Braydix v0.2

Well, I got some time, and I upgraded my laptop to 4GB, and I finished copying stuff from various other machines I’ve been using, so I got a chance to poke around my Braydix CD project. I was able to clean out a decent number of megs, and fix two…rather crushing bugs.

Bug #1 – reported by Bryan – it doesn’t actually work, at all. So I figured I’d make it work. That seems like a good fix.
Bug #2 – discovered by me, once I made the CD thing work. It uses static nameservers that only work in my house. For people who aren’t in my house, this is probably a good fix.

Issue #1 was actually the stupid VMware install getting its filthy tendrils into my system, so it tried to always use vmxnet drivers for the Ethernet card. Those only work in VMware, not in real life.

I still have some ideas for this thing to make it more ‘interesting’, hopefully nothing so complicated or difficult that I won’t end up doing it…

So it’s here, I’m still throwing these up on this mediafire thingee because it’s free.

Recent Acquisitions

First off, my MacBook Air was not really mine. It was my prior company’s. That, plus the various thermal issues it had were getting to be too much for me. Its performance was…well, a little laggy, and it had no hard drive space. That’s a whole bunch of bullshit I used to justify my company buying me a new MacBook Pro – I convinced the president to get it for me. Since said person is also me, that was not too hard.

And going from MBA to MBP – wow. The weight difference is enormous. This new bad boy is heavy. And the performance differences are pretty striking too (so much faster); but I think a lot of that is just the graphics card. I can’t really max out the CPUs now by doing anything ‘conventional’. The bigger display ‘feels’ more subjectively comfortable – more spacious, not so cramped. And not having to worry about hard drive storage for a while will be nice too. I can feel it getting pretty warm on my knees right now, as it’s been busy installing lots of stuff. Gonna have to be careful; don’t want to fry the Boys. edit – I think this is Spotlight doing indexing shit. ‘mds’ seems very busy. Perhaps it’s running across all the various files I’ve been installing. I wanted to get the RAM boosted to 4GB, which I think I will still do, but we’ll have to wait until it shows up at the Shop.

And thanks to everyone who staged a near-intervention to prevent me from getting a 17-inch MacBook Pro. I tend to pretty much go whichever way I’ve decided to go regardless of what anyone says; but when, like, 5 people all tell you “don’t do that, it’s stupid” even I have a hard time ignoring that advice. I got the 15, as advised, and am quite happy with it.

My iPhone’s battery life has gotten to the point now where I can yank it from the cradle around 8am or so, and by 6pm it’s run out of juice. That, plus not being able to power it down (stuck power button) meant that it was starting to be that time. 3G time. I tried as long as I could to avoid it – this will cost me another $10/mo, and I’m already miffed at having to pay so much and use so little. And I assume something new and wonderful and such will come out next June to make me feel stupid for having gotten this one. But I could wait no longer. Another conversation with The Big Cheese (still me) and my company got me an iPhone 3G. Now, I can’t say if this is my imagination or not…but it feels faster in operation – like, clicking stuff and so on. And, Apple – dudes – it is *not* cool to move my application icons around on restore. Put them back. I have like 6 or 7 pages of applications, and I’ve moved the icons around ‘just so’ in a way that is convenient for me. Moving them makes me unable to use my phone, for the most part. And the whole backup/restore process felt really…creaky to me. I didn’t feel comfortable and happy that all my data was going to get from old phone to new. I was actually surprised when it seemed to have. Of course, I have to reinit the prefs in a lot of my apps – but not all. And that’s at least something.

Rails on OS X. Don’t use the built-in Ruby (/usr/bin/ruby). Don’t go and install ports and use their ruby either (/opt/local/bin/port, /opt/local/bin/ruby). Go and get Ruby Enterprise Edition, install that, and then tell it to install mod_rails with /opt/ruby-enterprise-1.8.6-20080810/bin/gem install passenger . You can hook that into the built-in copy of Apache, and it will work really well and use 33% less memory (or so ‘they’ claim…), and fork little worker process thingees at will, and so on. I’m using it on my personal server and I find it to be pretty great – where I used to have to manually watch little mongrel thingees run and die and then go and restart them, and watch memory usage balloon out to whatever the worst-case number of concurrent requests turned out to be. And I don’t have to put in funny Apache configs to proxy or tunnel or some other crap I don’t remember. I set it up on my server months ago, so I don’t remember the awfulness of it, but I remember the sense of relief when I made the switch. Those Passenger dudes take good care of their little fork of Ruby and their passenger package. It is good. If you get annoyed with those stupid long paths, symlink them to something more acceptable. Also if you want to get rid of it I think you just fling that one silly directory and you’re good to go.

Renouncing Libertarianism

My dad taught me a long time ago that blindly following any ideology to its final, inevitable conclusion ends up in failure. He used the example of Communism, and the various forms of starvation that were caused by blind following of its tenets. I mean, Communism sounds really nice when you first hear about it, “From each according to ability, to each according to need.” Isn’t that nice? Of course it is! It just never works out that way.

I think I’m forced to say the same thing happens with my sorta-political-philosophy – Libertarianism. I think it has some nice things going for it too – an idea of minimal government, and the efficiencies of markets. Those are things not to be abandoned, for certain. But the failures of the banks and the fact that the government cannot allow them to fail makes me despair for true Laissez-faire capitalism.

I think the best system is probably a sorta Hegelian ‘Synthesis’ of the various opposing philosophies – Communism: FAIL. Pure Republican-style Laissez-faire capitalism: FAIL. Effective systems will be somewhere…in the middle.

I think the problem is this – true Libertarianism requires the government to play “chicken” with its people. Somebody says, “Hey! I’m going to do something stupid and awful! HAHAHAAH!” And the government has to say, “OK, do whatever you want, as long as you don’t screw with anyone else…” and in the end – somebody’s got to blink. And the government does, and I don’t blame it. Got no health insurance? Well, the hospitals will catch you. Forgot to save for retirement? Social security. Whoops! You invested all your money in stupid, stupid horrible things that are now worthless? OK, let’s see what we can do to shore up prices. Oh, you bought a house you cannot afford? We’ll fix the mortgage for you.

And actually typing these things makes me sad – but I think the government has to act in many, if not all, of these cases. It simply has no other alternative. If it let the banks fail, we could have a full on depression on our hands. Sure, then everyone who botched pays the price – good, fuck ’em – but too many innocents do too. I made sure not to buy a house, even as banks were screaming at me to take their money – why? Because it made no financial sense for me to do so. Good for me. But not good for me, because the government woulda bailed me out anyways.

Maybe you could blame everything on the Fed…I know, I place a lot of blame on them – my standard argument is that they react quickly to lower rates, but never to raise them. We could’ve avoided a lot of this (hindsight being 20/20 of course) by doing some serious bumping up of some rates when we started to see the real estate market go nuts. Only a few people would’ve gotten hurt, and much of this might have been prevented.

But I did some research – and even without Central Banks, various bank failures and credit crunches occurred in the past, just driven by private investors and such. So you can’t say “well, abolish central banking and then you have your libertarian paradise…” Still no. Though my argument, in the end, would be that if your central bank can’t prevent depressions, and neither can no central bank, then maybe you might as well have none.

My problem now is I would like to figure out some heuristic or algorithm or something for where the government should stop – once you have them crossing that line, when does it end? Guns? You can’t have ’em, you might hurt yourself. Alcohol (my precious BEER!) – no more for you. Etc. What’s the rule of thumb to say where government will ‘blink’ and step in, and where it won’t? What’s to keep us from just having it grow and grow and grow and never end? And I don’t know the answer. And that bugs me.

Maybe the model is “government’s job is regulation.” E.g., don’t have the government directly doing stuff, just have it regulating the doing of the stuff. What does that mean – private police forces? Private armies? I don’t like that. Ugh. It’s all muddled. Or perhaps, it’s not any more muddled than it was before, and I just see the muddledness more than I did? I don’t know.

I really don’t know!

Horrifically bad technology

A few years ago, I was kinda into XML. Sure, it’s bloated, but the idea that you could arbitrarily represent any kind of data in it seemed cool to me. And then – if you were to try and compose two types of data that no one had ever thought of before – you could support even that, with namespaces. You could even have two conflicting elements <foo> – by specifying which one is in which namespace – <a:foo> vs. <b:foo>. Neat. Now you can really have some nuance and power in your document. Mind you, I’ve never seen this feature used – and yet it bloats the XML specifications and implementations horribly – but it seems like it could be important. Right? Never mind the fact that just about any time you grab an XML document you probably already know exactly what it’s going to look like. Shh. You’re not thinking big enough. Here’s even an article I wrote in 2005, sad that Web Pundits were going to start moving away from XML. And here’s another one from early 2007, again complaining about the inevitable HTML5. I was totally and completely wrong. I mean, I’d like to say something like “while I still believe that blah, I have to admit that I may have been mistaken…” No. Totally. Dead. Fucking. Wrong. Maybe XML’s heart was in the right place (there! I did it! some sort of backpedaling statement!), but the devil’s in the details, and XML’s details have more devils than you can shake a stick at. Several sticks.

You see my friends (you can tell I watched the debate last night, right?), I just finished working like, maybe 10 hours straight on writing a SAML receiver in PHP for my former employer. That wouldn’t be so bad, except – I’d already written one. It worked fine. For SAML 1.0. Now I had to make it read SAML 1.1. Easy, right? Read the spec on SAML 1.1, implement the changes, all done. No. SAML assertions are XML documents. XML documents that need some kind of security thingee so that people can’t forge them or tweak them. So you need XML Digital Signatures. But XML is so crazy and fluid – you could have two documents that logically mean the same thing, but their bytes don’t match! How do you compare them? Easy, my friends! You canonicalize them using the XML Canonicalization spec(s), then you sign them. SAML 1.1 “improves” this process using a “better” method of canonicalization. If you read lots of sarcasm in my angry sarcasm-quotes, you read correctly. Back to canonicalization in a moment.

Now if we’re going to sign a document that’s XML, and since everything that has ever been of any merit at all is XML and must be XML, then our signature should be XML too. But if we’re injecting bits of XML into our document to sign it, doesn’t that change the document that we’re signing? We need some way to indicate which subset of the document is the signature, and which subset is what you’re signing. I know, I know! How about a nice simple regex to do that! Or just a straight subset of the document – cut from here… to here? Hahahahaha…just kidding! That’s not XML! No, we have to use XPath, a way to query for arbitrary “node-sets”. And the transform that carries it is, of course, XML.

So this is the ridiculous technology stack I have to go through in order to implement this relatively simple request – “let us accept SAML assertions to do single sign-on stuff.” So of course PHP doesn’t support any of this crap – because this crap is crap. Only IBM and Sun and other Big Company Weenies implement this garbage. PHP’s a working-man’s language, it supports things that are useful or interesting. There’s some Sun-sponsored SAML 2.0 stuff in the works in PHP, but we need 1.1. PHP’s XML support has historically been spotty – and I don’t blame it, the XML-approved APIs are the worst APIs ever. Ever. Well, I think I had looked once at a PHP library for DNS that may have been worse. But still, very bad. So I had to cook a lot of this stuff up myself. It sucked. And the specs are, quite frankly, just wrong. Or so grossly unclear that they could never be right. And I’m no moron – I’m a big freakin’ super genius type, and I can’t implement whatever the hell they’re talking about. So there’s no chance for lesser programmers. And because people are abandoning it in droves, there’s tons of half-implemented XML packages, and digital signature packages, and XML canonicalization packages sitting out there, in various states of disrepair and malfunction. All in different languages. I had to learn bits of Python and was on track to start trying to learn Java if I hadn’t gotten myself out of some serious holes.

Here’s some fun notes: Here’s the default XPath (make sure to capitalize that P!) that should select everything except the signature – the “enveloped signature” transform: <XPath xmlns:dsig="&dsig;"> count(ancestor-or-self::dsig:Signature | here()/ancestor::dsig:Signature[1]) > count(ancestor-or-self::dsig:Signature)</XPath> Oh, whoops! Except that doesn’t work. That’s just what’s in the spec. No reason it should work. Let’s expand the dsig entity – <XPath xmlns:dsig=""> count(ancestor-or-self::dsig:Signature | here()/ancestor::dsig:Signature[1]) > count(ancestor-or-self::dsig:Signature)</XPath> Uhm, nope. That “here()” function doesn’t actually exist, you see (it’s defined by the XML Signature spec, not by XPath itself, so a stock XPath engine has never heard of it). So I gotta make my own. Fast-forward two hours or so – hell, probably more – and many, many iterations, to get: <XPath xmlns:ds=""> (//. | //@* | //namespace::*)[not(ancestor-or-self::ds:Signature)] </XPath> Now, shit, that *was* pretty obvious – I don’t know how I missed it. Say, though – maybe it’s just me, but maybe we’re using XPath in a way that wasn’t intended? You can tell by the fact that we have to grab all elements, attributes and namespace nodes at the start, unioning them together, then throwing out every node that is a ds:Signature or has one among its ancestors. Horrible. Really, really horrible.

XML Canonicalization was the bane of my existence when I made the SAML 1.0 receiver, and it returned with a vengeance this time. The concern is that some XML processors may shove nodes around and do stuff to your document that doesn’t change its meaning, but changes its bytestream. So we want to be able to transform the document in such a way as to make it always look the same, no matter how mangled it gets. XML Canonicalization actually fails at this, in that you can compare two logically identical documents: <a:foo xmlns:a=""/> vs. <b:foo xmlns:b=""/> – they don’t compare identical, but should. Even after canonicalization, because the prefixes are kept exactly as written. But! Heaven forbid we say “screw it, let’s just say don’t muck with the data, and call it a day!” No no, that’s not the XML way! Instead you have to do all kinds of stuff. Turn empty tags into tag pairs, reorder attributes in each node, expand entities, strip some stuff, etc. And with “Exclusive XML Canonicalization” – the new-and-improved XML Canonicalization method used in SAML 1.1 – it gets even more confusing when you talk about your subset of the document and the namespace nodes that go with it. And then the spec’s wrong. And it turns out your test SAML assertion is canonicalizing using the method you already built 6 months ago, but is just calling it something else.
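Here is an added example, not code from this post, that ties the two complaints above together: the enveloped-signature node-set (everything except the ds:Signature subtree, which the XPath above selects) fed into a digest, and the canonicalization quirk where two identically-meaning documents with different prefixes never compare equal. It uses only Python’s standard library (xml.etree.ElementTree.canonicalize, Python 3.8+), which implements C14N 2.0 rather than the C14N 1.0 / Exclusive C14N that XML Signature and SAML 1.1 actually mandate, so it illustrates the mechanics but will not reproduce a real assertion’s digest. The sample assertion, element names aside, is constructed for the example and is not a valid SAML 1.1 assertion; only the xmldsig and SAML 1.x namespace URIs are real.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Real XML Signature namespace; the tag name ElementTree uses for ds:Signature.
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIGNATURE_TAG = "{%s}Signature" % DSIG_NS

# Constructed sample (not a valid SAML 1.1 assertion): an "assertion" with an
# enveloped ds:Signature as its last child.
SIGNED = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
    'MinorVersion="1" MajorVersion="1" AssertionID="_abc">'
    '<saml:AuthenticationStatement><saml:Subject>'
    '<saml:NameIdentifier>alice</saml:NameIdentifier>'
    '</saml:Subject></saml:AuthenticationStatement>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue>'
    '</ds:Signature>'
    '</saml:Assertion>'
)

# The same logical document as a different byte stream: attributes reordered,
# the empty tag written as a pair, and a different SignatureValue (the
# signature subtree is not part of what the enveloped transform digests).
REORDERED = (
    '<saml:Assertion AssertionID="_abc" MajorVersion="1" MinorVersion="1" '
    'xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">'
    '<saml:AuthenticationStatement><saml:Subject>'
    '<saml:NameIdentifier>alice</saml:NameIdentifier>'
    '</saml:Subject></saml:AuthenticationStatement>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignedInfo></ds:SignedInfo><ds:SignatureValue>BBBB</ds:SignatureValue>'
    '</ds:Signature>'
    '</saml:Assertion>'
)

# A forged copy: the subject is changed, the signature element left untouched.
TAMPERED = SIGNED.replace("alice", "bob")


def canonical_without_signature(xml_text: str) -> str:
    """Canonical serialization with every ds:Signature subtree dropped.

    This is the node-set the enveloped-signature transform yields
    ((//. | //@* | //namespace::*)[not(ancestor-or-self::ds:Signature)]),
    obtained here with exclude_tags instead of an XPath engine. The output
    is C14N 2.0 (attributes sorted, empty tags expanded, namespaces only
    where used), not the Exclusive C14N a SAML 1.1 verifier must use.
    """
    return canonicalize(xml_text, exclude_tags=[SIGNATURE_TAG])


def reference_digest(xml_text: str) -> str:
    """SHA-1 over the canonical, signature-free bytes. SHA-1 only because that
    is what SAML 1.x-era signatures used; it is not a recommendation."""
    data = canonical_without_signature(xml_text).encode("utf-8")
    return hashlib.sha1(data).hexdigest()


def canonical_equal(a: str, b: str, unify_prefixes: bool = False) -> bool:
    """Compare two documents after canonicalization.

    With unify_prefixes the C14N 2.0 prefix-rewriting option is turned on.
    C14N 1.0 and Exclusive C14N have no such option: they keep prefixes as
    written, which is why <a:foo xmlns:a="urn:x"/> and <b:foo xmlns:b="urn:x"/>
    never compare equal under them even though they mean the same thing.
    """
    return (canonicalize(a, rewrite_prefixes=unify_prefixes)
            == canonicalize(b, rewrite_prefixes=unify_prefixes))


if __name__ == "__main__":
    print(canonical_without_signature(SIGNED))
    print(reference_digest(SIGNED) == reference_digest(REORDERED))   # True
    print(reference_digest(SIGNED) == reference_digest(TAMPERED))    # False
    a, b = '<a:foo xmlns:a="urn:x"/>', '<b:foo xmlns:b="urn:x"/>'
    print(canonical_equal(a, b))                       # False
    print(canonical_equal(a, b, unify_prefixes=True))  # True
```

The two digest comparisons are the whole point of the transform: a receiver must accept a byte stream that a relay has re-serialized but reject one whose content changed, and it can only do that by digesting the canonical form of the document minus its own signature. The prefix comparison is the author’s <a:foo> vs <b:foo> case; prefix rewriting only exists in C14N 2.0, so a SAML 1.1 verifier cannot use it and has to live with the limitation.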

Sometimes the comedy of errors around all of this stuff makes me think that someone or something deliberately torpedoed it all. Perhaps Microsoft was concerned about some kind of interoperability utopia coming about, and they sent their agents to agitate for namespaces and xpath and xml signatures and enveloping and so on. Who knows.

If you ever find yourself in this unenviable position, first off, get xmlstarlet. If you don’t, you’ll never have anything to compare your own work to. I only got it late on in the process, and most of my real progress was after I got it. It requires libxml2, and libxslt. They’re handy to have around, though you may already have them. Once you’ve got that, read the specs very fuzzily. They’re not quite right, and Real Life trumps specs anytime. The end result is that it was not fun, at all. Very fulfilling in the end, when I finally see the message that the assertion’s digest and signature are ok, but not at all fun. And not code you want to show your mom. I don’t imagine myself working with this awful crap for quite a while again – or so I hope.

It’s funny (and It’s 2am, and I’ve drunk some Pepsi MAX, so I’m a little wired, so please indulge me) that you can see that there are any number of New Hip Cool technologies that start getting pushed really hard by companies, and end up being useful for some things, but not the panacea that they’re supposed to be. And you know how you can tell which technologies will end up being snake-oil? Look for the ones that claim they’ll end up powering a refrigerator that can automatically order milk when you’re running low. They’ve been saying that shit since “HTTP Push technology” was the exciting hip technology that was going to change the world. Let’s see, I’m sure I’m missing some, but the ‘hip technology that isn’t actually good’ list that I can remember would be…remote procedure calls…object oriented programming…then remote method invokes…client-server…Web 0.9 (everyone needs a single, static web page! Hosted on…Push Technology…Web 1.0 is around there, oh I know B2C….B2B…Java…XML…Web 2.0…Y’know what it is now? Virtualization. It’s got its uses, sure. But having one big box and virtualizing a whole bunch of little boxes in it means you still have to manage a whole bunch of little boxes – they just live in a big one. Actual consolidation is better – moving a whole bunch of related functions onto one big box. The idea that you can move around the images is definitely neat, and over time, we always reduce our attachment to the bare metal of our computers – virtual memory, virtual volumes (logical volumes in Windows and Linux), why not virtualize the machine too? I just don’t see it as a cure for all ailments, and it does increase single points of failure (unless you do it right, but most don’t). Okay, now I’m getting legitimately tired, I’m going to bed.

disconnected notes

#1) Job is going great. I’m really digging working for myself, and I’m making a very comfortable living, and I’ve even been able to carve out time for my own projects. Things are busier than I expected – but I’m sure that it’s “feast or famine,” so I’m trying to stay disciplined and keep taking the work as it comes in. The work is almost all consulting, very little programming. Lucky I didn’t buy that 17 inch Macbook Pro, that would’ve been pretty stupid.

#2) Exercise is….not going so great. My weight sorta hovers around the exact same place, no matter what I do. I’m getting really discouraged. I can try to move from cardio to strength training, but it’s all guesswork, and I have no clue what I’m doing. I think I’m going to have to really try and dig deeper into this one. Do some research. Actually track what I eat. Cut out the beer. Oh, the beer….what will I do without you? Sigh. At least with the new gig I almost never drink beer at home now, which is good. I do know the last time I stopped drinking beer for a few months, I did end up dropping a few pounds.

#3) There’s a Mac browser called ‘Stainless’ which uses the same multiprocess model that Google Chrome does. They say it’s a “technology demo only” but I’m actually using it as my day-to-day browser. I like it. We’ll see how much I like it once I’ve crashed it and lost some work.

#4) Veep debate. Palin didn’t do as bad as she could’ve. She said some ‘homey’ things which I thought was a good touch. I still feel like the Obama camp has this one in the bag, but you never know…

#5) Republicans vs. Democrats – or, more accurately, any partisanship – Democrats are fucking idiots for not properly looking at why they lost in ’04. They love to use the ‘go have a beer with’ theory – that polls say that people would rather have a beer with Bush than Kerry. That may be true, but that’s *not* why they lost. That’s just embedding liberal elite thinking in more palatable container – “The bulk of us in America are dumb, that’s why we lost.” No, that’s not why we lost. We lost because Kerry seemed not genuine, and Bush, though wrongheaded, seemed genuine. Genuine-ness is more important to people who aren’t jaded like us New Yorker Liberal Elites. Kerry seemed like he was the product of a focus group. Obama does not. McCain is starting to look that way. Too bad, the ‘maverick’ McCain (long dead, it seems) was interesting. I don’t think I would’ve voted for him, but definitely, more interesting.

#6) Words. With the mainstreaming of net-speak, some words that used to be no-no’s – that I was taught when I was, like, 10 years old not to use because they were derogatory – are coming back. Specifically ones referring to diminished mental faculties, and sexual orientation. And everyone I’ve met who uses them does so with a wink and a nudge, like they’re in on the ‘joke’, and they know what they’re doing, and don’t really believe the kinds of things that can be (simply) inferred from what they’re saying. But words have power. In your own brain, and other people’s. And if you keep allowing the association between <slang word> and <negative connotation>, you just may end up, subconsciously, reinforcing <slang word meaning> and <negative connotation>. And no matter how clever or smart or enlightened or…whatever you are, even if you can avoid that aforementioned trap, you could still inadvertently drop <slang word> in front of someone who is, or knows someone who is <slang meaning>. Is your vocabulary so limited that you must refer to things as ‘retarded’, or ‘gay’, or ‘fags’? You really can’t come up with anything else? I think you can. So stop it. It’s still offensive. Unless there was some memo passed around that I hadn’t read. And c’mon, there’s still cursing. There’s tons of mileage left in that – fuck shit motherfucker. Cock. See?