From george at ceetonetechnology.com Mon Jul 2 13:29:07 2007
From: george at ceetonetechnology.com (George Rosamond)
Date: Mon, 02 Jul 2007 13:29:07 -0400
Subject: [nycbug-talk] This week's meeting
Message-ID: <468935E3.8010006@ceetonetechnology.com>

For those who are not on announce or see the www site, we've moved this month's meeting to July 5, Thursday. . .

But then again, you'd know that already if you were on announce :)

Here's the meeting spiel anyway:

July 05, 2007
Isaac `Ike` Levy on the Real Unix Tradition

*Please note that we moved the meeting from Wednesday, July 4 to Thursday, July 5*

6:30pm, Suspenders Restaurant
http://www.suspendersbar.com/location.php

"The Real Unix Tradition"

!!Please wear your best shirt, a group photo-op will follow this month's lecture!!

UNIX hackers, all standing on the shoulders of giants.

"...the number of UNIX installations has grown to 10, with more expected..."
Dennis Ritchie and Ken Thompson, June 1972

"Well, it was all Open Source, before anybody really called it that."
Brian Redman, 2003

UNIX is the oldest active and growing computing culture alive today. From its humble roots in the back room at Bell Laboratories, to today's global internet infrastructure - UNIX has consistently been at the core of major advances in computing. Today, the BSD legacy is the most direct continuation of the most successful principles in UNIX, and continues to lead major advances in computing.

Why? What's so great about UNIX?

This lecture aims to prove that UNIX history is surprisingly useful (and fun) - for developers, sysadmins, and anyone working with BSD systems.

About the Speaker

Isaac Levy, (ike) is a freelance BSD hacker based in NYC. He runs Diversaform Inc. as an engine to make his hacking feed itself, (and ike). Diversaform specializes in *BSD based solutions, providing 'IT special weapons and tactics' for various sized business clients, as well as running a small high-availability datacenter operation from lower Manhattan.
With regard to FreeBSD jail(8), ike was a partner in the first jail(8)-based web hosting ISP in America, iMeme, and has been developing internet applications in and out of jails since 1999. Isaac is a proud member of NYC*BUG (the New York City *BSD Users Group), and a long time member of LESMUUG, (the Lower East Side Mac Unix Users Group).

From pete at nomadlogic.org Mon Jul 2 18:45:18 2007
From: pete at nomadlogic.org (Peter Wright)
Date: Mon, 2 Jul 2007 15:45:18 -0700 (PDT)
Subject: [nycbug-talk] Django Web Framework
Message-ID: <9319.160.33.20.11.1183416318.squirrel@webmail.nomadlogic.org>

hey all - we are evaluating some web frameworks and have come across Django (for which I hope they are not referencing Django Reinhardt's virtuoso talent despite being severely crippled ;) But I digress....

http://www.djangoproject.com/

anyone have experience using this framework in production? we already use ruby on rails for some apps, not to mention mod_perl, mod_python, JSP etc....

the department in question does not see the need to start training on yet another scripting language since they already standardized on python for pretty much everything else. any good experiences, bad experiences? this bit kinda really scares me:

http://www.djangoproject.com/documentation/api_stability/

That, and the fact that apparently you have to restart apache if any code changes are made ?!?

-pete

ps -> Ike, I did lobby for Zope - sorry!
I guess it's not new and unstable enough for them ;p

--
~~oO00Oo~~
Peter Wright
pete at nomadlogic.org
www.nomadlogic.org/~pete
310.869.9459

From dave at donnerjack.com Mon Jul 2 18:58:07 2007
From: dave at donnerjack.com (David Lawson)
Date: Mon, 2 Jul 2007 18:58:07 -0400
Subject: [nycbug-talk] Django Web Framework
In-Reply-To: <9319.160.33.20.11.1183416318.squirrel@webmail.nomadlogic.org>
References: <9319.160.33.20.11.1183416318.squirrel@webmail.nomadlogic.org>
Message-ID: <1D535FA0-33BD-412F-8994-5CFD7E819179@donnerjack.com>

I've actually used it for some simple CRUD apps for friends/family members. Nothing I would consider a serious deployment, but I've been reasonably impressed with it. Frameworks of this kind have some inherent limitations, the more complex you make the applications and the further you stray from their intended use cases, the harder you have to work to make the framework do what you want, but my experience with it, as I said with just simple apps, has been universally extremely pleasant. It really depends heavily on what your needs are going to be.

You do have to restart Apache to load code changes if you're running with mod_python. There are other methods of doing it, primarily intended for development, where you run a pure Django server that Apache (or whatever) proxies to, but you'd still have to reload that Django server to make code changes live. Ideally, this shouldn't be a problem, code changes should be vetted in a staging environment and rolled out to production boxes once they're stable, an Apache reload doesn't even drop connections, no big deal.

--Dave

On Jul 2, 2007, at 6:45 PM, Peter Wright wrote:

> hey all - we are evaluating some web frameworks and have come across
> Django (for which I hope they are not referencing Django Reinhardt's
> virtuoso talent despite being severely crippled ;) But I
> digress....
>
> http://www.djangoproject.com/
>
> anyone have experience using this framework in production?
> we already use
> ruby on rails for some apps, not to mention mod_perl, mod_python, JSP
> etc....
>
> the department in question does not see the need to start training on yet
> another scripting language since they already standardized on python for
> pretty much everything else. any good experiences, bad experiences? this
> bit kinda really scares me:
>
> http://www.djangoproject.com/documentation/api_stability/
>
> That, and the fact that apparently you have to restart apache if any code
> changes are made ?!?
>
> -pete
>
> ps -> Ike, I did lobby for Zope - sorry! I guess it's not new and
> unstable enough for them ;p
>
> --
> ~~oO00Oo~~
> Peter Wright
> pete at nomadlogic.org
> www.nomadlogic.org/~pete
> 310.869.9459
> _______________________________________________
> % NYC*BUG talk mailing list
> http://lists.nycbug.org/mailman/listinfo/talk
> %Be sure to check out our Jobs and NYCBUG-announce lists
> %We meet the first Wednesday of the month

From lists at genoverly.net Mon Jul 2 20:15:39 2007
From: lists at genoverly.net (michael)
Date: Mon, 2 Jul 2007 20:15:39 -0400
Subject: [nycbug-talk] Django Web Framework
In-Reply-To: <9319.160.33.20.11.1183416318.squirrel@webmail.nomadlogic.org>
References: <9319.160.33.20.11.1183416318.squirrel@webmail.nomadlogic.org>
Message-ID: <20070702201539.4a900596@dt.genoverly.com>

On Mon, 2 Jul 2007 15:45:18 -0700 (PDT)
"Peter Wright" wrote:

> the department in question does not see the need to start training on
> yet another scripting language since they already standardized on
> python for pretty much everything else.

While this is a little off topic for this list.. I'll stab at it.

First.. what happened to good 'ol Perl? [grin]

If Python is the in house standard and web framework is the question.. Django, Turbogears, and Pylons are *some* of the top choices. There is a *LOT* of discussion about web frameworks in the python community.
You will also find the inevitable comparison to Ruby on Rails (mixed opinions) and PHP (negative opinions).

When deciding on python frameworks, there is some discussion among the camps along the lines of: "Full-stack vs. glue vs. coupling". Make sure you read up on the opinions on each before deciding.

Also.. reading up on WSGI, python's "Web Server Gateway Interface" is suggested.

And.. there is a lot of flexibility when running a python web. You can build it as an independent entity, possibly listening on 127.0.0.1:5000 (or whatever port you choose) and have Apache proxypass requests. This is REALLY flexible when scaling. Apache can do what it is good at: handling traffic. One could see redundant Apaches, passing to redundant webapp servers behind the firewall.. with potentially redundant database servers. Or you could deploy *within* each Apache process with any of the CGI family (SCGI, FCGI, etc). Of course you could remove Apache all together and go lighty!

While I am no expert (bob ipolito and ike can probably claim that) on Python, I looked at all of the frameworks some time ago. Each has a story and a philosophy that you may like or dislike.

The common description of Django is that because of its roots in the newspaper business, it is suited for content delivery. It also is known to cater to newbies, has strong documentation, and has attracted a large following. Oh, python creator, GvR, has blessed the project. But the buzz and enthusiasm has been withering with some. Opponents dislike the restrictive feel of the full-stack approach.. and disagree with some of the core decisions made by the project. You can read everyone's opinion when you do research.

Turbogears is in a rewrite and will probably be going in a similar direction as Pylons. There have been unconfirmed whispers of a merger, but I will not speculate, rather, leave it to the reader to decide.

Pylons, while newer, is a vibrant project and building nicely. I like their BSD-ish approach..
a set of tools that does each job well and works nicely together. These are loosely coupled so you can swap them out easily. The 'defaults' were chosen by cherry picking what they deemed to be the best of breed in each area. If you do not agree.. swap. The documentation is behind Django, but it is still good. The community is active with mailing lists and a crowd on IRC.

My choice... Pylons.

Some quick links.. but not nearly all of them.

Python web development and frameworks in 2007:
http://jesusphreak.infogami.com/blog/vrp1

Turbogears to be based on Pylons:
http://compoundthinking.com/blog/

Comparison of python web frameworks (watch the email wrapping):
http://nxsy.org/blog/archives/2007/06/19/unscientific-and-biased-comparison-of-django-pylons-and-turbogears

Comparisons to Pylons (by Pylons):
http://wiki.pylonshq.com/display/pylonscookbook/Concepts+of+Pylons

WSGI
http://www.wsgi.org/wsgi

--
michael

From pete at nomadlogic.org Tue Jul 3 12:34:27 2007
From: pete at nomadlogic.org (Peter Wright)
Date: Tue, 3 Jul 2007 09:34:27 -0700 (PDT)
Subject: [nycbug-talk] Django Web Framework
In-Reply-To: <9319.160.33.20.11.1183416318.squirrel@webmail.nomadlogic.org>
References: <9319.160.33.20.11.1183416318.squirrel@webmail.nomadlogic.org>
Message-ID: <14249.160.33.20.11.1183480467.squirrel@webmail.nomadlogic.org>

(ugg! deleted message somehow, sorry about messing up formatting, threading etc! bad day already for peety)

>> the department in question does not see the need to start training on
>> yet another scripting language since they already standardized on
>> python for pretty much everything else.
>
> While this is a little off topic for this list.. I'll stab at it.
>
> First.. what happened to good 'ol Perl? [grin]

oh we got some perl here ;) actually, we have a pretty impressive internal CPAN going on here and use it for a lot of things.
ends up though maintaining OOP-Perl and TK-Perl is kinda a pain in the ass when you got PyQT and Python sitting there taunting you :)

> If Python is the in house standard and web framework is the question..
> Django, Turbogears, and Pylons are *some* of the top choices. There is
> a *LOT* of discussion about web frameworks in the python community. You
> will also find the inevitable comparison to Ruby on Rails (mixed
> opinions) and PHP (negative opinions).

yea, that's the tricky bit. 99% of our code is for internal use only, and a large chunk of that code is written to interface with either our SOAP application servers (written in java) or to interface with binaries we have little control over (Renderman, Maya, etc.). now people are trying to push Ruby on Rails as the great saviour of web frameworks here - but it's a hard sell when you have to re-write all our python libraries in ruby when all you want to do is quickly throw up a web GUI for an artist or producer (read non-technical user).

> Also.. reading up on WSGI, python's "Web Server Gateway Interface" is
> suggested.

hmm...interesting. just read the abstract quickly.

> ...
> My choice... Pylons.

I guess my main concern is mod_python and not the framework in itself. although that's coming from someone who is building the infrastructure for the programmers to use. I'm looking for something that is stable, will be easily adopted by programmers - and gives the performance of mod_python w/o the inherent drawbacks (yes i fully understand the whole dev -> staging -> live architecture so I shouldn't care about having to restart apache to recompile code....but I do care and it still presents maintenance/support issues).

one thing that scares me (if I was a coder) is the fact that Django is not stable, and they admit API breakage will happen before the 1.0 release. although i'm not a coder so I shouldn't care right ;)

thanks for the info mike, i'm going to check pylons out for sure!
-pete

--
~~oO00Oo~~
Peter Wright
pete at nomadlogic.org
www.nomadlogic.org/~pete
310.869.9459

From nycbug-list at 2xlp.com Tue Jul 3 12:54:27 2007
From: nycbug-list at 2xlp.com (Jonathan Vanasco)
Date: Tue, 3 Jul 2007 12:54:27 -0400
Subject: [nycbug-talk] Django Web Framework
In-Reply-To: <20070702201539.4a900596@dt.genoverly.com>
References: <9319.160.33.20.11.1183416318.squirrel@webmail.nomadlogic.org> <20070702201539.4a900596@dt.genoverly.com>
Message-ID:

On Jul 2, 2007, at 8:15 PM, michael wrote:

> First.. what happened to good 'ol Perl? [grin]
>

still very active. mod_perl still dominates the ecommerce enterprise market and many of the top visited sites. and to be nycbug related... all the IAC properties ( ticketmaster, evite, etc ) run perl on a freebsd server farm. freebsd is actually the only quasi-officially supported platform for mod-perl/libapreq -- one of the core devs ports new releases to the ports tree as soon as they're released. none of the other operating systems get that :) i think the closest is CentOS which is only 2 versions behind the current.

> Django, Turbogears, and Pylons are *some* of the top choices.
> There is
> ....
> Also.. reading up on WSGI, python's "Web Server Gateway Interface"
> is suggested.
>

all those apps were migrating to WSGI middleware spec last time i touched them...

> 127.0.0.1:5000 (or whatever port you choose) and have Apache proxypass
> requests. This is REALLY flexible when scaling. Apache can do what
> it is good at: handling traffic. One could see redundant Apaches,
> passing to redundant webapp servers behind the firewall.. with
> potentially redundant database servers.
>

that's wrong. apache is f***ing awful at handling traffic. you'll hit a huge bottleneck in your system if apache is proxypassing to everything else. run something like nginx , lighttpd , squid, or any of the other micro-servers / proxy servers. they're built for handling traffic.
apache is built for getting http done right -- no one comes close to it being correct and stable like that, but it does so at the cost of speed and memory. apache dies under high concurrency though. there have been tons of keepalive issues too. unless you're using apache for a specific apache feature, you're best off staying away.

> Of course you could remove Apache all together and go lighty!
>

not if you're proxying. unless they fixed that damn memory leak finally-- i was reporting it every day for 2 months, and it never got fixed. i recall bob was leaking 60mb an hour on mochimedia or something stupid big like that. i just don't trust lighty-- i mean it's written by a mysql dev in his spare time ! (though jan might be the smartest person at mysql)

I don't know pylons well, so I won't speak to it... but my experience with Django & TurboGears was this:

Django worked very well, but was so ingrained to a publishing model that i couldn't use it. That's apparently changed a lot -- it's way more flexible now. that new site pownce is running it ( which amazed me, it has a very twisted python feature set )

TurboGears seems like a good idea... But it's honestly a mess. i don't want to go into details, but I learned my lesson trying to use it and be active on the development. unless it's been rewritten from scratch and svn privs from the bulk of committers revoked, i would not run it at all.

whatever you choose, i strongly suggest using sqlalchemy or whatever its successor is. there were a lot of neat orms in python, but they were like the rails ones -- they created and required mindless not-scalable database schemas. sqlalchemy was nice, because you can quickly change the schema or map it to an existing db.

if i had to choose a python framework, i'd go for pylons or django -- they have the more impressive projects built with them out of all the frameworks, and they have the most varied. the other systems all seem to limit what you can do.

on a side note...
TAL is the best thing ever. you can jump between frameworks and languages , while keeping the same templates. some of the newer python templating toolkits are even better featured, but they lack the portability of tal. i'd strongly look into using it.

// Jonathan Vanasco

From skreuzer at exit2shell.com Tue Jul 3 15:54:21 2007
From: skreuzer at exit2shell.com (Steven Kreuzer)
Date: Tue, 3 Jul 2007 12:54:21 -0700
Subject: [nycbug-talk] Google tech talk: "How the FreeBSD Project Work"
Message-ID: <20070703195414.GA28844@clamps.exit2shell.com>

Robert Watson posted this to FreeBSD Advocacy mailing list.

I figured I would pass it along to this list, since it's a rather interesting talk.

SK

----- Forwarded message from Robert Watson -----

Date: Tue, 3 Jul 2007 20:15:23 +0100 (BST)
From: Robert Watson
To: advocacy at freebsd.org
Cc:
Subject: Google tech talk: "How the FreeBSD Project Works"

While at Google a couple of weeks ago, I gave my "How the FreeBSD Project Works" talk. The video from that is now online:

http://video.google.co.uk/videoplay?docid=-4400856579609253323

This is the same talk I've given previously at EuroBSDCon, AsiaBSDCon, UKUUG, and LinuxForum in the last six months; it's significantly enhanced from the version that I gave at BSDCan last year (the first time I gave it).
Robert N M Watson
Computer Laboratory
University of Cambridge

_______________________________________________
freebsd-advocacy at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-advocacy
To unsubscribe, send any mail to "freebsd-advocacy-unsubscribe at freebsd.org"

----- End forwarded message -----

--
Steven Kreuzer
http://www.exit2shell.com/~skreuzer

From pete at nomadlogic.org Tue Jul 3 16:48:46 2007
From: pete at nomadlogic.org (Peter Wright)
Date: Tue, 3 Jul 2007 13:48:46 -0700 (PDT)
Subject: [nycbug-talk] Google tech talk: "How the FreeBSD Project Work"
In-Reply-To: <20070703195414.GA28844@clamps.exit2shell.com>
References: <20070703195414.GA28844@clamps.exit2shell.com>
Message-ID: <62446.160.33.20.11.1183495726.squirrel@webmail.nomadlogic.org>

> Robert Watson posted this to FreeBSD Advocacy mailing list.
>
> I figured I would pass it along to this list, since its a rather
> interesting talk.
>

nice thanks steven! at usenix this year Kirk gave a similarly themed talk regarding FreeBSD's structure. i can't wait until i get a chance to hear robert's talk.

-p

--
~~oO00Oo~~
Peter Wright
pete at nomadlogic.org
www.nomadlogic.org/~pete
310.869.9459

From george at ceetonetechnology.com Tue Jul 3 17:03:02 2007
From: george at ceetonetechnology.com (George Rosamond)
Date: Tue, 03 Jul 2007 17:03:02 -0400
Subject: [nycbug-talk] Google tech talk: "How the FreeBSD Project Work"
In-Reply-To: <62446.160.33.20.11.1183495726.squirrel@webmail.nomadlogic.org>
References: <20070703195414.GA28844@clamps.exit2shell.com> <62446.160.33.20.11.1183495726.squirrel@webmail.nomadlogic.org>
Message-ID: <468AB986.6020401@ceetonetechnology.com>

Peter Wright wrote:
>> Robert Watson posted this to FreeBSD Advocacy mailing list.
>>
>> I figured I would pass it along to this list, since its a rather
>> interesting talk.
>>
>
> nice thanks steven! at usenix this year Kirk gave a similarly themed talk
> regarding FreeBSD's structure.
> i can't wait until i get a chance to hear
> robert's talk.
>
> -p
>

ditto. . .

Heard this talk a while back, and it's useful for insight about more than just running an open source project. . .

As I'm sure Ike will note at Thursday's meeting, there's some common things in successful projects, going back to the days pre-Unix. (yeah, we were just discussing on the phone. . .)

George

From ike at lesmuug.org Tue Jul 3 17:23:22 2007
From: ike at lesmuug.org (Isaac Levy)
Date: Tue, 3 Jul 2007 17:23:22 -0400
Subject: [nycbug-talk] Google tech talk: "How the FreeBSD Project Work"
In-Reply-To: <468AB986.6020401@ceetonetechnology.com>
References: <20070703195414.GA28844@clamps.exit2shell.com> <62446.160.33.20.11.1183495726.squirrel@webmail.nomadlogic.org> <468AB986.6020401@ceetonetechnology.com>
Message-ID: <7DD3C47F-136B-41BA-8D95-52F0CC34B5D5@lesmuug.org>

Hey All,

On Jul 3, 2007, at 5:03 PM, George Rosamond wrote:

> Heard this talk a while back, and it's useful for insight about more
> than just running an open source project. . .

Yeah! Well worth watching...

From AsiaBSDCon, Robert Watson gave this talk right next to Ryan McBride speaking about the structure of the OpenBSD project. They all had a lot of cross-pollination and good stuff to discuss after the meeting:

http://diversaform.com/asiabsdcon2007/index-Pages/Image163.html
http://diversaform.com/asiabsdcon2007/index-Pages/Image164.html

> As I'm sure Ike will note at Thursday's meeting, there's some common
> things in successful projects, going back to the days pre-Unix.

Well, there's common things with failed projects too... :)

A big point I took from this lecture is that it's ALL ABOUT PEOPLE.
Rocket-
.ike

From kacanski_s at yahoo.com Wed Jul 4 22:50:48 2007
From: kacanski_s at yahoo.com (Aleksandar Kacanski)
Date: Wed, 4 Jul 2007 19:50:48 -0700 (PDT)
Subject: [nycbug-talk] Django Web Framework
Message-ID: <383264.50681.qm@web53608.mail.re2.yahoo.com>

I found personally that apache, if configured properly, proxy_passes python and java applications just fine under high load. There are issues, but depending on the app business logic and infrastructure architecture you might be better with different lighter implementations of the http/proxy app stack. I also used apache with and without "keep alive" and again ran it just fine under both light, simulated high and prod concurrent traffic.

Aleksandar (Sasha) Kacanski

----- Original Message ----
From: Jonathan Vanasco
To: NYCBUG List
Sent: Tuesday, July 3, 2007 12:54:27 PM
Subject: Re: [nycbug-talk] Django Web Framework

On Jul 2, 2007, at 8:15 PM, michael wrote:

> First.. what happened to good 'ol Perl? [grin]
>

still very active. mod_perl still dominates the ecommerce enterprise market and many of the top visited sites. and to be nycbug related... all the IAC properties ( ticketmaster, evite, etc ) run perl on a freebsd server farm. freebsd is actually the only quasi-officially supported platform for mod-perl/libapreq -- one of the core devs ports new releases to the ports tree as soon as they're released. none of the other operating systems get that :) i think the closest is CentOS which is only 2 versions behind the current.

> Django, Turbogears, and Pylons are *some* of the top choices.
> There is
> ....
> Also.. reading up on WSGI, python's "Web Server Gateway Interface"
> is suggested.
>

all those apps were migrating to WSGI middleware spec last time i touched them...

> 127.0.0.1:5000 (or whatever port you choose) and have Apache proxypass
> requests. This is REALLY flexible when scaling. Apache can do what
> it is good at: handling traffic.
> One could see redundant Apaches,
> passing to redundant webapp servers behind the firewall.. with
> potentially redundant database servers.
>

that's wrong. apache is f***ing awful at handling traffic. you'll hit a huge bottleneck in your system if apache is proxypassing to everything else. run something like nginx , lighttpd , squid, or any of the other micro-servers / proxy servers. they're built for handling traffic.

apache is built for getting http done right -- no one comes close to it being correct and stable like that, but it does so at the cost of speed and memory. apache dies under high concurrency though. there have been tons of keepalive issues too. unless you're using apache for a specific apache feature, you're best off staying away.

> Of course you could remove Apache all together and go lighty!
>

not if you're proxying. unless they fixed that damn memory leak finally-- i was reporting it every day for 2 months, and it never got fixed. i recall bob was leaking 60mb an hour on mochimedia or something stupid big like that. i just don't trust lighty-- i mean it's written by a mysql dev in his spare time ! (though jan might be the smartest person at mysql)

I don't know pylons well, so I won't speak to it... but my experience with Django & TurboGears was this:

Django worked very well, but was so ingrained to a publishing model that i couldn't use it. That's apparently changed a lot -- it's way more flexible now. that new site pownce is running it ( which amazed me, it has a very twisted python feature set )

TurboGears seems like a good idea... But it's honestly a mess. i don't want to go into details, but I learned my lesson trying to use it and be active on the development. unless it's been rewritten from scratch and svn privs from the bulk of committers revoked, i would not run it at all.

whatever you choose, i strongly suggest using sqlalchemy or whatever its successor is.
there were a lot of neat orms in python, but they were like the rails ones -- they created and required mindless not-scalable database schemas. sqlalchemy was nice, because you can quickly change the schema or map it to an existing db.

if i had to choose a python framework, i'd go for pylons or django -- they have the more impressive projects built with them out of all the frameworks, and they have the most varied. the other systems all seem to limit what you can do.

on a side note...

TAL is the best thing ever. you can jump between frameworks and languages , while keeping the same templates. some of the newer python templating toolkits are even better featured, but they lack the portability of tal. i'd strongly look into using it.

// Jonathan Vanasco

From pete at nomadlogic.org Thu Jul 5 11:21:54 2007
From: pete at nomadlogic.org (Peter Wright)
Date: Thu, 5 Jul 2007 08:21:54 -0700 (PDT)
Subject: [nycbug-talk] Mailing List Etiquette
Message-ID: <25399.160.33.20.11.1183648914.squirrel@webmail.nomadlogic.org>

Ahh - it's time once again for my Mailing List Etiquette email.

Sorry folks, but top posting, taking topics OT etc is considered rude to some - and makes our archives hard to read and follow. Here's our guidelines, please review them:

http://www.nycbug.org/index.php?NAV=MailingLists

Thanks!
-pete

--
~~oO00Oo~~
Peter Wright
pete at nomadlogic.org
www.nomadlogic.org/~pete
310.869.9459

From nikolai at fetissov.org Fri Jul 6 11:25:27 2007
From: nikolai at fetissov.org (nikolai)
Date: Fri, 6 Jul 2007 11:25:27 -0400 (EDT)
Subject: [nycbug-talk] July 2007 meeting audio
Message-ID: <3805.63.66.6.15.1183735527.squirrel@www.geekisp.com>

Folks,

Audio of Ike's presentation is online at
http://www.fetissov.org/public/nycbug/

Cheers.
--
Nikolai

From bonsaime at gmail.com Fri Jul 6 14:25:55 2007
From: bonsaime at gmail.com (Jesse Callaway)
Date: Fri, 6 Jul 2007 14:25:55 -0400
Subject: [nycbug-talk] July 2007 meeting audio
In-Reply-To: <3805.63.66.6.15.1183735527.squirrel@www.geekisp.com>
References: <3805.63.66.6.15.1183735527.squirrel@www.geekisp.com>
Message-ID:

> Folks,
>
> Audio of Ike's presentation is online at
> http://www.fetissov.org/public/nycbug/
>
> Cheers.
> --
> Nikolai

Thanks

-jesse

From ike at lesmuug.org Sat Jul 7 19:11:27 2007
From: ike at lesmuug.org (Isaac Levy)
Date: Sat, 7 Jul 2007 19:11:27 -0400
Subject: [nycbug-talk] Mailing List Etiquette
In-Reply-To: <25399.160.33.20.11.1183648914.squirrel@webmail.nomadlogic.org>
References: <25399.160.33.20.11.1183648914.squirrel@webmail.nomadlogic.org>
Message-ID:

Word,

On Jul 5, 2007, at 11:21 AM, Peter Wright wrote:
-snip-
> Sorry folks, but top posting, taking topics OT etc is considered
> rude to some -
> and makes our archives hard to read and follow.
-snip-
> http://www.nycbug.org/index.php?NAV=MailingLists
>
> Thanks!
> -pete

No need to apologize Pete, thanks for posting the link again. The rules are truly a sanity thing!
Rocket-
.ike

From george at ceetonetechnology.com Mon Jul 9 15:46:49 2007
From: george at ceetonetechnology.com (George Rosamond)
Date: Mon, 09 Jul 2007 15:46:49 -0400
Subject: [nycbug-talk] NYCBSDCon 2007 status
Message-ID: <469290A9.3070801@ceetonetechnology.com>

After a few years of massive successes, we have received many on and off line queries about the status of NYCBSDCon for 2007.

As usual, we started working on space for the conference early in the spring. Unfortunately, Columbia University is *not* available this year.

We have been dealing with multiple locations, with no success. We were confident a month and more back that New York University would be ideal, but their fees and restrictions are exceedingly high. If we were holding some $800-a-day conference, it would have been fine, but that's not what NYCBSDCon is about. For anyone who's attended, this should be clear.

Many people have assisted us in this quest for a space. . . particularly some NYU people who we had previously not known.

New York is a difficult place to find inexpensive space, particularly after 9/11 and the real estate boom. Manhattan real estate continues to boom and conference space fees do not soften.

We have one more university that we are waiting on for a response to our application. . . We should know the answer by the end of the month.

However, if that space does *not* work out, we will be postponing NYCBSDCon to 2008. We already have to push the conference further to the end of the year. Any longer would be too long. We can't even do a call for papers until we have a space, so it just wouldn't be plausible to have the conference this year.

And now it comes to *your* role.

If anyone has any leads to decent conference space that would work for NYCBSDCon, please let me know offlist.

But if we don't find the right space at the decent fees and reasonable restrictions, then we'll have to put off the con until next year.

Thanks. . .
George

From spork at bway.net Mon Jul 9 18:14:56 2007
From: spork at bway.net (Charles Sprickman)
Date: Mon, 9 Jul 2007 18:14:56 -0400 (EDT)
Subject: [nycbug-talk] NYCBSDCon 2007 status
In-Reply-To: <469290A9.3070801@ceetonetechnology.com>
References: <469290A9.3070801@ceetonetechnology.com>
Message-ID:

I am blatantly violating the top-posting rule with this word:

Jersey!

:)

On Mon, 9 Jul 2007, George Rosamond wrote:

> After a few years of massive successes, we have received many on and off
> line queries about the status of NYCBSDCon for 2007.
>
> As usual, we started working on space for the conference early in the
> spring. Unfortunately, Columbia University is *not* available this year.
>
> We have been dealing with multiple locations, with no success. We were
> confident a month and more back that New York University would be ideal,
> but their fees and restrictions are exceedingly high. If we were holding
> some $800-a-day conference, it would have been fine, but that's not what
> NYCBSDCon is about. For anyone who's attended, this should be clear.
>
> Many people have assisted us in this quest for a space. . . particularly
> some NYU people who we had previously not known.
>
> New York is a difficult place to find inexpensive space, particularly
> after 9/11 and the real estate boom. Manhattan real estate continues to
> boom and conference space fees do not soften.
>
> We have one more university that we are waiting on for a response to our
> application. . . We should know the answer by the end of the month.
>
> However, if that space does *not* work out, we will be postponing
> NYCBSDCon to 2008. We already have to push the conference further to
> the end of the year. Any longer would be too long. We can't even do a
> call for papers until we have a space, so it just wouldn't be plausible
> to have the conference this year.
>
> And now it comes to *your* role.
>
> If anyone has any leads to decent conference space that would work for NYCBSDCon, please let me know offlist.
>
> But if we don't find the right space at the decent fees and reasonable restrictions, then we'll have to put off the con until next year.
>
> Thanks. . .
>
> George
> _______________________________________________
> % NYC*BUG talk mailing list
> http://lists.nycbug.org/mailman/listinfo/talk
> %Be sure to check out our Jobs and NYCBUG-announce lists
> %We meet the first Wednesday of the month

From pete at nomadlogic.org Tue Jul 10 13:11:11 2007
From: pete at nomadlogic.org (Peter Wright)
Date: Tue, 10 Jul 2007 10:11:11 -0700 (PDT)
Subject: [nycbug-talk] NYCBSDCon 2007 status
In-Reply-To:
References: <469290A9.3070801@ceetonetechnology.com>
Message-ID: <32853.24.187.125.146.1184087471.squirrel@webmail.nomadlogic.org>

> I am blatantly violating the top-posting rule with this word:
>
> Jersey!

lol - so it'd be NJBSDCon.

seriously though - it may be cheaper, but the main perk for me attending nycbsdcon is the fact that it's in the city (as i'm an out of towner these days).

-p
--
~~oO00Oo~~
Peter Wright
pete at nomadlogic.org
www.nomadlogic.org/~pete
310.869.9459

From jkeen at verizon.net Tue Jul 10 20:52:41 2007
From: jkeen at verizon.net (James Keenan)
Date: Tue, 10 Jul 2007 20:52:41 -0400
Subject: [nycbug-talk] NYCBSDCon 2007 status
In-Reply-To:
References:
Message-ID: <2077FD82-5C18-4CBC-9949-8D16F010181F@verizon.net>

In reply to:

> Date: Mon, 09 Jul 2007 15:46:49 -0400
> From: George Rosamond
> Subject: [nycbug-talk] NYCBSDCon 2007 status
> To: NYCBUG
>
> [snip]
> New York is a difficult place to find inexpensive space, particularly after 9/11 and the real estate boom. Manhattan real estate continues to boom and conference space fees do not soften.
>
> We have one more university that we are waiting on for a response to our application. . . We should know the answer by the end of the month.
>
> However, if that space does *not* work out, we will be postponing NYCBSDCon to 2008. We already had to push the conference further to the end of the year. Any longer would be too long. We can't even do a call for papers until we have a space, so it just wouldn't be plausible to have the conference this year.
>
> And now it comes to *your* role.
>
> If anyone has any leads to decent conference space that would work for NYCBSDCon, please let me know offlist.

I will be very eager to hear of any success on your part in this matter. For several years I've been trying to think about how the local Perl community might stage YAPC (Yet Another Perl Conference) here -- or even a more modest affair like a weekend hackathon. No bright ideas so far!

In any event, I enjoyed the 2005 NYCBSDCon and hope to attend the next one, whenever/wherever that might be.

Jim Keenan

From george at ceetonetechnology.com Wed Jul 11 20:51:22 2007
From: george at ceetonetechnology.com (George Rosamond)
Date: Wed, 11 Jul 2007 20:51:22 -0400
Subject: [nycbug-talk] Ike on BSDTalk
Message-ID:

Last night Will of BSDTalk interviewed Ike on his last meeting about "The Real Unix Tradition". . .

The audio is now up at http://cisx1.uma.maine.edu/~wbackman/bsdtalk/bsdtalk120.mp3

I'm so happy he didn't even mention jails. . . . ;-'

g

From kacanski_s at yahoo.com Sat Jul 14 14:15:24 2007
From: kacanski_s at yahoo.com (Aleksandar Kacanski)
Date: Sat, 14 Jul 2007 11:15:24 -0700 (PDT)
Subject: [nycbug-talk] (no subject)
Message-ID: <594368.56475.qm@web53604.mail.re2.yahoo.com>

Hello,

I have been having interesting discussions regarding security implementation of the multi-tier web architecture. Long ago I used to be a proponent of the fw-per-layer approach. This would boil down to a fw before and between the web tier and application, and one between the db or any other back-end form of metadata silo(s).
Through experience and lengthy troubleshooting sessions I am wary of FWs and persistent connections, and work around with socket_keepalive properties. I am specifically referring to apache and the ajp proxy plugin, but I saw a number of production issues with real proxy servers and fw. These days I prefer to have a fw fronting some sort of load balancer on the unsecure subnet and to move the web tier to a private network without a fw between it and the app stack. A second instance of the fw I add between the application portal and metadata silo. I see no gain in having web servers in the DMZ just to terminate http traffic in the DMZ zone. In my opinion possible exploits will be executed against business logic and application content and/or the "database layer". The web tier is strictly being used to "proxy" dynamic content at this point via a binary protocol.

Any views or comments?

Regards,

Aleksandar (Sasha) Kacanski (NYUMC)

From mspitzer at gmail.com Sat Jul 14 16:45:54 2007
From: mspitzer at gmail.com (Marc Spitzer)
Date: Sat, 14 Jul 2007 16:45:54 -0400
Subject: [nycbug-talk] (no subject)
In-Reply-To: <594368.56475.qm@web53604.mail.re2.yahoo.com>
References: <594368.56475.qm@web53604.mail.re2.yahoo.com>
Message-ID: <8c50a3c30707141345o77786a98t2b46e680cef646f@mail.gmail.com>

On 7/14/07, Aleksandar Kacanski wrote:
>
> Hello,
> I have been having interesting discussions regarding security implementation of the multi-tier web architecture. Long ago I used to be a proponent of the fw-per-layer approach. This would boil down to a fw before and between the web tier and application, and one between the db or any other back-end form of metadata silo(s).
> Through experience and lengthy troubleshooting sessions I am wary of FWs and persistent connections, and work around with socket_keepalive properties. I am specifically referring to apache and the ajp proxy plugin, but I saw a number of production issues with real proxy servers and fw. These days I prefer to have a fw fronting some sort of load balancer on the unsecure subnet and to move the web tier to a private network without a fw between it and the app stack. A second instance of the fw I add between the application portal and metadata silo. I see no gain in having web servers in the DMZ just to terminate http traffic in the DMZ zone. In my opinion possible exploits will be executed against business logic and application content and/or the "database layer". The web tier is strictly being used to "proxy" dynamic content at this point via a binary protocol.
>
> Any views or comments?
> Regards,
>
> Aleksandar (Sasha) Kacanski (NYUMC)

Well, not that I'm all that much of an expert on this stuff, and being in love with the sound of my own voice, here is my take on it:

Looks reasonable. The only thing is you need to also have an application level firewall in the mix. A proxy firewall to inspect all inbound http/s traffic for bad things; buffer overflows, sql injection and out-of-bounds values (i.e. what happens when I order -3 TVs) come to mind. From what I read I think you are talking about stateful packet filters as your firewalls.

The thing about proxies is that to truly use them you need a lot of information about how the app behaves, good urls, form vars with acceptable values etc. This is time consuming and also may require more money to be spent on hardware/licenses.

I won't talk about unicode, it's evil.

marc
--
Freedom is nothing but a chance to be better.
Albert Camus

From nycbug-list at 2xlp.com Sat Jul 14 20:37:31 2007
From: nycbug-list at 2xlp.com (Jonathan Vanasco)
Date: Sat, 14 Jul 2007 20:37:31 -0400
Subject: [nycbug-talk] (no subject)
In-Reply-To: <8c50a3c30707141345o77786a98t2b46e680cef646f@mail.gmail.com>
References: <594368.56475.qm@web53604.mail.re2.yahoo.com> <8c50a3c30707141345o77786a98t2b46e680cef646f@mail.gmail.com>
Message-ID: <24949F7C-FE43-4946-932C-C852C3949E00@2xlp.com>

On Jul 14, 2007, at 4:45 PM, Marc Spitzer wrote:
> Looks reasonable. The only thing is you need to also have an application level firewall in the mix. A proxy firewall to inspect all inbound http/s traffic for bad things;

that's always good.

> sql injection and out-of-bounds values (i.e. what happens when I order -3 TVs) come to mind.

that is really really bad. it creates a false sense of security. it's a good thing to have, but your underlying webapp should be able to handle that (i.e., always use bind with sql, escape / validate input, etc). if you're an admin, and you do that to safeguard yourself against bad programmers -- great. but if you're a programmer, you shouldn't know/expect any of that to exist.

that's just a sore spot for me.

On Jul 14, 2007, at 2:15 PM, Aleksandar Kacanski wrote:
> Through experience and lengthy troubleshooting sessions I am wary of FWs and persistent connections, and work around with socket_keepalive properties. I am specifically referring to apache and the ajp proxy plugin, but I saw a number of production issues with real proxy servers and fw.

i don't know about the ajp proxy plugin. apache + keepalive can create lots of issues though.

i do a lot of mod_perl programming, and keepalive can often jam the whole damn server, which makes me want to FOI)(@*#@#* break apache. to combat that, i run nginx on port 80 and then proxy to apache when needed. nginx can handle the keepalive requests without blocking, and a keepalive between apache & nginx makes stuff run even faster.
// Jonathan Vanasco
| CEO/Founder SyndiClick Networks
| Founder/CTO/CVO
| FindMeOn.com - The cure for Multiple Web Personality Disorder
| Web Identity Management and 3D Social Networking
| RoadSound.com - Tools For Bands, Stuff For Fans
| Collaborative Online Management And Syndication Tools

From mspitzer at gmail.com Sat Jul 14 21:56:52 2007
From: mspitzer at gmail.com (Marc Spitzer)
Date: Sat, 14 Jul 2007 21:56:52 -0400
Subject: [nycbug-talk] (no subject)
In-Reply-To: <24949F7C-FE43-4946-932C-C852C3949E00@2xlp.com>
References: <594368.56475.qm@web53604.mail.re2.yahoo.com> <8c50a3c30707141345o77786a98t2b46e680cef646f@mail.gmail.com> <24949F7C-FE43-4946-932C-C852C3949E00@2xlp.com>
Message-ID: <8c50a3c30707141856y3dff5d32g9f6d815681718f26@mail.gmail.com>

On 7/14/07, Jonathan Vanasco wrote:
>
> On Jul 14, 2007, at 4:45 PM, Marc Spitzer wrote:
> > Looks reasonable. The only thing is you need to also have an application level firewall in the mix. A proxy firewall to inspect all inbound http/s traffic for bad things;
>
> that's always good.
>
> > sql injection and out-of-bounds values (i.e. what happens when I order -3 TVs) come to mind.
>
> that is really really bad. it creates a false sense of security. it's a good thing to have, but your underlying webapp should be able to handle that (i.e., always use bind with sql, escape / validate input, etc). if you're an admin, and you do that to safeguard yourself against bad programmers -- great. but if you're a programmer, you shouldn't know/expect any of that to exist.
>
> that's just a sore spot for me.

It is part of defense in depth. Face it, people screw up all the time, myself included, and having 2 ways to be "safe" is better than 1. Also things like -3 TVs should be checked by unit tests before it ever gets to production. I think that most problems are caused by a lack of discipline not ignorance or malice. Especially when deadlines loom people can be pressured into doing things that may be less than good.

>
> On Jul 14, 2007, at 2:15 PM, Aleksandar Kacanski wrote:
>
> > Through experience and lengthy troubleshooting sessions I am wary of FWs and persistent connections, and work around with socket_keepalive properties. I am specifically referring to apache and the ajp proxy plugin, but I saw a number of production issues with real proxy servers and fw.
>
> i don't know about the ajp proxy plugin. apache + keepalive can create lots of issues though.
>
> i do a lot of mod_perl programming, and keepalive can often jam the whole damn server, which makes me want to FOI)(@*#@#* break apache. to combat that, i run nginx on port 80 and then proxy to apache when needed. nginx can handle the keepalive requests without blocking, and a keepalive between apache & nginx makes stuff run even faster.

That is good to know

marc
--
Freedom is nothing but a chance to be better.
Albert Camus

From kacanski_s at yahoo.com Sun Jul 15 09:48:33 2007
From: kacanski_s at yahoo.com (Aleksandar Kacanski)
Date: Sun, 15 Jul 2007 06:48:33 -0700 (PDT)
Subject: [nycbug-talk] (no subject)
In-Reply-To: <8c50a3c30707141856y3dff5d32g9f6d815681718f26@mail.gmail.com>
Message-ID: <423338.7862.qm@web53605.mail.re2.yahoo.com>

--- Marc Spitzer wrote:

> On 7/14/07, Jonathan Vanasco wrote:
> >
> > On Jul 14, 2007, at 4:45 PM, Marc Spitzer wrote:
> > > Looks reasonable. The only thing is you need to also have an application level firewall in the mix.
> > > A proxy firewall to inspect all inbound http/s traffic for bad things;
> >
> > that's always good.
>

I am counting on the application level firewall, specifically between apps and database sources. What concerns me is the web to app layer. Using specialized bridges to pass through dynamic content is something that I prefer to leave to run without being inspected by the fw.

> >
> > > sql injection and out-of-bounds values (i.e. what happens when I order -3 TVs) come to mind.
> >
> > that is really really bad. it creates a false sense of security. it's a good thing to have, but your underlying webapp should be able to handle that (i.e., always use bind with sql, escape / validate input, etc). if you're an admin, and you do that to safeguard yourself against bad programmers -- great. but if you're a programmer, you shouldn't know/expect any of that to exist.
> >
> > that's just a sore spot for me.
>

I am a firm believer that you need to do a good job on the app stack and a solid amount of profiling and regression testing. I also like to audit the application stack, instead of terminating the http protocol in the DMZ and declaring that the web tier is isolated and we are "now" protected. Ignorance is bliss, but I do not need to deal with folks like that on a daily basis, especially when they represent security policies.

> It is part of defense in depth. Face it, people screw up all the time, myself included, and having 2 ways to be "safe" is better than 1. Also things like -3 TVs should be checked by unit tests before it ever gets to production. I think that most problems are caused by a lack of discipline not ignorance or malice. Especially when deadlines loom people can be pressured into doing things that may be less than good.
>

Aside from some fancy filtering appliance that can detect signatures of a possible malicious attack by inspecting a packet, again I see no benefit of having packets going through the stateful appliance between web and app tier.

> >
> > On Jul 14, 2007, at 2:15 PM, Aleksandar Kacanski wrote:
> >
> > > Through experience and lengthy troubleshooting sessions I am wary of FWs and persistent connections, and work around with socket_keepalive properties. I am specifically referring to apache and the ajp proxy plugin, but I saw a number of production issues with real proxy servers and fw.
> >
> > i don't know about the ajp proxy plugin. apache + keepalive can create lots of issues though.
> >
> > i do a lot of mod_perl programming, and keepalive can often jam the whole damn server, which makes me want to FOI)(@*#@#* break apache. to combat that, i run nginx on port 80 and then proxy to apache when needed. nginx can handle the keepalive requests without blocking, and a keepalive between apache & nginx makes stuff run even faster.
>
> That is good to know
>
> marc
> --
> Freedom is nothing but a chance to be better.
> Albert Camus

--Aleksandar (Sasha) Kacanski
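An added example (mine, not code from anyone in the thread) that works through the "-3 TVs" and bind-variable points Marc and Jonathan raise above, together with the regression testing Sasha mentions: the string-built query a proxy firewall would be asked to police, the bind-variable version beside it, application-side validation of the quantity, and a database CHECK constraint as the second layer of Marc's defense in depth. It is written against Python's bundled sqlite3 rather than the mod_perl or AJP stacks discussed; the schema, SKUs and the 100-unit limit are constructed for the demonstration.

```python
"""The '-3 TVs' case from the thread: bind variables, input validation, and a
database CHECK constraint as the second layer. Constructed SQLite example."""
import sqlite3

MAX_QTY = 100  # constructed per-line business limit; the CHECK below mirrors it


def open_store() -> sqlite3.Connection:
    """Create the constructed schema and sample catalogue (not a real shop)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT NOT NULL, price_cents INTEGER NOT NULL);
        CREATE TABLE orders (
            id INTEGER PRIMARY KEY,
            sku TEXT NOT NULL REFERENCES products(sku),
            -- database-side layer: rejects -3 even if the application forgets to check
            quantity INTEGER NOT NULL CHECK (quantity > 0 AND quantity <= 100)
        );
        INSERT INTO products VALUES ('TV-42', '42in TV', 49900);
        INSERT INTO products VALUES ('TV-55', '55in TV', 89900);
        INSERT INTO products VALUES ('HDMI-2M', 'HDMI cable', 1500);
        """
    )
    return db


def find_product_unsafe(db: sqlite3.Connection, name: str) -> list:
    """String-built query: user input becomes SQL, so a quote in it changes the query."""
    sql = "SELECT sku FROM products WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


def find_product(db: sqlite3.Connection, name: str) -> list:
    """Bind-variable version: the driver passes `name` as data, never as SQL text."""
    rows = db.execute("SELECT sku FROM products WHERE name = ?", (name,))
    return [row[0] for row in rows]


def parse_quantity(raw) -> int:
    """Validate the quantity before it reaches SQL; ValueError on anything odd."""
    if isinstance(raw, bool) or not isinstance(raw, (int, str)):
        raise ValueError("quantity must be an integer")
    try:
        qty = int(raw)  # int() accepts "3" and " 3 ", rejects "3.5", "1e2" and ""
    except ValueError:
        raise ValueError("quantity must be an integer") from None
    if qty < 1:
        raise ValueError("quantity must be positive")  # the -3 TVs case
    if qty > MAX_QTY:
        raise ValueError("quantity exceeds per-line maximum")
    return qty


def place_order(db: sqlite3.Connection, sku: str, raw_quantity) -> int:
    """Application path: validate, then insert with bind variables. Returns the order id."""
    qty = parse_quantity(raw_quantity)
    cur = db.execute("INSERT INTO orders (sku, quantity) VALUES (?, ?)", (sku, qty))
    db.commit()
    return cur.lastrowid


def db_layer_rejects(db: sqlite3.Connection, sku: str, qty: int) -> bool:
    """Skip application validation on purpose to show the CHECK constraint catching it."""
    try:
        db.execute("INSERT INTO orders (sku, quantity) VALUES (?, ?)", (sku, qty))
    except sqlite3.IntegrityError:
        db.rollback()
        return True
    db.rollback()
    return False


def run_checks() -> dict:
    """Regression checks of the kind that belong in the build, not in production."""
    db = open_store()
    probe = "nope' OR '1'='1"  # constructed input that turns the unsafe query into 'match everything'
    results = {
        "unsafe_returns_whole_table": len(find_product_unsafe(db, probe)) == 3,
        "bound_query_returns_nothing": find_product(db, probe) == [],
        "bound_query_still_finds_tv": find_product(db, "42in TV") == ["TV-42"],
    }
    bad_inputs = ("-3", 0, "3.5", "three", MAX_QTY + 1, "", None)
    rejected = 0
    for bad in bad_inputs:
        try:
            parse_quantity(bad)
        except ValueError:
            rejected += 1
    results["app_rejects_every_bad_quantity"] = rejected == len(bad_inputs)
    results["valid_order_accepted"] = place_order(db, "TV-42", " 2 ") == 1
    results["db_rejects_minus_three"] = db_layer_rejects(db, "TV-42", -3)
    db.close()
    return results


if __name__ == "__main__":
    for check, ok in run_checks().items():
        print("PASS" if ok else "FAIL", check)
```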
From nycbug-list at 2xlp.com Sun Jul 15 12:54:11 2007
From: nycbug-list at 2xlp.com (Jonathan Vanasco)
Date: Sun, 15 Jul 2007 12:54:11 -0400
Subject: [nycbug-talk] (no subject)
In-Reply-To: <8c50a3c30707141856y3dff5d32g9f6d815681718f26@mail.gmail.com>
References: <594368.56475.qm@web53604.mail.re2.yahoo.com> <8c50a3c30707141345o77786a98t2b46e680cef646f@mail.gmail.com> <24949F7C-FE43-4946-932C-C852C3949E00@2xlp.com> <8c50a3c30707141856y3dff5d32g9f6d815681718f26@mail.gmail.com>
Message-ID: <7FFBCF5D-AC32-47B9-A81C-76B4E488BB27@2xlp.com>

On Jul 14, 2007, at 9:56 PM, Marc Spitzer wrote:
> It is part of defense in depth. Face it, people screw up all the time, myself included, and having 2 ways to be "safe" is better than 1. Also things like -3 TVs should be checked by unit tests before it ever gets to production. I think that most problems are caused by a lack of discipline not ignorance or malice. Especially when deadlines loom people can be pressured into doing things that may be less than good.

As long as it is a backup, and not relied upon, it's fine. once you introduce it as something people rely on, it makes for bad coding.

since you're also introducing something that is standardized here, you also start opening yourself up to new security holes -- and you have hackers not only looking to exploit your webapp, but mod_sec or whatever other standard firewall app they figure you're running and can look for known exploits on.

those apps are great to bolster a strong defense, but as the only defense it's irresponsible.
From mspitzer at gmail.com Mon Jul 16 02:20:43 2007
From: mspitzer at gmail.com (Marc Spitzer)
Date: Mon, 16 Jul 2007 02:20:43 -0400
Subject: [nycbug-talk] (no subject)
In-Reply-To: <7FFBCF5D-AC32-47B9-A81C-76B4E488BB27@2xlp.com>
References: <594368.56475.qm@web53604.mail.re2.yahoo.com> <8c50a3c30707141345o77786a98t2b46e680cef646f@mail.gmail.com> <24949F7C-FE43-4946-932C-C852C3949E00@2xlp.com> <8c50a3c30707141856y3dff5d32g9f6d815681718f26@mail.gmail.com> <7FFBCF5D-AC32-47B9-A81C-76B4E488BB27@2xlp.com>
Message-ID: <8c50a3c30707152320w6b8c781amcfc6dfdd9e599c66@mail.gmail.com>

On 7/15/07, Jonathan Vanasco wrote:
>
> On Jul 14, 2007, at 9:56 PM, Marc Spitzer wrote:
>
> > It is part of defense in depth. Face it, people screw up all the time, myself included, and having 2 ways to be "safe" is better than 1. Also things like -3 TVs should be checked by unit tests before it ever gets to production. I think that most problems are caused by a lack of discipline not ignorance or malice. Especially when deadlines loom people can be pressured into doing things that may be less than good.
>
> As long as it is a backup, and not relied upon, it's fine. once you introduce it as something people rely on, it makes for bad coding.
>
> since you're also introducing something that is standardized here, you also start opening yourself up to new security holes -- and you have hackers not only looking to exploit your webapp, but mod_sec or whatever other standard firewall app they figure you're running and can look for known exploits on.
>
> those apps are great to bolster a strong defense, but as the only defense it's irresponsible.
>

I think I did mention unit tests. But you only test, and code for, things you think can happen. And things that cannot happen happen all the time in computers. The question is how much paranoia is prudent and that is something that changes from person to person and project to project.

I also did not say they were the only defense, just that it should be added to the existing defenses. The idea that you will not have exploitable code in your system is foolish, web servers have bugs after all. What you will have is code that you think is safe, good code/app/webserver *and* properly configured, but sooner or later you will find out you were wrong or you won't find out, which could be much worse. And yes, firewalls have had exploitable code also. But the idea is to have a layered defense here and I have just recommended adding a layer, not lessening the other layers.

marc
--
Freedom is nothing but a chance to be better.
Albert Camus

From george at ceetonetechnology.com Fri Jul 20 11:02:24 2007
From: george at ceetonetechnology.com (George Rosamond)
Date: Fri, 20 Jul 2007 11:02:24 -0400
Subject: [nycbug-talk] BSD Cert beta exam
Message-ID:

As many of you know, BSD Certification has been holding a number of beta tests at various events around the world. It's free to take the beta, and while you won't be "BSD Certified," you will receive a discount on the real thing.

The need for feedback is vital for the full launch.

http://tinyurl.com/2hvsvv

So, as a quick non-scientific poll. . .
Who would be interested in taking a beta test on August 4, a Saturday, in downtown Manhattan?

More details to come, but the above URL will give you enough info on the exam length, etc.

A LOT of work has gone into this effort, including from a wide variety of NYCBUG people, and this is a huge step toward the end goal.

George

From nycbug at cyth.net Fri Jul 20 11:18:35 2007
From: nycbug at cyth.net (Ray Lai)
Date: Fri, 20 Jul 2007 11:18:35 -0400
Subject: [nycbug-talk] BSD Cert beta exam
In-Reply-To:
References:
Message-ID: <20070720151858.GI28890@cybertron.cyth.net>

On Fri, Jul 20, 2007 at 11:02:24AM -0400, George Rosamond wrote:
> Who would be interested in taking a beta test on August 4, a Saturday, in downtown Manhattan?

I am.

-Ray-

From bonsaime at gmail.com Sat Jul 21 10:45:07 2007
From: bonsaime at gmail.com (Jesse Callaway)
Date: Sat, 21 Jul 2007 10:45:07 -0400
Subject: [nycbug-talk] BSD Cert beta exam
In-Reply-To:
References:
Message-ID:

On 7/20/07, George Rosamond wrote:
> As many of you know, BSD Certification has been holding a number of beta tests at various events around the world. It's free to take the beta, and while you won't be "BSD Certified," you will receive a discount on the real thing.
>
> The need for feedback is vital for the full launch.
>
> http://tinyurl.com/2hvsvv
>
> So, as a quick non-scientific poll. . .
>
> Who would be interested in taking a beta test on August 4, a Saturday, in downtown Manhattan?
>

...

I'll do that... how many people do you need to make it an event?

+1

-jesse

From george at ceetonetechnology.com Sat Jul 21 10:48:31 2007
From: george at ceetonetechnology.com (George Rosamond)
Date: Sat, 21 Jul 2007 10:48:31 -0400
Subject: [nycbug-talk] BSD Cert beta exam
In-Reply-To:
References:
Message-ID: <46A21CBF.4060701@ceetonetechnology.com>

Jesse Callaway wrote:
> On 7/20/07, George Rosamond wrote:
>> As many of you know, BSD Certification has been holding a number of beta tests at various events around the world.
>> It's free to take the beta, and while you won't be "BSD Certified," you will receive a discount on the real thing.
>>
>> The need for feedback is vital for the full launch.
>>
>> http://tinyurl.com/2hvsvv
>>
>> So, as a quick non-scientific poll. . .
>>
>> Who would be interested in taking a beta test on August 4, a Saturday, in downtown Manhattan?
>>
>
> ...
>
> I'll do that... how many people do you need to make it an event?
>
> +1
>
> -jesse

At least a dozen or so. . . but we should aim for more. . .

We're on our way. . .

George

From njt at ayvali.org Wed Jul 25 17:55:52 2007
From: njt at ayvali.org (N.J. Thomas)
Date: Wed, 25 Jul 2007 17:55:52 -0400
Subject: [nycbug-talk] OT: cheap usenet
Message-ID: <20070725215550.GG30757@ayvali.org>

I canceled my old university account some time back and along with that went my last access to a proper Usenet server.

I have a great provider here in NYC providing me with shell access, email, web hosting, etc. for a great price, but they don't provide any newsfeeds.

Can someone recommend a service/site that provides Usenet access?

My requirements:

- cheap: I don't mind paying monthly/yearly charges, but I don't want to pay an arm and a leg for what is more or less non-essential for me

- groups: no alt.binaries.* needed, I only read rec.humor.funny and the comp.* groups.

- access: I must be able to access it via FreeBSD/slrn -- I don't want to jump through any proprietary-OS authentication schemes.

I've heard good things about Giganews, but I think they market themselves towards people who want to download binaries and their pricing plans reflect that. Their cheapest plan (Bronze) is $8 per month. This is what I am thinking of going with.

Usenet.com offers a $4.95/month service, which sounds about right, but I only found them through a web search -- I've not heard anything about them yet.

Any advice appreciated.
Thomas

From mspitzer at gmail.com Wed Jul 25 18:08:26 2007
From: mspitzer at gmail.com (Marc Spitzer)
Date: Wed, 25 Jul 2007 18:08:26 -0400
Subject: [nycbug-talk] OT: cheap usenet
In-Reply-To: <20070725215550.GG30757@ayvali.org>
References: <20070725215550.GG30757@ayvali.org>
Message-ID: <8c50a3c30707251508t62f04c71l1fba121ed0cc6133@mail.gmail.com>

On 7/25/07, N.J. Thomas wrote:
> I canceled my old university account some time back and along with that went my last access to a proper Usenet server.
>
> I have a great provider here in NYC providing me with shell access, email, web hosting, etc. for a great price, but they don't provide any newsfeeds.
>
> Can someone recommend a service/site that provides Usenet access?
>
> My requirements:
>
> - cheap: I don't mind paying monthly/yearly charges, but I don't want to pay an arm and a leg for what is more or less non-essential for me
>
> - groups: no alt.binaries.* needed, I only read rec.humor.funny and the comp.* groups.
>
> - access: I must be able to access it via FreeBSD/slrn -- I don't want to jump through any proprietary-OS authentication schemes.
>
> I've heard good things about Giganews, but I think they market themselves towards people who want to download binaries and their pricing plans reflect that. Their cheapest plan (Bronze) is $8 per month. This is what I am thinking of going with.
>
> Usenet.com offers a $4.95/month service, which sounds about right, but I only found them through a web search -- I've not heard anything about them yet.
>
> Any advice appreciated.

I use lonestar.org, http://sdf.lonestar.org/index.cgi can not beat the price.

marc

>
> Thomas

--
Freedom is nothing but a chance to be better.
Albert Camus

From pete at nomadlogic.org Wed Jul 25 18:17:18 2007
From: pete at nomadlogic.org (Peter Wright)
Date: Wed, 25 Jul 2007 15:17:18 -0700 (PDT)
Subject: [nycbug-talk] OT: cheap usenet
In-Reply-To: <8c50a3c30707251508t62f04c71l1fba121ed0cc6133@mail.gmail.com>
References: <20070725215550.GG30757@ayvali.org> <8c50a3c30707251508t62f04c71l1fba121ed0cc6133@mail.gmail.com>
Message-ID: <18212.160.33.20.11.1185401838.squirrel@webmail.nomadlogic.org>

> On 7/25/07, N.J. Thomas wrote:
>> I canceled my old university account some time back and along with that went my last access to a proper Usenet server.
>>
>> I have a great provider here in NYC providing me with shell access, email, web hosting, etc. for a great price, but they don't provide any newsfeeds.
>>
>> Can someone recommend a service/site that provides Usenet access?
>>
>> My requirements:
>>
>> - cheap: I don't mind paying monthly/yearly charges, but I don't want to pay an arm and a leg for what is more or less non-essential for me
>>
>> - groups: no alt.binaries.* needed, I only read rec.humor.funny and the comp.* groups.
>>
>> - access: I must be able to access it via FreeBSD/slrn -- I don't want to jump through any proprietary-OS authentication schemes.
>>
>> I've heard good things about Giganews, but I think they market themselves towards people who want to download binaries and their pricing plans reflect that. Their cheapest plan (Bronze) is $8 per month. This is what I am thinking of going with.
>>
>> Usenet.com offers a $4.95/month service, which sounds about right, but I only found them through a web search -- I've not heard anything about them yet.
>>
>> Any advice appreciated.
>
> I use lonestar.org, http://sdf.lonestar.org/index.cgi can not beat the price.
>

big +1 for SDF. i do not use their nntp services, but for what i do use them for it's been a lifesaver (i.e. a remote shell on a box i don't manage ;).
-p
--
~~oO00Oo~~
Peter Wright
pete at nomadlogic.org
www.nomadlogic.org/~pete
310.869.9459

From njt at ayvali.org Wed Jul 25 18:20:40 2007
From: njt at ayvali.org (N.J. Thomas)
Date: Wed, 25 Jul 2007 18:20:40 -0400
Subject: [nycbug-talk] OT: cheap usenet
In-Reply-To: <8c50a3c30707251508t62f04c71l1fba121ed0cc6133@mail.gmail.com>
References: <20070725215550.GG30757@ayvali.org> <8c50a3c30707251508t62f04c71l1fba121ed0cc6133@mail.gmail.com>
Message-ID: <20070725222040.GH30757@ayvali.org>

* Marc Spitzer [2007-07-25 18:08:26 -0400]:
> > access: I must be able to access it via FreeBSD/slrn -- I don't want to jump through any proprietary-OS authentication schemes.
>
> I use lonestar.org, http://sdf.lonestar.org/index.cgi can not beat the price.

Hi Marc, thanks for the info.

Does SDF allow access to their NNTP server from the outside? Their (possibly dated) online documentation seems to indicate that you can only use tin/trn from within their system or access their server via Pine from a host within SDF. Is this correct?

thanks,
Thomas

From mspitzer at gmail.com Wed Jul 25 21:59:38 2007
From: mspitzer at gmail.com (Marc Spitzer)
Date: Wed, 25 Jul 2007 21:59:38 -0400
Subject: [nycbug-talk] OT: cheap usenet
In-Reply-To: <20070725222040.GH30757@ayvali.org>
References: <20070725215550.GG30757@ayvali.org> <8c50a3c30707251508t62f04c71l1fba121ed0cc6133@mail.gmail.com> <20070725222040.GH30757@ayvali.org>
Message-ID: <8c50a3c30707251859q55d986dh61f197339e718d4e@mail.gmail.com>

On 7/25/07, N.J. Thomas wrote:
> * Marc Spitzer [2007-07-25 18:08:26 -0400]:
> > > access: I must be able to access it via FreeBSD/slrn -- I don't want to jump through any proprietary-OS authentication schemes.
> >
> > I use lonestar.org, http://sdf.lonestar.org/index.cgi can not beat the price.
>
> Hi Marc, thanks for the info.
>
> Does SDF allow access to their NNTP server from the outside?
Their > (possibly dated) online documentation seems to indicate that you can > only use tin/trn from within their system or access their server via Pine > from a host within SDF. Is this correct? > > thanks, > Thomas > I just ssh in and type slrn, so I have no idea. If I was to guess I would say probably not. You could ask them. marc -- Freedom is nothing but a chance to be better. Albert Camus From tillman at seekingfire.com Fri Jul 27 10:58:09 2007 From: tillman at seekingfire.com (Tillman Hodgson) Date: Fri, 27 Jul 2007 08:58:09 -0600 Subject: [nycbug-talk] OT: cheap usenet In-Reply-To: <18212.160.33.20.11.1185401838.squirrel@webmail.nomadlogic.org> References: <20070725215550.GG30757@ayvali.org> <8c50a3c30707251508t62f04c71l1fba121ed0cc6133@mail.gmail.com> <18212.160.33.20.11.1185401838.squirrel@webmail.nomadlogic.org> Message-ID: <20070727145809.GE57739@seekingfire.com> On Wed, Jul 25, 2007 at 03:17:18PM -0700, Peter Wright wrote: > big +1 for SDF. i do not use their nttp services, but for what i do use > them for it's been a lifesaver (i.e. a remote shell on a box i don't > manage ;). SDF++ I'm in the same boat, I love their remote shell but didn't even know they had an nntp service. I'm checking into right now. I run my own leafnode installation (so articles are archived forever! Bwahahaa! Ahem), but my current feed sucks and may go away soon. -T -- "Art is the final cunning of the human soul which would rather do anything than face the gods." -- Iris Murdoch From dlavigne6 at sympatico.ca Mon Jul 30 22:38:12 2007 From: dlavigne6 at sympatico.ca (Dru) Date: Mon, 30 Jul 2007 22:38:12 -0400 (EDT) Subject: [nycbug-talk] bsd beta exam this Sat. in NYC Message-ID: <20070730223417.A634@dru.domain.org> Hi everyone, We've finally sorted the date, time and location for the BSDA beta exam. Details and registration info are here: http://ezine.daemonnews.org/200707/bsdcert_beta_exam.html Ike and I will be proctoring. 
The psychometrician has requested at least 30 more beta testers for her analysis. If you're available Saturday morning and would like to assist the BSD certification effort, consider taking the beta exam. If you're reading this email, you probably are a good beta testing candidate for this exam :-) Cheers, Dru
