Perl Conference 2.0, Continued
The Inner Ring: Tutorials and Classes
Perl Conference 2.0 started with two days of half- and full-day tutorials on a
variety of topics, from "Windows NT System Administration with Perl" to "Cool
Tricks with Apache and Perl." I attended a set of two tutorials given by Mark-Jason Dominus on Web security. The
tutorials were full of useful information on the security holes which you open
up when you start running interactive programs on your web server. He gave
several specific examples of how a cracker might exploit server programs that
don't launder user input sufficiently or might use a custom-made browser
(written, perhaps, with Perl's libwww library) to get around lax security in
poorly-written web server applications. These examples, plus his comments on
the theories of security, had me going back over many of my own
programs looking for loopholes. Two hints for those who didn't attend:
- Do taint-checking in all of your CGIs.
- Take the "Prussian" stance towards web programming (define
a safe set of actions which you will allow your programs to perform, and don't
allow anything else) rather than the "American" stance (define an unsafe
set of actions which you won't let your programs perform, and allow everything
else).
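The two hints above combined, as an added example that is not from the tutorial or from this article: a Perl script run under taint mode (`-T`) in which a denylist filter leaves input tainted and an allowlist regex is what untaints it. The `report` parameter, the sample values and both function names are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Zero-length tainted string (a common test idiom): appending it marks the
# constructed samples below as tainted, as real CGI parameters are under -T.
my $TAINT = substr($0 . $^X, 0, 0);

# "American" stance: delete characters known to be dangerous, keep the rest.
# The result stays tainted, and anything not on the list passes through.
sub denylist_clean {
    my ($value) = @_;
    $value =~ s/[;|&<>`]//g;
    return $value;
}

# "Prussian" stance: accept only input that matches the definition of safe.
# A regex capture is the mechanism Perl uses to untaint data. \A and \z
# anchor the whole string; a bare $ would also match before a trailing newline.
sub allowlist_report_name {
    my ($value) = @_;
    return $value =~ /\A([A-Za-z0-9_]{1,32})\z/ ? $1 : undef;
}

# Make newlines visible in the printed table.
sub show {
    my ($text) = @_;
    $text =~ s/\n/\\n/g;
    return $text;
}

# Constructed sample values for a hypothetical "report" parameter.
my @samples = map { $_ . $TAINT } ('sales_1998', '../notes', "summary\n", 'a;b');

for my $input (@samples) {
    my $denied  = denylist_clean($input);
    my $allowed = allowlist_report_name($input);
    printf "%-11s denylist -> %-11s (tainted=%d)  allowlist -> %s\n",
        show($input), show($denied), tainted($denied) ? 1 : 0,
        defined $allowed
            ? "$allowed (tainted=" . (tainted($allowed) ? 1 : 0) . ")"
            : 'rejected';
}
```

Run it as `perl -T` followed by the script name. Only `sales_1998` is accepted and untainted; every denylist result is still tainted, so taint mode would refuse to use it in a file write or a shell command.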
The various classes, while not quite as information-dense as the tutorials,
presented some good hints and theories on dealing with problems programmers
might face. Andreas Koenig gave an interesting talk on a web publishing system
he set up at his company, which eases the process of previewing,
link-checking, and publishing web documents. One of Tom Christiansen's talks,
on "Perl Style," was full of hints (mostly useful for beginners) on how to
make code more efficient and more easily readable. In a more
theoretical vein, Tim Bray, co-editor of the XML specs, talked about how he
expects XML to improve the state of inter-computer communication (as well as
programmer-to-computer communication) through simplification and
standardization of the "language" these entities speak.
The Apache Town Meeting at the end of the last day of the conference was
disappointing. Only a handful of people showed up, and those that did had few
questions. But I should have expected this: the Perl Town Meeting (with many of the famous and interesting Perl inner
ringers as panelists) occurred at the same time.
During the Apache Town Meeting, one interesting question was whether the Apache people (the Native American
nation) objected to the naming of a freeware web server after them. The panelists
(who were members of The Apache Group) stated that
some individuals, none of whom claimed to be representatives of the Apaches,
had written to them with concerns about their use of the name. They went on to
say that while the official story of how Apache got its name (from being a
"patch-y" server) is essentially correct, most of the members of the group
agreed to the name Apache because they admired
the image of the Apache people, a proud people living off the land and building a vibrant culture with little environmental waste or inefficiency.
While a dedicated student could learn all the material presented in the
tutorials and classes on his or her own, I would guess that most participants
found the transfer of knowledge to be more efficient, and a bit more
enjoyable, in a conference setting. For those who didn't attend, O'Reilly
has made notes from many of the talks available online.