afongen

The chapter page on the OWASP web site seems to be strangely difficult to get updated, so let me spread the word here.

The November meeting of the Twin Cities OWASP chapter has been scheduled for next Tuesday, November 8, at the Golden Valley Library. The library is a block or two north of the intersection of Winnetka and Highway 55, at 830 Winnetka Avenue. (map) We will meet from 6 to 7:45 PM.

This month, Gunnar Peterson will head up the agenda with a report on the OWASP App Sec Conference, and a recap of his presentation there on “Integrating Identity into Web Applications: Overview of issues and risks related to identity services in web and n tier applications.”

I recently finished Bruce Tate’s Beyond Java, a book every Java programmer should read. Especially those who havent worked much with other languages. I should say right now that I probably feel this way because it validates much of what I’ve been arguing from years, from the perspective of someone deep inside the Java world.

Recent comments here should make it clear that Java and I aren’t exactly on speaking terms. It isn’t so much the language as all the deadwood that’s built up around it. A coworker and I recently spent a day reorganizing a legacy codebase so we could use Eclipse as an actual IDE instead of just a big, slow text editor. About half the day was spent figuring out the XDoclet used to build the app. And it dawned on me: we’re using XDoclet to generate all this code that doesn’t contribute meaningfully to the application, but rather is required scaffolding to maintain the EJB framework. Code generation has its point, but when you have to then maintain that code … ugh. I’m watching my team struggle to produce web apps in a timely fashion, held back not by the difficulty of business problems, but by the bulk and complexity of J2EE programming. We spend more time in care and feeding of the framework than we do writing application code. That just doesn’t seem right.

Bruce Tate makes a convincing argument that Java is at a point where it can either rally its forces and continue on with renewed vigor, or be overtaken by a new contender(s) with programming models that support more rapid development and match business and programming needs more closely. He doesn’t seem all that hopeful for Java.

Tate is almost reluctant in this. Java has been good to him. A best-selling author with a successful consultancy, he is very much at home in the Java world. So to give Java its fair due, he walks us through its history, identifying the roots of its early success: wooing C and C++ programmers to a better programming experience. But now, he argues, Java is moving away from its base, expanding in strange and poorly planned directions (e.g. generics — perhaps useful, but poorly implemented), growing an ever-larger stack of technologies necessary to even function as a Java programmer. Java is effective for system or middleware programming, but failing as a language for writing applications. Other languages — Python, Ruby — are gaining popularity because they let programmers do their jobs faster, better, writing less code to do more.

He points out what still surprises many programmers: while we discover that dynamic typing is quite effective and not that dangerous, the changes made to Java only reinforce static typing (e.g. generics). I, for one, am tired of spending my time worrying about such details that do not demonstrably contribute to the effectiveness, correctness, or functionality of my apps. Static typing ain’t it.

To supplement his own arguments, Tate includes interviews with Java luminaries who are moving away from the platform or who at least take serious issue with some of the sacred cows of the Java world. I was particularly tickled by the inclusion of James Duncan Davidson, who brought us both Tomcat and Ant — and no longer works with Java. Steve Yegge’s explanation of how he took months off from development to figure out what was slowing him down, to discover that it was Java itself.

(Elsewhere, David Geary of JSF fame identifes several Java “connectors and mavens” who have adopted Rails. Worth noting by those who would dismiss the hype.)

The concluding chapters explore what Tate thinks might characterize languages that steal Java’s thunder, paying close attention to Ruby, Ruby on Rails, and continuation servers like Seaside (which I’d never heard of but which intrigue me). He dismisses Perl and PHP for what I agree to be mostly valid reasons, though I think he’s a bit harsh on PHP and has misconceptions about best practices in PHP programming models.

I devoured this book and immediately reread it. I am serious: if you are a Java programmer, you should read it. Obviously Java will not disappear from the landscape anytime soon, but I believe that it’s important to understand its limitations and frustrations, and why other languages are starting to eat away at its foundation. Otherwise you’re likely to end up like one of the cranky COBOL programmers, wondering what all the fuss is about this upstart 10-year-old. :)

That didn’t take long. Just a few days after I decided to learn Python before Ruby, I changed my mind and went with Ruby. Garrick told me that a Ruby user group was starting up in town, and that happy news pushed me over the edge. I’ve spent odd moments and bus rides in the past week reading the PickAxe book, and my gut feeling was right: Ruby feels right to me, like meeting an old friend, like coming home. I’m excited to dig into it with gusto, and anxious to try Ruby on Rails.

Rails is easy enough to set up, but the usual way of doing so is to use RubyGems — which doesn’t work right on my iBook running Jaguar (OS X 10.2). No, compiling a new ruby hasn’t helped, though the problem does seem to be at the ruby core level. The obvious choices are either to get Tiger (OS X 10.4), which I’ve been putting off until I buy a new laptop, or to install Rails by hand. I’m not sure right now which way I’ll go.

To celebrate my introduction to Ruby, on Wednesday night I went to the inaugural meeting of the Twin Cities Ruby user group (still working on a name. People were enthused about “MSP Ruby Brigade”). The organizers expected maybe a half-dozen people. Three times that showed up. Not bad for last-minute word-of-mouth! Easily half the people in attendance work with Java in their day job; most of us are less than thrilled about it. At least two there contribute to JRuby, working to get a ruby interpreter in the JVM. A really sharp group of people. I walked away from the meeting even more excited about Ruby than when I arrived.

What about Python? I’ll get back to it. I still do want to try Django, and the few days that I spent with Python whetted my appetite. I’m just more excited about Ruby right now.

I’ve taken up Python again. I quickly taught myself Python a few years ago, learning just enough to become enamored with the language before neglect drove it from my brain. I love its brevity, its elegance. I once fooled myself into thinking that Jython would be handy, offering the complete Java API through Python, but right now Java and I aren’t getting along, so that’s not too interesting anymore. So what brings me back to Python? Django and TurboGears, two Python web frameworks that stand to make me more productive with less code. Even if it’s just for fun and I never get the chance to use this stuff at work, I don’t care. I want to hack again.

What about Ruby on Rails? Don’t worry, that’s coming. I like what I see in Ruby — a lot — and it’s just become too hard to ignore Rails. I tried for a while, mostly because the hype factor turned me off, but a closer look at Ruby and a better understanding of what Rails is all about helped me get over that particular prejudice. RubyRails certainly reflects some worthwhile ideas, and I just can’t argue with the productivity it offers.

I wrestled with deciding whether to take up Ruby before Python, but opted for Python because I was afraid that if I started with Ruby it would be months before I returned to Python. My gut is telling me that I’m going to be much more at home in Ruby. Since part of why I’m learning these languages is to expose myself to different ways of thinking, I decided first to learn Python and see how that takes.

Still, Ruby beckons. I figure I’ll pick up the Pickaxe in a couple weeks.

Microsoft have released a beta version of an Internet Explorer Developer Toolbar. A very nice complement to the ever-essential Mozilla DOM inspector and Chris Pederick’s Web Developer extension. I’ve often wanted something like this when I’m working in IE, now it’s here.

When we bought our house last fall, we chose Comcast for phone and internet service. At first we weren’t even going to get a land line and just rely on our cell phones, but after Kiara locked her phone in the garage, we decided that for safety’s sake we should have a land line. We would have gone with Qwest, since it’s a bit cheaper and DSL is fast enough for our needs, but no one we talked to at Qwest could find our address in the system, so they couldn’t even provide phone service. Never mind that the house has been there fifty years and Qwest provided service to the previous owners, we weren’t in the system and that’s that.

So Comcast seemed the obvious choice, both for phone and internet (we didn’t want cable TV). A few dollars more expensive, but faster — and they acknowledge the presence of our house. And tech support was phenomenal the few times I needed to call it, even when they were obviously disappointed and confused by my using a Mac. Really, I felt upbeat after every call. How often does that happen with tech support?

And we were pleased. For a few months, at any rate. Then small annoyances started to add up. We would be without internet service for hours, sometimes days with neither notice nor explanation. No, that’s not entirely true: whenever I called, I’d be told it was scheduled downtime. That lasted for days. Downtime happens, I know, but there was an awful lot of it “scheduled.” And although I never used the Comcast email address, we got a lot of spam sent to it.

We were also disappointed with the phone number we’d been given. Whoever had had it before, apparently just a few weeks before we inherited it, left a lot of unpaid debts. I kid you not, easily 90% of the phone calls we got were not for us, they were collection agencies after this guy. We just stopped answering the phone. Had we stayed with Comcast, we would have a new phone number, no question, but is it just a coincidence that a coworker who also used Comcast for phone service had the same problem? Probably, but it’s an odd one.

This spring, Qwest found our house in their system, and we dropped Comcast right away. We didn’t and don’t expect that Qwest service will be that much better, but so far it’s been fine. No unexpected — excuse me, scheduled outages. My coworkers are aghast that I’d go with DSL over cable modem because it’s slower, but I’ve rarely found that to be a problem. Right now I’m more hampered by the flaky wireless on the laptop than anything else. We’re content with Qwest, and we’ll stick with ’em for a while. I’m in no hurry to change my phone number again, and now the phone works even if we lose power. :-)

A few days ago, Comcast nailed the lid on the coffin. They sent a bill for long distance calls made in late July and August. There are two problems with this:

1. We never had long distance service with them. Our cell phone plans offer that for “free”, so we chose only local service with Comcast.
2. We cancelled our service on April 27!

Billed for calls we obviously never made. The guy I talked to at Comcast was as confused as I. He couldn’t even see that I’d been billed at all, or had any charges on my account. Great. So I’m ignoring the bill for now, and hoping that the customer service guy really did make notes on my account. With my luck, I can just see this going to collections because their accounting system is frelled.

Not that these two events are even remotely equivalent, but I don’t want to miss them this year: Talk Like a Pirate Day on September 19, and Banned Books Week, September 24 – October 1.

I’ve had a rant building inside me for some months but amazingly it hasn’t come out here. It’s starting to surface elsewhere, though, such as this message that I wrote to the TCPHP list recently:

After working with dynamic languages like PHP, Perl, and Python, Java feels like a slow-moving behemoth.

My primary complaint against Java is not the language itself, but that the culture of the Java world so strongly favors large, heavy, overburdened frameworks. Frameworks largely developed by companies that would be more than happy to sell you hardware to run your resource-intensive applications. And as much as Java developers talk about testing (the xUnit testing frameworks started with JUnit, remember), trying to test applications running in a servlet container or an EJB contaner is still difficult. Possible, but difficult.

There are signs that some Java communities are waking up and trying to inject sanity and simplicity into developers’ lives. Spring is gaining popularity, and even EJB 3.0 looks to be taking a cue from lightweight persistence frameworks like Hibernate. If you have to work with Java, I cannot recommend strongly enough that you read Better, Faster, Lighter Java. In fact, I recommend it even if you’re not a Java developer, as it explores important ideas of simplicity that are important for any programmer’s work.

As PHP 5 takes many of its cues from Java, we are benefitting from things such as a cleaner object model, a decent exception mechanism, and broader enterprise acceptance. Note, however, that “enterprise” acceptance comes in part as a result of support from companies like Oracle, IBM, and Sun, those same companies that are selling heavyweight application servers and frameworks. In such company, I expect that PHP will always play second fiddle to Java — running PHP inside a servlet container is very cool, but Java is clearly king.

And maybe that’s okay. There’s no reason to stick with one language throughout the entire application stack. PHP is excellent for rapidly developing web applications; I don’t really like to use it for anything else, although I know that some on this list like its CLI capabilities (for that, I’m still a Perl devotee, many of my coworkers are sed and awk diehards :). I still hold out hope that at work I’ll be allowed to develop a web front end in PHP, talking to a Java backend — be it through web services (hopefully RESTian where appropriate) or through more direct means enabled by an app server. There may well be benefit to choosing Java over PHP for certain areas of legacy app integration, although I’d be inclined to want to look at using dynamic languages with strong Java integration like Groovy or Jython to take advantage of faster development time.

With interest in PHP from IBM et al, we’re also getting some very interesting R & D that builds on work done in Java. A PHP implementation of Service Data Objects, for instance, which is certainly intriguing reading but will likely be applicable only to a limited set of scenarios. I’ve seen strangely complex Iterators used in PHP code when a simple foreach() would have been enough. I fear that developers will use these tools and techniques in an effort to be more “enterprise-friendly” or Java-like, when they don’t really make sense in PHP. Much as has happened in the Java world.

That about sums up how I feel. The more I work with Java, the more I appreciate how productive I am in other environments and dynamic languages.

Expect more on this from me soon.

A few people at work are experimenting with using blogs to connect with customers/users or whatever you want to call the people that our IT division serves. It’s a worthwhile experiment, but so far it has languished. After some asking around, I figured out who was responsible for the effort and sent a few suggestions, including this:

It would help to have a more clearly human voice. If weblogs are ever effective communication tools, it’s because they engage people in conversation, punching through a corporate-speak firewall and connecting individuals. I don’t sense this happening in the training feedback blog. The same was true of the ISRS Admissions blog, too: everything is posted by “ITS Support.” Who’s that? I suggest that you use people’s names, to put an actual human being behind the words. People are not inclined to trust or even be interested in something written by an unnamed entity. You can’t make an organization more transparent by hiding behind walls. That may not be what you intended, but frankly I think it’s the result.

Ironically, not half an hour later someone in HR sent an event invitation to everyone. I don’t know who in HR because it was sent by “HR Office.”

Sigh.

Update: I like what the folks at Technical Careers @ Microsoft have done, adding personalized icons for each of the blog posters. I even like that they’re not real photos. I don’t have to read the poster’s name to know who wrote what, I just passively identify the words with the picture and over time build a sense for that person’s unique voice. Awesome.

Kiara and I are taking Owen to Corn Days in Long Lake this weekend. Growing up, there was only one reason to go: corn. Lots and lots of hot, buttered corn on the cob. I don’t know what an all-you-can-eat ticket costs, but it’s worth it. Now that I have a kid, I have two reasons to go:

• Corn. Lots and lots of corn.
• Fun stuff for Owen. There’s a parade, there’s a petting zoo. And he does like the corn.

A coworker heard me mention Corn Days and got all excited. “Ooh, are there all sorts of different foods made from corn?” No. Just corn. “Is there…?” No, just corn. She looked disappointed.

I wasn’t being fair. There might be something else, but I don’t care. As far as I know, unless you like corn on the cob or have young kids, there’s not much reason to go. I’ll report back anyway.