Author: Manuel Lemos
Categories: PHP Security, Lately in PHP Podcast, PHP opinions
They also talked about the upcoming end of life release of PHP 5.3, getting information about parameter type hints via reflection, using object methods on native data types, security problems of OAuth implementations, and the built-in support in Composer for accessing password protected repositories.
Listen to the podcast now, or watch the hangout video, or read the transcript text to know more about these interesting PHP discussions.
Contents
Introduction (0:20)
PHP Releases 5.4.29, PHP 5.5.13, PHP 5.6 RC1 (1:14)
PHP 5.3 Final Release (4:53)
Add typehint accessors to ReflectionParameter (11:23)
Methods on primitive types in PHP and Autoboxing (15:50)
Is Your OAuth 2.0 Application Secure? (21:51)
7 Reasons Why TDD Failed to become Mainstream (34:13)
PHP Composer Private Repository Automatic Access (59:20)
JavaScript Innovation Award Winners of March 2014 (1:02:08)
JavaScript Innovation Award Championship by Country Rankings of 2014 (1:09:04)
PHP Innovation Award Winners of March 2014 (1:11:00)
PHP Innovation Award Championship by Country Rankings of 2014 (1:16:40)
Conclusion (1:21:07)
Introduction music Harbour used with explicit permission from the author Danilo Ercole, from Curitiba, Brazil
Note that the timestamps below in the transcript may not match the same positions in the video because they were based on the audio timestamps and the audio was compacted to truncate silence periods.
Show notes
- Extension: Methods on primitive types in PHP
- RFC: Autoboxing and Proposal
Introduction (0:20)
Manuel Lemos: Hello and welcome to the Lately in PHP podcast. This is episode 48, I think.
We have been live recording these Hangouts, talking about what had been happening lately in PHP world, for about four years. It's quite a long time. Most Hangouts or podcasts had stopped before that, because people started to get fed up. But we never got fed up.
And this time I have here with me, Arturs Sosins, from Latvia.
Hello, Arturs. How are you doing?
Arturs Sosins: I kind of got fed up of JavaScript topics so I decided to hear more about what's happening in the PHP world and that's why I'm here.
[Laughter]
Manuel Lemos: OK. You are alternating between one and the other, right?
Arturs Sosins: Yeah.
PHP Releases 5.4.29, PHP 5.5.13, PHP 5.6 RC1 (1:14)
Manuel Lemos: OK, this month, we have several interesting topics as usual, some related with the upcoming PHP releases.
And let's start reviewing what has been going on, starting precisely with the release of PHP 5.5.13. It's yet another release mostly to fix bugs. There seems to be nothing really new, so it's a maintenance release.
Along with it, there is a similar release for 5.4.29. And actually, it's practically the same bugs that were fixed. There were some security vulnerabilities fixed here and they do not seem to be very serious, so I don't think there is much to talk about this.
So let's move to comment a little about PHP 5.6, which is basically very close to final release. There is already at least one release candidate that I remember. Yes, that's the first one.
Well, there is not really anything here to say because it's just that the 5.6 version is getting ready for release. Most of the bugs are being fixed. There are no features being handled right now. It's just stabilizing the release. There is nothing really, really new to comment about this and the features that we are expecting, we already know.
I don't know, Arturs, are you hoping for this release or maybe you are not really following it to use in your developments?
Arturs Sosins: Well, I'm that kind of guy that always goes after the latest and the newest. Usually, if it's working, that is good for me. If it's not broken, don't mend it. But I don't know, can you tell me what could be an interesting new feature in this release?
Manuel Lemos: To tell you the truth, in my opinion, there's nothing, nothing really interesting. It's more of some features that some people think they need but if you have not followed the previous episodes, probably you're not going to miss there some things related to variadics which is a new state syntax for specifying functions that is along the... I mean, a variable number of parameters.
And a few other things actually. I don't think you missed them much if you have not been following this because you really do not need them. As you said, if it is not broken, you shouldn't bother to fix it. I mean, upgrade just to benefit from the features that you probably do not need.
PHP 5.3 Final Release (4:53)
Manuel Lemos: Anyway, now moving to a topic related with new features which is the planned End Of Life for PHP 5.3. It is about one year since it was released and it was planned they will stop issuing new releases.
But there will be, I would say, a final release that is being planned to be launched. I think it will happen in July sometime. Probably at the same time that PHP 5.6.0 final release is made. Well, this is just something that was planned. I don't think whoever is using 5.3 will stop using it.
Arturs, which version are you usually using in your site?
Arturs Sosins: Well, that is actually kind of interesting topic because just recently I received an email. I have a hosting account, a shared hosting account, for some personal projects, for some client work, just to show them what I made, what is the progress and stuff like that. And just recently, I received an email, "Your PHP version was upgraded to 5.3."
Manuel Lemos: Oh, all right. So, now that could be...
Arturs Sosins: Yeah, just about a month ago, I received the email.
Manuel Lemos: Now, that is end of life. So, it doesn't matter if there are three or four versions behind. And I think that is probably the very common thing, often companies do not upgrade versions of existing customers because they know that if they upgrade, the sites stop working.
And it's usually the developer's fault but the site owners do not care. They need to complain to somebody, they complain to the hosting company. That's why they avoid to upgrade. So if they upgraded it, it's probably that they have also upgraded the distribution that they are using on the server. So it's probably not just PHP, it's probably something else.
Arturs Sosins: So it was a forced upgrade for them and they had to do it because the distribution was...
Manuel Lemos: Yeah, that's probably more like it. I think that's usual and I'm sure it persuades many core developers of their having many features that they think are interesting. They improve performance, they improve security and the hosting company does not care.
Because even if they have vulnerable PHP versions running, they do not follow or even if they follow what is happening in terms of new releases in PHP world, they simply do not care and they do not comply with... I mean they just get stuck with older versions because it's less maintenance problems with their customer's broken sites than having to deal with eventual security problems. It's a bit odd but that's the way it goes now.
They already know what would be the consequences but sometimes, even if there are known vulnerabilities - like for instance before 5.3.11, there is a series of vulnerabilities that could simply stop the whole server with a single request and make them almost get stuck in an infinite loop, but most of the users do not care. We already talked about it, I think it was last year, but... nobody cares. If somebody stopped your server, they'll deal with it later.
OK, now people should know that PHP 5.3 I mean there will be a final release and this just means that there will be no versions with new features. Probably, there'll only be updates with security features.
And even that will end after a while. I don't know if it is one year or so. So if you really, really care about these new versions you should pay attention because the End of Life of 5.3 is here.
And maybe you should already test your applications with a newer PHP version, because there are some backwards incompatibilities. So you may want to probably review your applications to see if they work with newer versions.
I've been doing that for a while but I've not switched in production because I need more time to test. It is not really, really urgent.
Arturs Sosins: So what version are you using?
Manuel Lemos: In production, I'm using the latest 5.3 but in development environment, I'm using 5.4. But by the time you try the cycle, I already jump to the latest version because I don't get far behind until the next upgrade.
Add typehint accessors to ReflectionParameter (11:23)
Manuel Lemos: But OK, now, let's move on with another topic. This time related with new features that are being planned for future PHP versions.
There was a proposal here for a feature that is basically to improve the support for the recently added type hinting features in the Reflection APIs. The Reflection APIs allow you to inspect classes so you can know about each variable, function and parameter. Using the type hinting support, you will eventually also be able to learn what types are expected for function parameters and so on.
So this would allow those that, for instance, create tests using mock classes to replicate the classes and create mock classes that you can fill in with your mock code. So you can use this for testing without much problem in rewriting the classes, copying and pasting code.
Arturs, I don't know if you create your own tests using mock classes. I don't know if you feel this would be useful for your purposes.
Arturs Sosins: Well, not in PHP maybe, but in other languages, yes, for creating unit tests that especially work with some authority service. It's the best way to create the mock class and emulate all the responses. So, that's understandable.
So, what exactly this addition adds to existing APIs is that it's easier to query the information back, right?
Manuel Lemos: From what I understood, this is to get the types of parameters that you define the type hinting. So, since PHP has type hinting for function parameters, from what I understood there was not yet support for Reflection to get those type hints.
Well, this is what I understood. But here, it talks about annotations. Maybe that's what they mean with type annotations. I confess that I have not been studying this in detail, so probably, I'm not putting it in accurate terms.
Anyway, this is just to comment about something that is planned. There is not much to say about it.
Anyway, if you talk about how to use tests in other languages, which language do you mean?
Arturs Sosins: The latest one was Java, unfortunately. I had to...
Manuel Lemos: Oh, you're programming in Java. You are not...
Arturs Sosins: No, no, no, no. No, I do not program in... Well, I do for Android a bit but I have a code assurance project for Java, so it's something different.
Manuel Lemos: Yeah, but you know, if you program in Java, you are not going to heaven when you die.
Arturs Sosins: Yes.
Manuel Lemos: You go to hell.
[Laughter]
Manuel Lemos: It's a sin.
Arturs Sosins: Does Android count as Java?
Manuel Lemos: Well, I think you have to program in Java. Although in reality, Android does not really run on Java virtual machines and anything else from Google. But I guess you have to program in Java and then it translates to whatever is the byte code that Google uses.
Arturs Sosins: That will be correct.
Manuel Lemos: Anyway, it's still Java.
[Laughter]
Arturs Sosins: Yeah.
Manuel Lemos: Well, program is still Java.
[Cross-talk]
Manuel Lemos: That's mobile applications, right?
Arturs Sosins: Yeah.
Manuel Lemos: OK, each one has to carry his own cross in the back.
[Chuckles]
Manuel Lemos: I hope it's not too heavy.
Methods on primitive types in PHP and Autoboxing (15:50)
Manuel Lemos: OK, well, anyway, now moving on to another topic, we are going to talk about something.
Actually, it was meant to be a new proposal but somebody somehow already implemented it, it would be something to have, a sort of object-like syntax for accessing objects, I mean the primitive data types like strings and arrays and booleans and whatever.
So, the interesting part is that this is supposed to be a new proposal but there was already an extension that was developed by Nikita. He sort of created this extension to implement things that can write your PHP code as if you are dealing with strings and arrays as objects.
So, instead of calling strlen(), you would call the length() of an object, I mean length function and supposedly, it would be an object but in reality, it is not an object. It's just a form of putting it as if it is an object.
I don't think this will really allow to treat it as an object. Maybe I'm mistaken, I don't think you can create sub-classes, extending the string class. But OK, I don't know if this is what they meant.
From what I understood, I don't think that is the purpose, to make it somehow let you treat these primitive data types as if they were objects. It couldn't even do some chaining because if a function returns another string, you can also treat that string as an object and chain multiple functions.
They say that they make it more readable. Well, it depends. Because if you are used to adding different syntax, I'm not sure if it is very readable. It seems readable for me, I don't know what other people think.
Arturs, what do you think about this feature, which is for now, it is not really implemented in PHP but eventually will become available in future versions.
Arturs Sosins: Well, I have a question then. If someone codes in Java, then he goes to hell. But what happens with the man who wants to make PHP more like Java?
Manuel Lemos: Well, I think he deserves the same punishment.
[Laughter]
Arturs Sosins: Not a larger one, no. Well, actually, I don't know. Even JavaScript, even Lua has the similar approach where you can handle strings, objects; probably not integers, not numbers, but strings, arrays. So, it seems kind of a natural way to do it. I don't think it's bad.
Manuel Lemos: Yeah. It's because in reality, it's not really objects. I don't think the intention is to allow you to do everything that you really do as objects. But OK, if people are more comfortable with this syntax, that's fine, except that it won't be backwards compatible because there is not such feature in the past versions.
So whatever code that you write using these features will not work in past PHP versions, which probably is not the real problem for those that won't use it because they are not distributing code for others to use in different PHP versions. So, that should be fine. But you should be concerned with that in case you are developing code for sharing with others.
Also, related with this feature, there is this proposal here. They call it Autoboxing. Basically, I think it is the same thing, except it is a more formal proposal to make this available in the upcoming PHP releases, eventually PHP 5.7 or so.
Well, for now, this is just a proposal. I did not quite follow the discussions but this is not really a new thing. There were similar discussions back in 2005 and it seems to address the desire of some developers, not really important feature.
But OK, it's yet another one of those features of newer PHP that most of us will not use. At least some people will be happy because PHP is getting somehow more modern because people are benefiting features that they didn't have before. So, they feel good because they think PHP is going through some progress, although it's just syntactic sugar.
Is Your OAuth 2.0 Application Secure? (21:51)
Manuel Lemos: OK, now moving on this time, to comment about an article that I actually released. And basically, this article wants to talk about a security vulnerability that may affect somehow applications that use the OAuth 2.0 protocol and also OpenID, although OpenID is not very common in many applications.
OAuth, as you may know, it's a protocol that allows you to access APIs first obtaining the authorization of users of some sites to access those site's APIs on their behalf. So there is a protocol for exchanging keys and tokens.
And what this vulnerability is about is it can somehow fool the server to redirect the user to a page that is not really the page of the site that is requesting permission to obtain the access tokens.
So I even put here a diagram. Usually, the OAuth flow, it was like this. The user accesses a page of your site. Then, you have an application with some other site API like for instance, Facebook. And to obtain a token, you need to redirect the user to a specific page of the Facebook site and in that page, the user is prompted to say if he allows the application to access certain aspects of the API on his behalf.
For instance, if your application wants to obtain the basic data, the name, the birth date and email address, and so, you can request those permissions. You can also request more advanced permissions like posting on your user timeline.
Whatever are those permissions, you need to pass them to Facebook, in this case. The user will see a prompt, telling "Oh, this site wants to access your profile on your behalf. Do you authorize it?" And if the user authorizes it, the problems redirect back to the site to complete the process. So these are the Steps 1 and 2.
Now, with this vulnerability, it is possible that a malicious site creates a fake authorization page pretending to be your site. It redirects back the user to, for instance, Facebook, except that this time, it specifies a page in your site that happens to be a page that redirects to any other arbitrary site, because it takes some parameter with the URL.
So although the vulnerability is more on the server because the server should verify to which bases it can redirect back to your site. This vulnerability may happen with collaboration with vulnerable sites that did not take some precautions.
So, in this article, I tell what you can do to avoid having security issues because of this vulnerability. Because we should not count on the existing OAuth services to fix the way they operate because in some cases they will break many applications to fix what they need to fix.
So you can do several things like for instance avoiding having redirection pages in your site. You can also do some additional validation of destination URLs so you don't redirect to just any other site.
You can also have some verification of destination URL by having a special hash in the redirection parameters that will somehow prevent that you redirect to malicious sites.
Anyway, this is an article that I wrote as part of a blog that I have with a class for accessing APIs using the OAuth protocol. And this is first to clarify to the users about this vulnerability and second, to tell them that if they are using this class they are not vulnerable because this vulnerability is exploited in those cases that the token of OAuth is returned directly to the application, which is usually when you use, for instance, the OAuth with the JavaScript.
Anyway, Arturs, you have probably been more familiar with this scenario in which you can have this type of vulnerabilities because you use mobile applications. I'm not sure of the mobile flow for OAuth, how exactly it works. Do you think it's more vulnerable or there are some precautions to take to avoid this problem?
Arturs Sosins: No, mostly built-in, as the case with Facebook, it uses the same. The PHP uses the OAuth protocol, so it's completely the same. The mobile access as client and the access needs to be authenticated.
And just recently, I was talking with another colleague working on all sorts of complications, that he need to implement really secure authentication process. And we discussed OAuth as an option on how to do it.
And he told me that he saw many possible vulnerabilities in the scenario. And I think that was one of them and there should be additional precautions. And I think in the end, he has used some kind of service that provided authentication.
Well, basically, it's a pain anywhere. It's a pain on the server side, it's a pain on the mobile. Authentication is a pain. The article is the example of it. So, it's one simple thing that you forget about or you did not think about, that the site can be redirected back and request the token and there you go.
Manuel Lemos: Yes, it's a bit tricky, because just like you said, some people use SDKs and they are not really sure what happens when they use SDKs.
And this vulnerability affects many sites including Facebook because Facebook, from what I remember, it does not verify the return URL. It just verifies if the return URL is of a certain domain.
So if you specify a return URL that goes to a redirect page, Facebook assumes that it's valid and it can expose, it can allow malicious applications to act as if they are your applications. So this is the concern you should have. So what happens when this vulnerability is exploited is that...
Arturs Sosins: Yeah.
Manuel Lemos: Some other malicious site may pretend that is your site and if it does something with the user data, Facebook will not know if it is you or if it is some other site that may cancel your application. That's I think the worst case scenario.
Arturs Sosins: I think in Facebook case, all external links go through their special redirect script that possibly checking for something, for some malicious attempts. And that is probably how they try to control it. Not only with that. Of course, also the content where the link goes, but well, I would say they probably have something against it. I don't think that they would let it slip so easily.
Manuel Lemos: No, I think the problem is if they become more strict in verifying the URLs, many applications will break because they are not specifying URL. But I did not see any prompt.
I think in my opinion, what I would do if I were them is that they would start prompting all developers to assure that all returned URLs will be to specific pages instead of any page of their domain.
And they could probably allow different pages, different patterns of URL, but it will go through a white list. But so far, at least, I have not seen anything. It's not just Facebook. There are many, many sites and they are listed somehow.
There is a site that talks about this vulnerability. It's called Covert Redirect, the vulnerability. No, I don't know... OK, it's here. So there is a site that talks about this vulnerability. It talks about many sites that are vulnerable, and they are not a few sites.
Well, you can check it here. If you're concerned that this vulnerability may affect your applications, you should take a deeper look at this article. Although it is an article about a specific package, it was promoted as Featured, so it will appear in the main PHPClasses blog, so you can take a look.
There is even a video that explains how it works. It shows the vulnerability being exploited in a live site. Well, that's it. If you are concerned, and I think you should be, you should take a look at this to evaluate the consequences if it affects your applications or not.
7 Reasons Why TDD Failed to become Mainstream (34:13)
Manuel Lemos: OK, now let's move on to another topic. This time, it is a more polemic topic. It is related with an article that I wrote. But it all started, I think it was in April that the author of Ruby on Rails framework, David Heinemeier Hansson, he has written an article basically speculating that TDD is dead.
TDD is a methodology that, in simple terms, defines that you should start developing your projects by creating first tests that will verify if your code is written, if it actually performs what it's supposed to do.
So rather than you writing codes first and then write tests to verify if that code is working, it promotes the concept that you should create tests first. Initially the test will fail because you don't have any working code. But then, implement the code and by the time you are done with the code, you already have the test ready to verify that it is working.
All is fine, it sounds awesome because the idea is to promote code quality and if you are promoting code quality there shouldn't be anything bad about except that in practice there are some down sides to apply TDD. And this article is to talk about my opinion of what are those down sides.
But in parallel to this article of David Heinemeier Hansson, there were some discussions. Actually, there are like five Hangouts that happened between David and Kent Beck, the original promoter of the Test Driven Development methodology, as well with Martin Fowler, well-known, I would say, mentor of design patterns being applied to many projects to somehow promote the quality of software development.
And the arguments were very interesting, I think. There are like five videos, they are not small. It's like three hours of videos and the discussions were really interesting. On one side, there was David telling that this, in practice, it ends up causing more harm.
There are some disadvantages, more than the actual benefits at a certain point. If you impose on yourself to use TDD every time, on every project since the beginning, it has some costs that are not negligible.
And the argumentation is very extensive, but this article that I wrote is basically to tell about my views, not necessarily the views of David or Kent Beck or Martin Fowler.
And this raise a very heated discussion even inside the PHP community because there are some people that are very enthusiastic about Test Driven Development. And at the same time, there are certain misunderstandings they got that my article was just to discourage people to use tests which is totally not the case.
Arturs, did you follow this article and discussions about TDD that happened somehow everywhere in all communities, not just PHP?
Arturs Sosins: Well, I think a couple of years ago, maybe three years ago when I was still in university, there was talk about TDD, Test Driven Development. There are some folk that were saying that it was awesome, you should practice it.
And already then, there were folks that were smirking at them and saying, "Well, yeah, maybe in some kind of utopia, it might work, but mostly, it won't." And then, three years, now, there is a silence and nobody talks about it anymore. So, I think it's not mainstream anymore and I don't think that anyone ever really practices it.
Because nowadays, especially with all this technology startup that you have, you need to have a minimum viable product as fast as you can and you can't afford to put more time into such approach in testing that would make you write more than twice as much as code. You just need to create a product as soon as you can and then adapt it, then change it and pivot.
Manuel Lemos: Right.
Arturs Sosins: It's completely wasting a lot of your resources to use a Test Driven Development.
Manuel Lemos: Right. Arturs, you have your startup, right? Startup company.
Arturs Sosins: I participate in lots of projects.
[Laughter]
Manuel Lemos: Yeah, and you know there is no time to lose, just like you mentioned. And this is actually one of the arguments. I did not comment explicitly on the article, but there was discussions on Twitter.
And Twitter and Reddit are like time wasters but there are some people that were very fanatically defending TDD, that some are even departing to personally insult just because they do not tolerate people with different opinions.
And what I realized, most of those people are consultants. They do have their own businesses. They work for somebody else and if the business of somebody else they work for fails for some reason, they do not care. It's not their fault. And it is not really, not their fault.
But what happens is, that in business, they are dynamic, they need to change and if the code that would develop before needs to be redone or even scratched and written to address new business needs, you lose all of your tests.
There is no thing like a refactoring, Oh, let's refactor. That's when you need to do simple changes. When the projects are complex and they need to be totally rearranged, most of the code that you have done for tests is wasted.
And it's not the developer's fault that the methodology is, as you said, a bit utopic, because it aims for an ideal world, but the world is not ideal. That's the main problem.
One thing that I wanted to ask you, so you can give your opinion, it's not just my point of view because I have my own company. I know I have no time to lose but you, of course, have your own experiences regarding your company. Do they use TDD somehow or in certain instances or you do not use it at all?
Arturs Sosins: One could argue that TDD is the same as unit tests, only in one case, you write it before the code and the other case, you write it after the code.
So, in that sense, we write the unit test. Of course, we store them, we retest them, we regress the testings. And for some projects, maybe these tests are really extensive but we never write it before the code. Because, as you said, it can change like architects maybe thought it should work that way, but in the end it works a little bit different because it is more efficient or something like that. And I don't really see going to writing tests before writing a new code.
Manuel Lemos: Right. That's one of the issues that I mentioned. If we start writing test from the beginning, chances are that we have to totally rewrite those tests. So if you can retard the creation of those tests, you'll probably gain a lot of time because we did not spend writing tests slowly before your design was stable.
And I was trying to tell this to some other people that are complaining and they say, 'Oh, you are not designing your projects right. Because if you do TDD, your design will be right from the beginning'. Except they're not. That's totally unlike the real world.
Arturs Sosins: Exactly. Well, I don't know. It's quite impossible to design a large project without really any changes. Not only because maybe, well, we're not thinking about some stuff or forget something. Because the technology changes, something new comes in and it could change everything around you.
So, I don't think that it's bad idea to design something and stick to it. You should adapt, you should be responsive to the changes. I think that it's just a bit practice.
Manuel Lemos: Right. The less you need to change, the better. It would be for maintainability because maybe you have a product that is not in an ideal format of design or implementation. But if you change it too much, if you need to refactor much code, it's already a lot of trouble.
And other than that, you really have to rewrite your tests because all of a sudden, the whole test completely breaks and your application is not broken. But if tests have broken, then you'll spend a lot of time fixing the test and your application is not broken, you spent a lot more time than you should. It's totally a waste of time.
This is not just the opinion of David Heinemeier Hansson or mine or yours, it's the opinion of people that had been developing software for many, many years. It's not that we don't know about what TDD is and it's not that we never applied it.
But in reality, most of the time, we do not write tests from the scratch. We actually, to be honest, we avoid writing tests because we know that's additional work to maintain them.
And so, we really write tests only for things that we are not confident, that they are really working probably because they have to go through some refactor process that really needs to be done. In that case, if you're going through a refactor process that you need to do because you have to, because there isn't a way to progress without that refactor, write the tests right before refactoring and then refactor and see if it works.
But you don't need to do this right from the beginning of the project, you can just do it on demand. When you really, really need to do that. Then, you take some time to write tests but at least, you did not spend three or four times, more time in developing the project and spending three or four times more money because time is money.
For instance, if you're in a startup, money is even tighter. And if you run out of money, probably you think you have to stop the project you are working on because you cannot move on without the money, and if the investor's money has ran out, you need to move to something else and stop your project and that's bad. And that happens a lot.
I don't know if you have any experience, if it happened with you or some other colleagues that you know, Arturs. What is your experience about projects that have to stop because they ran out of money, they ran out of time?
Arturs Sosins: Yeah, basically, I just had one project for which I was working, a great startup and it ran out of funds, so it ended basically. Our contract also ends. It happens, it's sad but it happens. Also, it might be a great product and have some perspective and potential, but if you can't make it while you have the initial investment, then it's done.
Manuel Lemos: And did you use TDD somehow or tests at all in the project?
Arturs Sosins: Yeah, tests certainly. But not TDD.
Manuel Lemos: Yeah, so it would be fair to say if you use TDD from the start, the project would probably have died sooner?
Arturs Sosins: Yeah, it could be.
Manuel Lemos: Yeah. That's my point. Well, there were some intensive discussions about this. For me, telling people that these things happen but they have never been in a startup, they do not believe me.
Probably, they need to actually go to a real startup. Not even a startup, any business that needs to invest in the development of their own products, you need to realize the resources are scarce. You don't have infinite money, infinite time.
And if you get stuck with doing tests, because you are perfectionist and you want to do with the maximum quality that you think it should be, your project dies sooner. That is as simple as that.
I was talking about my opinion, your opinion and David Heinemeier's opinion, but many, many people think like this because they already have gone through this time of many pressures. And they think it's fine, interesting in the ideal world, it's great, but as you said it's utopic.
One of the people that I actually mentioned in the article, actually two well-known figures of software development world are precisely the founders of StackOverflow, Joel Spolsky, a long time software developer, a veteran and nowadays is more like the CEO of the StackExchange which is the name of the company of the StackOverflow site.
And also, Jeff Atwood, one of the core developers - I don't think he's working now at StackOverflow, he has now a new project called Discourse which is a platform for forums - but they simply put it in a podcast in 2009, they simply don't use it, don't use it. TDD is crazy. It's too expensive. It takes too much time and the eventual benefits that you could have from it, they are overshadowed by the costs.
Anyway, we've been talking a lot about this and telling this to people that never had a business experience, never had their own startup, never have worked on companies on which they are also sponsor for the business of the company.
It's hard and some of them took it personally. And it was so bad, the people were so aggressive, so totally intolerant and not willing to understand what were the points that there was even a guy that compared me to Hitler, which was totally absurd.
Because I said, It's not just me, there are many other people that agreed with me. And the guy said, Oh there were many people that agreed to Hitler. There, that is low.
Arturs Sosins: Oh c'mon.
Manuel Lemos: These people are just crazy. Because they are so obsessed, but OK. Then, I also noticed that many of them are just young and inexperienced. I'm sure life will tell them that nothing is perfect and eventually you have to give up on doing TDD.
I want to say give up is not giving up totally. I personally used TDD in some very specific projects. For instance, just recently, I published a component for parsing markdown files, documents, because that is one feature that is being added to the PHPClasses site and JSClasses site that will allow to take markdown files and parse them and then render them as HTML.
So I needed to have some form of verifying that the parse is working correctly. And since the markdown has many features, some interfere with each other because some are block-oriented, other are more span-oriented, I mean character span-oriented and some features interfere with others because some constructs may be nested.
And I was not really confident that it was working well. So I created some tests before implementing some of the features, because I already knew what I would expect. Because there is the specification for markdown. If there was not such specifications, it will be something that I was making up. I would not use TDD because it would still be uncertain, undefined, and could change the design later.
But since it's not the case, markdown is there and more or less standard specifications of the format, I could write this test. But this is one of those rare cases on which I use TDD.
The other cases I also use tests but I do not use TDD. I just first develop the code and then I create, for instance, an example that is expected to take advantage of, to demo, many features and then I capture the output and store it in a file.
Then when I add new features, I run the test and compare it with the file that was there before to see if there was any broken feature or maybe it was a new feature that added some aspect it did not have before and I still validated it. But this is not TDD.
And if I discover a bug, I need to create some tests to reproduce that bug and compare with expected result which would help me to fix, to determine if I fixed correctly that bug and it will not come back. But that's still not TDD because that's after. That's after.
Well, all this to say that TDD, unlike David Heinemeier Hansson said, it's not dead. It has its purposes but you should work only in rare case and only use it when it makes sense, at least in my opinion.
What do you think, Arturs? Do you have a criteria to decide whether to use TDD or not?
Arturs Sosins: You actually had a really great point about the markup, that it has predefined specification and yeah, that is great example where you could use it.
And for overall mainstream usage, I think maybe some kind of enterprise software which is already backed by a lot of money and they have lots of time. And they need to provide really quality code that they may use this approach. But for the mainstream like we discussed, yeah, it's not suitable.
Manuel Lemos: Right. And even for companies that have lots of money, lots of time. In reality, they don't. They may have lots of money but the time is limited.
Arturs Sosins: Right, usually.
Manuel Lemos: Or sometimes, projects have to be canceled. Google has been canceling lots of projects. Sometimes the projects are not going in the right direction.
They just fired the manager or the leader of Google +. It was not the development manager, it was the product manager. Because he did not go to the right direction. Probably they need to put somebody else that moves on with the project, so it goes faster to change a lot of what has been done.
OK, well, just to complete this topic. I just like to make a brief comment about something that I was talking with a local developer here, just telling me about it in the past, he was using Zend framework.
And I noticed that many people that defend TDD fanatically, they are also framework fanatics. They always go with the things with frameworks and that's the way it is. And it's interesting that one thing that I noticed that this developer is telling me, that he used to use the Zend framework and then he decided to drop it because the Zend framework from the Version 1 to Version 2, it dropped compatibility and everything that used to run with Zend framework in the past had been rewritten.
And now, imagine, if we have lots of tests written around that framework, he would have to write a lot of new tests or refactor. Then it will be a lot of work and the functionality that you want would be the same. All this to say, at the same time, they are so fanatic about certain frameworks, they also sort of do not mind this backward incompatible changes as if it was something that would not take time and money to adapt to newer versions.
And well, this is just a comment I wanted to make because I noticed there is this inconsistency of arguments among people that defend TDD heavily.
PHP Composer Private Repository Automatic Access (59:20)
Manuel Lemos: Anyway, we need to move on. We are reaching the end of the podcast. I just like to comment briefly about an article that I wrote just to let people know about an enhancement that was done on Composer.
Composer, the tool to install packages from repositories. And I posted it here because the PHP Classes and also JS Classes allow you to install packages from Composer... they actually have their each own Composer repositories. If you want to install a package from these sites, you can use the Composer tool.
And this new feature of Composer is that it allows access to repositories that are protected with passwords. Could be sites like PHP Classes and JS Classes that in most cases, most packages require the user to authenticate and identify to say that it is a specific user, so the site can keep track of which users are using each package.
But this could also be for instance private repositories that your company may have. So starting now, Composer has this built-in feature to automate authentication.
It works more or less like this. The first time that you are prompted to authenticate, to access a certain repository, you can already tell or authorize Composer to store those user name and password in a file.
So next accesses to the same repositories, you won't be prompted to enter the same username and password. This is stored in the local file and some people have shown concerns that keeping those files with username and password is not secure. So if they won't use it once or twice, they could actually leave it in a file for awhile, then remove that file later.
I think Composer also has a feature that allows you to remove the passwords or at least do not store them.
Well, OK, this is just a brief comment. There's an article explaining more about how this works.
JavaScript Innovation Award Winners of March 2014 (1:02:08)
Manuel Lemos: So now, we are going to move on to one of the final sections of the podcast on which we comment about the latest Innovation Award nominees starting this time with the nominees of March. We are going to comment first on the nominees of the JSClasses sites.
Arturs, which ones would you like to comment?
Arturs Sosins: Let me screenshare it. So what I would want to comment on is the first class by Franz Joseph Brunner from Austria. And what he created is a way to store some information encrypted in images.
Basically, how it is done is that it modifies image pixel, like some bits of it and it also visually... the course but the idea is that the modification would be not so large and only one channel per pixel is modified.
And that way, you could secure or store some information and let others retrieve it later. So, you know like what they say, I think I told you before, as I say, if you want to hide something, put it in the place where everyone can see it. So it's something like that. It's... and Franz provided a way to use it in JavaScript. So good decision.
Manuel Lemos: Yes, that's interesting. I think it is called Steganography.
Arturs Sosins: Yeah.
Manuel Lemos: It embeds some text or some data in an image and it is there but you cannot see it, because it does not affect the image's pixels much.
Ok, and then what would be other packages you want to comment?
Arturs Sosins: And the other one is the Slider. It was created by Michele Prigigallo. Basically, it's the usual slider that you have that changes some features. But the interesting part is how configuration is based on the XML file.
Basically, you can define XML file and tell the script all the information, all the images provided there, that you can define it as you see, part of the image, some title, probably dimensions and stuff like that.
So, that is the innovative part of it, that it could create some configuration from XML file. So, that seems pretty handy.
Manuel Lemos: Yeah, that's right. That's an interesting innovative way of defining slideshows.
On my behalf, I would like to comment on a couple of them. Let me open the pages here. So the first one that I would like to comment is this one called JavaScript Timed Functions.
And it somehow follows the logic of animations on which you define certain effects of animations and those effects will last a certain time, except that this is not specifically for animations. This is for calling given callback functions.
So you define some periods of time and define also callback functions that will be in use, will be called after that period of time.
This is quite interesting because this can be used for many types of purposes that you can use in JavaScript. In JavaScript, many things happen after a certain time. And then, you can use this component for that purpose.
As I was saying, this package was created by Jimmy Bo. Actually, this is an alias. This is his artistic name and he's from Canada.
And also for him, there is another package called JavaScript Pixel Plot. It is somehow also related with animation, except that instead of rendering graphics, shapes, lines or graphical objects, it just calculates the coordinates.
The points of those shapes will appear where they will be rendered, without capturing rendering, just calculates the coordinates. And this is interesting because it could be used for instance if you want to render a certain shape in some canvas or for instance, you want to draw some lines in a non-graphical environment, for instance, if you want to generate some document format that has some graphics in there, you can use this class to somehow calculate the different positions of the points without actually rendering them, just generate the document using the calculated points.
So kudos once again to Jimmy Bo from Canada for this great class, really different, really innovative.
So now, let's move on to the winners of March, but this time from PHPClasses. Arturs, which ones would you like to comment?
Arturs Sosins: Let me mention the first one. Let me just enable the screen sharing again. Here it is.
JavaScript Innovation Award Championship by Country Rankings of 2014 (1:09:04)
Manuel Lemos: Let me just comment briefly on something while you pick the classes. As you may be aware, starting this year, there is a whole competition of not just by author but also by countries.
But at least in JavaScript, in JSClasses, there are not as many classes as there are in PHPClasses. So the rankings of the Innovation Award winners do not feature many packages. The author that is ahead for now is Jimmy Bo, because he has already submitted three packages so he has earned 7 points. Then, there are several other authors with one package each with less points.
What is new this year is that there is a country ranking, accumulating, adding all the points of all authors of each country. The site computes a ranking. And so far, Canada is leading with 3 packages which are the ones from Jimmy Bo.
And it is followed by Italy with 2 packages from different authors here, Alessandro Vernassa and Michele Prigigallo. And then, there are several other countries following with just one package each which was a package submitted by individual authors.
So this is still early in the year. Let's hope that the next month, more authors will turn this ranking into a more competitive championship. OK, let's wait and see.
PHP Innovation Award Winners of March 2014 (1:11:00)
OK, now you're going to talk about the two packages that you wanted?
Arturs Sosins: The first one is PHP Backup Class and when someone says PHP Backup, my first thought is like backing up MySQL class but this class does more. It was created by Andi P. Trix from Romania and this class can not only back up your MySQL databases, it can also back up PostgreSQL databases and actually back up some files from your file system using either file transfer protocol or SSH.
And you can define ini setting files, configuration files, where you can tell what you want to back up and when. And that's why I think this class is quite great and has lots of usages.
Manuel Lemos: OK, that one is from Andi P. Trix from Romania.
Arturs Sosins: Yup.
Manuel Lemos: And what about the other one that you want to comment on?
Arturs Sosins: And the other one is quite interesting. It was created by Chi Hoang from Germany. And as it states, it does some fortune telling. Basically, the idea is that you ask some kind of question, like... and it randomly, by some structure, select some kind of items or words that are rising towards... So basically, in all fortune-telling, as I think, it just tells you some abstract word and you can imagine your own future from it.
[Laughter]
Manuel Lemos: Yeah.
Arturs Sosins: But if we look at the code, then we see that the line that we get is actually not completely used in the selecting of the word, so it's completely random and does not correlate with what you are asked.
Manuel Lemos: It's like the real fortune-telling.
Arturs Sosins: It seems to be a very, very complex way of select...
Manuel Lemos: In fortune telling, we roll some dice and it has nothing related with you, but it's OK.
Arturs Sosins: Yes, same here.
Manuel Lemos: It's just an entertaining thing.
Arturs Sosins: Yeah, just an entertaining thing and we'll need a laugh and maybe there are also usages. I don't say that there is no usages, there may be also usages for this and so I just found it interesting and wanted to mention it. So thanks to Chi Hoang.
Manuel Lemos: On my behalf, I also would like to comment on a couple of classes. First, the one by the Eustaquio Rangel from Brazil, which is basically a PHP PDO OCI class which is basically to use PDO library to access Oracle databases.
And this is somewhat interesting, because supposedly PDO would be this abstract interface to access any type of database. But for some reason, this author prefers to create his own extension. Actually, it's an emulation of the PDO library for accessing Oracle databases rather than using the existing PDO drivers themselves.
So, it has a pure implementation, a pure PHP replacement for PDO Oracle driver. And I thought this is interesting because if you did this, it's because the current PDO support for Oracle is not that good so this should be useful to many other users. And kudos to Eustaquio for this submission.
And the other package that I want to comment is this PHP Indentation Tool package by Roger Baklund from Norway. He has been an author that has been nominated for several interesting packages.
And this one also does something interesting. It's not so much about indenting text but also unindenting text. And while I know indenting is sometimes useful. For instance, if you want to send an email that actually is a reply to some other email, I have already used this several times.
For instance, if a user writes a message, I can automate a reply quoting the original message so I have to indent the text with some characters that mark what is quoted and what is not quoted in text format.
But this package also does the opposite which is unindent, like removing existing indentation there. So this is very innovative and useful, from Roger. So kudos to him for his contribution.
PHP Innovation Award Championship by Country Rankings of 2014 (1:16:40)
Manuel Lemos: Now, we practically reached the end, but this is to also comment on the rankings of Innovation Award. So far, in the PHPClasses site, in terms of featured authors, Orazio Principe from Italy is leading with 2 packages and 11 points. Following right behind him, Roger Baklund, we just mentioned about him. He submitted 3 packages but he still only has 9 points.
So this championship by author is warming up. Then, they are followed by several other authors with one package each. And there is even an author from Latvia but it's not Arturs.
Arturs Sosins: Yeah.
[Laughter]
Manuel Lemos: There is Rolands Kusins. Do you name him? Is he a colleague?
Arturs Sosins: No, unfortunately, I have no idea who he is.
Manuel Lemos: I know, Latvia is a very large country, you don't know that guy.
Arturs Sosins: Yeah, very, very large.
[Laughter]
Manuel Lemos: And then now, by country, we have so far, Brazil is leading with 3 packages and 17 points. This is interesting because there are 3 packages by 3 authors but none of them is the leading author. They are well-ranked but they are not the leader. So, these three authors are contributing for Brazil to be first so far, followed right after by Italy with 14 points, also 3 packages. And Norway, with nine points with also 3 packages.
So it is not sufficient to publish many packages, you also have to publish very innovative packages so they can get voted more by the users and the authors earn more points and their respective countries rank better.
Arturs Sosins: The trouble, there won't be any packages from Brazil this month or maybe even six months.
Manuel Lemos: Yeah, because everybody's at the World Cup.
Arturs Sosins: Yeah.
Manuel Lemos: But I think the rest of the world is also paying attention to the World Cup, except for some countries that are already kicked out of the competition. Too bad, I'm not going to mention any names because it can backfire at my own country.
Arturs Sosins: Yeah, it could.
Manuel Lemos: Let's focus on this championship that will go on until the end of the year, which will determine which country will earn the great prize, which will be this great elePHant here.
And except that the country that wins the prize, all the authors that contributed for their countries to win the prize will get their own elePHant. So, this is a symbolic trophy. Of course, it's not even the value of the plush toy, it's more a symbol of dedication and many people appreciate it.
And actually, I have some authors that weren't even nominated for the Innovation Award. They were asking, "Oh, can I get one of those elePHants?" It's simple, just be the winner of the year and you get your own elePHant.
Or at least contribute for your country to win. So go and get your colleagues from your country that can submit innovative packages and persuade them to submit. The sooner the better, because the more nominees of your country to submit to the Innovative package, there's a greater chance for your country to win.
Also, this is a fun and encouraging initiative to promote something that is ultimately great for everybody: to have more packages for more useful purposes, rather than having the same packages for the same purposes. I hope this comes out great.
Conclusion (1:21:07)
Manuel Lemos: So with this, we practically ended this podcast. I would like to thank you again, Arturs, for coming. I don't know if you have any final remarks. Anything you wanted to comment?
Arturs Sosins: Yeah, I would stay with JavaScript, better.
[Laughter]
Manuel Lemos: OK. Well, on my behalf that is all for now. Bye.
Arturs Sosins: Bye.
[Music]