2008-11-25 11:56:56

Driving MySQL ad absurdum

I recently discovered that apparently there are database people with an insanely brilliant sense of humour: Drizzle.

Drizzle is a clone of MySQL 6.0 where any type of useful features has been removed. Its focus lies on Simply design for ease of installation and management (sic). There is a large list of features which have been removed:

  • Stored procedures, ok, they are not usually very useful in well-designed software, or maybe they are?
  • Query caches, so that queries will have to be reparsed and reexecuted every time, slowing down normal operation significantly
  • Prepared statements, slowing down repeated operations significantly and re-opening the doors to SQL injections
  • Views, ok, I admit I have started to dislike them myself
  • Triggers, because who cares about data integrity and the likes
  • Grants, who needs permission management anyway? Any attacker should be able to enjoy full damage capability
  • Some storage engines — I think this one slipped through, as it is not a hilarious idea

At the first glance I thought that someone was about to commit a devastating stupidity, but then, reading through the web sites and source code I am now convinced that this is an artistic act, aimed at making fun of the puritan MySQL community. Someone has proved a really great class of humour, especially in the way he imitates fresh students who fork software projects despite having no idea of what they're talking about. Also, the spelling mistakes look really authentic. I had a very good laugh.

Thank you a lot, Mr. Brian Aker, you're really a great commedian of the Open Source community!


Posted by Tonnerre Lombard | Permanent link | File under: programming

2008-11-17 13:11:03

"IT-Grundschutzhandbuch" against MySQL

The so-called IT-Grundschutzhandbuch of the German federal bureau of security in the information technology (BSI) openly pronounces itself against MySQL:

Zum Schutz der Datenbankintegrität muss die Datenbank-Software über ein vollständiges Transaktionssystem verfügen, welches dem ACID-Prinzip genügt.

(In order to assure data integrity, the database software must feature a full-blown transaction system which adheres to the ACID principle.)

As it is widely known, MySQLs transaction system, which was introduced only in version 4.0, does not satisfy the ACID criteria. Since the BSI also offers the BSI Grundschutzzertifizierung, which follows the guidelines laid out in the IT-Grundschutzhandbuch, this means that in order to obtain this certification, one cannot use MySQL — at least not as a database system.

As a side note, a number of German contract partners as well as numberous government agencies require their suppliers to have a BSI Grundschutzzertifizierung.

As a rather funny side note: according to a recent analysis by Alvar Freude, it is very likely that the new E-Petition site of the German parliament will fail not only the tests outlined in its own requirement specifications as well as accessibility guidelines, but also the very IT-Grundschutz certification.


Posted by Tonnerre Lombard | Permanent link | File under: news, standards

2008-11-14 14:06:59

Migration between operating systems or countries

I noticed today that sometimes there are serious parallels in migration between operating systems, just as there are between different countries.

Windows, for example, is somewhat like Germany. It will confront you with a large amount of bureaucracy in order to approve your immigration, and will sometimes refuse it claiming blatantly that you're a terrorist. If problems arise, you have to find someone to pay to fix them, who will usually be an immigrant. On the other hand, it lets go of you rather easily. If you attempt to immigrate into other operating systems, it may force you to choose either one.

MacOS (Versions 10, earlier and later) can be compared to the US. You have to be rich enough to immigrate in the first place. Your appartment comes with a record of the latest speech of the President himself. When you're finally there, everyone will keep iterating how everything is shiny, but looking out into the streets you quickly realize that there are many things seriously wrong. Despite borrowing various things from other countries (the Statue of Liberty is a glamorous example), they aren't really connected. Nevertheless, everyone will tell you how much they believe in their country. When emigrating, you're declared to be one of the greedy Germans, no matter where you go.

Solaris is like the british empire. When you immigrate, you first have to come to a much higher level. But then you are granted access to the most high-valued ressources of the entire Empire, and the Lords themselves will invite you to discuss their matters with them. When leaving, a message of regret is sent after you.

Linux is very much comparable to China. If you immigrate, you're greeted at first glance, but as soon as you start to critizise, you are outlawed. People will hate you, you may even be detained. People will try to prevent you from speaking at all. Once you try emigration, you will be chased until the end of the world by people trying to bring you back to the motherland.

OpenBSD, on the other hand, is a lot like Finland. You are welcome to join the country, but don't expect anyone to approach you with immigration forms. During your life, you will have to fix a lot of things on your own, and if you're doing that well, people will whisper words of thank to you when they're sure nobody listens. In the end, however, if you emigrate, everyone will say it's good riddance. (But most will not mean it.)

NetBSD has very strong parallels to Greece. You are welcomed warm-heartedly and people will bring cookies and other food and hard drinks. You're being asked by emigrated brits if you would care for tea. During your life, everyone keeps making jokes about problems, and one day someone comes up and fixes it. Since the majority of inhabitants is old and bearded, you use to meet for sitting on a bench and laughing benevolently about the mistakes of your own and other countries. People are assoicated with the things they do, if you need help in a specific area there is always a Mister or Miss Specific Area, who will be rather difficult to get hold of. Sometimes you're even referred to the wrong Mister Specific Area, because most of the time their name is Matt. When emigrating, people give you presents for the way and don't worry, as they know you will return either way.


Posted by Tonnerre Lombard | Permanent link | File under: general

2008-11-04 11:06:44

For all Django fans

There is now an ultimate must-have for all Django fans. OMG Ponies!

Unfortunately, it appears that this pony is not even free.


Posted by Tonnerre Lombard | Permanent link | File under: programming

2008-11-04 09:32:18

SQLAlchemy: With ancient methods against modern IT

There is a small number of projects the Python developers are especially proud of: Zope and SQLAlchemy.

The fact that the Python core team deliberately keeps breaking compatibility for Zope is probably bad enough, but at least SQLAlchemy appears to work well enough with the various versions. Well, but how does it work?

The answer is: bizarre.

Never trust the database to get sequences right!

The first thing I discovered was with PostgreSQL and sequences. Some tables use sequences for creating their primary key, which is then going to be a 64-bit integer. This is done automatically by either not naming the primary key column on insert, or by using the keyword DEFAULT.

Looking through the debug output, however, items like these can be spotted:

2008-11-04 09:26:24,258 INFO sqlalchemy.engine.base.Engine.0x..d0 select nextval('data_from_box_id_seq')

This is wrong on a number of levels. At this point, SQLalchemy manually queries the next value returned by the sequence for the id column. This value is consequently used in the insert statement for the id column. This breaks the atomicity of the insert statement — rather than letting PostgreSQL handle things internally as it's supposed to, the insert statement is artificially split into two statements. Of course, this also means that two SQL operations are performed, which almost doubles the network overhead (especially over encrypted connections).

The most likely reason why this is done is to have the row ID of the newly inserted row for use in the client side object representation. However, PostgreSQL has two much better mechanisms achieving the same: Firstly, the ID can be queried using the last_insert_id operation, or, even better, everything can be handled in one statement by using the RETURNING keyword:

INSERT INTO data_from_box VALUES (DEFAULT, something, else) RETURNING id;

Prepared statements are for the weak and timid

An even more bizarre affection manifests itself in the support for MySQL. Rather than to make use of the prepared statements, which are mandated by the API specification, SQLAlchemy attempts to reproduce prepared statements in the SQLAlchemy code, and to naturalize SQL statements manually. Then, the resulting statement is PREPAREd and EXECUTEd.

This of course constitutes a duplication of functionality, and more than this, the SQLAlchemy users are now prone to SQLAlchemy prepared statement naturalization bugs which cannot really occurr in SQL prepared statements (because they are never synchronized into a string but used as-is).

Overall, it is very hard to say what the SQLAlchemy developers had in mind, but it seems clear that it was nothing useful.


Posted by Tonnerre Lombard | Permanent link | File under: broken, programming