PHP has no language design philosophy.

With Ruby/Java/Python (almost) everything is an object. Perl has its "There's more than one way to do it" swiss army chainsaw. Python has "There's one obviously right way to do it" and zen of python in the "import this" easter egg. Lisp/Haskell/Erlang all have their (purely)functional related philosophies. PHP? Nada.

Not a general purpose language.

Really only meant for webpages. Not a general programming language. While technically you can run php from the command line and automate system tasks with it few people actually use it that way with shell, perl, python preferred instead. I have never downloaded a command line app to find that it is written in PHP. Being able to use the same language for web programming and, say, system automation is a handy way to amortize that learning curve over a number of projects.

Code embedded in HTML is bad

Originally started out as a way to embed basic site counters and such in HTML. It took years but a few people eventually figured out templates were the way to go and started heading towards MVC with templates etc. But far too many people still write PHP intertwined with HTML making a real mess.

Terrible security history

Long a major complaint against PHP and very sensitive subject to PHP programmers. Before flaming me go patch your Wordpress instance. You know it needs it.

The infamous register globals functionality is where people always start when complaining about PHP security. It took years but most people have moved away from using them, especially after it was turned off by default in 4.2. But why did anyone ever think it was a good idea in the first place?

I saw quite a few php apps get owned by the xml-rpc flaw in the 2005-2007 timeframe.

In 2007 it was discovered that you could insert PHP code into a gif name it image.gif.php and get it executed on many sites. Oops. Another instance where parsing your code out of content being served up (instead of separate of logic and presentation via templates) was a big mistake.

I am yet to see anyone religiously use prepared (aka parameterized) statements in PHP. While you can code sql injections in almost any language that speaks SQL to an RDBMS many other languages/frameworks do it differently by default. PHP's default database interface seems to encourage SQL-injections. The magic quotes hack is just an ugly band-aid. Same for addslashes(). Compare that to Java where you have Command and Parameter objects or can abstract away the SQL generation with Hibernate. Or compare it to Python/Django which also has an ORM. Or to Ruby with its Rails ORM. Or Zope/Plone with its object database and the inherent impossibility of SQL injection no matter what the programmer does.

And who can forget all of the file inclusion vulnerabilities? Remote file inclusion even! There have even been instances of code injection into PHP regexes via null bytes.

PHP wildly mixes code with strings all over the place causing this mess.

The latest trend is exploitation of memory corruption bugs in the PHP interpreter itself. You might think that because you are using an interpreted language you don't have to worry about pointer mishandling, buffer overflows, etc. But it just isn't so. And PHP has such issues. There are right now undisclosed remote exploits which have not been revealed to the public and have not been patched in the PHP interpreter. There will be a talk on this given at SyScan Singapore 2010.

You can say that all of this security attention is due to simply being a very popular language for implementing webapps if you like (although popularity leading to exploits is one of my favorite myths to bust) but it doesn't change the fact that there are a lot of problems which either don't exist or are simply less likely to be exploited in other languages/frameworks.

Be sure to keep an eye on http://php-security.org at least to know what you are up against.

PHP is almost everyone's first web programming language

This may hurt the feelings of a lot of PHP programmers whose business cards say "Software Engineer" but it is an important part of the argument.

Far too many people pick up a PHP tutorial, start coding knowing nothing about software development best practices or security issues, and turn loose some code on the net. This has nothing to do with the language necessarily but a lot to do with the community surrounding it. They are typically either newbies or at the very least not nearly as wise as they think they are.

If PHP is the only web programming language you have much experience with you have a problem.

ReST? MVC? Unit tests? What are those? I know that there are a few PHP programmers out there who practice these things but I have never met one personally.

Too many people start with PHP but then never graduate to any of the other languages/frameworks.

http://dev.mysql.com/tech-resources/articles/security_alert.html

and the Linux on MIPS router exploit from last year:

http://blogs.zdnet.com/security/?p=2972

and the Apache on FreeBSD worm:

http://news.cnet.com/2100-1001-940585.html?tag=fd_top

and the recent Linux router based botnet:

http://www.computerworld.com/s/article/9159758/Chuck_Norris_botnet_karate_chops_routers_hard

they are clearly trying anything that is exploitable including the very obscure software platforms. I just don't buy the idea that they only go after Windows because it is the most common. That is just where the low hanging fruit is and has the most exploits.

Software design has got to have something to do with it and being forced to maintain decades of backwards compatibility and poor design decisions as part of holding onto their monopoly has got to complicate things for Microsoft.

I actually like reading about Linux based appliances with poor security defaults being attacked. It really shoots down the whole idea that only Windows is targeted and that this is because it is the most popular. Notice that the primary way in which Linux systems are being attacked is misconfiguration or poor choice of password. Both are easily remedied issues. Actual exploitable implementation flaws are more rare than in Windows and actual design flaws rarer still.

On March 21st, 2009 (Yes, I'm a little behind in my blog entries!) I flew my wife and three of her friends to Catalina Island in Plus One's Cessna 210 N210BX. Catalina Island is one of the "Channel Islands" about 30nm off the coast of Los Angeles. We departed from Montgomery Field (KMYF) in San Diego which is 76nm away from the island. This is usually about a 40 minute trip since I like to climb up high going out over the ocean. This is a fun place to fly to for various reasons. I have flown out there probably 20 times by now.

From a pilot's point of view the trip out over the ocean is something you don't get to do often unless you fly the international big iron. There's something cool about seeing only water in any direction. Aside from my many Catalina crossings, the only other time I have flown across a long stretch of open water is when I had to fly due west across the Sea of Cortez from Culiacan to La Paz. There was a tropical storm to the north of Culiacan on my way to San Diego from a friend's place south of Puerto Vallarta.

Originally constructed in the late 1930's, the Catalina airport itself is on top of a mountain. Each end of the runway is practically a sheer cliff. The runway has a hump in the middle so that when touching down (or departing) you can't see the other end. Rumour has it that pilots have been known to think the peak in the middle of the runway is actually the end of the runway and slam on the breaks or initiate a go-around. Since it is often impossible to tell if someone is departing the runway going the opposite direction it is very important to use the UNICOM (local airport radio communications frequency) to be aware of what is going on and announce your intentions. The field has no official tower or controller but there is a tower of sorts above the terminal building where you go to pay landing fees and book transportation down to the town. There is usually an employee in there monitoring the UNICOM who will announce winds and help out within their abilities. The winds around the island can be tricky as you can get up and down drafts right around the cliffs on each end of the runway.

And then there is the fact that the airport itself is at 1,600' MSL (Mean Sea Level) elevation. And that is what made this day's trip more interesting.

We got a rather late start due to the low marine layer clouds that often cover the coast. I am a current instrument rated pilot and our 210 is a capable airplane with IFR instrumentation and a Garmin 530 so normally a marine layer is no problem. But if the clouds start at 1,900' MSL as they did on this day and Catalina Airport is already all the way up at 1,600' MSL that means there is only 300' of clearance between the runway and the bottom of the clouds. That is not enough room to safely get there and maneuver to a landing.

The combination of warm landmass and/or a light breeze often produces a bubble of higher ceilings over the island. On this day I met a pilot who had flown at about 1000' MSL the whole way over all that ocean (from LA but I know people have done this from San Diego too) and then quickly climb as they approach the cliff-face at the end of runway 22 at Catalina entering that bubble of higher ceilings immediately over the island just barely clearing the cliff making it up to runway level and then plop it right down on the deck. But that's not for me. Nor do I recommend it for anyone else. If you have a problem at 1000' over the ocean you have little time and even fewer options. Not only does this risky maneuver likely violate VFR (Visual Flight Rules) cloud clearance requirements but it leaves too few options should anything not go exactly as planned. Any go-around is likely to involve going into IMC (Instrument Meteorological Conditions). I insist on a normal, stabilized approach to landing. Lack of pilots choosing to go around has cost the club some bent aircraft in recent years. It is never a good idea to do anything which would preclude the ability to go around. Recall that the number one cause of weather related general aviation accidents is VFR into IMC.

So we waited. Some of us more patiently than others. A pilot must resist get-there-itis, especially when it comes from passengers, even if that passenger is the pilot's wife. Eventually the weather reported that the ceiling was 500' above AVX which put it at 2100' above sea level. Departing Montgomery Field (KMYF) in San Diego with a VFR-on-top instrument clearance to OCN (Oceanside) VOR (Variable Omni-range, a navigation beacon on the ground) we climbed up through the clouds, canceled our IFR clearance upon reaching clear skies, and then on up to 8,500' for the cruise out there. I was hoping that things would begin to clear during the flight to the island. As the surface of the island warms it will often burn a hole through the marine layer and sometimes you will find the island sitting in the clear surrounded by clouds. I knew this was unlikely to happen on this day as the temperature was just too cool. But I had a plan B and plan C.

We agreed before take-off that when we got to Catalina Island if there was no way to get down in clear skies I would attempt the VOR instrument approach to landing. That was plan B. And if that didn't get us down into clear view of the airport we would execute the missed approach procedure, get back on top, and then we would fly about an hour to the east and spend the day in Palm Springs instead of Catalina. This was plan C.

I have always considered the VOR approach to Catalina Island to be a fairly useless approach and never expected it would really get anyone below a marine layer. The airport is at 1,600' MSL. With this instrument approach you can get down to 2,440' MSL over the airport. This means you need at least 840' between the clouds and the runway. The marine layer is usually lower than that. When we departed it was reported that there were 500' ceilings.

Having descended from cruise altitude down to around 4,500' and approaching where my calculations told me the island should be and seeing nothing but clouds I advised SoCal approach that I would need an IFR clearance for the VOR-A approach to Catalina while beginning to slow the airplane from cruise speed to approach speed. They cleared us for the approach and with the missed approach procedure in mind and ready to execute we passed over SXC VOR nearing 90kts and tear-dropped into the holding pattern for a turn for alignment with the approach and started a descent down to 2900' which plunged us down into the clouds. There are only 1.6 nautical miles between the FAF (Final Approach Fix) to the MAP (Missed Approach Point) with an MDA (Minimum Descent Altitude) of 2440'. If you have the airplane slowed down to 90knots for the approach you have one minute and four seconds to descend from 2900' to 2440' which means you have to descend at 431 feet per minute to reach the MDA on time. If you go faster you must descend faster and have a smaller margin for error.

Upon passing the SXC VOR (which marks the FAF) inbound we turned to heading 352 degrees while keeping one eye on the time (counting down 1m and 4s), one eye on DME (Distance Measuring Equipment, to tell us when we are 1.6nm from the Catalina VOR on a mountaintop nearby the airport as a cross-check to the time), one eye on the attitude indicator (to keep us right-side up inside the clouds), one eye on the airspeed indicator (trying to maintain 90knots to make all the math work out correctly) and one eye on the compass trying to maintain 352 degrees. You didn't know instrument pilots have 5 eyes? They do. And at least as many hands.

Just as we passed through 2500' MSL we could see the ground. A few seconds later we were at 2440 and the airport had come into view off to our right. Ideally we would have come out right above it. With only 1.6 miles you don't have much room to get lined up on your outbound radial or established on your compass heading and we actually ended up passing just slightly north of the VOR on our way inbound according to the GPS which I suspect is what did it. We made a right turn into the downwind leg of the pattern while simultaneously calling SoCal to cancel our IFR clearance since landing was assured, announced our presence to any other local traffic on the UNICOM frequency (no control tower at this airport), ran a GUMPS (pre-landing) check one last time (landing gear had already gone down at the FAF), made a couple more turns in the pattern and gently squeaked the wheels onto the pavement. Mission accomplished! Apparently, my wife had been doubting our ability to land when we arrived to find the island cloud covered. She excitedly pointed out the airport when it appeared and upon exiting the aircraft I was promptly declared her “hero”!

Unfortunately, it was now around noon. The airport would close at 5pm after which no more takeoffs would be allowed. While open to the public this is actually a privately owned airport and has somewhat restricted hours. We planned to go back that same day. After landing I paid the $25 landing fee and then bought the five of us $25 round-trip van tickets for a 30 minute van ride down the mountain to the coastal town of Avalon, the only town on the island.

We had three hours to look around. It's a small place and you can walk from one end of the main drag to the other in 15 minutes. But the ladies spent a lot of time in each little gift shop along the way. We walked around town and ate buffalo burgers and oysters at a local burger joint with some sort of tropical island theme whose name I don't recall. I've eaten at nearly every restaurant on the island it seems. Many pictures were taken. By the time we had lunch and made it from the docks on one end to the historic "Casino" (not a place of gambling, simply entertainment) on the other it was time to head home. As usual, we got a pretty good look at some buffalo along the winding road from the airport to town and on the way back up. The island was the greenest I have ever seen it due to the recent rains. I also saw a number of scorched tree trunks from the wildfires they have had there in the last couple years.

At 4pm we met the van for the ride back up the mountain to the airport. The van left a few minutes late and we stopped to look at some buffalo on the way up. So we had around 20 minutes to get off the ground. While the passengers made final bathroom breaks and got themselves situated in the plane I did the pre-flight. Then hop in for the start checklist, start, taxi, final takeoff checks, and we were off the ground with only a couple minutes to spare. It was tight but we made it.

After takeoff we were still underneath the marine layer although it was higher now than when we arrived. A few miles from AVX I called SoCal for an instrument clearance to Montgomery so we could get above the clouds for a safe open-water cruising altitude. This was quickly granted and up we went through the clouds. The rest of the the flight back to Montgomery was uneventful aside from nice scenery. The clouds had mostly cleared by the time we got back although I stayed on the IFR flight plan and flew the ILS (Instrument Landing System) into MYF for a smooth landing and happy conclusion to a successful day-trip to Catalina Island.

http://twitter.com/tracyrreed

How could this be? One of two things must have happened:

1. A web app was compromised - Unlikely, but possible. I don't run any PHP and I don't use anything which isn't very careful about avoiding shell/sql injection exploits etc. A lot of my stuff is protected by SE Linux which should prevent web apps from talking to the mail system but not everything.
2. Someone compromised a users password - This is possible. People do dumb things with their passwords all the time.

So I fire up tcpdump and see a lot of traffic coming in via an authenticated SMTP session. I check the mail logs and notice that a particular user is authenticating from an IP address behind an Internet satellite link provider ("Spaaaam frooooom spaaaaaaaaace!" Thank you, Muppet Show) which is very unusual. So a quick iptables firewall rule to block off that IP address and a password change for that user and the spam stops. Then I whip up a quick shell script to clear the mail queue of all of the pending spam. Everything is back to normal.

I instant message the user in question and let him know what happened. The conversation went like this:

(05:48:35 PM) Tracy: I had to lock your email account on my server
(05:48:43 PM) Tracy: Someone guessed or stole your password and was using my server to send spam
(05:49:46 PM) Tracy: If you use that password anywhere else you need to change it
(05:51:12 PM) User: Oh really. It was studball. Thanks
(05:51:23 PM) Tracy: hmm...I doubt they would have guessed that.
(05:51:34 PM) Tracy: So I bet your windows computer or somewhere else where you have typed
                     that password in was compromised.
(05:51:38 PM) Tracy: You need to check that out.
(05:52:27 PM) User: Did it just start happening today or yesterday?
(05:52:41 PM) Tracy: Just today at 1:30pm my time which is 4:30pm your time
(05:59:41 PM) User: I checked my email about that time too.
(06:02:57 PM) Tracy: What computer did you check it on?
(06:03:11 PM) Tracy: Did you type in your password on that computer at that time?
(06:04:22 PM) User: windows. Yes I did. And I also choose save password.
                    My computer was acting slow today also. So I think it may be a worm.
(06:06:54 PM) Tracy: Yep. I bet that's it.
(06:07:33 PM) Tracy: You need to unplug that thing from the network asap.
(06:07:38 PM) Tracy: Then wipe and reinstall the operating system.
(06:10:19 PM) User: I will have to do that tonight when I get home.

So once again Windows bites me and I don't even use it myself. My server may be on email blacklists as a spam sender now. Hopefully not since I caught it quickly.

The funny thing about this is that from the user's point of view I have not done him a favor. I have only caused him a problem. Everything worked fine and his world was happy until I contacted him. He was not really inconvenienced in any way that he noticed at the time. What does he care if his computer sent his password to someone else so that they can use it to send spam through someone else's server? And now he has to change his password (I already changed it once for him) and reinstall his computer (although I seriously doubt that will happen and the infection will persist). I am reminded of "Typhoid Mary". The cost of lax computer security is a complete externality for most people which usually costs the insecure person/system nothing noticeable. So goes computer security apathy.

Why am I saying "Yeay!" about a Linux worm? Read on...

I've been a Linux fan for 15 years. Linux has always had good security and it is constantly improving. Much better than certain OTHER operating systems. We have always been proud of the lack of virus/worm infections in Linux. But there were always those who said that this was only because Linux was so small that nobody bothered to target it.

This hasn't been true for a long time but now they definitely can't say that anymore. Linux is big enough to be worth targeting. Not only that but Linux is big enough that they are targeting the very small and specific niche of Linux running on MIPS cpu devices!

In order to get infected by something like this you really have to open yourself up and let it in. This has always been the case for many years now and nothing new: If you allow root logins from the net and your root password is "root" you are going to be owned. Contrast that with another OS which recently only required that a specially malformed PDF merely get downloaded onto your machine (not even viewed) to become infected. But now there are enough Linux users out there that enough of them set things up with an ssh or telnet running on the WAN interface with a default or very simple guessable password that they are being actively targeted. Linux has hit the big time and this sort of "exploit" is still the best the worm authors can do.

Yeay!

This sort of thing is why I feel very good about selling and supporting RedHat Linux. You won't find any other OS vendor offering an honest look at the security of their software or producing such metrics.

RedHat Linux includes server, desktop, email, and web browser software which are all included in this analysis. In a production server one would only install a fraction of these software packages which removes many potential vulnerabilities.

Executive Summary: Top three riskiest packages and sources of potential security problems were mozilla, firefox, and thunderbird. These are all desktop software which provide very complicated functionality (thus more potential for bugs) which will not be found on a server. The riskiest server package was PHP (used to implement CMS systems like Drupal and Joomla) which has a special section of the report just for it. Over the past 4 years there was not a single worm/virus that affected RedHat Linux as long as you don't use PHP.

None of my webservers are running any of the packages which have had critical problems. So in theory I could have run my servers for the last 4 years and not patched a single time and been ok.

Update: I guess I should be worried! Robert Donovan emailed: http://www.kernel-panic.org/pipermail/kplug-list/2009-March/106765.html

HARTMAN stops in front of PYLE and notices his footlocker is unlocked. He picks up the lock and holds it up to PYLE.

HARTMAN: "Jesus H. Christ! Private Pyle, why is your footlocker unlocked?"

PYLE: "Sir, I don't know, sir!"

HARTMAN:  "Private Pyle, if there is one thing in this world that I hate, it is an unlocked footlocker! You know that, don't you?"

PYLE: "Sir, yes, sir!

HARTMAN: "If it wasn't for dickheads like you, there wouldn't be any thievery in this world, would there?"

PYLE: "Sir, no, sir!"

HARTMAN: "Get down!"

PYLE steps down, from the footlocker. HARTMAN flips open the lid with a bang and begins rummaging through the box.

HARTMAN: "Well, now .. . let's just see if there's anything missing!"

HARTMAN freezes. He reaches down and slowly picks up a  jelly doughnut, holding it in disgust at arm's length with his fingertips.

HARTMAN: "Holy Jesus! What is that? What is that, Private Pyle?!"

PYLE: "Sir, a jelly doughnut, sir!"

HARTMAN: "A jelly doughnut?!"

PYLE: "Sir, yes, sir!"

HARTMAN: "How did it get here?"

PYLE: "Sir, I took it from the mess hall, sir!"

HARTMAN: "Is chow allowed in the barracks, Private Pyle?"

PYLE: "Sir, no, sir!"

HARTMAN: "Are you allowed to eat jelly doughnuts, Private Pyle?"

PYLE: "Sir, no, sir!"

HARTMAN: "And why not, Private Pyle?"

PYLE: "Sir, because I'm too heavy, sir!"

HARTMAN: "Because you are a disgusting fatbody, Private Pyle!"

PYLE: "Sir, yes, sir!"

HARTMAN: "Then why did you hide a jelly doughnut in your footlocker, Private Pyle?"

PYLE: "Sir, because I was hungry, sir!"

HARTMAN: "Because you were hungry?"

Holding out the jelly doughnut, HARTMAN walks down the row of recruits still standing with their arms outstretched.

HARTMAN: "Private Pyle has dishonored himself and dishonored the platoon! I have tried to help him, but I have failed! I have failed because you have not helped me! You people have not given Private Pyle the proper motivation! So, from now on, whenever Private Pyle fucks up, I will not punish him, I will punish all of you! And the way I see it, ladies, you owe me for one jelly doughnut! Now, get on your faces!"

HARTMAN: (to PYLE) "Open your mouth!"

He shoves the jelly doughnut into PYLE's mouth.

HARTMAN: "They're paying for it, you eat it!"

HARTMAN turns to the recruits.

HARTMAN: "Ready . . . exercise!"

The platoon does push-ups.

Amazon.com has them as well as Newegg.com

The EEE PC is sold with both Linux and Windows. Asus claims that there is no higher return rate on Linux netbooks and they are the number one vendor. According to Asus CEO Jerry Chen their Windows/Linux production ratio is 6:4, which means 40% are Linux.

More Linux on desktops means less Windows which means less spam/viruses/malware or similar shenannigans and that sounds good to me!

There are an amazing number of Linux based open hardware projects hitting the market these days.

Fully open hardware:

BUGbase http://www.buglabs.net/

Chumby http://www.chumby.com/

OpenMoko http://www.openmoko.com/

OLPC XO laptop http://laptop.org/

Linux powered but not necessarily hackable hardware:

Everex TC2502 Green PC http://www.walmart.com/catalog/product.do?product_id=7754614 (Wal-Mart actually sells this one in stores here in San Diego, not web-only like that silly Lindows deal)

Tivo

Snom VOIP phones http://www.snom.com

Linksys routers Eee PC http://eeepc.asus.com/en/

And many more I'm sure. I just received my Eee PC laptop which I ordered from Newegg.com for $399. It is awesome. So tiny! Very portable. Weighs less than 2lbs. 4G flash HD. 512M of RAM. Comes with office suite, firefox, thunderbird, IM client, skype, pretty much everything I need. And it is Linux with an obvious idiot-proof interface and everything works right out of the box, no configuration needed. Straight from the factory. Asus says they are selling one of these every 6 seconds. We're going to have a million new desktop/laptop Linux users before this is done. XP would technically run on it but it would be tight and it would greatly increase the price of the hardware. I really relish watching hardware become so cheap that MS cannot make money on it. :) And after what they did hiding behind SCO then Acacia and OOXML and their long history of nastiness in general I am really looking forward to watching the vice tighten around their jewels.

I have Linux on my desktop. At home and at work. Linux came preinstalled on my laptop. I have a Snom phone on my desk. Linux in my DVR. Soon I will have Linux on my mobile phone as soon as the second generation OpenMoko comes out (Looking like December but like all open community driven projects "it's ready when it's ready" and no sooner). I have Linux in my Linksys router. I may just have to pick up a Chumby so my alarm clock will be running Linux. :) Although that's a rather expensive alarm clock.

"The most profound technologies are those that disappear. They weave themselves into the fabric of everyday life until they are indistinguishable from it." - Mark Weiser, almost 15 years ago in a Scientific American article titled, "The Computer for the 21st Century."

Linux is certainly heading that way. But that is just the consumer electronics side of things. Linux is doing great things on the server side too. Over the last few years I have become a big fan of virtualization with SAN storage. I put together a system called Xen-AoE which uses the free Xen virtualization software with the AoE ethernet based SAN protocol. We are slowly populating a community based site at http://xen-aoe.org to provide howto information on setting this stuff up. Not much there yet. But keep an eye on it over the coming weeks. A former employer currently serves a lot of their critical infrastructure out of a Xen-AoE cluster. You can see it in action at http://www.drjays.com as those pages are served off of it.

 function cd {
     builtin cd "$@"
     if [ -d .svn -a -r .svn ]
        then
        DIFFS=`svn status| egrep "^M"`
        if [ ! -z "$DIFFS" ]
            then
            echo "This directory contains uncommitted changes."

So whenever I cd into a directory I get a notification if I have been
lazy and not committing things. But eventually I ran into a problem:
if the directory has lots of files in it (which my home dir always  
does) the svn status command can take several seconds to return which
is unbearably annoying since this happens with every cd. I end up
hitting ctrl-c and not seeing the message saying I have uncommitted
changes and the whole thing becomes totally ineffective.

While playing with hg I have discovered that hg has the same problem.
However, hg also has the ability to use the Linux 2.6 kernel's inotify
functionality. It can subscribe to the kernel to be told when files in
the working directory change so it doesn't have to do a brute force 
check and stat every single file. So if we put the following in our  
.hgrc:

[extensions]
inotify =
[inotify]
autostart = True

we automatically get a little hg daemon running talking to inotify
which will communicate with any hg command we invoke. So I changed my
.bashrc cd function to read like so:

 function cd {
     builtin cd "$@"
     if [ -d .hg -a -r .hg ]
        then
        DIFFS=`hg status -q`
        if [ ! -z "$DIFFS" ]
            then
            echo "This directory contains uncommitted changes."

and now my cd function works perfectly and instantaneously even on 
huge directories. However, because I have so many files in my homedir
I had to do this to make inotify handle it:

echo 32768 > /proc/sys/fs/inotify/max_user_watches

So I dumped that in my rc.local. The inotify functionality requires
the most recent version of hg to work halfway decently. And even then
occasionally runs into issues. If I do an hg clone with the inotify
turned on the clone never finishes, it just hangs. And if I modify and
then revert a file hg status -q still says that file is modified and
does so until I commit it (but there are no changes so I'm not sure
what it's committing). So inotify still has a couple bugs.

Each hg repo is totally independent and does not rely on any other  
server. But one of the great things about having a remote server for 
version control is that if my local box catches fire and is destroyed
I have a remote copy of my code. So I need to find a way to easily
push my changes to a repository on a remote server. Mercurial supports
this and you don't have to push your code somewhere else but pretty
much everyone does it because that is the whole point of distributed
version control: being able to push your changes to another
person/place for further work or just another server for storage.

Every time I do an hg init . that creates a new local repository which
needs a corresponding remote repository. This is a bit different from
svn where each local repository fits into a sort of branch or folder
in the big subversion repository on the server. So I set up a remote
account with username hg, installed my public key in
.ssh/authorized_keys and inside ~hg I have a subdir
home.copilotco.com/home/treed inside of which I have done an hg init.

Now if I want to push my home directory from my home workstaion to
this server for safe keeping I can say the following:

hg push ssh://hg@hg.copilotco.com/home.copilotco.com/home/treed

but this uri is rather long. I want to make it the default. So in my
.hgrc I can say:

[paths]
default-push = ssh://hg@hg.copilotco.com/home.copilotco.com/home/treed

So now I can clone my dotfiles and various other settings that I want
to carry around with me from that url. When I make a change on some
machine somewhere I "hg push" the change back up to the
repository. Then I can "hg pull" on any other machine which I want to
have the update. Pretty slick.

I have long entertained the idea of an online logbook and tonight I realized that I could combine that with the blog and perhaps that would give me more incentive to make blog entries if each logbook entry could turn into a blog entry also. Keeping the logbook online and the math done by computer makes things neater and verifies my math as well as allows others to more easily follow along in my flying. I still have to keep the paper copy as the official record.

But until I get that coded up let me tell you about my flying weekend: I haven't done much flying the last few months so I was out of currency. I was supposed to have made a flight last weekend to visit a friend up in LA but the weather sucked (actually, it was easy IFR weather but it definitely wasn't VFR so I could definitely have made the flight) and I wasn't instrument or even VFR current. A pilot has to make 3 takeoffs and landings every 90 days to be able to fly with passengers and I haven't been keeping up lately. He must also do 6 instrument approached plus intercepting, tracking, and holding every 6 months to be instrument current.

So yesterday I flew N738TB which is a Cessna 172 which I had never flown before. But when it comes to 172's one is really like another except for the radio setup. I haven't flown anything smaller than a BE-76 or C-210 in the last couple of years so it was fun to get back into something as simple as a 172 again. This plane is fairly nice and even has a Garmin 430 GPS. The second radio is an ancient Collins which could do with replacement. So I departed from MYF around noon and flew down to SDM and did 4 touch and go's then came back to MYF. 1.1hrs total flight time. There was a decent head/crosswind of 15 gusting to 20 knots the first couple landings but by the time I was done it seemed to have faded to nothing. The runway at SDM is very long having been a base for F-4's and other Navy aircraft in the distant past. With the strong headwind I could land on the numbers and then be off again in very little space. After the first time down that long runway I started making early turn-outs into the pattern to speed things up.

Today I wanted to regain my night currency so around 8pm I went back to the airport and fired up 8TB once again to do some night stop and go's and then flew west to Mt Soledad and up the coast at 4,500' as far as CRQ checking out the city lights. Then back for an uneventful landing. When I departed the tower at MYF was open but at 9pm they close so I returned to an uncontrolled airport. It's always fun to click the mic and make the runway lights come on. MYF has a nice and fancy approach lighting setup (there's a specific name for this setup which I don't recall) which automatically turns off after so many minutes but can be re-activated by keying the radio. So I can roll out on final and tell the pax "Watch this...*click* *click* *click* *click* *click" and hear their "Ooohh!"

So now I'm day current and night current again. But still not instrument current. The way the regulations are written I can fly "under the hood" (which is a way to simulate instrument flight in a real aircraft in visual flight conditions) with a safety pilot whose job is to look out for traffic while I'm under the hood and we can both log the time. The two pilots usually split the flight expense.