Subversion + SSH – Close but no banana

29 03 2007

About a year ago, I switched my primary source code control system from the venerable old CVS to the (relatively) new kid on the block, Subversion. On the whole, I’ve been ecstatically happy with the system. It patched many of the ridiculous problems with CVS, and added on things that opensource community has been asking for for ages (like ‘rename’), but never made it into CVS.
Now I have all my projects stored in SVN, and my main client is using it as well for their code (they’ve chosen to go with SVN and are planning to End Of Life their VSS server – to the dismay of no one).
Subclipse
One of the best tools that made this switchover workable (aside from SVN’s similarity CVS in many respects, particularly on the command line) is the Subclipse plugin for Eclipse. Subclipse provides a great easy to use interface into SVN servers, giving all the functionaly one would have on the command line via a very simple, tightly integrated GUI.
One thing that had been bugging me, however, was the access methodology I was using to get to my (remote) SVN server. It involved setting up a tunnel in SecureCRT (though Putty can do it as well), and then telling subclipse to use my ‘svn://localhost/stonekeep’ repository.
SVN+SSH configuration under EclipseWhile doing some surfing, I found that Subclipse supports the svn+ssh syntax for specifying the repository. “Great!” says I, “I won’t need to set up the tunnel each time!”
A few more fiddles, a pleasant discovery of a configuration screen in Subclipse, and I had an SVN over SSH connection to my repository, even using my ssh key pair.
Danger, Will Robinson!
But wait! All is not well. When I tried to browse the repository from Subclipse, I quickly hit this error:

Could not open file system at /var/lib/svn/stonekeep
(13)Permission Denied: Berkley DB Error while opening environment for file
system /var/lib/svn/stonekeep/db:

This vexed me, because I had been having no problems accessing the repository locally on the server, and over my ssh tunnel. Both used the locally running ‘svnserve’ on the repository host, so why wasn’t the svn+ssh connection using it?
The answer comes in the SVN documentation, and via a little research:

What’s happening here is that the Subversion client is invoking a local ssh process, connecting to host.example.com, authenticating as the user harry, then spawning a private svnserve process on the remote machine, running as the user harry. The svnserve command is being invoked in tunnel mode (-t) and all network protocol is being “tunneledâ€? over the encrypted connection by ssh, the tunnel-agent. svnserve is aware that it’s running as the user harry, and if the client performs a commit, the authenticated username will be attributed as the author of the new revision.
When running over a tunnel, authorization is primarily controlled by operating system permissions to the repository’s database files; it’s very much the same as if Harry were accessing the repository directly via a file:/// URL.

The Problem With This
I’m really unhappy with this model. The problem is that now the user must have read/write access to the entire repository tree. When using a local socket connection (or one over ssh via a normal tunnel), the Subclipse client connects directly to the svnserve process running on the repository box, and interactions with the server happen under that processes ownership.
The svn+ssh protocol does not use the svnserver on the target machine. It tunnels the command to a user-invoked svnserve process, and that process must have read-write access to the repository.
“Well gosh, that doesn’t seem too bad. What’s the issue?”
The issue is that to make this methodology work, I have to give the user read/write access to the repository tree. Meaning, they could happily type ‘rm -rf /var/lib/svn’ and destroy the entire repository. Even worse, the configuration files (including the password / access file, which has passwords in plaintext) must be made available to the general users.
Why svn+ssh doesn’t simply make a local socket connection to the svnserve process already running, I don’t know. But I can find no way to make that happen.
The fix?
As far as I can tell, there really is no direct fix for this. There are various workarounds, which the SVN documentation discusses, including setting up an ‘svn user’ for the svn+ssh logins, and the possibility of using unix groups for permissions, but I feel that if you have a listening socket server on your repository host, you should use it, not introduce a second methodology and have to jump through hoops to implement it.
For now, I have to abandon the svn+ssh possibility, and go back to my hand-configured socket tunnels. There’s no real loss here – they work remarkably well, are very secure, and quite stable. The slight annoyance of having to open up a SecureCRT session before doing work in Eclipse is just that – a slight annoyance. I’ve dealt up until now, and I’ll just continue to deal.

Advertisements




Something Terrible Happened to my Headphones

27 03 2007

The other night I decided to go out to dinner at the local CPK, and brought my MZ-RH1 along to listen to tunes while reading.

“Odd,” thought I, “why am I not getting any sound out? The player is running, the display is showing levels, dang, I wonder if I blew out the internal amp during the recording session the othernight? Nah, couldn’t be.” I resigned myself to a musicless evening, and went on with my dinner.

When I pulled the player out again the next day to see what was wrong, I plugged it into my desktop speakers, lo, it worked! Something odd with my headphones, I gu… oh dear. Oh my.

Apparently Lila decided that my headphone cable would make a tasty snack, and gnawed away on them for a bit. Fortunately, she chose the ‘headphone’ segment of the wire, so I can replace them with any generic mini-stereo jack equipped ‘phones. I was rather fond of the Sony headphones (which had the ‘one long, one short’ wiring arrangement that let one earpiece have a wire around the back, thereby leaving only one wire going from the unit to the ‘phones). They had great sound and were reasonably comfortable for ‘earbud’ style phones.

Ah well, I’ll haul out a pair of iPod headphones I have lying around and assume the mild-mannered demeanor of an Apple drone until I can replace my chewed up set.





Strictly Hamburger Coding

25 03 2007

I ended up with a sort of special bonus afternoon today as Cat is off in town, and Zach is over his friends house. The basic idea was to make up for a very interrupted week of work and try to get some long-neglected work out of the way.
Mostly, it worked quite well. I got caught up on a couple things that had been nagging, and that’s good. But what really got me grooving was working on… well, a project that a couple folks know about, but I’m not -quite- ready to release to the public. I’ve been referring to it simply as the “Secret Squirrel” app, or just ‘The Squirrel’ for short.
What’s been good about this has been the basicness of the design and implementation. I’ve been spending SO much time delving into the deep complexities of EJB3, JBoss, Hibernate, and more recently Terracotta, I don’t get much of a chance to just sit down and whack out simple code.
Today had 2-3 hours of basic grunt ‘hamburger’ coding, to borrow a phrase from MASH. No fancy libraries, environments, or oddities. Well, okay, one new library that handles OpenGL rendering, but everything else was basic data application coding and design.
It felt good! It sort of underlined where I’ve gotten with Java programming over the last 2 years or so, and now basic coding is second nature. Eclipse has become my environment of comfort, whether it’s running on Windows or Linux (in fact I’m leaning toward moving back to Linux full time soon – with both machines up and running cleanly on my desk, I find myself doing more on the Linux box than on Windows… but I digress…) , and the Java OOP approach to program development Just Plain Makes Sense. It’s nice.
Tomorrow it’ll be back to EJB3 and Terracotta land, and all the mysteries therein, but for now, I can look at what I did today and do a “That felt good!” happy dance.
And the code even worked.





A successful geocache find!

23 03 2007



Photo_032307_002

Originally uploaded by eidolon.

Zach and I took some time this afternoon to haul the bikes out and go on a geocache hunt. I had been trying to do more of this last fall, but various problems with my receiver got in the way, and we weren’t able to find anything.

I’m really frustrated with how poorly my Mobile Crossing Waypoint 200 works (or, in many cases, doesn’t work at all). It’s been back for repair 3 times now, and even in it’s best mode, it ‘only sorta works’. The Windows Pocket PC is woefully underpowered for the task at hand, and frankly, the software sucks. Navigating around it is too similar to working on a desktop machine, and I guess Microsoft -still- hasn’t gotten the hint that a handheld device is NOT just a smaller screen for Windows. The interface is completely different, and 14 different ‘start’ mechanisms just add to the confusion.

At any rate, with the weakness of the platform, combined with the poor software from Mobile Crossing, I never quite got any navigation system working to my comfort.

For this trip, though, I downloaded GeoNiche, a Palm application that worked fine on my Treo. It had it’s own interface problems, to be sure, but it did happily connect with the Bluetooth GPS ‘brick’ from the Mobile Crossing device, and I was able to carry both in my pocket. Once I got my target defined (a Cochituate Lake View cache), we were able to do the normal “Walk around and get closer with hints, and yay, we found it!” path that most geocachers are used to.

This was the first ‘new’ cache Zach and I had found together, and it was pretty exciting on all fronts. It was challenging because my assumptions of the first location were wrong, and we ended up on the wrong side of the lake. “The arrow keeps poinging .2 miles that way. But… that’s the other side of the lake! Alright, back on the bike!”

A nice hike up into the woods, and GeoNiche got us within about 10′ of the final location. A little rummaging around, and lo, we found a wonderful old ammo box under some wood, with lots of little toys and notebooks and the like.

This particular cache had not been visited for over 2 months, but everything was nice and dry inside. We signed the book, didn’t take anything because we hadn’t brought anything, and tucked it back in it’s hiding place.

A really nice day out. We’re going to do more this summer, now that I -think- I’ve ironed the bugs out of the process.





I tried, I really tried.

21 03 2007

While working on yawl this morning, I finally had had enough. I just can’t get my head around Gnome and what to me are very poor design decisions. Without much fanfare, I installed the Kubuntu KDE packages on yawl, restarted X, and was happily back in KDE land. For those curious on how to install KDE on Ubuntu:

sudo aptitude update
sudo aptitude install kubuntu-desktop

I completely replaced the GDM login system with KDM, and after a restart, all was restored.

Why did I make this choice? I’ll freely admit I’m a lot more comfortable with KDE than I am with Gnome, but in the interest of learning, and that it seems most folks are defaulting to Gnome in their installs nowadays, I decided to try it. I lasted about 2 months before the frustration level got to be too much.

Here’s a brief summary of why I switched back.

  • Dumbed-Down interface
    Gnome has made many decisions to ‘dumb down’ it’s interface, so it is not as ‘intimidating’ to new users. In doing so, however, it’s made the interface too sparse, too simplistic, and frankly dull.

  • Audience targeting is wrong
    The choices that Gnome has made in their interface seem to fall into two categories. The first is the aformentioned ‘dumb’ mode. Make the interface simplistic and boring to avoid confusing users. The second set of choices is ‘make it not look like Windows’. My question here is “WHY?” The number of ‘new’ users on the planet right now who have never touched windows is incredibly small. Of those that fit into this category, many are Mac users. So building an interface that deliberately avoids any of the ‘existing’ UI designs is a ridiculous approach. What audience is trying to be targeted by making those choices?

  • Deliberately limiting power users
    I’m a power user, I admit it. I will tweak, update, and modify my desktop the way I want to. I enjoy doing it within the paradigm of the environment, to understand the design philosophies that went into it. The Gnome interface appears to either be “Dumb dumb dumb, it looks like this, maybe in a shade of blue”, or it is “Edit the gnome registry to get what you want.” The entire desktop experience seems to have been shoved into “We make a pretty window manager, everything else is up to you to hack.” KDE’s desktop, applet, toolbar, and UI tuning is vastly superior, with mature, stable, and complete tools for doing whatever you’d like. These tools also stay out of the way unless you need them. Another bonus.

  • Konqueror
    I can’t say enough about Konqueror. Gnome’s equivelent to the filesystem browser, Nautilus, is a sham. It looks like something dragged out of the Amiga days, and never updated since. I would never even remotely consider doing serious file manipulation work with Nautilus. Konqueror has a long history of stability and growth and expansion. Nautilus appears to change with every gnome release.

  • KIOSLAVES
    And this is the final win. Because KDE is truly an integrated desktop environment, it’s quite possible to define alternative IO methods. An excellent example is the ‘fish’ kioslave plugin. It allows urls within file open/save dialogs that reference a remote SSH server, just as if it were part of the local filesystem. When I do a screenshot with ksnapshot, I save it to a bookmarked location called “fish://boomer.homeport.org/home/dbs/public_html” – which pops up in my Save as… dialog, as if it were a local filesystem. This occurs in all KDE applications. Bookmarks, kioslave pointers, links I’ve defined – they’re all there in the file save/load dialog.

I recently had a conversation with an old friend of mine who, while his wife’s computer was down, decided to give her a try on Ubuntu linux, running Gnome. They set up Thunderbird and Firefox, and let her work on it. She was intensely frustrated and annoyed at the environment, because it was totally UNLIKE windows, which she had worked on for years. This deliberate ‘breaking’ of paradigms that users are used to, for no other reason than “We don’t want to be like windows”, is, I believe, one of the major reasons Linux desktops do not have more widespread use. The interface is TOO different, and too hard to understand, despite the ‘dumbing down’. The intuitiveness level is non-existent, so people will not want to use it.

Gnome folks, sit down with the KDE people and start learning about UI design. Shut down your emacs editors and bash prompts and learn how the rest of the world has advanced beyond these poor outdated models. Perhaps you’ll begin to understand that a desktop is not just pretty graphics on top of shell prompts, and start designing accordingly.





On being without an office, and shades of things to come?

19 03 2007

Today was a great example of the ups and downs of being without an office. I’m sure most folks realize that, being a fulltime consultant has it’s positives and negatives.
I’ve been on the job with this client for over 2 years now, and things don’t look like they’re going to slow down any time soon. My job description can best be summed up as “Platform Architect” – designing this company’s next generation architecture. The work involves a lot of research, tinkering, exploring, and learning – the deliverables are rarely better defined than “Come up with a way we can do X”
On the one hand, I get a very open and free schedule, with no hard deliverable deadlines, no “What? You’re leaving at 4:55?”, and all the long lunches I could want. On the other hand, I don’t get the typical office interactiveness most folks take for granted. My ‘office’ at home is an L shaped desk with all my computers on it, which is all of 3′ from my bed. A ‘break’ is walking from there to the kitchen to make coffee. It can get a little lonely.
Fortunately I have lots of folks I chat with on IRC and interesting stuff to research, but sometimes I just Gotta Get Out.
My current favorite watering hole is Panera Bread in Framingham, MA. It’s all of 3 miles from the house, conveniently on the way to Zach’s school, and they provide free wireless. That, combined with a $1.50 cup of coffee that can be infinitely refilled and a set of comfy chairs by a fireplace, makes for my Office Away from Home for the times I just need to get out.
This evening had me settled into said Comfy Chairs[tm] working on long and vexing problem trying to… (if you’re averse to long strings of corporate buzzwords, technology references, and other geeky-hoi-palloi, you might want to skip to the next paragraph)… trying to get JBoss AS, running under EasyEclipse to fire up in a standard configuration, allowing for a Terracotta server to act as a DSO cluster server for instrumented classes as distributed in an EJB3 based SOA. The twitch was getting JVM versions to match so the boot-class wrapper for the JVM would allow for the Terracotta cluster to come up, and be accessible remotely from the JBoss hosted app.
Got that? Okay – the nutshell of this was – I got it working. With not a little help from the Terracotta folks on IRC. The baselien concept for this stuff is fascinating, but implementation, when much of this is still in ‘beta’ form, can be maddeningly difficult to get working. In the end, it’s all running, and now I have enough structure in place to actually learn the system.
What made this interesting was about halfway through this intense mishmash of XML configuration files, crashing applications, and “wait, what version of what is where?”, I heard a familiar voice in the background… after a few minutes I looked around, and chanced to run into Dwight, who was picking up some edibles for his family. It’s unusual for me to see someone I recognize during my ‘work day’ (even though it was in fact about 6pm), but I found myself sort of pleased at the interaction.
What does this have to do with my future? A lot, since sometime in the next 3 months, Mosaic will be breaking ground. This means that soon my home office will include our common house, where I’ll happily be able to sit in front of a fireplace on a comfy couch, and pretty much everyone I see wandering by will be someone I know very well.
How wonderful.





Kids Programming?

18 03 2007

There’s been a lot of chatter around the net lately about trying to find programming and introduction to computers-type software for kids to learn on. I mean, we all know where we started, right? TRS-80 and a READY prompt, or the wonderful ] prompt. 5 1/4″ floppies, simple programs, and tinkering through the weekends were how we learned.
But how do you get a young one into these environments nowadays?
There’s been various attempts at a ‘kids’ software environment, things like Logo and the like. The problem is nowadays finding implementations that are either free or useful. The only real Logo environment I’ve been happy with is KTurtle, a Logo implemention for the KDE desktop. On the one hand, I’m terribly amused that by far the best Logo setup I’ve seen REQUIRES Linux to run, and at the moment, Zach doesn’t have a Linux desktop to work with. This sorely tempts me to set it up for him, I have to admit.
But Logo has limitations as a fully useful programming environment. In the modern age of “games a click away”, kids really want to start writing adventures and excitement right off the bat. We all remember spending weeks debugging “PICK A NUMBER FROM 1 TO 10” programs. How do you code Tetris in a few weeks when you’re still learning your multiplication tables?
A long time ago I read an article on SmallTalk in BYTE magazine (yes, a REALLY long time ago, like 1980). It was a discussion about object oriented languages and environments, and described the model of “Everything is an object”. At the time, it was somewhat of an intellectual oddity, though many folks really got into it.
Apparently there is an outstanding opensource project to build a comfortable Smalltalk based environment that can be geared toward kids. It’s called Squeak, and I first learned about it associated with the One Laptop Per Child project, which incorporates some of the Squeak environment. Once I got past some of the initial environment oddities, I found that Squeak provides a platform independent runtime environment, where object-oriented programs can be run compeltely independent of the OS they’re running under. This means apps written on a Mac will work fine on a PC or a Linux box.
Squeak really isn’t something ready to take on the Windows desktop or an environment to write accounting packages in. However, in educational circles, distributions in Squeak have really gotten quite a following. The Squeakland site is designed for educators who are looking for Squeak based information.
I’ll be writing more about Squeak as I get more and more comfortable with it, but unless someone else tells me about another educational / intro to programming environment that’s available for kids, that does NOT require a commercial license, Squeak is where I’m going to put my energy.