The Changelog

Open Source moves fast. Keep up.

nphysics: a 2D/3D physics engine for Rust #

As you all know, I’m paying close attention to Mozilla’s Rust programming language, and I’m always really excited when new stuff comes out written in it.

That’s why it’s neat to see nphysics: a 2 and 3-dimensional rigid body physics engine, written in Rust. There’s even a demo video!

The “Why another physics engine?” section of the README does a great job of explaining why nphysics is neat:

There are a lot of physics engine out there. However having a physics engine written in rust is much more fun than writing bindings and has several advantages:

  • it shows how well rust behaves with highly generic code

  • it shows that there is no need to write two separate engine for 2d and 3d: genericity wrt the dimension is possible (modulo low level arithmetic specializations for each dimension).

  • in a not-that-near future, C++ will die of ugliness. Then, people will search for a physics engine and nphysics will be there

Super cool!

Prototype JSON APIs with Fortune.js #

If you hadn’t heard, JSON API is a format for building awesome APIs on top of JSON. You can see other posts tagged with JSON API here.

Recently, a new project related to JSON API was released: Fortune.js.

Fortune.js, a web framework for prototyping rich hypermedia APIs, allows you to rapidly prototype the server side of any JSON API api.

Check it out:

var fortune = require('fortune') 
  , app = fortune({ 
    db: 'petstore' 
  .resource('person', { 
    name: String, 
    age: Number, 
    pets: ['pet'] // "has many" relationship to pets 
  .resource('pet', { 
    name: String, 
    age: Number, 
    owner: 'person' // "belongs to" relationship to a person 

This will give you all the proper routes and format the responses in the right way to conform with the spec.

If you didn’t guess, fortune.js makes heavy use of Node, so you can get it from npm:

$ npm install fortune

I am super pumped about projects like this, because it shows off the great benefits of standardizing around a type like JSON API. Tooling that knows how to handle the type makes it really easy to get off the ground.

JSON API now has a MIME type #

If you hadn’t heard, JSON API is a format that myself and Yehuda Katz have been persuing to help standardize APIs. It came out of the work done on ember-data and active_model_serializers.

We’ve been tweaking the format after receiving feedback from many people, and both the exemplar implementations as well as a variety of other implementations have made it pretty easy to use our format.

Here’s the news, though: we’re one step further along the standardization process.

Recently, the IANA approved our application for a media type designation for JSON API. This means you can officially serve your APIs with the type application/vnd.api+json. Neat!

A startup template for Ruby on Rails 4 applications #

Way back in January, I wrote a blog post called “Rails has two default stacks”. In it, I discussed how people like to customize the defaults that Ruby on Rails gives you. Your company might prefer Postgres/HAML/RSpec, for example, over the default MySQL/ERB/MiniTest.

There’s an under-used feature of Rails that allows you to automate the creation of your own stack: templates. Check it:

$ rails --help

  rails new APP_PATH [options]


-r, [--ruby=PATH]              # Path to the Ruby binary of your choice
                               # Default: /opt/rubies/ruby-2.0.0-p195/bin/ruby
-m, [--template=TEMPLATE]      # Path to some application template (can be a filesystem path or URL)

Application template? Yep. There’s very little documentation on this feature, unfortunately. There is a work in progress Rails Guide that gives some answers, but it’s not done yet.

Anyway, the TL;DR is this: you can write a little script to help initialize a Rails app just the way you want to. And Rails startup template is exactly that.

Here’s some of the things it gives you out of the box:

  1. Adds analytics-ruby, simple_form, uuidtools, rspec, guard-rspec, and bourbon gems, as well as a few more.
  2. Creates a new git repository, and optionally a new one on GitHub
  3. Sets up foreman for easy environment variable and background service config.
  4. Removes include_tree . from your application.css, since the author prefers to require things manually.

There are some other features, as well.

Check it out on GitHub and vote it up on Hacker News.

angolmois: a music game ported to Rust #

Angolmois is “a BM98-like rhythm game”. It looks like this:

angolmois screenshots

Its author, lifthrasiir, has ported it to Rust.

This is really cool for a few reasons:

  1. It’s possibly one of the bigger Rust codebases that exists today, klocing in at just over 6,000 lines of code.
  2. Some useful utility bits will be sent back upstream into Rust’s standard library.
  3. Lifthrasiir is writing a detailed guide to how it was made, and “hope[s] it to be a starting point to the advanced programming in Rust.”
  4. Games are fun.

You can check out more in its repo.

rust.ko: a minimal Linux kernel module for Rust #

Hot off the heels of and rustboot comes rust.ko. rust.ko is a minimal Linux kernel module for Rust.

What does this mean? Well, from the Kernel Programming Guide,

Modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.

Neat, eh? So basically, ‘extend your operating system with Rust.’

I’m excited to see this flurry of ultra-low-level activity from the Rust community. I’m sure there’s more neat stuff to come!

rustboot: a tine 32 bit kernel written in Rust #

Hot off the heels of the release, charliesome has written a tiny, tiny kernel in Rust.

It is, of course, incredibly fully featured:

rustboot screenshot

Ha! But, more seriously, this program that writes the screen red is written in Rust, and, in theory, will run on 32 bit commodity PC hardware.

Is something with no features actually a kernel? In the hobbyist OS community, this still counts. Way back in the day, there were applications that were written that also needed to boot the computer, and while an OS that only runs one program may not be what you conventionally think of, I’d say it fits. But really, I don’t care: even if it isn’t a full kernel, it’s a neat hack that would provide a great starting place for someone interested in operating systems and Rust to pick up and run with it. write Rust without a runtime #

Late last week, pcwalton released, a way to write Rust code without a runtime.

What does that mean? Well, normally, a runtime defines all of the basic features a language supports. For example, the garbage collector. You need this to be compiled in with your program for the program to work properly.

What does is provides small stubs for everything that is absolutely necessary for a given Rust program. The only thing that depends on is 5 C functions, which are usually provided by libc.

What does that mean? Well:

Garbage collection, tasks, and failure will not work. All the other language features, including unique pointers, references, and closures do work, so programs such as sprocketnes that do not use garbage collection should be fine.

The Rust standard library cannot be used in this mode, but splitting out the Rust standard library into a portion that can be used in freestanding mode would be an interesting and valuable project (IMO).

Why is this useful? Well, you could use Rust to write the Rust runtime. Or you could write a Linux kernel module, since it doesn’t depend on the rest of Rust. Or you could write an operating system in Rust. Or write the Rust garbage collector in Rust. Reducing dependencies means that it’s much easier to use Rust in a large number of places.

Hyperresource: a hypermedia API client for Ruby #

Any of you who know me aren’t surprised about me posting this story: it’s right up my alley!

Basically, hyperresource is intended to be a general hypermedia client. What’s that mean? It can work with any API that happens to use one of the media types it supports. Right now, that’s just HAL+JSON, but more will be added in the future.

What’s that mean in terms of code? Well, here’s an example from the README:

api = '')
# => #<HyperResource:0xABCD1234 @root="" @href="" @namespace=nil ... >
root = api.get
# => #<HyperResource:0xABCD1234 @root="" @href="" @namespace=nil ... >
# => { 'message' => 'Welcome to the API',
#      'version' => 1,
#      '_links' => {
#        'self' => {'href' => '/'},
#        'users' => {'href' => '/users{?email,last_name}', 'templated' => true},
#        'forums' => {'href' => '/forums{?title}', 'templated' => true}
#      }
#    }
jdoe_user = api.users.where(email: "").first
# => #<HyperResource:0x12312312 ...>

How does it know how to look up those users? Well, there’s a users link relation on in the response, and it has a templated URI as its href attribute. This lets the client reflect and know how to look up users by their email or last name.

The power of this generic tooling is that we no longer have to think about how to parse HAL, how to interpret the response… we have this one library which works with any HAL-powered API.

The biggest drawback of hyperresource is that it’s read-only at the moment, nothing but GET. But it shows a lot of promise, and I’m excited to see this kind of stuff pop up in the wild. Everything I see points to 2013 as the year of example code for hypermedia services.

Check it out on GitHub.

csscss parses your CSS and shows your duplicated declarations #

Yesterday, a neat little gem called csscss celebrated a 1.0 release!

csscss will parse any CSS or Sass file you give it and let you know which rulesets have duplicated declarations.

It’s super easy to use:

$ gem install csscss
$ csscss path/to/styles.css path/to/other-styles.css

{.contact .content .primary} and {article, #comments} share 5 rules
{.profile-picture}, {.screenshot img} and {a.blurb img} share 4 rules
{.work h2:first-child, .archive h2:first-child, .missing h2:first-child, .about h2, .contact h2} and {body.home h2} share 4 rules
{article.blurb:hover} and {article:hover} share 3 rules

Cool! This really helps when you’re trying to get a handle on refactoring. Maybe it’s just me, but I find remembering all of my CSS rules very complicated. There’s a reason I’m more of a back-end developer…

For those who write their CSS in Sass, csscss can also parse Sass files, as well. Just point it at one and it’ll go to town!

Check out the homepage or the source on GitHub for more details.

There’s one other neat part about this gem, but it’s not for users of the gem — it’s for developers. csscss contains, as you’d expect, a full CSS parser written in parselet. I’m sure that others could do need static analysis stuff with CSS if they had a parser that was pre-built for them, as well.

Reminder: Upgrade your Postgres today! #

Last week, I told you all about an incoming security patch for Postgres. Well, today, it’s here. Please check out this page and upgrade your Postgres. As the Postgres team says, ‘This is the first security issue of this magnitude since 2006.’

What’s the issue?

As always, you can find the latest information about security patches via the CVE system. Here’s the one for this vulnerability, CVE-2013-1899.

There are three things that can happen with this vulnerability:

  • Denial of Service. Error messages can be appended to files in Postgres’ data directory. This can fill up disks, or cause Postgres to crash.
  • Configuration Setting Privilege Escalation. If they have a legitimate login, and the username and database name are identical, then that user can set a config variable as the superuser.
  • Arbitrary Code Execution. The ‘boss level’ of vulnerabilities. If they can do both of the above things, and can save files outside of the data directory, then they can execute arbitrary C code.


What versions are affected?

Versions 9.0, 9.1 and 9.2.

Where can I find more?

The Postgres team has a FAQ for this release, and here are the release announcements.

You can also see the commit that fixed the issue, with all the gory details.

Or, discuss on Hacker News.

Today is a big day for Rust #

Lots of great stuff in the Rust world today.

Rust 0.6

First of all, Rust 0.6.0 has been released! You can find the announcement here.

As always, Rust works on Mac, Windows, and Linux. To get it, do this:

$ wget
$ $ shasum -a 256 rust-0.6.tar.gz
e11cb529a1e20f27d99033181a9e0e131817136b46d2742f0fa1afa1210053e5  rust-0.6.tar.gz
$ tar xvf rust-0.6.tar.gz
$ rust-0.6
$ ./configure
$ make
# make install

I added the SHA in there so you can verify you got everything properly. Now, compiling Rust is still pretty slow: it took about an hour on my MacBook Air.

I also have a pull request in on Homebrew, so after that’s merged, you should be able to use homebrew instead of mucking about on the command line.

What’s new

So what’s new in Rust 0.6? You can find a detailed list of changes here, and the commit list here. There were 2,398 commits by 17 authors, damn!

While we cannot promise that this is the last time there will be incompatible changes, the great majority of anticipated language-level changes are complete in this version. We expect subsequent releases before a beta and final 1.0 to be more focused on non-language-level work (performance, libraries, packaging and building, runtime system) with only modest language-level changes as we discover bugs and areas requiring residual polish (primarily in the trait system, macro system, and borrow check).

This is the biggest thing for me. The language is almost completely settled down. You can find the meta-bug which describes all of the things that have yet to be removed here.

Here’s some of my favorite changes from the release:

  • Trailing sigils on closure types such as fn@, fn~ and fn& were removed in favour of the more-consistent leading sigils @fn, ~fn and &fn. (More consistent syntax is always good)
  • The move keyword was removed; owned types are always passed and assigned by moving now. (It was sorta odd that move was needed in places where the compiler could just infer it. This removes a bunch of clutter in code that sent owned types into spawned tasks, for example.)
  • The fail and assert keywords were replaced with macros fail!() and assert!(). (I’m generally pro-remove keywords, add macros)
  • in all cases mutability is controlled by mutability of the owner (inherited mutability). (Read this section in more depth, but I think this really helps the visibility of the mutability rules for a struct).
  • impl Ty : Trait { -> impl Ty for Trait {. (pretty!)
  • the “main function” doesn’t need to be called main anymore, you can use #[main] to change it.
  • Rust now supports using inline assembly through the asm! macro. (WEBSCALE!!!!111lolz)

Neat stuff!

Mozilla + Samsung

Mozilla put out a press release today called “Mozilla and Samsung Collaborate on Next Generation Web Browser Engine”.

Translation? Servo is a real project now. At least, that’s how I read it.

We are now pleased to announce with Samsung that together we are bringing both the Rust programming language and Servo, the experimental web browser engine, to Android and ARM. This is an exciting step in the evolution of both projects that will allow us to start deeper research with Servo on mobile.

n the coming year, we are racing to complete the first major revision of Rust – cleaning up, expanding and documenting the libraries, building out our tools to improve the user experience, and beefing up performance. At the same time, we will be putting more resources into Servo, trying to prove that we can build a fast web browser with pervasive parallelism, and in a safe, fun language.

Cool! If you’re not aware, Servo is a massively parallel browser rendering engine, written in Rust. I haven’t been covering it here on the Changelog because it’s been a purely research project, but I’m really excited to see it move forward.

Helios: a server side for your iOS app #

Today, the always-impressive Mattt released a new project: Helios.

Helios is an open-source framework that provides essential backend services for iOS apps, from data synchronization and user accounts to push notifications, in-app purchases, and passbook integration. It allows developers to get a client-server app up-and-running in just a few minutes, and seamlessly incorporate functionality as necessary.

Getting started is easy:

$ gem install helios
$ helios new myapp
$ cd myapp; helios server
$ open http://localhost:5000/admin

Helios is broken down into useful components, too. If you check out the .gemspec, you’ll notice a few other gems that would be useful for anyone trying to build a backend service.

There’s a lot of startups that do “Backend as a Service,” such as Parse, so it’s nice to see an OSS competitor pop up.

simple-web-server: A web server in Rust #

There’s a project that I’d been meaning to try with Rust, and that’s write a basic web server. I kept putting it off, and when I saw the 0.6 rc land recently, I said I’d give it a try to play with 0.6. But schaars has beaten me to it, and released simple-web-server today.

simple-web-server was written with Rust 0.5 in mind. It’s pretty easy to build, just use make!

$ cd rust
$ make

Trying it out is easy, too:

$ ./ws -p port -s pool_size -d web_dir

Right now, the server is simple, very simple. It only supports GET requests as HTTP/1.0. That said, that’s enough to qualify, and it’s certainly enough to toy around with Rust. As schaars says,

The goal is not performance, but rather discovering the language and building a simple distributed system.

Rust’s concurrency features, used properly, should make for a really awesome web server. I’m excited to see what happens when a production-ready one comes out.

fast_blank: String#blank? in C #

Sam Saffron is part of the team doing Discourse, an open-source Rails-based discussion platform. He’s been kicking all kinds of ass all over Ruby-land lately, but I wanted to share a specific bit of that with you. It’s a new gem, fast_blank.

Basically, due to these awesome-looking flame graphs that Sam added to his MiniProfiler gem. Here’s what it does: it samples stack traces while your app runs, and then lays them all next to each other so you can see where they’re especially deep. He has a demo here, which you can click around and check out what was going on on Discourse’s home page before Sam started working on making it faster.

Anyway, so what’s this has to do with fast_blank? Well, Sam noticed that a ton of time in Discourse’s code was being spent in String#blank?, a method which was added to Rails by _why the lucky stiff way back in the day. Sam attempted to fix it, but making it 100% compatible, yet fast, was difficult.

This lead him to notice that Ruby and Rails have different implementations of #blank?, he decided to fix the issue in Discourse by writing a #blank? in C so that it was super fast.

To use fast_blank, just add it to your Gemfile:

gem 'fast_blank'

That’s it! Your String#blank? will be faster.

Actually, that’s not quite it. Over on GitHub, Sam told me that it’s not up on Rubygems yet, but will be in a few days. For now, you need to clone it down and use Bundler’s :github option:

gem 'fast_blank', github: "SamSaffron/fast_blank"

That’s it.

Now, you may be wondering why I’m making such a big deal out of all of this. Well, this is pretty much an absolutely model open source interaction between a bunch of different projects.

  1. A performance issue was found. Rather than wonder or speculate, measurements were taken.
  2. A new tool was developed to help make sense of the measurements.
  3. Attempting to fix performance in the main project itself, with a pull request.
  4. Recognizing that there was a lot going on here, so fixing it from himself via a patch.
  5. Sharing the fix with everyone until the details in the main projects could be sorted out.

Obviously, this isn’t the end of this story. What will happen next? Will Rails and MRI end up with the same implementation? Can we make it work in Ruby as fast as the C version? Will fast_blank just replace the implementation of #blank? in MRI?

I guess you’ll have to stay tuned to find out. ;)

Postgres preps for a big security release #

UPDATE: Reminder: Upgrade your Postgres today!

Yesterday, I became aware of this email to the PostgresSQL-hackers email list. The email states that there is a very serious security release coming up next week — so bad that they’re taking extra precautions.

Here’s my summary of the email:

The core committee has decided that one of the security issues due to be
fixed next week is sufficiently bad that we need to take extra measures
to prevent it from becoming public before packages containing the fix
are available.

What we intend to do is shut off updates from the master git repo to
the anonymous-git mirror, and to github, from Monday afternoon until
Thursday morning.

We do not intend to start doing this
as a routine thing, and apologize in advance for any disruption.

Every project has security flaws, and it’s great to see the Postgres team take this so seriously. If your team relies heavily on Postgres, consider scheduling a maintenance window sometime shortly after the patch is due to be released, so that you can get your servers fixed up. This one looks to be anomalously big.

Share your thoughts and vote this up on Hacker News.

Rustyhex – a roguelike in Rust #

I love roguelikes. My first ever interaction with a computer was in a related genre: interactive fiction. As soon as I saw Adventure, I was hooked on computers forever. Then, in college, I discovered nethack, and friends and I wasted way too much time attempting to ascend.

I mean, how can you resist this?

The bat bites!

     |....|    ----------
     |....-#   |...B....+
     |....|    |.d......|
     ------    -------|--

Player the Rambler     St:12 Dx:7 Co:18 In:11 Wi:9 Ch:15  Neutral
Dlvl:1 $:0  HP:9(12) Pw:3(3) AC:10 Exp:1/19 T:257 Weak


Well, they’ve gotten a bit better since then. Here’s what Rustyhex looks like:


As the README mentions:

Rustyhex is a work toward implementing a simple rouge-like game with hex tiles.

It’s written in Rust and it’s primary purpose is to learn and practice Rust language.

Seems cool! It uses the Rust SDL bindings to interface with the outside world, and is pretty small: it’s right around a thousand lines of code, by my rough count.

Games are one area that I’m really excited about with Rust: given that it’s native to Mac/Windows/Linux, and has an emphasis on low-level speed, Rust could be a pretty decent language for making them.

sinatra-asset-pipeline: Sprockets for Sinatra #

I remember being really excited for Rails 3.1, and that’s because it was going to have ‘the asset pipeline,’ helping us manage the assets our application needed. I also remember being so excited by it, I fooled around with sprockets 2.0.0.beta6 to get it running on my Sinatra apps, as well. It took me a while, and when beta7 came out, it didn’t work any more…

But this isn’t a story about me. It’s a story about Joakim Ekberg. He did better than I ever did: when he put Sprockets on Sinatra, he made a gem out of it. He calls it sinatra-asset-pipeline.

It’s pretty easy to use: just

gem 'sinatra-asset-pipeline'

in your Gemfile. After bundling, add this to your Rakefile:

require 'sinatra/asset_pipeline/task.rb'
Sinatra::AssetPipeline::Task.define! MyApp

and add it to your application, too:

require 'sinatra/asset_pipeline'

class MyApp < Sinatra::Base
  register Sinatra::AssetPipeline

Then, sinatra-asset-pipeline gives you the rake tasks you’d expect:

$ rake assets:precompile
$ rake assets:clean

Sinatra-asset-pipeline is still pretty young, and currently only supports the stock Haml, Sass, and CoffeeScript options that the Rails asset pipeline uses. Hopefully, future releases will integrate Tilt so that you can use arbitrary endings, but there’s a reason why these are default in Rails: they’re the most popular alternate options from the defaults.

Vote this up on Hacker News.

rust-antlr: An ANTLR grammar for Rust #

I just heard about a neat new project: rust-antlr. Basically, it’s an ANTLR grammar for Rust.

Unfortunately, if you’re not a compiler nerd, you may not know what that means.

At the highest level of detail, implementations of a language’s grammar are useful even outside of the compiler itself. For example, syntax highlighting tools, static analysis tools, and alternate language implementations are all good usages of a grammar that’s separate from the official language implementation. So, this project should help out anyone wanting to do something along those lines.

More specifically, ANTLR is a tool for writing grammars. You can write an ANTLR grammar, then have it generate a bunch of code that you can compile into a project, or use standalone as a grammar checker.

Anyway, as the README shows, it’s pretty easy to get started:

1. install antlr 4 jar, put it in your classpath
2. run make
3. try java org.antlr.v4.runtime.misc.TestRig Rust tts -tree <

That’s it! I’m excited to see some tooling pop up around Rust, and hopefully this will enable even more neat tools to be built.

Spring: pre-load your Rails apps #

When you’re working on a big app, Rails’ startup time can be slow. It’s a hard problem, and there’s been a lot of work done in Ruby and Rails to help solve this pain.

Rails Core member Jon Leighton has a new gem that helps solve this problem: it’s called spring. Basically, Spring is in the same ‘genre’ of gems as Spork and Zeus: it loads your app up and keeps it running in the background, so the next time you run your tests, things are fast.

Using spring is easy:

$  cat >> Gemfile
gem "spring"
$ bundle
$ spring testunit

This boots up your app, runs the tests, and keeps the app running in the background. You can see that your app is running with spring status:

$ spring status
Spring is running:

26150 spring server | rails-3-2 | started 3 secs ago
26155 spring app    | rails-3-2 | started 3 secs ago | test mode 

Now, adding spring before every command is a lot of effort, so similar to bundle, spring can generate binstubs that take care of this for you:

$ spring binstub testunit
$ bin/testunit


If you haven’t used Spring before, check out the README. If you were using earlier versions of Spring, Jon just released 0.8, so check out the CHANGELOG for details on what’s new.

Scorched: a new Ruby web framework #

Disclaimer: this is a story about Ruby web frameworks, and I have commit bit to Rails

Ruby has a long tail of web frameworks. There’s the big dogs, Rails and Sinatra, there’s some smaller frameworks with a devoted following like Padrino or Camping, and then there’s a ton of other frameworks like Ramaze, Merb, Cuba, or Renee.

Now, we have another: Scorched. Here’s what it has to say about itself:

Scorched is a true evolutionary enhancement of Sinatra, with more power, focus, and less clutter.

This looks to be true. Here’s a Hello World in Scorched:

require 'scorched'
class App < Scorched::Controller
  get '/' do
    'hello world'
run App

Here it is in Sinatra:

require 'sinatra/base'
class App < Sinatra::Base
  get '/' do
    'Hello world!'
run App

Sooooo yeah. What’s different about it then? It takes on a very anti-“full stack” philosophy:

unlike other lightweight web frameworks that attempt to hide Rack in the background, Scorched makes no such attempts, very rarely providing functionality that overlaps with what’s already provided by Rack. In fact, familiarity with Rack is somewhat of a pre-requisite to mastering Scorched.

You can do this kind of thing with Scorched, which somehow makes it feel even more low-level than Sinatra, yet higher-level than Rack:

map pattern: '/', priority: -99, conditions: {methods: ['POST', 'PUT', 'DELETE']}, target: proc { |env|
  [200, {}, 'Bugger off']

The documentation is pretty, and seems very full.

Scorched is also sponsored by Phusion, who make the popular Passenger app server.

You can get the code on GitHub, of course!

One more note: it was pointed out to me on Twitter that Scorched requires Ruby 2.0 only, and that’s true:

Scorched requires Ruby 2.0 as it makes use of a couple of new features. By the time Scorched hits v1.0, there should be little reason not to be running Ruby 2.0.

otr.js: Off The Record Protocol in JavaScript #

Before we talk about otr.js, we have to talk about crypto in JavaScript. It’s important to discuss issues with cryptography, because bugs are much more severe than in ‘normal’ code. If your Rails app has a bug, maybe some emails don’t get sent out. If your crypto has a flow, your secrets are all wide open.

So, before discussing a JavaScript crypto library, I must point you to the first line of the README:

This library hasn’t been properly vetted by security researchers. Do not use in life and death situations!

Furthermore, for more on the issues of crypto and JavaScript specifically, I refer you to this post by Matasano Security, whose opinions I trust when it comes to security.

Okay, now that we’ve got that out of the way, let’s talk about otr.js! OTR is a protocol which allows you to have private conversations over IM. As you may guess, otr.js is an implementation of this protocol in JavaScript.

There’s a lot of setup required, so please read the README, but once you’ve got it set up, it’s pretty easy to use:

var newmsg = "Message to userA."

Not that hard, right? There’s a ton of different options, though they are pretty well-documented. What is odd though, is that apparently messages aren’t encrypted at first; you must call


to make that happen. I believe this is because the OTR protocol itself allows for unencrypted messages, and otr.js seems to be a lower-level library that others will build upon, rather than something you’d use directly.

log2viz: Logs as Data for Performance Visibility #

Today, Heroku announced log2viz: a way to visualize your log data. Here’s what it looks like:


This is for one of my applications, running on Heroku. It gives you real-time updates; these graphs actually change as you watch them.

It’s pretty easy to use the version Heroku has up, located at, I was already logged into my Heroku account, and all my apps were there.

If you’d like to use your own private install, that’s easy too: just clone the repo and do this:

$ heroku create -a myviz
# create a new oauth client
$ curl -i -n -X POST \
-d "client[name]=myviz-production&client[[redirect_uri]="
$ heroku config:set HEROKU_ID=xxxxxxxx HEROKU_SECRET=xxxxxx HEROKU_AUTH_URL=
$ git push heroku master

Pretty easy! Now you have your own copy running on an app.

For more details, check out the official blog post over on Heroku’s blog: it explains more details about how it actually works.

Git 1.8.2 released #

I’m pretty sure that most of you who read The Changelog care about git. Well, yesterday, 1.8.2 was released!

Of course, linking to the commit that actually did the release isn’t mega-helpful, so here’s a link to the CHANGELOG instead.

My favorite change is this one:

The patterns in .gitignore and .gitattributes files can have **/,
as a pattern that matches 0 or more levels of subdirectory.
E.g. foo/**/bar matches bar in foo itself or in a
subdirectory of foo.

I find myself wanting this a bunch, so it’s nice to have in. I’m also pumped about ‘git check-ignore’, which helps you figure out if what you added to your .gitignore actually did what it’s supposed to do.

Discuss on Hacker News

halbert: a JavaScript implementation of HAL #

Building an awesome hypermedia API, and using HAL to do it? You might want to check out halbert.

Halbert is pretty easy to install and use, just do this:

$ npm install halbert

And then, in your code:

var parser = require('halbert').parser;
var resource = parser(json_object);

And that’s it! Of course, you’ll get an error if the JSON isn’t proper HAL.