Late last month, I received some bad news about web2project...

It turns out that web2project was vulnerable to a handful of select Cross Site Scripting (XSS: definition) vulnerabilities. While the attack vector was pretty specific to being an already authenticated user, it had the potential to be a major problem in a poorly configured system.

On the positive side, I say "was" because within 10 days of being notified of the problem - and the same day the vulnerability became public - we had a patched release out the door and available to users. We've spent the past month since encouraging them to upgrade. Of course, we further benefit from the fact that although the vulnerability does affect us, we're not named in the report.

Recently, I realized that despite talking about Karl Fogel's book - "Producing Open Source Software" - numerous times over the past year[1][2][3], I've never written a review of it. So without further ado, here we go.

I originally picked up my copy in mid-2007. It took me a couple months to get to it, but once I did, it rocked my professional world. To be clear, Karl Fogel is an early (founding?) member of the Subversion Version Control System.

Since the v1.2 release in early December, it's been a bit of an adventure... in the first week after the release, we got a couple major bug reports. Another few days resulted in a few more. Another day, another bug. In the first two weeks, we received a total of 7 bugs that ranked from major to critical. All in all, it was a bad time. Conveniently enough, none of the bugs were particularly complicated or deep, so we were able to quickly resolve each of them and eventually release a v1.2.1. And after receiving word of a small issue requiring another merge, v1.2.2 shortly after the New Year.

While a few members of our community were understandably upset, I was impressed that the bugs were found so quickly and resolves just as quickly. I couldn't put words to this well until I read Karl Fogel's post "Bug Growth is Proportional to User Growth, and Bugs are not Technical Debt." Wow, that Karl is a smart guy. More on that topic later.

For v1.3 we have quite a few features and fixes on the way:

Twas the night before Christmas and all through the house,
Not a peripheral was stirring, not even my mouse.

I with my Xbox and wife with the same
had just settled down to a nice co-op game.
I covered the front, she took the rear
our enemies had a dynamic duo to fear.

At a loud crash, I arose from the chair
wondering "what could be happening down there?"
We entered the room and what did we see,
but two surprised cats and a sad Christmas tree.

"But wait, what is that in the paws of the kitten?"
Something unexpected, something unbidden.
A gift certificate for Amazon, another for Fry's,
both looked like glittering gold in my geek eyes.

My imagination went wild, it just wouldn't stop,
so many ideas, my head might just pop.
But then I wondered "from where did this appear?"
and the wife agreed "this wasn't just here."

As of this morning - 09 December 2009 - web2project v1.2 is live!

While there is not a huge amount of new user-facing functionality, the sheer number of fixes and amount of cleanup is staggering.  Since the v1.1 release in September:

After the recent beating I gave Packt Publishing's "PHP Team Development" , I had a number of people ask what books I would recommend.  To be honest, that's one of the easiest questions I've gotten in a while.  And that's because when we put together Blue Parabola about a year ago, I had the chance to make this list exactly.  There are about 5 books that I believe should be in nearly any software developer's library:

Generally, I only use this space to talk about concepts, products, and events that are important to me when I believe others can find value too.  I try not to write negative reviews because I don't believe it adds value to the community... but occasionally, I have to do otherwise.  In terms of disclosure, I wrote the publisher - Packt Publishing - and offered to quietly forget that I read this book.  Alas, they demanded a review anyway, so here it goes...