RailsConf - Day One

On Wednesday night I arrived in Chicago, IL for the first ever Ruby on Rails conference. My Southwest flight from Philly was delayed for two hours so I didn't get to my hotel till 2.30am on Thursday. After less sleep than I had planned for, I went along to the Rails Guidebook. This was a cut down version of the Pragmatic Programmers course developed by Ruby legend Dave Thomas. Dave presented along with Mike Clark and they didn't disappoint. If you ever get a chance to see these guys present make an effort to go see them, they are very entertaining. Thanks to Chad Fowler for enlightening me on the Ruby Gems system during the 'installfest'!

Day one of the real conference kicked off today with a keynote from Dave Thomas on what he feels are areas where Rails can improve. He didn't spend a long time covering it, but support for other data sources behind a model is an important addition. Having improved database key support would also be nice to have for those working with legacy systems.

The best sessions of the day were on Capistrano, a Rails deployment engine, and Asterisk. The integration of VoIP with Web applications is surprisingly simple with this open source platform. I felt the Open ID session was a miss because the information had been presented in a similar way to Dick Hardt's identity presentation, and there was little on the Rails specifics.

A very useful notion from the world of Rails is migrations. These help you update your database based on changes to your application, and are very much automated by the platform. Unfortunately, these are not fully transactional since MySQL and friends do not have support for transactions around DDL. I wonder when they are going to catch up with SQL Server in this regard?

Tagged with rails and rubyonrails.

Review of Protect Your Windows Network : From Perimeter to Data

Protect Your Windows Network : From Perimeter to Data, by Jesper M. Johansson, Steve Riley

When I attended TechEd Europe in July 2002 one of the most interesting sessions was presented by Steve Riley. This was an overflow session presented during lunch, and I thought it would be interesting to check out something I hadn't planned to look at. The session covered use of IPSec, and the presentation style was very engaging. Rather than discuss technology in search of a solution, Steve solicited a number of scenarios from the audience and presented the hidden power of IPSec.

Many years pass, and I spot a blog entry from Jesper Johansson, where he book that is co-authored with Steve. I ordered it almost immediately from Amazon.com and I wasn't let down. This book is a gem for any developer who is trying to understand infrastructure security and the capabilities of the Windows platform. It's a fairly easy read and only delves into the necessary detail, avoiding coverage of mundane technical details that are presented on TechNet. To get the most out of this book you'll want your own test rig set up on virtualised hardware (think VMware or Virtual Server) with a domain controller, certificate services, ISA Server and the like.

It's really hard to fault this book, maybe it should be available in hardback?

Tagged with security and windows.

Crash reporting in Windows

Microsoft have been collecting crash data using a system known as Windows Error Reporting ("Dr Watson") since the release of Windows XP (and possibly earlier). When a user-mode error occurs in an application, a minidump and other pertinent information is extracted. The user is then prompted as to whether they wish to report this information. After the reboot that follows a kernel-mode error (bugcheck) you are prompted to send this information to a secure Microsoft server.

If the information is reported, a back end process does some analysis to see if it matches other error messages and might offer you some feedback. I've certainly benefited from this in the past, as a buggy D-Link driver caused numerous bugchecks (blue screens) and WER pointed me to a source of newer drivers.

I've observed the use of this feature by many people and there seems to be a fairly even split between those that send the crash data and those who cancel out. It appears that many people don't provide feedback because they fear Microsoft getting access to private information. This fear is justifiable, but I think that Microsoft could encourage more people to submit bug reports if they improved their UI design and branding.

The current implementation on Windows XP and 2003 has these faults:

  • The UI is simplistic. Although it offers some information on why you might submit, it fails to reinforce the benefits.
  • Technical information cannot be easily copied to the clipboard. It would also be good to be able to save this to a file.
  • There is little help provided to help decipher the technical information provided.
  • Lack of Windows UI integration. If you are using a shared computer, an administrator cannot see all of the issues which have been submitted to spot problem applications. The settings for crash reporting are hidden away from most users in the system applet.
  • If you are offline you cannot submit a report.

Thankfully there are some improvements on the way. Windows Vista will include support for centralised crash reporting management, and improved UI. I will post a review of this in Beta 2 soon. Users of Office 2007 will notice that the bug and usage data collector is more advanced, and allows you to submit later. This is enabled when you sign up for the application improvement programme when prompted in the task notification area.

Tagged with debugging, error-handling and windows.

Don't forget about Parameterized SQL

It's common to see .NET developers and SQL Server DBAs arguing over the merits of stored procedures versus inline (ad hoc) SQL. It's unfortunate that these folks are so polarised since there is a solution that meets somewhere in the middle. It's called parameterised SQL and it's similar to inline SQL, except that it's based on templates. You effectively have the SQL that exists in a stored procedure, and you specify input/output parameters in the same way as you do for stored procedures. This SQL is then placed in the data access layer of your application.

From what I understand, Microsoft are using this for DLinq and have dropped their recommendation on the use of stored procedures. I'm all in favour of this method since it makes upgrading applications so much simpler, and reduces your dependency on the DBA whilst maintaining a level of protection from SQL injection attacks. There is the point about setting security on individual stored procedures - but how many people really do that? Even when they do they often leave themselves open to other attack vectors.
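The difference between inline and parameterised SQL described above, as an added example that is not from the original post. It uses Python's sqlite3 module as a stand-in for a .NET data access layer and SQL Server so that it runs offline; the table, rows and function names are constructed for illustration.

```python
import sqlite3

# Template kept in the data access layer, like the body of a stored procedure.
FIND_BY_NAME = "SELECT id, name FROM customers WHERE name = :name"


def make_db():
    """In-memory database with constructed sample rows (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO customers (name) VALUES (?)",
                   [("Alice",), ("Bob",), ("O'Brien",)])
    return db


def find_inline(db, name):
    """Inline SQL: the value becomes part of the statement text."""
    return db.execute(
        "SELECT id, name FROM customers WHERE name = '" + name + "'").fetchall()


def find_parameterised(db, name):
    """Parameterised SQL: fixed statement text, value bound as data."""
    return db.execute(FIND_BY_NAME, {"name": name}).fetchall()


def describe(db, value):
    """Run both styles on one input; report rows returned or the SQL error."""
    try:
        inline = len(find_inline(db, value))
    except sqlite3.Error as exc:
        inline = "error: %s" % exc
    return {"inline": inline, "parameterised": len(find_parameterised(db, value))}


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a plain name, a name with a quote, a quote-breaking value.
    for value in ("Bob", "O'Brien", "x' OR '1'='1"):
        print(repr(value), describe(db, value))
```

The inline query breaks on a legitimate name containing an apostrophe and returns every row for the quote-breaking value, while the parameterised template treats both as plain data.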

Tagged with performance, security and sql.

Are data grid controls good for end users?

Rod Paddock recently posted on his experiences with WPF. Something that jumped out at me was his criticism of Microsoft for omitting a Datagrid control, although a basic grid control is included. The lack of a traditional Datagrid doesn't bother me too much, but I can see how it might impact a lot of developers. WPF is at least six months from release so it's likely a third-party will fill this gap, if Microsoft aren't pressured into writing one.

In case you don't know, the data grid is a UI control for Web and Windows development included with every release of .NET so far. It's a staple for UI control vendors and has been replicated in many other development environments. At a base level it displays data in a tabular format. However most incorporate in-place editing and control hosting features.

Perhaps the lack of this control in WPF is a blessing in disguise since developers might stop to think for once. From my experience the data grid control is:

  1. Often misused by developers
  2. Too heavyweight on the client
  3. Complex for the developer to implement and maintain

Misuse is the biggest concern for me. Time after time I see projects where a developer has slapped on a grid as the UI, without concern for the end user. I refer you to the hideous multi-coloured grids with full editing enabled that litter business applications today. Vista is supposed to make us re-think the user interface to some degree - should we carry forward some of the rubbish that is produced today in the name of software UI design?

As an aside, I'm a big fan of FogBugz and it includes a grid UI for listing cases. However, it also includes a list view, which must be popular with some end users for FogCreek to include this functionality.

Onto point two which is only valid when you really care about your users (most line of business developers need not apply!). Grids are heavy on the client if thought is not put into their operation in production. I'm all for avoiding premature optimisation, but avoiding optimisation altogether is something else entirely. Costs for grids on Windows include the memory for the control and data. On the Web you often produce a lot of HTML tables and other junk which has to be delivered to the browser. If ASP.NET is used there is also likely to be superfluous viewstate information. As you cram more features in you are penalised for each one unless you can selectively control their use.

My final point, number three, relates to the complexity that you heap upon yourself as you strive to make your application more complex for end users. Why try to combine editing, deletion and creation of records into one screen? It's often a false economy on behalf of the developer that all of this can be rolled into a single application form. If I had a penny for the number of times a reasonable developer struggles with getting access to the value cell in an ASP.NET Datagrid, I would be very rich.

Getting back to WPF and Vista, I think that developers like Rod need to start looking at how they visualise information. Until now, .NET programming has been about ramping up productivity on the parts of an application a user shouldn't experience directly. With WPF it's about how the user interacts with the application, and this requires the attention to user experience that Web applications have had for years. If the current generation of developers don't wise up and appreciate the implications of this technology they will deservedly end up on the scrap heap.

Tagged with datagrid, usability and wpf.