If you make the center of your world data, then everything else becomes easy.

This got me thinking.  From a computer-centric viewpoint it all makes sense.  Our machines are built specifically to store data, crunch data, and present that data to the user.

But I don’t just work with computers.  I also read a lot.  And I write a lot.  And I publish books.  And even in the computer world I spend a great deal of time working on WordPress – a tool used primarily for writing.

From the media-centric viewpoint, this argument stops making sense.  The most important piece of this blog, for example, is the content.  And that content is stored, essentially, as blobs in the database.  The data on my server consists of titles, keywords, post dates, views, comments, and other meta information that adds little value to the content itself.

This meta doesn’t provide any meaning to the data/content it’s meant to represent.  And that, is a huge failure on our part as developers.

Carlos

My freshman year in college, I took Poetry 101.  It was a great class, filled with roundtable discussions, interesting reading assignments, and daily tear-your-work-apart sessions intended to help us become better writers.

One of the best poets in our class was an older student named Carlos.  He and I shared a couple of classes, actually, so we got to know one another’s work fairly well.  He was a huge Shakespeare fan, but avoided allusions to the Bard’s work in his own. He thought it was too cliche.

His final poem for the class was particularly interesting.  It was an artistic rant against the rules of writing.  It called out the authors of the various writing guides we’d studied and criticized their narrow views of art.

One of these authors was named Mary Oliver – I checked, I still have her book on the mechanics of poetry.

In Carlos’poem, he lays out great arguments both for and against using Shakespeare references in modern poetry – and slams Oliver pretty hard for how she claimed all poems were somehow a reference to Shakespeare.  At the closing of that stanza, it almost looked like Carlos made a mistake.

On a single line he wrote: “Marry Oliver.”

Then went on to give up on respecting outside opinions and went on to his next artistic target.

Most of the class – including the professor – missed the reference.  ”Marry” was an often used curse in Shakespeare’s writing.  Using it as part of Oliver’s name was a sideways jab at her, and quite artistic in a sense.  Berating someone for overusing Shakespearean references using a Shakespearean reference.

But if you didn’t know Carlos, you would have seen a typo.  I guarantee that I took away a completely different reading of that poem than the rest of the class because I understood the context from which it was written.

Context

How do you store this kind of data about a story?  With a typical WordPress/Tumblr/MovableType/etc website, you’d put the poem in as a content string, Carlos in as the author, and 2002 as the year of publication.  You might throw in a few keywords – Shakespeare, Mary Oliver, art critique.  You might even tag it with the name of the class and professor.

Where is the context stored?

Where is Carlos’backstory?

So much of the poem’s meaning was not actually in the poem itself, but in the story of the author who penned it and the circumstances surrounding its writing.  None of that can be categorized as meta information in a data-centric database, though.

The Problem

I can’t say I have a solution to this problem.  At least, not yet.  But I can characterize the problem fairly well at this point.

Every story is made of discrete parts.  A logical idea would be to split it up into its relative parts – each sentence then becomes a piece of data.  But sentences alone are not sufficient vehicles to convey meaning.  For example, look at the sentence “Jesus wept.”  Now look at these two possible contexts:

When Mary reached the place where Jesus was and saw him, she fell at his feet and said, “Lord, if you had been here, my brother would not have died.”

When Jesus saw her weeping, and the Jews who had come along with her also weeping, he was deeply moved in spirit and troubled. “Where have you laid him?” he asked.

“Come and see, Lord,” they replied.

Jesus wept.

Compare that with this:

Jesus Torez was an energetic child. He loved to ride his bike around the neighborhood and play make believe in the alleyways down the street from his school.

One day, Jesus found the door open to the abandon building he liked to think of as his “Intergalactic Headquarters.”  He didn’t even hesitate when the idea occurred that it would be more fun indoors that outside.

He crept inside and surveyed the rundown plank flooring.  There was a light on upstairs, so Jesus tiptoed in that direction to investigate.

Just as he shifted his weight to the first step, the plank broke and dropped him through the floor into the basement.

His leg was broken.  Jesus wept.

Different contexts, different characters, different stories.  In one, you’re dealing with Christ and the phrase “Jesus wept” brings up questions of his humanity, his relationship to the deceased in the story, and how these events fit in with the rest of his story.  In the other, you’re dealing with a young boy in an awkward – albeit self-induced – horrific situation.  The phrase “Jesus wept” conveys a different kind of pain, and possibly even some panic.

You can’t separate stories into mere sentences and work with those building blocks as discrete items – in isolation a sentence means nothing.

A story is, at best, compared to a woven cloth.  Hundreds and thousands of discrete threads are woven together to create a large picture.  It might be a tapestry, a mono-color sheet on a bed, or even a random smattering of color in a carpet block.  In each case, the cloth is greater than the sum of its parts.

And a story is greater than the collection of sentences that comprise it.

The problem is that it can’t be properly understood as just a story.

Data structures today give us one world or another – either a story is one, monolithic data element or it’s a set of discrete, related, but independent data points.  I say it’s more, and current data structures fail to properly catalog stories, articles, news feeds, blog posts, and the like.

Distilling any piece of art into the data we catalog today robs us of its meaning.  I think we should take this as a challenge and see if we can do better.

I don’t host sites there, but I registered the domain there anyway.  Then I immediately pointed the domain at my old shared hosting account over on 1and1.

Things worked perfectly!

After a few weeks, I decided to add an email at this short url.  But I didn’t want to use 1and1′s email system, so I set up Google Apps for the domain and pointed my MX records at Google.

Again, things worked perfectly!

Then … two weeks ago I started getting inundated with spam.  Lots of spam.  I got about a hundred or so “Out of office” emails an hour from a mailing list in Russia.

All in response to an email that seemingly originated from my address.

Turns out, some spammer was using my email address in the “from” field of their messages.  As a result, I got all of the “unsubscribe” and “out of office” responses.

One system even blacklisted my email address as a known spammer.  I didn’t find out until several angry client phone calls – why haven’t you sent us the code we paid for?!

Simple Solution

Google recommends setting up authentication for your email to prevent this.  It’s actually pretty easy.  Just add a TXT record to your DNS with some encrypted strings that Google knows.  Then email recipients can verify that messages appearing to be from you are actually from you.

Well, simple if you don’t use 1and1.

You see, shared hosting accounts with 1and1 use a very basic DNS system.  You can use their name servers, or remote name servers.  You can use their MX records or set your own MX records.

But you can’t add a TXT record.

Migrating

I was one of the many who jumped ship when GoDaddy announced their (shortlived) support of SOPA.  I quickly moved my email domain (and several other domains) over to Namecheap.

But to keep things simple, I had left the DNS in place – still pointing at 1and1.

To add a TXT record, I moved my DNS registration to Namecheap for my .me domain as well.  I figured it would be easy enough:

• Keep the domain registered with Namecheap
• Register the DNS with Namecheap
• Set the TXT record I needed for authenticated email
• Set an A record to point back at my 1and1 hosting account

And sure enough it worked!  The spammy emails stopped.  My sites still worked.  Everything was happy.

Until I got the email …

The Problem

We at 1&1 Internet have noticed that you have changed the name server of your eam.me domain. Your new settings are:

DNS1: dns3.registrar-servers.com
DNS2: dns2.registrar-servers.com
DNS3: dns5.registrar-servers.com
DNS4: dns4.registrar-servers.com

Because of these new settings, your website hosted with 1&1 Internet can no longer be reached via the eam.me domain. The e-mail addresses included in your Developer Package, if any, have also been disabled.

If you still intend to keep using our services, you can enter the following name servers with your registrar by February 23, 2012 at 11:46:00 PM and continue using our services as usual.

DNS1: ns51.1and1.com
DNS2: ns52.1and1.com

If by February 23, 2012 at 11:46:00 PM you have not registered with our name servers, we will remove the eam.me domain from our systems. If you want to use your domain with your 1&1 Package after February 23, 2012 at 11:46:00 PM, you can specify this configuration on the Control Panel once more and enter the name servers specified there with your registrar.

Yeah … this doesn’t work for me.  The applications (namely YOURLS) are still running on my shared hosting system over at 1and1.  But I need the DNS running through Namecheap so I can keep the TXT entry available for email authentication.

I tried one workaround – setting a CNAME record for the domain to point to my 1and1 account – but this ate my MX and TXT records as well.

At the moment (assuming no one offers a better alternative) it looks like I’ll just need to move my applications to a different system entirely.  That is not an optimal solution … and this entire c****** f*** has me wanting to dump 1and1 altogether.

Update

I emailed 1and1 a potential workaround that I found in their own knowledge base.  Essentially, it recommends setting the external domain, pointing it at an external DNS system, then pointing the external DNS system back at 1and1.

My email was along the lines of “I found a solution posted on your site, had you directed me here in the first place, it would have saved us all a lot of time.”

They responded … by directing me to the exact same link:

Dear Eric Mann, (Customer ID: XXXXXXXX)

Thank you for contacting us.

We advise you to use the method on the link below.

How do I use my own name server for a 1&1 domain?

http://faq.1and1.com/domains/domain_admin/dns_settings/18.html

The technical subdomain for your account is sxxxxxxxxx.onlinehome.us

If you have any further questions please do not hesitate to contact us.

> For the record, I have found a way to make this work. According to your
> own knowledge base, it *is* possible to host a site with your system while
> the domain and DNS is registered elsewhere:
>
> http://faq.1and1.com/domains/domain_admin/dns_settings/18.html

I’m not sure why … but this irritates me even more than the original fiasco.

Inserting the sharing and like rows at the bottom of the post text before the byline/classification metadata seems wrong. It should go below that, so it is closely related to commenting, not part of the content itself. The plugin-generated widget is not “by” the post author, after all.

I haven’t used very many social media plugins for exactly this reason.  Nor have I ever used a “related posts” plugin.  They always seem to conflict with one another and build up a bunch of unnecessary cruft below my content.

So for the past few months, I’ve been thinking about different ways to handle this.

The Art of Manliness adds an author box, a Facebook "like" button, a related content gallery, and a subscription feature to the bottom of each post.

Template Parts

My first idea was to just use a template region within a WordPress theme.

Each individual theme would call some variety of get_template_part() to set up whatever region is being used.

Plugins would then provide content for these templated regions.  So get_template_part('social_media') and get_template_part('related'), for example.

The problem with this, though, is one of standards.  What template regions will be supported?  How will new ones be developed?  After the battle over post formats, this isn’t a particular standard I want to battle.

Post Intents

Another developer suggested modelling  system after the emerging Web Intents standard.

Basically, a new function would be added to WordPress to output various registered post intents – share this, “like” this, subscribe to updates, etc.

Individual plugins would then register these intents and their various actions, but leave it to the theme to style the presentation.

I was entirely sold on this idea.  Well, until a long Twitter conversation with Helen Hou-Sandi:

@EricMann Thinking in CMS-land, I could see using that template tag for a lead form, or a gallery, or something not sharing.

December 21, 2011 9:31 am via Twitter for MacReplyRetweetFavorite

@helenhousandi

Helen Hou-Sandi

When you take things like photo galleries, related posts, and actions other than social media integration into account, the concept of post intents no longer makes sense.

New Action Hooks

Chris Pearson add a personal "follow me" Twitter link, a "Tweet this" link, and several other action items below his posts.

I love having a large number of action hooks to use when I’m building a theme.  I can move content around, add custom views to my content, manipulate the display.  The sky’s the limit.

So when several developers suggested that we just add a few action hooks before and after the post content, I was intrigued.

But really, this is what themes are already doing.  And merely adding a few extra action hooks just gives plugin authors the ability to inject their own markup into the flow of your otherwise well-built design.

Considering some of these add-junk-to-the-bottom-of-my-content plugins already break the display, why would they function any different if I gave them a specific hook to tie in to?

My Proposal – Post Supplements

Instead, I have in mind a hybrid of a new action hook and registering a new object: post supplements.

Think about widgets for a second.  There’s a specific area to display widgets (the sidebar), each widget is registered with WordPress and placed in this area, and a well-coded widget leaves much of its markup to the theme (before_widget and after_widget).

So think of two things:

1. A new object defined by WordPress: WP_Supplement
2. A new action hook/function used by WordPress to output registered supplements in the theme

The theme can register supplements (one for sharing, one for related posts, one for a photo gallery, one for an about-the-author box, etc).  Various plugins can also register supplements.

Then, just like with widgets, these supplements can be added to the theme.

Widgets use add_action( 'widgets_init', create_function( '', 'register_widget("Foo_Widget");' ) );

Supplements could use add_action( 'supplements_init', create_function( '', 'register_supplement("Foo_Supplement");' ) );

Decisions, Not Options

I don’t envision a UI for this feature.  Everything can be handled programatically – supplements appear on screen in the order in which they were added to the system.  Likewise, they can be unregistered the same way.

This keeps the WP interface lean and mean, but still gives us a more efficient way to add content to a post in exactly the place the theme designer intends: do_action( 'post_supplements' ) or wp_post_supplements().

The theme designer would be in complete control of the position of these elements, what styling (if any) separates them from the content of the post, and what styling (if any) distinguishes them from one another.

This would be non-trivial to build, so before I dig in to the code I want to solicit feedback on the idea.

Does this make sense from a usability standpoint?

I just read that Apple’s latest patent victory is for:

A portable electronic device displays, on a touch screen display, a user interface for a phone application during a phone call. In response to detecting activation of a menu icon or menu button, the UI for the phone application is replaced with a menu of application icons, while maintaining the phone call. In response to detecting a finger gesture on a non-telephone service application icon, displaying a user interface for the non-telephone service application while continuing to maintain the phone call, the UI for the non-telephone service application including a switch application icon that is not displayed in the UI when there is no ongoing phone call. In response to detecting a finger gesture on the switch application icon, replacing display of the UI for the non-telephone service application with a respective UI for the phone application while continuing to maintain the phone call.

In plain English – Apple has patented the feature where you can switch to another app on a device while maintaining a phone call.  Considering that the phone system on an iPhone is, itself, an app on the device this means that Apple has laid the foundation for patenting the ability to switch from one app to another without turning either one off.

Haven’t we been doing this for years already?

Does the fact that one of the apps is a phone app really make this a unique, non-obvious invention or innovation?

I would argue no.  And even though I am not a lawyer, I stick by that argument.

Nothing in Apple’s patent application seems to be anything more than an “ante-in” offering for any sophisticated electronic device.  The fact that they can now, legally, prevent other software developers from releasing a feature we already have, use, and expect from even entry-level offerings is, in a word, laughable.

My prediction: Apple’s next patent attempt is for a handheld computer capable of also making phone calls.  Really, that patent would be no less legitimate than the one they were just awarded …

And that’s where I face a dilemma.

A lot of people use my free stuff.  And several of them come to me from time to time asking for new features, bug fixes, or just regular “I can’t figure this out” support.  Up ’til now, I’ve offered that support for free.

And that’s proven to be a bad idea.

So my question to you, how much is reasonable to charge for ongoing development and support?

Please complete the following survey to share your thoughts on how much (if anything) is reasonable to charge for support, on-going development, and feature requests when it comes to open source software. ¹

Complete the survey through Google Docs

To say “thank you” I’ll be giving away a handful of Amazon.com gift cards to those who complete the survey.  How many I give away and the exact amount on each card will depend on how many people complete the survey.

Even Firefox has changed their release schedule to push out updates more frequently.  And for those of you who don’t know, when Firefox ships a new version, they cut off support for older versions.

From a web development standpoint, this is fantastic.  It means you can use cutting-edge technologies as soon as they’re ready and you don’t need to worry about supporting clunky, legacy browsers.

Unless you’re supporting Internet Explorer.

Well, until now.

Microsoft announced today that, starting next year, they will “automatically upgrade Windows customers to the latest version of Internet Explorer available for their PC.”

My thoughts on this development?  It’s about ****ing time!

IE to Start Automatic Upgrades across Windows XP, Windows Vista, and Windows 7

Everyone benefits from an up-to-date browser.

Today we are sharing our plan to automatically upgrade Windows customers to the latest version of Internet Explorer available for their PC. This is an important step in helping to move the Web forward. We will start in January for customers in Australia and Brazil who have turned on automatic updating via Windows Update. Similar to our release of IE9 earlier this year, we will take a measured approach, scaling up over time.

As always, when upgrading from one version of Internet Explorer to the next through Windows Update, the user’s home page, search provider, and default browser remains unchanged.

[Read the rest of Microsoft's announcement on the Windows Team Blog ...]

But really, much of what I do in the .Net arena is pretty transferable.  And – this is me bragging a bit – I’m a good developer no matter what language or paradigm I’m working with.

There’s been a lot of talk about WordPress 3.3 coming out soon.  And a lot of that talk has been about the number of contributions and contributors to the project.  I’m proud to say that I’m in that group – I’ve had a patch in every major version of WordPress since version 2.8!

And I want to show that off.

You might notice a “Coding Credibility” section on my sidebar.  I’ve got Stack Overflow widgets, Ohloh widgets, Smarterer stats … but today, I polished off a new addition to that area – the WP Core Contributions Widget.

I saw a nifty list of contributed core patches on another developer’s site.  I wanted to steal it and throw it up on mine, too!  But apparently she hand-coded the widget for the sidebar.  Effective, but I’m too lazy for that.  So instead, I sat down and whipped up a plugin to do it for me.

WP Core Contributions Widget

This plugin scrapes the WordPress Trac site for any mention of “props ericmann” (or “props bob” or “props coolcoder” … whatever your username might be).  It then strips the search results down and extracts a changeset ID, a Trac ticket ID, and a commit message.

The IDs and links to the appropriate changesets/tickets are then displayed in a list in the sidebar.

Themable Widget

On top of that, the template for the widget is theme-able!

I’m using a pattern I adopted from another fantastic WordPress developer.  Basically, there’s a widget template file bundled with the plugin.  When the widget loads, it first checks to see if you’ve added your own template to your theme.  If you have, it loads that one.  If you haven’t, it loads the bundled one.

So if you want to use something other than an HTML unordered list (or if you want to add classes to better style the list), you can do that without hacking the plugin!  It’s a vast improvement on my previous work.

Next Steps

The plugin could still use a bit of work.  I literally wrote it in an hour or two, so there’s bound to be room for improvement.  Just off the top of my head:

1. The plugin only scrapes the first page of search results.  So if you’ve written more than 10 patches, it will still only display the latest 10.
2. The plugin searches for “props {username,}” but if your username isn’t the first in a list of multiple contributors, you won’t show up.
3. I’ve created a .po file, but have yet to translate any of the plugin’s strings to other languages (seriously, there are 5 … should be easy).

So is it perfect?  Not yet.  But it’s ready for a public beta test!

Get The Plugin

For now (until I’m ready for a 1.0 version that solves at least the first 2 of the above issues), the plugin will be located on GitHub.

If you’re a developer, I’d love if you’d clone the repository and maybe take a stab at fixing one of the outstanding issues.  Send me a pull request and I’ll take a look at your work.

If you just want to use and test the plugin, the latest version is bundled for download as a ZIP file.  Just follow the standard manual installation instructions (also outlined in the readme) to get started.

And if you run in to any problems at all, leave me a note here or open an issue on GitHub.

And again, please do not use these in distributed plugins/themes.  They’re only slated for Core at the moment, but if you feel that they’ll help in your custom theme/plugin development with clients, feel free!

The question came as a complete surprise.

Apparently, back in January, someone discovered a potential security hole in one of my plugins, WP Publication Archive.  The frightening thing about the report, though, was the fact that he never bothered to report the vulnerability to me so I could fix it.  Instead, an open report sat there on his site, and was then picked up by a few other security sites and syndicated across the Internet.

Had this user not contacted me, I would never had known about this issue.  And I can’t fix something if I don’t know it’s broken.

The Hole

WP Publication Archive uses a proxy file to load a remote file as an attachment so it can be downloaded by the browser.  Here’s the entire source of the “vulnerable” file:

In reality, there isn’t a security hole here.  It was reported that this file would include a remote file, thus opening your site up to the possibility of remotely executing malicious code (along the same vein as the TimThumb exploit from several weeks ago).

But this is not the case.

Nothing is included from the remote file, it only downloads the file from within the browser.  So the worst you could do is intentionally download a malicious file as an attachment.  But it also does open your site up to being used as a remote proxy for files you don’t want passed through your server.

So needless to say, it did need to be patched.

So I took some time tonight to sit down, fix a couple of other bugs, and add some code to quickly plug that hole.  It’s not a permanent fix, but does prevent the immediately apparent proxy exploits.  A more elegant patch is already in the works.

Why I’m Upset

But the issue here isn’t really the seemingly insecure code, or even that I had to spend extra time fixing the code.  It’s that a vulnerability was detected and, rather than being reported to me, was posted in a public forum.

For those of you who know, the standard process for reporting any potential vulnerability or exploit is to contact the original author and give them a reasonable amount of time to create a patch before disclosing a 0-day hack to the rest of the world.  Developers need a chance to take action to protect their users’sites.  It’s common courtesy in just about every developer community in existence.

So I contacted every site that posted information about this security hole, expressed my frustration that they posted it without contacting me, and asked what could be done in the future to prevent this kind of communication breakdown.

One of the reporters, who is also a respected member of the WordPress community, got in touch with me immediately.  He was only recycling a notice he’d seen on another site and didn’t realize that I hadn’t been contacted by the original author.

The original reporter, however, was somewhat less useful:

[O]ur policy is immediate, full disclosure. We also release a variety of tools to aid in the security testing process. It must be stressed that the burden of writing secure code is that of the developers. We encourage you to learn more about secure programming practices.

Am I responsible for writing secure code?  Absolutely.  And I test all of my code to the best of my ability before I release anything.  But just like every other developer on the market, I make the occasional mistake.

Nobody’s perfect.

Had I been notified about this bug and given time to fix it, I would have.  And in doing so, I would have helped make several sites somewhat more secure.

The Real Issue

The real problem here isn’t the security vulnerability, or even how it was reported.  It’s how the community as a whole functions.

A few years ago, I discovered a nifty WordPress plugin on Google Code that let you create a file/document archive on your site.  I loved it!  I used it on my sites, on client sites, and talked it up at WordCamp.

Then, in 2007, the original author abandoned the project.

The next version of WordPress introduced changes that broke the plugin.  So I took the time to re-write it, clean up the code, and eventually update it to use Custom Post Types.  I placed my fork of the plugin in the official plugin repository and all was good.

This is how the community is supposed to function.  Developers help one another out.  If one guy can’t keep going on a project, someone else can step in and take over.  That’s the beauty of open source.

The problem with the security vulnerability wasn’t actually with my version of the plugin, but was reported against the pre-fork version hosted on Google Code.  I’ve been able to verify that the current release doesn’t suffer from the same issues, and have proactively patched the one issue that might crop up as a result of this report.

Unfortunately, the original reporter didn’t contact me about the issue, so I couldn’t clear things up.

And subsequent reporters actually linked the report back to my post-fork version of the plugin, essentially linking the new, secure versions to the old, insecure one.

On the one hand, we have developers going out of their way to help one another.  On the other hand, we have developers sitting on their laurels and mis-reporting information that ends up hurting one another.

The real problem here is one of a massive communication breakdown.

Update

One of the first re-posters of the security notice has clarified things on his site to explain that the vulnerability is actually present in the old, abandoned pre-fork version of the plugin.

The original poster has re-scanned the updated version and verified that no vulnerabilities were detected in the current release. His notice remains on the site, though, as it is accurate for the pre-fork version that triggered it in the first place. However, anyone can contact him directly to verify that the current version is tested to be secure.

You can also leave comments at the bottom of the feed …

—