Dumb Things are Happening with Comments

Sunday, November 23rd, 2008

I get a lot of spam comments on the blog here. You don’t see them, because I mark them as spam, a few hundred every week. They’re roughly uniformly distributed across all my posts. If fewer posts are open, I get fewer comments. So I want to minimize the number of comments I have to deal with.

I’m trying to use Mark Kenny’s Extended Comment Options plugin to automatically close comments on old posts. I used this plugin a long time ago, and it was great. But now, in WP 2.6, it seems to do exactly the inverse of what it says on the box: it closes my most recent posts and opens the oldest ones.

I don’t understand. Isn’t this just
UPDATE `wp_posts` SET `comment_status` = 'closed' WHERE `ID` IN (SELECT `ID` FROM `wp_posts` WHERE `post_status` = 'publish' AND `post_type` = 'post' ORDER BY `post_date_gmt` DESC) LIMIT 0,10

(Okay, it’s not quite that simple, because MySQL doesn’t do ORDER BY or LIMIT in subqueries… But it’s close! Temporary table?)

Has anybody got a good solution to this, better than a cron job to run that query?

Meanwhile, apologies to everyone who wanted to comment but couldn’t.

Chrome’s User-Agent string

Tuesday, September 2nd, 2008

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13

It upsets me how many product names other than Chrome are in there just because stupid JS tries to guess what the browser can do. Next time, we need a new way to detect browser capabilities. I suggest we detect the actual capabilities, not try to guess based on who shipped what feature first in 1997.

It’d be cool if the browser vendor cartel got together one day and decided all User-Agent strings would be simple again, like “Chrome/0.2.149.27 (Windows NT 5.1; en-US)”. And any jankety-ass copy and paste image rollover script from 1997 that breaks if the string doesn’t start with “IE” or “Mozilla” can get stuffed.

How to compute the size of a tar archive before you tar it

Tuesday, September 2nd, 2008

Suppose you have a tree of files and directories, and you want to pack them up into a tar archive. Here is how to find the size of the resulting archive. This is useful if you want to stream an archive out to a browser, but want to send the correct Content-Length header first.

  1. let F = number of files in the tree
  2. let D = number of directories in the tree, counting the root
  3. if there are any non-ordinary files, stop here. results undefined.
  4. let S = 0, H = 0
  5. for each f in F, S += ceil(size(f)/512.0)*512, H += 512 – that’s the size of f rounded up to 512-byte blocks
  6. for each d in D, H += 512
  7. for each p in (F ∪ D), if the full path and name of p (as stored in the archive) is greater than 100 characters, H += 1024
  8. The size of the archive is S + H + 1024 bytes of zero-fill at the end of the tar
  9. Round up to (tar blocking factor) * 512 byte records. GNU tar defaults to blocking factor 20. Blocking factor 1 makes the math easier ;)

No, you cannot use ‘du’. I have tried.

Update! Added #7.
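The steps above as an added Python example (not the author's code): it predicts the size for a small tree and compares it with an archive written by Python's tarfile module in GNU format, which uses the same 512-byte blocks and pads to blocking factor 20. The tree, file names and function names are constructed for the illustration.

```python
import io
import os
import stat
import tarfile
import tempfile

BLOCK = 512

def predicted_tar_size(root, arcname, blocking_factor=20):
    """Follow the numbered steps; raise on anything that is not a plain file or directory."""
    total = 0                                    # S + H from step 4
    stack = [(root, arcname.strip("/"))]
    while stack:
        path, stored = stack.pop()
        st = os.lstat(path)
        if stat.S_ISDIR(st.st_mode):
            stored += "/"                        # directories are stored with a trailing slash
            size = 0
            stack.extend((os.path.join(path, n), stored + n) for n in os.listdir(path))
        elif stat.S_ISREG(st.st_mode) and st.st_nlink < 2:
            size = st.st_size
        else:
            raise ValueError(f"non-ordinary file: {path}")   # step 3 (symlink, hardlink, device)
        total += BLOCK + -(-size // BLOCK) * BLOCK           # steps 5 and 6: header + padded data
        if len(stored.encode()) > 100:
            total += 2 * BLOCK                   # step 7 (assumes the name is under 512 bytes)
    total += 2 * BLOCK                           # step 8: zero-fill at the end
    record = blocking_factor * BLOCK
    return -(-total // record) * record          # step 9: round up to whole records

def actual_tar_size(root, arcname):
    """Write the archive into memory and measure it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        tar.add(root, arcname=arcname)
    return len(buf.getvalue())

def demo():
    """Constructed tree: an empty file, a 513-byte file, and a file under a >100-char path."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "tree")
        deep = os.path.join(root, "d" * 60, "e" * 60)
        os.makedirs(deep)
        for path, size in [(os.path.join(root, "empty"), 0),
                           (os.path.join(root, "small.bin"), 513),
                           (os.path.join(deep, "big.bin"), 70000)]:
            with open(path, "wb") as f:
                f.write(b"x" * size)
        return (predicted_tar_size(root, "tree", 1),
                predicted_tar_size(root, "tree"),
                actual_tar_size(root, "tree"))
```

The file sizes must not change between the prediction and the streaming, or the Content-Length sent ahead of the archive will be wrong.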

I love unix

Tuesday, May 13th, 2008

Extract the revision histories of the classes Rushi and I collaborated on out of his school repo, compress them, pipe them over the network onto my laptop, and uncompress. I was on the verge of adding the svnadmin load that would pull it into my repo, but I got lazy.

RSi:/home/svn$ svnadmin dump school | svndumpfilter --drop-empty-revs --renumber-revs include /CSE131A /CSE131B /CSE120 | gzip | ssh jauricchio@128.54.57.118 gunzip \> rushidump

Yeah yeah, DVCS, hg and git and whatever, I know…

Computer Languages and Facial Hair

Tuesday, May 6th, 2008

Why are some programming languages more popular than others? If Java is so lame and (Haskell, Obj-C, Erlang, Smalltalk, whatever) is so great, why is one of them the most used language and nobody’s heard of the other?

Tamir Khason has the answer: Computer Languages and Facial Hair.

Via … somebody. Forgot who. Maybe it was Sam Larbi?

Add an ssh key to another user on a different system without logging in

Tuesday, April 15th, 2008

Scott liked my terminal style from yesterday, so I’ll reprise it.


heian:<<<umi-misc/pubkeys$ ssh cse125@neathat.com -p 14522 sudo ls \>/dev/null
[sudo] password for cse125: (echoed, which is unfortunate)
heian:<<<umi-misc/pubkeys$ cat djc_hmac_rsa.pub | ssh cse125@neathat.com -p 14522 sudo su -c \'cat \>\> ~djc/.ssh/authorized_keys\'
heian:<<<umi-misc/pubkeys$

Now DJ can use his key on that server.

The sudo ls is to enter the password and get the sudo authorization ticket. We can’t enter the password with the cat, because ssh sees its stdin isn’t a terminal and refuses to allocate a tty. A stupid workaround would be (echo "mypassword"; cat ...) | ssh ..., but I like the two-phase solution more, for some reason.

history meme

Monday, April 14th, 2008

I picked this up from Stephen Lau on Planet OpenSolaris, though he traces it back to Planets Mozilla and Gnome.


heian:<<<hiroi/jauricchio$ uname -a
Darwin heian.local 9.2.2 Darwin Kernel Version 9.2.2: Tue Mar  4 21:23:43 PST 2008; root:xnu-1228.4.31~1/RELEASE_PPC Power Macintosh
heian:<<<hiroi/jauricchio$ history | awk '{a[$2]++ } END{for(i in a){print a[i] " " i}}'|sort -rn|head
95 svn
80 vi
70 make
59 cd
29 ls
18 ./build/neathat.app/Contents/MacOS/neathat
14 sudo
11 ssh
8 rm

It appears I’ve been doing a lot of CSE 125 lately. That accounts for the 18 runs of our debugging build, 95 subversion statuses, updates, and checkins, and 70 makes.

Being evil with DTrace

Sunday, April 6th, 2008

Many people who know me know that I like Ruby and DTrace very much, and I sometimes take an interest in security. This article made me very happy, by combining all three of those: Being evil with DTrace

Via Ben Rockwood.

Xen and OpenVZ at the same time, and a Brief Rant about Filesystems

Tuesday, March 25th, 2008

After a grueling two days of kernel muckery, and much help from Mooneer and Mark Williamson (bless you, sir), I finally have a 2.6.24 kernel with OpenVZ and Xen domU. Things I learned along the way:

  1. Never ever make your generic server in the closet do double-duty as your internet gateway/router. For one thing, internet access is a valuable resource to help diagnose why the dang thing won’t boot. And for another, your roommates hate it when the network is down all day.
  2. Nobody should ever make kernel patches that start from vanilla (e.g., 2.6.24), add a large feature you can’t get anywhere else (e.g. OpenVZ), and along the way give you lots of unrelated things (e.g., 2.6.24.3). This breaks down the instant two people do it (e.g., Debian), because the unrelated things all conflict.
  3. The Xen merge into mainline is a good thing, but it’s only a start. I really want: ballooning, PCI sharing, and dom0 support.
  4. aptitude is actually a great thing. Anybody out there still using apt-get… change your habits. Just start using aptitude. And then, little by little, start figuring out the curses gui and how to mark packages as automatic and how to resolve conflicts and all the excellent stuff aptitude brings. I resisted at first… but it’s definitely worth it.
  5. Also debian, we really need etc-update.
  6. It’s very easy to use hilarious amounts of bandwidth when you’re building systems with debootstrap.
  7. I did something today that made my big domU extremely slow. It seems that under very heavy I/O it just grinds to a halt. I also had very constrained memory and no swap device. So I’m not sure if it just didn’t have space to cache and had to start kicking clean pages, or whether Xen event channel unnecessarily serializes I/O (I’m afraid that it does), or what. DTrace would be sweet.
  8. I need to get better discipline in system management. I’ve historically used cioppino (the Linux machine) for everything from serving web and subversion, to an irssi/shell server, to hosting my AVR cross-toolchain, to my (excessively convoluted but ultimately perfect for me) email hosting. I need to cut down on what I do with it, and I need to stop installing and building random things that seem neat. Apt makes it so easy, I know… but it becomes an N^2 problem. And I’m absolutely terrified by the number of upgrades aptitude offers… there’s just too much on this system.

Finally, a desperate plea: Can we please have a good cross-platform low-commitment network filesystem?

  • NFS is difficult to run safely, hard to expose to temporary untrusted users, and still might require shared UIDs (I think?). Sucks.
  • AFP hates symlinks and hardlinks within the shared area, and isn’t available for Windows. Sucks.
  • Coda and AFS require lots of setup and aren’t suited for “oh just connect to the server and grab it” use case, with temporary untrusted users. Sucks.
  • FTP blows.
  • sshfs requires Fuse which concerns me, and requires a shell-equivalent account on the machine. Sucks.
  • SMB is well-supported and cross-platform, and doesn’t specifically require an account on the machine. It’s pretty bad at non-FAT32 file properties, though. Permissions and symlinks ehhh sometimes work. Workable.
  • WebDAV just seems like a bad solution designed by committee. It kinda works.

Really. That’s it. SMB and WebDAV. This is sort of like the situation with disk filesystems… FAT32 or go home. The least common denominator that Windows supports just seems to win :(

The Worst Security Blunder I’ve Seen This Year

Thursday, November 15th, 2007

Apple just “fixed” CVE-2007-4703.

The “Set access for specific services and applications” setting for the Application Firewall allows any process running as user “root” (UID 0) to receive incoming connections, even if its executable is specifically added to the list of programs and its entry in the list is marked as “Block incoming connections”. This could result in the unexpected exposure of network services.

I am utterly speechless. Shouldn’t the firewall have been built by a security team? Not a bunch of monkeys smashing their keyboards with a femur then committing?

I’m not sorry if I’ve offended you. If you work for Apple, and the Firewall code passed through your hands, YOU DESERVE TO LOSE YOUR JOB.

Letting any root process listen no matter what is like a bank security guard letting nobody except ex-convicts in after hours. The history of Unix security from Robert Morris up to today is that a single chink in any root daemon’s armor means your entire system is laid bare to anyone who knows what Metasploit is. It is inconceivable to me that someone being paid to write security code in 2007 would turn off all firewalling for any root process—and make it impossible for users to specifically request it.

There are those who say firewalls and network security are solving the wrong problem. At DefCon 15, Bruce Potter made the compelling argument that the right way to improve security is to fix the buggy code, and that “defense in depth” is just a band-aid. That may be, but for today, we still have buggy daemons, and sometimes we want to hide them from the world.

Again: I hope someone at Apple lost his or her goddamned career for this.
