one more post about ApacheCon 2003

by Rod Chavez

i got the opportunity to attend
ApacheCon 2003 in Las
Vegas (Vegas baby! <g>) two weeks ago. i thought i'd blog my notes so that
you could get a feel for what was presented and how it was received. given
BEA's growing commitment to open-source and Apache, i was looking forward to an
interesting conference (and i wasn't disappointed). oh, there's also an
official conference
wiki you can check
out too

Stefano Mazzocchi, How the Apache
Software Foundation Works - plenary

this was a (quite good) overview of how the ASF (Apache Software Foundation)
works for those people who aren't already members. topics covered include:

  • lazy consensus

    in order to streamline decision making and to prevent gridlock and bureaucracy,
    the ASF has method of voting on decisions that ignores all abstaining members.
    then, if someone votes no "-1", they can't just use that as a veto.
    they must supply a reason for their objection as well as help to resolve it.
    the goal is to provide a measure of oversight and input, while at the same time
    keeping things vital and dynamic. i think some other standards groups could
    learn a lot from this model

  • project types

    when people think about Apache projects, they tend to think about the software
    projects (Apache, Ant, XmlBeans, etc), but there are "auxiliary" projects as
    well. their web-site, wikis, CVS servers, email archives, bug-tracking and
    distributions and download sites. each one of these is critical to the smooth
    functioning of the ASF, and without them the ASF wouldn't be nearly as capable

  • the Incubator

    created a year ago, this is where new projects being proposed for inclusion
    into Apache go while the members of that project get "well integrated" into the
    ASF. there are no hard and fast rules about how long a project remains there,
    but the steps involved are outlined
    there are several projects currently
    in the Incubator,
    and one that's made it all
    the way through and into Apache

  • a new license

    Apache is working on a new license. under development for more then 2
    , they hope it will be ready soon. there are a number of goals for the
    new license, like dealing with patent issues better, trademarks, and others. if
    you're going to participate in Apache or use Apache software, you should be
    aware of what's coming

  • security

    mentioned by Stefano, this was a reoccurring issue raised at several sessions
    throughout Monday. like spam, security is being viewed as a critical
    issue within the ASF. the security perception of a given project is seen as a
    litmus test issue of viability

John Fowler,
Looking Ahead: Challenges for Open Software - keynote

i was a bit worried when this talk started that it was going to be a pure
marketing pitch for Sun because one of the first slides was a list of Sun's
"strategic initiatives". but that slide to the contrary, it was a pretty good

  • trust

    huge problem for everyone. internet scams, intrusions, viruses (some mandatory
    Sun digs at Microsoft's expense) are costing billions a year worldwide (USD).
    he predicts total losses per year to exceed 10 billion USD very soon

  • connectivity

    cost of connecting is dropping, overall network bandwidth is going up. this is
    leading to a world where everything will be connected, all of the time

  • PRC

    Sun just announced at COMDEX (going on here in Vegas at the same time) that the
    Peoples Republic of China will be standardizing on the Sun desktop

  • AMD

    Sun also announced at COMDEX a deal with AMD where they will bee making a line
    of low-cost hardware using AMD chips

  • myth busting

    perimeter defenses aren't the answer. there are a number of reasons for this:

    1. the enemy is probably inside the firewall (he works for/with you)

    2. misconfigured hardware

    3. misconfigured software

    4. poorly defined roles and process

  • identity management

    relying on password based authentication alone is bad. it's way to easy to
    guess someone's password (for example, he uses the name of his dog as his
    password for online banking. but he's got two dogs, so it's twice as hard as it
    might be <g>). the answer is to use multi-factor authentication, like using
    both a password and a "token" of some kind (security card, etc.)

  • application security

    it's not just friendly apps vs. hostile apps. it's safe apps vs. unsafe apps,
    and an unsafe app isn't just a hostile app, but a flawed app. there's no one
    answer here, but a host of strategies need to be applied, like sandboxing,
    strict access control, etc

  • data security

    encompassing everything from access control to disaster recovery, data security
    is critical to the modern enterprise. typically, it's process failure and
    misconfigured (or hard to configure) software that leads to breaches in data

  • other stuff

    compatibility, intellectual property and security in
    were among the other topics discussed

Howard M. Lewis Ship, Beginning
Tapestry: Java Web Components - session

the goal of Tapestry is to create an O-O framework for building web-sites.
having not played with Tapestry myself, i don't know how well it succeeds on
its goals (of which there are many), but it seems pretty interesting

one think i liked about what i saw was the fact that Tapestry enforced a
separation between layout (HTML) and code (Java). this allows you to use
whichever HTML design tool you prefer to edit the UI template, unlike JSP pages
where WYSIWYG tools must play many, many tricks to deliver a similar experience

here's a list of goals and attributes of Tapestry based on the presentation

  • O-O centric

  • 100% component based

  • best practices rolled into framework

  • team friendly

  • simple, consistent and efficient

one interesting question was about a painfully slow development experience one
of the developers was having. it turns out that Tapestry has a cache which can
take a long time to heat up. in production, this is fine, but if you're
developing content, the time taken to reheat the cache after each edit can be
pretty painful. there's a way to disable this that you can find in the FAQ. i
looked but didn't see it, but i probably just missed it...

Onno Kluyt, Java Community Process - session (plus a sandwich)

Onno Kluyt is Sun's Director of the Java Community
. in addition to providing lunch for everyone, he gave a
presentation on the Java Community Process. he talked about the membership of
the JCP, like the fact that there are now more individual members then
corporations, and about how the JCP evolves, like the fact that
JSR 215 is in final
approval (it should be approved within the next week or so)

it was interesting to hear about the upcoming mods to the JCP process brought
on by JSR 215. one change has to do with transparency. from now on, JSRs will
be made public during community-review, instead of just at public-review. the
reason was for this is that the feedback being produced was excellent, but it
was coming too late to be used. by public-review, the spec is pretty much
baked. now, feedback will come in time to have real impact

there are some other changes coming as well. you can read about the whole thing
online. according to Onno, these changes will take effect in the Jan/Feb

and then the battery on his PowerBook died, and since he didn't have his power
supply, his presentation became "old school", where he had to make points by
simply speaking. very retro <g>

one rather interesting question that came at the end had to do with the use of
NDAs (Non-Disclosure Agreements) within the JCP. several people in the audience
objected to their use, and pointed out that the ASF does not use them. Onno
replied that NDAs would always be used in the JCP, the reason being is that
corporate participants would be unwilling to disclose their reasons for seeking
changes to a JSR if they know that any competitor would have access to their
comments. if you think about it, this issue illustrates one of the key
differences between a standards process at Apache (if you can call Apache a
standards body) and at the JCP. interesting...

Bruce Snyder, The State of
- session

this was a "must see" presentation for me, what with working for
BEA and all. and it seems like i wasn't the only
one who felt that way, as this presentation was packed

first thing discussed was "why another Open Source Java App Server?". there
were several reasons given for this; no current open-source JAS is provided
via a BSD derived license, there are already several pieces of the puzzle
being provided by Apache projects, and no open-source JAS is currently J2EE

next up was a review of status of the various pieces. i hope i didn't miss a
piece while taking notes (unfortunately the presentation given wasn't exactly
the same as the one on the conference disk, so i'm doing this all from my
notes). here goes:

  • EJB support - stateless session beans and stateful
    session beans are working, entity beans are almost working (they got
    them working later in the conference) and message driven beans are

  • Tomcat -
    they support the latest version of Tomcat, and one of their
    key goals in this area is to be able to drop at least part of the bean
    container directly into a running Tomcat installation to allow developers to
    play with EJBs without a huge upfront setup cost. then, if you want the whole
    thing, you can install the whole thing

  • JCA - they've got
    JCA (J2EE Connector Architecture) working outbound, and inbound is in

  • deployment - it's working, but it's not yet pluggable. the plan is
    to support deployment via JSR
    , which is the JSR defining the J2EE Application Deployment APIs

  • management - this is working via JMX, and the plan is to extend it
    to support JSR 77 too,
    which is the JSR defining a vendor-neutral standard for J2EE Management. they
    are also planning all sorts of additional features, like "hot system"
    management and an abstraction that makes it very easy to build and deploy POJOs
    (Plain Old Java Objects)

  • web services - the answer here is
    Axis. they are in the process of
    integrating Axis so that it will be the basis for all web services support in

  • security - they have a pluggable model for both authN and
    authZ (authentication and authorization) based on JACC (Java
    Authorization Contract for Containers). the plan is to allow all security
    vendors to plug in. one scenario that they are keen on supported is
    single-signon within an enterprise

  • transaction management - they've got a simple, heuristic TM working
    now, but they know this isn't production ready. the plan is to support
    by integrating with JOTM, but they
    haven't started this yet

other tidbits: they are currently in the Apache Incubator (or "probation for
newbies" as they called it <g>), their target for release of their first
version is one year from when they started (Aug 6th), and they invite people
to get involved

and of course, they got a question about the current dust-up between them and
JBoss. there reply was "no comment", but for those of you interested in
learning about what's going on, this is the
that the JBoss Group's lawyers sent to the ASF. it's interesting reading,
and (IMO) shows that our entire IP rights system is, without a doubt, totally
and completely fucked-up

i should also mention that during the presentation, for all the individual area
status reports, a different person stood up to deliver the status, said person
being the owner/driver for that area. it was really quite impressive. and
wandering around the resort, where you saw one of them, you usually saw a whole
group of them, talking, hacking, laughing. David Bau and i spoke with them
over some beers Monday evening, and you can tell that they are all very proud
of what they've accomplished so far, and hungry to do a lot more. this is a
project to watch for sure

David Bau, Inside
- session

before you read my notes on this presentation, i need to proffer a disclaimer.
not like i'm a real journalist or anything, but still. ok, here goes:
David Bau is a very good friend of mine, has worked for me off and on
over the last 8 years (wow, has it really been that long David?), and was
working for me all during the development of XMLBeans, which was done here at
BEA where he (and i) continue to work. i think that XMLBeans is one of the
coolest things i've ever had the chance to be involved with (not like i wrote
any of the code or anything, i'm just a PHM) and i'm sure this colors my
judgment. ok, end of disclaimer

so what is XMLBeans? it's a system for allowing Java developers complete object
support for XML instances whose type is defined by
XML Schema. in other words, if
someone has defined an XML type-system using XML Schema, and you want to read or
write XML types within that system, XMLBeans is the answer. and unlike many
XML-to-Java systems out there, it supports 100% of XML Schema and 100% of the
XML infoset (that's all the information that can be represented by a given XML
instance). let me say that again, 100%. period. end of story. stick a
fork in it <g>

early on in the design of XMLBeans, David decided that in order to really make
the power of XML Schema available to the Java developer, you really needed a
100% solution. anything less led to this horrible system where developers would
need to inspect the schema of an instance they wanted to read/write, and then
pick the system that allowed them full access to that type. the world would be
so much better a place if the developer needed to learn just one thing, and
could use that whenever needed. so that's what he and the guys built

ok, enough of the high-level, what is XMLBeans? well, it's really 3

  • schema compiler - this is used to turn XML Schema type definitions
    into early-bound type system objects. so for example, if someone has defined a
    purchase order in XML Schema, the XMLBeans schema compiler will produce
    a set of Java interfaces that correspond to the schema type system along with
    some internal data structures that allow it to support those Java interfaces

  • early-bound runtime - this is the backing implementation for the
    Java interfaces that the schema compiler generates. it understands the XML type
    system defined by the compiled XML Schema, and in turn uses the core runtime
    as the final backing store

  • core (late-bound) runtime - this is the XML store within XMLBeans.
    this is the only part that can be used separately, if desired, to allow a
    cursor style programming model directly against the loaded/generated XML. so
    if you wanted to build a generic XML processing engine, the XMLBeans core would
    be a solid foundation to build upon

XMLBeans are currently in the Apache Incubator, and hope to get out of
incubation soon. and they are looking for help, so if you're interested, get
involved! v1 is complete and usable today, and v2 work is just starting

Steven Noels, Introducing
Apache Cocoon - session

i have to admit, this was the last presentation i attended on Monday, and i was
getting pretty tired. so my not taking really suffered at this point. you'll

Cocoon is a web-publishing framework for portals. and it's really, really big.
it has a pipeline architecture, and runs inside Java web-servers as a servlet

and at that point, my brain froze for the day, and it was time to close the
laptop and crack a cold one. sorry for the short-shrift on this presentation. i
spoke with Steven a couple of times during the day, and he's a really smart guy

observations and extra-curricular activities

wireless power

that's right, what we need is wireless power. otherwise a laptop just can't
make it through the day. since we'll probably be waiting a long time for this
little innovation to show up, it'd be great if conference organizers would add
power outlets to the list of "things geeks need to be happy". it's pretty much
de rigueur that conferences provide 802.11b, but they must think that
all attendees are lugging a knapsack full of batteries because they sure
weren't providing power-taps. so at the beginning of each session, you could
see people unscrewing those brass floor plates to get at power outlets

PowerBooks are everywhere

the number of PowerBooks present was stunning. i'd say at least 1/3 of the
laptops present were Macs, maybe more. the 15" was the most common, with a
strong showing of 17" PBs as well. i'm sure i must be the zillionth person to
say this, but the PowerBook is becoming the laptop of choice for the
alpha-geek. people keep talking about Linux on the desktop as the trend that
Microsoft needs to worry about. forget it. Linux is the powerhouse on the
middle-tier and back-end. on the desktop (and laptop) the trend that
should be keeping Microsoft up is the Mac. we'll see...

and the winner is...

this year,
Workshop 8.1
(yes, the product i worked on) won PC Magazine's 20th Annual
Tech Excellence Award in the
category. and it (along with the other Tech Excellence Awards)
was presented Monday night at a party held at the Venetian. had a few cocktails
before the awards were announced, and had more then a few after winning <g>.
it was really great. David Bau and i got to go up on stage to accept for the
team. did i mention it was really great?

ok, back to ApacheCon 2003...

Ceki Gülcü & Mark Womack, What is new in
log4j version
1.3? - session

this presentation was very well attended. it started out with a description of
what log4j is. for those who've never used a structured logging facility, it's
a system (represented by an API) that allows developers to add calls to log4j
throughout a body of code, and then control the information that flows from
these calls. it can be sent to files, syslog, SMTP, the console, you name it.
as a matter of fact, we use it here at BEA throughout WebLogic Workshop. i
can't tell you how many times during a development cycle i've received a bug
report containing both a stack-trace and a log file, without which i
wouldn't have been able to diagnose the failure. logging is a good thing

coming in version 1.3 are domains (new way of organizing logs), more
sophisticated log rollover, improvements in speed and memory size, plug-in
model, external receiver model (for generating events into the log4j world),
watchdogs, interop foundation for integrating with .NET, C++ and Perl, a whole
new Chainsaw. anyway you slice it, there's a ton coming in the new version.
however, there is no current date set for deliver. it'll be ready when it's
ready <g>

one request that came during the Q&A session was for "TRACE" to be
supported. at this point there was a chorus of agreement from the audience. it
turns out this is in the process of being voted on, and so may be present in
future versions. stay tuned...

Chris Pirillo, The Death of Email
Marketing - keynote

you know how when you wake up in the middle of the night, there are no lights
on, and yet you can still see? i don't mean you can read a book, but you can
see the bed, the door, the desk, and can navigate without killing yourself.
and then suddenly, without warning, your spouse/sigot turns the light on and
even though it's just a 100 watt bulb, or a couple of 60 watt bulbs, you
suddenly find that you can't look directly at anything anymore, much less the
light itself? it's not the intensity but the contrast that's so jarring

well, that pretty much sums up my initial reaction to the first 5 minutes of
Chris' presentation. don't get me wrong, i really liked his presentation, his
delivery style, etc. this is a guy who loves to be the center of attention (and
it takes one to know one <g>). but after 2 days of solid geek-style
sessions delivered in passionate and yet muted tones, Chris' delivery was a bit
of a shock, albeit a pleasant one

ok, enough of that, what did he talk about? well, that the use of email as a
tool for marketing is over, and will be/should be replaced by RSS. restated,
that opt-in/opt-out distribution list messaging via SMTP has too many problems,
and should be replaced by RSS via HTTP. among the problems with opt-in/opt-out
messaging over SMTP:

  • spam (problem for users)

  • spam filters (problem for marketer)

  • defensive use of email aliases (nobody wants to give theirs out)

  • opt-in/opt-out systems are all mostly unique, and used by spammers to
    detect live aliases

all of these problems are overcome by using RSS. since the user decides which
feeds to subscribe too, the user is in complete control. if the signal-to-noise
ratio on a given feed gets too low, you just stop monitoring. thus the
marketers job focuses on two things, a) making users aware of their existence
and b) keeping their feed relevant to users that are monitoring their feed

overall, i agree with Chris and think this is the direction that things will be
moving to in the very near future. however, there is one point where i disagree
with Chris, and this is an assertion that RSS is by its very nature
unspammable. or i should more properly say, i agree with Chris that RSS is
unspammable in the case where all feed info goes one way, from marketer to
user. however, many RSS-based news systems are adding discussion groups and
traceback capabilities, and support RSS on those news sources. well, now the
spammers have a place where they can jump in and wreak havoc

for example, let's say i decide to monitor an RSS feed from Apple about product
announcements. and let's also say that Apple allows people to comment and rate
those products. i'd want to subscribe to a feed that contains both streams of
info, appropriately threaded. so that if Apply came out with a new iPod and i
was thinking of buying one for my wife, i could learn from the experience of
people who'd bought one. and this all sounds great right up until some user
posts a comment titled "defect in my brand new iPod" and i started to read the
body of the post and it was removing unwanted body hair. now of course, Apple
would remove this post fairly quickly, but my RSS reader might have already
downloaded this post. you see where leads

but while this is an important problem to deal with, i agree with Chris that
RSS is a significant step forward that should be taken with alacrity. i had
wanted to ask Chris about this issue in his talk, but he ran out of time and
wound up telling people to email him with any questions. so i'm going to do
that and see if he's thought through this wrinkle

Novell Vendor Showcase - session (plus a

Novell sponsored lunch on Tuesday to get the word out on it's participation in
and commitment to open source and the ASF. Novel is involved in the development
of Apache, Tomcat, Perl and PHP, as well as MySQL and Ximian. in fact, Novell
has purchased Ximian. they are also a big believer and supporter of AMP
(Apache, MySQL and Perl/PHP)

they are also in the process of purchasing SuSE Linux. overall they are trying
to do what IBM is doing with Linux, but where IBM is doing it on the
middle-tier and backend, Novell is trying to do it on the desktop. they know
that in order to really make inroads onto the desktop, someone needs to produce
an integrated, easy-to-use experience. many have tried this of course, but
Novell thinks it has an edge because it can control and direct an entire "Linux
stack". it's a gutsy move, but if someone is going to pick something other then
Windows for the desktop, it's hard to see another choice besides Mac OS X. but
i'm glad they're stepping up. this is what free-market types call "animal
spirits" <g>

they did a demo of some admin functions on Ximian to show the inroads they've
made in ease-of-use. it was good work, but as Mark Igra likes to say, "if you
want someone to switch, you can't just be 10% better, or even 100% better, you
really need to be 10x better". Mark, i apologize if i ruined your quote <g>.
but regardless, you get the idea

another demo they did was of them wrapping lots of "conf" file editing (more
admin tasks) with a browser-based app scheme. it turns the whole thing into
forms, etc. it's a really nice idea, esp. for remote admin. if they bake this
architecture throughout Linux, it could give then an interesting leg up on the
competition (Microsoft and Apple, IMO)

they wrapped things up with a discussion and demo of
Mono (that's moe-no,
not mon-o, as they point out). it's an implementation of .NET that runs
on *nix, as NT/XP and Win9x. they were immediately questioned about Microsoft's
response to this product, either legal or strategic, but none of the speakers
from Novell could answer this question. it must be the first time any of these
presenters has demoed Mono, for i can't imagine this question not coming up
every at every demo. on the other hand one of their presenters felt the
need to explain to the audience that GC stood for "garbage collection"
on a block diagram of the VM architecture <g>. so it may be that they'd
never presented to an alpha-geek crowd before

but their demo was quite impressive. they showed C#, VB and ASPX files all
running on their VM. i wish they'd of had someone really technical from the
Mono project present, as their are a bunch of questions that i'd have loved to
ask about. one fairly wacky idea i had was to focus Mono on being a Java
cross-compiler, so that instead of building a VM, you built a compiler and RTL
that mapped to the Java VM and RTL. i'm sure there are good reasons not to do
it this way (i can think of several myself). but it would have been cool to
hear about it from the perspective of someone faced with the job

all in all, Novell seems to be setting some extremely tough goals for
itself, but if even one of them succeeds, the rewards would appear to be great.
it'll be interesting to watch this one unfold

Sander Temme, Apache and
Zeroconf Networking - session

Zeroconf is cool. this presentation was
about adding support for Zeroconf to Apache, but began with a brief overview of
Zeroconf and it's uses

the one sentence description of Zeroconf can be found on the org's website,
"The charter of the Zeroconf Working Group is to enable Zero Configuration
IP Networking"
. what a simple and powerful goal. why? well, consider some
interesting scenarios, like you've got two computers that want to talk to one
another to play a game, swap some music or just trade some files. you'd like to
just plug a crossover cable into each one and just have things work. your
computer would get an IP address, as would the other, they would both find one
another and communication would ensue

but wait a second, how do they each get IP addresses? neither is running DHCP.
and how do they find each other? neither is running DNS. the answer is
Zeroconf. and more and more systems are taking advantage of it. one popular
example of this is iTunes music sharing. if you enable music sharing in iTunes,
you'll see a list of all the other iTunes users who have also enabled music
sharing. there was no coordinator involved making this happen, it was
Zeroconf allowing them to discover one another. in fact, Apple switched from
AppleTalk to Zeroconf (they call it Rendezvous) in the Jaguar version of Max OS

here's (roughly) how it works. first off, Zeroconf coexists with traditional IP
services like DHCP and DNS. so this isn't some either-or decision. but assuming
that DHCP is not available when the device wants to communicate, it will first
pick a random IP address from the link-local address range (169.254.*.*). then
use an ARP (Address Resolution Protocol) message to allow an already in-use
address to defend itself

next, use mDNS (Multicast DNS) to
discover the address of other services. for example, a game can look for other
games, etc. it runs on a different port then DNS, and on every host. in this
model, machines name themselves. but there's one thing missing, and that's
dns-sd (DNS Service Discovery). this
provides for actual network service browsing via either DNS or mDNS. this is
how the list of iTunes shares is populated

if you want to play around with Zeroconf on your platform, check out
Swampwolf Technologies, providers of a
cross-platform implementation of Zeroconf named

the plan is to enable Zeroconf in Apache httpd 2.0 so that virtual hosts are
registered with the mDNS responder. this will allow other Zeroconf services to
browser and connect to services proffered by any instance of httpd


that pretty much did it for my first ApacheCon. all in all, it was a really
good trip and i learned a lot about what's going on in Apache. there was some
very good energy at the conference. i'm looking forward to next year, and i
expect it to be even bigger

were you there? did i make any mistakes in my notes that you could help
correct? let me know!


2004-01-20 08:41:43
Tapestry / Cache
I may be remembering wrong, but the issue that was brought up wasn't the speed of the cache -- it was that, unlike JSPs, changing a Tapestry specification or template doesn't take effect immediately unless you purge Tapestry's cache.

There's an option to purge the cache after every request, but then the app runs a bit slower (not terrible, but noticibly slower).