So in Rails 3 xss is protection is built in.  This is good.  In fact, I’ve wanted to see this since I first start coding rails in the 1.x days.  I have not started any Rails 3 projects yet but I have been playing with enabling this on a Rails 2.3.8 project by using erubis and the rails_xss gem.  Switching over I found lots of problems where strings which should be safe are being escaped.  Of course I can easily mark the string as safe but I wanted to learn why this was happening.  I found that the join method does not seem to keep strings safe.

1
2
3
4
5
6
7
8

>> ("foo".html_safe + "bar".html_safe).html_safe?
=> true
>> ("foo".html_safe << "bar".html_safe).html_safe?
=> true
>> ["foo".html_safe, "bar".html_safe].join.html_safe?
=> nil
>> ["foo".html_safe, "bar".html_safe].join(''.html_safe).html_safe?
=> nil

I’ve also noticed that mail_to does not return an html_safe string.  It appears to have been fixed in Rails 3 but not correct in the rails_xss gem.

I’m planning on buying/building a new computer and I think I will install Ubuntu 10.10 on it.  My plan is to use btrfs for the first time.  Risky, but I will be taking nightly backups.  However, Ubuntu 10.10 is planning on shipping with the Linux 2.6.35 which has a severe btrfs performance regression as documented here:

• Btrfs Did Regress Hard In The Linux 2.6.35 Kernel
• maverick btrfs slow install

But besides that I’m also hoping that the I/O performance situation will be improved.  It has been very difficult to track down where the bug is but I have certainly experienced it.  I haven’t tested the patches but if they work I hope they find there way into Ubuntu 10.10

• Fix “system goes unresponsive under memory pressure and lots of
  dirty/writeback pages” bug.
• Large I/O operations result in poor interactive performance and high iowait times
• The Linux Desktop Responsiveness Patches Are Feeling Good
• Heavy Disk I/O harms desktop responsiveness
• Very poor desktop response (high latency) during I/O-load with SATA+NCQ

Running SSD’s in RAID can get very expensive very quickly.  A more cost effective solution is to have a disk RAID and use an SSD as a cache.  I’m not sure if any of these are production ready but all are worth watching:

• zfs-fuse – supports the ZFS L2ARC feature which can be used to setup an SSD as a cache for a ZFS pool.  Checksums SSD data and supports multiple devices.
  • ZIL and L2ARC cache questions
  • ZFS – zpool ARC cache plus L2ARC benchmarking
  • How stable is zfs-fuse 0.6.9 on Linux?
• bcache – a recent project for caching linux block devices. Currently only supports 1 cache device and offers no checksumming.
  • Bcache: Caching beyond just RAM
  • Want to use an SSD as cache? Now you can
• flashcache – created and released by and for facebook this at least seems to be in production. documentation is not great however.
  • Facebook releases Flashcache

It’s been a frustrating night trying to figure out how accepts_nested_attributes_for, autosave, dirtyness, and Rails versions all fit together.  Going to try and summarize my findings and hopefully I’ll get it right.

• accepts_nested_attributes_for turns on autosave
• autosave will cause any loaded associations to be saved when save for the parent object is called
• the key word is “loaded”, so a find with an include will cause the association to be loaded, and thus autosaved (took my a long time to track this down)
• in Rails 2.3.5 the association is saved regardless of dirty state
• in Rails 2.3.8 the association is saved only if dirty

In doing some work with OAuth today I cam across xAuth which is apparently supported by Twitter.  Good thing to be aware of:

• Using xAuth, an alternate OAuth from Twitter

With recent versions of Ubuntu running as Xen DomU’s I’ve noticed that the default scheduler is deadline.  I’ve read documentation that noop should be the preferred scheduler.  However, I make use of ionice, as do disk intensive programs such as fcheck.  It’s not often noted but ionice only works with the cfq scheduler and because of that cfq is probably the best default for any system.

While choosing an SSD may be difficult at the moment, other components for a solid workstation are not.  Here’s what I’ve been looking at for the past few months:

(continue reading…)

It is not uncommon for people to have performance problems with the their virtual servers and chalk it up to virtualization as the problem instead of insufficient entropy.  Running a mail server or SSL web server are particularly vulnerable to virtual servers without much entropy.  I have noticed that my virtual servers have had a lot less entropy in the past 6 months or so.  I decided to revisit what simple and effective solutions exist to solve this problem.

(continue reading…)

It is extremely difficult to keep up with all the filesystems being developed for Linux these days.  Clearly, so much activity represents an understanding that the current filesystems do not address the needs of users.  However, as is all too often the case, development is extremely fragmented with very small groups each trying to build the 1 true filesystem and thus each effort taking longer than a collaborative project.

What I want from a filesystem: snapshots, replication (local, aka RAID and network), checksums (at least optionally), compression (at least optionally), and some basic intelligence such as when a checksum fails and replication is used to get the data from another replica.  Yes, fast error recovery and good performance are important too.

(continue reading…)

• Copy Without Formatting
• FlashBlock (there’s also this FlashBlock, not sure what the practical difference is)