Developer Catchup: ECMAScript 6, Scala Policy, JSON’d Postgresql and SHA-1 sunset

ECMAScript 6: It’s coming, for mid 2015, and it’s full of features. In this video (https://www.youtube.com/watch?v=G21rdWfa_as), Axel Rauschmayer talks about all those features. If you prefer slides, they are available too. It covers most of the language features (skipping promises and proxies), outlines the timetable for standardisation and how you can use ES6 features now. Bonus link: do check out his blog.

Policy and Scala: Scala has been forked, and forked by one of its most active contributors. The fork, called Policy, is one of those forks which hopes to be folded back into the original because “The leadership of scala has shown itself unfit stewards of the core technologies and the total price paid by scala programmers (actual and potential) is too high. I failed for half a decade to change that from the inside. Now I’ll try from the outside”. The initial reception seems positive and the Hacker News thread is full of background. One to watch.

More JSON in Postgresql: Postgresql has some neat JSON support built into the database, but one developer wanted it somewhere else – in the logs. Michael Paquier shows how to make Postgresql emit JSON logs by hooking in a JSON log function at runtime. The code can be found on GitHub in a repo of other plugins. Why JSON logs? Well, it does make it easy for a JSON-aware system like Elasticsearch to analyse and search those logs.

SHA-1 Sunset Now: Back in 2005, SHA-1 was tagged as “weaker than it should be” as a crypto algorithm and it’s only got worse since then. So people are slowly stopping its use. Google has just announced its SHA-1 sunset, which begins this month with Chrome 39 flagging sites with SHA-1 signatures that expire in 2017 and beyond as ‘secure with minor errors’. By end of 2014 that window will expand into 2016 and in 2015 those sites will come up with a straight error. Of course, that’s just the Chrome and Chromium browsers… Google will have plenty of engineering to do to completely remove SHA-1 from their systems. Next time you’re doing crypto work, remember to have un-SHA1-ing on your todo list.

Facebook’s Conceal, Callback hell and a listening Pi – Snippets

Facebook’s Conceal revealed: Facebook have open sourced Conceal, a library for encrypting files on Android devices. The company uses the library for encrypting data that its apps store on SD cards. It uses pre-selected OpenSSL algorithms, picked for efficient memory management and speed, and gets the library down to 85KB by not trying to be a general purpose crypto kit. An interesting bit of pragmatism which means Facebook’s apps can happily encrypt on low-end Android devices. Conceal is available under a BSD licence with its source on GitHub.

Callback hell: Callbacks in Node.js can get pretty gnarly if you do everything with inline anonymous functions. This blog posting from Strongloop is a handy summary of some of the ways of handling them, covering nesting, modularisation, async, promises and (soon to come to Node) ES6 generators. So callback, much techniques.

A Pi that listens: Meanwhile, a nice little Instructable covers converting an old bakelite Televox intercom into a voice-controlled personal assistant by popping a Raspberry Pi inside… and a sound board… and some software of course… It’ll probably be quite hard to find another fine bakelite intercom, but the rest of the project’s a good starting point for assembling your own style of smart box…

IDEA 13, Java crypto, FreeBSD 10 beta 4, Rails update, Go 1.2 – Snippets

  • IntelliJ IDEA 13: Jetbrains has rolled out the latest version of its IntelliJ IDEA Java IDE. Version 13 gets a big refresh on the user interface with a new light look and feel on Windows and Linux and toolbars hidden by default, better visualisation of errors and warnings with “lens mode”, comment/string only searching, a built-in SSH terminal, Java 8 support and a presentation mode for talking about coding. All those features, along with enhancements to Android, Gradle, Groovy, Scala and version control support, are in the community version. The commercial Ultimate edition includes JSF 2.2 support, batch job code assistance, JAX-RS 2.0 annotation handling, more app server support, Spring context configuration and MVC view, improved JavaScript debugger, CSS extract refactorings, DART support and many enhancements to the database viewing and support. Full details are in the What’s New page for the new release. The open source Community version and a 30 day trial of the commercial version are both available to download.

  • Bouncy Castle Crypto update: Adding support for client side TLS 1.2 and DTLS 1.2, along with ECDH and ECDSA for the OpenPGP library and many other cryptography options, the splendidly named Legion of the Bouncy Castle have updated their Java Crypto libraries to version 1.5.0 – further details in the release notes.

  • FreeBSD 10 beta 4: The announcement of FreeBSD 10 Beta 4 has also seen the gentle push of the scheduled release date to 2 January 2014 with a December full of release candidates. The in-development release notes give an idea of what to expect as will this article from September.

  • Rails updates for security: Rails has been updated with the release of 3.2.16 and 4.0.2, which address four or five CVE-numbered vulnerabilities. The problems fixed include various XSS vulnerabilities, a denial of service hole and fixes for a previous incomplete security fix.

  • Go 1.2 is go: Go 1.2 is now official with the announcement that, after 7 months, the latest modifications to the language, library and toolchain are now available. Full details in the release notes. Updates are expected to come on something closer to the 7 month cycle in future.

Slackware 14.1, MariaDB 10.0.5, Glassfish and Android Crypto – Snippets

  • Slackware updated: The venerable Slackware Linux has had its annual update for 2013 announced by Patrick Volkerding and a fine update it appears to be. A 3.10.17 Linux kernel, X11R7.7 X Windows, 64-bit UEFI installation support and updates across the board for dev tools, applications, desktops (Xfce 4.10.1 and KDE 4.10.5) and more. And Slackware ARM 14.1 is also available.
  • MariaDB 10.0 goes Beta: As MariaDB, the community-supported and developed MySQL fork, branches away from MySQL with version 10.0, the first 10.0 Beta has been released with enhanced replication, more storage engines supported, engine independent query statistics, regexps with PCRE, admin improvements with roles and more. Google sponsored one enhancement (parallel replication) and blogged about the release noting it is already deploying 10.0 into non-production MySQL instances to aid the MariaDB debugging and development process. In beta, the focus should be on stabilising the 10.x feature set, so if you are considering MariaDB 10.x for future use, now is a good time to check it out.
  • Glassfish goes open only: Oracle have pulled commercial support from the Glassfish server for future releases and are pointing users over at their commercial WebLogic Server. They are carrying on development of the server as the reference implementation of future Java EE platforms, but the fear is the quality of the RI will suffer with no commercial imperative to keep quality and performance high. Oracle may well have backed the wrong Java EE web server from a community point of view – I know no one who goes “Hey, let’s do that on Weblogic” – but now the competitive field is wide open. The X-EE Factor auditions for series… One other takeaway comes from Tomitribe – Open source isn’t free and if we want it to be industrially healthy, then the industry needs to make sure some money ends up in the open source communities.
  • Android Crypto Misuse: Develop for Android (or Java in general)? Write code that uses cryptography? Then read this paper – An Empirical Study of Cryptographic Misuse in Android Applications (pdf). From the abstract, “We develop program analysis techniques to automatically check programs on the Google Play marketplace, and find that 10,327 out of 11,748 applications that use cryptographic APIs – 88% overall – make at least one mistake”. Scary, eh? Very worth a read though.