lot of projects at Eclipse. A lot of projects. Up to this point in the presentation, most of the discussion has been around just a small handful of projects. The ?Eclipse? Project is responsible for creating most of what people think of when they think of Eclipse. Specifically, the Eclipse Project creates what we try very hard to consistently refer to as the ?Eclipse SDK? (that is, a software development kit for building Eclipse-based applications). The Eclipse Project leverages the work of several other projects (Equinox comes immediately to mind) to provide important bits of information, but most of the bits that people think of when they think ?Eclipse is a Java IDE? comes from the Eclipse Project.

Now this is where things start to get a little weird. The Eclipse Project is what we call a ?Top-Level Project?. It is?effectively?a container for several smaller-scale projects. Each of these smaller scale projects, often referred to as simply ?projects? or ?subprojects?) is a distinct entity that contributes parts to the greater whole. The Platform Project, for example, produces the UI, workbench, and many other fundamental services and frameworks; the Java development tools (JDT) project produces the Java compiler, editors, debugger, and such; the Plugin-Development Environment (PDE) produces tools to aid in the construction of plug-ins; and more. All these Projects have distinct development teams, web sites, and other resources.

The Eclipse Project is just one of the top-level projects at Eclipse. There are currently twelve top-level projects that organize dozens of projects. Top-level projects provide more than simple organization of projects. Each top-level project has a ?Project Management Committee? (PMC) that is responsible for providing oversight and guidance to the projects in their care. Each top-level project is a little different from the others, reflecting different values and technical areas. Some top-level projects tightly organize their projects; others allow greater levels of flexibility.

The fact of the matter is that we have a heck of a lot of projects at Eclipse. At last count we had more than 250 projects (I can hear you gasp at that number). The project is the finest-grained organizational unit at Eclipse. Each project has its own group of developers (called ?committers?), its own website, forums, mailing lists, source code repositories, downloads and more. Some projects provide aggregations of other projects; a project can, for example, have subprojects of its own.

It?s left to the project teams to decide how they want to organize. Typically, mid-level projects tend to be used to provide some hierarchical organization for related projects. Very often mid-level projects (and top-level projects in some cases) provide handy aggregate builds and downloads of the software produced by the projects they contain. The Web Tools Platform Project, much like the Eclipse Project, is a good example of this. Web Tools contains multiple separate projects (e.g. Dali and EJB Tools), but distributes downloads and updates under the top-level project. As an outsider-looking-in, Web Tools comes across as a single source of software (the fact that it is really multiple projects under the covers is a bit of an implementation detail).

So anyway? we have a lot of projects. They?re organized under top-level projects that provide oversight and guidance. Chances are very good that we have something going on at Eclipse that interests you.

But Eclipse is more than just technology and projects. Eclipse is? a Community.

In my post from three weeks ago, I explained why the semantics of normal ad-hoc insertions with a primary key are expensive because they require disk seeks on large data sets. Towards the end of the post, I claimed that it would be better to use ?replace into? or ?insert ignore? over normal inserts, because the semantics of these statements do NOT require disk seeks. In my post last week, I explained how the command ?replace into? can be fast with TokuDB’s fractal trees. Today, I explain how “insert ignore” can be fast, using a strategy that is very similar to what we do with “replace into”.

While “insert ignore” can be fast, there are caveats (indexes, triggers, replication), just as there are with “replace into”. In a future posting, I will get into some of them.

This is my 2 cents in the Open Source vs. Open Code vs. Commercial debate. And it’s a long one…Maybe some of you reading this are offended already, but bear with me, I’ll get there. The way I see the Open Source model, having worked with OSS at MySQL for 6+ years now, is that this is a great way of developing software. Not brilliant, but great, but I’ll get there also.Users of OSS, in my mind, are OSS users for one or more of three reasons:It’s Open – The users using OSS for this reason believes that being open is in and of itself a great thing, enough so to use OSS even when non-OSS is less expensive and/or better.Cost – OSS is typically less expensive than non-OSS, and this is the reason these users get here. There are then 2 subgroups here, one that represents users that just aren’t funded at all, many websites are in this category, the users building Joomla and Drupal sites and the like, I think you get the point. The second group are those that have funding, but would rather spend their money on luxury items and a new car than of a software license.Technology – This is a category that many think they are in, but I don’t think this is mostly not the case. These are the users on a unique piece of software that is either not existing as non-OSS, or where the OSS variations are so much more powerful than the commercial counterparts. In all honesty, although I am aware these cases exist, I do not think that that there are THAT many. But there are those there Cost + Technology plays in, i.e. even though a commercial option exists, it is just too expensive.OK, so now we know (what I think) are the reasons that Open Source exists, is in wide use and is growing. For the first group, the ones that see Openness as a good enough reason in and of itself, I think this is a smaller group of the total number of users. But that openness is not really, in my mind, well defined.If Oracle would take the sourcecode for the Oracle database and release it under GPL, then it would be Open in most peoples mind I guess. But that piece of code is massive, and few people outside the Oracle developers would have the time, resources and knowledge to understand, extend and modify it, so what how Open is it really then? I think to an extent MySQL is case in point here, although it is GPL licenced and the sourcecode is open and free, there are few outside contributors, as compared to the large number of users. I think most users building a website using Drupal cares much about MySQL being open or closed or whatever. I think most of them care about the cost being low. And one sure could argue that low cost comes from the source being open, that is probably true to a large extent, but that doesn’t mean that commercial software or non-OSS also can be low cost (shareware for example).What this boils down to, in my mind then, is that although we all enjoy the low cost of OSS, less care about it really being open and if so how, and more about it being inexpensive. And I say that as someone who doesn’t actually mind reading sourcecode, and this is something I do on a regular basis, read and sometimes tinker with the MySQL source. But I really do not think that I am typical here.And all this is not to say that there is something wrong with OSS, quite the opposite, but often it is more about cost than actual openness. And this is worrying, but there are exceptions. Linux is one such example, although the kernel is since long ago developed by a rather small closely knit community, utilities and programs surrounding and extending the kernel, such as modules, the GNU packages and that stuff, are developed separately from this group, by individuals or groups of them with specific needs or knowledge. The key here is the open interfaces. You don’t have to understand every aspect of the Linux kernel to develop a well working and efficient utility or even kernel module.But I do not think that even Linux is developed enough in this area as I would like it to see. To me, who really believe that Open Source Software is a good thing and an excellent model for development, I would like to see an even more “contributor friendly” architecture. I think Unix got a long way here in it’s early days, with the principles of simple and easy to use APIs (like pipes) and programs could do one hing and do it well. But those days are gone now, that was 30 – 40 years ago or so, and we need to develop things, and I haven’t seen that happening. FSF and GPL and all that defines to extent the framework for distributed software in terms of legalities and many other aspects, but there is little help in how to make the software that can now in theory be read by anyone truly open. If we assume that Oracle made their sourcecode GPL, but did not provide any documentation on how the sourcecode works (which is not a requirement of GPL) and removed all the sourcecode comments (which is not a requirement either), how open would that be, really? I do not think it would help much in terms of openness, to be honest. Sure, it would be open for someone who wanted to hickjack some intricate part of the Oracle sourcecode, but that would need a large investment in investigating the code, so this would probably only be reasonable for a some other large corporate entity. But the code would really be open for the rest of us.Instead of discussing Open Source vs. Open Code vs. Commercial, I think it would be much more interesting to discuss how we develop software that truly is contributor friendly. Code that is easy to add to, code that lives in an environment where changes and additions can easily be made, reviewed and tested. Code that allows itself to be built by anyone, anywhere so that I can test my code on a 16 CPU x86 box somewhere in australia, provided by a nice person I don’t even know, although I am located in Sweden. Code that is required to have proper commenting, proper structured APIs and natural points for injecting new and changed code. And above all, code that lets someone with excellent domain knowledge (in for example indexing algorithms, GIS, text search, APIs, disk management etc., if we talk about databases) to write code and test, without being a database expert or even knowing the inner details of the system he/she writes code in, and not being brilliant developers themselves.Is this a dream? Maybe, Is Drizzle the answer (I know someone will suggest that), and I say no, it’s just not enough, it’s just more of the same (plugins), it doesn’t really provide anything new in how we develop things or how those developments are published and distributed.In short, I think the Open Source vs. Open Code debate is just nitpicking and boring. Neither model just isn’t good enough to be truly friendly and open for contribution. The difference lies more in how and with what we we can commercialize our efforts, which is a valid concern, but my main concern, as you can see, is that I believe that neither model is truly open. And I would rather see a truly contributor friendly Open Code model than the current state of affairs./Karlsson

Core Security Technologies today announced the release of CORE GRASP, which is a patch against the PHP 5.2.3 code tree that adds a tainted mode to PHP to protect the mysql_query() function. Their implementation adds a tainted or not flag for every byte so that it is possible on invocation of mysql_query() to determine any kind of injection.

To add such a tainted mode to PHP has been discussed several times in the past. It was rejected for several reasons like the obvious huge speed impact and the danger of false positives and a false sense of security. And indeed the way CORE GRASP is implemented it looks like a huge memory and speed overhead that should be tested. In addition to that their query parser will for example wrongly detect quotes escaped by doubling as injection attack.

Aside from this there are several other possible problems in the code like a remote one byte stack overflow (that seems harmless due to memory alignment), wrong handling of the _SERVER superglobal in case of JIT and it also seems that control characters like linebreaks can be injected into the logfiles. Further analysis and a deeper look into the code is needed.

However it has to be taken into account that this is the very first public version of CORE GRASP, so maybe all these problems are gone soon and support for further database engines is added.

You might have seen this post in Chris blog about a CSRF redirector he did. This is basically nothing more than a little script that turns a GET request into a hidden formular that is then posted via JavaScript. There have always been security issues with redirector scripts, and if you provide one open to anyone, you should care about what kind of redirects you actually allow.

Two major risks happen to exists with chris example:

1. Malicious people could misuse them as bouncers to attack other sites
2. Not every URL is a web page. Some can load plugins, display information and
   some can execute JavaScript.

Here is an example URL:

http://shiflett.org/csrf.php?csrf=javascript:alert(/I_AM_A_SECURITY_EXPERT/)

In Internet Explorer (and Safari) this will give you access to the domain (cookies, etc…). In Firefox you can still do other funny things.

So if you implement (javascript) redirector scripts, make sure you do a proper
whitelisting of the user delivered urls.

UPDATE: The above example for a simple XSS does no longer work. However there are still other XSS vulnerabilities like variable-width problems in the CSRF redirector and it is still an open bouncer for malicious persons.

We have been using MySQL 5.1 on a few servers for which partitioning is a much better way to purge old data than delete. We have been working to upgrade more servers despite claims that some of us may have made in the past about using MySQL 4.0 or 5.0 forever.

I am excited about MySQL 5.1 and 5.5. With a few recent changes to the Facebook patch we have been able to increase peak QPS by more than 2X and peak IOPs by more than 3X using benchmarks. There are more improvements to be done. Whether or not we match the benchmark results in production, I much prefer an RDBMS that can exceed 100,000 QPS and IOPs than one that is saturated at 10,000. Any of the changes we make for 5.1 will look even better with MySQL 5.5 given support for multiple InnoDB buffer pool instances and some of the changes above the storage engine layer that aren’t easy to describe in a few sentences.

My closing presentation at the dedicated MySQL track at ODTUG Kaleidoscope 2010 discussed various techniques and best practices for improving the ROI of developer resources using MySQL. Included in the sections on Design, Security, Development, Testing, Implementation, Instrumentation and Support were also a number of horror stories of not what to do, combined with practical examples of improving productivity.
Increasing MySQL Productivity
View more presentations from Ronald Bradford.

Modem HSDPA Huawei E150 Pada Distro Linux OpenSUSE 11.2 , HSDPA Modem Huawey E1550? sudah Dapat dikenali dengan baik, Tentu Hal Ini akan membuat pekerjaan kita akan menjadi lebih mudah. Yang Perlu Kita Lakukan adalah tinggal mengkoneksikan modem tersebut ke Internet Provider, Pada Kasus? ini Saya akan Mengkoneksikan Modem Dengan? Telkomsel Flash, dan konfigurasinya sangat [...]

Geert made us aware that MySQL Cluster now provides the possibility to disable arbitration in order to use an external arbitration mechanism. This is a really important feature, because… well, not really, but only because I was the one who designed it
Coming up with the concept and the two parameters Arbitration=WaitExternal and ArbitrationTimeout=n took a few weeks of discussion. Once we agreed on how to do it, I think Jonas coded it in 20 minutes on the mezzanine floor of the Hyatt, Santa Clara. After that MySQL conference I soon resigned from Sun, so I had now idea what then happened to this feature.
read more