I recently had an idea for a small web application, and seeing as I’ve not spent as much time as I’ve wanted to using Rails – I opted to build it the latest version of Rails. A decision that caused far more grief than I expected.
If you are using Dreamhost’s PS offering (a managed VPS for those that don’t know), the seemingly simple task of getting a Rails 3 application up and running is actually quite complex. The root cause of this is that Dreamhost’s OS image is based on Debian etch, which was released in April 2009 and has since been replaced; which means etch has become fairly outdated.
Here’s the process I used, and so far it seems to be working quite well:
Domain Setup:
When adding your domain to the Dreamhost panel, you’ll want to enable Passenger.
Once your application is uploaded to the server, you’ll be greeted with a particularly unhelpful error message (something like “uninitialized constant Bundler“) from Passenger (or perhaps just a 500 error page).
Server Updates:
This is where the work starts, and gets somewhat ugly. As a warning, it’s quite possible that you could damage your configuration doing this; though thankfully you can restore your server to a working state within a few minutes from the Dreamhost panel should something go wrong. You’ll also need to have an “admin user” for this task, as much of what needs to be done has to be done as root.
First step: Get your PS up to date; even after performing a restore on my server, there were a number of updates that are available to be installed. So let’s start off by getting those out of the way.
sudo apt-get update sudo apt-get upgrade sudo apt-get -f install
Once you get past those three commands, the next step is to update SQLite to the latest version, as the version Dreamhost uses is quite old and won’t work with Rails 3.0 (well, to be accurate it won’t work with the latest version of sqlite3-ruby, which is the default database provider for Rails 3).
wget http://www.sqlite.org/sqlite-autoconf-3070400.tar.gz tar zxvf sqlite-autoconf-3070400.tar.gz cd sqlite-autoconf-3070400 sudo ./configure --bindir=/usr/bin --libdir=/usr/lib sudo make sudo make install
If you don’t update SQLite you’ll get an error like this:
sudo gem install sqlite3 Building native extensions. This could take a while... ERROR: Error installing sqlite3: ERROR: Failed to build gem native extension. /usr/bin/ruby1.8 extconf.rb checking for sqlite3.h... yes checking for sqlite3_libversion_number() in -lsqlite3... yes checking for rb_proc_arity()... no checking for sqlite3_initialize()... no sqlite3-ruby only supports sqlite3 versions 3.6.16+, please upgrade! *** extconf.rb failed ***
or if you install the updated version, but don’t force it to /usr/lib you’ll get an error like this:
sudo gem install sqlite3 Building native extensions. This could take a while... ERROR: Error installing sqlite3: ERROR: Failed to build gem native extension. /usr/bin/ruby1.8 extconf.rb checking for sqlite3.h... yes checking for sqlite3_libversion_number() in -lsqlite3... no sqlite3 is missing. Try 'port install sqlite3 +universal' or 'yum install sqlite3-devel' *** extconf.rb failed ***
Once that is taken care of SQLite, the rest is easy.
sudo gem update
At this point if you visit your new Rails site, it should be working!
Notes:
- I’ve not tested this extensively, and I’ve no idea if this breaks anything. All I can say for certain, if that all of my sites still work, but your mileage may vary. <Disclaimer />
- I was a fairly early Dreamhost PS adopter, and part way through this process I reset my server to get it back to a clean state. After resetting, I noticed some differences with the behavior of
apt-get(404s onupdateandupgradeare gone), so for other early adopters it may be necessary to perform a reset to get your servers configuration in-sync with the latest official setup. - I can’t say for a fact that this is completely necessary, though you’ll likely need to selectively update a few packages if you skip this step. Also, for me,
gemwas broken until I ransudo apt-get -f install. - Special thanks to Matt for helping me get this working; troubleshooting the SQLite install was more than a little time consuming.
In a somewhat (but not entirely) surprising announcement, Google is removing support for H.264 video from Chrome. This change to their implementation of the often controversial HTML5 <video> tag is both a major step by Google and a furtherance of the already complicated world of video online.
… To that end, we are changing Chrome’s HTML5 support to make it consistent with the codecs already supported by the open Chromium project. Specifically, we are supporting the WebM (VP8) and Theora video codecs, and will consider adding support for other high-quality open codecs in the future. Though H.264 plays an important role in video, as our goal is to enable open innovation, support for the codec will be removed and our resources directed towards completely open codec technologies.
When Google released WebM (a royalty-free codec which Google acquired as part of On2), it was clear that the intention was to take on H.264 and with this move there seems little doubt that the gauntlet has been thrown down. Although, now that H.264 has such a strong base (it’s included in Flash, IE9, Safari, Mobile Safari, and Android), it really makes one wonder if Google has picked a fight that has long since been lost.
So why would Google do this?
Here’s my best guess: Money (specifically, patent licensing).
H.264 is heavily encumbered by numerous patents owned by companies like Microsoft, Apple, and Cisco, and controlled by MPEG LA, the consortium charged with turning these patents into profit (here’s the 70 page list of patents for those interested). While I’m sure many people recall that MPEG LA made a very public pledge that H.264 would be free forever, as is often the case, things aren’t quite that simple.
Peter Csathy wrote a fairly detailed post on the matter, pointing out some key details that many in the media skipped. Here’s the core of what wasn’t discussed after the MPEG LA announcement (but should have been):
But, you say, MPEG LA recently announced that it will no longer charge royalties for the use of H.264. Yes, it’s true – MPEG LA recently bowed to mounting pressure from, and press surrounding, WebM and announced something that kind of sounds that way. But, I caution you to read the not-too-fine print. H.264 is royalty-free only in one limited case – for Internet video that is delivered free to end users. Read again: for (1) Internet delivery that is (2) delivered free to end users. In the words of MPEG LA’s own press release, “Products and services other than [those] continue to be royalty-bearing.”
Mike Shaver, Mozilla’s VP of Engineering offer’s a somewhat similar take in “Free as in Smokescreen:”
What MPEG-LA announced is that their current moratorium on charging fees for the transmission of H.264 content, previously extended through 2015 for uses that don’t charge users, is now permanent. You still have to pay for a license for H.264 if you want to make things that create it, consume it, or your business model for distributing it is direct rather than indirect.
What they’ve made permanently free is distribution of content that people have already licensed to encode, and will need a license to decode. This is similar to Nikon announcing that they will not charge you if you put your pictures up on Flickr, or HP promising that they will never charge you additionally if you photocopy something that you printed on a LaserJet.
I’m just waiting for one of the licensors to reinterpret the license and claim that ads constitute a form of payment or some similar excuse to exclude them from the exception they granted. I’ve yet to get my hands on the latest licensing agreement to see exactly what it says about this, but I wouldn’t be surprised at all to see this card played at some point to wring extra revenue from these patents.
Given that Google owns the massive video sharing site YouTube, which uses H.264, plus whatever unknown projects relating to Google TV – it stands to reason that Google would certainly save some money by moving away from such an encumbered technology; not to mention avoid future risk should rules change. Though personally, I also have to wonder if it could be fears of a repeat of the GIF patent debacle.
Now where does this leave us?
Right now HTML5 <video> is a mess, at best. There is a war for which codec becomes the de facto standard, and there is a lot of money at stake depending on who wins. At this point there is no single codec that works across all major browsers; to get full coverage the best option now looks to be a combination of H.264, WebM, and Flash. Doesn’t really sound like the progress that was promised with HTML5 does it?
It’s worth noting though that Google isn’t the first browser developer to reject H.264; both Firefox and Opera have decided against including it in their browsers as well. As painful as the fragmentation is now in regard to who supports what, this move by Google actually does little to change the landscape. Support has been fragmented from the beginning, and all this really does it push H.264 a step away from being the de facto standard; a title that it has been very close to seizing.
Had Firefox added support for H.264, I think the fight would be over and would have made today’s announcement almost suicidal for the project. Though with such a major player holding out against it, Google’s move becomes a minor tactical shift in the short-term (though the long-term impact could be significant).
I could go on for pages about what works are where we are now, but Mark Pilgrim (an infinitely better writer than I) sums it all up here: “Dive into HTML5: Video on the Web” – well worth reading if you want to really understand what’s going on.
So in summary – video needs to be encoded to multiple formats, which today’s announcement does little to alter due to the fragmentation that was already in place. In the long run, WebM may be better for the community due to its license, though many of the internet’s biggest players have a vested interest in H.264. So when you factor in politics and propaganda between competing companies, distrust, and possible patent claims that haven’t been addressed yet; this all leads me to an even simpler summary:
Yesterday, HTML5 <video> was a mess; tomorrow it will still be a mess.
Do you use MD5 or SHA1 to store passwords? Think they are secure? Think again.
While generic hashing algorithms are certainly better than storing passwords in plain text, it’s still not as secure as it should be. Users place great trust in us to ensure that their credentials will be secure and treated with the utmost respect; it’s our responsibility to live up to these expectations.
With the simplicity and speed of these general purpose algorithms, it’s possible to generate hashes looking for collisions (or even the original value) extremely quickly. It’s this speed that introduces the fatal flaw; with a database dump containing MD5 hashed passwords, with a fairly small investment most could be recovered within a very small amount of time (mere days for a large database).
Many people are moving to bcrypt as a solution. In Coda Hale’s “How To Safely Store A Password” he covers this topic in more detail, complete with useful stats and links to implementations in languages from C# to Ruby (even Erlang is represented).
If you are looking for ways to better protect your user’s data, take a closer look at your password storage.
When you move on to your next challenge how will those that inherit your code think of you? Noble or notorious, innovator or insane? This is a question that all developers should ask themselves frequently; though too few ever do. You should always write with the assumption that someday a new developer will take over your code, and they will question every decision and assumption you’ve made. When this happens, what will they think of you?
Perhaps I’m more aware of this because I maintain an internally developed shared library that my company uses in every application; but regardless of the scope of the project you should always assume that someday you will hand the project off. Many developers think little about what happens to their code after it passes on to another; what other developers will have to deal with, or how their efforts will be perceived.
When I’m training a new developer there are a few points I try to reinforce as much as possible:
- Code is only good if other developers can work on it without extensive training. If it takes days or weeks of introduction to get a new developer up to speed, then you’ve done something wrong1.
- Clever solutions are no better than an ugly hack if it’s not clear what you are doing. If the code isn’t clear then it’s not maintainable, if it’s not maintainable then it’s junk.
- Assume you’ll be hit by a bus. Always write code with the assumption that you won’t have the opportunity to cleanly pass the code off to a new maintainer. Never assume that you’ll have time to come back and clean things up later.
- Always perform design reviews, no matter the size of the project2. Once you have a design in mind, talk it through with a at least two other developers. Just because you think it’s clean and clear doesn’t mean that others will see it that way as well.
- Be consistent, always. I’ve seen more projects ruined by people doing things “their way” than anything else. Match style and design when working on an existing project. Be careful when adding new techniques, technologies, or methodologies to an existing project; unless you are willing to update the entire code-base, you can easily create a minefield without realizing it.
If you want your work to be seen positively after you move on, start thinking about your heirs today. The opinion they have of you will be almost entirely based on what they see in your code – not the stories or memories left behind.
1 – There are always exceptions; these are generalized guidelines, not hard and fast rules.
2 – This includes “throw away” projects, many projects that are intended to have a short life end up living far longer than intended. This is the most likely place that your heirs will find code that makes them question the quality of your work.
I’ve been a fan of bbPress for quite some time; I’ve even contributed code to the project. For those that aren’t familiar with it, bbPress is an open-source forum system written in PHP. It’s fast, lightweight, easy to install and even easier to use. It also scales, quite well.
bbPress was originally written to power the support forums WordPress.org, which get quite a bit of traffic. Later, it was released as a separate project. While it doesn’t have nearly the feature set found in more popular systems such as vBulletin or phpBB; it makes up for it in simplicity. It’s designed to be conversation-centered, where the clear focus is on what people are saying, not the bells and whistles provided by the software.
I’ve used it for a couple sites and couldn’t be more pleased; though now I fear the end may be near.
Automattic, the company behind WordPress.com (and ListPress.com) has committed to supporting the project; though primarily in context to its role in the WordPress world. bbPress as a separate product has so much potential, though it seems Automattic has little interest in this; instead the interest seems to be in making bbPress just another add-on for WordPress.
At one point there was a lot of excitement and interest surrounding bbPress, though for a project like this to succeed you need input from the community, you need an open and fast paced development process. Unfortunately for bbPress, it had no such process. There were people who had the skill, time, and interest to lead the project and make it a success; but they were pushed away and the project was allowed to stagnate.
Today, there is some activity going on, and I’m glad to see that it won’t fade away completely; though I see little chance that it will live up to what it could have been. I have a lot of respect for Matt and Automattic; they’re very successful and build great products; but they could have done so much more.
bbPress will go on I’m sure; though I believe only as a shadow of what it could have been. Though maybe Matt will prove me wrong, I certainly hope so.
In December 2002 I made my first purchase from GoDaddy, since then I’ve spent $1,200 with them. Over the years I’ve seen them grow up to be a major force both in the registration and web hosting markets; I’ve also seen them go from lean and efficient to annoying and unfriendly.
Once upon a time GoDaddy had the best prices and the best search of any registrar; unfortunately things often change, and not always for the best. As time went on they added more products and adopted a very “in your face” style of marketing. For years I’ve dismissed the aggressive marketing as the cost of the low prices, but times have changed.
The aggressive marketing style, incredibly difficult to cancel subscriptions, feature lock in, and many other annoyances and issues. And why do I put up with this? It’s not the low prices, as for many things my current hosting company is far cheaper. I’m no longer locked, it’s not that. Loyalty? That it, well, that was it.
After 7 years, and $1,200 – I’ve started moving my domains over to my hosting company; and so far I couldn’t be happier. No aggressive marketing, good service, and they don’t nickel and dime me to death.
Loyalty can be a good thing, but how much is loyalty costing you? Is it worth it?
