Sessions at Open Source Bridge 2011 on Thursday 23rd June

Linux has long enjoyed excellent package management systems in the form of RPM, DEB, EBuild and others—the CoApp project has brought the power of these systems to Windows. Supporting rich features such as side-by-side installation, versioning, dependency management, configurable updating, and distributed package repositories, CoApp is providing a stable and reliable system for distributing open source software on Windows.

Maybe you need to replace an aging phone system, or just like cutting edge technoloy. Either way if you have an interest in Voice over IP and want to get your hands dirty, this session aims to get you on the road fast.

Using some basic hardware, “Asterisk”:http://www.asterisk.org/ and Linux you can be experimenting with VoIP in no time flat. This session aims to provide you enough information and tools to have a basic functioning phone system compiled from source. Topics covered include:

• Design considerations
• Required services for a basic IP PBX
• Quick overview of OS installation
• Compiling and installing Asterisk
• Basic service configuration
• Configuration of Asterisk (SIP, call routing and voicemail)
• Overview of SIP end-point configuration
• Making calls!

bq. "You are a true pillar of democracy."

bq. "I love you."

Who wouldn't want to get emails like these? We'll show how it's done. First half, presentation. Second half, questions and discussion.

*Presentation Outline*

* *A New Model: Open Sourcing our Laws*
** Not an entirely new idea
*** Kohel Haver, first person to 'open source' the ORS.
** There is plenty out there, ready for the doing
** Examples
*** [...]
** Legal Issues to Consider
*** Federal legal documents: public domain
*** State and local governmental legal documents: quasi public domain

* *This helps so many people in different groups*
** Increasing access to the legal system, e.g. for
*** The person who got into a car accident
*** People who want to link to, discuss, and debate our laws
*** Law students, lawyers, and law librarians
** Students and non-wealthy lawyers are exploited by the old, existing research system.
*** "It's awful; it's terrible."

* *Enabled by Open Source Tools*
** HTML Parser — Nokogiri
** Web Crawling — wget, curl
** Specialized web browser — Lynx, specially hacked
** Text File Manipulation Tools — find, grep, awk
** Text editing — emacs, vi
** Web Server Stack — Linux, Apache, Ruby, Rails
** Communication — Wordpress

* *Unique Benefits to this Type of Project*
** Many, e.g.:
### Immense good will
**** “People never get sick of hearing about your site's updates. It
must feel pretty freakin’ good that your site is so desirable.”
**** “It’s pretty cool that you can get away with stuff like that. People
actually do want to know when there's something new.”
### It can pay for itself.

Our motto: *you snooze, you lose!*

Every paradigm eventually produces a language which pushes it to its puritan limit; lambda calculus let to church notation, in which even numbers are functions; symbolic list processing produced lisp, in which even code is a list; OOP gave us Smalltalk, in which everything is an object; the stack machine model produced forth in which everything a stack operation is; the modifiable storage location paradigm produced c, in which even the memory after a buffer...well, you get the idea.

But until about a week ago, the RESTful paradigm had failed to deliver on this fine tradition. There was no language in which every object of the denotational semantics was fully first-class and REASTful, with its own URI and CRUD. But now there is.

You have been warned.

This session is all about spending more time hacking on open source software, while still paying the rent:

• Finding the balance between work and play.
• Redefining "business" on our own terms.
• Bootstrapping and finding your first clients.
• Giving back to the open source community.

I'll demystify what it means to be in business for yourself, give you concrete data and advice on getting started, and share stories (good and bad!) from over ten years of independent software development and open source hacking.

What's going on in the mind of the user as they use your system? Did they choose it, or was it chosen for them? Do they like it or hate it? How can you tell?
Users are different. Some are technical, others aren't. Some are passionate. Many are silent and enjoy (or not) your project without any community interaction.

This talk will discuss the different types of users that exist, and their motivations. It'll take a tour of some of the study around this topic.

This talk will not talk about how to change your users, get them to be more (or less) involved or more (or less) passionate; although there will be time at the end for an open discussion on that topic.

When you have a pile of C code sitting in a library and need it quickly available to a higher level scripting language then you want lua. I will explain two methods of how you can use lua to talk to C code:

• Call existing C libraries like libmysql with alien
• Extend an application by embedding lua inside of it

The goal is to have you walking away with both an understanding of how the moving parts mesh together and empowered to shuffle bits out of C code into a lightweight scripting environment with a ton of higher level libraries.

Lazy hackers will appreciate the Garduino, an open hardware Arduino to automatically water your garden and tweet at you when your plants are thirsty. Want a frost alert on your phone so you know to cover your precious tomato starts? How about a tool that tells you when to start seeds, when plants will be harvested, and whether you're going to have too much lettuce in July? (Automatic seed planter not included.) Discover these projects and more at http://gardengeek.org!

Come and learn about open source tools for all types of garden hackers.

Modern Perl is one way to describe how the world's best Perl 5 programmers write great code: simple, well-designed, effective, and maintainable. Their tools and techniques are available for the rest of us to use--but you have to know what they are before you can use them.

This talk discusses several tools and techniques for making the most of Perl 5, from adding new features to the core language to verifying and distributing software. If you want to build great software with Perl, there's no better place to start.

You are standing in an open cube west of the VP of Product Development. There is an email inbox here.

> _open inbox_
Opening the inbox reveals a new message.

> _open message_
Message is open.

> _read message_
WELCOME TO THE PROJECT

You are an employee of COMPANY. COMPANY is investigating open sourcing PROJECT. You will explore some of the most obscure and frustrating territory as you lead this effort. Hardened leads have run screaming from the terrors of this undertaking!

In PROJECT the intrepid explorer delves into the little known corners of a labryrinth deep in the bowels of COMPANY politics and OPEN SOURCE best practices, searching for vast rewards guarded by fearsome trolls and professional pitfalls!

> _go west_
Life is peaceful there.

> _go west_
In the open air...

Should you propose open sourcing your company's project? What sort of questions should you ask (and answer) before making such a proposal? Are you prepared in case a hollow voice says, "Fool?" How do you avoid offending management and being eaten by a grue?

This session will be part presentation, part guided discussion. Come prepared to participate in a conversation about which t's to cross and i's to dot when considering whether and how to open source an existing project at your company or organization.

Whether it's node.js, goroutines in Go, gevent/eventlet in Python, Rubinius's hydra branch for Ruby, Akka for the JVM, or async primitives for C# 5.0, concurrency is a hot topic.

It's too easy to forget that coroutines were first defined in a 1963 paper and that preemptive multitasking, like traditional Thread interfaces offer, were a part of Unix's first release in 1969.

This talk aims to present a historical context for all of the "new" concurrency models and attempt to peer into the future to see how existing concurrency paradigms will serve hackers in a massively multicore future.

The release of "Firesheep":http://codebutler.com/firesheep last year and "the presentation by Reid Beels and Michael Schwern":http://opensourcebridge.org/sessions/484 at the last Open Source Bridge opened the industry's eyes to the fact that most web applications are inherently insecure. Any application that sends requests over plain HTTP and that uses cookies to track user sessions is vulnerable to "session hijacking":http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_theft_and_session_hijacking.

Many applications have reacted to this by offering options to run all traffic through HTTPS. Examples include Gmail, Github, Facebook, and Twitter. Using HTTPS does go a long way in improving web application security. But in most cases HTTPS security is opt-in - probably due to difficulties in rolling out HTTPS on a large scale and added application complexity. This means that only relatively paranoid users benefit. Less fortunate users, like Ashton Kutcher, will often be "left vulnerable":http://techcrunch.com/2011/03/15/twitter-enables-always-use-https-setting/.

Furthermore, HTTPS by itself does little to protect against "cross-site request forgery":http://en.wikipedia.org/wiki/Cross-site_request_forgery. It is still necessary for developers to use "form tokens":http://www.thespanner.co.uk/2007/04/12/one-time-form-tokens/, "JSON obfuscation":http://directwebremoting.org/blog/joe/2007/04/04/how_to_protect_a_json_or_javascript_service.html, and the like to protect application resources. This results in extra complexity and statefulness.

CSRF(cross-site request forgery) does not just force complexity though. Its existence actively stifles innovation. The new "cross-origin resource sharing specification":http://www.w3.org/TR/cors/, which allows servers to opt-into cross-origin XHR(XMLHttpRequest) requests, presents many possibilities for rich interaction between web applications. Unfortunately this specification is infrequently used because it opens up XHR(XMLHttpRequest) as another vector for CSRF(cross-site request forgery) attacks in cases where cookie authentication is used. In the eyes of many developers this is just too dangerous to justify exploring a new technology.

All of these problems are products of the fundamental design of cookie authentication: what is essentially a temporary password is transmitted with every web request and that password is easily accessed - directly by eavesdroppers or indirectly by third-party web pages.

There are better options. There are now pure JavaScript implementations of various cryptographic algorithms, including "SHA-1":http://en.wikipedia.org/wiki/SHA-1, "SHA-256":http://en.wikipedia.org/wiki/Sha-256, "AES":http://en.wikipedia.org/wiki/Advanced_Encryption_Standard, and "RSA":http://en.wikipedia.org/wiki/RSA. There are also well-studied authentication mechanisms built on top of those algorithms designed specifically to prevent man-in-the-middle attacks, like session hijacking. And an authentication mechanism based on JavaScript rather than cookie data would be far less vulnerable to CSRF(cross-site request forgery).

I will explore authentication mechanisms such as "HMAC":http://en.wikipedia.org/wiki/Hmac, as seen in "OAuth":http://oauth.net/, and block cipher authentication, e.g. "CMAC":http://en.wikipedia.org/wiki/CMAC. I will present on the applicability and feasibility of implementing these solutions in JavaScript in ordinary web applications. I will analyze performance and cross-browser compatibility considerations. Finally, I will demonstrate my own recommendation for next-generation browser authentication.

Manuals are boring, but learning is necessary.

New contributors often have to figure out how to operate the tools of a project, like IRC, git, or svn, in a highly social environment: public communication between peers. When, for example, you post your first patch to a mailing list, it’s intimidating to know that your mistakes with the tools might reflect poorly on your programming skill.

Some video games have a “training level” where you can get shot without dying. Open source could have a training level where you can learn the skills you need without getting burned.

Our community built one. The OpenHatch training missions are a group of interactive web pages for learning skills you would use when contributing to free software like using diff, patch, tar, version control, IRC, and so on. A training mission shuns “manuals” and long, boring blobs of text, and it protects its users against learning through trial by fire. We say, “Here’s a short, concrete task to perform. Interact with our web-based robot, and it will tell you if you succeeded.” You can build up your comfort in a space without embarrassment.

Project maintainers often end up teaching basic community skills to new contributors. If you can ask them to complete a relevant training mission, you can save time and have a more knowledgeable contributor base.

In this talk, you will learn about the current training missions and discuss as a group how they can be useful to the attendees. We will highlight the training mission for a version control tool in which you are an agent for Mr. Good trying to gain the trust of Mr. Bad. We will discuss the diversity ramifications of learning community skills in a safe environment. After a tour of the OpenHatch community that built them and the Django-based implementation, we will discuss the attendees’ situations with new contributor skill levels and identify the most useful training missions to build next.

Have you ever wanted to automatically turn on your lights when you get home, or turn them back off when you leave? What about controlling your lights by SMS or IRC? Aaron Parecki and Amber Case have been living in a smart home controlled by mobile devices and their locations for the last year. The house is filled with sensors and networks for collecting all sorts of information and automated processes. They'll show you some of the expensive smart homes of the past, and how the same effects can be achieved with microcontrollers, 20-year-old technologies, and the mobile phone you currently have.

This presentation will cover a number of fun DIY elements of home automation using GPS, SMS, location sharing, geotriggers, Geonotes and other mashups that can be done using mobile location, IRC and SMS as control hubs. We'll also cover advanced geolocation triggers and messaging based on the real-time location platform and API we built, and how it can be used to build apps that can notify people automatically when you land at an airport, or automatically text message your kids when you're there to pick them up from school.

A deployment pipeline combines several development best practices, fully automated and taken to their logical extreme. The result is almost magical: changesets go in one end, and fully-tested software packages come out the other. We'll take a tour of the components of a deployment pipeline, with concrete examples showing how to use Hudson, Rake, and Puppet to deploy PHP projects.

In this session, we will answer the following questions:
* what is a deployment pipeline?
* why do I need one?
* how can I implement one using open source tools?

We will begin with a quick overview of deployment pipelines and their powerful benefits. We will then look in more detail at the components of such a pipeline, and some of the excellent open source tools you can use to implement your own. Along the way we'll look at concrete examples of a specific deployment pipeline implemented at Second Story to deploy PHP-based web applications.

The session's examples will involve these tools:
* continuous integration using Hudson (or its recent fork, Jenkins)
* configuration management using Puppet
* build automation using Rake

This is a high level session meant to introduce concepts and tools; it will be light on code examples or live demonstration of software.

Startups have unique business challenges and goals. It can be a very daunting prospect to try to start one, especially when there isn’t a lot of experience or history of success in your area. Getting something off the ground is just the beginning, though, as you have to start managing growth and success. This talk will navigate common pitfalls of creating a startup outside of the Silicon Valley and include advice on when to seek funding, how to go about it, and, once you’ve done that and have started to see success, how to make sure that your team doesn’t fall apart from the changes and transitions that appear.

Technical debt is something that most project teams or independent developers have to deal with - we take shortcuts to push out releases, deadlines need to be met, quick fixes slowly become the standard. In this talk, we will discuss what technical debt is, when it is acceptable and when it isn't, and strategies for effectively managing it, both on an independent and team level.

Bitcoin is an anonymous, distributed, decentralized, internet-based system for storing and transmitting value in a new e-currency. There is an active marketplace to buy and sell Bitcoin for US dollars. It has a controlled rate of inflation. It automatically rewards people for running the servers that make the network work. Exchanges between any two parties are zero cost and anonymous, yes at the same time the transaction history of the bitcoin system is public.

ETL. OLAP. BIDW. ELT. M/R. MPP. Windowing. Matviews. Data Marts. Column Stores. Are you at sea in a tidal surge of arcane terminology, trying to cope with big data problems?

While big data may be bigger today, and far more common, and while we have a lot of new tools for dealing with it, the essential practices of how to process, store, and visualize large quantities of data haven't changed very much in the last ten years. Data warehousing veteran Josh Berkus will give you a lightning tour of the techniques and tools for dealing with masses of data, including: the data processing pipeline, types of big databases, visualizing and summarizing, and tips on dealing with GB to PB. All in a friendly FAQ format.

This talk will give you everything you never wanted to know about data warehousing but were forced to find out. Or at least enough that you can Google the rest.

Government is helping lead open source adoption. One of the biggest growth areas in the public sector is using web technologies to help build communities. Using technologies like Moses, Drupal, Wordpress, Jabber, and others is helping to connect people in government, and governments to one another. Using open source to enable people to form connections and enhance informal communication is a major area where open source is leading within the public sector.

Building communities with both domestica and international organizations has helped me see some of this contribution first-hand. I would like to share my own experience of building a community for the US Department of Defense and showcase some of the contributions we're making to Drupal and other open source technologies.

If you didn't think JavaScript was ubiquitous enough being in every browser you're certainly happy now that it's taking over as a backend platform languages and even getting embedded in to databases :)

This talk will cover the common elements of different JavaScript environments in browsers, node.js and CouchDB and various strategies for breaking up and structuring code that can be modularly used across environments.

I'll also cover some real world use cases and a few libraries that straddle the different JavaScript worlds as well as the fate of CommonJS.

Open Source GIS software has proven to be reliable, fast, and cartographically pleasing on the WWW, however it has traditionally lagged behind commercial systems on the desktop.

In this session we will highlight the capabilities of some of the leading, most feature-rich, desktop applications in the open source ecosystem. Each presenter will demonstrate a specific set of tasks from cartography to analysis in a specific software platform. The programs featured are: Quantum GIS, gvSig, OpenJump, and MapWindow.

Over the past year, I've been working on three projects that make open datasets available to the public:

• "PDX Trees":http://pdxtrees.org
• "Public Art PDX":http://publicartpdx.com/
• "Portland Poetry Posts":http://poetrybox.info/

Although the public-facing parts of these projects appear similar on the surface -- apps or websites with locations on a map -- the design and development process has been quite different for each.

In this talk, I'll explore the opportunities and challenges I encountered in each, covering factors like:

• Data source -- Who gathered it, when and why?
• Data content -- What's in it?
• Metadata definition and stability -- Is it clearly structured? Does it follow standards? Is the structure or format subject to change?
• Data accuracy and completeness
• Data volatility -- How often does the data change?
• Geographic scope -- Does it cover a neighborhood? A city? A metro region? A state?
• Geographic density -- Is it more or less evenly distributed or are there obvious clusters and empty areas?
• Intellectual Property -- Is the data itself clearly licensed for re-use? Does it point to other data or media that have copyright restrictions or limitations?

I'll use this comparison to suggest a re-usable blueprint for analysis and planning of open data projects, including how to match available data to audience interests and expectations, as well as identifying opportunities for community participation.

Ever been envious of how easily Python, Ruby and even JavaScript can “meta-program”? Meta-programming provides new ways of writing your code that goes beyond traditional object-oriented composition or inheritance. It’s like magic: seemingly simple or innocuous code takes over big responsibilities; new methods appear out of thin air. Your code, your primary code, stays simple and easy to follow.

Now, we know you can do that for scripting languages, but what do we do about Java? With the proper context, it is possible to emulate many of those same capabilities, by applying a simple set of code transformations at runtime. In this session you’ll learn about meta-programming and how it can apply to traditional Java. You’ll learn about the techniques needed to transform classes at runtime, adding new behaviors and addressing cross-cutting concerns. The presentation will discuss a new framework for this specific purpose, but also draw examples from the Apache Tapestry web framework, which itself is rich in meta-programming constructs.

Accessibility is commonly viewed as a dry formal requirement absent of any real beneficiary. It is all too often tacked on as reluctant "polish".

In this talk we will blur the line between people with disabilities and "able-bodied" people and see how everybody benefits from inclusive design, and how good decisions from the start leave us with a more aesthetic product that is usable in more ways than we could have initially imagined.

We will use user interfaces in GNOME as a case study for good and inclusive design.

Open Source projects are most successful when they attract enthusiastic and capable contributors. But, often the first thing a new contributor to a web development project faces is a README file with a long list of instructions needed to even get the thing running.

And that’s if they’re lucky: Just as often, the necessary documentation is incomplete or missing entirely, leaving a new hacker no way to get involved without investing a lot of time up front.

This is no way to treat potential volunteers; they’re doing us favors by spending time with our projects. In return for their time, we should do the best we can to make our projects accessible and rewarding without unreasonable demands.

To that end, we can use modern tools like VirtualBox, Vagrant, and Puppet to turn walls of text into virtual machines. We can offer simple bootstraps and even bootable disk images to can get new developers started quickly, allowing them to explore a running system rather than demand they understand the complete stack before the first page view.