March 2011 Archives

You won't find this news spread gloriously across the newswires, or even on Adobe's official newsroom. But tucked away lovingly inside Adobe's developer blog you can read comment posted Antonio Flores detailing the fact that Flash Player 10.2 is now available for download on Android Market.

This is what is known as a production GA (General Availability) release for Android 2.2 (Froyo) and 2.3 (Gingerbread) devices. It joins an initial beta release for Android 3.x (Honeycomb) tablets that includes Google's 3.0.1 system update.

Adobe has provided a helpful little link for us to check whether our device is certified for Flash Player 10.2 here: http://www.adobe.com/go/cd1

Adobe's Flores says that, "The beta of Flash Player 10.2 for Android 3.x is an exciting release that brings a full web browsing experience, including video, games and other interactive content, to the latest Android tablets. We have been working very closely with Google through the development of this beta to ensure tight integration and optimisation between Flash Player 10.2 and new OS and browser capabilities."

Performance enhancements are said to include:

• improved scrolling of web pages
• automatic soft keyboard support to simplify text entry for rich mobile and multi-screen experiences
• better "embedded" in-browser experiences
• improved playback of many 720p high definition videos (including full screen)

NB: The new release does include the security update addressing the Flash Player vulnerability announced on March 14.

This week I've been challenged with the task of producing the annual software industry salary survey for a large US publisher known for its weekly title themed around the word Information.

Although this data is US based, the 4,581 staffers and managers who responded to the questionnaire evidence what I would describe as fairly global trends. In the open source area, I have noted the following:

- after yet another year of glowing press reports detailing the additional flexibility and enhancements that arise from the community approach to development, open source software usage has climbed from 27% to 32% in 2011 -- a trend that will no doubt continue over the next 18 months at least.

NB: that's the first time I have ever quoted myself, shame on me ☺

OK so serious point, this led me to start thinking about who really commits code that finds its way into open source projects. When I was at the Nokia Qt Developer Days conference in Munich last autumn I got speaking to the guys who work for The Linux Foundation itself and they were a little woolly in some areas.

Let me explain.

Without quoting anyone directly, it does appear that the large percentage of committed code appears to come from customers who take up commercially licenced versions of open sourced project code. This may be because these customers have to work with statically linked (as opposed to dynamically linked) libraries for the code they use, due to security, compliance and mission critical issues -- and therefore commit a different "kind" of code contribution when they do.

I do not want to suggest for one second that this is always the case; this is simply what I heard at one event, from one set of (possibly ill informed) spokespeople.

This is an interesting subject to analyse surely? Or should I be committed?

Camino is an open source web browser for Mac OS X users that requires Mac OS X 10.4 or later. If you've never heard of it, then you should at least know that it has been around since 2002 and it has a special 'Safari migration' area on its website to encourage users to make the switch.

So what, you ask?

But I hear you say, Safari (or Opera, or IE9, or Chrome or Firefox) works just fine on my Mac thanks - so why would I bother?

Well aside from Camino being named after the Spanish word for "path" (a pathway to the web! see what they did there?), the latest iteration of the browser is pretty multilingual with support for 15 languages including Norwegian (Bokmål) and Spanish (Castellano) just in case that tops your browser want list.

Although Camino is arguably behind most of the aforementioned browsers, it does have a nice tabbing overview function accessible by hitting CTRL-APPLE. This throws up all open tabs in one screen view. There's also some respectable phishing and malware protection -- and, according to the browser's home page it is a, "GUI-based browser based on Mozilla's Gecko layout engine and specifically designed for the Mac OS X operating system."

It's hard to see a really strong reason for wanting this browser on your Mac, perhaps if want to be seen as an open source Mac purist?

If you're going to San Francisco, be sure to wear your Android and Linux conference badge this April. It's going to be a busy month over on the US West coast with four developer symposia scheduled.

Given that this four-in-a-row developer-fest all falls within the same month, I think it's worth a quick blog to bring them all into focus and mention dates, names and links so you can plan for one, all or none.

In no particular order, here goes:

The Linux Collaboration Summit holds its fifth annual get together from April 6 - 8 at Hotel Kabuki in San Francisco, CA. This is an invitation-only summit gathering of core kernel developers, distribution maintainers, ISVs, end users, system vendors and other community organisations.

Also at Hotel Kabuki the following week from April 13 - 14, the Android Builder Summit is described as a technical summit for OEMs, their device manufacturers, integrators, custom builders and the growing Android and Linux Kernel developer communities.

Also in Hotel Kabuki and running right next to the above Android summit is the Embedded Linux Conference from April 11 - 13. This listed as the premier vendor-neutral technical conference for companies and developers using Linux in embedded products.

Last but not least is SugarCon '11 held from April 4 -6 at San Francisco's Palace Hotel. Described as "more than just a CRM conference" (but then they would say that wouldn't they) - the company says that attendees consist of a mix of customer, developer, partners, community members, and prospects.

As readers of Computer Weekly's Open Source Insider blog stream may well already know, the new version of Mozilla's free and open source browser Firebox 4 has been designed to up the ante in its tabbing and syncing functionality.

Today sees the official launch of the product itself, with six times (claimed) faster performance than the last version. What Mozilla specifies as improved start-up and page load times -- and speedy web app performance and hardware accelerated graphics.

But enough of all these words, you've heard most if not all of this before. What does this beast look like? Here's a few screenshots.

The (not cheesy at all) so-called "Awesome Bar"

Instant Website ID

Support for WebGL - Web-based Graphics Library

If you, like me, bought an Acer Aspire One and have been suffering with the ultra stripped down Linpus Linux Lite for your sins; then you've probably (also like me) only dreamed lazily of the heavenly possibility of having a "proper" operating system on your machine.

After all, Ubuntu 11.04 is due to drop (in both server and desktop edition) on 28th of April - so you'll be looking forward to that right?

The trouble is that most of the instructions on the web simply tell you to do this:

•  install an .ISO file (basically a disk image) onto a USB stick
•  restart your machine
•  hit F2 upon start up
•  go to your boot screen menu
•  change the boot order to direct the system to the USB first
•  go and make a cuppa and put your feet up

The trouble is, it's not "always" that easy and my home office set up can pay testimony to that fact.

Firstly there's the potential need to use a Win 32 installer as well. This in itself is not a major issue - although it just doesn't seem to work if you use a Mac to download it. Now I know that might sound obvious, but not everyone has five PCs at home all running different OSs.

You might also need to edit the BIOS on your netbook to change the boot order. You might also need to work with FAT (file allocation table) technologies too.

Once you do get your install of Ubuntu (or any of flavour Linux distro) running, it should just be plain sailing from there right?

Well, not quite.

Getting your network centre tool to log in to the web is not a two-minute job. Go and find your Ethernet cable and hard wire yourself to the router and make another cup of tea.

OK, this was just my experience. It could well be easier depending on machine and OS and your other set up parameters. I say my experience; my wife (Mrs B) actually took charge, as she's a highly competent Java developer in her own right.

So just some leveling words of information and advice for you here I hope.

One final note, Ubuntu on an Acer netbook is sweet, but it is slower than Linpus, so balance that factor too before you go diving in.

Right at the end of last year, Linux developer Mike Galbraith created a patch just 233 lines long that was designed to improve the scheduler inside the Linux kernel. The result of this patch is intended to produce a reduction in latency for desktop versions of Linux.

The superzapping effect of these tweaks and refinements are generally believed to lead to what will be a 10x speed boost for desktop Linux.

Even Linus Torvals was excited, "BTW, let me say that I think the patch is great," he said, also commenting that he thought it looked clean and it seems to perform very much as advertised.

Well, it was his idea in the first place.

Although reports detailing the onward implementation and wider deployment of this patch are more limited, the justification for addressing latency in desktop Linux is very reasonable and makes interesting reading.

Linux itself has often been criticised for being so server-centric with a large proportion of the new innovations being directed at enterprise level requirements and issues.

This is argued to be down to the fact that the Linux kernel is optimised for throughput and this is a good thing if in server land - but not so integral to the needs of the desktop.

Desktop environments on the other hand love latency (needed for scrolling web pages, moving windows around etc.) and Linux has never been as tuned for latency as it has for throughput and - and here is the bad news - latency and throughput are relatively mutually exclusive.

Mike Galbraith's patch has been heralded as being capable of cutting desktop latency by a factor of ten. So if you have been balking at the thought of desktop Linux for your home or work PC, now may be the time to think again.

Linux is evolving. Linux is developing tiers, so that so-called "top tier" Linux distributions such as Ubuntu, Fedora, openSUSE, Debian, Mandriva and others have been grabbing more of the headlines than some of the lesser known beasts in this Unix-like operating system ecosphere.

Of course this is not quite true and not at all fair -- some distributions will always be better suited to server-side deployment and then there is the whole parallel universe of mobile Linux.

So as the Linux ecosphere expands, are the smaller-scale distributions not getting the recognition they deserve?

Today's distro du jour is Puppy Linux. A tiny little thing requiring only 100MB of space with a boot time of only 30 seconds or so, due to the fact that it loads into RAM. This slim little dog might be well suited to older hardware or within environments where resources are limited or restricted. Even if your machine has no hard disk (or a broken hard disk), you can still boot Puppy from a CD or USB stick.

According to PuppyLinux.org, the OS allows the user to "do magic" by recovering data from destroyed PCs or by removing malware from Windows.

Puppy is well behaved and does not require anti-virus software support. But the USP might just be that you don't have to install Puppy to your hard disk to use it.

"Simply burn the ISO to CD/DVD and boot the PC or laptop with it. Once booted, you can then install it to USB flash (see the Setup menu), so you can use it for booting the PC when a CD is not available," says the site's Getting Started pages.

This pup also comes with a nice set of apps including a word processor, spreadsheet, browser, games, an image editing app and all the utilities you'd typically want to find in the dog pound. The site says that most hardware is automatically detected too.

Puppy Linux born on June 2003, delivered by Barry Kauler. The community that has developed is completely open, without any formal agenda or structure - and the product is completely free.

One word of balance, it sounds like this is a good dog doesn't it? But Jollicloud appears to be more popular so I hope to look at that soon.

News has been circulating this month of steps being taken by Google to remove malicious applications from the Android Market webstore. Reports have suggested that "dozens" of malicious rootkit-bearing apps were circulating until Google removed them "within minutes" of becoming aware of the problem.

The company has now taken steps to arm its so-called remote kill switch to "forcibly uninstall" any of the infected apps from the 260,000 handsets that were apparently compromised by the attack.

Google is further fortifying the Android Market with an update to reverse the exploit itself, as well as taking action to send emails to users who will have been affected.

The search giant was initially quiet on the whole subject, presumably spending its initial focus on examining the compromise itself. Google's Android security lead Rich Cannings later clarified the situation saying that that no personal data or individual user account information was transferred.

"The Android team was made aware of a number of malicious applications published to Android Market. Within minutes of becoming aware, we identified and removed the malicious applications. The applications took advantage of known vulnerabilities which don't affect Android versions 2.2.2 or higher. For affected devices, we believe that the only information the attacker(s) were able to gather was device-specific (IMEI/IMSI, unique codes which are used to identify mobile devices, and the version of Android running on your device). But given the nature of the exploits, the attacker(s) could access other data, which is why we've taken a number of steps to protect those who downloaded a malicious application," said Cannings.

For more on this, and a link to the Android Market Help Center, visit the Google Mobile Blog itself.

There's nothing worse than yet another contrived technology survey is there? But how about a "scan and license compliance assessment", is that fresh enough for you?

OpenLogic has used its position as a scanning and governance provider to release the results of a scan and license compliance assessment of 635 leading mobile applications.

The company says that 71% of Android, iPhone and iPad apps were found to contain open source code that failed to comply with basic open source license requirements.

Using its scanner technology, OSS Deep Discovery, OpenLogic says it scanned compiled binaries and source code (where available) for 635 mobile applications to identify open source under GPL, LGPL and Apache licenses.

For the 66 applications scanned that contained Apache or GPL/LPGL licenses, 71% failed to comply with four key obligations including the GPL/LGPL license requirements to provide developers with source code or openly offer an opportunity to get the source code when needed. For Apache licensed software, equally poor infringements were listed including a failure to provide a copy of the license and provide notices and attributions for the software.

"Many mobile and tablet developers may not have a complete picture of the open source they are using and the requirements of the open source licenses. This has real-world implications. For example, the Free Software Foundation has stated that GPL and iTunes license are not compatible and Apple has already pulled several apps from the store that were determined to be under the GPL," said Kim Weins, senior vice president of products and marketing at OpenLogic. "Google has also received takedown requests for Android market apps that violated the GPL. App developers need to pay attention to open source license compliance to ensure their apps are not impacted by legal actions."

Open source cloud computing organisations deploying OpenStack, the open source cloud operating system, have this week been given the option to receive formal service and support offerings from Rackspace Hosting.

This new programme, which was announced this week, is called Rackspace Cloud Builders. In essence it is a new business that offers training and certification, deployment services and ongoing support to enterprises and service providers in the cloud space.

This move represents one of the first extensions by Rackspace to its customer service offering, known as Fanatical Support, beyond the company's data centres to stand behind any OpenStack cloud deployment.

"Customers want to realise the benefits of cloud computing in many locations depending on their requirements and needs. The promise of being open, flexible and compatible makes OpenStack the ideal platform; however, they also want the assurance that a partner like Rackspace is standing behind them when deploying it in their own datacenters," said Jim Curry, general manager of Rackspace Cloud Builders.

Rackspace is clearly hedging its bets on the training and support requirements of software developers who have moved into roles with new and/or additional cloud computing responsibilities.

As well as training and certification for developing and administering OpenStack Clouds, Rackspace Cloud Builders will provide design and deployment services as well as support and escalation assistance from the OpenStack experts, including proactive monitoring and fixes.

Here and now in 2011, most of us will agree that today's software stacks generally combine elements of open source, commercial and other third party code, as well as contributions from internal developers and outsourced developers. By the time all of this software is integrated, tested and pushed towards a product release, it can be difficult to understand exactly what is in the final software being used by the business function.

Protecode has put together a list of steps to follow during the open source software adoption process, from establishing a software licensing policy to the pre-shipment software assessment.

"Increasingly, organisations are viewing open source and third party software license management as part of their software quality development process. Quality checklists may be evolved to include all or part of our following blueprint, which is based on Protecode's experience gained by carrying out numerous software IP audits for technology organisations on the verge of a merger and acquisition activity, or before their software product is shipped out of the organization (into the end-market or to a client)," said Mahshad Koohgoli, CEO of Protecode.

Establishing a Software Licensing Policy - this step involves creating a license compliance policy acceptable to the organisation. The policy addresses questions such as what license terms are acceptable and unacceptable, what vendors are approved and what software products or packages are authorised for use.

Existing Portfolio Assessment - this step involves auditing the existing portfolio and establishing a baseline of what already exists in the organisation. Protecode says that establishing a baseline is best done with an automated tool, ideally linked to a digitally-captured licensing policy.

Regular Software Assessment - this stage, although popular, could be bypassed if automated library check-in or real-time preventive assessment steps are practiced.

Real-Time Library Check-in Assessment - this optional step ensures that any content committed to the organisation's Source Control Management system is well understood from a licensing obligations viewpoint.

Pre-shipment Software Assessment - this necessary step ensures there is a full understanding of the content and obligations associated with the product before it is released to the market.

NB: This is a cut down version of Protecode's original "eight" steps to open source software assessment.

Open source software gets a lot of positive press. Along with death and taxes we can say that this is a fair certainty. But are there hidden and very blatant flaws that we should be looking out for and be aware of?

The Coverity Scan 2010 Open Source Integrity Report was launched at the end of last year to examine open source software integrity and was originally initiated between the company itself and the U.S. Department of Homeland Security.

The process for this report involved analysing more than 61 million lines of open source community-submitted code (using the Coverity Static Analysis tool) from 291 widely-used open source projects such as Android, Linux, Apache, Samba and PHP among others.

Android: 359 software defects found

The Android kernel, when tested by Coverity, revealed 359 software defects says the company. A total of 25 percent of the Android defects found (in Android kernel 2.6.32 "Froyo") were listed as 'high risk' with the potential to cause security breaches and crashes. Further, nearly half of the defects discovered in all open source projects were also classified as high risk.

It sounds worrying yes -- but how do these defects manifest themselves?

Coverity points to common flaws such as memory corruptions (or segmentation faults), null-pointer dereferences (or exceptions) and resource (or memory) leaks, which can cause system crashes and security vulnerabilities in products.

NB: That all sounds pretty technical, so for an easy-to-grasp explanation -- the Open Web Application Security Project (OWASP) defines a null-pointer dereference as the moment when a pointer (a reference to a location in memory) with a value of NULL is used as though it pointed to a valid memory area.

... and this is the kind of thing actually happening in Android devices that have shipped and are shipping.

According to Google, more than 65,000 Android devices ship each day. Android is also expected to become the second-largest smartphone operating system by 2012, capturing 18% of global smartphone sales1.

"Open source software, like Android, is cemented into the software supply chain of OEMs in the mobile device industry. This creates heavy demand for visibility into the integrity of open source code shipping in modern mobile devices," said Andy Chou, Coverity chief scientist and co-founder. "The Coverity Scan results for the Android kernel we tested show a better than average defect density, meaning this specific kernel is shipping with fewer defects than the industry average for software of this size. However, a significant number of these defects are the high risk types that our customers typically fix before shipping their products to market. We believe that highlighting these risks proactively provides developers and OEMs with an opportunity to fix these defects before they become a problem."

Open source web application frameworks specialist Sencha has been examining the new Motorola Xoom "Android Smart Tablet" from a developer's point of view. The company says that although the tablet has only been available for a short time, developers and publishers want to know how it measures up to other tablets as a way to deliver rich content via web apps.

Or in other words -- is it an iPad killer?

Sencha has taken the plunge and put the Xoom through its battery of HTML5 tests with specific thought for contemporary HTML5 web developer.

The below notes are taken from the Sencha analysis blog which you can read in full here.

"The Xoom scores an impressive 100/100 on the Acid3 tests. This is the first Android tablet that has given a 100 score, which means a couple of things have gotten better, most notably the addition of SVG (Scalable Vector Graphics) support. But, the Xoom has two noticeable rendering bugs -- first, the letters "Acid3" are the wrong colour and are missing the drop shadow. Second, in the top right there's a small red box, which is an obvious rendering bug. The Xoom has a perfect numeric score, but it still fails Acid3."

"To make things worse, the CSS3 animations are almost completely broken. We often found even for the most basic animations the browser skipped frames, incorrectly rendered elements, or didn't run the animation to completion."

"It's been nearly a year since Apple shipped the iPad and we're still incredibly surprised that Google and Motorola have yet to build a mobile browser that has a correct and high-performance CSS3 implementation. The silicon power is definitely present to support it."

So what's the long-term upshot of all this? Well the sensible money is on watching the Xoom, watching the market and waiting for the version 2.0 patch(es) as they must inevitably come.