http://stefan.samaflost.de/blog Mixed Content en http://stefan.samaflost.de/blog/en/oss/QMQP/java_client_lib_for_qmqp.html <p>In a project at <a href="http://www.innoq.com/">innoQ</a> we're using <a href="http://cr.yp.to/proto/qmqp.html">QMQP</a> to quickly queue mail to an MTA for delivery.</p> <p>Even though - or maybe because - the protocol looks rather simple, we didn't find any open source library for this. We've decided to open source our own implementation <a href="https://github.com/innoq/QMQP-Java">QMQP Java</a>, version 0.1 is available from Maven central (com.innoq.qmqp:qmqp-client:0.1) under the Apache License 2.0.</p> <p>This initial release is strongly tailored to our project's needs. If you want to use it and find it lacking anything, don't hesitate and use a pull request or open an issue at github.</p> http://stefan.samaflost.de/blog/en/Apache/Ant/184_dos_release.html <p>In case you have missed it, there is a flaw in the code that writes bzip2 archives in both Ant and Commons Compress. There are new releases for both of them, so go grab them: <a href="http://ant.apache.org/bindownload.cgi">Ant</a>, <a href="http://commons.apache.org/compress/download_compress.cgi">Commons Compress</a>.</p> <p>As part of the process of creating bzip2 compressed blocks the input data (usually in chunks of 900kb) is sorted (during the Burrows-Wheeler transformation, if you want to know). The only sorting algorithm present in the bzip2 classes prior to the security release is very efficient for the average case but shows extraordinarily bad performance for very repetitive inputs. For certain inputs the bzip2 task took two hours on my really fast work notebook (at 100% CPU for a single core) while it finishes in less than two seconds with Ant 1.8.4.</p> <p>These inputs have to be specially crafted, it is very unlikely you will face them in the wild. The flaw turns into a security issue if you are providing a public service that compresses input created by arbitrary users - maybe a public build server or an archiving solution.</p> <p>The bzip2 code in Ant (and all forks that stem from it, like Commons Compress) was derived from an early version of <a href="http://www.bzip.org/index.html">Julian Seward's libbzip2</a>. Starting with 0.9.5 libbzip2 detects if sorting is taking too long because of bad inputs and switches to a different sorting strategy in such cases. The fix in the two releases now consists of porting this fallback sorting algorithm from C to Java.</p> <p>While porting this I learned a lot. I read several academic papers in order to understand what was actually going on. It felt like I was back in University again and it felt good.</p> <p>Many thanks to David Jorm of the Redhat Security Team who uncovered the issue.</p> http://stefan.samaflost.de/blog/en/unsorted/roca.html <p>Some of my colleagues at <a href="http://www.innoq.com/">innoQ</a> have put together a bunch of rules about what makes up a web application that actually uses the web rather than hides it.</p> <p>There is more on <a href="http://www.innoq.com/blog/st/2012/03/announcing-roca/">Stefan Tilkov's blog</a> and the <a href="http://roca-style.org/">ROCA website</a>. Discussion (<a href="http://roca-style.org/discussion.html">there</a>, not here) is more than welcome.</p> http://stefan.samaflost.de/blog/en/Apache/Ant/183.html <p>yesterday we released Ant 1.8.3, go grab it from <a href="http://ant.apache.org/bindownload.cgi">the download page</a>. By pure coincidence it was released on a leap-day.</p> <p>This release really mostly is a bug fix release, see the <a href="http://www.apache.org/dist/ant/RELEASE-NOTES-1.8.3.html">release notes</a> for a complete list. There isnt anything major sticking out to me, but I know people have been bitten by some of the bugs - like forked Java processes hanging when they read from System.in - so for them the new release was important.</p> <p>The dev team has decided to drop Java 1.4 support (as Ant's runtime) for trunk, so this may likely be the last release supporting Java 1.4. We have prepared a branch so we may be able to create more 1.8.x releases if a major bug raises its head. For trunk this means we'll be able to start using "modern" features like generics. It also means I can merge some improvements like Zip64 support from Commons Compress into Ant.</p> <p>One of the fixes introduced a new class in order to better multiplex between System.out and System.err when forking a new process. This allows Ant 1.8.3 to be detected by either</p> <pre class="code"> &lt;antversion property="Ant-1.8.3-or-later" atleast="1.8.3"/> </pre> <p>or</p> <pre class="code"> &lt;available property="Ant-1.8.3-or-later" classname="org.apache.tools.ant.util.LineOrientedOutputStreamRedirector"/> </pre> <p>It's been the first time I acted as Ant's release manager since Ant 1.1 more than eleven years ago, quite a bit has changed WRT process but also automation since then. It wasn't as painful as I feared it to be, largely because we no longer ship optional tasks that require third party jars that cannot be downloaded freely.</p> http://stefan.samaflost.de/blog/en/unsorted/moved_oss_libs_to_github.html <p>I've been keeping a small <a href="http://stefan.samaflost.de/blog/en/Java/GWT/gwt_ant_tasks.html">Antlib</a> for GWT and a <a href="http://stefan.samaflost.de/blog/en/dotNet/anttask_for_netbuildtools_1.0.1.html">DLL with NAnt and MSBuild tasks to run Ant</a> in a local darcs repository. Now I've decided to not maintain them here anymore but rather move them to github, so they now are at <a href="https://github.com/bodewig/gwttasks">https://github.com/bodewig/gwttasks</a> and <a href="https://github.com/bodewig/Ant4NantAndMSBuild">https://github.com/bodewig/Ant4NantAndMSBuild</a> respectively.</p> <p>For the migration of my - trivial - darcs repos I used <a href="https://github.com/purcell/darcs-to-git">https://github.com/purcell/darcs-to-git</a> and it worked like a charm.</p>