Stay safe devs, update your Java…

If you’re an Android developer, you’ll have the JDK installed somewhere. You need to keep this up-to-date. Java, along with the even more vulnerable Flash Player and Acrobat Reader, makes up the lion’s share of all current serious security vulnerabilities on your computer.

Today, Oracle released JDK 7 update 7, and it specifically fixes a vulnerability disclosed last week. You can always download the latest JDK from this page: http://www.oracle.com/technetwork/java/javase/downloads/index.html. Click on the button ‘JDK 7u7’ (though, of course, over time that u7 will become u8 and so on).

Do it. Do it now!

If you’re not a developer and you have Java installed, you still need to stay up-to-date. You should be prompted to update your Java — let it run and it’ll help you stay safe. Same goes for Flash, Acrobat Reader and Windows/OS X updates.

Edit: if you’re running OS X, you’ll notice that java -version still shows the version you had before. Annoyingly, you have to open ‘Java Preferences’ in your Applications/Utilities folder, and in the ‘Version’ column for Java 7, change the drop down to the version you just installed:

[Screenshot: the Java Preferences window on OS X. Caption: Set the latest Java version in Java Preferences]
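To confirm which Java is actually active after an update, the `java -version` banner can be parsed and compared against 7u7. This is an added example, not part of the original post; the function names are hypothetical and the sample banners in the test are constructed.

```python
import re
import subprocess

# Legacy scheme (Java 1.x through 8), e.g. java version "1.7.0_07"
LEGACY = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')
# Scheme used from Java 9 onwards, e.g. openjdk version "11.0.2"
MODERN = re.compile(r'version "(\d+)')


def parse_java_version(banner):
    """Return (major, update) parsed from `java -version` output, or None."""
    m = LEGACY.search(banner)
    if m:
        # A GA release such as "1.7.0" has no _NN suffix: treat as update 0.
        return int(m.group(1)), int(m.group(2) or 0)
    m = MODERN.search(banner)
    if m:
        return int(m.group(1)), 0
    return None


def is_at_least(banner, minimum=(7, 7)):
    """True when the reported version is >= minimum (default: JDK 7u7)."""
    parsed = parse_java_version(banner)
    if parsed is None:
        raise ValueError("unrecognised java -version output")
    return parsed >= minimum


def active_java_banner():
    """Run the first `java` on PATH; the version banner is written to stderr."""
    result = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return result.stderr or result.stdout


if __name__ == "__main__":
    banner = active_java_banner()  # raises FileNotFoundError if java is absent
    state = "up to date" if is_at_least(banner) else "OUTDATED"
    print(parse_java_version(banner), state)
```

Because it runs whichever `java` comes first on PATH, it reports the version that is really in use, not the one most recently installed.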

A Better Tool For Android Development: IntelliJ IDEA

Are you developing Android apps in Eclipse? If so, I highly recommend that you go over to the JetBrains site and download the community (free, open source) version of IntelliJ IDEA.

Eclipse is good, and enjoys a loyal following, but many people regard IDEA as being the best IDE for Java. I’ve been using it for developing Android this week, and my first impressions are “wow”. Maybe it’s because I’m used to Visual Studio, and IDEA feels more like VS than Eclipse does (it’s no coincidence that JetBrains are the people behind Resharper). It’ll certainly be hard for me if I ever need to go back to Eclipse after using IDEA.

The only downsides I’ve found so far are that certain set-up tasks are a little more involved (you need to add each version of the SDK you want to support as a configuration, whereas in Eclipse it’s automatic), and signing/exporting an APK requires using the command line tools (and also setting the build properties for the project to generate the unsigned APK — you need that to sign with your own key). That’s no deal breaker though. If you’re stuck, email me and I’ll whip up a quick blog post with copy-paste instructions on doing just that. You could even probably still use Eclipse to build the APK, if you wanted to use the wizard, because IDEA supports working with Eclipse projects and I bet Eclipse works the other way round too.

Finally understanding something about MVVM

I’m a bit of a journeyman programmer, in so far as I’ve worked with dozens of languages and servers of all kinds over the years. While I’m no thought leader, I have seen a lot — enough, I’d like to think, that I’m allowed to form the occasional opinion. They might not count for anything, but here is one such opinion, on MVVM.

When I see a new acronym or hear about a new fad (sorry, technique), it often seems to me to be a re-spinning of an old idea. For example, I’ve seen dependency injection re-invented a few times (though to be fair, each new form of an idea tends to be more all-encompassing and generally useful than the last).

Sometimes there are genuinely new and exciting ideas, though those are probably just old ideas that I don’t know about (XML was probably one of the best examples in this category).

And then there are acronyms that, no matter how I look at them, just don’t seem to make much sense. MVVM is one such thing. MVC is a fantastic pattern. MVP makes sense, especially when the form is not constantly recycled (unlike a web app). MVVM is just a bizarre layer of abstraction. Why?

I learned a lot about MVC back in 2006, when Rails started taking off. I developed some habits as a result that are proving very hard to break, especially as I move back into the world of .NET. Unfortunately, Microsoft’s MVC web framework is not nearly as well featured as Rails, and Entity Framework in particular doesn’t compare well to Active Record (albeit fast, and strongly typed and with a few other benefits). There are many examples of why I think Rails is better — one might be that there is no easy way (I can see) to create a has_many_through association in Entity Framework. Another example would be nested resources in routes.rb. A third example would be that you can’t pass anonymous types to the view, despite the fact that they scream to be used that way.

However, tonight, as I was struggling with Entity Framework and trying to get the right data in to a view I’m working on (even after the addition of ViewBag in MVC3, which certainly helps), it dawned on me — .NET programmers need the View Model in MVVM because their M in MVC isn’t flexible enough. The problem I was looking at was eminently solvable in Rails — I’d just create another association, using one of the fabulous association methods in the model, and I’d be set. In Rails I can jump between models at will. That doesn’t happen in .NET, so you need to shape your data before you hand it off to the view. That’s where MVVM comes from, and it’s why I didn’t get it until now.

CQRS

This week I came across my first real-world honest-to-goodness example of a CQRS application. It works really well, and it’s very interesting to see a proper example of CQRS.

Even if you’re a full-time professional programmer, the chances are you won’t know what CQRS is. Martin Fowler explains it well in a blog post, though even after reading that you still might not be entirely sure what it really means.

So far as I understand, CQRS means updating your data-model using well-defined commands, which in turn cause events to fire, which in turn can be used to build a read-only view.

It sounds strange, and the name CQRS doesn’t help. I’ll be honest here and tell you that I can’t even remember what the acronym means, and even if I could it doesn’t really describe the mechanism that well [I just looked it up, and it means Command Query Responsibility Segregation].

Now, the idea of updating a model through commands actually makes a lot of sense in many ways. It kind of ties in with the way you should do Domain-Driven-Development — you don’t want a bunch of properties and a Save() method, you really want operations that describe well-defined business goals.

As you execute commands against your model, events are fired. These events are used by the application to build a view of the data that meets a particular need. For example, let’s say you’re building an app for tracking used car sales. If you had a page that listed Prestige Used Cars, you might have a ‘NewCarListing’ event handler that only pays attention to events that involve cars over $30,000, and stores that data in a way that is custom-built just for that screen. It seems redundant, and it is, but the goal is to keep your domain logic pure.

As you read the last paragraph, you might have wondered how you could possibly build new reports based on commands and events that have already happened? Well, you keep a history of the commands, so you can replay them. [edit: I got a correction from @ToJans on Twitter that you actually replay events, not commands]. This strikes me as the place where any CQRS app is going to start getting overly complicated (compared to an equivalent solution, using an ORM for example), but in the example I saw yesterday (a definitely non-trivial application) it absolutely worked.
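The flow described above (command, event, read-only view, replay of stored events) sketched with the used-car example. This is an added illustration, not code from the post or from any CQRS framework; the class names other than the post's NewCarListing are hypothetical and the car data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NewCarListing:              # event: a fact that has already happened
    listing_id: int
    model: str
    price: int                    # whole dollars

class EventStore:
    """Append-only event history that notifies subscribed handlers."""
    def __init__(self):
        self.history, self.handlers = [], []
    def subscribe(self, handler, replay=False):
        if replay:                # build a new view from stored events
            for event in self.history:
                handler(event)
        self.handlers.append(handler)
    def append(self, event):
        self.history.append(event)
        for handler in self.handlers:
            handler(event)

class CarSales:
    """Write side: the model changes only through named commands."""
    def __init__(self, store):
        self.store, self.next_id = store, 1
    def list_car(self, model, price):         # command
        if price <= 0:
            raise ValueError("price must be positive")
        self.store.append(NewCarListing(self.next_id, model, price))
        self.next_id += 1

class PrestigeUsedCars:
    """Read side: keeps only listings over $30,000 for one screen."""
    def __init__(self):
        self.rows = []
    def __call__(self, event):
        if isinstance(event, NewCarListing) and event.price > 30_000:
            self.rows.append((event.model, event.price))

def demo():
    store, prestige, all_models = EventStore(), PrestigeUsedCars(), []
    store.subscribe(prestige)
    sales = CarSales(store)
    sales.list_car("Constructed Hatchback", 8_500)   # constructed sample data
    sales.list_car("Constructed Coupe", 42_000)
    # A report added later catches up by replaying the event history.
    store.subscribe(lambda e: all_models.append(e.model), replay=True)
    sales.list_car("Constructed Saloon", 31_000)
    return prestige.rows, all_models
```

The second subscriber is attached after two listings exist and still sees all three, because the history it replays holds events, not commands.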

There aren’t many CQRS drop-in frameworks that you can easily use in your own projects, but there is a SimpleCQRS example project over on Gregory Young’s GitHub page, and it might be worth looking at the Ncqrs Framework. Even if you don’t do CQRS in your own solution, just being aware of it is going to give you some good ideas that you definitely will be able to use.

Do You Need To Know About Hashing and Encryption?

There has been a bit of a hullabaloo over the past few days that started because of an app called Path. It even hit the mainstream news. This app was sending address book data back to its servers where it got stored in clear text. Not the smartest move, and Path certainly weren’t the only ones guilty of this.

If you’re a developer working on a system that handles sensitive data — and any email address or personally identifiable information is sensitive — you must educate yourself about hashing, salts and general encryption techniques (and the various gotchas). You owe it to your users. You’ve got to understand when to use encryption, when to use hashes and how they work and how they can be compromised.

Matt Gemmell (who writes a bit about Mac development) has posted a pretty long post on the topic of hashes that could serve as a good introduction. I’ll admit I haven’t read it all the way through yet (currently I am very tired — my brain isn’t functioning properly so far as I can tell), but I scanned it and it looks like it should set the scene well.

Path also did this without the user’s consent. Needless to say, that is a pretty awful sin. If you are designing an app that accesses sensitive information on a device, you’ve got to ask permission. It’s only polite.

Bootstrap – a handy toolkit for your HTML apps

The Bootstrap project from Twitter is a great collection of CSS and JavaScript helpers that make a really good starting point for your HTML-based apps. Here’s a sample of what it gives you:

  • Nicely styled buttons with clear visual clues for default/delete etc
  • An easy-to-use grid system for trying different layouts
  • Simple fluid-layout modes for resizing down to phone-screen size
  • Styled form elements to quickly make your forms look good
  • Toolbars and menus based on nothing more than ul/li elements
  • It’s all controlled by adding and removing CSS classes

If you build web apps, check it out. It’s open source too, so you can tweak it, change it, do what you want with it.

Nice app for creating CSS-styled buttons

I use CSS styled buttons quite a bit these days, but I’m not a fan of manually tweaking the properties and refreshing the page to get the right look. I’ve used this site [cssbuttongenerator.com] a few times, and it’s pretty good. It at least gives you a great start.

A Couple Of Minor Rails Problems After Latest Updates

This is surely my biggest gripe with Ruby on Rails — the regular changes to Ruby, gems, the gem system and, of course, Rails itself sometimes break existing code and server configurations.

Please understand though that this is also one of the things I love most about Ruby on Rails. Rails makes it very hard to stagnate, and that’s actually a really good thing. It’s no coincidence that pretty much every leap forward in web development over the past 5 years has more often than not happened on Rails projects.

Anyway, it’s not usually all that bad, but yesterday I came to update my server and was almost instantly hit by broken websites and an error along the lines ‘Missing method Gem#Deprecate’. Anyway, it turns out I needed to roll back the Ruby Gems system update from 1.8.15 to 1.8.10 before Passenger was happy.

Next I deployed a Rails 3.2.0 site… I got hit by another error:


Invalid gemspec in [/gems_path/specifications/actionmailer-3.2.0.gemspec]: Illformed requirement ["# 3.2.0"]

Gah!

It turns out that I can fix this error by updating to Ruby Gems 1.8.15, but that of course breaks my sites on Passenger. I worked around it by updating and then downgrading again.

Interestingly, if I try and update to Ruby Gems 1.8.15 today I just get a message ‘Killed’, so maybe they pulled the update. I’m not actually sure who ‘they’ are (I should find out) or where we’re supposed to go to get official word on the Ruby Gems updates.

Last week I found that I couldn’t use JRuby for a Rails 3.2 project because it throws an error inside one of the core libraries when you rake:migrate. That’s already in Jira and it doesn’t look like it’ll take too long before it’s fixed. JRuby’s a bit different — it’s a great project that I’m going to write more about soon…

I guess when you’re so used to the glacial pace and stability of something like the .NET world, you can be thrown when stuff like this breaks. Happily, these issues are always fixed in super quick time, and like I said at the top, I wouldn’t want it to ever change (or rather, not change, if you see what I mean).

Sending Data From Your iPhone App To Your Web App

I came across the ASIHTTPRequest library for the first time today:

http://allseeing-i.com/ASIHTTPRequest/

Maybe I’m late to the party, and maybe everybody else is already using this great little library, but I’m posting about it anyway just in case. It’s a wrapper around CFNetwork and co, and it makes it really easy to interact with your RESTful web services (for example, your Rails or Sinatra back-end), lets you POST data up to your website (as multi-part mime) and even has a wrapper around the S3 API.

In short, if you’re sending data to a web server, you should probably evaluate this library.