August 31, 2004
@ 07:00 PM

August 30, 2004
@ 09:55 PM

Ok, ok. I've said this over and over to Microsoft people over the past year and I can finally say it out loud. Ah, no, I won't. I'll just link.

Categories: Longhorn

August 30, 2004
@ 09:08 AM
Categories: Other Stuff

August 30, 2004
@ 08:32 AM

I had the dubious pleasure to fly with Northwest to Seattle last week and for me, Northwest is now finally blacklisted. Not only do they still fly hopelessly outdated DC-10s (I am not qualified to make a judgement about the airframe, but I am qualified to make a judgement about the cabin), but I also really have a problem with the cabin crew attitude. There's nothing wrong with the cabin crew's average age being well above 50, but I do have a problem with them acting as if they're looking after a kindergarten. Point in case: "Madam, can I have a 7up please?" Answer: "Son, the galley is up there in front and you may want to stretch your legs anyways".

Categories: Other Stuff

Security expert Dominick Baier made me aware of a security vulnerability in dasBlog at the beginning of last week. Dominick will post a concrete advisory later this week for reasons of completeness, but we want to give everyone a chance to patch their systems, because exploits are embarrassingly simple to write.

The problem affects all versions of dasBlog and allows a specially crafted cross-site scripting attack that would potentially and under certain circumstances allow an attacker to gain temporary access to the blog user’s credentials. The problem does not allow an attacker to gain any further control over the server or compromise system-level security.

The suggested workaround is to install the patch that can be found here (direct link). The patch archive contains four subdirectories (named 1.3, 1.4, 1.5, and 1.6) with replacement binaries for the newtelligence.DasBlog.Runtime.dll assembly for the respective version.

1.      Back up your existing assembly from your blog’s /bin subdirectory,

2.      Replace it with the new assembly for your version from the respective directory of the patch archive

3.      Open and save “web.config” with notepad to restart the site

4.      You are again safe.

The changes are minimal and should not have any adverse effects, but if you experience any odd behavior after applying the patch, please let me know.

Spread the word!

[The GotDotNet workspace source trees for 1.3-1.6 contain the modified sources for the respective versions. The “CurrentWork” tree is not yet patched.]

Categories: dasBlog

August 19, 2004
@ 11:02 AM

I can't decide what I dislike more: IE6 randomly locking up or Firefox crashing on uncaught null pointer exceptions.

Categories: Other Stuff

(1) Policy-negotiated behavior, (2) Explicitness of Boundaries, (3) Autonomy and (4) Contract/Schema Exchange are the proclaimed tenets of service orientation. As I am getting along with the design for the services infrastructure we're working on, I find that one of the four towers the others in importance and really doesn't really fit well with them: Autonomy.

P, E and CE say things about the edge of a service. P speaks about how a service negotiates its edge behavior, guarantees and expectations with others. E speaks about how talking to another service is and must be different from talking to anything within your own service. CE speaks about how it is possible to establish a common understanding about messages and data while allowing independent evolution of internals by not sharing programming-level type constructs.

P is about creating and using techniques for metadata exchange and metadata controlled dynamic configuration of service-edges, E is about creating and using techniques for shaping service-edge communication paths and tools in a way that services don't get into each others underwear, and CE is about techniques for defining, exchanging, and implementing the flow of data across service-edges so that services can deal with each other's "stuff".

P, E and CE are guiding tenets for "Web Services" and the stack that evolves around SOAP. These are about "edge stuff". Proper tooling around SOAP, WSDL, XML Schema, WS-Policy (think ASMX, WSE, Axis, or Indigo) makes or will make it relatively easy for any programmer to do "the right thing" about these tenets.

Autonomy, on the other hand, is rather independent from the edge of a service. It describes a fundamental approach to architecture. An "autonomous digital entity" is "alive", makes independent decisions, hides its internals, and is in full control of the data it owns. An autonomous digital entity is not fully dependent on stuff happening on its edge or on inbound commands or requests. Instead, an autonomous service may routinely wake up from a self-chosen cryostasis and check whether certain data items that it is taking care of are becoming due for some actions, or it may decide that it is time to switch on the lights and lower the windows blinds to fends off burglars while its owner is on vacation. 

Autonomy is actually quite difficult to (teach and) achieve and much more a matter of discipline than a matter of tooling. If you have two "Web services" that sit on top of the very same data store and frequently touch what's supposed to be each others private (data) parts, each of them may very well fulfill the P, E, CE tenets, but they are not autonomous. If you try to scale out and host such a pair or group of Web services in separate locations and on top of separate stores, you end up with a very complicated Siamese-twins-separation surgery.  

That gets me to very clearly separate the two stories: Web Services <> Services.

A service is an autonomous digital entity that may or may not accept commands, inquiries (and data) from the outside world. If it chooses to accept such input, it can choose to do so through one or more web service edges that fulfill the P,E,CE tenets and/or may choose to accept totally different forms of input. If it communicates with the outside world from within, it may or may choose to do so via web services. A service is a program.

A web service is an implementation of a set of edge definitions (policies and contracts and channels) that fronts a service and allows services to communicate with each other. Two services may choose to communicate using multiple web services, if they wish to do so. A web service is a communication tool.

With that, I'll cite myself from three paragraphs earlier: If you have two "Web services" that sit on top of the very same data store [...] they are not autonomous. If you try to scale out [...] you end up with a very complicated Siamese-twins-separation surgery."  ... and correct myself: If you have two "Web services", they don't sit on the data store, they front a service. The service is the smallest deployable unit. The service provides the A, the web services bring P, E and CE to the table. A web service may, indeed, just be a message router, security gateway, translator or other intermediary that handles messages strictly on the wire-level and dispatches them to yet another web service fronting an actual service that does the work prescribed by the message. 

All of this, of course, causes substantial confusion about the duplicate use of the word service. The above it terribly difficult to read. I would wish it was still possible to kill the (inapproprate) term "web service" and just call it "edge", or "XML Edge", or (for the marketing people) "SOAP Edge Technology", or maybe "Service Edge XML", although I don't think the resulting acronym would go over well in the U.S.

Categories: SOA

August 6, 2004
@ 09:22 PM

This Slashdot story reminds me why I hate NBC Sports. I lived in New York in 1996 during the Olympic Games and I got to see soapy stories about which terrible obstacles athletes had overcome to end up winning whatever competition and ... NO SPORTS. And in 2000 I happened to be in the U.S. again during the Olympics and I got to see NO SPORTS. German ARD/ZDF will have literally hundreds of hours of live coverage from Athens from early in the morning  into the night each day. Olympics is about sports and it's also about the guy who comes in on 36th place in Marathon, running a record for his country. NBC dilutes the experience. too bad, America doesn't get to see the Olympics.

Categories: Other Stuff

August 6, 2004
@ 02:40 PM

I don't blog much in summer. That's mostly because I am either enjoying some time off or I am busy figuring out "new stuff".

So here's a bit of a hint what currently keeps me busy. If you read this in an RSS aggregator, you better come to the website for this explanation to make sense.

This page here is composed from several elements. There are navigation elements on the left, including a calendar, a categories tree and an archive link list that are built based on index information of the content store. The rest of the page, header and footer elements aside, contains the articles, which are composed onto the page based on a set of rules and there's some content aggregation going on to produce, for instance, the comment counter. Each of these jobs takes a little time and they are worked on sequentially, while the data is acquired from the backend, the web-site (rendering) thread sits idle.

Likewise, imagine you have an intranet web portal that's customizable and gives the user all sorts of individual information like the items on his/her task list, the unread mails, today's weather at his/her location, a list of current projects and their status, etc.  All of these are little visual components on the page that are individually requested and each data item takes some time (even if not much) to acquire. Likely more than here on this dasBlog site. And all the information comes from several, distributed services with the portal page providing the visual aggregation. Again, usually all these things are worked on sequentially. If you have a dozen of those elements on a page and it takes unusually long to get one of them, you'll still sit there and wait for the whole dozen. If the browser times out on you during the wait, you won't get anything, even if 11 out of 12 information items could be acquired.

One aspect of what I am working having all those 12 things done at the same time and allow the rendering thread to do a little bit of work whenever one of the items is ready and to allow the page to proceed whenever it loses its patience with one or more of those jobs. So all of the data acquisition work happens in parallel rather than in sequence and the results can be collected and processed in random order and as they are ready. What's really exciting about this from an SOA perspective is that I am killing request/response in the process. The model sits entirely on one-way messaging. No return values, not output parameters anywhere in sight.

In case you wondered why it is so silent around here ... that's why.

Categories: SOA