July 10th, 2005

belize

Hacking update

After my nap(s) yesterday, I headed over to btrott's for Zante's and hacking. Lots of commits both before and after midnight.

We double-teamed Gearman, documenting it, rearranging it, and writing a mostly comprehensive test suite for the combination of client, worker, and server. Test suites that vary with timing are fun. And ones that involve forking off a bunch of processes, making them all talk, killing some at the right times, etc.

So overall, very productive.

It's just kinda sad that I have to hack on the weekend to really get in the groove and have a couple straight hours to focus without interruptions.
belize

Programming error

If you look at security.debian.org's recent advisories:
[10 Jul 2005] DSA-745 drupal
    input validation errors
[08 Jul 2005] DSA-744 fuse
    programming error          <-------- heh
[08 Jul 2005] DSA-743 ht
    buffer overflows, integer overflows
[07 Jul 2005] DSA-742 cvs
    buffer overflow
[07 Jul 2005] DSA-741 bzip2
    infinite loop 

Aren't input validation errors, buffer/integer overflows, and infinite loops also programming errors?

I'm really curious exactly what fuse's problem is. The detailed view just says:

Sven Tantau discovered a security problem in fuse, a filesystem in userspace, that can be exploited by malicious, local users to disclose potentially sensitive information.

(the diff, for those curious)
belize

Bugs, Meetings, Testing

So the combination of like four of us teamed up to contribute seemingly benign patches which in combination produced a bug that was caught and fixed within hours of release.

It was suggested that we have a post-mortem to discuss it, but I, being stubborn, said I wouldn't be attending, since we'd already had a suitable (I thought) post-mortem with the developers involved the night of the bug, and we'd recently had a long post-mortem for another unrelated issue that ended up covering tons of stuff, so I thought nothing new could come of this 3rd post-mortem that wasn't already covered in the first two, short of playing the blame game or something.

Ah, but I was wrong.

While I wanted to avoid a meeting and perhaps hack, it appears my time savings argument was fruitless as I've likely spent more time reading/writing emails about the meeting and the issue than the proposed meeting would've taken had I just attended.

So I admit defeat, and in addition to having spent time and my precious wrists/fingers writing emails, I will also be attending the meeting, if only to cut my losses and not type anymore.

But it might be fun as I'd love to discuss writing a test suite to cover the entirety of LiveJournal. Historically I've shunned tests, mostly because anything non-trivial I work with is distributed on lots of machines, deals with timing, and is just generally a bitch to test accurately. Lately, however, I've had success writing test suites of pretty complicated things, like LWPx::ParanoidAgent, OpenID, and just this weekend with Ben, Gearman (which Ben pretty much did).

So I'm warming up to automated testing, especially considering it'd be something the sysadmins could run first to feel better about code being pushed, and there'd be proof in the code repo that a test was or was not written. (which there would then be policy to include)

In conclusion: fun, fun.