28 Feb 2015


Frank Goossens: More goodness in wordpress.org plugin repo updates

It seems the wordpress.org plugin pages, after the recent improvements to the ratings logic, have now received an even more important update. They now use "active installations" as the most important metric (as drupal.org module pages have done for years), with the total number of downloads relegated to the stats page.

That stats page got a face-lift as well, featuring a graph of the active versions:

[image: autoptimize wp.org plugin page]

In case you're wondering what the source of that "active installations" data is: I was too, and reached out to plugin-master Otto (Samuel Wood), who replied:

[The source data comes from] plugin update checks. Every WP install asks for update checks every 12 hours or so. We store a count of that info.


28 Feb 2015 8:51am GMT

26 Feb 2015


Xavier Mertens: The Evil CVE: CVE-666-666 – “Report Not Read”

I had an interesting discussion with a friend this morning. He explained that, when he is conducting a pentest, he sometimes does not hesitate to add to his report a specific finding about the lack of attention given to the previous reports. Some companies are motivated by good intentions and ask for regular pentests against their infrastructure or a specific application; but what if they don't even seem to read the report and take it into account to improve their security level? What if the same security issues are discovered during the next tests? This does not motivate the pentester and costs a lot of money for nothing.

The idea of the "evil" CVE popped up during our chat. What about a specific CVE number to report the issue of not reading previous reports? As defined by Wikipedia, the "Common Vulnerabilities and Exposures" (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. And a vulnerability can be defined as a weakness in a product or infrastructure that could allow an attacker to compromise the integrity, availability or confidentiality of that product or infrastructure.

Based on this definition, failing to read the previous pentest report and to take the corrective actions listed in it is a new vulnerability! A good pentest report should contain vulnerabilities and mitigations to remove (or reduce) the associated risks. It is stupid not to read the report and apply the mitigations, even more so when some of them are quick (and sometimes cheap) to implement. Think about the evil CVE-666-666 while writing your future reports! Note that the goal is not to blame the customer (who also pays you!) but to educate them.

26 Feb 2015 8:41pm GMT

Wouter Verhelst: Dear non-Belgian web developer,

Localization in the web context is hard, I know. To make things easier, it may seem like a good idea to use GeoIP to detect what country an IP is coming from and default your localization based on that. While I disagree with that premise, this blog post isn't about that.

Instead, it's about the fact that most of you get something wrong about this little country. I know, I know. If you're not from here, it's difficult to understand. But please get this through your head: Belgium is not a French-speaking country.

That is, not entirely. Yes, there is a large group of French-speaking people who live here, mostly in the south. But if you check the numbers, you'll find that there are, in fact, more people in Belgium who speak Dutch than French. Not by a very wide margin, mind you, but still by a wide enough margin to be significant. Wikipedia claims the split is 59%/41% Dutch/French; I don't know how accurate those numbers are, but they don't seem too wrong.

So please, pretty please, with sugar on top: next time you're going to do a localized website, don't assume my French is better than my English. And if you (incorrectly) do, then at the very least make it painfully obvious to me where the "switch the interface to a different language" option in your website is. Because while it's annoying to be greeted in a language that I'm not very good at, it's even more annoying to not be able to find out how to get the correctly-localized version.

Thanks.

26 Feb 2015 9:22am GMT

Frank Goossens: wordpress.org plugin repo: ratings changed

Yesterday the average rating of all plugins on the wordpress.org repository changed: ratings that were not linked to a review were removed. That means that ratings dating from before approximately November 2012, when reviews were introduced, are no longer taken into account.

This had a positive impact on the average rating of my own plugins, but especially so for Autoptimize. That plugin was largely unsupported before I took over in January 2013 and got some low ratings as a consequence (the average was 4.2 at the time, if I'm not mistaken). With those old numbers now out of the way, the average went from 4.6 to 4.8 overnight. Yay!


26 Feb 2015 6:36am GMT

25 Feb 2015


Mattias Geniar: Up And Close With PHP 7’s New RFCs

The post Up And Close With PHP 7's New RFCs appeared first on ma.ttias.be.

If you're following the development of PHP 7, you'll notice a lot of new RFCs (and some old ones that have been revived) are popping up again. How do you keep track of them and test their functionality?

The answer always used to be: compile PHP from the latest sources and test it yourself. But that's not very handy, is it?

RFC Watch

Enter the PHP RFC Watch, a very cool side-project of Benjamin Eberlei.


It keeps track of the different PHP RFCs, who voted and what they voted. You can filter on the open RFCs on the right-hand side.

Testing new RFC functionality

The PHP community has been really fortunate to have a tool like 3v4l.org, which allows you to spin up a PHP/HHVM shell to test some PHP code -- free of charge!

And as of a few days ago, there is also support for RFC branches of PHP that you can test!

For instance, want to try out the new scalar type hints in PHP 7? The branch includes the strict_types option, and you can test it out in an online shell:

<?php
declare(strict_types=1);

function foo(int $n) { return $n; } // definition added so the calls below resolve

foo(1); // strictly type-checked function call

function foobar() {
    foo(1); // strictly type-checked function call
}

class baz {
    function foobar() {
        foo(1); // strictly type-checked function call
    }
}

This is a really cool resource, I hope more RFC branches make their way to it.

Props to @3v4l_org!


25 Feb 2015 9:27pm GMT

Frank Goossens: So the state stands in the way of innovation?

In the hip world of startups and self-declared innovators, the state is all too easily dismissed as the great obstacle to real innovation. And then you read this:

Genuine innovation takes at least ten to fifteen years, writes Mazzucato, but the attention span of private venture capitalists is at most five years or so. They only start to play a role once the biggest risks have already been taken by the state. […] But if you keep dismissing the state as a lumbering fool, you never get anywhere. Initially it is not the invisible hand of the market but the visible hand of the state that shows the way. The government is not there only to prevent market failure. Without the state, in many cases there would not even be a market.

The full article (built around the research of the Italian economist Mariana Mazzucato and applied to Silicon Valley, but also to ASML closer to home) can be read on De Correspondent.


25 Feb 2015 12:00pm GMT

Sébastien Wains: Samba integrated to Active Directory on RHEL7

Tested with Active Directory 2003 and RHEL 7.0

For RHEL 6.0 see here

I assume the server is already set up correctly: its hostname should match the Active Directory domain, and the clock should be synchronised with NTP, since clock drift will cause Kerberos failures.

I assume an AD domain "EXAMPLE" (long name: intranet.example.org)

# host -t srv _kerberos._tcp.intranet.example.org
_kerberos._tcp.intranet.example.org has SRV record 0 100 88 srv00a.intranet.example.org.
_kerberos._tcp.intranet.example.org has SRV record 0 100 88 srv00c.intranet.example.org.
_kerberos._tcp.intranet.example.org has SRV record 0 100 88 srv00b.intranet.example.org.

Install the packages:

# yum -y install authconfig samba samba-winbind samba-winbind-clients pam_krb5 krb5-workstation oddjob-mkhomedir nscd adcli ntp

Start the services and enable them at boot:

# systemctl start smb
# systemctl enable smb
# systemctl start winbind
# systemctl enable winbind
# systemctl start oddjobd 
# systemctl enable oddjobd
# systemctl start dbus

Edit /etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = INTRANET.EXAMPLE.ORG
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
 }

 INTRANET.EXAMPLE.ORG = {
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 intranet.example.org = INTRANET.EXAMPLE.ORG
 .intranet.example.org = INTRANET.EXAMPLE.ORG

Test Kerberos:

# kinit username@INTRANET.EXAMPLE.ORG
# klist

username should be a domain admin in the Active Directory.

klist should give this kind of output:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: username@INTRANET.EXAMPLE.ORG

Valid starting       Expires              Service principal
02/25/2015 15:23:30  02/26/2015 01:23:30  krbtgt/INTRANET.EXAMPLE.ORG@INTRANET.EXAMPLE.ORG
    renew until 03/04/2015 15:23:28

Delete the Kerberos ticket you just initialized:

# kdestroy

Edit /etc/samba/smb.conf:

[global]
    workgroup = EXAMPLE
    realm = INTRANET.EXAMPLE.ORG
    security = ads
    idmap uid = 10000-19999
    idmap gid = 10000-19999
    idmap config EXAMPLE:backend = rid
    idmap config EXAMPLE:range = 10000000-19999999
    ;winbind enum users = no
    ;winbind enum groups = no
    ;winbind separator = +
    winbind use default domain = yes
    winbind offline logon = false
    template homedir = /home/EXAMPLE/%U
    template shell = /bin/bash

    server string = Samba Server Version %v

    log file = /var/log/samba/log.%m
    log level = 10
    max log size = 50
    passdb backend = tdbsam

[share]
    path = /home/share
    comment = Some cool directory
    writable = yes
    browseable = yes
    # there's a trust between EXAMPLE and EXAMPLE2
    valid users = username EXAMPLE2\username
    directory mask = 0777
    create mask = 0777

Restart Samba:

# systemctl restart smb

Join the domain:

# net join -S EXAMPLE -U username

It should work and you can then get information regarding the join:

# net ads info
LDAP server: 192.168.0.1
LDAP server name: SRV00C.intranet.example.org
Realm: INTRANET.EXAMPLE.ORG
Bind Path: dc=INTRANET,dc=EXAMPLE,dc=ORG
LDAP port: 389
Server time: Wed, 25 Feb 2015 15:27:05 CET
KDC server: 192.168.0.1
Server time offset: 0

Create the directory for AD users:

# mkdir /home/EXAMPLE/
# chmod 0777 /home/EXAMPLE/

Restart Winbind:

# systemctl restart winbind
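Added here as an example (not the author's tooling, nor anything shipped with Samba): a small Python checker that parses an smb.conf in the format used above and flags the settings a defender would want to revisit before this member server goes into production. It checks that security is ads, that the realm matches the krb5.conf default_realm, that log level is not a developer debugging level (the smb.conf manual reserves levels above 3 for developers, and they generate very large logs), and that create mask / directory mask do not make new files and directories world-writable. The two configurations embedded in it are constructed, modelled on the post's file and on a tightened variant; the function names are mine.

```python
# Constructed sample modelled on the smb.conf shown in the post (not the author's file verbatim).
WEAK_SMB_CONF = """
[global]
workgroup = EXAMPLE
realm = INTRANET.EXAMPLE.ORG
security = ads
idmap config EXAMPLE:backend = rid
idmap config EXAMPLE:range = 10000000-19999999
;winbind enum users = no
winbind use default domain = yes
template homedir = /home/EXAMPLE/%U
template shell = /bin/bash
log file = /var/log/samba/log.%m
log level = 10
max log size = 50

[share]
    path = /home/share
    writable = yes
    # there's a trust between EXAMPLE and EXAMPLE2
    valid users = username EXAMPLE2\\username
    directory mask = 0777
    create mask = 0777
"""

# Same configuration with the weak settings tightened (also constructed).
HARDENED_SMB_CONF = (WEAK_SMB_CONF
                     .replace("log level = 10", "log level = 1")
                     .replace("directory mask = 0777", "directory mask = 0770")
                     .replace("create mask = 0777", "create mask = 0660"))

# Taken from the krb5.conf shown earlier in the post.
KRB5_DEFAULT_REALM = "INTRANET.EXAMPLE.ORG"


def parse_smb_conf(text: str) -> dict:
    """Minimal smb.conf parser: {section: {key: value}}.

    Lines starting with ';' or '#' are comments; keys are lower-cased and may
    contain spaces and colons ('idmap config EXAMPLE:backend'), so the line is
    split on the first '=' only.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def world_writable(mask: str) -> bool:
    """True if an octal Samba mask keeps the 'other write' bit set."""
    try:
        return int(mask, 8) & 0o002 != 0
    except ValueError:
        return False


def audit_smb_conf(text: str, krb5_default_realm: str) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    if g.get("security", "").lower() != "ads":
        findings.append("global: 'security' must be 'ads' for an Active Directory member")
    if g.get("realm", "").upper() != krb5_default_realm.upper():
        findings.append("global: 'realm' differs from the krb5.conf default_realm")
    # 'log level' may read '10' or '3 auth:5'; the first token is the global level.
    level = (g.get("log level", "0").split() or ["0"])[0]
    if level.isdigit() and int(level) > 3:
        findings.append(f"global: log level {level} is a developer debugging level; "
                        "logs will be huge and noisy")
    for name, section in conf.items():
        if name == "global":
            continue
        for opt in ("create mask", "directory mask"):
            if opt in section and world_writable(section[opt]):
                findings.append(f"{name}: {opt} = {section[opt]} lets new entries be world-writable")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit_smb_conf(conf, KRB5_DEFAULT_REALM) or "no findings")
```

Run on the post's settings it reports the debug-level logging and the two 0777 masks; on the tightened variant it reports nothing. The share's own directory on disk gets the same treatment as the masks: the chmod 0777 on /home/EXAMPLE above makes every AD user's home directory parent world-writable, which the template homedir setting does not require.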

Sources:

redhat.com

25 Feb 2015 5:00am GMT

24 Feb 2015


Xavier Mertens: OWASP Belgium Chapter Meeting February 2015 Wrap-Up

Tonight the first Belgian OWASP chapter meeting of 2015 was organised in Leuven. With the SecAppDev event also organised in Belgium last week, many good speakers were in the country, which was a good opportunity to ask them to present a talk at a chapter meeting. As usual, Seba opened the event and reviewed the latest OWASP Belgium news before giving the floor to the speakers.

The first speaker was Jim DelGrosso from Cigital. Jim talked about "Why code review and pentests are not enough?". His key message was the following: penetration tests are useful, but they can't find all types of vulnerabilities. That's why other checks are required. So how do we improve our security tests? Before conducting a penetration test, a good idea is simply to check the design of the target application: some flaws can already be found there! At this point, it is very important to distinguish between a "bug" and a "flaw". Bugs are related to implementation; flaws are "by design". The ratio between bugs and flaws is almost 50/50. Jim reviewed some examples of bugs: XSS or buffer overflows are good ones. In short, a bug is a "coding problem". And the flaws? Examples are weak, missing or wrong security controls (e.g. a security feature that can be bypassed by the user). But practically, how do you find them? Are there tools available? To find bugs, the classic code review process is used (we look for patterns). Pentests can also find bugs, with some overlap into finding flaws. Finally, a good analysis of the architecture will focus on flaws. Jim reviewed more examples just to be sure that the audience grasped the difference between the two problems:

Then Jim asked the question "How are we doing?" regarding software security. The OWASP Top 10 has been a good reference for almost ten years now for most of us. Jim compared the different versions across the years and showed that the same attacks remain, but their severity level changes regularly. Also, seven of them have been the same for ten years! Does that mean they are very hard to solve? Do we need new tools? Some vulnerabilities dropped or disappeared because developers use today's frameworks, which are better protected. Others are properly detected and blocked; a good example is XSS attacks blocked by modern browsers. Something new appeared in 2013: the use of components with known vulnerabilities (dependencies in apps).
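To make the bug/flaw distinction from Jim's talk concrete, here is an added illustration in Python (my example, not material from the talk or from Cigital). The first pair is a bug: the design (greet the user by name) is sound, and the implementation merely forgot output encoding, so the fix is local. The second pair is a flaw: the authorisation control exists, but by design it trusts a role claim the client supplies, so no amount of careful coding inside that function helps; the fix is a redesign that reads roles from server-side state. The request dictionaries, role table and helper names are hypothetical.

```python
import html

# --- A bug: an implementation error inside a sound design --------------------
def render_greeting_buggy(name: str) -> str:
    """Design: show the user's name. Implementation: forgot to encode it."""
    return f"<p>Hello {name}</p>"

def render_greeting_fixed(name: str) -> str:
    """Same function, same design; the missing encoding step is added in place."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


# --- A flaw: a security control that exists but is bypassable by design ------
def export_report_flawed(request: dict) -> str:
    """Hypothetical design: the client tells the server whether it is an admin.
    The check is correctly coded, yet it rests on a value the server cannot trust."""
    if not request.get("is_admin", False):
        raise PermissionError("admin role required")
    return "report-data"

def export_report_redesigned(request: dict, roles: dict) -> str:
    """Redesign: the role comes from server-side state keyed by the authenticated
    user; nothing in the request body can influence the decision."""
    user = request["user"]
    if "admin" not in roles.get(user, set()):
        raise PermissionError("admin role required")
    return "report-data"


def has_control_bypass(request: dict, roles: dict) -> bool:
    """Review helper (hypothetical): does the flawed design grant access that the
    redesign denies for the same request? True means the control is bypassable."""
    try:
        export_report_redesigned(request, roles)
        return False                 # the redesign also grants; nothing bypassed
    except PermissionError:
        try:
            export_report_flawed(request)
            return True              # granted only because of the client's claim
        except PermissionError:
            return False


# Constructed sample data: the server's role table and two requests.
SERVER_ROLES = {"alice": {"admin"}, "bob": set()}
REQUEST_BOB = {"user": "bob", "is_admin": True}      # claim the server never verified
REQUEST_ALICE = {"user": "alice", "is_admin": False}

if __name__ == "__main__":
    print(render_greeting_buggy("<b>x</b>"), "|", render_greeting_fixed("<b>x</b>"))
    print("bypass for bob:", has_control_bypass(REQUEST_BOB, SERVER_ROLES))
    print("bypass for alice:", has_control_bypass(REQUEST_ALICE, SERVER_ROLES))
```

A code reviewer scanning for patterns finds the first problem (unescaped output); only an architecture review that asks "where does is_admin come from?" finds the second, which is exactly why the talk argues that pentests and code review alone are not enough.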

So practically, how do you find flaws? Jim recommends performing code review. Penetration tests will find fewer flaws and will require more time. But we need something else: a new type of analysis focusing on how we design a system, and a different set of checklists. That's why the IEEE Computer Society started a project to expand its presence in security. They started with an initial group of contributors and built a list of points to avoid the classic top 10 security flaws:

Heartbleed is a nice example of how integrating external components may increase your attack surface. In this case, the OpenSSL library was used to implement new features (cryptography) but also introduced a bug. To conclude his presentation, Jim explained three ways to find flaws:

A very interesting approach to a new way of testing your applications! After a short break, the second speaker, Aurélien Francillon from EURECOM, presented "An analysis of exploitation behaviours on the web and the role of web hosting providers in detecting them". To be more precise, the talk was about "web honeypots". Today, most companies have a corporate website or web applications. Often they are hosted on a shared platform maintained by a hosting provider. How do those providers handle the huge amount of malicious traffic sent to and from their servers? The first part was dedicated to the description of the web honeypot built by EURECOM. The goal was to understand the motivations of web attackers, what they do while and after exploiting a vulnerability on a website, and why attacks are carried out (for fun, profit, damage, etc.). There were previous studies, but they lacked such details.

How was the honeypot deployed? Aurélien explained that 500 vulnerable websites were deployed on the Internet using 100 domains registered with five subdomains each. They were hosted on nine of the biggest hosting providers. Each website ran five common CMSs with classic vulnerabilities. Once deployed, data collection ran for 100 days. Each website acted as a proxy, and its traffic was redirected to the real web apps running on virtual machines. Why? They are easy to reinstall, they allow full logging, and it's easy to tailor and limit the attackers' privileges. The amount of data collected was impressive:

Aurélien gave some facts about the different phases of an attack:

Based on the statistics, some trends were confirmed:

The second part of the presentation focused on hosting providers. Do they complain? How do they detect malicious activity (if they detect it at all)? Do they care about security? Today hosting solutions are cheap, and there are millions of websites maintained by inexperienced owners. This makes the attack surface very large. Hosting providers should play a key role in helping users. Is that the case? Alas, according to Aurélien, no! To perform the tests, EURECOM registered multiple shared hosting accounts at multiple providers, deployed web apps and simulated attacks:

In the first phase, they just observed the provider's reaction. In the second, they contacted the provider to report an abuse (one real and one illegitimate). Twelve providers were tested from the top US-based ones and ten from other regions (Europe, Asia, …). What were the results?
  • At registration time, some did some screening (like phone calls), some verified the provided data and only three performed a 1-click registration (no check at all).
  • Some have URL blacklisting in place.
  • Filtering occurs at OS level (ex: to prevent callbacks on suspicious ports) but the detection rate is low in general.
  • About the abuse reports: 50% never replied, amongst the others, 64% replied in one day. Wide variety of reactions
  • Some providers offer (read: sell) security add-ons. Five out of six did not detect anything. One detected but never notified the customer.
To conclude the research: most providers fail to provide correct security services, services are cheap so do not expect good services. Note that the providers names were not disclosed by Aurélien!
It was a very nice event to start the year 2015! Good topics and good speakers!

24 Feb 2015 10:28pm GMT

Mattias Geniar: Firefox 36 Fully Supports HTTP/2 Standard

The post Firefox 36 Fully Supports HTTP/2 Standard appeared first on ma.ttias.be.

Now that's fast.

Support for the full HTTP/2 protocol. HTTP/2 enables a faster, more scalable, and more responsive web.

Just 2 weeks after the HTTP/2 spec was declared final, Firefox 36 ships with the updated HTTP/2 protocol. Well played, Mozilla.


24 Feb 2015 9:28pm GMT

Wim Coekaerts: Oracle Linux and Database Smart Flash Cache

One, sometimes overlooked, cool feature of the Oracle Database running on Oracle Linux is called Database Smart Flash Cache.

You can find an overview of the feature in the Oracle Database Administrator's Guide. Basically, if you have flash devices attached to your server, you can use this flash memory to increase the size of the buffer cache. So instead of aging blocks out of the buffer cache and having to go back to reading them from disk, they move to the much, much faster flash storage as a secondary fast buffer cache (for reads, not writes).

Some scenarios where this is very useful: you have huge tables and huge amounts of data, a very, very large database with tons of query activity (let's say many TB), and your server is limited to a relatively small amount of main RAM (let's say 128 or 256G). In this case, if you were to purchase and add a flash storage device of, for example, 256G or 512G, you can attach this device to the database with the Database Smart Flash Cache feature and increase the buffer cache of your database from, say, 100G or 200G to 300-700G on that same server. In a good number of cases this will give you a significant performance improvement without having to purchase a new server that handles more memory, or flash storage large enough for your many TB of data to live in flash instead of rotational storage.

It is also incredibly easy to configure.

  1. Install Oracle Linux (I installed Oracle Linux 6 with UEK3).
  2. Install Oracle Database 12c (this would also work with 11g; I installed 12.1.0.2.0 EE).
  3. Add a flash device to your system (for the example I just added a 1GB device showing up as /dev/sdb).
  4. Attach the storage to the database in sqlplus.

Done.

$ ls /dev/sdb
/dev/sdb

$ sqlplus '/ as sysdba'

SQL*Plus: Release 12.1.0.2.0 Production on Tue Feb 24 05:46:08 2015

Copyright (c) 1982, 2014, Oracle.  All rights reserved.


Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

SQL>  alter system set db_flash_cache_file='/dev/sdb' scope=spfile;

System altered.

SQL> alter system set db_flash_cache_size=1G scope=spfile;

System altered.

SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.

SQL> startup
ORACLE instance started.

Total System Global Area 4932501504 bytes
Fixed Size                  2934456 bytes
Variable Size            1023412552 bytes
Database Buffers         3892314112 bytes
Redo Buffers               13840384 bytes
Database mounted.
Database opened.

SQL> show parameters flash

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
db_flash_cache_file                  string      /dev/sdb
db_flash_cache_size                  big integer 1G
db_flashback_retention_target        integer     1440

SQL> select * from v$flashfilestat;

FLASHFILE# NAME          BYTES ENABLED SINGLEBLKRDS SINGLEBLKRDTIM_MICRO CON_ID
---------- -------- ---------- ------- ------------ -------------------- ------
         1 /dev/sdb 1073741824       1            0                    0      0

You can get more information on configuration and guidelines/tuning here. If you want selective control of which tables can use or will use the Database Smart Flash Cache, you can use the ALTER TABLE command. See here. Specifically the STORAGE clause. By default, the tables are aged out into the flash cache but if you don't want certain tables to be cached you can use the NONE option.

alter table foo storage (flash_cache none);

This feature can really make a big difference in a number of database environments and I highly recommend taking a look at how Oracle Linux and Oracle Database 12c can help you enhance your setup. It's included with the database running on Oracle Linux.

Here is a link to a white paper that gives a bit of a performance overview.

24 Feb 2015 8:07pm GMT

Dries Buytaert: 5 things a government can do to grow its startup ecosystem

Building a successful company is really hard. It is hard no matter where you are in the world, but the difficulty is magnified in Europe, where people are divided by geography, regulation, language and cultural prejudice. If governments can give European startups a competitive advantage, that could go a long way towards offsetting some of the disadvantages. In this post, I'm sharing some rough ideas for what governments could do to encourage a thriving startup ecosystem. It's my contribution to the Belgian startup manifesto (#bestartupmanifesto).

  1. Governments shouldn't obsess too much about making it easier to incorporate a company; while it is certainly nice when governments cut red tape, great entrepreneurs aren't going to be held back by some extra paperwork. Getting a company off the ground is by no means the most difficult part of the journey.
  2. Governments shouldn't decide which companies deserve funding and which don't. They will never be the best investors. Governments should play to their strength, which is creating leverage for all instead of just a few.
  3. Governments can do quite a bit to extend a startup's runway (to compensate for the lack of funding available in Belgium). Relatively simple tax benefits result in less need for venture capital:
    • No corporate income taxes on your company for the first 3 years or until 1 million EUR in annual revenue.
    • No employee income tax or social security contributions for the first 3 years or until you hit 10 employees. Make hiring talent as cheap as possible; two employees for the price of one. (The cost of hiring an employee would effectively be the net income for the employee. The employee would still get a regular salary and social benefits.)
    • Loosen regulations on hiring and firing employees. Three months notice periods shackle the growth of startups. Governments can provide more flexibility for startups to hire and fire fast; two week notice periods for both incoming and outgoing employees. Employees who join a startup are comfortable with this level of job insecurity.
  4. Create "innovation hubs" that make neighborhoods more attractive to early-stage technology companies. Concentrate as many technology startups as possible in fun neighborhoods. Provide rent subsidies, free wifi and make sure there are great coffee shops.
  5. Build a culture of entrepreneurship. The biggest thing holding back a thriving startup community is not regulation, language, or geography, but a cultural prejudice against both failure and success. Governments can play a critical role in shaping the country's culture and creating an entrepreneurial environment where both failures and successes are celebrated, and where people are encouraged to better themselves economically through hard work and risk taking. In the end, entrepreneurship is a state of mind.

24 Feb 2015 7:15pm GMT

Les Jeudis du Libre: Mons, 19 March – SonarQube: another view of your software

This Thursday, 19 March 2015 at 19:00, the 37th Mons session of the Jeudis du Libre de Belgique will take place.

Topic of this session: SonarQube: another view of your software

Theme: Quality|Development|Tools|Visualisation

Audience: general public

Speaker: Dimitri Durieux (CETIC)

Venue: Campus technique (ISIMs) of the Haute Ecole en Hainaut, Avenue V. Maistriau, 8a, Salle Académique, 2nd building (see this map on the ISIMs website, and here on the OpenStreetMap map).

Attendance is free and only requires registering by name, preferably in advance or otherwise at the door. Please indicate your intention by registering via http://jeudisdulibre.fikket.com/. The session will be followed by a friendly drink.

The Jeudis du Libre in Mons are also supported by our partners: CETIC, Normation, OpenSides, MeaWeb, NextLab, Phonoid and Creative Monkeys.

If you are interested in this monthly series, feel free to consult the agenda and subscribe to the mailing list so that you always receive the announcements.

As a reminder, the Jeudis du Libre are meant to be spaces for exchange around Free Software topics. The Mons meetings take place every third Thursday of the month and are organised on the premises of, and in collaboration with, the Mons Hautes Écoles and university faculties involved in training computer scientists (UMONS, HEH and Condorcet), with the support of the non-profit LoLiGrUB, which promotes free software.

Description: Software quality is a divisive subject: some see it as an extra cost and a constraint, others see it as an opportunity and as a guide for their work. Quality in general means putting in place the conditions (organisation, tools, rules, team) that make it possible to meet the stated needs. In software development, this means implementing the customer's functional and non-functional requirements. We therefore distinguish functional quality (meeting functional requirements) from non-functional quality (meeting non-functional requirements). Against the cost of quality, one should therefore set the cost caused by a lack of quality in a piece of software. This lack of software quality is called technical debt.

SonarQube (formerly Sonar) is an open-source project for tracking the quality of software development. SonarQube is thus an open-source project for open source: ecosystems such as OW2 and Polarsys (Eclipse) use it to assess the maturity of their projects. Unlike classic analysers (for example PMD or Checkstyle), SonarQube positions itself as a dashboard that integrates other analysers and helps interpret their results.

SonarQube offers a set of views over a portfolio of applications in order to manage the evolution of their technical debt. To feed these views, it relies on a plugin-oriented architecture that lets it support more than twenty languages, from COBOL to Java by way of C# or PHP. The plugin development API is open source, so it is possible to add specific plugins to support new languages, provide new views, or interface with existing tools.

24 Feb 2015 8:16am GMT

23 Feb 2015


Frank Goossens: User Agent Madness

Just found this one in my http logfile:

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36 OPR/27.0.1689.69

So one User Agent string mentioning 4 browsers (Mozilla, Safari, Chrome and finally Opera 27, which is the actual browser) and 3 rendering engines (AppleWebKit, KHTML and Gecko)? There is a lot of web history in those 127 characters.
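That string is a good reminder of why a log rule or a detection that matches "Chrome" or "Safari" as a substring misattributes requests. Added here as an example (my code, not something from the post): a tokenizer that splits a User-Agent header into its product tokens and parenthesised comments, and a lookup that picks the most specific product token as the real browser. The sample string is the one quoted above; the precedence list covers only the tokens present in it, and its order is an assumption for this example.

```python
import re

# Constructed sample: the User-Agent string quoted in the post above.
SAMPLE_UA = ("Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36 OPR/27.0.1689.69")

# A User-Agent value is a sequence of product tokens ("name/version") and
# parenthesised comments; each match of this regex is one or the other.
TOKEN_RE = re.compile(r"\(([^)]*)\)|(\S+)")


def tokenize_user_agent(ua: str):
    """Return ([(product, version), ...], [comment, ...]) in document order."""
    products, comments = [], []
    for comment, product in TOKEN_RE.findall(ua):
        if product:
            name, _, version = product.partition("/")
            products.append((name, version))
        else:
            comments.append(comment.strip())
    return products, comments


# Browsers built on another browser's engine keep the ancestors' tokens for
# compatibility, so the most specific token must win. Assumed order for this
# example, limited to the tokens that appear in the sample.
BROWSER_PRECEDENCE = (("OPR", "Opera"), ("Chrome", "Chrome"), ("Safari", "Safari"))


def identify_browser(ua: str):
    """Return (browser name, version) using the precedence table above."""
    products, _ = tokenize_user_agent(ua)
    versions = dict(products)
    for token, name in BROWSER_PRECEDENCE:
        if token in versions:
            return name, versions[token]
    return products[-1] if products else ("unknown", "")


def major_version(version: str) -> str:
    """'27.0.1689.69' -> '27'; useful for coarse allow/deny rules on outdated browsers."""
    return version.split(".")[0]


if __name__ == "__main__":
    products, comments = tokenize_user_agent(SAMPLE_UA)
    print("products:", products)
    print("comments:", comments)
    print("browser:", identify_browser(SAMPLE_UA))
```

Note that the tokenizer counts five product tokens (Mozilla, AppleWebKit, Chrome, Safari, OPR) and two comments; KHTML and Gecko only ever appear inside a comment, which is why a naive split on "/" over-counts engines.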


23 Feb 2015 6:27am GMT

22 Feb 2015


Dieter Adriaenssens: Buildtime Trend v0.2 released!

Visualise what's trending in your build process


What started as a few scripts to gain some insight into the duration of the stages in a build process has evolved into the Buildtime Trend project, which generates and gathers timing data of build processes. The aggregated data is used to create charts that visualise trends in a build process.

The major new features are support for parsing Travis CI build log files to retrieve timing data, and the introduction of the project as a service that gathers Travis CI generated timing data, hosts a dashboard with different charts and offers shield badges with different metrics.

Try it out!

The hosted service supports Open Source projects (public on GitHub) running their builds on Travis CI. Thanks to the kind people of Keen.io hosting the aggregated data, the hosted service is currently available for free for Open Source projects.
Get started! It's easy to set up in a few steps.

A bit more about Buildtime Trend

[image: dashboard example]

Buildtime Trend is an Open Source project that generates and gathers timing data of build processes. The aggregated data is used to create charts to visualise trends of the build process.
These trends can help you gain insight into your build process: which stages take the most time? Which stages are stable, and which have a fluctuating duration? Is there a decrease or increase in average build duration over time?
With these insights you can improve the stability of your build process and make it more efficient.

The timing data is generated either with a client or by using Buildtime Trend as a Service.
The Python-based client generates custom timing tags for any shell-based build process and can easily be integrated. A script processes the generated timing tags when the build is finished and stores the results.
Buildtime Trend as a Service gets timing and build-related data by parsing the log files of a build process. Currently, Travis CI is supported. Simply trigger the service at the end of a Travis CI build, and the parsing, aggregating and storing of the data is done automatically.

The aggregated build data is used to generate a dashboard with charts powered by the Keen.io API and data store.

Check out the website for more information about the project, follow us on Twitter, or subscribe to the community mailing list.

22 Feb 2015 8:35pm GMT

20 Feb 2015


Frank Goossens: Music from Our Tube; Ala.ni

Ala.ni appears to be

a London-based singer/songwriter, producer & video director who already worked with such artists as Mary J Blige, Damon Albarn and Andrea Bocelli

While that may sound a lot like the typical name-dropping in a press release for the next would-be star, her music has a distinct jazzy forties-yet-modern feel to it and, above all, it's really beautiful:

[YouTube video]

Ala.ni will issue an EP in March and the first song from that, Cherry Blossom, is well worth a listen too!


20 Feb 2015 4:03pm GMT

Wouter Verhelst: LOADays 2015

Looks like I'll be speaking at LOADays again. This time around, at the suggestion of one of the organisers, I'll be speaking about the Belgian electronic ID card, for which I'm currently employed as a contractor to help maintain the end-user software. While this hasn't been officially confirmed yet, I've been hearing some positive signals from some of the organisers.

So, under the assumption that my talk will be accepted, I've started working on my slides. The intent is to explain how the eID middleware works (in general terms), how the Linux support is supposed to work, and what to do when things fail.

If my talk doesn't get rejected at the final hour, I will continue my uninterrupted "speaker at loadays" streak, which has started since loadays' first edition...

20 Feb 2015 10:47am GMT