If you live in the U.S., this is the week to gorge on turkey. I wondered out loud last night to my wife if Thanksgiving is the day of the year when the most people eat the same meal. Can any of our overseas readers add to the conversation? Is there a holiday in your country where everyone eats pretty much the same thing? Anyway, before American brains shut down from an overdose of stuffing, here’s some developer news you can use.
Oracle announces Plan B for Java
The Java language has continued to evolve over the years, adding features such as Generics. There’s an ambitious wishlist of things that developers would like to see in Java 7, but apparently not enough time to do it all and still get a timely release out. As a result, the JCP has decided to forgo some of the goodies until Java 8, which is not expected to grace the world until late 2012.
As a recovering LISP-head, the item on the deferred list that catches my eye the most is Lambda expressions/closures. With even relatively “primitive” languages such as Objective-C starting to adopt these structures in the form of Blocks, Java is already behind the curve in this regard. It’s a shame it will have to wait another year.
No word if Java Plan B will require a doctor’s prescription, or be available to developers under 18 without a note from their parent.
Did we win the SCO battle, but lose the Unix War?
As someone who has 10 framed shares of SCO hanging over his toilet, I was definitely among the many who rejoiced in the sound thrashing SCO received at the hands of Novell, in regards to who owned Unix. The conventional wisdom was that Novell would be a reasonable caretaker for the Unix IP, and would be unlikely to use it against Linux or those who used it.
Life is definitely less clear now that Novell is being consumed by Attachmate. For one thing, part of the deal involves transferring a big chunk of Novell IP to a company fronting for Microsoft. Hopefully, it’s just the normal collection of garbage software patents every big company seems to end up with, and not anything that would provide an avenue of attack against Linux.
Rant of the Week: Injection Protection
I’m not sure what they’re teaching up at those new-fangled universities these days, but it sure ain’t software security. At least that’s the assumption I have to make, given the number of SQL and Shell injection attacks I hear about every month.
My whine last week was about null pointer exceptions. They’re sloppy, but usually harmless. Injection attacks can take down your entire system or reveal sensitive data to bad guys. In my misspent youth, I ran a chat system and added email support so people could send mail from inside the program. I made the mistake of appending the email address to the end of a string that got run as a shell command. It wasn’t long before some “clever” vandal used the email address “;rm -fr .” There went my entire (non-backed-up) source tree.
Open source software is particularly vulnerable to SQL injection attacks, because the SQL schema is generally known. If you’re lazy, and build queries using string concats with user-supplied data, it’s trivial to enter data that succeeds, but also inserts or deletes data, in entirely different tables. You should always use the parameterized tools to place data into queries or inserts, and probably self-sanitize the data as well.
You should also run queries with the minimum credentials required, e.g., have a database user that can only do selects and use it for any parts of the system that don’t require database updates. And have a privileged user be the only one that can update or access sensitive parts of the database.
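Here is an added example, not code from the original post, putting both pieces of advice side by side in Python with sqlite3: the concatenated query beside its parameterized version, and a least-privilege read-only connection (SQLite's `mode=ro` URI) standing in for the “selects only” database user. The schema, rows and file path are constructed for the demo.

```python
import os
import sqlite3
import tempfile

# Constructed sample data (not from the original post): two users and their secrets.
SEED_SQL = ("CREATE TABLE users (name TEXT, secret TEXT);"
            " INSERT INTO users VALUES ('alice', 'token-a'), ('bob', 'token-b');")

def create_db(path):
    """Seed the database file at `path` through a read-write connection."""
    db = sqlite3.connect(path)
    db.executescript(SEED_SQL)
    db.close()

def open_readonly(path):
    """Least-privilege connection: SQLite's URI mode=ro makes the engine refuse every write."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def lookup_unsafe(db, name):
    """String concatenation: the caller's text is parsed as part of the SQL statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, name):
    """Parameterized query: the value is bound separately and is never parsed as SQL."""
    rows = db.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def can_delete(db):
    """True if this connection may delete rows; False if the engine refuses (read-only)."""
    try:
        db.execute("DELETE FROM users")
        db.rollback()  # undo when permitted, so the sample data survives
        return True
    except sqlite3.OperationalError:
        return False

def demo():
    path = os.path.join(tempfile.mkdtemp(), "app.db")
    create_db(path)
    ro = open_readonly(path)
    probe = "x' OR '1'='1"  # tautology: the concatenated query treats it as SQL, not as a name
    return {
        "unsafe": lookup_unsafe(ro, probe),     # every row comes back
        "safe": lookup_safe(ro, probe),         # no user has that literal name
        "exact": lookup_safe(ro, "alice"),      # parameterized lookup still works for real input
        "readonly_can_delete": can_delete(ro),  # False: the privilege, not the code, blocks the write
    }
```

The last entry is the point of the second paragraph: even if a concatenated query slips through, a connection that can only select cannot be turned into a delete.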
That’s it for this week. Suggestions are always welcome, so please send tips or news here.