Hacking Log 4.0 Andrew C. Oliver describes his geeky interests

I waited 2 weeks to see if I really wanted to do this post. In a discussion list that is not public but should be X decided to insult me rather than the position I was advocating.

• My opinions are "BS, heaping steaming" BS
• I'm a "moron" or at least my congressman thinks so
• I do not know or understand anything about the organization and require "teaching" and to "empty my cup"
• I need to "buy a clue"
• My perceptions exist in an "alternate universe"
• I'm "uniformed"
• I'm "clueless"
• I'm "ignorant"
• I'm "lying" a/o a liar

From me:

• Your position speaks of arrogance ("arrogant")*
• You're "REALLY arrogant"
• Discussion with you is pointless so long as you begin every message with an insult

* the first one wasn't really aimed at him but the position that a self elected board speaks for the community because of "who" they "are". I regard that position as arrogant-sounding and elitest, but had not addressed X in the conversation at this point (don't take "elitest" in context of the election reporting).

To the final set of insults I replied "you win". X thinks (or chose to think) that "you win" means that I now agree with him. Actually, I recognized that X "scores points" rather than have a discussion. This is a disfunctional communication pattern that I used to fall into myself because I find email discussions prone to frustration. One day I woke up from this misbehavior because I realized how silly it was to attack the person I was trying to convince and that no one kept score anyhow. So I decided to keep score and at 9-2 (or 3 depending), X WINS! Congrats X! You won my disrepect. Previously, you had the opposite.

A post from Sam Ramji from Microsoft on dev@poi.apache.org.

But elsewhere we have two steps back... (more later)

When I founded Apache POI with Marc Johnson, I did so because "I didn't get it". I love open source and prefer open platforms, and viewed Java as more open than the alternatives and was naieve enough to believe Sun that it would be "any day now" many years before it made any motion in that direction. So I wanted to use Java on a reporting system running on a UNIX distribution. I was told "but we have to see the reports in Excel!" and there was only one very expensive solution to do that which also was bound to AWT which at the time was bound to X with only very poor solutions to work around it. However in my cost analysis it would take a lot of effort and more money to develop an alternative. POI was born of my ideology of working my way in the real world for real money to increasing amounts of freedom. I now run Ubuntu as my full time development laptop and even write most of my documents in OpenOffice (as a result of really disliking the UI of Office 2007 and it not running under Crossover Office anyhow) which I didn't used to like. POI freed me from having to use the Microsoft platform and allowed me to get a lot of business that I wouldn't have gotten otherwise. POI went to Apache partially out of my fear that one day Microsoft was going to find a way to sue me. It was the recession after the .com bubble and I was scared. When Microsoft started referencing POI from its site, I was pleased. I thought "wow, we've finally made it all the way" and "maybe they really are never coming after me".

When Nick Burch started work on the OOXML stuff, I was tickled pink. Then I saw a bunch of articles like this one. So I started trying to understand the situation and came across Microsoft's Open Source Patent Pledge which only offers individual protection when you write software but not users of that software. I was later pointed to Microsoft's Open Specification Promise and some legal analysis of it. The analysis is well written and explains that a key issue is the language "any implementation to the extent it conforms to a Covered Specification". Which means if you have bugs or partial implementations you can run afoul. Since open source development means immediate distribution of partial and sometimes alpha-ish implementations, POI will most certainly not be covered by this promise. Moreover, users which use snapshot releases most likely won't be covered.

Microsoft's promise covers both the binary file formats that POI now implements and the new OOXML formats. That being said, we looked for patents for the binary formats and we found multiple word processor spread sheet program patents and even some with regards to code pages. POI would have a tough time running afoul of any of these unless you created Open Office in Java or something (even then I'm unsure whether Java did it or you did). Microsoft's patents cite INSIDE OLE 2 as a reference but do not reference any patent necessary to read/use/write the OLE2CDF, Biff(8 or later) and doc formats. This is not all that surprising as Microsoft wasn't very active in filing software patents until around 1995. Software Patents were also still on questionable legal ground according to Wikipedia. I also cannot find patents for OOXML other than the somewhat reaching patent objections in here which I got as another result of the "attack of the surrogates" where all sorts of people who don't really have an interest in POI but either hate Microsoft (I didn't until I was forced to use Vista for a few months) or have some vested interest come out of the woodwork to participate (or often derail) the discussion. Then they all talk "at" you through pages they feel are more authoritative and ask for a change of venue. If you keep your head, then there is the inevitable discussion about people's feelings (after seeing the ISO petition I just snip these and go back to the meat and refuse to change venue and keep it all public). Unfortunately while humans have a 50/50 chance of judging emotional content of email, one of mine is always aparrent: frustration.

I want to be clear: No I don't think OOXML should have been approved as a standard and don't support the way that it was done. The tactic of putting out a petition saying that disagreements are personal attacks is even more laughable (unless I'm missing something). Regardless of whether it had been approved, I'd have been an enthusiastic supporter of its support in POI. I do have a problem with Microsoft doing and end-run around signing the CLA-C and giving the patent grants therein and then having a "business opportunity" to patent troll their own open source contributions. If we find a way to avoid that then we can then work productively nad I'm happy.

What I've asked for, is that Microsoft to clarify that the work they're funding through Source Sense will be distributable and usable under the terms of the OSD and that "best effort" to "conform" is covered by their Open Specification Promise or as my preference sign a CLA-C for the work they're funding through Source Sense. I "don't get it" why this is such a big deal or so contentious and requires so much discussion. After that, Microsoft's contribution to POI on a productive basis will fulfill my wildest dreams for the project. THANKS for reading this far. I need your help. I want links to patents that the OSP frees POI from both the binary formats (if it is at all applicable) and the latter case of OOXML formats. Please send them to acoliver ot gmail dat com. Please only send me stuff relevant to POI which is an implementation of the file formats in Java. Please send me facts relevant to this preferrably from unbiased sources.

UPDATE: Sam Ruby has posted:

When you find them, let us know. If and when you find a valid patent, and there is any effort made to enforce said patent upon our licensees, then we would address the issue. ...

Meanwhile, you have expressed a -1 and can not provide a specific reason to back it up. I would strongly suggest that the appropriate time to bring up such an objection is when you have the data to back it up. Feel free to say "I told you so" at that time.

...

I have done some research on this and will be posting my reasons to believe that POI does not violate patents in the binary file format area but if the Microsoft Source Sense work goes forward will violate them. Unfortunately, Sam knows this is very difficult since the patents can be file for later. Microsoft is actively working to "re-define" open source. One posible re-definition would be "the source is free but you need an EULA for the patent". There is no reason to trust them disproportionately more than other firms. I've noted again that in order to override my -1 rashly as they prefer, they'll need to kick me out of the project. So I need your help if you have the info on Microsoft-owned OOXML patents that are covered by the OSP (acoliver ot gmail dat com).

UPDATE: Search on freepatents that I can use some help vetting

UPDATE: Sam moved the goal post (see his reply when it posts). They are framing the discussion so that the criteria is SO high that it can never be met. First "oh the OSP covers it" and now "oh you don't have a list of patents that OOXML requires" and now "oh you aren't addressing all of our requests because you asked to address some of them LATER because there are 5 of us and 1 of you and we made you do all of the research and inundated you with psychobabble when you tried". Needless to say, I'm a little frustrated. I miss the Gianugo that longed for a cleaner, more open version of open source, I had a nice dinner and great conversation with him. I don't know this guy.

I've been a Republican ever since I can remember. However, I voted for Bill Clinton when I was 18 and have generally voted for Democrats in national politics and increasingly fewer Republicans locally. The last Republican I voted for was running against Mike Nifong... My parents were/are Republicans and increasingly right-wing (partly because they now have the luxury of ignoring the needs of parents with children). In the area of Florida, where I grew up, you might as well register Republican if you'd like to vote in the primaries or you'll find the ballot rather vacant. When I moved to North Carolina, I didn't change mainly because I wanted to vote against Jesse Helms as many times as I possibly could. His retirement voided my chance but I was ready! Then I never got around to changing parties despite my dislike of Bush because I figured that I cared more about which Republicans won even if I didn't vote for them in the actual election; and secondly, I disagree with the mainstream of the Democratic party on many economic issues. However, the Republican party is now the party of big deficits, millitary adventurism (previously a position occupied by the Democratic party...Viet Nam was a Kennedy/Johnson project), the impending maoist-like surveillance society, bigoty, homophobia, theocracy and big government waste. So while I do hope the Democratic party sheds its "economic justice"* agenda (which I regard as socialism-lite) and protectionist economics from its platform, I can't continue to pretend to be a Republican because I believe in the separation of Church and State and that suspending constitutional protections IS letting the terrorists win.

The "action" comes from the fact that my vote may actually matter in the May 5th Democratic primary. I intend to vote for Barak Obama. That was a hard choice in that I really dislike his "hopey change" campaign. However, I respect the path he took and liked his speech on race and the honest way he handled it. I would like to hear a lot more on actual policy proposals and wouldn't mind him stepping away from the proposal to remove the cap on the social security tax. At the same time I have never been able to make myself like Hillary Clinton. Moreover, I see her as a very divisive figure that can activate the "religious right" in a way that no other candidate could. I think a vote for Hillary would be a vote for McCain. I liked McCain 2000. I read McCain's book. However, I don't like the company he keeps these days. Lastly, in this election I want to hear that the candidate will extracate us from Iraq and avoid millitary adventurism. Mr. Obama has said this in many different ways, consistantly, many different times. Mrs. Clinton has never really said this in strong and serious way. I won't say that I really really like Obama as a candidate the way some have. I won't be donating money to his primary campaign...no matter how many times a very insistant 19 year old California girl calls me at 8-9pm. However, I will vote for him in this primary.

* this is not to say that I'm against all forms of welfare economics just the extreme forms that seem to get lumped in as "economic justice" (which wikipedia lumps in with social justice but many distinguish the two, I'd suggest that needs a bit of rework).

sugested reading:

• Order of the Reich President for the Protection of People and State vs US Patriot Act

First off I respect what I know about Bruce Perens and Eric Raymond for what they have done for open source in the past. I even agree with some of Bruce's points in his petition. However, I do not think either are appropriate for OSI's board today.

I ended up as a board observer at OSI in part as a result of my criticism of the organization, but not exclusively (there is a much longer back story). It lacks transparancy, it is too top-down, it doesn't represent the working slobs of open source. Its license approval process is kind of odd and it doesn't do very much. However, I do not think Bruce Perens is the answer to that. His very view on what the organization *should* be are very different from mine at least. A healthy project grows beyond its founder, and thankfully open source as a whole is much larger than Eric or Bruce or Russ Nelson or any of the guys that started this fork of the Free Software movement.

OSI is trying to solve its problems, by becoming more grassroots and less bottom up. Meanwhile, it is trying to grow the movement by expanding its international representation. Corporations do influence OSI, in that not all of the board has a free hand to say what is on their mind publically. However, the solution is to make the OSI board what it should be: a governance board. Open source projects and non-profit foundations are really clubs. The difference between healthy clubs that I've been a part of and unhealthy clubs has been whether or not people feel that the board is where change is really enacted. In the better organizations, influential members influence the community through its forums be they electronic or geolocational.

The problem is that OSI is presently organized as more of a star chamber with a forum to "petition the king". Until recently, partly as a result of the governance failures that Bruce was partly responsible for setting up, there weren't even public minutes. So no one knew WHAT the board was doing or WHY they were doing it. There is one big thing that Bruce has going for him, he's famous and people think that "as a founder.." but considerable progress has been made since Bruce by people who have smaller egos and lower voices. I'd like to highlight a few.

Recently, Danese Cooper lead the drive to format properly and legally all of the minutes so that they could be posted. I prodded and bitched and moaned because I frankly don't care about 2006, it is over with and wanted to see us get to thre present. However, in light of Perens charges the minutes become even more valuable, including seeing a transition. For everyone interested, I suggest looking at the minutes especially from the March face to face meetings.

Alolita Sharma and observer Zak Greant have been leading the drive to make OSIs infrastructure support a more actively engaged community. Alolita is a uniquely international person who speaks of UN meetings and such.

Nnenna who prefers not to use her last name (she is a diva, though not in the negative sense) is a major force in the free and open source software movement in Africa. Her perspective and activities in helping support open standards generally and OOXL in particular OOXML as part of (Free Software and Open Source Foundation for Africa) FOSFA and her pragmatic approach to what is important and what is not are a valuable force at OSI.

I would not be a part of OSI if it were not for Ken Coar primarily and Danese Cooper secondly. First, I'm far more comfortable (like Bruce) in pointing out the problem than coming up with a solution. For one, it is easy! Now I'm stuck helping post minutes and writing an RFP and helping gather information for posts like this. It is hard work! I so prefer just complaining and not proposing solutions! A read of the minutes reveals what I found, people who have day jobs, working to make OSI more effective, who care about open source, who aren't in it for ego graciation or self-promotion. OSI needs to change and it needs help. It needs to move past an elitest top-down organization to a much larger body of volunteers to which the board provides governance. That requires new thinking, new administration, new infrastructure, better methods of communication (license discuss is a bit of a monkey house). While I will forever make rat jokes about Ken for getting me into this :-), I'm proud to be a non-board member (I'm officially a "board observer") who is helping make OSI more effective and support Ken's vision of a membership driven organization where the board just makes sure the lawyers are happy (my characterization not his). A return to a very Amerocentric hacker culture voice with big egos is not the answer to OSI's problems. I think OSI is on the path to real fundemental change. I'd like to hear Bruce explain what he'd do differently in collaboration with others who may not always agree with him. The trick to a board or any group of people is that it is more than one person. It is fine to have a vision, but if you're after a fancy title and a bully pulpit, you're probably not going to be that effective in collaborating.

• I must eat here nearly every Saturday
• And here whenever the wife let's me (Argentinian steakhouse):
• coffee place where they don't touch the lid of my coffee when they hand me the cup (and thus don't get me sick)
• ice cream (they have soy ice cream and sorbetto...Ephram prefers lemon):
• hippy groceries for too much money
• entrance to the massive botanical garden where catfish jump out of the pond which Ephram giggles incessantly about (walking only so no google)
• our famous minor league team (Ephram sorta watches it, Billy likes the peanuts, Alec is more into it)
• This used to be the American Tobacco campus, but they turned it into shops and stuff, massive man-made river flows through it (off now due to drought)
• Plus I have this same TV (not my house just demonstrative) to watch the fights on

Microsoft has a new campaign That's a hero. Apparently, a hero is someone who helps support Microsoft's business plan and ties themselves and pays for Microsoft's beta tools. Gosh, I think I'd rather be free and support multiple platforms than be a hero...

Get the tools that make these heroes successful. Order your own Hero Hack Pack.

Each Pack contains free evaluation editions of Windows Server 2008, Visual Studio 2008, and the essentials for getting started with open source. Plus, randomly hidden in the Packs are 10 vouchers for free passes to the Open Source Convention (OSCON) this summer.

PS I think that I just vomited in my own mouth.

Look at this InfoWeek article "Five Most Overlooked Open Source Vulnerabilities Found By Audits". This is probably vendor-funded FUD. One obvious inaccuracy is that it implies that people actually deploy Geronimo in production. That is a joke. Long after JBoss I think Geronimo is/was a silly silly joke. However:

      Symantec discovered a flaw in the DeploymentFileRepository 

        class of the JBoss application server. A remote attacker who 

        is able to access the console manager could read or write to 

        files with the permissions of the JBoss user. This could 

        potentially lead to arbitrary code execution as the JBoss 

        user. (CVE-2006-5750) 



        Please note that the JBoss console manager should always be 


	        secured prior to deployment. By default, the JBoss installer 

	        gives users the ability to password protect the console 

	        manager, limiting an attack using this vulnerability to 

	        authorised users. These steps can also be performed manually. 

	        http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss

	

	        This vulnerability afffects all JBoss releases from v3.2.4 to v.4.0.5

Oh so if you run a completely un-secured version of JBoss then people can do bad things? "arbitrary code execution..." How about this: the deployment scanner or the BSH deployer or that I can shut down your whole freaking server. I have a fun idea! Why don't you follow instructions and not allow remote access to JBossAS administrative functions?

Seriously this is a stupid game these "security firms" play. As a vendor you have to play along because if they generate an advisory no matter how stupid or obvious (like gee if you run an unsecured admin tool...like anyone can admin your server), if you don't "fix" it then you look like you're an irresponsible vendor that doesn't care about security. If you say "it isn't real" then you look defensive. So you "fix" the "insecurity" and the scam continues.

On the other hand since JBoss continues to distribute primarily without the installer (that asks if you'd like to secure it and for a PW), the SecureJBoss page should umm...like make it into the official documentation and not just a wiki page that any registered user can edit (that is the real CERT advisory). My original plan was that developers and users would gen stuff in the wiki. Stuff would be filed in JIRA as doco features. Writers would write the doco. I guess you'd have to have writers writing doco to do that though :-).

Whenever I leave Germany, I always forget about the thing that annoys me most about the place... Everyone has the same hours. This means that if you want to buy groceries or wash your clothes you have to rush right after work during the week before the thing closes. This is a slight exaggeration, but only slight. For the record, I'll be wearing today's underwear tomorrow as well. TMI, I know. Okay enough whining...back to work.

While I still have my reservations about JBoss's Seam despite my love and respect for Gavin King (despite his criticism of my fashion sense), I think I'm using it to refactor a cleint's application. My issue with it is mainly in that I think it is a bit 2005. I'd like to see more in it for pushing the state to the client and less of the really big posts of what looks like uuencoded stuff. However, Gavin has done a masterful job in leading this project. Go to the Apache Struts 2 site, try and actually find a tutorial that doesn't 404. The documentation is crappy too. Now, assume that YOU aren't the person coding this, but that you need to bring someone up quickly. Choose based on online "getting started" material (this is the most important cost consideration). Gavin can be a bit of a control freak and a bit anal on details, this is a wonderful thing in that he even has a roadmap. Michael Yaun was a key force in this (I recognize the writing), but has since left Red Hat. Kudos to them both.

As much as people consider me an expert in scaling enterprise apps on Linux particularly Java, I must say, sometimes my desktop skills are questionable. I'd never bothered to even try and print from my laptop because it never seemed to work properly before. My >10 year old HP LJ 6L, hooked up to my wife's Windows box died. It had seen nearly industrial use between her school and my stepson's Billy's obsession with printing the lyrics to every song ever written... So we bought a new 2605dn from Staples (needed it quickly) and WOW! It prints great color. Best of all, after setting it up as a Postscript printer via the friendly menu and instructions -- It prints WONDERFULLY from Linux. I'm quite pleased. You gotta love Ubuntu (still on Feisty ATM)!

Several people have pointed out that IE 7 renders my blog incorrectly. It is not my fault that Microsoft has released a broken browser that broke half of the CSS on the internet (again). I'm sure I'll inadvertantly fix it one day, but today I think...upgrade your browser sucker.

I'd been pretty albeit privately dubious as to the future of POI, a little project I founded a few years back to traverse Microsoft file formats from Java. This dubiousness seems to have been proven unfounded given Nick Burch's recent work on office XML support. Interestingly enough it uses XMLBeans which I had long ago thought about doing a Office->XML converter in. Note that he's committed some initial stuff to this effect. Nick is now the POI PMC chair and is really the backbone of the project these days.

I leave for Heidelberg, Germany on January 6th (arrive on the 7th). Aside from the work I have to do I plan on gourgeing myself on Wiener schnitzel and find a mass or two of Schneider Aventinus. Would love to catch up/hang out with some folks. (acoliver ot buni dat org)

Peeps have been dissing my blog lately. From Bill Burke's saying that it reads like a hypochondriac to Roy's implying it sucked. That being said, my blog still accomplishes showing up in various searches such that press and others doing research find it which was part of what Hacking Log 1.0-3.0 indended to prove. This month I got another request to use pictures from my India trip as a book cover. The first such request was from a band. This reminds me, I'm available to do consulting/training to anyone who wants to send me on another trip to India :-).

We've finally gotten rain here, but I keep meaning to take a picture of our normally gushing Eno river which is nearly dried up. However, I guess I find it a little depressing to be honest. Of course I hate the rain, I always feel drained but I'll sacrifice some energy for it.