Geoff Arnold's Blog
Please visit my main blog at GeoffArnold.Com.

Thursday August 26, 2004

The balancing act, resolved

The territorial imperative is a powerful force. When b.s.c started up, I grabbed the geoff slot, even though I already had a blog. In fact my very first posting mentioned the issue of balancing how I might use them. Well, after a few months I've decided that I'm going to concentrate on geoffarnold.com and let this blog lie fallow. I may even republish some pieces (such as a revised version of Anticipation and verification) and shut this one down. We'll see. For now, if you've blogrolled this site (Thanks!), you might want to switch the link to geoffarnold.com.

(2004-08-26 11:16:08.0)

Thursday August 12, 2004

Anticipation and verification [long]

Imagine I'm a Windows PC power user. I buy some new software, perhaps on CD, perhaps via download. I start the installer, answer all the questions, and go off to have a coffee while the installation runs. When I return, the installation is incomplete: not because anything went wrong, but because my firewall software is asking whether I want to allow the installer to connect to the Internet.

What should I say?

Obviously I say "Yes", right? But why do I jump to that conclusion? And should I give the software carte blanche to do any subsequent net access, or not? Clicking OK every time gets ever so tedious, and it's a known product from a reputable vendor. Maybe it's even "Signed by FrobozzCo" - but that only tells me who to call if it breaks....

The fact that this interaction is occurring at all is because there's a human in the loop: me. And I'm fairly savvy about such things. I certainly wouldn't trust a "typical" user to get this right. Whenever my wife (a self-confessed technophobe) acquires new software for her PC, I always install and run it a few times, just to get the firewall settings correct. I've "trained her" to interpret any alert from firewall or antivirus software as a problem, not as a normal operational condition. But since I'm basing my decisions on guesswork, even I sometimes get it wrong (which can result in an urgent phone call to me at work).

Now it would be easy for the vendor to include a step in the installation that told me:

This software will contact registration.frobozz.com once during installation. When you use the product, it will contact update.frobozz.com every week to check for updates; you can disable this behavior via the Edit->Preferences menu. The Tutorial module will also open a web server on your machine on port 6565, but will accept only local connections on this port.

This would allow me to respond to the alerts from my firewall based on knowledge rather than guesswork. In fact, if my firewall were just a bit smarter, I could "lock down" the application so that any network access that violated this pattern would be caught.

But why not go further? Why should I have to train my firewall by responding to alerts? If the application vendor can describe the access patterns in human-readable form, why not include a machine-readable document with the same information? Why not include an installation option to Install firewall rules for this application, with the firewall software displaying its interpretation of the policy to me for approval?

So far, we've been talking about end-user software, with a human owner/operator in charge of a very simple firewalled node. But the same problems exist in commercial software, and as far as I know they aren't really being addressed. (If anyone knows differently, please let me know.) Suppose you want to deploy a new servlet (probably one of the most common situations). Some developer ships over a WAR file to you and departs for the weekend, assuring you that everything you need to know is in the web.xml metadata. Sure enough, there's a bunch of resources defined by <resource-ref> elements, and various <context-param> elements that look vaguely like URLs, JMS topics, JDBC sources. Do any of them require you to punch through the firewall from your web tier network to any other part of your network? Hey, that looks like an "https:" URL: ought you to be worrying about SSL keys? At least the EJB references should be straightforward....

Cut to the chase. Today, most of the intended behavior of a piece of software is buried in the source code. We've put a lot of work into expressing the functional interface to a component (whether it be an EJB, a Jini service, a servlet, or a WSDL-defined web service), but much less into describing its dependencies - what resources it uses, and how it interacts with them. Wouldn't it be nice if the application component metadata described the expected behavior of the component in such a way that "the system" (insert vague hand-wave) could:

  • check the metadata for consistency with the operational environment (e.g. to catch an errant reference at deployment time)
  • configure firewalls, containers, keystores, and so forth, and even
  • monitor the component's behavior to ensure that it only did what it said it was going to do?
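As an added example (not code from the original post), here is the vendor statement quoted above turned into a machine-readable manifest, together with a checker that compares an observed connection log against it: this is the "install firewall rules for this application" idea and the "monitor the component's behavior" bullet in one piece of code. FrobozzCo, the host names, ports, manifest field names and the event log are all constructed for illustration; Python is used for brevity even though the deployment example in the post is Java.

```python
from ipaddress import ip_address

# Machine-readable form of the vendor's prose statement (constructed; FrobozzCo,
# the host names and the policy fields are hypothetical, not a real format).
MANIFEST = {
    "outbound": [  # host, port, phases in which the contact is allowed, max uses
        {"host": "registration.frobozz.com", "port": 443, "phases": {"install"}, "max": 1},
        {"host": "update.frobozz.com", "port": 443, "phases": {"run"}, "max": None},
    ],
    "listen": [{"port": 6565, "local_only": True}],  # the Tutorial module's web server
}

def check(manifest, events):
    """Compare observed events against the manifest and return violation strings.
    An event is a dict of kind 'connect' (phase, host, port) or 'accept' (port, peer);
    the result is what a firewall or monitor would alert on instead of asking the user."""
    violations, uses = [], {}
    for ev in events:
        if ev["kind"] == "connect":
            rule = next((r for r in manifest["outbound"]
                         if r["host"] == ev["host"] and r["port"] == ev["port"]), None)
            if rule is None:
                violations.append(f"undeclared outbound {ev['host']}:{ev['port']}")
                continue
            if ev["phase"] not in rule["phases"]:
                violations.append(f"{ev['host']} contacted in phase {ev['phase']}")
                continue
            uses[rule["host"]] = uses.get(rule["host"], 0) + 1
            if rule["max"] is not None and uses[rule["host"]] > rule["max"]:
                violations.append(f"{ev['host']} contacted more than {rule['max']} time(s)")
        elif ev["kind"] == "accept":
            rule = next((r for r in manifest["listen"] if r["port"] == ev["port"]), None)
            if rule is None:
                violations.append(f"undeclared listener on port {ev['port']}")
            elif rule["local_only"] and not ip_address(ev["peer"]).is_loopback:
                violations.append(f"non-local peer {ev['peer']} on port {ev['port']}")
    return violations

# Constructed observation log, as a host firewall might record it.
EVENTS = [
    {"kind": "connect", "phase": "install", "host": "registration.frobozz.com", "port": 443},
    {"kind": "connect", "phase": "install", "host": "registration.frobozz.com", "port": 443},
    {"kind": "connect", "phase": "run", "host": "update.frobozz.com", "port": 443},
    {"kind": "accept", "port": 6565, "peer": "127.0.0.1"},
    {"kind": "connect", "phase": "run", "host": "registration.frobozz.com", "port": 443},
    {"kind": "connect", "phase": "run", "host": "stats.example.net", "port": 80},
    {"kind": "accept", "port": 6565, "peer": "192.0.2.10"},
]
```

Running `check(MANIFEST, EVENTS)` flags the second registration contact, the run-time contact of the registration host, the undeclared host and the non-local peer on port 6565, while the declared behaviour passes silently.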

Of course, if we think about service dependencies in general.... but I'll leave that for another blog entry.

(2004-08-12 07:48:58.0)

Wednesday June 23, 2004

Cleaning the Augean stables

Just finished the periodic task of cleaning up my email. I'm on the Edgemail pilot, and there's a limit of 500MB per account. I'm glad to accept that restriction in exchange for the convenience of being able to access my mail from anywhere, inside or outside of the Sun corporate network. My mail client (Mail.app on my 12" PowerBook) barely skips a beat when I connect to any network: as long as SSL-secured IMAP and SMTP can reach the dual-homed server pool, it all just keeps working. I tend to clean up whenever my mailbox goes over 400MB, just in case someone dumps a bunch of multi-megabyte attachments on me. (We have plenty of tools for sharing stuff without doing that - I prefer Twiki - but some people never learn.) After archiving some ancient curios to a local folder on my laptop, and deleting stuff associated with past lives and projects, I'm back down to 350MB. For now.

(2004-06-23 08:45:33.0)

Friday June 11, 2004

Me and Ronnie

While everybody seems to be waxing lyrical (or apoplectic) about Ronald Reagan (and I did like Steve Bell's cartoon in the Guardian), I was reminded of a personal piece of synchronicity. We had just moved from the UK to the USA (for "just a few years," we thought - hah!), and it was my first day on the job, at Raytheon Data Systems in Mansfield, Massachusetts. I was joining the team to work on the OS for Raytheon's next generation minicomputer. It was March 30, 1981, and around 2:30pm, right in the middle of a meeting to get to know the rest of the team, everything stopped: Reagan had just been shot. From my perspective, as an outsider who viewed America as a pathologically gun-obsessed culture, it was an odd moment... what had I let myself in for?

(2004-06-11 05:54:50.0)

Monday June 07, 2004

General introduction

For most people, their first blog posting is autobiographical; who am I to buck tradition? I'm Geoff Arnold, a Distinguished Engineer in Sun's CTO office; I work for Rob Gingell, the Chief Engineer of Sun. I generally work on "future stuff", but I'm also involved in matters affecting the engineering community at Sun. I've been with Sun since 1985, always in New England (despite occasional pressure to relocate to California).

My primary blog/website is at GeoffArnold.com, where you can read more about me and my professional background. The content is all over the map - personal, political, technical, whimsical, reflective, musical, occasionally professional. The first posting that got any attention is this one on the Sun-MS deal; occasionally I'll get TB'd, which causes real bandwidth spikes.

And finally (in the spirit of full disclosure that seems appropriate for Sun's new blogging policy), I should mention that I am a huge supporter of both Java and Jini. Back in the early 1970s I worked with Simula 67 - arguably the first usable OO language - and I regarded the whole BCPL to C to C++ evolution as a colossal digression. When I finally got my hands on Java, I had a feeling of coming home. I'm also a distributed computing kind of guy: I worked on my first distributed OS in around 1979. Doing the first implementation of NFS for the PC in the mid-80s convinced me that the idea of network transparency, trying to make remote resources look as though they were local, was just plain wrong. Everything is distributed. Even when it's local, treat it as remote. We can take a distributed system and optimize it for localized deployment, but the other way round just breaks. And Jini is, fundamentally, distributed Java done right - dynamic discovery, leases so that things will fail-safe, distributed events and transactions, interface contracts and private protocols. Those who don't use it are doomed to reinvent it.

That doesn't mean I don't believe in the value of XML web services. (I spent a year on the W3C Web Services Architecture WG.) But I do believe in using the appropriate technology for the job: I am suspicious of universal solutions. We barely know how to do real distributed computing; today it's mostly client-server stuff, synchronous, static, asymmetrical. Let's not pretend that we know the One True Way to do it.
(2004-06-07 14:37:11.0)

Saturday June 05, 2004

Getting started

Just planning to beat the rush on Monday.... My primary blog is at GeoffArnold.Com; I'll have to see how I balance the use of the two blogs.

(2004-06-05 06:02:06.0)

