Conference Tips!

For those going to Percona Live next week, I am re-sharing this blog post from September 2012 (from a now-defunct blog):

As many folks know, I do a bit of traveling, both going to conferences, and speaking at them (MySQL and others). So I have compiled a list of tips and tricks, from the basics like do not forget to eat breakfast to putting your business cards inside your bag. I have a list with pictures that I will add to as I think of more. I hope you enjoy this tumblr-style list of conference tips!

Do you have any other tips? Add them in the comments!

The 3 Hidden Messages in Tomas Ulin’s Keynote

This morning I watched Tomas Ulin's Keynote at Percona Live: MySQL Conference and Expo, delivered yesterday. I missed this live as I am not at Percona Live (I am on a conference hiatus from March through September for personal reasons). As for the technical content in it, there have been a few posts about the Hadoop Applier and MySQL 5.7, so there's not much of a need to delve in there.

Message #1: Failure
I was impressed that Ulin spoke of failure. Around 7:27 in the video above, Ulin says, "We really failed with 5.0, and even 5.1 we weren't fully and back on track when we released." He spoke about the new way MySQL 5.5 and 5.6 were engineered, a hybrid agile/milestone development cycle. There are some hidden messages here:

Hidden Message #1: Oracle is a great steward for MySQL

MySQL 5.0 was GA in October 2005 and MySQL 5.1 was GA in Nov 2008. This was before Oracle was ever in the picture. Ulin said MySQL 5.0 and 5.1 failed, mentioning that the ship cycle was rushed and features were released when they were not ready, causing technical debt. MySQL 5.5 and 5.6 are different, and the hidden message is that Oracle had a part in making this better. And honestly, I believe that. Say what you will about Oracle, but this cannot be argued: they do know how to develop and ship a product.

When Sun bought MySQL, I was pretty hopeful. I knew a bunch of folks within MySQL that were unhappy, and from what I gathered, MySQL did not really need a parent company, they needed a *parent*. It looks like Oracle has been great for getting MySQL releases in shape: MySQL 5.5 had a LOT of great features from the community, when previously it could take years before a community patch was accepted, and MySQL 5.6 has a lot of innovative features from strong developers.

Hidden Message #2: Oracle is more reliable for MySQL releases

With 5.5 and 5.6, the 2-year development cycle has been almost exact: MySQL 5.5 was GA in Dec 2010, 25 months after 5.1, and MySQL 5.6 was GA in Feb 2013, 26 months after 5.5. I remember the agonizing wait for MySQL 5.0, and it looks like under Oracle we will not have a debacle like that again. Ulin specifically mentioned a 24-month cycle.

Speaking about cycles, have you noticed that Oracle has not stopped providing the MySQL binaries and code, even for the EOL'd products? I have a blog post I want to write about the lifecycle policy and how it has evolved, so stay tuned for that.

Message #2: Oracle's Investment in MySQL
Ulin mentioned Oracle's investment in MySQL a lot. Why? Well, in 2009 Oracle made a written 5-year commitment to MySQL. It is now 2013, and some folks have been wanting Oracle to make another promise. Frankly, I think it is ridiculous to ask a company to make a commitment in writing so far ahead, and nobody demands that of any other company. Oracle has doubled the number of MySQL engineers and tripled the number of MySQL QA staff, and has the largest team of MySQL developers of any company anywhere. Unfortunately we did not get exactly how many people that is; it is only a little bit impressive if you tripled the team from 1 person to 3 people, but more impressive if you tripled the team from 10 people to 30 people.

Let's take a number we did get: the QA team now has 400 person-years of experience on it. Let's say the QA team was 10 people before, and now it is tripled to 30 people. That means the average QA person has over 13 years' experience in QA, which is about a year longer than my entire post-college IT career. If there are more engineers with less experience, that's pretty impressive for the number of people working on finding and fixing bugs, and if there are fewer engineers, they have even more years of experience.

Hidden Message #3: Oracle has an open-ended commitment to MySQL
Oracle has MySQL trainings, events and tech tours on 6 continents (none in Antarctica, but plenty in at least 3 different cities throughout Africa: Nairobi, Johannesburg and Pretoria, at least that I'm aware of, because I mention them on the podcast along with SkySQL, Percona, FromDual and Tungsten events). They have doubled the engineering staff and tripled the QA staff and are still hiring. In the past year they sponsored over 40 events, delivered over 70 talks at conferences, and of course they have a huge investment in MySQL Connect; just as Percona Live added a day in 2013, MySQL Connect is adding a day as well. With all that time and money invested in people and events, they are not going to stop working on MySQL any time soon.

(BTW if you missed it, MySQL Connect has a super saver registration before May 3rd: save 45%. Hard to believe it's almost half price if you register now!)

Note that the hidden messages above are completely my interpretation, and represent nothing other than my opinion.

Videos from Open Database Camp

Open Database Camp was just over a week ago, Mar 16-17th at Harvard University, co-located with Northeast LinuxFest. We had a great lineup of speakers, and we have processed all 11 videos in record time! We got new video cameras at the beginning of the year, so the video quality and resolution is stellar, you can see everything. Here are the videos:

2013 Open Database Camp and Related Northeast LinuxFest Videos

  • Fractal Tree Indexes by Tim Callaghan of Tokutek (45:23)
  • Elastic Database Virtualization by Amrith Kumar of ParElastic (56:25)
  • Elastic Clustering with Serializable Isolation by Ariel Weisberg of VoltDB (27:23)
  • MariaDB: An Introduction to 10, What We've Achieved by Colin Charles of Monty Program (38:37)
  • Introduction to MongoDB by H. Waldo Grunenwald (47:08)
  • MySQL and MariaDB: Past, Present and Future by Max Mether of SkySQL (47:38)
  • MySQL 5.6 Replication Features and Usability by Giuseppe Maxia of Continuent (51:02)
  • Congratulations! You're the New Linux Admin and the MySQL DBA by Dave Stokes of Oracle (36:44)
  • High Availability Solutions for MySQL by Max Mether of SkySQL (39:41)
  • Creating Multi-master Clusters with Tungsten Replicator by Giuseppe Maxia of Continuent (63:35)
  • MySQL Backups by Sheeri Cabral of Mozilla (56:48)

Enjoy!

Mozilla at SCALE 11x

Mozilla has a great presence at SCALE11x, the 11th Annual Southern California Linux Expo. This annual conference is completely volunteer run and one of the best Linux conferences around. Mozilla sponsored Friday's DevOps Day LA and was part of the selection committee for MySQL Community Day.

See Firefox OS phones
Want to see a FirefoxOS mobile phone in action? Want to learn how to write apps for FirefoxOS? Come visit us at booth #14 and we will show you the phones and how to write a great app.

Giveaways
Also at booth #14, we are giving away swag! Get the traditional Firefox logo sticker or the new blue rocketship Firefox Marketplace stickers. We also have Firefox lanyards and pens, Mozilla stickers and "I support the Open Web" wristbands.

Want a T-shirt?
We have a limited supply of T-shirts. If you want one, tweet this sentence, filling in why you love Firefox:

Then come to the Mozilla booth (#14) and show us your tweet! Choose between the traditional Firefox logo tee, as modeled by Casey on the right, or the new Firefox Marketplace soft blue T-shirt modeled by me on the left:

Mozilla Talks at SCALE
Mozilla presented three informative talks at SCALE11x to full audiences:
Sheeri Cabral (Database Engineering) presented "Are You Getting the Best Out of Your MySQL Indexes?" at the MySQL Community Day, and the PDF slides are available.

Brandon Burton (Web Operations) presented "Puppet at Mozilla". Slides are available on speakerdeck.

Chris Turra and Brandon Burton (Web Operations) presented "Simple Patterns for Scaling Websites: Some Lessons Learned at Mozilla", and the slides are available here.

We look forward to seeing you this weekend at SCALE 11x!

Conference Tips

As many folks know, I do a bit of traveling, both going to conferences, and speaking at them (MySQL and others). So I have compiled a list of tips and tricks, from the basics like do not forget to eat breakfast to putting your business cards inside your bag. I have a list with pictures that I will add to as I think of more. I hope you enjoy this tumblr-style list of conference tips!

Cursors, Foiled Again!

While researching an article I came across a piece at http://www.simple-talk.com/sql/t-sql-programming/cursors-and-embedded-sql/. Basically the author says “embedded SQL” is bad — meaning developers should never put SQL in their code. Nor should they use ORM tools to generate SQL for them.

Instead, they should access everything they need through stored procedures. I have mixed feelings about this. On one hand, "you have to give table-access permissions to users and then deal with the resulting security risks" sounds very control-freakish to me. On the other hand, I agree that embedded code can be bad because if you change the database model in any way, you have to rewrite the procedural code that relies on the existence of the previous model.

And of course, stored procedures also help make your code more modular. But this article basically advocates that database administrators really need to do a lot of heavy coding into the database.

(The title of this post is just something that came to me when I read the article, because the author’s opinions were sparked by a cursor gone bad. (cursors gone wild?) )

Top 10 MySQL Best Practices

So, O’Reilly’s ONLamp.com has published the “Top 10 MySQL Best Practices” at http://www.onlamp.com/pub/a/onlamp/2002/07/11/MySQLtips.html. Sadly, I find most “best practice” lists do not thoroughly explain the “why” enough so that people can make their own decisions.

For instance, #3 is “Protect the MySQL installation directory from access by other users.” I was intrigued at what they would consider the “installation” directory. By reading the tip, they actually mean the data directory. They say nothing of the log directory, nor that innodb data files may be in different places than the standard myisam data directories.

They perpetuate a myth in #4, “Don’t store binary data in MySQL.” What they really mean is “don’t store large data in MySQL”, which they go into in the tip. While it’s true that there is very little benefit to having binary data in a database, they don’t go into what those benefits are. This means that people can’t make informed decisions, just “the best practice is this so I’m doing it.”

The benefit of putting binary data in MySQL is to be able to associate metadata and other data. For instance, “user 200 owns file 483”. If user 200 is gone from the system, how can you make sure file 483 is as well? There’s no referential integrity unless it’s in the database. While it’s true that in most cases people would rather sacrifice the referential integrity for things like faster database backups and easier partitioning of large data objects, I believe in giving people full disclosure so they can make their own informed decision.

#5 is my biggest pet peeve. “Stick to ANSI SQL,” with the goal being to be able to migrate to a different platform without having to rewrite the code. Does anyone tell Oracle folks not to use pl/sql like collections? Nobody says “SQL is a declarative language, pl/sql is procedural therefore you should never use it”. How about SQL Server folks not to use transact-sql statements like WAITFOR? MATCH… AGAINST is not standard SQL, so I should never use it?

Now, of course, if you’re selling a product to be run on different database platforms, then sure, you want to be platform agnostic. But you’d know that from the start. And if you have to migrate platforms you’re going to have to do lots of work anyway, because there are third-party additions to all the software anyway.

And why would *anyone* choose a specific database, and then *not* use those features? I think that it’s a good tip to stick to ANSI SQL if you *know* you want to, or if you have no idea about the DBMS you’re using.

If you want to see how this cripples MySQL, check out Visibone’s SQL chart at: http://www.visibone.com/sql/chart_1200.jpg — you can buy it here: http://sheeri.com/archives/104. I may post later on about my own personal MySQL Best Practices….

MySQL Boston May User Group: Auditing MySQL for Security and Compliance

Mehlam Shakir, CTO of RippleTech, discusses a practical approach for auditing MySQL databases to meet security and compliance regulations. Hear real-world cases and see a live demonstration of how RippleTech’s Informant solution complements MySQL by adding a security layer without any performance impact.

For more information on RippleTech’s INFORMANT, visit http://www.rippletech.com/

I have to say, I was a bit worried this would be a typical vendor presentation where every other word is marketing speak for how great the product is. It actually just ended up being “here’s how Informant works, and here’s how auditing, security and compliance needs can be met,” presented in a way that’s useful and valuable to anyone who is interested in auditing or security.

RippleTech’s Informant is not only interesting because it’s currently the only software that audits MySQL, but it’s impressive in its simplicity and flexibility. I think my favorite surprise about Informant was that it has the ability to store a user session as just that.

Download the video of the presentation at:
http://technocation.org/movies/mysql/AuditingRippleTech2007MayUGbig.wmv (446 Mb)

MySQL Security Talk slides

For those wanting the slides for “Testing the Security of Your Site”, they’re at:

http://www.sheeri.com/presentations/MySQLSecurity2007_04_24.pdf — 108 K PDF file

http://www.sheeri.com/presentations/MySQLSecurity2007_04_24.swf — 56 K Flash file

and some code:

For the UserAuth table I use in the example to test SQL injection (see slides):

CREATE TABLE UserAuth (
    userId INT UNSIGNED AUTO_INCREMENT NOT NULL PRIMARY KEY,
    uname  VARCHAR(20) NOT NULL DEFAULT '' UNIQUE KEY,
    pass   VARCHAR(32) NOT NULL DEFAULT ''
) ENGINE=INNODB DEFAULT CHARSET=UTF8;

Populate the table:

INSERT INTO UserAuth (uname) VALUES ('alef'),('bet'),('gimel'),('daled'),('hay'),('vav'),('zayin'),('chet'),('tet'),('yud'),('kaf'),('lamed'),('mem'),('nun'),('samech'),('ayin'),('pe'),('tsadik'),('kuf'),('resh'),('shin'),('tav');
UPDATE UserAuth SET pass=MD5(uname) WHERE 1=1;

Test some SQL injection yourself:
Go to Acunetix’s test site: http://testasp.acunetix.com/login.asp

Type any of the following as your password, with any user name:
anything' OR 'x'='x
anything' OR '1'='1
anything' OR 1=1
anything' OR 1/'0
anything' UNION SELECT 'a
anything'; SELECT * FROM Users; select '
1234' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055

And perhaps some of the following:
ASCII/Unicode equivalents (CHAR(39) is a single quote)
Hex equivalents (0x27, i.e. SELECT 0x27726F6F7427)
-- for comments
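As an added example (not from the slides or the post), here is the last payload above run against a stand-in for the UserAuth table: a SQLite in-memory copy, with the MD5 hashing done in Python since SQLite has no MD5(), and a login that looks the user up by name and then checks the password hash in code. The concatenated query lets the input choose which row the hash is compared against; the parameterized version treats the same input as one literal user name.

```python
import hashlib
import sqlite3

# Constructed stand-in for the page's MySQL table: same UserAuth layout
# (userId, uname, pass) and pass = MD5(uname), as populated on the page.
# MD5 is used because the page's table uses it; it is not a recommendation.
USERS = ["alef", "bet", "gimel", "daled", "hay", "vav", "zayin", "chet", "tet",
         "yud", "kaf", "lamed", "mem", "nun", "samech", "ayin", "pe", "tsadik",
         "kuf", "resh", "shin", "tav"]


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserAuth (userId INTEGER PRIMARY KEY AUTOINCREMENT,"
                 " uname VARCHAR(20) NOT NULL DEFAULT '' UNIQUE,"
                 " pass VARCHAR(32) NOT NULL DEFAULT '')")
    conn.executemany("INSERT INTO UserAuth (uname, pass) VALUES (?, ?)",
                     [(u, md5hex(u)) for u in USERS])
    return conn


def login_vulnerable(conn, uname: str, password: str):
    """Look the user up by string concatenation, then check the hash in code.
    The hash check looks safe, but the input controls which row comes back."""
    sql = f"SELECT uname, pass FROM UserAuth WHERE uname = '{uname}'"
    row = conn.execute(sql).fetchone()
    if row is not None and row[1] == md5hex(password):
        return row[0]  # authenticated user name
    return None


def login_safe(conn, uname: str, password: str):
    """Same logic with a bound parameter: the input is compared as a literal."""
    sql = "SELECT uname, pass FROM UserAuth WHERE uname = ?"
    row = conn.execute(sql, (uname,)).fetchone()
    if row is not None and row[1] == md5hex(password):
        return row[0]
    return None


# The page's last payload: it closes the string, empties the real result with
# AND 1=0, and appends a row whose second column is MD5('1234'). Entered as the
# user name together with password "1234", the in-code hash check passes for a
# user that does not exist in the table.
UNION_PAYLOAD = ("1234' AND 1=0 UNION ALL SELECT 'admin', "
                 "'81dc9bdb52d04dc20036dbd8313ed055")


def demo() -> dict:
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alef", "alef"),      # 'alef'
        "legit_safe": login_safe(conn, "alef", "alef"),                  # 'alef'
        "injected_vulnerable": login_vulnerable(conn, UNION_PAYLOAD, "1234"),  # 'admin'
        "injected_safe": login_safe(conn, UNION_PAYLOAD, "1234"),        # None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The same lookup-then-compare pattern on MySQL behaves the same way; only the binding of the user name as a parameter changes the outcome.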

MySQL Security Presentation at Boston MySQL User Group Meeting

The February Boston MySQL User Group meeting was great! I spoke about MySQL security; you can now download the slides and the video. I continue to be impressed with the sound quality of the video camera I have. I was pretty good about repeating the questions folks asked, but you can clearly hear them in the audio (well, I could when I was wearing headphones, but I also have pretty bad hearing).

Special thanks to http://technocation.org for hosting the bandwidth for the videos.

Topics covered in the talk:
ACLs
Test dbs & anonymous accounts
OS files and permissions
Application data flow
SQL Injection
XSS (Cross-site scripting)

PDF of slides (1.4M):
http://www.sheeri.com/presentations/MySQLSecurity2007_02_08.pdf

Slides in Flash (107K):
http://www.sheeri.com/presentations/MySQLSecurity2007_02_08.swf

Video of presentation (large, 289M)
http://technocation.org/videos/original/mysqlsecurity2007_02_08large.wmv

Video of presentation (small, 27M)
http://technocation.org/videos/original/mysqlsecurity2007_02_08small.wmv