Codescaling catchup: Android L, MapReduce, Paho, Eclipse IDE, Bootstrap, MacDown, Moment.js, Runtime.js, Dart, Security Notes

And catching up with the week just past at Codescaling…

Android L, MapReduce

Google I/O brought us a beta version of Android Studio and a developer preview of Android L with images for emulators and the Nexus 5 and Nexus 7 (Wifi only). A new look and feel, lots more APIs and a general feeling that Google’s pulling their various efforts back into one cohesive whole (for good or bad, and for whom, is another discussion). At the other end of the scale though, a more interesting, if obvious, reveal came from Urs Hölzle, SVP at Google, who during the Google I/O keynote pointed out the company has stopped using Map-Reduce based systems for analytics – “It’s great for simple jobs but it gets too cumbersome”. This of course was on the back of announcing Cloud Dataflow, a new pipelined analytics service, but it seems Google are drawing a line where Map-Reduce ends and a self-scheduling and organising analytics system is the future. We shall see if that line holds… Hadoop isn’t endangered despite what some may say, mainly because it’s grown into its own ecosystem and platform for more than Map-Reduce work… but the entire analytics world is ripe for disruption, especially on its hardest problem – analysis discovery.

Paho 1.0 for MQTT

Over at Eclipse there have been a few announcements, like the Paho MQTT project reaching version 1.0. That includes C, Python, JavaScript (in the browser) and Java implementations of an MQTT client. MQTT is one of the protocols in the running to fill the numerous niches in the internet of things and Paho is Eclipse’s umbrella project to make sure it has an open source implementation for all.

Moonrise for Eclipse Luna

The Eclipse release train also turned up for the eponymous IDE with the release of Eclipse Luna – Paho was on the release train as well – which also brought us full Eclipse support for Java 8, a workspace with dark themes, split editors and default line numbering (to keep up with the hip editors), updated Equinox, a Java 8 capable memory analyser and a standalone C/C++ debugger. If you like Eclipse, you’ll love the improvements. A couple of bits have been dropped (Agent Modelling, EclipseLink persistence and SCA Tools) but lots more has been added including XWT (a declarative UI project), Eclipse Sirius for modelling, Business Process Model and Notation (BPMN2) modelling and EMF clients and repositories for modelling.

Bootstrap restrapped

Bootstrap keeps evolving – the latest version of the HTML/CSS framework, Bootstrap 3.2.- has scaling embeds, responsive utility classes, more tools and more bots. You can download it or pull it with npm. It does make for a quick way to get a clean, modern-looking site or app together.

Markdown on Mac

Love Markdown? You might well have liked Mou, a Markdown editor on the Mac. But development on that has stalled. Now in its place comes the open source MacDown which is already in heavy development and already looking quite feature rich. So, check it out. Of course, everyone does Markdown these days; I’m using various editors including WriteDown (very simple with a nice preview toggle) and Atom (good Markdown preview plugin).

Time for a Moment.js

Moment.js was recently updated to version 2.7.0. The very useful date and time manipulation library for JavaScript has got itself four new languages, configurable relative times and various bug fixes both in general and for specific languages.

Time for a Run…time.js

Maybe you will run it on Runtime.js, an OS kernel that’s being built in JavaScript only running on a V8 engine. A curious little bit of research – everything runs in ring 0 and relies on software for isolation, has sandboxed and limited resources for apps and uses V8 to build trusted native code – it also runs one V8 instance per core. You won’t be running it tomorrow, but it does feel like it’s an idea worth pursuing.

Darting to Mobile

You’re probably more likely to be running Google’s JavaScript alternative Dart. That got an update too with Dart 1.5 which is focussed on mobile devices, bringing better debugging, and an update to the Polymer web components package. Full details in the release notes.

Security Notes

Of course the broken world of security rolls on. An IBM team found a stack buffer overflow in Android’s KeyStore. That’s probably the worst place to find a hole – a bit like finding the clasp on your keyring is faulty. A more controversial bug is the LZO/LZ4 hole. It’s an integer overflow in compression code and yes it could lead to code execution… if you are on a 32-bit system… and you are processing 16MB or greater blocks… and you’ve crafted the exploit to the particular implementation of LZO/LZ4 on the system. It’s a high barrier to jump but there’ll still be plenty of updates to numerous packages to close the door before there’s an exploit crafted to jump the high bar.

And that’s it for this week… that’s quite a bit. Do let us know how you are finding the catchups in the comments.

XBMC 13, OpenElec 4.0, JavaScriptCore and Android stats

XBMC and OpenElec updated: The XBMC Media Centre app has been updated to version 13.0 with hardware decoding support for Android, performance improvements on Raspberry Pi and Android, support for stereoscopic 3D rendering and better touchscreen, UPnP and Audio Engine handling including “real pulseaudio support”. And with the release of a new XBMC comes an update to OpenElec, the small Linux distro built to turn machines into XBMC boxes. With OpenElec 4.0 there’s an updated kernel and refreshed toolchain, UEFI boot support, general package updates and first support for TTS (text-to-speech).

JavaScriptCore heats up: The JavaScriptCore project takes care of building Safari and WebKit’s JavaScript component. Currently they are working on FTL, a JIT engine which plugs existing code into the LLVM optimisation pipeline. How’s that working out for them? Pretty well according to Are We Fast Yet, where it’s winning out over Chrome on asm.js benchmarks. But there’s still a long way to go – if we step back to the wider benchmark view, it’s only holding a lead in the super-synthetic Sunspider benchmark. It’s still one to watch and reminds us that JavaScript optimisation is far from a two-horse race.

Android 4.1 the new GingerBread?: For a long time, Android 2.3.3-2.3.7 aka Gingerbread, dominated the Android devices out there. The Google statistics put it down at 16.2% now, well down from its peak with 82% of Android devices running version 4 or later. There’s only one fly in the ointment there though – nearly half of that – 33.5% – is devices running Android 4.1, the first “JellyBean” release from way back in July 2012. It seems to have become the new minimally acceptable Android version for vendors. It’ll be interesting to see if it becomes as sticky as Gingerbread became. On the upside, at least Android 4.4, Kitkat, is matching its 4.3 predecessor in share after jumping to 8.5% from 5.3%. That indicates a healthy uptake over time, at least until the next Android version announcement.

Facebook’s Conceal, Callback hell and a listening Pi – Snippets


Facebook’s Conceal revealed: Facebook have open sourced Conceal, a library for encrypting files on Android devices. The company uses the library for encrypting data that its apps store on SD cards. It uses pre-selected OpenSSL algorithms, picked for efficient memory management and speed, and gets the library down to 85KB by not trying to be a general purpose crypto kit. An interesting bit of pragmatism which means Facebook’s apps can happily encrypt on low-end Android devices. Conceal is available under a BSD licence with its source on GitHub.

Callback hell: Callbacks in Node.js can get pretty gnarly if you do everything with inline anonymous functions. This blog posting from Strongloop is a handy summary of some of the ways to handle them, from nesting and modularisation to async, promises and (soon to come to Node) ES6 generators. So callback, much techniques.

A Pi that listens: Meanwhile, a nice little Instructable covers converting an old bakelite Televox intercom into a voice controlled personal assistant by popping a Raspberry Pi inside… and a sound board… and some software of course… It’ll probably be quite hard to find another fine bakelite intercom, but the rest of the project’s a good starting point for assembling your own style of smart box…

FreeBSD 10.0 so close, Ruboto goes 1.0, ODroid U3 coming – Snippets


  • FreeBSD 10.0 RC3 – so close: FreeBSD 10.0 is so close, with the third release candidate for 10.0 being made available from the various FreeBSD mirrors. And while you are looking, remember that the FreeBSD Foundation is in the final part of 2013’s fund raising drive looking to get a million dollars (currently at $648,622 with 1499 donors) to power the group through 2014.

  • Ruboto – JRuby on Android 1.0.0: The developers of Ruboto have, with the release of 1.0, declared their port of JRuby on Android “ready for general consumption” with all the “important parts” of the Android API available, stabilised and performing reasonably, and enough documentation to work with.

  • ODroid U3 powers up: LinuxGizmos.com notes the upcoming availability of Hardkernel’s Odroid U3, a quad core Exynos 4412 ARM based board which looks to pack a lot of power into a $59 board. It’s already been added to Codepope’s shopping list, especially with the option to use 8-64GB of faster eMMC memory to host either Linux (Xubuntu) or Android. Stay tuned for when it arrives here for a close look… in the meantime, we have an Xmos StartKIT which is pining for attention.

  • Readables: About Obfuscator-LLVM, Dual-Use tools and Academic Ethics – one of the elements of the fallout of the evasi0n iOS7 jailbreak clown-car-crash…

Slackware 14.1, MariaDB 10.0.5, Glassfish and Android Crypto – Snippets


  • Slackware updated: The venerable Slackware Linux has had its annual update for 2013 announced by Patrick Volkerding and a fine update it appears to be. A 3.10.17 Linux kernel, X11R7.7 X Windows, 64-bit UEFI installation support and updates across the board for dev tools, applications, desktops (Xfce 4.10.1 and KDE 4.10.5) and more. And Slackware ARM 14.1 is also available.
  • MariaDB 10.0 goes Beta: As MariaDB, the community-supported and developed MySQL fork, branches away from MySQL with version 10.0, the first 10.0 Beta has been released with enhanced replication, more storage engines supported, engine independent query statistics, regexps with PCRE, admin improvements with roles and more. Google sponsored one enhancement (parallel replication) and blogged about the release noting it is already deploying 10.0 into non-production MySQL instances to aid the MariaDB debugging and development process. In beta, the focus should be on stabilising the 10.x feature set, so if you are considering MariaDB 10.x for future use, now is a good time to check it out.
  • Glassfish goes open only: Oracle have pulled commercial support from the Glassfish server for future releases and are pointing users over at their commercial WebLogic Server. They are carrying on development of the server as the reference implementation of future Java EE platforms, but the fear is the quality of the RI will suffer with no commercial imperative to keep quality and performance high. Oracle may well have backed the wrong Java EE web server from a community point of view – I know no one who goes “Hey, let’s do that on WebLogic” – but now the competitive field is wide open. The X-EE Factor auditions for series… One other takeaway comes from Tomitribe – Open source isn’t free and if we want it to be industrially healthy, then the industry needs to make sure some money ends up in the open source communities.
  • Android Crypto Misuse: Develop for Android (or Java in general)? Write code that uses cryptography? Then read this paper – An Empirical Study of Cryptographic Misuse in Android Applications (pdf). From the abstract, “We develop program analysis techniques to automatically check programs on the Google Play marketplace, and find that 10,327 out of 11,748 applications that use cryptographic APIs – 88% overall – make at least one mistake”. Scary, eh? Very worth a read though.

Android’s SSL downgrade, Mozilla’s SSL, Linux PRNG and SafeCurves – Security Snippets


  • Android’s Cipher Downgrade: According to this blog posting, Android’s cipher suite list – that is the list of ciphers it uses, in order, when it is establishing a secure connection – changed in late 2010 and saw AES256-SHA removed and RC4-MD5 put in its place. This means Android 2.2.1 has a better default cipher than Android 2.3.4 and everything that follows. The analysis shows that Google were apparently following Java’s cipher list changes, but that in 2011, Java 7 got a better cipher list and Android, being based on Java 6, didn’t. There are details in the post of how to fix that and the comments touch on some of the reasons for the oddness.
  • Mozilla SSL: Looking for a place to start when coming up with how to configure your secure server’s SSL/TLS? Check out Mozilla’s Server Side TLS Wiki page which gives their recommended ciphersuites, priorities, forward secrecy hints, OCSP stapling info and a number of recommended server configurations. NGINX gets rated for “best TLS support at the moment” and the page finishes up with a how-to on building with OpenSSL and a run down of all the configuration parameters.
  • SafeCurves: As you may know, Elliptic Curve crypto got a knock in the recent NSA reveals when it appeared that the NIST standard curve in use was believed to have been manipulated, probably to make it easier to crack. At safecurves.cr.yp.to research is ongoing into a range of curves from various standards in a quest to find a safe and secure curve. Crypto-wonks will love this paper and there’s code to let folks independently verify the results.
  • Extra: Red Hat’s Security Update: A small reminder came my way that the recent RHEL 6.5 beta release includes lashings of crypto updates as part of the wider refresh of Red Hat’s OS. OpenSSL and NSS are updated and get TLS 1.1 and 1.2 support now.