Open source software security

PHP Quebec

So I just got back from PHP Quebec, and although the trip home was horrendous the conference itself was a lot of fun. It is held in the amazing Sofitel Hotel along the 'Golden Mile' in Montreal, just at the base of Parc du Mont-Royal. The conference space was sparse, but attendance was probably under 200 so it worked out well. There were three lecture rooms with lectures in both English and French. There were five lectures a day, over the course of two days, and only two lecture slots where there wasn't a talk in French. I went to as many French talks as I could. Unfortunately the Quebecois accent is a little difficult to understand, and after the very first lecture I almost threw in the towel.

The first speaker, Louis-Philippe Huberdeau, was young, and a little disorganized, so he mumbled a bit and spoke very rapidly. He also had a heavy accent so I could only pick out about half of what he was saying, which was unfortunate because the half I did understand was very interesting. Louis-Philippe's talk had to do with implementing an agile approach to web development to react to changing customer 'besoins' (needs). He demonstrated a system for estimating and abstracting time requirements for a project that could easily adjust to shifting goals and requirements.

Luckily the second lecture I attended, given by Fréderic Schmitt, was *much* easier to understand. Fréderic is actually French (he works for FM Logistic) so his accent was, well, he didn't have an accent, which is what I was used to. His talk covered the usages of SOAP to do data abstraction so that PHP can serve as a data abstraction layer, allowing uniform access to data from multiple locations. He also introduced me to uses for Symfony:Lime - the Symfony debugging/unit testing module. Fréderic showed how by using a SOAP layer implemented in PHP you could share resources across an organization. This applied especially to situations where the data was being drawn from several different data sources. Fréderic also showed how to use products like YAML to help craft and test complex WSDL definitions for your SOAP services.

The third lecture I attended was by Gérald Croës, and was about design patterns. I'm roughly familiar with design patterns and the slides were really good, so when I didn't understand something Gérald said it was easy to look up at the slides and figure it out. I brought my small French dictionary with me as well, which was handy for looking up words I didn't understand. I learned a lot of new French technical terms, which I found out don't always correspond with their English equivalents. 'Base de données' was one of the common ones (database, abbreviated 'BD'). Gérald's talk was extremely good, as it related many of the basic Gang of Four design patterns directly to PHP and he provided excellent examples to illustrate implementation.

Throughout the conference I found the code examples to be extremely good. Everyone was using PHP 5 in an object oriented way and including several of the advanced features. Hardly anyone referenced the old style PHP 4 notation using functions, rather the examples included used class and method references.

The next talk I attended was in English, by Rob Richards of Local Thunder, and it was about SOA (Service Oriented Architecture). SOA, very simply, is merely using SOAP (or REST, but more commonly SOAP in PHP) to make your code objects available remotely as a service. Rob made an excellent case for why SOA isn't always an appropriate approach and outlined good uses for SOA. He used examples from his own experience to show how SOA could in some cases actually retard production times and be a detriment to development. Similarly he showed how mature projects and organizations can benefit greatly from SOA. His thesis, in a nutshell, was that when a company or product is young it needs to be fast and loose, agility over all else, but that when that company or product matures and settles down, implementing SOA to share resources can greatly enhance availability and support.

The last lecture I attended on the first day was by Fabien Potencier, and it was by far my favorite. Fabien works for Sensio, a French 'web agency', and was the second French French speaker I heard at the conference. Even though he spoke at the end of the day he spoke clearly and concisely and I was able to understand him quite easily. Fabien's talk had to do with Symfony, what it was and how it was used. Symfony is a web framework written in PHP and designed for enterprise applications. Fabien emphasized that Symfony wasn't the tool to use if you were just going to throw together a blog or a small application, as it was designed for large scale applications. Symfony provides an easy way (much like Ruby on Rails) to bootstrap your application development, generate a well documented, easy to maintain framework and implement code that is clean, modular, secure and portable. Symfony has methods to do multiple deployments of the same project to different levels of production, each of which has tuned settings for features such as logging and debugging. Symfony creates quick, robust applications and I'm really looking forward to implementing my next project using Symfony.

Day two started with the biggest talk of the lecture, by Rasmus Lerdorf. Almost everyone at the conference went to this talk, but my supervisor Roberto Mansfield was delivering his talk on Oracle and PHP at the same time. Consequently there was almost no attendance at Roberto's talk, which was unfortunate. I think the inclusion of Oracle probably hurt attendance a bit since most of the conference attendees seemed to be pretty hard core open source (there were more laptops running Linux that I saw than there were Mac laptops, and the Windows machines were definitely a minority). Personally I think Rasmus' talk should have been the keynote of the entire conference since many subsequent speakers referred to his ideas.

The second lecture I attended on day two was on rich internet applications (RIA) by Mike Potter, who works for Adobe. Although his talk was listed as covering Flex in the program he actually didn't really touch on Flex. Mike also emphasized using PHP as an abstraction layer, but rather than using it as a data abstraction layer as Fréderic did, Mike emphasized using PHP as a presentation abstraction layer. In this way PHP could produce content in a somewhat uniform manner such that any number of presentation technologies could be used to display and manipulate the data. Mike emphasized using the browser to sort and arrange data for display to reduce page requests and reduce the overall size of data delivery. This method means a large up front delivery of data to the client, but after that the client doesn't have to re-request the same data be delivered twice. By using tools like AJAX so that the browser only requests new data that it requires for display, the RIA can emulate the responsiveness of a desktop application and cut down on overall data delivery to reduce bandwidth consumption. Mike also demonstrated Apollo, which is Adobe's new technology for deploying Flash based applications on the desktop (much like Java applets). He showed a desktop application that worked with eBay to provide an interface to the auction directly from the user's desktop.

The third lecture I attended was in French (my first French lecture of the day). It was given by Patrick Gaumond on Typo3 as an SGC (Système de Gestion de Contenu - the fancy French way of saying CMS :)). Patrick gave an excellent talk about the features and advantages of using Typo3 as your CMS. The biggest sell to me was the sprints that they do in Switzerland or Germany where the coders write extensions and updates all night and ski and snowboard all day. Typo3 (pronounced 'tie-poh-tree' in Quebecois) is a robust, enterprise scale CMS system that is used across the world and is one of the older and more robust PHP based CMS systems. In addition to being very mature and scalable, with tons of plugins, Typo3 also sports a relatively unique feature that allows a single installation to support multiple sites. Typo3 also has very robust workflow management and user permissions.

The next lecture I attended was by John Coggeshall, who works for Zend, and it was about PECL. John pointed out a number of useful PECL extensions as well as explaining exactly how PECL came about and the best ways to use it. PECL is a repository for PHP extensions written in C that are not part of the core distribution. John explained that many of the extensions archived here were removed from the core due to limited adoption and are perfectly viable for production usage. He also warned, however, that PECL is unmanaged and that there were extensions that were unsafe for production, so it was important to thoroughly review PECL extensions before deploying them. Many of the best PECL extensions actually end up getting wrapped into PHP core though, so it's also a good proving ground for new ideas. The two PECL projects of interest that John pointed out were the Fileinfo extension and the SSH extension, which both looked pretty cool.

The last lecture I attended on day two was by Sylvain Carles. Despite Sylvain's intense accent I was able to pick out most of what he was saying (two full days of exposure must have gotten me somewhat more used to the accent). Sylvain's talk was about microformats and metadata (méta-données) used in HTML. Sylvain gave a comprehensive overview of microformats and showed several interesting examples. More than just explaining microformats though, Sylvain provided some really cool real world examples of things you can do with microformats. He showed integration between browsers and other applications (such as contact management software) as well as between browser based applications that used microformats. For instance, he pulled up one event planning site that used microformats so you could pull up Google maps of event locations instantly and click on locations in the presentation and have them added to your local contact list. You could even click on events and have them added to your local calendaring software. He also showed some Firefox plugins that could easily pick out and export microformats. Overall it was a really interesting look at some very cutting edge technology that can be incredibly useful.

I have to say that overall the conference was extremely enjoyable and I'm looking forward to going back next year. I loved being able to speak and hear French also. Montreal is great if you're learning French because even though there's a thick accent, you can always bail out of a conversation and use English in a pinch. For instance, when you forget words or can't quite make out what someone is saying you can just ask them to repeat it in English. In a purely French speaking country this isn't always the case. I also loved the way that people in Montreal often speak in Franglais, mixing English and French together, which is oftentimes much easier for a novice like myself to understand. The food in Montreal was amazing as well. Even my room service in the Sofitel was phenomenal and I was sad to leave. I think next time I'll have to stay for the weekend to actually enjoy the city as well as the conference.