Wednesday, December 27. 2006

The state of PHP security (LWN article)

One of my favourite online publications, the Linux Weekly News, recently published an article called The state of PHP security. Given Stefan's departure, the great taint debate, the addition of ext/filter in 5.2.0 and all of the associated security changes in both the 5.2.x and the 6 branches, I settled down to enjoy a nice pre-Christmas read. I was hoping for some provocative thoughts about the direction that PHP has been taking for the last six months or so in the arena of security. Unfortunately, I was greatly disappointed.

Beyond using Stefan's departure as a kicking-off point for the article, the author didn't even mention any of these issues. Instead, he simply rehashed the history of PHP design missteps (magic_quotes, register_globals, allowing URLs in include) and noted that many PHP tutorials rely on dangerous practices.

What bothered me the most, however, was the author's decision to paraphrase a quote Rasmus gave in an interview from 2002 without explicitly noting that the quote was from 2002. The sentence in the article, talking about register_globals, is:

"It is an extremely dubious feature, but one that PHP creator, Rasmus Lerdorf, seems to think should have been left on by default."

Would it have been too much for the author to have actually asked Rasmus if he might have changed his mind in the past five years? Or perhaps the author could have done a little more research and dug up the PHP 6 planning meeting minutes that state that register_globals and magic_quotes were going to be removed entirely from the language. Instead, the author concludes with the following statement:

"Security seems to fall somewhere below simplicity in the minds of the PHP language developers; that makes it more difficult to have secure PHP applications. Security is a hard problem and any attempt to 'dumb down' a language is likely to run into security issues. Encouraging amateur programmers to write web applications is unlikely to produce secure code in any language, but by providing tutorials and examples that have glaring security issues and by not concentrating on teaching secure coding, PHP makes it that much worse. A great deal of useful code has been written on the PHP platform; it would be nice to find a way to keep that code coming while simultaneously making it more secure."

The first sentence in that statement is the most damning of PHP developers, but it entirely ignores the evidence exhibited in the changes we've seen in PHP 5.2.0 and that are in the works for PHP 6. The third sentence, oddly enough, attributes the existence of "tutorials and examples that have glaring security issues" to PHP itself, as though the language itself or the core developers of the language have the ability to prevent insecure tutorials from being published.

So I launched into the fray and attempted to right those injustices, perhaps a bit too passionately -- but so be it. I've been pretty quiet in the PHP world for the past while, outside of my little PEAR projects, but I still care about the language.

If I can glean anything from this article, it suggests that it might be a good idea to revamp the php.net landing page and documentation a bit to try to highlight tutorials that teach developers how to write secure PHP applications. Right now the landing page is largely a bulletin board for events. It might benefit, say, from a prominent and permanent link to the PHP Security Consortium (if that project is actually still alive -- the last posted article dates back to March 2005). We may also want to improve the visibility of the security chapter of the manual (although briefly revisiting the section on SQL injection suggests that we need to revise it to encourage the use of PDO and placeholders).

Sunday, December 24. 2006

"We want Amber! We want Amber!"

Okay, okay...
I've heard the complaints (which have been streaming in over the past couple of weeks). The general tone is something like this:

"So I've been checking this site that is dedicated to celebrating all of the wonder that is Amber, and all I've seen is a bunch of beep blippity boop database beep doo bloop library bip blop open source blippity bleep which I couldn't care less about. I want to see some pictures of Amber! Where are the pictures of Amber?"

May I remind my gentle readers that, should they wish to defend their fragile eggshell minds from my ruminations on the techno-info-library-drivel that fills up my working days, there is a link on the right hand side of the page which allows you to only see blog posts about Amber. You can bookmark that link and never read another word about Apache Derby, PHP, or MARC... unless, of course, Amber decides to follow in Daddy's footsteps. Which, given her interest in bashing at the keyboard, seems entirely possible.

I'm afraid I can't do too much about the (in)frequency of postings. My natural anti-social tendencies can only be suppressed so much. And, just to implicate Lynn, I have offered to show her how she can post entries to the blog multiple times now... for some reason she prefers to send the occasional email pretending to be making up for my own lack of effort in keeping family and friends up to date on Amber. Err, umm... I love you honey!

Anyhoo, we do happen to have one or two photos of Amber from the last couple of months that you might be interested in.

Friday, December 22. 2006

Musing about SirsiDynix's new investment partner

Sirsi Corporation merged with Dynix Corporation in June 2005. Now SirsiDynix has announced that Vista Equity Partners is investing in their company. Let's take a look at Vista's investment philosophy:

"We invest in companies that uniquely leverage technology to deliver best-of-class products or services."

I wonder if Vista confused "most market share" with "best-of-class" in their analysis. Given SirsiDynix's two flagship library systems, Unicorn and Horizon, it seems unlikely that they're talking about Unicorn here. True, you could say that Unicorn has "leveraged" decades-old proprietary technology, but it is Horizon that seems to be getting the real facelift these days based on modern technologies like Lucene.

"Our investment philosophy is to enable good businesses to achieve their full potential. This starts by selecting well positioned companies with attractive market dynamics, aligning the interests of management with those of shareholders, and reducing unnecessary distractions."

Hmm - "enable good businesses to achieve their full potential". Well, at least Vista recognizes that SirsiDynix could be doing better. But wait: "attractive market dynamics" suggests that Vista sees SirsiDynix as holding the most market share in a relatively small market with institutions that are seen as having deep pockets (gee, look at all the books those libraries buy and electronic resources to which they subscribe -- they can afford a 10% hike in support fees per year!) and a reluctance to face the pain of migrating to a different software platform. In short, SirsiDynix's customers are ripe for the picking. And, quite possibly, Vista sees opportunity to acquire a few more customers from shakier library products like Voyager. At least, those customers who have not already decided to join forces with an open-source solution like Evergreen.

"Aligning the interests of management with those of shareholders" suggests that SirsiDynix management hasn't been doing a good job to date of delivering profit and growth to their shareholders. Well, you can increase profit by offering a leading product that enables you to grow your market share -- or you can crank up the margin on your existing products by increasing prices and cutting overhead... overhead like customer service people, or developers.

Now, it seems that SirsiDynix isn't a publicly traded company, so it doesn't really have shareholders at the moment. I can't imagine that Vista would be trying to prep SirsiDynix for an IPO -- there just isn't enough potential for growth to justify shareholder interest in this company -- so I'm going with "plump up the profit margin in preparation for a takeover". I'm basing this largely on the last bullet in the last category of Vista's investment philosophy (from Who we fund):

"While our portfolio companies need not fit a specific profile, many of our prospective investments have some common characteristics including:"

The most pertinent characteristics here are probably "recurring revenue business model" (the revenue from annual support fees is certainly attractive), "favorable customer characteristics" (due to our service focus, most libraries are pretty conservative about foisting a new search interface on our users and therefore unwilling to turn to a different product simply because the fees our vendor charges will increase), and "potential for high margins" (read: charge what the market will bear, just short of extortion).

You heard it here first: expect lots of news from SirsiDynix in 2007. I'm predicting more service fees (100% confidence), increased annual support fees (100% confidence), and the beginning of the end of Unicorn with an announcement that Horizon is the strategic product for new development efforts going forward (75% confidence). I'll go out on a limb and say that a merger or acquisition of SirsiDynix in 2007 is unlikely (33% confidence), but after proving their new business strategy and the nice spikes on their revenue and profit charts, I'll say that it's quite likely in 2008 (80% confidence).
Now, if I had the deep pockets of an equity firm, I would be investing in the Evergreen team; there's a core organization with low overhead (4 developers!), a proven product, and amazing potential for growth in the library market. But alas, I'll just have to cheer them on from the sidelines.

Monday, December 11. 2006

Java 6 is out; now including JavaDB (aka Apache Derby)

A quick little note to mention the official release of Java 6. "Okay, Dan, but why do you care?", you might ask. Good question, oh person-who-does-not-read-headlines. The reason I care is that Sun chose to bundle Apache Derby in this release -- take a peek in the /db/ subdirectory of the Java SDK. Bundling Derby is going to mean a huge boost to the visibility and usage of the little Java database that could. It will be the de facto default database for Java developers; and if they haven't already used it, I suspect they're going to be pleasantly surprised at Derby's robustness and ability to perform.

I was chatting with a few of the DSpace developers a week or so ago, and mentioned my hope (in all my spare time) to port the DSpace institutional repository to Derby as a possible default database. Right now, you see, the default database for DSpace is PostgreSQL, and unfortunately correctly configuring PostgreSQL seems to be the biggest barrier new users encounter while deploying DSpace. Switch to an embedded Derby database, and those headaches go away. On the other hand, it seems that at least one of the DSpace developers has done a bit of experimenting with Derby in the past, as he claimed its performance suffered after 500,000 rows of data or so. Well, even if that is an insurmountable limit, that's a pretty good start for most institutional repositories -- and I suspect that the Derby developers would be highly motivated to show that Derby can, in fact, scale beyond that limit.

So, if you're a Java developer or dabbler, get on out there and give Derby + Java 6 a try. You're going to have a lot of company. Oh yeah, and if you need a good book on Derby...
About Me

I'm Dan Scott: barista, library geek, and free-as-in-freedom software developer. I hack on projects such as the Evergreen open-source ILS project and PEAR's File_MARC package. By day I'm the Systems Librarian for Laurentian University. You can reach me by email at dan@coffeecode.net.