Thursday, November 05, 2009

Local branches and patch queues

A colleague just showed me stacked git, which I understand is similar to patch queues in mercurial. At first I was struggling to understand why this was even created, but then I think the answer became clear.

It seems to me that patch queues are like having just one local git branch, that always rebases against the original branch. Or coming from the other way, if you've only used patch queues, git provides an arbitrary number of named "patch queues" that you can merge between, which naturally provides more flexibility and power.

Update: we've now had a look at topgit, which seems to be a small set of metadata on top of git, managed by a simple tool, that manages dependencies of branches. This means you have a normal git branch for each patch, and you work with git in the usual way and keep full history for each patch, but topgit makes it very easy to apply the final result of each of those branches, in the correct order, as a single commit per branch on top of the base branch. So it's like a very well managed patch queue that retains full history for each patch. Very nice.

Monday, April 14, 2008

Food with attitude


A really great attitude that is.

I swear, I took the lid off a sealed jar and this is exactly what I found (see pic). When my toast starts sniggering at me, it's all on.

Thursday, August 16, 2007

A fix for password prompts when using SharePoint from Office 2007 on Windows Vista

If you're using Windows Vista with Office 2007, when you open an Office file from SharePoint you'll see lots of dialog boxes asking for your password. You might notice that you can click cancel (possibly many times) and you'll still get access to the file. You might also notice it's very slow.

The solution is simple: stop and disable the WebClient service.

Tuesday, July 17, 2007

The best Mac Terminal services (remote desktop) client

I've just found the absolute best Mac client for Microsoft RDP (remote desktop protocol) or terminal services, an app called CoRD (http://cord.sourceforge.net/). The clipboard works both ways, it's a native universal binary app, and the keyboard just works, even ctrl+alt+delete gets through. Much better than X11 wrappers around rdesktop. It looks like it imports saved files from the Microsoft Remote Desktop connection app as well.

Monday, December 18, 2006

Safety warning for copy protection

I borrowed my sister's car last week, and put a CD in the player as I left the house. What I noticed as I drove off was a really distracting flashing from the CD player - it was complaining about something to do with the CD, and it was flashing the error message continually. It was actually a bit dangerous because it was distracting from the driving.

But it wasn't until later that I realised what the problem was - it was a copy protected CD, and therefore not a compliant audio CD. It seemed to have a broken data portion of the disk that the car CD player didn't like and so was complaining about.

I can't believe that with all the safety efforts that go into cars, a broken CD can cause such a problem, and that music labels are still ok shipping broken CDs.

Making Plone work with Apache and Active Directory on Mac OS X

I posted a comment at http://plone.org/documentation/how-to/singlesignonwindowsdomains updating the instructions there to work with mod_rewrite, since zope's fastcgi support is on the way out. Here's the post:

As of December 2006, Plone is at 2.5.1, Zope is 2.9.6 and Apache is 2.2.3. Zope 2.9 has deprecated fastcgi altogether, and Apache 2.2 won't work nicely with mod_fastcgi (mod_fcgid works, but doesn't support the FastCgiExternalServer needed for Zope with fastcgi). So I needed to keep using mod_ntlm, but use it with mod_rewrite rather than fastcgi. And I've made it work!

Assuming a plone site in zope called /plone, here is some apache 2.2 config that works with mod_rewrite, mod_proxy (and mod_proxy_http) and mod_headers.


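# Require NTLM authentication on the /zope path that the RewriteRule below proxies
# (path taken from that rule).
<Location /zope>
# Use this line instead (with the lines below) to have plone at the web site root.
#<Location />
AuthName "Active Directory Domain"
AuthType NTLM
NTLMAuth on
NTLMAuthoritative on
NTLMDomain domain
NTLMServer domain-controller-1
NTLMBackup domain-controller-2
require valid-user
</Location>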

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule ^/zope/(.*) \
http://localhost:8080/VirtualHostBase/http/%{SERVER_NAME}:80/VirtualHostRoot/_vh_zope/$1 \
[L,P,E=RU:%1]
# Use these alternatives with the alternative Location above to put plone at the root.
#RewriteRule ^/(.*) \
#http://localhost:8080/VirtualHostBase/http/%{SERVER_NAME}:80/VirtualHostRoot/$1 \
#[L,P,E=RU:%1]
RequestHeader set X_REMOTE_USER %{RU}e
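
The config above only works as single sign-on because the Zope side takes the user name from the X_REMOTE_USER header, so the directives that make that header trustworthy are worth checking whenever the config is edited. The following check is an added example, not part of the original post or of mod_ntlm or apachepas; the function name `audit`, the finding labels and the host `plone.example.internal` are assumptions made for illustration.

```python
import re

# Constructed input: the trust-relevant directives from the config above,
# with the backslash line continuations already joined.
PAGE_CONF = """\
AuthType NTLM
require valid-user
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule ^/zope/(.*) http://localhost:8080/VirtualHostBase/http/%{SERVER_NAME}:80/VirtualHostRoot/_vh_zope/$1 [L,P,E=RU:%1]
RequestHeader set X_REMOTE_USER %{RU}e
"""

# Constructed weak variant (hypothetical backend host) that trips every check.
WEAK_CONF = """\
AuthType NTLM
RewriteRule ^/zope/(.*) http://plone.example.internal:8080/VirtualHostBase/http/%{SERVER_NAME}:80/VirtualHostRoot/_vh_zope/$1 [L,P]
RequestHeader add X_REMOTE_USER %{RU}e
"""

LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}

def audit(conf, header="X_REMOTE_USER"):
    """Return findings for a reverse proxy that passes identity in a header."""
    rows = [line.split() for line in conf.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]
    findings, prev = [], []
    if not any(" ".join(r).lower() == "require valid-user" for r in rows):
        findings.append("no-require: Apache never demands an authenticated user")
    for r in rows:
        name = r[0].lower()
        flags = r[-1].strip("[]").split(",") if r[-1].startswith("[") else []
        if name == "rewriterule" and "P" in flags:
            # The backend believes the header, so only the proxy may reach it.
            host = re.match(r"https?://(\[[^\]]+\]|[^/:]+)", r[2])
            if not host or host.group(1).lower() not in LOOPBACK:
                findings.append("remote-backend: backend is not on a loopback address")
            captured = [p.lower() for p in prev[:2]] == ["rewritecond", "%{la-u:remote_user}"]
            if not (captured and any(f.startswith("E=") for f in flags)):
                findings.append("no-capture: REMOTE_USER is not copied into an env var")
        if name == "requestheader" and len(r) > 2 and r[2].lower() == header.lower():
            # 'set' replaces whatever the client sent; 'add' and 'append' keep it.
            if r[1].lower() != "set":
                findings.append("header-not-set: '%s' keeps a client-supplied value" % r[1])
        prev = r
    return findings

if __name__ == "__main__":
    print(audit(PAGE_CONF), audit(WEAK_CONF))
```

The check only reads the directives it is given; it does not confirm that Zope itself listens on the loopback interface only, which still has to be verified on the Zope side.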

To make mod_ntlm work correctly with this reverse proxy config, I had to make some changes, which are now in the trunk of subversion at the SourceForge project. svn co https://modntlm.svn.sourceforge.net/svnroot/modntlm/trunk - this is the same code as found at http://modntlm.jamiekerwick.co.uk/ with a patch to fix reverse proxy auth.

On the zope/plone side, I had to install apachepas (http://dev.plone.org/collective/browser/PASPlugins/apachepas, svn co http://svn.plone.org/svn/collective/PASPlugins/apachepas) into the products folder and add it to the acl_users folder for the plone instance. Make sure you put the contents of the trunk folder into a folder called "apachepas" in the products folder. I also needed LDAPMultiPlugins (http://www.dataflake.org/software/ldapmultiplugins) which might depend on LDAPUserFolder (http://www.dataflake.org/software/ldapuserfolder) - both just need to be copied into the products folder and then LDAPMultiPlugins added to the acl_users folder in the plone instance. Configuring the LDAPUserFolder within LDAPMultiPlugins is up to you, since it depends on your directory layout. I suggest talking to an (Active, e-, Open) Directory expert, and using an LDAP browser to get the settings right before going to the LDAPUserFolder.

As a starting point, here's the schema I used for Active Directory:
LDAP, Friendly name, maps to, multi
-----------------------------------
objectGUID, AD Object GUID, objectGUID, No
cn, Canonical Name, , No
dn, Distinguished Name, dn, No
givenName, First Name, first_name, No
memberOf, Group DNs, memberOf, Yes
sn, Last Name, last_name, No
sAMAccountName, Windows Login Name, windows_login_name, No
mail, Email address, email, No
displayName, Full Name, fullname, No

Then make Login Name Attribute and User ID Attribute use sAMAccountName.
Match all the Zope groups with LDAP groups, if required.
Activate all the plugins for all the types (Authentication, Extraction, etc)
Now you can search for users and add them to groups.
That was it.



For reference, I also made the fastcgi method work before I attempted this, using SharkbyteSSOPlugin (http://plone.org/products/single-sign-on-plugin/releases/0.5/sharkbytessoplugin-0-5-tar.gz) in place of apachepas. I had to set SharkbyteSSOPlugin to use REMOTE_USER, rather than X_REMOTE_USER, but all the other setup was the same. This was with Apache 1.3.37 and mod_fastcgi SNAP-0404142202 and my patched mod_ntlm, and patched FCGIServer.py for Zope.

--- /usr/local/zope/lib/python/ZServer/FCGIServer.py 2006-10-03 01:53:27.000000000 +1000
+++ ./FCGIServer.py 2006-11-22 23:01:19.000000000 +1100
@@ -466,6 +466,11 @@
user_name = '-'
else:
user_name = t[0]
+ if string.lower(http_authorization[:5]) == 'ntlm ':
+ # The user_name is set elsewhere
+ user_name = "ntlm user"
+ else:
+ user_name = "Unsupported HTTP Auth type"
else:
user_name='-'
if self.addr:
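
Review bot: the added NTLM branch assigns the fixed string "ntlm user" to user_name, so every NTLM request ends up with the same name even though the comment says the real name is set elsewhere; if the authenticated name is available at this point, use it, and otherwise fall back to the '-' placeholder the surrounding code already uses. The new else branch stores "Unsupported HTTP Auth type", a value with spaces, where the existing branches use '-' or a single token from t[0]; '-' would keep the field a single token there too. string.lower(http_authorization[:5]) can also be written as http_authorization[:5].lower().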

Save the above to zope-fcgi-ntlm.patch then run:
patch -p0 $PREFIX/zope/lib/python/ZServer/FCGIServer.py zope-fcgi-ntlm.patch

Friday, January 20, 2006

Windows 2000 full cpu load issue

Compaq Evo D510 SFF with Microsoft Windows 2000 was not working, investigation showed cpu maxed out - all in the System process. Process Explorer showed 100% cpu split between System and DPCs, which seemed to indicate a device driver problem. A bit of internet searching led me to try disabling the USB drivers, but in the end I only had to disable "Intel PCI to USB Enhanced Host Controller" in the Device Manager to fix the problem, leaving USB still working.

Initial help

MS Knowledge base (similar issue)

More help

Thursday, December 15, 2005

FreeBSD ports via authenticated proxy firewall

If you need to use the FreeBSD ports system from behind a proxy, you may have found these articles outlining how to make fetch(1) work over a proxy, and how to replace fetch(1) with wget(1). If you are using FreeBSD 4.10 (I think 4.x since 4.7) with an authenticated proxy server (one that requires you to give a name and password to access web sites), you also need to add DISABLE_SIZE=1 to /etc/make.conf under the FETCH_CMD line to make these versions of FreeBSD ports work with wget.
Hope that helps someone.

Lessons learned in error handling

Error messages, user feedback, status reporting, etc.

Can the operator understand this message?
Can they do anything about it?

First, it needs to be determined what the operator must do in this event. Then that instruction needs to be clearly relayed to them, and potentially logged as well, perhaps via email. The message to the operator needs to be unmissable. For the desktop apps we're using in our system, the message appears in big red letters in a separate modal box with a warning sound; nothing but deliberately using the mouse to hit the close button will allow things to proceed. The message is worded in clear language and contains no unnecessary software/database/network jargon or error codes.

If there is nothing for the operator to do, the message is logged and sent to the engineers, without even notifying (read: disrupting) the operator.

This follows on to the next principle: if the software can make an effort at recovery from any given issue, then it should do so.

The desktop apps in our system call COM+ components to do work, and those components call stored procedures in the database that is the heart of the system. Originally the apps just tried to call the component method, and put up a tiny message box if there was an error. The error code and the standard error messages were put first, then maybe some kind of explanation was included, perhaps a general one or an easy explanation.

Thus, quite often the operators would suddenly discover a little box they could not understand and had no idea of what to do with, and would call the engineers. For all kinds of reasons.

I implemented a simple idea - if the call to the COM+ application server failed, try again before bailing. This means that temporary network outages, or application server restarts, etc, have little to no impact on the operators, where once they would bring the factory to a halt.

The system was originally designed in the Microsoft culture of software design - users are stupid, and they should learn how to use this system better. This involves just putting up little boxes with confusing messages whenever something goes wrong.

I've tried to use the Apple culture of software design - users are experts in their field, but not in this software system. This means it is up to the software team to make it easy for the experts to do what they do, and my job to keep the software out of their way.

For comparison, the Unix culture of software development simply does not have users - Unix is designed for programmers, which is why we love it.

Users and software - clicking dialogs

There is a concept in software UI that users just click whatever they can to get the software to go away and let them get on with their work. When a dialog pops up users will click the buttons to get rid of it without so much as glancing at what the message says.

Why do they do this? They have been well trained to work this way.

Who trained them? Thousands of poorly designed applications that throw up meaningless dialogs constantly that poor users just have to click to get rid of.

The first 100 times each user saw a dialog they might have read what it said, maybe even written it down on paper to try and work out what was happening. After they realise that these messages are useless, and even mostly harmless, they just ignore them. When you have a culture like that you'll never get a user to read anything.