Blog

DfontSplitter 0.4.2 for Mac — Critical Security Update

DfontSplitter icon

Today I release DfontSplitter 0.4.2 for Mac. This is a critical security update that fixes an issue relating to the Sparkle software update framework when the update pages are served over HTTP. As of 0.4.2, the update pages are now, naturally, served over HTTPS. (It was more than five years ago when the last release was made!)

The vulnerability means that in a scenario where an attacker could launch a man-in-the-middle attack during a Sparkle-enabled app’s update detection process, arbitrary JavaScript could execute in the WebView hosting the release notes. Due to the context that the WebView runs in, the app could then be convinced to run local files, expose local files to a remote server and even execute arbitrary code. More details and a full breakdown are at the post on Vulnerable Security.

This update fixes the Sparkle-related security issue by updating Sparkle and requiring HTTPS for all future DfontSplitter app update communications. Due to new build requirements in Xcode 7.2, the application now requires at least OS X Snow Leopard (10.6) and a 64-bit Intel processor.

The automatic updates feature within DfontSplitter should detect the update, but you can also download and install it manually.

Thanks to Kevin Chen for pointing out the existence of the issue with Sparkle and that it affected DfontSplitter. I had somehow missed the original reporting of the vulnerability, so I particularly appreciate Kevin bringing this to my timely attention.

The astute among you may note that in the Info.plist for this update, I explicitly disable the OS X 10.11 SDK’s check for HTTPS forward secrecy in the HTTPS communications to the update server. Once I figure out a cipher suite configuration that I am happy with, and understand, in Pound (my reverse proxy acting as the TLS terminus), I will update the app again to require forward secrecy.
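As an added example (not DfontSplitter's own code, nor Sparkle's), here is a Python check over an Info.plist that flags the two weaknesses this post talks about: an update feed that is not served over HTTPS, and an App Transport Security exception that switches the forward-secrecy requirement off. `SUFeedURL` and the `NSAppTransportSecurity` keys are the real Sparkle and ATS keys; the plist itself and the host name are constructed for the example.

```python
import plistlib
from urllib.parse import urlparse

# Constructed sample Info.plist (not DfontSplitter's real file): a Sparkle
# feed URL plus an App Transport Security exception that turns the
# forward-secrecy requirement off for the update host, as the post describes.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>SUFeedURL</key>
  <string>https://updates.example.invalid/appcast.xml</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>updates.example.invalid</key>
      <dict>
        <key>NSExceptionRequiresForwardSecrecy</key>
        <false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

def audit_sparkle_plist(plist_bytes):
    """Return a list of findings about the update-related keys in an Info.plist."""
    info = plistlib.loads(plist_bytes)
    findings = []
    feed = info.get("SUFeedURL")
    if feed is None:
        findings.append("no SUFeedURL: feed is set elsewhere or Sparkle is unused")
    elif urlparse(feed).scheme != "https":
        findings.append("SUFeedURL is not https: release notes can be tampered with in transit")
    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads is on: ATS protections disabled app-wide")
    for host, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{host}: insecure HTTP loads allowed")
        if exc.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{host}: forward secrecy not required (weaker cipher suites accepted)")
    return findings
```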

SaveTimer

About a month ago (whoops!), I released another open source project into the wild, SaveTimer.

This was one of those “wouldn’t that be a cool idea” moments that spontaneously resulted in a modest little project. The whole thing was conceived, built and published in the space of a few hours!

Save Timer

SaveTimer screenshot

Notify a user if they have not saved in a ‘watch directory’ for a certain interval.

Basic Description

This is a very simple application, written in C#/.NET 4.5.2, which observes a specified ‘watch directory’ on a given interval. The most recent file in the watch directory is examined to determine its last modified time. If this is older than the specified interval time, the user is shown a message reminding them to save their work. The user can suppress the messages for an indefinite period of time by right-clicking the icon in the “clock box”/system tray and choosing “Stop reminding me”.

This was written to support academic examination access arrangements, where users are intentionally only given access to a cut-down word processor such as WordPad, without spellcheck support. Unfortunately, WordPad does not autosave, so this application provides a regular reminder for the user to save. In this usage, the user is given a blank mapped drive to save in. In addition to the regular save reminders, the application also ensures that the user has saved in the correct directory to avoid data loss and ensure compliance with controlled conditions of where they must save.
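The check described above, as an added example in Python rather than SaveTimer's C# (this is not the project's code): find the newest file in the watch directory and decide whether a reminder is due, treating an empty directory as overdue, since the user starts with a blank mapped drive. The fixture builder and the file name `essay.rtf` are constructed for the example.

```python
import os
import tempfile
import time

def newest_mtime(watch_dir):
    """Latest modification time among regular files directly in watch_dir, or None if there are none."""
    latest = None
    with os.scandir(watch_dir) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False):
                mtime = entry.stat().st_mtime
                if latest is None or mtime > latest:
                    latest = mtime
    return latest

def needs_reminder(watch_dir, interval_seconds, now=None, suppressed=False):
    """Decide whether to show the 'please save' message on this tick.

    'suppressed' models the tray menu's "Stop reminding me". An empty directory
    means nothing has been saved at all, so it counts as overdue."""
    if suppressed:
        return False
    now = time.time() if now is None else now
    latest = newest_mtime(watch_dir)
    if latest is None:
        return True
    return (now - latest) > interval_seconds

def build_sample_watch_dir(file_mtime=None):
    """Constructed fixture: a fresh temp directory, optionally holding one file stamped file_mtime."""
    watch_dir = tempfile.mkdtemp(prefix="savetimer-")
    if file_mtime is not None:
        path = os.path.join(watch_dir, "essay.rtf")
        open(path, "w").close()
        os.utime(path, (file_mtime, file_mtime))
    return watch_dir
```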

SaveTimer logo

SaveTimer logo (the Dashicons clock, licensed under GPLv2 or later with font exception)

At the risk of sounding immodest, one of the most enjoyable things about this project was jumping right back into the C#/.NET environment, with which I have spent less time recently, and discovering that I still had all of the intuition of how to build the functionality I desired. Perhaps this is a testament more to Visual Studio’s IntelliSense suggestions and the simplicity of the application, rather than my memory, but it nevertheless was a rewarding feeling to quickly go from zero to an app that does a specific task quite well!

I’m also pleased to say it ran in… shall we say, production… without causing any issues. If it saves one piece of work, I think it will be worth it!

SaveTimer is released under the GNU GPLv3 or later. The code is available on GitHub and you can also download a ready-to-run executable, if you have .NET 4.5.2 installed. No installer required!

Cautious Unattended Upgrades

I’m very excited to have put the ideas mentioned in my previous blog post about Cautious Unattended Upgrades into practice!

To quickly recap, the idea is a software package that, on a Debian-based test system (“the canary”), installs the latest security updates, runs an automated browser-based test suite to make sure these new updates have not broken any critical functionality on our clients’ sites, then ‘pushes’ just these package updates to the production servers.

In keeping with my original plan, the software is written in Ruby and uses Watir/Selenium WebDriver to run a suite of tests that verify, just as a human being would in a live web browser, that client websites work correctly.

A canary — as in “the canary in the coal mine”

Cautious Unattended Upgrades — the canary in the coal mine. Image by stevep2008 on Flickr, licensed under CC-BY 2.0.

I was expecting the biggest challenge would be getting this browser automation side of things working, but actually that proved very easy, which is a testament to the design of those projects.

The software is still a little rough around the edges, as I explain in the README file on GitHub, but I’m very pleased with the project’s progress. We have put it into use on our live systems at Van Patten Media, so we can keep servers promptly up-to-date with security patches without our intervention, but retain a greater peace of mind that our clients’ sites are still working as they should post-upgrade. (This is of course dependent on the quality and breadth of the tests that we write!)

I am particularly excited that this marks the first ‘real’ project in Ruby that I have written. Ruby isn’t a platform I have worked with too extensively before, so I have enjoyed challenging myself to be exposed to a different environment and quickly pick up how to achieve what I want to do. There is definitely more work to do — it really should be organised in a slightly more ‘Ruby-like’ way, and perhaps become a proper Ruby Gem, listed on rubygems.org, so those are things I will be looking at over the longer term for this project.

If you are interested in using Cautious Unattended Upgrades, or contributing to making it better, the project is licensed under a BSD-style licence and the code is available on its GitHub project page.

Total Slider 2.0

Total Slider Banner

I am very excited to be able to announce that Total Slider 2.0 has been released!

Version 2.0 is a significant milestone in the plugin’s history, and brings a very important behind-the-scenes change to the way your slide information is stored. In addition to that, and a lot of cleanup work in the code itself, there is now the capability of having draft slides as well as auto-saving of those drafts, making it much more difficult to lose data!

Total Slider 2.0 draft functionality

Being a side project that has to fit in around my day job and other work, this has taken much longer to get out there than I would have liked, but I am very happy with the result. The particular challenge of making sure the data format upgrade goes without a hitch involved some extensive testing, but I’m pretty confident (about as confident as you can be!) that the upgrade process will be very smooth. In the unlikely event there is an issue, you can roll back the plugin to v1.1.5 without any loss of data. Obviously, taking a database backup is a good idea, though! 🙂

With this big infrastructure change out of the way, I’m looking forward to the future of this plugin. I hope we can deliver more graphical goodness (a slider template previewer would be nice!) and a greater variety of templates that ship with the plugin to support the different preferences people have for their sliders.

It’s really exciting to finally get this released to the 1,000+ active users (according to its WordPress plugin page) this software has, and I’m looking forward to making it even better as and when I can!

You can download Total Slider from the WordPress Plugins Directory.

5.0

As I move closer to the significant milestone of one decade of having this personal blog, I felt that it was time for a significant overhaul of the look and feel of this site, as well as some of its non-blog post content.

Enter the 5.0 release! 🙂

Responsive and Refined…


Rather than evolving the existing stylesheet and making changes, I actually started over, using a new SASS-based CSS workflow. If you look really hard, you will see bits and pieces of the old CSS hanging around that I have migrated forward for the moment. In the fullness of time, though, any of the old code should be gone!

The result is a site that is truly responsive — it is designed for small screens first, then it scales up to larger displays, rather than having a full-size only layout, but removing content for display on smaller screens. I did have a retro-fitted responsive system before, but this approach is much cleaner and delivers a more consistent result.

PWDB 5.0 Mobile display

A Font First!

Adding to the use of Colaborate for headings from my last design refresh, this design actually débuts my first experiment with editing fonts.

Thanks to the GPLv3 licensing terms of Colaborate, I was able to take it into TypeTool, and tone down its rather characterful lowercase ‘t’ for use as body text. The result is a custom font that, while it has its imperfections with kerning and missing ligatures, is an exciting first experiment for me — putting my interest in type design to some practical use. I hope I will look back upon this first experiment with embarrassment later on when I have learned so much more, but for the moment it is very gratifying to have something to say “I did this” about!

You can download my source files for this font. This font, as it is based on Colaborate, is also licensed under the GPLv3 with font exception.

A More Modern Portfolio

The content on my Portfolio page had definitely aged, and was long overdue an overhaul. It now focuses on four main areas — Devops and Automation, Systems Administration, Web Development and Software Development.

More to Come!

As mentioned, this is a big change, but that doesn’t mean I am done! There are various other places where older content and design still might be evident, and I hope to get to more in the coming weeks.

Working on Total Slider 2.0

Total Slider Banner

I’ve been fortunate this week to have a little time to work on Total Slider, my (and Van Patten Media’s) open source WordPress plugin for making those neat little slideshow things, like so:

Example Total Slider slider

I have been meaning to get to this project again for a while, so it is great to get a moment or two to give it the love and attention it deserves.

My focus thus far has been on a complete overhaul of Total Slider’s data storage format — away from wp_option records and towards a custom post type.

This change is not only the right thing to do to clean things up and follow best practices, but it opens doors to other neat features that will make Total Slider feel like it fits into the WordPress Way even more. Without making undeliverable promises, I’d love to see automatic saving of slide drafts make it into 2.0! 😉

One of the things I have found that is pleasing is that much of the code I have already written is sufficiently abstracted that ripping out the fundamentals of the data format has been a lot less painful than it could have been!

It is nice as well to use this blog for one of its original purposes, to give updates on the projects I am working on. 🙂

You can follow progress in the unstable branch on the project’s GitHub page.

Announcing Total Slider

Total Slider icon

I’m really pleased to announce that the WordPress plugin I have been working on with Van Patten Media, Total Slider, has now been released!

Total Slider is a plugin for WordPress from Van Patten Media that will transform your experience with sliders forever. Build your own templates in PHP and CSS, then preview the output in a beautiful WYSIWYG interface designed to blend seamlessly with the WordPress core.

Total Slider is released under the GNU GPL version 2 or later. We’d love your feedback, ideas, bug reports, translations and more.

Here is a quick 2-minute video introduction:

You can find out more at TotalSlider.com, and download Total Slider from the WordPress plugin directory.

The Very Simple PayPal Bridge

Just a quick note to say that I’m proud to announce the release of some more open source code, as part of my collaboration with Van Patten Media.

The Van Patten Media Labs site has all the details of the Very Simple PayPal Bridge — a simple way to connect to the PayPal API.

Interacting with the PayPal NVP API is something that a lot of e-commerce websites need to do. If you’re writing your own code for a bespoke e-commerce solution, rather than shoehorning in generic ‘Shopping Cart’ software, there is quite a lot to think about in order to communicate successfully with the API and provide a great payment experience for the site’s customers.

The Very Simple PayPal Bridge is a PHP class that, as the name suggests, provides a very simple interface for the PayPal NVP API.

In any situation where you need to interface more directly with the PayPal API, the VSPB provides a clean interface for the other layers of your code, dealing with all of the implementation details of sending requests via cURL, encoding and decoding the arguments, as well as offering full support for graceful error handling with PHP exceptions. It is great as a lower-level component of a wider PHP e-commerce solution.
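The request encoding and response decoding a bridge like this has to take care of, as an added Python example (not the PHP of the Very Simple PayPal Bridge itself): NVP requests are URL-encoded name/value pairs, and responses carry an `ACK` field plus numbered `L_ERRORCODEn`/`L_LONGMESSAGEn` entries, which is what makes graceful error handling via exceptions possible. The `ACK` and `L_*` field names are the NVP API's; the sample response bodies below are constructed, not captured from PayPal.

```python
from urllib.parse import parse_qsl, urlencode

class PayPalNvpError(Exception):
    """Raised when an NVP response reports ACK=Failure or FailureWithWarning."""
    def __init__(self, errors, correlation_id=None):
        self.errors = errors
        self.correlation_id = correlation_id
        super().__init__("; ".join(f"{e['code']}: {e['long']}" for e in errors))

def encode_nvp_request(method, credentials, version, **params):
    """Build the URL-encoded body for one NVP call (METHOD, VERSION, credentials, parameters)."""
    fields = {"METHOD": method, "VERSION": version, **credentials, **params}
    return urlencode(fields)

def decode_nvp_response(body):
    """Parse an NVP response body; return its fields on success, raise PayPalNvpError on failure."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    ack = fields.get("ACK", "")
    errors = []
    i = 0
    while f"L_ERRORCODE{i}" in fields:          # error list entries are numbered from 0
        errors.append({
            "code": fields[f"L_ERRORCODE{i}"],
            "short": fields.get(f"L_SHORTMESSAGE{i}", ""),
            "long": fields.get(f"L_LONGMESSAGE{i}", ""),
            "severity": fields.get(f"L_SEVERITYCODE{i}", ""),
        })
        i += 1
    if not ack.startswith("Success"):
        fallback = [{"code": "?", "short": ack, "long": f"unexpected ACK {ack!r}"}]
        raise PayPalNvpError(errors or fallback, fields.get("CORRELATIONID"))
    fields["_warnings"] = errors   # SuccessWithWarning still carries L_* entries
    return fields

# Constructed sample responses for the example (not real PayPal traffic).
SAMPLE_OK = ("TIMESTAMP=2012%2d01%2d01T00%3a00%3a00Z&CORRELATIONID=abc123"
             "&ACK=Success&VERSION=85.0&TOKEN=EC%2dTEST")
SAMPLE_FAIL = ("ACK=Failure&CORRELATIONID=def456&L_ERRORCODE0=10002"
               "&L_SHORTMESSAGE0=Security%20error"
               "&L_LONGMESSAGE0=Security%20header%20is%20not%20valid"
               "&L_SEVERITYCODE0=Error")
```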

For more information, see the post on Van Patten Media Labs and check out the code at GitHub!

New Year, New Site Design

A change of scenery here at my personal site has been long overdue, I think, so I’m pleased to usher in 2012 with a refresh of the site’s design!

A screenshot of the new site design

Keeping Things Compact

The first thing you’ll likely notice is the new compact, fixed header, with the navigation to the major parts of the site. It stays fixed in place, so you can always get back to any of those pages at any time. (It also swaps out the legacy image gradients for exciting new CSS3 gradients where available!)

Who Shot the Serif?

I have also moved away from Bitstream Charter/Georgia as the main font around the site, in favour of Helvetica Neue/Helvetica/Arial, combined with the existing accents of Gill Sans (where available!) for the headings. I think the site now has a more contemporary feel — and reads particularly well on devices where Helvetica Neue is available, like the iPad.

There is also a new webfont in use for the ‘Peter Upfold’ text in the header — Charis SIL (generously licensed under the SIL Open Font Licence).

Practising What I Preach

Cookie picture, by amagill -- http://www.flickr.com/photos/amagill/34754258/

As a strong proponent of users having control over their privacy online, I am pleased that the Do Not Track initiative, for indicating the user’s preferences about tracking technology on the web, has gained traction in many web browsers. Because I support the rights of users to make choices about the code running in their browsers and what information it is collecting about them, I took this opportunity to begin the implementation of Do Not Track support on my site.


Amalia is Now Open Source

Amalia

I am very pleased to announce that Amalia, the content management system I helped to develop for Van Patten Media, has now been released as an open source project!

Amalia is designed to be a content management system ‘for the rest of us’ and to make it easy to manage a small website. Amalia is a database-less CMS, so it doesn’t need the complexity, maintenance, and expense of a MySQL server, making it possible to run on even many of the most limited of web hosting packages.

There are, admittedly, some missing pieces in Amalia — and it certainly isn’t perfect. I am excited, however, about the possibilities of Amalia and its future potential as an open source project. We would certainly love your feedback, ideas, Core code, plugins, and any other contributions you might want to make.

Please head on over to the project’s GitHub page for the code and to get involved. You can also check out the install guide (PDF) and an install video on YouTube.