/code - Brian Slesinsky

Russ Cox explained a while ago how interface types work in the original implementation of the Go language. But reading about an implementation when your grasp of the language is shaky is sometimes more confusing than helpful.

For example, I happened to see the beginning of a dispute on the mailing list [edit: which turned out to be just a misunderstanding] about whether interface values are copied by value or by reference. I had forgotten and couldn't find an answer in the Go spec, so I wrote a test program. See if you can guess what this program does without running it:

Sunday, 01 Mar 2009

Seems like browsers are doing a lot of things already to manage vendor relationships, where "vendors" are websites:

However, the major browser projects tend to have a tough balancing act between users' and vendors' interests, because they need to be compatible with as many vendors as possible. Features like ad blocking are "controversial" for this reason, which is why they're often an extension.

Client-side programs (Javascript embedded in web pages) are a rather odd thing. A Javascript application is written by the vendor, but once downloaded, the vendor cannot trust it anymore because it's in the user's control and the user could modify it. So vendors only trust these programs they wrote themselves to represent the intentions of the user identified by the auth cookie. On the other hand, as a user you cannot fully trust one of these programs either, except to display information from one vendor and to relay your intentions back to that vendor's server when you're using a particular website. In particular, you don't want programs from different vendors to talk to each other about you, unless you specifically allow it, and you don't want a program from one vendor to gain control over a program from another vendor.

These programs are like agents that all live within different jail cells in your browser. The agents aren't fully trusted by either side, and yet each agent is the primary way that you communicate with one vendor. The major client-side security bugs come from letting these agents escape their cells or spy on each other. And there are millions of these agents out there, one for each website, of widely varying quality.

Perhaps Greasemonkey scripts are the closest thing we have to turning these agents into true fourth-party software. However, they're a hack. They have to be rewritten for each agent, they have to be updated each time the vendor changes the website, and vendors sometimes write terms that forbid you from using them.

Can someone do better? I suspect an in-browser evolutionary approach is most likely to succeed. Users need better control over these agents and standard, automatic ways of communicating with multiple agents at once. I'm imagining browser extensions whose purpose is to start up a bunch of web sites (agents) and send them bids, and gather information from these agents and store it in a standard way outside of any agent's control. The standard API's for websites to communicate with browser extensions needs to become richer.

On the other hand, there needs to be a way to get your favorite browser extensions back when using a different browser. This suggests that the "extension" is just another agent that lives in its own cell and is downloadable by vising a website. So maybe they all talk to each other using Google Gears, and it's just that you've designated certain more-trusted agents to administer the other less-trusted agents?

Perhaps there could be a cells-within-cells model, where visiting one website creates an agent in a cell, who creates more cells and downloads agents from other websites into them. We'd need a standard for creating "headless" agents that have no UI but are just used by another website. As the user you'd want to be able to see when this happens and decide whether to allow it. Probably the closest thing we have now are hidden frames, but communication between them is a hack and the user doesn't get any visibility.

Update 2: and of course Facebook Apps and OpenSocial containers allow similar things, with the difference that the "more trusted" agent lives on someone else's server and therefore can do things on your behalf when you're not logged in. Also, it's questionable how much they deserve our trust. Open source client-side software (such as browsers and extensions) can theoretically be reviewed and given more trust than someone else's server, assuming you're using them on a secure client.

Then again, this is only a matter of degree in the usual case where you download client-side software from a website without reviewing it yourself.

Saturday, 21 Feb 2009

"Ownership means that I have something to lose. If you're a banker, it means that you've got collateral. It also means that I'm credible, so you can give me credit. When you think about it, whether it's ownership, whether it's credit, whether it's capital, whether it's identification, none of the things that make a modern economy are possible without property." [emphasis added]

- Hernando De Soto

Online property might be considered as owning accounts in various online systems. "Having something to lose" means having control over an account that's valuable to you and other people you know (that is, not a throwaway account). Could an identity system be based on this? Someone with control over an account should be able to prove that they are the same person who owns other accounts as well. Once we have that, there are likely to be some systems that tie online identity to offline identity, which can be used to associate other online accounts to an offline identity when that's what you want.

The fundamental transaction of proving that two accounts are owned by the same person could be done with OAuth. Note that this isn't a permanent relationship; if one of your accounts is hacked, you should be able to log into all your other accounts and attest that you no longer wish to be associated with the hacked account. When an identity splits in two like this, your friends might not know which identity to trust, but they would know something is up and to be careful.

This is distinct from single sign-on; in fact, an identity created this way is more robust if you use an independent method of authentication for each account. In practice, some groups of accounts will probably share an authentication system for ease of use, but using a single auth system for everything is probably a bad idea even if it were possible. Even if you managed to tie most of your accounts to a single OpenID provider, keeping a few accounts separate (like your bank) would be a very good idea.

Friday, 02 May 2008

With the launch of Google App Engine, I decided to give it a spin by rewriting PixelToy, a Java Applet (and backend server) that I wrote more than a decade ago to learn Java. This time, the technologies I'm trying out are jQuery, Ajax, and Python.

PixelToy is a simple paint program where everyone who visits paints on the same canvas. The new Pixeltoy also lets you take a snapshot of your painting and see a gallery of pictures others have made; the gallery also has a feed.

How it works: the PixelToy web page sends each brush stroke to the server when you release the mouse button and polls the server for updates. The polling gets slower for inactive users.

(Warning: since anyone can paint anything they like and painting is anonymous, you never know what you'll find when you visit. I ask that visitors keep things generally "safe for work," but can't monitor it all the time.)

Sunday, 17 Feb 2008

Guice is easy to use when you want to build a web of objects based on a static configuration. However, it gets awkward when you want to create multiple, similar webs of objects, where only a few nodes vary.

This is because Guice has no direct support for callbacks that take parameters. The only callback that's built into Guice is Provider.get().

I would like to see full support for callbacks with parameters in the next version of Guice. In this article, I'll sketch out how we could do it.

Wednesday, 23 Jan 2008

I've written before about how Guice works, but didn't explain why you would want to use it. Here's one way to think about it.

Saturday, 20 Oct 2007

No, I didn't fall off the face of the earth. I haven't posted because I've been busy, and also had a case of the blog migration blues. If everything has gone smoothly, the website should look exactly the same. (Attention conservation notice: lots of boring tech detail below.)

Sunday, 17 Jun 2007

It turns out that a few others have written poetry in Inform 7. Here's what I've found so far:

Sunday, 10 Jun 2007

There's a Java design pattern that shows up in Guice, TestNG, and JUnit 4 that seems common enough to need a name. I'm calling it an annotated callback method, and I'll describe it here, in the format popularized by the Design Patterns book.

Tuesday, 29 May 2007

I previously explained how Guice works, but not how it changes your application's archiecture when you use it. Now that I've had some practical experience, I can explain a little more about that.

While refactoring my 20% project to use Guice for creating objects, I found myself adding factory classes where previously the code would call constructors directly. This seemed odd because up until now, I've generally thought that factories are overused and best avoided. Later in this article I'll explain why this happens. But first, a digression into functional programming languages...

Thursday, 10 May 2007

I recently finished reading Le Ton beau de Marot, an excellent book about translation by Douglas Hofstadter, whom you might know as the author of Gödel, Escher, Bach. The book includes dozens of translations of "A une Damoyselle malade," a short poem written by Clément Marot in 1537 as a sort of get-well card to the daughter of Marguerite de Navarre. The translations vary from literal glosses to very loose and playful ones that might better be called adaptations. It looked like fun, so I thought I'd try doing an adaptation to Inform 7. Here it is:

Sunday, 08 Apr 2007

Sunday, 25 Feb 2007

OpenID is a new way of logging in to websites that's been getting a lot of attention lately. After discussing it with some folks at work and reading Tim Bray's post, it seems likely that lots of people are trying to figure out whether it's any good. So am I. Since I haven't read the OpenID standards very closely and OpenID 2.0 is still in development, I'll concentrate on the big picture. Hopefully I won't get too many of the details wrong.

Thursday, 19 Oct 2006

A decision that comes up fairly often when writing server software is whether to hard-code a value or make it configurable. It's easy to conclude that more configuration is better, because when you hard code something, you'll have to recompile and deploy a new version of the server when you want to change it. But resorting to configuration parameters too frequently has a cost that adds up after a while.

Thursday, 05 Oct 2006

Forgetting to validate user input is an increasingly common security hole in web applications. Here's an elegant way to fix a hole and make your code more understandable at the same time.

The problem here is that we haven't validated the id parameter, and this string came from the network, so it could contain just about anything. The security holes caused by this can be somewhat surprising. For example, suppose we go on to do a redirect:

Tuesday, 03 Oct 2006

Wow, it looks like even the academics are getting into test-first coding. Here's a paper on writing a compiler from scratch, in steps small enough to do in one sitting. After each step, the compiler can translate an increasingly large subset of Scheme into x86 assembly.

It's like two courses in one: learn compilers and modern software development practices at the same time:

Sunday, 20 Aug 2006

I investigated Ruby on Rails a little bit and found that it's easy to introduce security holes into a Rails application. (If you don't care about Ruby on Rails, you can skip this entry.)

Sunday, 28 May 2006

After a few months of experience with traditional code reviews at my new employer, I don't see any reason to recommend them over pair programming. They create a great deal of inefficiency with very little benefit.

Tuesday, 09 May 2006

Even though it might be what Mr. Nelson intended, I don't really believe that Inform 7 is essentially about making programming easy for non-programmers. Or at least, it seems like a rather roundabout way to go about it. I also agree with those who say that, technically, Inform 7 isn't about natural language at all. Its real significance, at least to me, is that it is the latest experiment in writing for two audiences simultaneously: humans and computers.

Saturday, 06 May 2006

It's been over a month since my previous entry on adding auto variables to Java. Unlike most of my blog posts, I actually got a few responses, so at least I wrote something interesting. But surprisingly, most responses were negative.

Saturday, 25 Mar 2006

Type inference is finally getting into mainstream languages. The next version of the C++ standard will very likely allow you to do this:

The auto keyword indicates that foo is a local variable whose type is automatically inferred from the type of the expression on the right side of the equal sign, in this case compute_foo()'s return type.

(For the search engines, this is called "implicitly typed local variables" in C-sharp-land.)

Tuesday, 08 Nov 2005

XPath Checker is a Firefox Extension I wrote for testing XPath expressions interactively. You might find it useful if you use xpaths or want to learn how.

If you haven't used xpaths before, they are sort of like regular expressions for web pages. XPaths make it easy to extract content from deeply nested markup in a web page or an XML document. I find them most useful for unit-testing code that generates XML or HTML. They're also used in XSLT and by Firefox extensions such as Greasemonkey.

Saturday, 16 Jul 2005

Programmers have been using macros since the early days of computing to make writing code more convenient. Sometimes the macros are part of the language (such as the C preprocessor, C++ templates, or Lisp macros), sometimes they're part of the editor (such as IntelliJ's live templates), or code might be generated by a wizard.

Macros that are built into the language can be very powerful and concise, but they're often difficult to write, understand, and debug, because you're working at a higher level of abstraction. Code that's generated by the IDE is very transparent and customizable (you see the generated code immediately and can edit all of it), but the duplication leads to maintenance problems.

I've found that IDE's that support "inline method" can be used in a way that combines some of the advantages of both types of macros. Here's a simple example from a class that generates HTML. (There many ways to generate HTML and this is probably not your favorite, but bear with me.)

Tuesday, 21 Dec 2004

My friend and co-worker William Pietri posted a description of our working environment for our most recent contract. (This was the job where I learned Extreme Programming. I've written about it before.) It just goes to show that you don't need fancy offices or a nice view to have a pleasant and efficient place to work.

Saturday, 20 Nov 2004

Sergey Dmitriev (CEO of JetBrains) recently wrote an article arguing that it should be easier to write computer programs in domain-specific languages. I have great respect for the developers of IntelliJ IDEA and look forward to seeing new tools from them, but I think his justification for writing these new tools doesn't really hold water.

Friday, 23 Jul 2004

Fow a while now, I've been experimenting with concepts from functional programming in Java, immutable objects in particular. Advocates of functional programming claim that it makes programs easier to write, debug, and understand. (See Why Functional Programming Matters.) After getting a bit more experience with it, I'm not so sure about that. Functional programming can be error-prone in its own way.

Saturday, 15 May 2004

A couple of months ago, I quit my job at a big software company and started working for a tiny Internet startup. One thing I found attractive about the new job was that we would be doing Extreme Programming, the latest trend in software development. I'd been reading about it for years, but never had a chance to try it until now. Here's what it's been like.

Tuesday, 16 Mar 2004

As far as I can tell, the "You Aren't Gonna Need It" principle (abbreviated YAGNI) advocated by the Extreme Programming crowd isn't really a principle at all, but rather a catch-phrase to end an argument. It actually means, "we should do that later. Don't argue." I think the test-first folks have good reasons for implementing things in a certain order, but the real reasons are not necessarily the ones they use to justify it.

Tuesday, 24 Feb 2004

I came up with another technique for constructing immutable objects that I like better than Half-Beans and Struct Arguments. By writing a copy constructor that takes an interface rather than a class, I can then put constructor methods for the class in any package.

Saturday, 22 Nov 2003

Here's a trick I used to avoid depending on a particular logging library in Java: instead of calling the logger directly, I wrote an adapter class. For example, suppose you're writing a library that's implemented in terms of commands, and you want to log a message whenever a command is run. The logger might look like this:

This solved my original problem by moving the dependency to a subclass of MyEventLogger, and the subclass was actually defined outside the library, resulting in one less jar needed to compile.

The new class opens up some other nice possibilities. It's a convenient place to put methods for application-specific events like startCommand(). These are often more useful than generic events like debug() and error(). For example, if the client is a Swing application, it's fairly easy to rig things up so the name of the currently-running command is displayed on a status line. Or a unit test might use a special-case logger to verify that a particular event occured. Application-specific methods can also be a convenient place to put breakpoints when in a debugger.

I'm not sure yet how it scales. If I added new features to the library and thought of more new things to monitor, the number of event methods might get too big for one class. Also, there's the potential for reduced performance whenever adding a layer like this. But I do think it's a better idea than using something like Apache's commons-logging component, which replaces one outside dependency with another, rather than removing one.

Monday, 27 Oct 2003

Did you know Windows has symbolic links? I didn't. They're called Junctions. (Found via Erik's weblog.)

Sunday, 12 Oct 2003

In an interview on Artima, Bjarne Stroustrup has this to say about classes and invariants:

Friday, 03 Oct 2003

After thinking about it a while, I've decided that main thing wrong with my Half-Bean design pattern is that it's over-engineered. I had some additional considerations in mind (such as validating web forms) that most classes are Not Going To Need.

Wednesday, 01 Oct 2003

Thanks to Cedric Beust for being the first one to respond to my article about Half-Beans. Apparently I've glossed over some important points, so let me expand on them a bit.

Monday, 29 Sep 2003

In my previous article, I gave a simple example of an immutable class called Album. You might have noticed that all of Album's properties have to be passed to the constructor, since there are no setter methods on an immutable class. That works okay for an class with four properties, but what about one with twenty? A programmer who uses your class and accidentally swaps the fifteenth and sixteenth String arguments in the constructor isn't going to like your design much. Some languages solve this problem with keyword arguments, but Java doesn't have them, so we need another solution. The Builder pattern comes to the rescue.

Saturday, 27 Sep 2003

Launch Fever, noun: An unwillingness to miss an important deadline despite known problems. Example:

Wednesday, 24 Sep 2003

Functional programming is (in part, to oversimplify) a way of writing programs using only immutable variables and objects. This eliminates certain kinds of bugs that happen when objects change unexpectedly. Normally, functional programming is done in specialized languages like ML and Haskell that aren't very popular. I believe this is because the programs tend to be rather mathematical and use special, hard-to-understand tricks to get work done despite the illusion that nothing actually changes. They also don't have the vast libraries and tools that mainstream programmers are used to.

However, it's possible to apply some of the lessons from functional programming to Java (and similar languages), and I believe it results in a pretty good coding style that can be easier to debug than your average JavaBean.

Tuesday, 23 Sep 2003

"Specifically the flaw was that you can get at the central vote-counting database through Microsoft Access. They have the security disabled. And when you get in that way, you are able to overwrite the audit log, which is supposed to log the transactions, and this [audit log] is one of the key things they cite as a security measure when they sell the system."

They suspect the security flaws could have been used to cause some upset victories in Georgia in 2002.

Saturday, 13 Sep 2003

Back in 1996 I wrote a little Java applet called PixelToy for HotWired's WebMonkey site.

Visitors to the PixelToy web page would see an 18x18 canvas of fat pixels where they could paint. Brush strokes would be transmitted to everyone else visiting the same page, so you could see other people drawing. It was pretty fun.

PixelToy was written for Java 1.0.2 and ran acceptably over a 28.8Kbps modem on my Mac Quadra. The client is a single 12K Java class file. Unfortunately it requires a server (written in Java) that is no longer running, so it's no longer online. But I keep the source code available for old time's sake:

Saturday, 07 Aug 2010