Software Development

Wanting real schema support in MySQL

While upgrading WordPress to the latest version, some database modifications were also required, and this is where I start hating MySQL again, and more. I really hope that MySQL will get support for schemas as PostgreSQL or Oracle has, but it appears that MySQL has painted itself into a corner. And before someone says that MySQL has them: the CREATE SCHEMA statement is only an alias for CREATE DATABASE.

Therein lies the problem, as I don’t want to create a new database for every new instance of an application. Others suggest using a prefix for the tables, but this means I need to know the prefix in advance before creating and/or altering tables. This is fine when you have two or three instances, but that is where it stops. I want a single set of commands, and to just switch from schema to schema and apply the patches without any additional scripting to change prefixes.

So you have the choice of creating a “database” for every instance, which will just create another directory with database files. Or you need to use a prefix, but then you’re limited to a maximum of 64 characters for the complete table name. If you do replication it may even need to be shorter than that, if I may believe the MySQL fora. I can only hope that some applications will get decent PostgreSQL support or that Oracle will give MySQL real schema support, but I doubt they will do that.

Internet, Unix and security

WordPress “upgrades”

I have been a long-time WordPress user and not very happy with it from time to time, but sometimes you just have to accept certain things. Using WordPress is one of them, as it slowly became the industry standard for weblogs. It also became the standard for trouble, quick updates and hacked weblogs. As I have to live with it, it became time to take a closer look at WordPress.

WordPress has a lot of coding errors, and that is something that can’t be fixed overnight, but what can be solved is the ability to install additional code. While it sounds like a smart move to offer users a way to upgrade WordPress with one click in their browser or to install new plugins or themes, it is also a hazard. If a web server is allowed to update the application it is running without any trouble, then it simply means that anyone who can trick the application into writing code to disk and executing it can also host anything he or she wants. A lot of phishing and spam sites use this trick to host their code in some directory of a broken plugin. And the PHP interpreter is always happy to execute any PHP code it finds; this is a major flaw.

For Debian Squeeze there is a backport of WordPress 3.3.2, which matched the version I was already running. So installing the packages and switching the web server’s document root to the one supplied by the packages resolved the first issue. Now only the user root can modify the WordPress installation, which also includes all plugins and themes for WordPress. The base of WordPress has now been secured, as remote users can’t modify or install any code. Right? Both yes and no, as people are still able to upload content for WordPress, and this is something for further review. Ideally the content will be hosted in an image gallery, for example, but it is a risk to accept for now.
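An added example, not part of the original post: a POSIX shell audit of the layout described above, listing anything under the document root that the web server account can still modify, plus any PHP files sitting in the upload directory. The account name `www-data` and the `wp-content/uploads` location are assumptions; adjust them to the local packaging.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for code the web server account can change.
# Assumed names: account/group www-data, uploads in <docroot>/wp-content/uploads.

# Print files and directories under docroot ($1) that are writable by
# user $2, group $3 or everyone. The upload directory ($4) is skipped,
# because it is the one place that is expected to stay writable.
find_web_writable() {
    docroot=$1 user=$2 group=$3 uploads=$4
    find "$docroot" -path "$uploads" -prune -o \
        \( -type f -o -type d \) \
        \( \( -user "$user" -perm -200 \) \
           -o \( -group "$group" -perm -020 \) \
           -o -perm -002 \) -print
}

# Print files in the upload directory ($1) whose name carries a PHP
# extension; uploaded content should be media, never code.
find_php_in_uploads() {
    find "$1" -type f \( -name '*.php*' -o -name '*.phtml' \) -print
}

# Usage: sh audit.sh /usr/share/wordpress [upload-dir]
if [ "$#" -ge 1 ]; then
    root=$1
    up=${2:-$root/wp-content/uploads}
    echo "Writable by www-data outside the upload directory:"
    find_web_writable "$root" www-data www-data "$up"
    echo "PHP files inside the upload directory:"
    find_php_in_uploads "$up"
fi
```

An empty first list is the state the post aims for; any hit in the second list deserves a closer look.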

Switching to packages also showed something else, as most WordPress users just install plugins and themes by using the web interface. As only root can install new plugins and themes, this reduces the choice people have to what the system administrator puts in a package and installs. Sadly enough, no script currently exists for building packages from plugin/theme files, and from a quick look it appears that this isn’t an issue for themes. But it appears to be an issue for plugins, as some developers include an extract from PHP Pear to make sure the plugin always works.

So in the coming week I have to spend some time creating packages and doing some coding to make the packages work with the system-provided and updated PHP Pear code. But I still wonder why people write plugins and just copy code to make it “work”. I also wonder how many plugins have outdated code with some funny features, or is that something I don’t want to know?

Internet, Unix and security

Etch, farewell

After more than two years of use, Debian has come to an end, the Etch release to be precise. Recently the last machine was also upgraded from Etch to Lenny, which was released earlier this year. Now it is a matter of waiting for the Squeeze release, which is expected in the first half of 2010.

Until then it is a matter of seeing what is missing for me in Squeeze, because for now Squeeze already seems to do reasonably well as a backend. Unfortunately there is still plenty to do on the frontend, as in web applications such as WordPress, MediaWiki and Drupal. So in the coming months I will look at what is still missing in that area and submit patches.

Internet, Unix and security

First thoughts about WordPress 2.8

Going mainstream has its price and so has going with WordPress. It is a popular application and works great as a drop-in-place-and-run application, but it kicks and screams when you try to tame it for mass shared hosting. And I still wonder who kicks and screams harder: the code or the developers.

For now 2.8 is on hold for me to see how I can modify it so it becomes usable again in a shared hosting environment. And the following line in the release announcement worries me.

The core and plugin updaters in previous versions of WordPress have been such a success we decided to bring the same to themes. You can now browse the entire theme directory and install a theme with one click from the comfort of your WordPress dashboard.

It is going to be interesting when I load it on a test container next week. Maybe I will update MediaWiki 1.14 to 1.15 first to get in a good mood.

Internet, Unix and security

Looking for an alternative to WordPress

Release 2.8 of WordPress is just around the corner, but what added value it will have for me remains the question. In the current release 2.7.1 I have modified too much to make it easier to deploy for shared hosting, and I don't really feel like porting all of that to 2.8 again. Maybe it is time to start looking for an alternative to WordPress, because after all the discussions about the security of the code, the policy of now solving everything with plugins is not entirely my choice.

Certainly not when a plugin is then also needed to make managing plugins impossible. And the choice to use a separate set of tables for every weblog does not exactly strike me as an elegant solution either. But I should go and see what a good alternative is that also scales reasonably well and is manageable. Maybe this is also an opportunity to look at an alternative in Python or Java. Whoever knows, feel free to say so.