10gen 10gone – MongoDB Inc is the new name on the door

From the “Well, that took a while” files, 10Gen have announced they are changing their name to MongoDB Inc. This heralds a new era of confusion between open source software and the company that develops it. MongoDB Inc says the 10gen name belonged to a time in the past (2007) when the company was going to build an open-source cloud stack and MongoDB was the data storage layer… well the rest of the stack didn’t arrive, people like MongoDB and that’s why they changed. So from now on we’ll have to use clumsy postfixes like “MongoDB the software” or “MongoDB the company”.

Of course, in a couple of years’ time when they have a whole new product emerging internally they will be kicking themselves that they made the product name the company name, but that’s the joy of rebranding. At least they remembered to put in clean redirection to the renamed site; there’s nothing worse than a rebranding which leaves the old name behind as a feast of 404s. Pity though… 10gen… 10gen… it sounded like a corporation in Blade Runner or Syndicate – I’ll miss it as a name.

Snippets: MongoDB’s Hives, Pure CSS and Inside Andy

MongoDB gets Hive: 10Gen have announced that the MongoDB connector for Hadoop has been updated so it now can work with the SQL-like queries of Hive over MongoDB data sets. There’s also support for MongoDB’s BSON (Binary JSON…yes well…) on Hadoop’s Distributed File System and incremental MapReduce jobs. There’s an hour long video on the connector’s features which covers the new stuff and what’s in the pipeline.

Pure Small CSS: The Yahoo UI folks have a project called Pure, which sets out to give you small (4.3K compressed and minified), 100% CSS modules of useful components extracted away from the YUI JavaScript. The most recent update was version 0.2.1 in July, but of note is the plan for Pure to go mobile first (like Bootstrap 3) in version 0.3.0.

Andy’s Insides: If you liked the classic T-shirt Exploded Andy you may well contemplate its sequel Andy Inside though the shipping to the UK adds $13 and puts the entire thing into the customs charges zone (Curses! And if anyone asks, I’m a 3X kinda guy).

Nanomsg 0.1 alpha shows potential

Martin Sústrik, one of the original developers of 0MQ, has been working on nanomsg since last year and has now announced that the project has reached its first alpha 0.1 release. Nanomsg offers a high performance implementation of a number of what are called “scalability protocols” such as one-to-one (PAIR), many-to-many (BUS), clustered stateless services (REQREP), publish and subscribe (PUBSUB), message aggregation (FANIN), balanced message distribution (FANOUT) and application state queries (SURVEY). These protocols are currently carried over three transport layers: within a process (INPROC), between processes on a system (IPC) or over TCP networks.

Designed to look like the BSD sockets C API to applications, written in C with no extra dependencies and licensed under an MIT/X11 licence, nanomsg has the potential to be an open standard within messaging. Sústrik has previously run into issues with making communication infrastructure code GPL and, in a January 2013 blog post, explains why those issues have sent him on the course of creating a permissively licensed messaging platform.

But it’s far from being just about the licensing. The change from ZeroMQ’s C++ implementation to nanomsg’s C implementation should mean less memory allocation and fragmentation. Where ZeroMQ had no formal API for plugging in transports and protocols, which led to stagnation in adding either, nanomsg has APIs for both. Sústrik says he’s also reworked the threading model, built internal interactions as state machines for easier development, added support for IOCP on Windows, moved to level triggered polling and implemented outbound traffic priorities.

For more on these, check the release announcement which also links to various detailed blog postings on the features, explaining motivation and function. Those scalability protocols – the plan is to get them standardised at the IETF opening the way for big things. Put nanomsg on your projects to watch and check out list; something big, despite the name, could well be happening there.

Riak CS 1.4 plugs into OpenStack

Basho have announced that the freshly available Riak CS 1.4’s highlight feature is better OpenStack integration. If you’ve heard of Riak but not Riak CS, CS stands for cloud storage and it basically builds on top of Riak’s capabilities to offer a highly available storage system with an S3 compatible API. Great if you want to get into the storage business or replace AWS S3 with your own systems.

With the latest release, you can now point Riak CS at the OpenStack Keystone authentication service where it can validate users and roles. The support for OpenStack, tagged as preliminary in the release notes, also includes support for the Swift API so Riak CS can take the place of OpenStack Swift storage.

There are also some performance improvements that exploit changes made in Riak 1.4. Riak CS was open sourced earlier this year under an Apache 2 licence. Source code is available on GitHub, binaries and documentation on the Riak website.

Snippets: Firefox tools, Ping’o’death and Cloud Fuel

  • Firefox sharpens tools: Mozilla just detailed the new developer features for Firefox 25, just going into alpha/aurora. These include the ability to “black box” common libraries so that they are no longer in the stack trace, an option to edit and resend network requests in the network monitor, CSS autocompletion in the inspector (huzzah!), in-frame JavaScript execution and profile data import and export. Set your timers, in 12 weeks these will be in stable Firefox.
  • Retro-vulnerabilities: Remember to do your Windows updates, because one cracker in the latest Patch Tuesday is a modern version of an old classic, the Ping of Death. MS13-065 notes pretty much all versions of Windows are affected by a denial of service when hit by a specially crafted ICMPv6 packet. Some folks are suggesting disabling IPv6 if not in use to reduce exposure to this kind of flaw. Details of three critical fixes and other patches are in the Microsoft monthly advisory.
  • Cloud Fuel: Mirantis just updated their Fuel deployment tool for OpenStack. Fuel 3.1 now has both its web based UI and command line tools in the one package, works with Red Hat’s OpenStack Platform and is able to run a health check on deployments. The Red Hat support was expected, what with Red Hat investing in Mirantis.

Proxies from Proxies: Did Apache really lose 5% web server share?

Yes, but no. GoDaddy didn’t swap Apache Web Server out for IIS resulting in the 5% drop observed by Netcraft and reported as a blow for the Apache Web Server elsewhere. As Netcraft say, the switch was from Apache Traffic Server (ATS), acting as a proxy, over to proxying with Microsoft IIS 7.5. When GoDaddy turned the Apache Traffic Server proxy on in May, after apparently testing it with content delivery networks in the previous months, 28.3 million sites appeared to be using ATS, numbers that were added to the Apache total, despite it not being Apache Web Server. This also made GoDaddy the operator of 99% of the ATS served sites out there. GoDaddy have yet to comment on why they switched to IIS 7.5.

The Apache Web Server numbers do appear to be trending down, but in 2009 it was at the same 47% share in raw hostname counting before rocketing back up. The raw hostname count and share is an interesting figure, but it’s counting a lot of dead ended sites managed by registration companies like GoDaddy and other services which use a proxy server to help front-end millions of sites behind them. This is why the graph flip-flops around like it does; one change in configuration at a major user of their proxy and boom, there’s a couple of million hosts just changed server. So deriving a proxy market share while counting these proxies is going to have a margin of error of “oodles”.

Back over in the working world though, Apache still holds 54% of active sites in the survey (number 2 is Microsoft with 15%) and 57% share in the top million (number 2 there is nginx at 15%). These numbers are better indicators, as they exclude the dead zones of the web, but they still count proxies. When reading these numbers, keep that in mind.

Money for null things – Google hits $2million in security rewards

Google has announced that it has passed the $2 million mark in the total amount of security rewards it has paid out. That’s a million for its Chrome/Chromium/Pwnium bug hunt and a million for its lower profile web application security programme. The former programme has been, predominantly, the headline grabber with headlines galore when the various cracking competitions kick off, but it’s the money paid out to the web application security programme which is more interesting as it demonstrates that a web surface is a rich seam of vulnerabilities waiting to be mined.

That should provide a wake up call for web application developers outside Google – if Google’s seams are that rich, how many vulnerabilities do you have in your own code? Don’t panic over it though; start engineering in better processes to check and test, and think about rewarding responsibly disclosed vulnerabilities yourself, if you can afford it. In the comments, Google’s Eric Grosse says that $2M is “very reasonable compared to the security value received” but does note that anyone planning reward programmes will need a well-staffed internal security team to triage and act. He also suggests that top reporters on such programmes would make top candidates for such a team.

But also remember that, even though these programmes exist, like a gun amnesty only some of the guns get handed in. There are companies who will happily stockpile vulnerabilities for sale to government agencies, for example, and for the really good holes, they do pay well. That Google are upping their rewards again, by up to 5 times for Chrome/Chromium bugs, vividly indicates there is a market at work.

Snippets: SDL 2.0, Perl, PingFS

SDL 2.0: Version 2.0 of SDL (Simple DirectMedia Layer), the widely used zlib licensed library which offers a Windows, Mac OS X, Linux, iOS and Android library for driving graphics, audio and input has just been announced. New features, and there’s a lot, include 3D hardware acceleration, support for OpenGL 3.0 and ES, support for multiple windows, displays and audio devices. The Migration Guide has all the details. You can get the source and binaries from the download page and find all the other documentation on the wiki.

Perl update: Perl 5.18.1 has been released by the developers just two months after the release of 5.18 in May of this year. The developers have December pencilled in for 5.18.2 and are aiming for May 2014 as the arrival date for Perl 5.20.0.

PingFS: Described as “like holding up the clouds by swatting the rain back up”, PingFS is a strange project which uses Linux and Python to create a filesystem which is transmitted over the network in the form of ping packet payloads which are bounced back and forth, and so the data isn’t actually stored anywhere.

Snippets: AOSP, Google Cloud, PuTTY, gNewSense and Mozilla updates

  • AOSP – Android’s open source problem: JBQ announced yesterday that he was stepping down as Technical Lead for AOSP, the Android Open Source Project. The problem appears to be a combination of Qualcomm’s desire to keep control of its SoC drivers and Google’s inability to shake them of that view despite building Nexus devices which use Qualcomm chips. JBQ has found himself in the middle of this and recent tweets quoted by Android Police seem to bear out that the pressure was getting to the AOSP leader who was being blamed for not getting factory restore images of various Nexus devices out of the door. If Google can’t do it for their own devices, the questions about Android’s open source credentials will come to the fore.
  • Google Cloud: The platforms of the Google Cloud have had some updates. Google Compute Engine now has layer 3 load balancing as an option, with balancing over a set of healthy Compute Engine VMs in a region. Google Cloud Datastore now has an SQL styled Google Query Language, support for metadata queries and how-tos for Ruby developers. Over on Google App Engine, the company has also made improvements to the PHP runtime’s Cloud Storage along with other more general changes.
  • gNewSense: Version 3.0 of the “Free as in freedom” (no non-free elements) GNU/Linux distribution gNewSense is now available. The big change with this release is a switch from Ubuntu to Debian as the base distribution. It supports i386, amd64 and mipsel architectures (the latter being the CPU of the Lemote Yeelong notebook as previously used by Richard Stallman until it was stolen).
  • More Mozilla updates: Firefox ESR 17.0.8 also arrived earlier this week with 2 critical and 6 high severity holes fixed. Details are on the advisories page for Firefox ESR and the downloads page. The same set of vulnerabilities is also fixed in Thunderbird ESR 17.0.8 (downloads here). Seamonkey, the forgotten browser suite, also got updated to version 2.20 with the same security fixes and enhancements that were applied to Firefox 23. It can be downloaded by anyone who wants to recall the heady days of the all in one browser suite.

Linux 3.10 is this year’s Long Term Stable kernel

Greg Kroah-Hartman, master of kernel stable releases, has declared Linux 3.10 to be this year’s long term stable kernel. That means he’ll keep releasing patches for it for “at least two years”, so folks putting together Linux distributions or products based on Linux can count on 3.10 for two years without a need to hop up a version or two to get a fix. Kroah-Hartman also mentions that LTSI, the project which manages a stable patchset for Linux in consumer electronics, is rebasing on 3.10 too.

What’s in 3.10? That’s where we point you to Thorsten Leemhuis’s “What’s new in 3.10” to give you some background.