Developer Catchup: Synchronous Node, Serviced Polyfills, Sparks Sparked, Tangrams Mapped and SHAaaaaaa!

Node.js synchronously: Node.js is sweet if you can adapt to the asynchronous model of start thing, say what you want to do when its done, do everything else anyway. Good for web request handling but bleh for trying to emulate a shellscript. Turns out that in Node.js 0.12 (coming soon? anyone? Bueller?) we get synchronous child processes to now you can run that curl or find or whatever and just wait till its returned with its results. The folks at Strongloop have written about these synchronous child process methods and how they make writing command line utilities in Node easier. Check it out Noders.

Serviced Polyfills: Polyfills fill gaps in browser functionality and standards compliance. The older the browser, the more Polyfill you need to fill the gaps and the newer, the less. But it gets hard working out how much Polyfill you are going to need. Fear not, as Samuel Giles at FT Labs has an answer, “Polyfills as a Service“. Add a simple script tag pointing at a source from the polyfill.io content delivery network to your pages and whatever browser views your page, it gets the polyfill it needs. This is because the system sniffs the browser agent and works out the best set of polyfill based on that. Neat idea, potentially very handy – and you can run your own private version if you need to.

Spark sparks: Apache Spark just got a 1.1 release. Spark is Hadoop data processing engine which can run on YARN-based Hadoop clusters or in standalone mode. Spark 1.1 improves the performance (and they already say they are up to 100 times faster than Hadoop MapReduce) and has SQL layer enhancements. 1.1 also adds more statistical functions, can take steaming data fromAmazon Kinesis and pull data from Apache Flume and more. If your into clusters and data crunching and haven’t looked at Spark, you might want to look into it.

Tangram Mapping: Do you want to render cool 2D and 3D maps? Check out Tangram, a Mapping Library then as it is building out from a WebGL implementation to other OpenGL platforms to make oodly cool dynamic map renders. Very slick.

SHAaaaaaa!: We mention the Google sunsetting of SHA-1 the other week. If you were unsure why this was important, can we send you off to Why Google is Hurrying the Web to Kill SHA-1 which explains why it all and includes a brief history of collision attacks in the wild.

Just released: Socket.IO 1.0, Git 2.0 and OrientDB 1.7 – Snippets

Socket.IO 1.0: Socket.IO has hit version 1.0 – the Node.js and browser library which started life as an implementation of the WebSockets interface and has gone on to “become the EventEmitter of the web”. The 1.0 release and changes are broken down in a blog posting, the first on a newly redesigned, and much more useful, Socket.IO website. In brief, modularisation, tighter code, binary support (so you can emit blobs and buffers), automated testing, better scalability using redis, more integration (including PHP support), better debugging support (and silence by default), sleeker APIs and CDN delivery. And the future plans include handling Node.js streams, Socket.IO support in Web Inspector and Firefox Dev Tools and more language and framework support. A splendid tool to have in your arsenal.

Git 2.0: The distributed version control system which made distributed version control systems cool before even version control could be cool, Git, has reached version 2.0. In the announcement of the new release, there’s a long list of all the changes and notes on backward compatibility. The 2.0 release has been anticipated by the developers for a while so a lot of ground work had already been done in previous 1.x versions making the 2.0 release look more like a minor release than a major version bump but there’s still plenty of changes and a foundation prepared for future changes. On that subject, there’s a promise of a shorter release cycle for the next release as delays have meant a number of features ‘cooking’ for longer in the ‘next’ branch.

OrientDB 1.7: Version 1.7 of the Document/Graph/Sql/NoSQL database OrientDB is available. The announcement for 1.7 notes better perforamnce, new clustering options, support for SSL and sharding, simplified configuration, new SQL commands including parallel queries, plugins for Lucene-based full text searching and more. There’s an Apache 2 licensed community edition of the database and commercially sold and supported professional and enterprise editions.

Scientific Linux, Bootstrap and all your base methods belong to Base – Snippets

Scientific Linux 6.5: Scientific Linux has announced an update to version 6.5. SL, as it is also known, is a Linux distro based on the sources distributed by Red Hat for their Red Hat Enterprise Linux produced at Fermilab and CERN. With CentOS being brought closer into Red Hat’s ecosystem, SL may be the new barometer for the health of the Red Hat code outside the company. Anyway, the release notes mostly point you to a copy of the “Upstream Vendors” version 6.5 notes, though they aren’t on the SL servers yet. (The original notes are here).

Bootstrap 3.1: Bootstrap, the responsive mobile-first framework which also makes it easier to get a site or web application up and running, has celebrated the release of version 3.1. It comes with new documentation, an official SASS port (in a separate package), new examples and everything now under an MIT licence.

All your base methods belong to Base: It’s a sick and twisted world out there and Base is my kind of sick and twisted: there’s lots of great Ruby base classes so Base.rb includes all their methods. The best part is the license – “Distributed under the union of the terms specified by all current OSI-approved licenses. In the event of a conflict, a die is to be rolled.”

Node-RED’s cool GUI for the Internet of Things

Node-RED and a quick IRC bot flow

The latest version, 0.5.0 of IBM’s Apache licensed, incredibly useful and very cool Node-RED has landed but before going further, I suspect a lot of readers will want to know what Node-RED is.

There’s usually a lot of connecting of things involved with making the Internet of Things do something useful. Whether it be detecting messages on Twitter, listening to IRC, watching a Websocket or grabbing a web page, each source then needs to be processed and if required make something happen. Now, you can write a lot of code to do that or you can check out Node-RED. Billing itself as a “Visual tool for connecting the Internet of Things”, Node-RED is built atop of Node.js and offers a graphical world of IoT building blocks in the browser for you to wire up as needed and test.

Those building blocks, nodes in Node-RED, start with the simple, inject to send something, function to process it using JavaScript and debug to see what is being sent. They then build up to more powerful capabilities such as Http requests, MQTT subscription and publication, WebSocket listening and writing, tcp and udp comms and sentiment analysis. To connect up to social networks, nodes for Twitter and IRC listening and publishing are included. There’s also file storage, logical switches, data manipulation and delay nodes and, for the brave, even a node which will exec a process on the system.

Each node can be placed, configured and its outputs connected to other nodes inputs in the Node-RED GUI, and with the click of the Deploy button, put into action. New nodes can be created and plugged into the system too and there’s a repository of user created extra nodes available.

But, you say, where’s the Internet of Things in this? Well, Node-RED is able to work with Arduinos (connected via USB to host computers over serial or Firmata protocols) or run directly on Raspberry Pi (with GPIO and wiring-Pi modules) and the BeagleBone Black (with BoneScript access). And, obviously, you can write your own plugin nodes to connect up whatever hardware or devices you need to access.

Node-RED is a very capable tool and worth adding to your toolkit. For example, while writing this I was also prototyping an IRC bot which did basic sentiment analysis and commented in the channel. Why not give it a go over the coming holidays? You can download Node-RED from the website or you can find it on GitHub. Documentation including a quick tutorial on creating flows, along with instructions on writing function nodes, creating new nodes, embedding Node-RED into existing applications and running it with Arduino, Raspberry Pi and BeagleBone Black.

The latest version, which we mentioned at the start, has new visuals for showing the deployment state of nodes and handles the idea of “unknown nodes” visually when importing a flow from someone who’s used nodes you haven’t got yet. There’s also new user and direct message tracking in the Twitter node, session aware TCP and WebSocket nodes, enhancements to the MQTT node for authentication and client ID, an “otherwise” option in the Switch node, selectable data delimiters for the serial node and a HTTP Request node that follows 301s. The contributed nodes now include a Snapchat node and a Phillips Hue mode.

The Node-RED developers are now looking at making new nodes installable with npm, Node.js’s package manager, and tackling the separation of the administration UI from the runtime so it’s more easily deployed into future production scenarios.

Fedora 20, Meteor 0.7.0 and hacked Linux servers examined – Snippets

• Fedora 20 arrives: The latest Fedora has arrived, making it into 2013 and looking pretty good. There’s oodles of changes too. Desktop users will find GNOME 3.10 is the default desktop but there’s also Cinnamon 2.0 and Enlightment available, along with the latest KDE 4.11, MATE and others. Under the hood, system administrators will find syslog gone, replaced by journald, and experimental SSD caches, while developers are getting a GUI on Fedora’s DevAssistant, updated Perl, boost, glibc and Ruby 2 with Rails 4. The full release notes will guide you around. We’ve been tracking 20 since alpha, running it on machines here and its been working well – the one thing we haven’t checked out is Fedora 20 on ARM given ARM is now a primary architecture for the distribution. Download Fedora 20 in all its forms from the project’s download page.

• Meteor gets update smarts: The latest release of the https://www.meteor.com/ platform for web applications has moved to a smarter way of working out database changes. Meteor 0.7 changes how changes in the database are discovered, away from polling the db and creating a diff and to a technique called oplog tailing – consuming the underlying MongoDB operations log and using it to reduce the queries that have to go to the database. There are caveats, most notably, in production you’ll need a MongoDB server configured as a replica. More details on this and other changes in 0.7.0 are in the release notes.

• Hacking Linux Servers: Ars Technica has an article on how a security researcher documented the exploitation of a Linux server with PHP holes and a perlbot. It’s a reminder that attack tools for taking on Linux servers are no longer obscure or complex things and even a script kiddie can do real damage. Old holes do persist in the wild and every old, fixed hole is ready for exploiting. Now, more than ever, keeping your servers up to date with security fixes is essential.

H.264 is heading to Firefox… is it an EME dry run?

Cisco and Mozilla have made an announcement – Cisco will open source an H.264 implementation and Mozilla will incorporate support for a binary version of that open source code in Firefox in 2014. But what’s behind this move…

Firefox has wrestled with the H.264 video bear for some time now. Initially Mozilla took the position that there’d be no patented royalty-bearing standards implemented in Firefox and eschewed H.264 support in HTML5’s <video> tag for Google’s VP8-based WebM. This idealised position didn’t really get traction though and slowly the resistance to H.264 dropped, first on Android and then on Windows, with the removal of blocks which stopped system-level H.264 codecs that were already installed on the host operating system being used to play H.264 content. But on Linux, for example, where there was no system-level codec for playing H.264 by default and design, there was still no way to play H.264…

So that left Mozilla in an odd position of having a browser that may or may not be able to decode H.264 depending on platform. What would work is if Mozilla could lay its hands on an open source implementation of H.264 and then incorporate that into Mozilla. But that would trigger MPEG LA’s royalty gathering. And so Mozilla was at an impasse.

Until today, when in the synchronised “dance of the contribution”, Cisco first announced that it was releasing an open source (BSD licence) implementation of H.264 called OpenH264. Cisco’s motivation here is to get H.264 as the standard for interoperable web video in WebRTC for conferencing, which is dear to Cisco’s heart and business. Open source gets you so far, but Cisco needs H.264 in browsers like Firefox without passing on the costs. Cisco has said it will do that work by releasing binary modules of the OpenH264 codec and it will take the royalty cost on.

Ah, but how will it know how much distributing those modules will cost it when the MPEG LA chaps turn up for an audit? Brendan Eich, Mozilla CTO, explained that Mozilla won’t be bundling this binary module with the code. When Firefox needs the module, it will download it from Cisco and save it. Other apps will also apparently be able to make use of this downloadable module too. Eich does note that Firefox will still need AAC codecs on similar terms to the H.264 codec to complete the “industry de facto” stack for video and audio.

But here’s an interesting point. The debate about EME, the Encrypted Media Extensions for HTML5, has centred around the idea that the open web, and open web browsers, would be harmed by the presence of possible patent bearing, definitely closed source modules to perform encrypted video decoding. Now, here’s Mozilla, albeit with a different area of technology, working on how to include a platform-appropriate binary module into Firefox at runtime, as needed. It’s almost like a dry run for how EME decoders could be transparently downloaded and run. And that would be one less road-block for EME. Of course, this could also be the last thing on Mozilla’s collective mind, but the incorporation of an automatically downloaded binary module into Firefox will be a landmark in the history of the staunchly open source browser.

EOL for Python 2.6, Docker Inc and more iconic fonts – Snippets

• Python 2.6 signs out: Python 2.6.9 is the last source-only security fix release for the Python 2.6 family. The 2.6.9 release sees 2.6 officially retired after five years in the field. If you are still running 2.6, UPDATE! At the other end of the scale, Python 3.3.3 got its first release candidate with full support for Mac OS X 10.9 Mavericks.

• dotCloud becomes Docker Inc: Acknowledging how important its Docker container software has become, dotCloud has announced it is becoming Docker Inc. The platform-as-a-service business of dotCloud will be maintained, but the company’s resources are going into Docker, Docker services and building out the Docker ecosystem.

• More icon fontage: Bootstrap is not alone in having a fine icon font for its graphical imagery. Say hi to Ionicons, created for the Ionic front-end framework. Very stylish, and MIT licensed open source.

MongoHQ’s security breach holes others

If you were using MongoHQ‘s SSD backed MongoDB hosting, be prepared for them to be in touch as they’ve been at the sharp end of a security breach. But it’s not just direct users of MongoHQ’s services that should be concerned – users of services which make use of MongoHQ need to put on their worrying hat too. For example, MongoHQ hosted Buffer‘s databases and that has been cited as the cause of the  social media connector’s security breach. Another company, cloud based continuous integration specialists CircleCI, has also been compromised and issued its own security advice (through a statuspage.io supplied status page which as I write, has fallen over). They probably won’t be the only ones either.

With an interconnected set of reliant services, the services at the bottom of the stack are often the ones which have the biggest target on them. To draw a parallel, if you want to make the Jenga stack fall over going for the bricks at the bottom is a good strategy. Hitting popular data-service providers in the cloud pays big for an attacker; an original target may come with many bonus victims and the ripple out of awareness of the compromise can provide a bigger window for the attack to fill its swag bag and make out through the window. Which is why, when you are looking at a service provider in the cloud, you need to make sure they have good defences, an effective monitoring system and a notification system which lets clients react quickly… and that’s not a “service status page which updates regularly”. It’s the same list you should have for your in-house and condensate* systems too.

* systems that use cloud technology but aren’t actually up in the cloud.

Beta Ceylon, VLC 2.1 released, Whois research and Retro-browsing – Snippets

• Ceylon goes beta: Red Hat’s own JVM-hosted language, Ceylon, has been declared feature-complete and released as a 1.0 beta. There’s a formal language spec, command line tools, SDK and a beta of an Eclipse based IDE for Ceylon too. Lots of language features have been added coming up to beta, including annotations, static methods, try for resources, switch statements that know strings and characters and more.
• VLC 2.1 debuts: Every coder needs a video player that can handle any format. Thats my excuse anyway and here’s the newly released VLC 2.1 arriving to fill in the latest gaps in my playback capability. A new audio rendering pipeline, OpenGL ES support, new ports (Android from 2.1 to 4.3 for ARM, x86 and MIPS and iOS 5 to 7), a partial WinRT port, Microsoft Smoorth Streaming, support for VNC/rfb and remote desktop view-only modes, lots of new hardware decoding support on OS X, Android, Linux with VDPAU and Windows QuickSyncVideo. Oh yes and there’s the foundations for UltraHD support. And developers will find the code is amenable to integration with more software due to libVLC (and most of the modules) being under the LGPL2.1+.
• Whois Privacy: An interesting study of whois and the identity proxies used to cover the identity of owners. Interesting in that the idea that only those with something nefarious to hide may use the obfuscating services is blown out of the water – “for example banks use privacy and proxy services almost as often as the registrants of domains used in the hosting of child sexual abuse images; and the registrants of domains used to host (legal) adult pornography use privacy and proxy services more often than most (but not all) of the different types of malicious activity that we studied”. Fixing Whois is going to be harder than we thought.
• Browse like its 1992: Cern have launched [Line Mode Browser 2013], an emulation of 1992’s line mode browser, using Node.js and modern browser technology to recreate the glow green matrix of terminals of that era. You can find the code on GitHub.

Mozilla’s font, Fedora’s alpha, Java’s fixes and Gstreamer’s flow – Snippets

• Mozilla’s Fira font: Mozilla has released a new open source (SIL Open Font Licence) font called Fira Sans. This is the Firefox OS typeface and comes in light, regular, medium and bold weights. There’s also a monospaced variant in regular and bold. Source for the font is available on GitHub.

• Fedora 20 Alpha: On schedule for the revised schedule, the alpha of Fedora 20 has been released. As previously mentioned, and in the announcement, there’s lots of updates and enhancements including ARM as a primary architecture, latest GNOME and KDE, the undefaulting of SendMail and Syslog and a better NetworkManager. It’s ready to test and you can download the Alpha images but don’t press them into production for the worst that could happen will probably happen. Or not. Next stop, the beta release at the end of October.

• Java Fixes and Pitfalls: Will Dormann,the author of the CERT Blog posting Don’t Sign that Applet has returned to the subject pointing out, in Signed Java Applet Security Improvements, that although applets running on Java7 before update 25 could be repurposed, that problem was addressed in Java 7 Update 25. In Update 25 though an applet can declare it must be executed in a sandbox and can be made to restrict where it loads code from. But you do need to be running update 25 or later (the current update version is 40) and Dormann does point out some gotchas which a developer needs to dodge for this change to be useful.

• GStreamer 1.2.0 flows: The developers of the LGPL-licensed multimedia framework GStreamer have released version 1.2.0 of the framework with new API features, plugins for Microsoft Smooth Streaming, DASH adaptive streaming, bluez interation, openjpeg for JPEG2000 support, experimental VP9 encoding and decoding and many others.