30 Jan 2015

feedPlanet Grep

Frank Goossens: Music from Our Tube: Uncle Tupelo – Sandusky

Before Jeff Tweedy went solo he was at Wilco and even before that he was in Uncle Tupelo. This is a nice little gem of an instrumental from back in those days:


30 Jan 2015 5:54am GMT

29 Jan 2015


Mattias Geniar: My Fosdem 2015 Schedule

The post My Fosdem 2015 Schedule appeared first on ma.ttias.be.

Next weekend there's FOSDEM, a huge Open Source conference in Brussels, Belgium. And like every year, the schedule is both insanely large and scary. So this year, I've decided to take my picks beforehand, instead of trying to figure things out when I get there.

The FOSDEM schedule is available online and you can view it in different styles: by room or by track/time. Both views are confusing and hard to work with. I personally prefer the day view of Saturday or the day view of Sunday. It surely shows the scale of FOSDEM!

(screenshot: FOSDEM schedule snippet)

I couldn't do a better job at the layout myself. After all, there are 25 (!!) rooms where tracks are going on. How the heck do you make a clear overview of that? Quite the challenge, indeed.

Saturday, January 31st 2015

Here are my picks for Saturday. Since it's weekend after all, I won't start too early.

10:30h -- 11:30h: How to have a constructive conversation about awful infrastructure code (H.1309 (Van Rijn))

11:30h -- 12:30h: Better Devops through Thievery (H.1309 (Van Rijn))

*food!*

13:00h -- 13:55h: How CoreOS is built, modified, and updated (H.1302 (Depage))

14:00h -- 14:55h: Are distributions really boring and a solved problem? (H.1302 (Depage))

15:20h -- 15:50h: Puppet Plus Parentheses (H.2214)

16:00h -- 17:00h: Orchestration of Services with Juju (H.1309 (Van Rijn))

And then I'll call it a day.

Sunday, February 1st

This'll hurt, as I'm starting the day quite early.

09:00h -- 09:40h: Under the hood of Docker (UD2.120 (Chavanne))

09:40h -- 10:20h: Docker Integration in oVirt and IaaS (UD2.120 (Chavanne))

10:00h -- 10:50h: PHP Package Design (H.1301 (Cornil))

11:00h -- 11:40h: Provision and manage Docker containers with Foreman (UD2.120 (Chavanne))

11:30h -- 12:25h: What's new in systemd, 2015 Edition (H.1302 (Depage))

*food!*

13:00h -- 13:50h: The state of PHPUnit (H.1301 (Cornil))

14:00h -- 14:50h: PHP7 (H.1301 (Cornil))

15:00h -- 15:50h: Ntimed an NTPD replacement (PHK!) (K.1.105 (La Fontaine))

16:00h -- 16:50h: (re)Discovering SPL (H.1301 (Cornil))

*home*

Missed opportunities

I'm sorry to see so few "beginner" talks this year, especially in the devrooms. For instance, with all the languages having their own room (PHP, Ruby, Python, Go, ...) I would have loved a "getting started with X" talk. I could only find a getting started with Ada talk, but I'm not that into embedded systems programming.

More introductory talks would be a great opportunity to get to know a language a little better and have someone guide you through the first steps. Sure, there's the internet, blogs and guides -- but a motivated speaker that can explain things in a clear and focussed manner? That's what can get people excited about a new language.

Maybe next year? I just might submit a beginner talk or two on some subjects as well then.


29 Jan 2015 7:47pm GMT

FOSDEM organizers: BoF rooms and Announcement + Job corner

Just like previous editions, we will have two freely bookable rooms for open source communities to use (BoF rooms), as well as an announcement corner and job corner. See below for the details. Announcement and job corner There will also be an announcement corner and a job corner again in the H building. Any announcement regarding open source software, communities or events around FOSDEM can be put there. At the job corner, you can put job offers assuming they involve open source software (no active flyering/recruiting allowed). BoF rooms The BoF room concept is simple: any project or community...

29 Jan 2015 3:00pm GMT

Dieter Plaetinck: Practical fault detection & alerting. You don't need to be a data scientist


As we try to retain visibility into our increasingly complicated applications and infrastructure, we're building out more advanced monitoring systems. Specifically, a lot of work is being done on alerting via fault and anomaly detection. This post covers some common notions around these new approaches, debunks some of the myths that ask for over-complicated solutions, and provides some practical pointers that any programmer or sysadmin can implement that don't require becoming a data scientist.

29 Jan 2015 2:08pm GMT

Mattias Geniar: Quick tests for GHOST gethostbyname () vulnerability (CVE-2015-0235)

The post Quick tests for GHOST gethostbyname () vulnerability (CVE-2015-0235) appeared first on ma.ttias.be.

If you're looking to test if your system is still vulnerable to GHOST (CVE-2015-0235), here are some simple one-liners. These can quickly be used in scripts to run tests.

One-liners

In python:

$ /usr/sbin/clockdiff `python -c "print '0' * $((0x10000 - 16 * 1 - 2 * 4 - 1 - 4))" `
Segmentation fault

$ echo $?
139

In PHP:

$ php -r '$e = "0";for($i = 0; $i < 2500; $i++){ $e = "0$e"; } gethostbyname($e);'
Segmentation fault 

$ echo $?
139

Both one-liners crash with a segmentation fault if the system is vulnerable. The PHP test can be run as a non-privileged user; for the Python example you'll need root privileges to run the clockdiff tool. You can use the exit code in scripts (139, which is 128 + 11 for SIGSEGV) to test whether your system is still vulnerable.

Red Hat bash script

Red Hat also offers a GHOST shell script you can run. It checks the version of every installed glibc package in the RPM database and, for versions older than the upstream fix, looks for the CVE in the package changelog (RHEL backports the fix to older versions and records it there).

#!/bin/bash
#Version 3

echo "Installed glibc version(s)"

rv=0
for glibc_nvr in $( rpm -q --qf '%{name}-%{version}-%{release}.%{arch}\n' glibc ); do
    glibc_ver=$( echo "$glibc_nvr" | awk -F- '{ print $2 }' )
    glibc_maj=$( echo "$glibc_ver" | awk -F. '{ print $1 }')
    glibc_min=$( echo "$glibc_ver" | awk -F. '{ print $2 }')
    
    echo -n "- $glibc_nvr: "
    if [ "$glibc_maj" -gt 2   -o  \
        \( "$glibc_maj" -eq 2  -a  "$glibc_min" -ge 18 \) ]; then
        # fixed upstream version
        echo 'not vulnerable'
    else
        # all RHEL updates include CVE in rpm %changelog
        if rpm -q --changelog "$glibc_nvr" | grep -q 'CVE-2015-0235'; then
            echo "not vulnerable"
        else
            echo "vulnerable"
            rv=1
        fi
    fi
done

if [ $rv -ne 0 ]; then
    cat <<EOF

This system is vulnerable to CVE-2015-0235. 
Please refer to  for remediation steps
EOF
fi

exit $rv

Save the script somewhere, make it executable and run it.

$ ./ghost.sh
Installed glibc version(s)
- glibc-2.12-1.149.el6_6.4.x86_64: vulnerable

This system is vulnerable to CVE-2015-0235.
Please refer to  for remediation steps
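As an added example (not the author's or Red Hat's code), the same decision in Python: a glibc at or past upstream 2.18 is fixed, an older build counts as fixed only when its RPM changelog names the CVE, and a ctypes call reports which glibc the running process actually uses. The NVR strings and the changelog snippet are constructed.

```python
import re
import subprocess

GHOST_CVE = "CVE-2015-0235"
FIXED_UPSTREAM = (2, 18)   # the gethostbyname fix is in upstream glibc 2.18 and later


def parse_nvr(nvr):
    """Split an 'rpm -q' string such as 'glibc-2.12-1.149.el6_6.4.x86_64' into
    (name, version, release_and_arch). Names may contain hyphens (glibc-common),
    versions and releases may not, which is what the regex relies on."""
    m = re.match(r"^(.+?)-([^-]+)-([^-]+)$", nvr)
    if not m:
        raise ValueError("not a name-version-release string: %r" % (nvr,))
    return m.group(1), m.group(2), m.group(3)


def version_tuple(version):
    """'2.12' -> (2, 12); suffixes such as '2.19.90' or '2.17a' are tolerated
    by taking the leading digits of each component."""
    out = []
    for part in version.split("."):
        digits = re.match(r"\d+", part)
        out.append(int(digits.group(0)) if digits else 0)
    return tuple(out)


def fixed_upstream(version):
    """True when major.minor is at or past the upstream fix (2.18)."""
    return version_tuple(version)[:2] >= FIXED_UPSTREAM


def assess(nvr, changelog_text):
    """Same decision as the Red Hat script: new enough upstream, or an older
    build whose %changelog names the CVE (a distro backport), is not vulnerable."""
    _name, version, _release = parse_nvr(nvr)
    if fixed_upstream(version) or GHOST_CVE in changelog_text:
        return "not vulnerable"
    return "vulnerable"


def runtime_glibc_version():
    """Version of the glibc this process is linked against, via
    gnu_get_libc_version(); None on systems without glibc (musl, macOS).
    A value >= 2.18 is conclusive; a lower one only says 'check the changelog'."""
    try:
        import ctypes
        libc = ctypes.CDLL(None)
        libc.gnu_get_libc_version.restype = ctypes.c_char_p
        return libc.gnu_get_libc_version().decode()
    except (OSError, AttributeError):
        return None


def rpm_changelog(nvr):
    """'rpm -q --changelog' for one package; empty string where rpm is absent."""
    try:
        return subprocess.check_output(["rpm", "-q", "--changelog", nvr]).decode(errors="replace")
    except (OSError, subprocess.CalledProcessError):
        return ""


if __name__ == "__main__":
    # Constructed inputs: the vulnerable RHEL 6 build from the output above and
    # a pretend backported build whose changelog (also constructed) names the CVE.
    samples = {
        "glibc-2.12-1.149.el6_6.4.x86_64": "",
        "glibc-2.12-1.149.el6_6.5.x86_64": "- fix gethostbyname_r buffer overflow (CVE-2015-0235)",
    }
    for nvr, log in samples.items():
        print("- %s: %s" % (nvr, assess(nvr, log)))
    print("this process runs against glibc", runtime_glibc_version())
```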

Happy patching!


29 Jan 2015 11:13am GMT

28 Jan 2015


FOSDEM organizers: BoF rooms and announcement corner

Just like previous editions, we will have two rooms for birds of a feather sessions. We will also provide some space for announcements and job openings. The concept is simple: any project or community can reserve a timeslot (fifteen minutes to an hour), during which they have the room just to themselves. These rooms are intended for ad-hoc discussions, meet-ups or brainstorming sessions. They are not a replacement for a developer room and they are certainly not intended for talks. The rooms are deliberately not equipped with projectors. The rooms are small and cosy. There are seats for approximately...

28 Jan 2015 3:00pm GMT

27 Jan 2015


Mattias Geniar: Modeling Package Manager Dependencies In Config Management

The post Modeling Package Manager Dependencies In Config Management appeared first on ma.ttias.be.

The recent glibc (CVE-2015-0235) and Heartbleed OpenSSL (CVE-2014-0160) patches have given me and other sysadmins quite a bit of work, which makes me wonder: what can we do to ease our pains?

Package Managers Are Smart

I'm an avid Puppet user, as it's my config management tool of choice, so I've been thinking about making these kinds of CVEs and software patches less painful. Here's what I'm currently thinking of, though I don't think it's a viable strategy in the long run.

For starters, it would be too time consuming to manage and keep this in sync with reality. It'll also make Puppet intolerably slow. But it's a thought, and I'll see where it takes me -- perhaps it'll spark a discussion or two and get me on the right track.

So here's the thing: package managers have dependencies built into their package format (in the SPEC files for RPM and the Debian build files). Those package managers know that in order to install, say, httpd, the OS also needs glibc, apr, openssl (if mod_ssl is requested), ...

(example RPM SPEC code)
...
Requires(post): openssl >= 0.9.7f-4, /bin/cat
Requires(post): systemd-units
...

The OS's package manager has all these details. Our config management does not.

It would have been very easy in the case of the Heartbleed bug to simply put this down in our Puppet code.

package { 'openssl':
  ensure => latest,
}

And be done with it.

But that's not how it works. Many services depend on that package and load those library files on start, once. If the library gets updated, the service needs to restart in order to read those new libraries.

Modeling The Package Manager in Config Management

So what if we "rebuilt" the Yum or Apt package managers into our config management? If we could import the entire dependency tree into our configs and have the above actually work?

It can be done.

In a simplistic version, it would look like this.

service { 'httpd':
  ensure    => running,
  subscribe => Package['openssl', 'apr', 'glibc'],
}

service { 'mysqld':
  ensure    => running,
  subscribe => Package['openssl', 'glibc'],
}

...

If we can model the package dependencies this way, fixing the Heartbleed bug would have been as easy as just updating OpenSSL.

# This will trigger a restart of the httpd and mysqld services,
# through the subscribes above.
package { 'openssl':
  ensure => latest,
}

But it just isn't maintainable.

Debian has a tool to help with this, called "checkrestart" in the debian-goodies package. It lists all services that are still using old versions of upgraded files. It's basically a prettier version of the following one-liner.

$ lsof | grep libssl | awk '{print $1}' | sort | uniq

To my knowledge, only Debian has such a tool to help find old usages of libraries. There's no such tool for Red Hat/CentOS or Ubuntu?

Thanks to the comments, I've learned Red Hat / CentOS have a tool in the yum-utils package called needs-restarting that lists all services that need a restart to load the newly installed libraries.

What if ...

I think there are 2 possible solutions to this -- at least, that I can see now.

One, is to actually rebuild the Package Manager dependencies in config management (as in my example above, by actually writing it in config management DSL), but in an automated way. We won't be able to correctly set all dependencies by hand, so it would have to be automated.

But how do you fit it in to your current modules? Do you let a script modify your puppet code? Seems unlikely.
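One way the first option could be automated, as an added example that is not the author's code: parse lsof output, map each library back to the package that ships it, and render the result as Puppet subscribe relationships. The lsof lines, the library-to-package table and the command-to-service mapping are constructed for RHEL/CentOS 6; the DEL rows, which lsof uses for mapped files that were replaced on disk, also give a checkrestart-style answer to which services are stale right now.

```python
import re
from collections import defaultdict

# Constructed lsof output (not captured from a real host). Columns are
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME; lsof uses FD "mem" for a
# mapped file and "DEL" for a mapped file whose path has since been replaced,
# which is what an updated library looks like to a service that never restarted.
LSOF_SAMPLE = """\
COMMAND  PID USER  FD  TYPE DEVICE SIZE/OFF   NODE NAME
httpd   1234 root  mem REG  253,0   1930416 131078 /lib64/libc-2.12.so
httpd   1234 root  mem REG  253,0    444040 131122 /usr/lib64/libssl.so.1.0.1e
httpd   1234 root  mem REG  253,0    181592 131099 /usr/lib64/libapr-1.so.0.3.9
httpd   1234 root  4u  IPv4 12345       0t0    TCP *:http (LISTEN)
mysqld  2345 mysql DEL REG  253,0           131121 /usr/lib64/libssl.so.1.0.1e
mysqld  2345 mysql mem REG  253,0   1930416 131078 /lib64/libc-2.12.so
sshd    3456 root  mem REG  253,0   1930416 131078 /lib64/libc-2.12.so
"""

# Library file name -> package that ships it. Constructed for RHEL/CentOS 6;
# on a real host this would come from 'rpm -qf <path>' or 'dpkg -S <path>'.
LIBRARY_PACKAGES = [
    (re.compile(r"^libc[-.]"), "glibc"),
    (re.compile(r"^lib(ssl|crypto)\."), "openssl"),
    (re.compile(r"^libapr-1\."), "apr"),
]

# Process command -> Puppet service name (constructed; identical on RHEL 6).
SERVICES = {"httpd": "httpd", "mysqld": "mysqld", "sshd": "sshd"}


def library_package(path):
    """Package owning a library path, or None when it is not one we track."""
    name = path.rsplit("/", 1)[-1]
    for pattern, package in LIBRARY_PACKAGES:
        if pattern.search(name):
            return package
    return None


def parse_lsof(text):
    """Yield (command, fd, path) for every lsof line whose NAME is a file path."""
    for line in text.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) < 5 or not fields[-1].startswith("/"):
            continue                            # sockets, pipes, short lines
        yield fields[0], fields[3], fields[-1]


def service_dependencies(text):
    """{service: sorted packages} for each tracked service mapping a tracked library."""
    deps = defaultdict(set)
    for command, _fd, path in parse_lsof(text):
        package = library_package(path)
        if command in SERVICES and package:
            deps[SERVICES[command]].add(package)
    return {svc: sorted(pkgs) for svc, pkgs in deps.items()}


def stale_services(text):
    """Services still mapping a library that was replaced on disk (the
    checkrestart / needs-restarting question): these need a restart now."""
    stale = set()
    for command, fd, path in parse_lsof(text):
        if fd == "DEL" and command in SERVICES and library_package(path):
            stale.add(SERVICES[command])
    return sorted(stale)


def to_puppet(deps):
    """Render the dependency map as service resources with subscribe => Package[...]."""
    chunks = []
    for service in sorted(deps):
        refs = ", ".join("'%s'" % p for p in deps[service])
        chunks.append(
            "service { '%s':\n  ensure    => running,\n  subscribe => Package[%s],\n}\n"
            % (service, refs)
        )
    return "\n".join(chunks)


if __name__ == "__main__":
    print(to_puppet(service_dependencies(LSOF_SAMPLE)))
    print("# needs a restart right now:", ", ".join(stale_services(LSOF_SAMPLE)))
```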

Alternatively, a tool like checkrestart can be ported and built into our config management toolset. Sure, we can build hacky workarounds with tools like mcollective, writing custom agents and having them perform the task for us (before you say "that's probably the best solution": I consider that a hack and a limitation of the CMS).

Wouldn't this be better suited in the config management tools themselves?

Granted, you can't blindly update libraries and have the config management tool restart services whenever it wants to. For some servers, it's just not an option. But the restart of those services had to happen anyway, to resolve the vulnerability -- so why not make it a little easier for us?


27 Jan 2015 7:23pm GMT

Frank Goossens: WP YouTube Lyte and YouTube API v2 end of life

The YouTube API v2 is now officially to be shut down soon after April 20th. That's bad news for WP YouTube Lyte, which uses this version of the API to perform unauthenticated read-only requests to fetch, among other things, video title and thumbnail information (example here). The v3 API is supposed to be simpler yet more powerful and migrating should not be a big problem, except for that little detail that v3 doesn't allow unauthenticated requests at all. So I'll need to add authentication (via an API key) to the mix, leaving me with the dilemma of having to choose between these approaches, none of which I really like:

  1. Tell WP YouTube Lyte users to get their own API key and have them enter it in the plugin's settings-page. Risk: upsetting users who all of a sudden have to get an API key ("huh, what key?")
  2. Get an API key myself and hardcode that in WP YouTube Lyte. Risk: abuse of that key (and neither a server key nor a browser key is applicable really), reaching limits, being denied access.
  3. Create and operate a proxy application that sits between the v3 API and each and every WP YouTube Lyte instance, taking care of authentication with an API key. Risk: having to write & install that proxy application, making sure it is available 24/7 (it's a single point of failure) + obviously the same abuse-risk as in (2).

No, I'm definitively not happy … :-(


27 Jan 2015 5:25pm GMT

Mattias Geniar: GHOST: critical glibc update (CVE-2015-0235) in gethostbyname() calls

The post GHOST: critical glibc update (CVE-2015-0235) in gethostbyname() calls appeared first on ma.ttias.be.

A very serious security issue has been found and patched: CVE-2015-0235 nicknamed "Ghost".

The security bug

A heap-based buffer overflow was found in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application.

This is major. The gethostbyname() calls can often be triggered remotely for applications that do any kind of DNS resolving within the code.

GHOST is a 'buffer overflow' bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker to execute arbitrary code with the permissions of the user running the application.

The gethostbyname() function calls are used for DNS resolving, which is a very common event. To exploit this vulnerability, an attacker must trigger a buffer overflow by supplying an invalid hostname argument to an application that then calls gethostbyname().

Red Hat announcement of Ghost

The patch shows the updated files in the NSS library (Name Service Switch). The bug was first disclosed on a French mailing list, but that may have been an accident --- the bug probably wasn't meant to be disclosed yet, as no distros had updated packages available.

This bug is present in all versions of Red Hat Enterprise Linux and variants (CentOS etc.) as well as Debian systems.

Qualys, who discovered the bug during a code audit, wrote a mailing-list entry with more details, including a more in-depth analysis and exploit vectors.

Fixing CVE-2015-0235

Just like the recent OpenSSL heartbleed bug, this will be an annoying one to fix. The update is in the glibc package, but that's a set of libraries that are being used by a lot of running services. After the update, each of these services needs to be restarted ...

To find all the services that rely on the glibc libraries, run the following command. It lists all open files (lsof) and keeps the entries whose names contain libc. Note that this substring also matches other libraries such as libcrypto or libcap, and since nearly every process maps glibc, the list will be long.

$ lsof | grep libc | awk '{print $1}' | sort | uniq

The updates are now available for RHEL 5, 6 and 7 as well as CentOS 5, 6 and 7 (all architectures).

GLibc update for CentOS-7 http://t.co/jeLhte0Upu ;; CentOS-6 http://t.co/4FRQQP0B7S ;; CentOS-5 http://t.co/Nq5drHAGyz

- Karanbir Singh (@CentOS) January 28, 2015

Debian and Ubuntu have the updated packages available already so you can upgrade those.

Once the packages are updated and available for your distro, update your box.

For CentOS, Red Hat, Fedora, Scientific Linux, ...

$ yum clean all && yum update

For Debian, Ubuntu and derivatives:

$ apt-get clean && apt-get update && apt-get upgrade

Afterwards, restart every service you found with the lsof command above. It's probably easiest to just reboot your entire server, since pretty much everything depends on glibc ... If you can't reboot the entire system, at least restart all public-facing services like webservers, mailservers, etc.

Until the updates are available to all distributions, it's a waiting game. And until that time, every DNS name being resolved is a potential security threat ...

Possible attack vectors

The gethostbyname() call is probably among the most used ones on a server. That means any kind of DNS resolve can be used to trigger the CVE. The only catch is, you need to control whatever DNS is being resolved.

That could mean:

For a more in-depth look, including code examples, have a look at the Qualys mailing list entry which covers the situation more in-depth.

Any kind of DNS lookup can potentially trigger this. The only "positive" thing is that the exploit doesn't immediately escalate privileges, you're still the same user that ran the command. But there are ways of doing privilege escalation of course. And non-privileged users are still valuable assets for DDoS attacks, making server inventories, ...

Update: I've been thinking about ways to automate these patches using config management, and I'd love to hear thoughts!

If you're looking for scripts to test GHOST / CVE-2015-0235 vulnerability, check out this post.


27 Jan 2015 3:32pm GMT

FOSDEM organizers: Call for volunteers

With FOSDEM just around the corner, it is time for us to enlist your help. Every year, an enthusiastic band of volunteers helps us make FOSDEM a fun and safe place for all our attendees. We could not do this without you. This year we again need as many hands as possible, especially during the buildup (starting Friday at noon) and teardown (Sunday evening). No need to worry about missing lunch. Food will be provided. If you have some spare time during the weekend and would like to be a part of the team that makes FOSDEM tick: We need...

27 Jan 2015 3:00pm GMT

Mattias Geniar: Google Directly Embedding Stack Overflow Responses in SERPs

The post Google Directly Embedding Stack Overflow Responses in SERPs appeared first on ma.ttias.be.

I'm not sure how they decide which search queries get a direct response, and which don't, but this was an interesting finding.

If I search for "php how long are sessions kept", I get a Stack Overflow response embedded in my search results.

(screenshot: Google search results with an embedded Stack Overflow answer)

Some observations

This is the first time I've seen this, but if it continues this would surely harm Stack Overflow's pageviews and ad revenue? Are they doing this to other sites as well?

Update 13:00h: this appears to be with "consent" of Stack Overflow

Enter schema.org, structured data

Google offers the "answer box" (the excerpt shown right under the search query) as an optional tool to sites. For instance, that particular post on Stack Overflow has structured data that allows Google to filter the results and embed them.

By embedding schema.org structured data, you basically give Google the freedom to do whatever it wants with your data.

Search engines are using on-page markup in a variety of ways-for example, Google uses it to create rich snippets in search results. Not every type of information in schema.org will be surfaced in search results but over time you can expect that more data will be used in more ways.

In addition, since the markup is publicly accessible from your web pages, other organizations may find interesting new ways to make use of it as well.

schema.org FAQ

So it appears this is happening with Stack Overflow knowing about it and approving it, after all -- they implemented schema.org. But at the cost of pageviews?

Could this eventually lead to schema.org's open format being abandoned? I know it's contradictory to the "open data" movement but ...

<wishful-thinking> Maybe it'll lead to new business models, no longer based on pageviews and ad impressions. </wishful-thinking>


27 Jan 2015 11:13am GMT

26 Jan 2015


Dries Buytaert: On the hard choices we make every day

Every morning when I wake up, I have choices to make. While I want to turn Acquia into a billion dollar company, I also want to grow Drupal to be the leading digital experience platform. Both are connected and some of the work overlaps, but it still requires me to decide how much of my energy to focus on my duties as the CTO of Acquia as well as my duties as the project lead of Drupal.

It has been a few years since I wrote a good amount of code and I miss the thrill of programming -- both roles with Drupal and Acquia have evolved into management positions. Going back to writing software is a choice too, and one that I would undoubtedly enjoy. I think about it almost daily, and every time I decide not to.

At the same time, I also want to say 'yes' to the many invitations to travel the world, to speak at conferences, or to spend time with people I look up to. I also want to reply to all the emails I receive; I don't like it when emails fall through the cracks. I want to use my network and experience to advise other startups and Open Source projects. I'd love to increase my responsibilities as a Young Global Leader at the World Economic Forum (I'm bummed I couldn't attend Davos last week) and contribute to solving some of humanity's biggest problems. Other times I ask myself; why not kick back and have more time with friends and family? That is really important too.

When I push open the drapes in the morning, I have choices to make. The choices looked simpler when I was younger - most days I don't remember having to make choices at all. But as my work has grown in reach and impact, the choices in front of me have expanded as well. Every day, I struggle with these choices and ask myself how to spread my energy. I realize I'm not alone, as I know many others that have tough choices to make.

My guiding principle is to optimize for impact, purpose and passion - it is a delicate and personal balance based on the belief that somehow all the dots will connect.

My deep-wired desire to optimize for impact has not been without challenges. It has been an extremely strong force pulling me away from other relative priorities involving family, friends and personal health. Recently, I've gotten better at making time for family, friends, eating well and exercising. There is no denying that every decision has trade-offs: when I choose to do one thing it means I choose not to do something else. Not doing something means I let people down, and as more and more choices present themselves over time, it means letting down more and more people as well. If I let you down, I hope you understand. And one of the people I let down is myself, as I may never write software myself again -- it may never be the most impactful thing to do.

The best thing a human being can do is to help another human being. The organizations I'm building, the things I'm passionate about, the things I read about and the decisions I make will hopefully all lead to helping many more people. In turn, I hope that some of the people I have coached and worked with will pay it forward. Making choices is difficult but all in all, it's a wonderful feeling to see how many people I've touched by doing what I enjoy and love.

26 Jan 2015 7:41pm GMT

FOSDEM organizers: Last set of FOSDEM 2015 speaker interviews

Our collection of interviews with the FOSDEM 2015 main track speakers is now complete. We proudly present the last set of speaker interviews: David Chisnall: The CHERI CPU. RISC in the age of risk Holger Levsen: Stretching out for trustworthy reproducible builds. The status of reproducing byte-for-byte identical binary packages from a given source Jonathan Woodruff: BERI. An open RISC softcore for research and experimentation Karen Sandler: Identity Crisis: Are we who we say we are? Lukas Berk: Ubiquitous Performance Analysis and System Introspection. An introduction to Performance Co-Pilot and Systemtap Ryan MacDonald: Living on Mars: A Beginner's Guide. Can...

26 Jan 2015 3:00pm GMT

Frederic Descamps: NetworkManager, OpenVPN on Fedora 21

On OpenVPN setups where the SSL certificates are still signed with MD5, it's now impossible to connect from Fedora 21, whose crypto libraries reject MD5 signatures (MD5 is no longer considered collision-resistant).

To allow the OpenVPN client to connect to such a VPN using NetworkManager, you need to modify /usr/lib/systemd/system/NetworkManager.service and add the following two lines in the [Service] section:

Environment="NSS_HASH_ALG_SUPPORT=+MD5"
Environment="OPENSSL_ENABLE_MD5_VERIFY=1"

Restart the service and it will work ;) Keep in mind this re-enables a weak hash for certificate verification, so treat it as a stopgap until the VPN's certificates are re-issued with SHA-256. Also, /usr/lib/systemd/system/NetworkManager.service is overwritten on package updates; a drop-in file under /etc/systemd/system/NetworkManager.service.d/ is a more durable place for the two lines.

26 Jan 2015 12:36pm GMT

25 Jan 2015


LOADays Organizers: Loadays Call for Sponsors

For the upcoming Loadays we are again looking for sponsors to make this event happen. We rely on sponsoring to help cover costs to accommodate speakers, infrastructure, provide food at affordable prices, etc.

This way we can keep the event free.

Levels of sponsorship

In case you are interested in one of the options above, please drop us an email at info@loadays.org.

25 Jan 2015 11:00pm GMT

Mattias Geniar: The PHP Paradox

The post The PHP Paradox appeared first on ma.ttias.be.

I was at PHP Benelux, the annual PHP conference for Belgium, the Netherlands and Luxembourg, and I realized 2 things about PHP that I hadn't really thought of before. I call them the PHParadoxes (or PHP Paradoxes).

The Job Hunt

In most industries, it's the employee that convinces the employer he/she is worthy to work at the company.

In the PHP-world, it's the employer (aka the companies) that needs to convince the employee (aka the developer) that their company is worthy of their time and devotion.

In tech, it's the companies that persuade the developers to work for them. In any other business, it's the other way around.

I didn't actually pay much attention to this thought. But looking back, I spent the entire weekend, with everyone I talked to, mentioning that we are looking for PHP developers. What a cool place it is to work at. How we have remote workers. How we have nerf-gun wars and stress-ball battles. How we use Neo4j as our graph database. How we have really smart developers in our team.

But in many other places, it's vice versa. It's the developer that claims their knowledge of frameworks, design patterns, multiple languages, ...

Not in PHP. In PHP land, the companies put in way more effort than the PHP developers to get them on board.

Why isn't every industry like this? It's not just the shortage on PHP developers. Most of the tech industry works like this.

But the health sector has a shortage of nurses and general staff, do you see them being this actively recruited? I don't. What makes the tech sector so different?

You Know Nothing, John Snow

The closing keynote was brought by @SaraMG, mostly known for her hard work at HHVM and PHP core. She was going over the new tools in the pipeline for PHP and what the PHP7 landscape could, theoretically, be. It mostly covered features of Hack, that could make their way into PHP core.

And then she mentioned static code analysis "on the fly".

(screenshot: Hack static analysis slide)

As soon as the file you're working on is saved, it's analysed and type errors (wrong casts, character conversions, ...) could be shown. I loved this. The room loved this.

I loved it, right up until the point my colleague next to me, with no PHP background, said:

I don't get all this excitement ... this has been in Visual Basic for years, and it wasn't even in PHP yet?

And he was right.

I'm working mostly in PHP and it has blinded me. My small efforts into Ruby and side languages like JavaScript don't really count. PHP has been my dominant language.

But if I look at other languages, mostly languages away from the web, we can see an entire ecosystem of IDEs, debug tools, compilers, standard libraries, ... that help those languages. Think Visual Basic, C#, Java, .NET, ... They all have tools that PHP, even after all these years, doesn't have. And I don't mean just IDEs.

There are no complaints from PHP developers. I don't think anyone feels they're missing something. But maybe that's just because we don't know any better?

Either way, it made me think about other languages. About other development ecosystems that we can learn from, as the PHP community. I'd like to give a few other languages a try this year and see if some of those good bits can be ported back to PHP.

For many, PHP is the entry language into becoming a developer. Don't let it be the exit.


25 Jan 2015 9:24pm GMT