Older blog entries for gstein (starting at number 78)

21 Nov 2000 (updated 21 Nov 2000 at 08:38 UTC)
Um... dood. I know Basic auth is (typically) evil. I know how it works. yada yada yada. And yah, I know about mod_ntlm and the others. (mod_ntlm's existence is why I mentioned that auth scheme to jmg) I've been working on Apache for nearly two years now. I've been working with HTTP for twice that length. I'm an old fart :-), and I've been working with this stuff (or crap depending on your point of view :-) for quite a while now.

And one thing that you forgot: Basic auth can be perfectly fine. Just use it with SSL. (some people could also argue that it is fine on a firewalled LAN)

That said: I'm totally happy that you posted that info in your diary entry. There is a lot of stuff in there that other people don't know, but should. :-)

Back to our regularly scheduled program...

Boy, you'd think that I'm doing nothing but responding to jmg lately :-)

I think pretty much all of today was spent dealing with mail. In particular, the DeltaV group has been discussing what happens when you check out a "collection version". Oy... details details. It is this specification stuff, down to the nitty details, that I dislike about RFCs :-)

The APR split happened today. APR is now its own project at the ASF. This is quite cool, since it means that more than just Apache HTTP Server people can work on the thing. Hopefully, it will also mean that more people will use it, too. Conceptually, it is very similar to the NSPR (used in Mozilla), but it focuses on some slightly different things, it has the years of testing based on its origins in Apache, and it has the much nicer (less restrictive) Apache license.

I think I'm off to update some of the APR web site and main docs. After that, it is time to do a bit of SVN coding. Live properties are on deck.

Oh. Wait a sec... I gotta code a PHP app tonite for dealing with gift exchanges. Ah well, so much for SVN tonite :-)

I think you need to review your HTTP security :-) Digest auth does not send the password in the clear. Please refer to RFC 2617 for more information. And client-side certificates for HTTP do have an RFC. Please refer to RFC 2246. (I haven't looked to see if Kerberos or NTLM have RFCs, but they are certainly implemented (and I presume doc'd somewhere))
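What Basic and Digest each put on the wire, as an added example that is not part of the original diary entry. It uses the sample credentials, nonce and cnonce from RFC 2617 section 3.5; the function names are illustrative, not from any library.

```python
import base64
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def basic_header(user, password):
    # Basic: base64 is an encoding, not encryption
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def recover_basic(header):
    # What anyone who can read the request recovers when no SSL is in use
    raw = base64.b64decode(header.split(" ", 1)[1]).decode("utf-8")
    user, _, password = raw.partition(":")
    return user, password

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 3.2.2.1: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_verify(stored_ha1, response, method, uri, nonce, nc, cnonce):
    # The server keeps HA1 = MD5(user:realm:password), never the password
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)

# Sample values from RFC 2617 section 3.5
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
NC, CNONCE, URI = "00000001", "0a4f113b", "/dir/index.html"
HA1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")

if __name__ == "__main__":
    hdr = basic_header(USER, PASSWORD)
    print(hdr, "->", recover_basic(hdr))
    resp = digest_response(HA1, "GET", URI, NONCE, NC, CNONCE)
    print("Digest response:", resp)
    print("verifies:", server_verify(HA1, resp, "GET", URI, NONCE, NC, CNONCE))
    # A captured response is bound to the server's nonce and fails under a new one
    print("fresh nonce:", server_verify(HA1, resp, "GET", URI, "f" * 32, NC, CNONCE))
```

The Basic header decodes straight back to the password, while the Digest response is a hash tied to the nonce, method and URI.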

Sorry about future.texi; I thought it was on the website and easily found (and thus: you had seen it). Distributed repositories are definitely in the works for post-1.0 release. It is a common request :-). And yes, I knew about future.texi (I'm one of four initial/core developers for SVN).

You mention being able to do "sc update" to fetch multiple projects. CVS can do that today. A working copy can refer to multiple repositories. However, this does mean that the user must set this up by prepping their working copy to refer to each of those disparate repositories. But once set up, it will work fine after that (as if everything in the working copy came from the same repo). With SVN, a repository can create logical links to other repositories. When the client fetches the main repository, it will automatically be redirected to the others and they will all be fetched as if they were one. Summary: CVS can refer to multiple repositories in a working copy, but the user must set it up; in SVN, the same is possible, but a repository maintainer (rather than the users) can set it all up.

When you say "inter-repository communication", I think more on the lines of a distributed/replicated repository that can automatically synchronize changes between each other. That is a bit more difficult, which is why it is post-1.0. Few systems do this well; ClearCase does it, and BitKeeper might.

SVN 1.0 will probably be released around end of Q1 2001. We'll have a basic, networking-capable version which supports basic ops (add/update/commit/delete) within a couple weeks.

Just a few hilites, as this isn't a good mechanism for discussion, and I'm not interested in being defensive.

DAV is an HTTP extension. That means that it is HTTP at heart, with some new methods, headers, etc. Since it uses HTTP, it can use all of the authentication mechanisms available to HTTP. This can be as simple as Basic or Digest auth, or as complicated as client-side certificates, NTLM, or Kerberos. Encryption is handled using SSL. ACLs are handled as part of standard HTTP authorization mechanisms.

Yes, I read your design document, but it felt more like a wish list or a requirements doc than a design.

The SVN design document was written entirely before implementation began. It is actually quite a bit out of date :-). Ben did some work a couple weeks ago to update a few of the more egregious errors.

Inter-repository communication (and replicated or distributed repositories) are going to happen after the 1.0 release. We want something that can be used sooner rather than later; something that is at least as capable as CVS and can fulfill all the roles where CVS is used today.

And are we doing something new? Yup :-) We're building a version control system that kicks butt. Sure, maybe some commercial packages such as P4 or ClearCase have done this before. But they haven't released it as Open Source. Now that is something new, and quite cool.

Umm... jmg, where the heck are you coming from when you say that Subversion (SVN) "just fixes misfeatures of CVS instead of actually being a 21st [century] ... source control program" ? Ahem.

SVN has a multithreaded, robust, high performance repository based on the latest Berkeley DB (the same core used by the next rev of MySQL). The network server is Apache 2.0, providing one of the most tuned and portable network servers on the planet. The wire protocol is WebDAV, and more specifically, DeltaV. WebDAV is definitely a new, modern, and robust wire protocol (spec'd by RFC 2518); especially designed for document management and version control systems. The client side is a well-designed set of library modules, with a thin command-line client on the front. The libraries will allow for easier implementation of scripting frontends, graphic clients, and other embedded systems.

Just what part is not a modern version control system?

(and I'm not even going to get into the capabilities of the repository compared to CVS, and how the SVN repository easily fixes and handles all the things we hate about CVS)

(oh, and I'll be polite and not comment on your "design doc", but will just compare your page against the couple dozen pages of the SVN design doc)

Well, writing the code for DAV dead property support for SVN was cake. I figure getting drunk next time will make it more challenging. :-) ... Still have the live properties to deal with, though. At that point, I'll have a real DAV server against the SVN backend. It won't be a versioning server, but it will support the DAV clients out there.

I'm thinking to do the live props, then work on some client-related work. I'm unable to test the server until the backend is completed. While there is an API that I can code to, it isn't quite there yet, and it is subject to change. Not to mention there isn't a way to create and fill a repository yet. Ah well. While the server can idle in a somewhat untested state, I can begin the client work to issue a bunch of commands against the server to do an "update" or a "commit". The checkout is pretty well handled already -- it actually works against just about any DAV server since it just fetches files recursively. Of course, it will get trickier in the future when we want to fetch a specific revision or tag.

Hrm. Checking out the java.apache.org pages. Gonna go in there and make it refer to the jakarta.apache.org pages better. The java site is just too separate, and doesn't acknowledge the fact that the real work is over in the jakarta world. Of course, this peeves me greatly because I have nothing to do with Java. This is just cleanup after the Java boys who don't want to take the time to merge the two sites. Instead, they just keep tramping along with two sites. Boneheads.

Watched Titan AE tonite. Damn. A lot better than I had expected. Excellent graphics, pace, sound, etc. It really flowed, and the eye candy was awesome. Parts reminded me of Heavy Metal, the way that animation plus great backgrounds were done. But in Titan, they mixed animation, CGI, and regular cel work together into a great action movie. I'd recommend watching it. Definitely. Oh, and get yourself a subwoofer. Hoo!

Tomorrow is dinner up in the city somewhere. Dunno where... that is still pending. Tonite was a good dinner at home.

Urk. Damn CVS checkout is still going. I'm guessing the pdf that it is working on is some monster of a file, and it is just taking its sweet time to shove that over my downsized pipe. Fuck PacBell. Oh, but that's another story.

Spoke on the phone today with jimb about Subversion's "filesystem" interface. We're all sync'd up, and he'll get cranking on the updated design this weekend.

Lately, I've been spending some time dealing with the move to split APR out of Apache 2.0. It is moving smoothly, and we'll do the split in a week.

This past weekend, I was in New Orleans for a bachelor party. Oy. Talk about a lot of good drink, good food, and a ton of fun. Las Vegas is still a great place, but you can't walk the streets in Vegas with drinks in your hand. Big drinks. They both have food, drinks, strip clubs, and gambling. Apparently, New Orleans finally came to grips with the farce of riverboat gambling and allowed a Harrah's to install a casino "on land". (I hear it is losing money, though) New Orleans doesn't have the shows that Vegas has, though. Last time we were in Vegas (back in April), we went to see Mystere, a Cirque du Soleil show. It is a great show. "O" is another CdS show, at the Bellagio (Mystere is at Treasure Island). So, Vegas is probably a bit more fun because of that, because of all the big-ass hotels and sights, and there is much more variety in gambling. Although N.O. wasn't bad in that department: sat down with $100 and walked away with $209 about 45 minutes later (the $1 was a tip for the drink; I count drinks by watching those dollars; last time in Vegas when I was down $14 in dollar chips, I knew it was time to quit :-)

So... survived that, and have been trying to catch up on email. That always sucks. It seems that I can never quite do it. Ah well.

Before going to Vegas, I started working on the new "walker" concept for mod_dav. Cleaned it up drastically, and revised how mod_dav_fs does its walking. I realized that a lot of the walker design was based on some internal needs to mod_dav_fs, so there were some excellent simplifications in the public interface. This will make creating a walker for SVN much easier. (and I started on that before leaving)

Today, I'm busy reviewing a huge patch from John Vasta for the mod_dav in Apache 2.0. John works at Rational and he uses ClearCase for managing all of these projects. I tell you, that software must kick ass for comparing projects and merging changes back and forth. He took all his work against mod_dav 1.1 and forward-ported it to Apache 2.0. Didn't miss a beat, and produced a winner patch. I just committed the thing straight in, and will make extra little tweaks if needed. But this provides a great basis for building the versioning pieces for SVN. It is missing activity support, but no problem... I can easily handle that portion (and John will back-port to mod_dav 1.1).

Coming up will be continuing to flesh out mod_dav_svn in the Subversion project. I need to add the walker, add properties (live and dead), and then begin the versioning stuff. Once I get a server built, then I can drive it with some Python scripts. When it seems fine, then it will be time to do the client-side of the connection (libsvn_ra_dav).

Thanksgiving is coming up next week. Going to have four people over (six of us total). Should be great fun, and we're hoping to have our new dining room table and chairs here. The table sits six easy, but can go to ten with the extensions. (it would be great to "go to eleven", but that doesn't work well for a table)

Hoo boy. Lots of stuff since the last diary entry. ... two week vacation to Australia for the Olympics and the wine country ... a week off to London for ApacheCon ... some SVN hacking ... Apache hacking ... dealing with my DSL going out ... etc

Well, SVN passed Milestone 1. M2 is basically the same feature set, but over the network. Since I'm the network guy, that means I have a good chunk of work to do. Due on December 1. Should be doable.

Apache is breaking the APR project out. That will be cool. Subversion is using it, and I can easily see a lot of other apps having a need for it. Making it independent of the web server will make it a lot more attractive and approachable to others.

Well, that is it for now. More soon... honest :-)

Been doing a bunch of work on Subversion and Apache... getting the server side of SVN into gear. It is going okay, but the amount of work seems to be a bit larger than I had thought. No real problems that I foresee, but it won't be something banged out in a night.

Busy week with friends in town, and going out to do things. My friend Sergei came last weekend, then John Viega came by a couple nights early in the week, then our friend Z (aka Diane) came over Friday and she and Anni went for a Girl's Night Out (I stayed home and hacked on SVN), then Saturday was the Palo Alto Black and White Ball (very fun), then a brunch this morning (six of us), followed by Sergei dropping by again (motoring home this time, after a Disneyland trip). A few more days, and I'll be off on vacation myself...

Gotta get my ApacheCon materials in today. I'll also be speaking at XML DevCon, but those materials have a bit more time. I'll be doing a bit more SVN hacking before taking off, but I also have some home networking issues to deal with before then (sigh), so I dunno how much SVN work will get done.

Off to sleep...

Got a bunch of Subversion (SVN) coding done. The client side now uses Neon to traverse an SVN server (just a DAV server at the moment) and fetch the most recent version. There is definitely more work to do, but having it grab the stuff is a big step.

The SVN client uses the excellent Neon library for all of its HTTP operation. Neon is a great library if you need to do any client-side HTTP code (from C). I built the SVN client stuff in just a few hours -- the HTTP stuff was brain-dead simple. Thanx Joe!

Been watching a ton of Dragonball Z lately. While we've had somebody here doing wallpaper, I've been in the family room (rather than down in my office in the basement). Well... what else to do? Turn on the TV to the Cartoon Network, watch cartoons, and hack on the laptop. DBZ comes on for an hour each day... over the past week, I've watched quite a bit and have been getting into it. Gundam Wing is just a big question mark -- it is hard to figure out what is really going on there. Sailor Moon is just dumb. Ooh! Johnny Bravo is on now... woo.
