Codepope's Development Hell

JavaFX on Android and iOS: One of Oracle’s ongoing projects is getting JavaFX onto the two big smartphone platforms. An update from Richard Bair (Chief Architect Client Java at Oracle) says the work is now at “a good prototype stage”. There’s “funky” code swapping JavaFX text fields for native components and the plan is to build a more layered system for better native look and feel without Swing style theming.

The Node developers have pushed out Node 0.10.21 and saying it “contains a security fix for the http server implementation” but gave no further details in the announcement, only asking people to upgrade as soon as possible. Elsewhere though, the problem was identified as a trivial-to-trigger denial of service vulnerability. It was explained by “meritt” in a Hacker News posting that a memory leak in the HTTP Pipelining code could make systems run out of memory if flooded with requests which were never read.

Hadoop 2 goes official: The Apache Software Foundation have officially announced Apache Hadoop 2. The new milestone version of Hadoop is a major rework which brings YARN, an overhauled MapReduce engine which splits resource management and job scheduling into two separate operations with their own daemons. There’s also high availability, data snapshots, NFS3 access and federation for Hadoop HDFS along with Windows support. Hadoop 2 started out in alpha way back in May 2012 as version 2.

At the opening of the conference day at Cassandra Summit Europe 2013, Johnathan Ellis, Datastax CTO, made a point of positioning Apache Cassandra as an enterprise scalable database and one that scales in a linear fashion to massive scales. Datastax is the leading developer of, and commercial vendor of Apache Cassandra in the form of DataStax enterprise. MongoDB was very much in the company’s sights as it showed benchmarks with Cassandra running 20 times faster than MongoDB – the reason was simple though the dataset for the benchmark was bigger than the available memory on the nodes.

Talend go Apache: Talend, makers of integration, ETL and other data management products, have long been proponents of the GPL license for their products. I’ve asked them about this in the past and they’ve been robust in their reasoning about why the GPL is right for them. It appears though that that era has come to an end with an announcement that the company will be stepping towards more permissive licensing.

It seems to be all going on with the developers of Rubinus, the LLVM JIT-powered Ruby implementation which recently hit version 2.0.0. First came the news that Engine Yard had ended their sponsorship for the project saying that “we no longer feel like the project needs any help from us to accelerate” - the ending of sponsorship will, they say, let them invest more in other emerging projects. With that announcement made, Rubinus lead Brian Shirai said “I have been working to simplify and focus the project”; funding changes do tend to allow projects to step back and look at their goals.

Android’s Cipher Downgrade: According to this blog posting, Android’s Cipher suite – that is the list of ciphers it uses in order when it is establishing a secure connection – changes in late 2010 and saw AES256-SHA removed and RC4-MD5 put in its place. This means Android 2.2.1 has a better default cipher than Android 2.3.4 and everything that follows. The analysis shows that Google were apparently following Java’s cipher list changes, but that in 2011, Java 7 got a better cipher list and Android, being based on Java 6, didn’t.

Debian update: Debian’s second update of Wheezy, 7.2, is now with us. As usual, if you are updating your Debian regularly, you’ll have most if not all of this, but now there are new ISOs to install from to make fresh installs faster. Further details on the update on the Debian site. Debian’s long freeze: Meanwhile, Debian 8 “Jessie” is starting on the long trajectory to release with a date set for a freeze of 5 November… next year, 2014.

This morning I was reading this blog posting about reverse engineering backdoors in routers. The punch line is a shocker though - a number of D-link routers have a backdoor which can be triggered by setting the browser’s user agent to backdoor (plus xmlset and a credit to the person who set up the backdoor). Read the posting and if you have any of the affected gear, consider your options. The D in D-Link seems to stand for Derp.

Vintage bugs: Back in 1993, a use after free bug when handling ImageText wriggled its way into the X.org server and settled into what is believed to be every X.org server release that came after. Just over 20 years later, a security advisory and patch have been published for the bug. So look out for updates to your Linux distribution’s (or other Unix’s) X.org server in the near future. To many eyes, all bugs are eventually shallow.