OSCON 2008 — Day 1
Last night was a late night. I was too amped up to get to sleep at a decent hour, but I finally managed to crawl into the fairly comfortable bed a little after midnight. The day started at 7:30, and the excitement was still going, so I actually leaped out of bed as soon as the alarm went off. Of course, I forgot to close the curtains in the room, so the beam of sunlight helped as well.
A short walk later brought me to the continental breakfast, and then into my first tutorial.
Testing with PHPUnit and Selenium
Presenter: Sebastian Bergmann
This talk was wonderful. It really helped me get a firm grasp on unit testing with PHP. I’ve done it a bit in a couple of Java classes, and I hated it because it was contrived and mostly worthless. The class didn’t explain to me why unit testing was valuable, so I missed the point. Perhaps the class and/or instructor just assumed the brilliance of the idea was self obvious. This presentation really helped me realize the value, power and importance of unit testing. The approach for using PHPUnit is quite easy, and when it is combined with Selenium, and a few other tools, the burden of cross-platform and cross-browser web testing becomes less onerous.
While learning about Selenium and PHPUnit, I had an epiphany regarding doing XSS pen-testing at work. My boss had given me the fun, yet daunting, task of developing provable, extensible and reliable XSS test cases. I think — hope — that combining PHPUnit, Selenium, some virtual machines, and different browsers, I’ll be able to produce some quality XSS pen-tests. If my idea works out, I’m wondering if a white paper (or longer document or OSCON 2009 presentation) could be written regarding how to combine these technologies to help secure an enterprise level, PHP-driven web application. This has made me even more excited to tackle this project when I get back to the office.
Sebastian was recovering from losing his voice a few weeks back at another conference, but even with this problem his speech was very clear and well projected. He did a great job of working through the presentation even though it was obvious that he was having issues near the end of the tutorial.
Links from this presentation:
- Sebastian Bergmann
- Sebastian Bergmann’s Publications
- PHPUnit
- Selenium
- Selenium IDE
- Selenium Remote Control
- phpUnderControl
After this tutorial, I had a quick lunch with a couple of people. One guy (don’t remember his name) worked for an IT government contractor that had 16 billion in revenue. I’m in the wrong business!!! The other was a fun woman to talk to who was a freelance IT journalist, and we talked Web 2.0, mashup, and other hot topics of the World Wide Web. I dropped a favorite phrase of mine during the conversation, and she really loved it. We swapped cards in case she wanted to quote me on it in an article. The phrase that I dropped was, “After the user makes a request, the web server ‘upchucks’ the page.” She loved the usage of “upchuck” in the sentence. Her name was Sandi Jerome, and I hope she’ll get in touch in the future. It’ll be neat to be quoted in an article.
Why do I call it “upchuck”? Well, I see it like this. The browser feeds a request to the web server, the server eats the request, digests it as much as it needs to, and upchucks the results back to the browser where it splatters on the screen of the user. Sometimes you get ugly looking stuff, sometimes you get things that look like a Rorschach test, and sometimes you get a beautiful work of art. Regardless of what the result is, I still use “upchuck” to describe the action of serving a page to a user (and I think I’ve been using that phrase for at least 14 years now.)
We were so busy talking that we lost track of time, and had to cut our conversations short in order to have time to get a drink and get to the second tutorial of the day.
PHP Extension Writing
Presenters: Marcus Boerger (Google), Wez Furlong (Message Systems)
This was a great tutorial for me since I’m a “semi-retired” C programmer that moved into full-time PHP/Perl/JavaScript. PHP is written in C along with all of its extensions, and this tutorial was all about writing modules (static or dynamically loaded) to extend the PHP language itself. I had a really great time in this tutorial, and I was a little down when it ended. I wasn’t down because I didn’t learn enough during the time. I was down because there wasn’t enough time for me to learn it all.
I’m going to have to do much more research down the road on this to see what more there is to it. (I can already hear the laughter at this next statement…) If I get the time, I’d love to find a PECL project in need of assistance, and see if I can knock the rust off my C skills by pitching in. Ok. You can stop laughing now.
Will this help me at work? Maybe. We have extensive PHP applications that are customer facing with huge APIs. With some well-targeted profiling (which I learned how to do last year at OSCON), there may be some (or lots) of these PHP APIs that could be moved into an extension rather than a “require()” statement in the code. Having the APIs loaded up in the PHP memory space, and running as C might improve the back-end performance of our customer-facing portal… or it might not. That’s why the profiling needs to be done first. A great quote from Donald Knuth is, “We should forget about small efficiencies, say about 97% of the time: premature optimization is the root of all evil.” Of course, he was talking about optimizing routines at the start of a design/engineering cycle instead of at the end where they belong when the functionality is working properly. The principle still applies here, though.
After the presentation, I approached Marcus and Wez to see what I could do to help out with writing extensions and maybe improving existing PECL projects. They told me to subscribe to the PHP internals list, and monitor the bug tracking system for things that I may be able to pitch in on. They seemed pretty excited to have someone that knows C and PHP as well as I do to pitch in and help. Again, this is a thing to do if I have the time (Hey! Stop laughing!) but could be really fun.
Once I was done pestering the experts on helping them do something that they can do in their sleep (hey, they need to sleep sometime, which is why they need help!) I had an hour and a half to kill before the Birds of a Feather (BoF) meetings started up for the evening. I spent some of that time typing up what you’re reading now, and then I ran out to get some food.
While down the block at Burgerville, I pulled out my freshly-purchased copy of Practices of an Agile Developer. I wasn’t far into it when someone asked if they could take drinks on to the MAX light rail. I told them that I had taken drinks on board without an issue, but I wasn’t sure if there was a policy against it. It turns out that it was a family that was attending OSCON, and the father saw my book, and about that time the son asked me where I got my OSI shirt. I told him that I had bought it at last year’s OSCON in the Expo Hall. He said that he would check them out and see if they were here this year. I didn’t have my Expo Hall Passport on me, so I couldn’t check at the moment to confirm. We talked for a few minutes about technology and such, and it turns out that mom and dad were there with their teenage son, Andrew. Andrew is the founder of Teens on Linux, which is a fairly new (about a year old) social networking site specifically for teens using Linux. I think it’s a great idea, and I went to the site just a few minutes ago to see about joining up to help teens figure out things about Linux and open source in general. However, the site says that teens are welcome to join, and I’m a little beyond those years. Andrew has a session on Thursday, and I think I’ll be able to get to it. I’ll talk to him then, and see if he minds me joining. If he doesn’t want a non-teen on his social site, I fully understand. He doesn’t know me from Adam, and there are lots of creepy folks out there.
Once I finished eating, I headed back to the convention center for the Birds of a Feather (BoF) meetings. The one that I wanted to go to didn’t happen because the organizer didn’t show up. I ended up wandering into a demo for a CMS called Concrete5 that is a fresh-from-the-womb FLOSS application. It’s very snazzy, and has some good looking features. I was the only person there asking the hard questions. Things like security, database support, security, themes, security, extensibility and more security. They had good answers for everything, but there were a few things that they stumbled on when it came to security. I did raise some awareness with them, which is a good thing. From the demo, I think I may use the system for another site that I’ve been trying to find the time to build (hey, sense a time-based theme here?) If I do put it to use, I’m going to hammer it with my ever-growing web-centric security skills, and make sure that the software is stable and secure. If not, I’ll find the holes, close them, and submit a patch like any good Open-Sourcer would. That’s what it’s all about, right? I know I may sound a little harsh on the Concrete5 guys in the security arena, but I’m that way with every web app. I know I also sound a little harsh on their answers to the security aspects of things, but it’s a fresh project (not even out of beta yet) so there are issues to be expected. It’s just a matter of finding the right people to do the right things, and release the right code before declaring the project non-beta. The Concrete5 guys are in the right place to find the right kind of people and ideas. The CEO of Concrete5 did tell me that if I found a hole in their system, that he’d throw a six pack my way. I think I’m going to take him up on his offer.
It was not late, but there wasn’t anything else going on that day that I knew of and I made sure to keep my ear to the ground for free booze. I decided to head back to the hotel, and finish up this blog writing. Once it’s done, I may download/install Concrete5 on my server, and beat on it for a bit to see what sorts of breakage I can find to earn that six pack.
Schwag Count (Not much, but that’s normal for a Monday.):
- 1 Cincom Smalltalk non-commercial version CD.
- 1 GLASS Virtual Appliance DVD.
- 11 Concrete5 stickers.
- 5 Concrete5 multi-screwdrivers. They’re pretty neat. They are about 5 inches long, and rectangular along the “tube length.” The rectangle is about 3/4″ x 1/2″. Each end has a screwdriver bit in it that is reversible from small-tip to large-tip. One is flat-head, and the other is phillips-head. Each end is also covered in a snap-on plastic covering that is clear, and one of the covers has a clip on it to allow it to hang from a belt or pocket. It’s pretty nice. I’m not sure who I’ll give them out to, but I’m keeping one for myself, and I’m going to give Shinto and my boss first dibs on the remaining four.
Schwag of the Day: The Concrete5 multi-screwdrivers are by far the best schwag. Yeah. They had weak competition today, but even on a good day, the Concrete5 schwag would have probably been the best.
Most Interesting/Unusual Person: I saw a fella walking around with three large-gauge piercings in each ear, a lip piercing, and wearing Converse shoes like the ones I wore when I was a high-school-skater-punk. Not too odd so far, but the fact that he was wearing a nice power suit along with the rest of the adornments was just too funny. I wished I could have gotten a picture of him, but there was no way to sneak one in with my cell phone inconspicuously.
Best Quote of the Day: Right at the start of Sebastian’s presentation there was a minor typo on a slide. The tutorial was about the testing framework PHPUnit, so his quip of, “There is no test framework for slides.” was quite funny. I got a good laugh out of it. Yeah. I’m that much of a geek.