Archive for the ‘Software Development’ Category

There is a new markup language on the market. As a Wikificionado I like markup languages better than using any wordprocessor – for my own writing I haven’t used a wordprocessor in many, many years. Even at work I only use Word when I have to, and that has been a while ago (that probably means all I write are emails and code). And bug reports and documentation get dropped into JSPWiki and Trac and Joplin – all I need is simple markup.

I like markup for regular writing, and I use it daily in tools like Trac and JSPWiki. The trouble, of course, is that each of those tools (and many others!) uses a slightly different markup scheme.

And now there is a new contender on offer: Mau.

Click the image to go to the source code on Github

I can see where it comes from: the author needed more than what any simple markup could offer. I too have at times been frustrated by the lack of feature X or Y in any markup scheme. It surprised me to see that he did not check out LaTeX, which as far as I know should have covered his requirements. But it would probably have been too steep a learning curve.

Back to Mau: I haven’t yet tried it, but I can see that it would be a very nice tool for writing documentation. However, for me the system should be an extension of Markdown, let’s say a SuperMarkdown or MarkdownPlusPlus, rather than another variant markup scheme with subtle differences from what I know.

I guess I am not the only one to dislike “yet another divergent markup scheme”. So far I haven’t seen much traction for Mau… although it is, in a way, a very cool project. I applaud Mau’s author for making the effort – he clearly thought this through. And who knows: perhaps Mau becomes wildly successful in the future?

Read Full Post »

I like CFLint for its ability to assist me in writing better code. But some of the rules implemented in the “standard” version strike me as arbitrary (“standard” meaning the version without any additions). If there is some kind of master rulebook for writing CFML or CFScript, then there is no reference to that in the CFLint source code, nor on its website.

I find that CFLint conflicts with some of the code style rules that I have been applying for over a decade. Code styles are always somewhat arbitrary, of course. They depend on the experience and knowledge of its author(s), on the frameworks and code libraries used, on the styles used in other programming languages at the same company, on the quality assurance rules applied, and more.

That is why I struggle with some of the rules currently fixed in CFLint. Here’s an example. When I write scope names like “APPLICATION” and “ARGUMENTS” the “VariableNameChecker” rule in CFLint complains, telling me that scope names should never be written in capital letters. My reasoning for doing that nevertheless is simple: the names of these scopes have been reserved and fixed by Adobe, so you cannot use them for anything else. So going “allcaps” on them neatly sets them apart from variable and function names. With the current situation I have to disable the rule completely.

I would like to see this checker adapted so that I can specify whether I want scope names “allcaps” or “nocaps” (or even “camelCase” of “PascalCase”) in the CFLint configuration file. That way I could easily check whether I applied my own rule correctly, by adapting the config as needed, regardless of the default set by the CFLint developers. The same approach could be worthwhile for variable names, component names, and function names, of course.

There are probably a few more situations like that in CFLint. If I find the time I may have a look at the Java code, to see how this might be implemented (don’t hold your breath, though).



Read Full Post »

I am getting used to working with VSCodium for my development work (VSCodium is essentially the same tool as Visual Studio Code). I chose VSCodium because it is a multiplatform tool, it is very flexible and extendable, and thus it has good support for many programming languages. What’s not to like?

One of the VSCodium extensions I’m trying out is CFLint. My ColdFusion development career is still stuck at CF11, and the tools I use to help me validate my code are indeed… a bit dated: I use a slightly adapted version of ‘VarScoper‘ (see my earlier comments on this) and the ‘CFML Complexity Metric Tool‘ (see https://github.com/NathanStrutz/CFML-Complexity-Metric-Tool), as well as an extensive series of unit test running in ‘cfcUnit‘ (sorry, its homepage no longer exists). Say what you want: any helper tool, even if it’s dated, is better than no tool.

CFLint is much more recent, and it handles CFScript as well as my trusty tag-based code. It’s caught a number of inconsistencies in my code, like unused variables, which is very good – less code equals less opportunities for errors. Using CFLint also removes an obstacle to my moving to CFScript, so yes I am progressing – even if it’s just at a slow pace ;-)

But I have a few niggles with CFLint; I guess I will have to create a few tickets in the project site on Github, and/or come up with a solution that’s acceptable to all other users of the tool as well. CFLint assumes that everyone codes in the same manner, according to the same rules. That is a bit assumption, and it clashes with some of the rules that I applied to my code. Not all of the situations are easily reconfigured with the options that CFLint (currently) allows. Here are a few of things I found… disturbing, at least for my use case.

  • I can agree with the rule that .cfm/.cfml file names should not start with a capital letter. But for old-school ColdFusion developers like me there is no way to escape Adobe: ‘Application.cfm‘ absolutely has to start with a capital!
  • Worse: the file starts with three comment lines, and CFLint seems to use that fact as a reason to repeat the message “The file Application.cfm should not start with a capital letter” three times…
  • In general, I agree with the rule that variable names should be written in ‘camelCase‘ (or ‘PascalCase‘). But it would be nice to have the opportunity to list a few exceptions to that rule.
  • So far, I haven’t seen a check for double variable declarations – my bad, or is it really missing?

All in all, after a bit of tweaking I now have a fairly usable CFLint setting in my ‘.cflintrc‘ file – it’s good to have a tool looking over my shoulder to catch inconsistencies, mistakes, typos and more.

Read Full Post »

I’m a newcomer to managing TLS/SSL certificates for intranet sites and applications. Renewing all the bindings (2 per site) for dozens of sites is no fun in IIS… but I have not yet found the time to familiarise myself with PowerShell in a sufficient way to write a script to replace me ;-)

To help me nevertheless, I found and adapted a nice script, universally usable on all Windows servers running IIS to serve TLS/SSL sites:

Import-Module -Name WebAdministration

Get-ChildItem -Path IIS:SSLBindings | ForEach-Object -Process `
   if ($_.Sites)
         $certificate = Get-ChildItem -Path CERT:LocalMachine/My |
            Where-Object -Property Thumbprint -EQ -Value $_.Thumbprint

            Hostname       = $_.Host
            TLSCertificate = $certificate.FriendlyName
            ValidUntil     = $certificate.NotAfter
            Thumbprint     = $certificate.Thumbprint

This will list all the sites and the current certificate for the hostnames as well as their enddate. Nothing fancy, but very handy when trying to figure out which hostname you forget to handle!

PS. Yes, the backtick at the end of line three is essential… don’t leave it out.

Read Full Post »

The Content Management Systems (CMS) market is quite extensive: the well-known CMS Matrix website lists more than 1300 products! That doesn’t make a choice any easier, of course. Hence sometimes people say: “Let’s build our own CMS“.

Is that a good idea? What does it mean to build your own CMS? What advantages and disadvantages do you have to take into account when starting to write a CMS from scratch?

The article “Why Would You Write Your Own CMS?” is highly recommended to any developer and webmaster considering writing their own CMS. The author does not pretend to be exhaustive, but I think he manages to list the main characteristics of that process.

When all is said and done, the main reason I chose to write my own CMS is because I wanted to. The main benefit is that it’s precisely what I need, and the main drawback is that it took ages to build.

Now it is of course true that James Edwards built a system that is “precisely what he needed”: he is also the only user, so to speak. If you want to build your own CMS for the company, you have to consider additional disadvantages – and advantages, of course. I know from experience that one of those important advantages is the flexibility with which you can adapt the CMS to the inevitable changes within and around your company. And you cannot say that about many existing products …

On the other hand, a plea for “do it yourself” should not mean that you should not look at a number of content management platforms. Such a platform offers basic functionalities, and on top of that it will have one or more ways to add custom functions. The examples are well-known: Drupal, Joomla, WordPress, Typo3 and many others can be installed on your own servers; platforms such as Wix, BigCommerce, Shopify and Bitrix24 provide the hosting, so you only have to focus on the content.

Each type of solution has advantages and disadvantages, so there is no “best” solution for all possible situations. Studying, trying and comparing different solutions is the only way to find out what fits your needs!

You can read this post in dutch on the ‘innologos’ blog.

Read Full Post »

Strange how things go: the “critical security issue” Adobe reported on March 22, 2021 seems to be less critical than originally thought – the severity of the issue has been lowered to “moderate” (whatever that means).

Click the image to see the original tweet

The offending line…? (Source: Dave’s Twitter feed)

The issue, of course, is that we have no way to verify what is going on: Adobe remains mum on the exact nature of the issue, refuses to engage with the ColdFusion community on the subject (cf. the CFML workspace on Slack), and as developers we can only ask the question: is this the support we’re supposed to pay for?

Read Full Post »

Adobe has reported a “critical” security issue with the latest versions of ColdFusion, although the page titled “Security updates available for Adobe ColdFusion | APSB21-16” currently does not give many details.

At work we’re still running ColdFusion 11, and that version is not mentioned in the report (probably because it is already out of support). Nevertheless I would to know whether CF11 is also concerned by this issue – if only to tell our IT security office that we have no problem with vulnerability CVE-2021-21087 in our configuration ;-)

The only information I have found so far is unofficial: if I understand things correctly, Dave Walker is telling us that the error is an unchecked input in the CFAJAX package:

Click the image to see the original tweet

The offending line…? (Source: Dave’s Twitter feed)

I would love to see confirmation of that, and I wonder: do earlier versions of ColdFusion already contain the same error?

Read Full Post »

In Has Microsoft 365 Been Clinically Tested? James Robertson poses a few hard questions, and rightly so. I do not want to enter into the debate about the nature of AI (is it intelligent, or just algorithms?); regardless of the answer to that question what interests us here is the relevance, accuracy, usefulness, reliability and sustainability of the solutions offered – and of course, not just Microsoft but any provider of AI-based solutions should be able to provide us with clear answers to those questions.

One of the core problems with AI is bias, and in the words of Julia Powles and Helen Nissenbaum (in “The Seductive Diversion of ‘Solving’ Bias in Artificial Intelligence“) all AI “bias is social bias”. Even if we ignore the (much larger) problems AI bias can cause in society at large, there is the issue of how well an IA solution will work for company X if it was built/trained by a company on another continent, in a different culture, and even with a different company culture.

Will be be able to “Build our own AI”? What mechanisms and tools will we have to investigate the workings of an off-the-shelf AI? Should we avoid AI altogether (there is excellent SF literature that makes this point – try Frank Herbert’s “Dune”)? Or do we have to teach all AI the equivalent of Asimov’s three Laws of Robotics?

Thanks for the image, XKCD

Read Full Post »

We live in an era of rapidly increasing digitalisation. Hence it’s no surprise that digital systems, however complex they may be, are the subject of increasingly sophisticated attacks. If you want proof of that, take a few hours and read “An iOS zero-click radio proximity exploit odyssey” by Google engineer Ian Beer. He explains how he discovered – and “exploited” – a vulnerability in Apple’s iOS that made it possible to take over an iOS device remotely without the user knowing what happened.

If you like programming, like me, you’ll find the story lacking in code but rich, very rich, in debugging techniques. Plus a lot of detective work and experimenting – in soft- and hardware. That’s what “hacking” is about, of course, and this story is a good illustration of just how devious you have to be!

Read Full Post »

It had been a while, many years actually, since I needed the Windows equivalent of “touch“. You don’t know that command? All it does is change to modification date and time of a file (or a series of files) to the current date and time of the computer. I used to turn to the Cygwin toolkit to get things done, in the days when corporate Windows PC’s weren’t so closed off and you could install your own tools.

Luckily for me there is an equivalent in Windows, on the command line. You can use this somewhat strange command to get the same result:

copy /b filename.ext +,,

Yes, that’s a plus sign followed by two commas at the end. I’m writing it up here because I know I won’t remember that correctly in a few days!

Read Full Post »

Charlie Arehart is a well-known ColdFusion specialist. Two days ago, he wrote a blog post explaining why one should be careful about securing ColdFusion Archive (CAR) files. The Adobe ColdFusion team isn’t very explicit about the issue, telling us in small print that we should delete those files after using them – but does not explain why we should do so. So Charlie explains it in great detail – if you work with Adobe ColdFusion, you should check out his blog.

Now Charlie only mentions versions 2016 and 2018 of ColdFusion, and I know that there are still developers around that work with older versions – actually, I’m one of those: ColdFusion 11 is what I support (and occasionally develop for) since 2015. I have been using  .car files for installing CF servers, and I had already been looking at what they contained. But I had never seen the ‘seed’ and ‘algorithm’ strings Charlie writes about, but I could have overlooked them. So I went in again today, to verify things.

I can confirm that .car files created in CF11 do NOT contain those strings. But before you start celebrating, I must warn you that this probably means that the situation is even worse than for more recent versions. Because CF11 will write (encrypted) passwords into a .car file, and yes: those files can be used to reconfigure another server, passwords included ! Which probably means that all CF11 runtimes use the same seed and algorithm, rendering  CF11.car files containing passwords even more insecure than later versions

I did not know about all this until yesterday, but I seem to have circumvented the problem: I wrote an application to install datasource definitions on the servers rather than use CAR files. That offers multiple advantages: the code  (and hence the definitions) is under version control, and can only be accessed by authorized users; we have different definitions for different environments; etc. And the.car files I do use have no passwords in them – whew!

But it’s clear that it pays take this issue into account as a ColdFusion developer or administrator, whatever solution you choose (and Charlie has a few propositions).

Read Full Post »

Strong words, but there’s more than a grain of truth in them: “Why Kubernetes is The New Application Server“. “Classic” application servers like those for Java are no longer sufficient by themselves to build a platform that can serve big internet-applications with a large, world-wide audience. And in the world of “containers” Kubernetes seems to be king, as far as I can tell.

Container ship at sea

(Photo by GPA Photo Archive – Original on Flickr)

In order for containerisation to work, applications must be properly “documented” – in fact, the bulk of the “configuration documentation” will somehow be part of what is needed to get those containers up and running. Around the time I read up on Kubernetes I stumbled onto something called “The Twelve-Factor App” – can’t remember who pointed me there. This methodology (it’s not an app!) describes a well-documented way to build, configure and run a cloud application – a laudable objective.

At work, we have tried to describe our applications in order to migrate them to another (Windows) domain with new (better) rules about access control, database access, etc. But things aren’t working out as they should. We do have documentation, although I’m not sure how useful it is outside of the context of passing relevant information from the developers to an external partner that will implement parts of the configuration. Additionally, we have described lots of “what“s, but almost no “why“s – which might be essential in the coming months and years as the applications continue to evolve…

Ideally, I would have loved to have a decent ‘methodology’ for documenting application essentials when we were building our applications. Trying to figure out what has to be done to get things up and running again on new servers has become something of a nightmare. That is even more so when the application you’re handling was developed by someone who’s no longer available for questioning!

The Twelve-Factor app may turn out to be very useful, although I suspect it is incomplete. I don’t think there is a single method for completely describing and documenting applications and systems that extend beyond the most simple cases. Any ‘methodology’ to build software is bound to need more or less tweaking to fit your (or your company’s) way of working. Getting to know methodologies other than the one you’re using is a good way of discovering what you need to get better!

Read Full Post »

My setup has been the same since quite a few years now: I have a Keepass file on Dropbox, and I use several different applications and apps on multiple devices to access and update that file. Which applications, you ask?

On my Macs as well as on my Xubuntu machines I will use Keeweb. Despite its name, it gives you a desktop application that natively accesses (and syncs) files on Dropbox. This is the application I go to for when I want or need to reorganise the Keepass file, e.g. to rearrange groups or import lots of account data.

I would use Keeweb on a Windows PC as well – if I had one. At work, we have no free choice of which application to use to store passwords, but luckily we do have the “official” Keepass Password Safe at our disposal.

On Android my favourite Keepass app is called Keepass2Android. I will admit that I made that choice a few years ago, and haven’t checked on its competitors recently (are there competitors of note, by the way?). But it does what I need it to do; it accepts Dropbox as cloud storage and it will even merge changes from the local version and the Dropbox version when it detects differences between the two during the synchronisation process. That last one is a killer feature, and it hasn’t failed me a single time in the years I have been using it.

On iOS the situation is a little more complicated – at least, that how it feels to me. I wrote earlier about KeePassium, and that is still my app of choice. I like the interface, and it does all I need when I look for account info (you can store more than just passwords there!).

But in order to sync my central file on Dropbox, on iOS the app has to go through the “Files” app from Apple. Files-the-app is capable of showing files of all kinds on the iOS device, as well as the files on several cloud file systems, like Dropbox. What is less clear to me, however, is how quickly “Files” notices changes on Dropbox and picks up the latest version of my central KeePass file. I also have had trouble getting the latest version of my file (as changed on Android, for example) onto my iPhone. Although I must admit that the last few weeks fared better: I haven’t noticed anymore missing syncs lately. What I can’t say is whether the issue was/is with Files rather than KeePassium or even my internet connection…

Anyway, when it comes to passwords I want to be sure that I’m not missing any information – or worse: I don’t want to overwrite my updated central file with an older version on iPhone! That’s why I currently always check the “last updated on” date of my Dropbox file in Files before opening the file again. Of course my Dropbox account is protected with a password, but I don’t think that is what Andrei Popleteev means when he’s writing about “How to sync KeePassium with Dropbox“.

Manually checking the file date on iOS is not an ideal situation, I know, but to me that check is a small price to pay for the greater good of having my account data available on all the platforms I use! And for me, KeePassium is still the way to go on iOS.

Read Full Post »

Contrary to most pure hardware tools like a hammer, software tends to evolve over time. These days, software evolves faster than ever before – and at the same time most pieces of software that we use regularly are also interconnected with other software. Think of your smartphone, where the operating system updates the apps running on the device, while some – if not most – of the apps require connections to other infrastructural software and “platforms” from the likes of Google, Apple, and many others. Synchronising account and application data is getting more important every day, the more so now that more and more people have more than one device. No wonder then than sometimes things take a turn for the worst…

Case number one: I have been using a couple of home-brewed scripts to get the daily production numbers of our solar panels from the SMA monitor to an Xubuntu computer, and then transfer them to a Google Drive for storage. I used Grive2 to sync new or renewed files to Google Drive, until that failed as I reported on December 15th. Google started restricting OAuth access rights in November 2019, and that poses a problem for tools like Grive2.

My replacement solution using Jdrivesync is actually victim of the same OAuth change, although it is less evident: it can still add files to Drive but fails when reading the metadata of Drive files (and hence is incapable of replacing them as well).

Today I took the time to tackle the issue head-on, and started by re-reading the instructions on Grive2. That answered my question of a few months ago: I now know why Google changed its approach. The Grive2 site also explains how to circumvent the limitations, by creating your own Google API project and OAuth credentials. It’s not the fault of the Grive2 author, but man oh man, what a convoluted process is that. You get to answer a pleiad of questions that may be easy to understand for a seasoned Google developer, but not for an end user trying to get a simple sync script to work again! In the end, after a series of dire warnings by Google during the process, things started working again. Which is nice. But I’m still not sure for how long this will continue to work. That’s not reassuring for a solution that is supposed to work without a hitch for at least 10 more years or so.

I think the burden here is on Google: it would be nice if they could figure out a way for single end users to get a single application instance (project) up and running on a single account in an understandable process. Because that is what I needed: a way to tell Google that MY Grive2 script will sync MY data from MY computer to MY Google Drive. A simple process does not need to bother me with questions about GSuite domains, privacy declarations, consent screens, and what more. Please, Google?

Case number two: since a few weeks I’m a happy user of KeePassium. I use it on my iPhone as well as on an iPad, where both devices open the same KDBX file. Since I also still have an Android device running Keepass2Android, I store the KDBX file in DropBox. This setup seemed to work OK, until a few days ago when a new account added on the iPad did NOT show up on the iPhone nor in Keepass2Android. After a few tests and trials I ended up with saving the file explicitly to DropBox and reopening it on both the iOS devices, and later synced Keepass2Android as well. The latest changes in the file are now visible on all three machines, so that’s good.

However, I fear that I may have lost one earlier password change. I’m not in any position to blame either DropBox, Apple’s Files app, or KeePassium, since I cannot (yet?) explain what happened. So while the situation is “under (manual) control” now, I keep wondering what will happen when I apply the next changes to the KBDX file. Here, like in the case above, the synchronisation should ideally happen without any special interaction on my part. Unfortunately, as long as I’m not certain that the complete setup works “as expected” I may as well continue to sync by hand – and that is exactly what smart software is supposed to automate, no?

Conclusion? As a developer of sorts, I’m familiar with all aspects of software, good and bad alike. I know things can go awry, and I know how to try and figure out what goes wrong and how to try and resolve the issue. But I’m part of a minority, speaking globally, and I can imagine that many (most) people would just declare defeat and call the software they were using “buggy” or “bad” or “useless”. While that may true in some cases, it mostly shows that developers and publishers of software will need to take more care when building their products: no software is an island, and many if not all software tools will have to talk to others – hopefully in a polite and productive manner. Not an easy task, but possibly essential if the tool has to be around for a long time.

Read Full Post »

“Seeing” things as colors or sounds has always intrigued me, so I had to have a look at the “What Color Is Your Name?” website. Don’t expect an extensive and scientific explanation of the phenomenon; just enjoy the results. Here’s what the alphabet look s like for Bernadette:

I can see this site being used to select a color scheme by website designers!

Read Full Post »

Older Posts »