There and Back Again

I just got done with my PEAR2 unconference talk. It was well attended and I got some good feedback from Derick about the installer and got some interest from Bill Karwin about adding a PEAR channel.

I didn’t really make slides so I don’t have a lot of info to post.

But I do have a list of new features planed(or already implemented) for the Pyrus installer:

1) no installation necessary. It runs out of the box as a .phar. No go-pear.phar needed
2) most packages can be used without installation, and even upgraded later by Pyrus (try then buy scenario)
3) Pyrus is much more development/production-oriented, and will have a “deploy” command for managing deployment of development code to a production server
4) Pyrus is much smaller than PEAR, and consumes far less memory
5) out-of-the-box supported packaging formats include .tar, .tgz, .tbz, .zip, and .phar
6) PHP 5.3+-based code means it fully utilizes cutting edge PHP features such as SPL iterators, XMLReader/XMLWriter, ZIP extension, phar extension (if enabled), exceptions
7) full application support is available with the new www and cfg (configuration file) roles
Pyrus can install just about every PEAR package that uses package.xml version 2.0 without any code change to the PEAR application – you can use Pyrus to manage your PEAR packages as well

I passed the ZCE exam this morning. Wasn’t that hard of an exam, though there was lots of code reading, with little errors to detect.

The conference has been off to a slow start, but i’m in Ilia Alshanetsky’s State of PHP Security talk and it seems that were off to a good start.

The focus of the talk is on the security of the core language, the talk started with the state of PHP security at the beginning of the year. And I think the best way to sum it up is that PHP wasn’t taking a proactive enough approach. The good news is items like the Month of PHP bugs got people to react and things have gotten better.

Improvements:
Automated code analysis (Coverity)
Tests for all security bugs, and lots more tests in general (There is an IBM developer writing 10-20 unit tests a day).
Valgrind memory checking
Code coverage using gcov
Fuzzing
Giving credit to security researchers

The good news is tons of vulnerabilities have been fixed in 5.2.x series. The even better news is most of the vulnerabilities aren’t easily exploitable.

The talk made me feel better about security issues overall, its all part of PHP growing up but I wish PHP would have been taking this more proactive security approach years ago.

Ilia’s slides should be available in the next couple days from his site.

I’m starting my second day here at ZendCon, its the first real day of the conference, yesterday was a tutorial day. There were a lot of good tutorials going on, i spent my time in the Zend Certification crash course since i’m taking the test to get my ZCE today (the test was included free with the conference).

From the crash course the ZCE doesn’t seem to hard if your an experienced php5 developer, but it does seem that you need to pay attention when reading the code examples.

I had a chance to talk with a lot of people last night, it looks like the conference is off to a great start, if your here make sure to look me up.

Things have worked out for me to go to ZendCon this year (thanks Helgi). If your going to be there and want to talk about anything PEAR, WebThumb, or AJAX related let me know and we can make plans to meet up.

Also I’ll be giving a talk during the un-conference about PEAR2.