Blocking comment spam with mod_security

I’ve mentioned before that I use mod_security to (partially) prevent comment spam on this site. The trouble with spam is that it evolves, so it’s a constant arms race.

I’ve noticed in the last few months that the spam on this site typically has a URL as the comment name. There’s also a URL field in the comment form, with a note on it that you shouldn’t fill it out. Then, in httpd.conf, I have the following.

SecDataDir /tmp
SecTmpDir /tmp
SecRequestBodyAccess On
SecDefaultAction log,deny,status:406,capture,phase:2,t:lowercase

# Reject comments where the name contains a URL
SecRule ARGS:comment_name "https?://"

# Also, reject comments where the url field contains a URL
SecRule ARGS:comment_url "https?://"

Note that that config is specific to the Habari blogging platform. You’d need to tweak the names of the fields (comment_name and comment_url) for whatever blogging platform you’re using.

I haven’t had any spam since putting this in place, but I’ve had several legitimate comments that, ordinarily, would probably have gotten lost in the noise of moderating hundreds of spam messages.

I don’t believe for a moment that this is a permanent solution, but it at least stems the flood for a moment so I can catch my breath.

I also have a bunch of legacy rules, like:

SecRule ARGS "(zoloft|acyclovir|zithromax)" "msg:'Pharm spam'"

(which, ironically, prevented me publishing this article until I disabled it!) but those require constant maintenance as the spam trends shift from week to week.
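To see how the three rules above actually behave on a request body, here is an added Python emulation (not part of the original post and not mod_security's own code) of their phase-2 evaluation: it parses a form-encoded POST, applies t:lowercase, tests the per-field and ARGS-wide regexes in order, and returns the 406 deny with the captured match, or a pass. The field names are the Habari ones from the post; the sample bodies are constructed, and the last one reproduces the false positive the pharm rule caused on this very article.

```python
import re
from urllib.parse import parse_qs

# Rules mirroring the httpd.conf snippet in the post. Each entry is
# (target, regex, message). "ARGS:<name>" tests one form field, "ARGS"
# tests every field. The field names are the Habari ones from the post.
RULES = [
    ("ARGS:comment_name", re.compile(r"https?://"), "URL in comment name"),
    ("ARGS:comment_url", re.compile(r"https?://"), "URL in honeypot url field"),
    ("ARGS", re.compile(r"(zoloft|acyclovir|zithromax)"), "Pharm spam"),
]

# SecDefaultAction log,deny,status:406,capture,phase:2,t:lowercase
DENY_STATUS = 406


def parse_args(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded POST body into ARGS.

    parse_qs percent-decodes for us, so %3A%2F%2F becomes ://, which is
    what mod_security sees after its own decoding of the request body.
    """
    return parse_qs(body, keep_blank_values=True)


def evaluate(body: str) -> dict:
    """Apply the rules in order; return the first deny, or a 200 pass."""
    args = parse_args(body)
    for target, pattern, msg in RULES:
        if target == "ARGS":
            candidates = [(k, v) for k, vals in args.items() for v in vals]
        else:
            field = target.split(":", 1)[1]
            candidates = [(field, v) for v in args.get(field, [])]
        for field, value in candidates:
            # t:lowercase runs before the regex, so HTTP:// is caught too
            match = pattern.search(value.lower())
            if match:
                return {"status": DENY_STATUS, "msg": msg,
                        "field": field, "captured": match.group(0)}
    return {"status": 200, "msg": None, "field": None, "captured": None}


# Constructed sample POST bodies (not real traffic).
LEGIT = "comment_name=Alice&comment_url=&comment_content=Nice+post"
URL_NAME = ("comment_name=HTTP%3A%2F%2Fexample.invalid%2Fcheap"
            "&comment_url=&comment_content=great+site")
HONEYPOT = ("comment_name=Bob&comment_url=http%3A%2F%2Fexample.invalid"
            "&comment_content=hi")
# The false positive the post mentions: a legitimate comment that merely
# names one of the drugs trips the ARGS-wide pharm rule.
PHARM_FP = ("comment_name=Rich&comment_url="
            "&comment_content=I+had+to+disable+the+Zoloft+rule+to+post+this")

if __name__ == "__main__":
    for label, body in [("legit", LEGIT), ("url-in-name", URL_NAME),
                        ("honeypot", HONEYPOT), ("pharm-fp", PHARM_FP)]:
        print(label, evaluate(body))
```

The pharm case shows why an ARGS-wide keyword rule needs constant tending: it matches the comment text of anyone discussing the spam, not just the spam itself.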

OpenStack User Survey (Juno Summit)

Last month at the OpenStack Summit in Atlanta, the highly-anticipated OpenStack user survey results were released. For reasons of respondent anonymity, the raw data of the survey will not be released, but rather just a summary of the numbers. Even with that, the new numbers are very interesting.

It should be noted that the results of any survey like this have to be understood in the light of the respondent sample set. People answering this survey are those who are somewhat engaged with the OpenStack Foundation, and (obviously) aware that there even is a survey. When software is available freely, like OpenStack, there is simply no effective way to contact everyone that’s using it, so we’re necessarily seeing only a small percentage of the total population, and have to hope that it’s a representative percentage. There’s also a lot of marketing of the survey in the various “camps” in the OpenStack ecosystem, trying to get people to fill out the survey. Here, too, we have to hope that this is roughly fairly distributed, and does not itself skew the results.

That said …

The results of the survey are here: http://www.slideshare.net/ryan-lane/openstack-atlanta-user-survey

As the RDO community guy, of course my initial interest was in the distribution of deployment OS platform, as well as the deployment tools.

Let’s start with OS.

*Note: Graph corrected – I had the wrong numbers in this earlier*

Note that since the survey combines paid and non-paid Ubuntu, it seems reasonable to combine CentOS and RHEL deployments. I’m sure that there won’t be universal agreement that that’s the right thing to do. So be it.

Compare these to the numbers six months ago:

We’re not comparing apples to apples here, but here’s a graph of all the combined deployments across the categories, in the 2014 survey:

Several interesting conclusions that I draw from these numbers. Although, again, we’re not comparing apples to apples, so I’m sure that other folks will interpret differently.

Overall, the Ubuntu to RHEL/CentOS split moved from 55/34 to 47/39, indicating, overall, a movement away from Ubuntu towards CentOS and RHEL as the preferred platform for OpenStack deployments.

More interesting, looking at the breakdown into poc/dev/prod categories, there’s an even stronger motion towards CentOS (and RHEL) as a preferred platform for *new* deployments. Looking at the versions deployed in production, it’s clear that once folks have something deployed, they leave it alone, with a pretty high number of people running versions that are as far back as Essex, Diablo, or even earlier.

On the deployment tool side, I think that the question could stand to be clarified. I wonder, of the people who indicate that they are using Puppet or Chef to do their deployment, whether they’re using another tool such as crowbar or packstack to run those tools, for example, or if they’re actually writing their own Puppet/Chef scripts. I would also have expected, just anecdotally based on various conversations, to see devstack much further out in front. Perhaps I’m just talking to a rather unrepresentative group – which is, of course, why surveys like this are so useful.

Also of great interest to me is the distribution of industries. I need to do more work on comparing the numbers side-by-side, but the academic sector (the #2 industry) has grown against the previous survey, from 11 to 13%, and some other industries have also grown a little. The fact that IT is still far and away the largest consumer of this stuff seems to confirm everyone’s impression that we’re still very early days in this stuff, and the more we see it grow in non-IT industries, the more we’ll know that it’s here to stay. (It also seems likely to me that people outside of the IT sector are unaware that there’s even a survey to fill out.) So that’s something to keep watching in the next time around.

LinuxCon Japan day 1

I started off LinuxCon Japan day 1 with a bang by delivering my very first conference keynote ever, in which I described how the Apache Software Foundation operates, and how it differs from some other foundations. I haven’t been this nervous giving a talk in almost 15 years. The audience was amazingly attentive – I’m used to 2/3 of an audience looking at a laptop screen while I speak, and there were only a handful of them in this talk – most of them foreigners. Japanese audiences are incredibly courteous.

I attended several talks during the day, and met a lot of fascinating people.

At lunch, I went to the soba restaurant that’s in the Chinzanso garden. It was A Maze Ing. Wow. Delicious, while also being all new to me. I’m a sucker for a new experience, and the food was just so great.

At lunch we discussed ApacheCon Europe. (By the way, the CFP for ACEU is still open. Submit now. Avoid the inevitable last minute rush.) We’ve got some great keynotes lined up, and we’re investigating some others. I got a tentative yes from someone very cool yesterday. I’m so excited.

In the evening, there was a “VIP” event, where I ended up at a table with several French people, one of whom is the E.D. of the Open Daylight Foundation. He was talking about, among other things, their sponsorship/membership program, and helping companies understand the value of sponsoring OpenDaylight. It was a truly fascinating and eye-opening conversation. I’m looking forward to more conversations with Neela in the coming months.

By the time the party started to wind down, I was so tired I could barely keep my eyes open, and went to bed. The 11 hour time difference between here and home is very hard to adjust to.

On the whole, I am very glad I came. Although being away from home two weeks in a row is pretty awful, this is an event I wouldn’t have wanted to miss. LF always puts on a great show, and everything about this venue is wonderful.

LinuxCon Japan day 0

My flight out of Lexington was delayed an hour and a half, resulting in a very tight connection in Chicago. I ran from gate to gate, and arrived as they were sounding the gate closing alarm. And a gate agent said that she thought I shouldn’t go, because my passport expires in September, and they’re not going to let me through immigration. (Turned out to not be a problem at all.)

But I made it on board – last one through the gate door – and had a pleasant flight to Narita. I arrived at Narita at about 5pm, and went to buy train tickets.

First challenge was getting cash. My debit card doesn’t have a chip in it, which is how cards work everywhere in the world other than the US, so the ATM said it wasn’t a valid card. Fortunately, the other ATM accepted it, and I was able to buy train tickets.

I took the train to Nippori, and then changed trains there to go to Mejiro, without incident. People were very helpful in telling me how to get where I needed to go, and my worry was for nothing. The train was cheap ($12 and $1.50 for the two trips) and the taxi from the train station to the hotel was cheap ($15) and fast, too. I expected the trains to be packed, but they were spacious and incredibly quiet. Apparently it’s rude to speak on the train – or at least to speak loudly.

The airport was really quiet, too. The noise level in public spaces is really surprising – soooo quiet.

I arrived at the hotel around 7:30pm, and it is beautiful. It’s easily the most beautiful conference venue I’ve ever been at, and probably the nicest hotel I’ve ever stayed at. Check out the photos at http://www.hotel-chinzanso-tokyo.com/

My photos: https://www.flickr.com/photos/rbowen/sets/72157644738464202/
Conference website: http://events.linuxfoundation.org/events/linuxcon-japan/
Hotel website: http://www.hotel-chinzanso-tokyo.com/

If Meritocracy is a dirty word, what should we say instead?

The Apache httpd project has been based around a concept called “Meritocracy” since the very first. Meritocracy means that you earn your seat at the council table by working hard. If you work to make things better, you get to decide the direction of the project.

Unfortunately, over the last year or two, Meritocracy has become a dirty word, by association with projects and communities that are not truly meritocratic.

Two main problems stand out:

* People tend to elect/promote other people that are like themselves, resulting in largely homogeneous communities that reward similarity to the ruling class, rather than actual merit.

* In order to gain merit, you need to already be privileged in certain ways. You need to be wealthy enough to have a computer, spare time, and internet access. You need to speak English proficiently. You need to have grown up in circumstances that made it possible for you to develop an interest in computing. And on and on. And while it’s possible to fight your way up through the ranks without these privileges, few people actually do.

And so a well-meaning word that describes a utopia has come to mean all the failures of communities that strive to be meritocratic, as well as other communities that make no such attempt.

So, what do we do? Because I want to continue to strive to be genuinely meritocratic in the projects I’m involved in, while at the same time acknowledging that the project that I spend most of my time on has more Williams than women.

While making up a new word doesn’t solve anything, it seems a worthwhile exercise to clearly define what we want our communities to look like, while stating that we want to distance ourselves from the dysfunctional habits of old-boys’-club style project governance.

And of course, just *calling* it something different doesn’t fix anything – we also need to change how we do things so that we actually are inclusive, rather than just saying we are.

We want communities that are accessible to everyone, regardless of their privilege, while acknowledging that this is probably impossible, since a certain level of privilege is a minimum requirement. We want our developer communities to reflect and represent the diversity of our user communities. We want to be welcoming enough that nobody feels that they have nothing to contribute, or that it’s just too much effort, or that they are somehow outsiders.

The trouble going forward from here is, as Einstein said, “We can’t solve problems by using the same kind of thinking we used when we created them.” But while I recognize that I’m part of that white male educated privileged power class, I don’t think that means that I’m excluded from working to find solutions to the very real problems in the software development community.

Edit 1: Related reading, if somewhat more … ahem … confrontational.

Edit 2: I think I’m going to call it the little red hen governance model.

ApacheCon NA 2014 Keynotes

This year at ApacheCon, I had the unenviable task of selecting the keynotes. This is always difficult, because you want to pick people who are inspirational, exciting speakers, but people who haven’t already been heard by everyone at the event. You also need to give some of your sponsors the stage for a bit, and hope that they don’t take the opportunity to bore the audience with a sales pitch.

I got lucky.

(By the way, videos of all of these talks will be on the Apache YouTube channel very soon – https://www.youtube.com/user/TheApacheFoundation)

We had a great lineup, covering a wide range of topics.

Day One:

We started with Hilary Mason, talking about Big Data. Unlike a lot of droney Big Data talks, she defined Big Data in terms of using huge quantities of data to solve actual human problems, and gave a historical view of Big Data going back to the first US Census. Good stuff.

Next, Samisa Abeysinghe talked about Apache Stratos, and the services and products that WSO2 is building on top of them. Although he had the opportunity to do nothing more than promote his (admittedly awesome) company, Samisa talked more about the Stratos project and the great things that it’s doing in the Platform As A Service space. We love WSO2.

And to round out the first day of keynotes, James Watters from Pivotal talked about the CloudFoundry foundation that he’s set up, and why he chose to do that rather than going with an existing foundation, among other things. I had talked some with James prior to the conference about his talk, and he came through with a really great talk.

Day Two:

Day Two started with something a little different. Upayavira talked about the tool that geeks seldom mention – their minds – and how to take care of it. He talked about mindfulness – the art of being where you are when you are, and noticing what is going on around you. He then led us through several minutes of quiet contemplation and focusing of our minds. While some people thought this was a little weird, most people I talked with appreciated this calm centering way to start the morning.

Mark Hinkle, from Citrix, talked about community and code, and made a specific call to the foundation to revise its sponsorship rules to permit companies like Citrix to give us more money in a per-project targeted fashion.

And Jim Zemlin rounded out the day two keynotes by talking about what he does at the Linux Foundation, and how different foundations fill different niches in the Open Source software ecosystem. This is a talk I personally asked him to do, so I was very pleased with how it turned out. Different foundations do things differently, and I wanted him to talk some about why, and why some projects may fit better in one or another.

At the end of day three, we had two closing keynotes. We’ve done closing keynotes before with mixed results – a lot of people leave before. But we figured that with more content on the days after that, people would stay around. So it was disappointing to see how empty the rooms were. But the talks were great.

Allison Randal, a self-proclaimed Unix Graybeard (no, really!) talked about the cloud, and how it’s just the latest incarnation of a steady series of small innovations over the last 50 years or so, and what we can look for in the coming decade. She spoke glowingly about Apache and its leadership role in that space.

Then Jason Hibbets finished up by talking about his work in Open Source Cities, and how Open Source methodologies can work in real-world collaboration to make your home town so much better. I’d heard this presentation before, but it was still great to hear the things that he’s been doing in his town, and how they can be done in other places using the same model.

So, check the Apache YouTube channel in a week or so – https://www.youtube.com/user/TheApacheFoundation – and make some time to watch these presentations. I was especially pleased with Hilary and Upayavira’s talks, and recommend you watch those if you are short on time and want to pick just a few.

ApacheCon North America 2014

Last week I had the honor of chairing ApacheCon North America 2014 in Denver Colorado. I could hardly be any prouder of what we were able to do on such an incredibly short timeline. Most of the credit goes to Angela Brown and her amazing team at the Linux Foundation who handled the logistics of the event.

My report to the Apache Software Foundation board follows:

ApacheCon North America 2014 was held April 7-9 in Denver, Colorado, USA. Despite the very late start, we had higher attendance than last year, and almost everyone that I have spoken with has declared it an enormous success. Attendees, speakers and sponsors have all expressed approval of the job that Angela and the Linux Foundation did in the production of the event. Speaking personally, it was the most stress-free ApacheCon I have ever had.

Several projects had dedicated hackathon spaces, while the main hackathon room was unfortunately well off of the beaten path, and went unnoticed by many attendees. We plan to have the main hackathon space much more prominently located in a main traffic area, where it cannot be missed, in Budapest, as I feel that the hackathon should remain a central part of the event, for its community-building opportunities.

Speaking of Budapest, on the first day of the event, we announced ApacheCon Europe, which will be held November 17-21 2014 in Budapest. The website for that is up at http://apachecon.eu/ and the CFP is open, and will close June 25, 2014. We plan to announce the schedule on July 28, 2014, giving us nearly 4 months lead time before the conference. We have already received talk submissions, and a few conference registrations. I will try to provide statistics each month between now and the conference.

As with ApacheCon NA, there will be a CloudStack Collaboration Conference co-located with ApacheCon. We are also discussing the possibility of a co-located Apache OpenOffice user-focused event on the 20th and 21st, or possibly just one day.

We eagerly welcome proposals from other projects which wish to have similar co-located events, or other more developer- or PMC-focused events like the Traffic Server Summit, which was held in Denver.

Discussion has begun regarding a venue for ApacheCon North America 2015, with Austin and Las Vegas early favorites, but several other cities being considered.

I’ll be posting several more things about it, because they deserve individual attention. Also, we’ll be posting video and audio from the event on the ApacheCon website in the very near future.

ApacheCon welcomes SourceForge back for another year

The following guest post appears on the SourceForge blog today. I’m personally very pleased to welcome SourceForge back to ApacheCon for another year.

————-

The Apache Software Foundation is pleased to announce ApacheCon US 2014, which we’re presenting in conjunction with the Linux Foundation. The conference will be held in Denver, Colorado, and features three days, ten tracks of content on more than 70 of the Apache Software Foundation’s Open Source projects, including Apache OpenOffice, Apache Hadoop, Apache Lucene, and many others.

We’re especially pleased to welcome SourceForge as a media partner for this event.

See http://na.apachecon.com/ for the full schedule, as well as the evening events, BOFs, Lightning Talks, and project summits.

Co-located with the event is the CloudStack Collaboration Conference – http://events.linuxfoundation.org/events/cloudstack-collaboration-conference-north-america – the best place to learn about Apache CloudStack.

Apache OpenOffice – http://openoffice.apache.org/ – has an entire day of content, including both technical and community talks.

Hadoop, and its ecosystem of Big Data projects, has more than five full days of content (two tracks on two days, one track on the other).

Other projects, such as Cordova, Tomcat, and the Apache HTTP Server, have a full day, or two, of content.

If you want to learn more about Apache Allura (Incubating), an Open Source software forge (and also the code that runs SourceForge) we’ll have two presentations about Allura, by two of the engineers who work on that code: Dave Brondsema and Wayne Witzel. Learn how to use Allura to develop your own projects, and join the community to make the platform even better.

This is the place to come if you rely on any of the projects of the Apache Software Foundation, and if you want to hang out with the men and women who develop them. We’ve been doing this event since 1998, and this promises to be the best one yet, with more content than we’ve ever presented before.

The Margin Is Too Narrow