09 September 2007

Liveblogging PyconUK 2007 - Sunday

Whew, was Saturday a busy day! Simon Willison's keynote on OpenID was disappointing: he basically responded to any critique of the (flawed, IMHO) security model by saying "well, recovering passwords through email is as insecure as this!", which is balderdash :) (there are legal QOS agreements between email providers), and then "well, of course banks will never use this, but your generic stuff might", which again is balderdash, because even people behind "generic" stuff do care about the security of their data. UPDATE: see Simon's comment further down for clarifications... Simon is a good speaker, but feedback from people was still sceptical, to say the least.

Dinner was awesome, I met lots of great people, and Jono "LUGRadio" Bacon delivered a "rock&roll" after-dinner talk (what next, LUG-StandUpNight?) on why his pet project Jokosher ended up being written in Python, and became fairly usable in less than a year (for an audio editor, apparently, that's a good timescale).

And we start again! David Boddie on the awesome QtDesigner: it looks easy to build custom widgets, and the autoconnecting features promise to do away with the signal/slot paradigm as much as possible.

UPDATE: Jonathan Hartley on the basics of TDD in Python; I was probably expecting a more "theoretical" talk, or something more advanced, but it was really just an introduction. I suppose I should just be glad I already know about this, stop being lazy and JUST. TEST. IT.

UPDATE: The European Union gives 2.5 million euros to the SQO-OSS people to find new ways of measuring software quality: impressive! Paul Adams made an important point on developer turnover and how to get people on your project: open it! (mailing lists, wikis, svn, etc).

UPDATE: the presentation on Python EGGs was very informative; there are lots of ways in which you can use easy_install, not just to install stuff but also to update it, have multiple versions, get svn versions of installed software, and also package un-EGGed software. It's a shame that the presenter was trolled in Q&A time; it shouldn't have happened.

I confess I didn't really listen to the Pylons/WSGI talk. Middleware doesn't really turn me on. I filled in my (great) feedback form for a chance to get my dirty hands on a Nokia N800 -- apparently the best presenter will get an Xbox! Lunch was also sponsored by Microsoft; am I supposed to feel guilty? ;) I see the first slides are being posted online already; I'm sharing some of them in my Google-powered sidebar feed as I find them, and I'll try to link them all in the next few weeks. Many talks were also recorded, so they should appear on the pyconuk site.

I'm almost sad that in only a few hours everything will be gone... My target now is to give a lightning talk next year on my (very cool) django-powered app! The countdown begins, better start coding...


Simon Willison said...

Sorry if I was unclear - the point I intended to make about banks was this: they're unlikely to accept OpenIDs from any provider, but there's nothing to stop them from creating a whitelist of "trusted" providers who they know to be secure. If you're convinced that your application should have the same level of security as a bank you can do the same thing.

I was pretty surprised at the kick-back against that part of my talk to be honest. Usually people are happy with my comparison to "forgotten password" e-mails - most applications don't need the same level of security as banking does, and express that in the fact that they are willing to trust the user's e-mail provider to be secure.

I was unaware of legal QOS agreements between e-mail providers; do you have a link where I can learn more? At any rate, if they exist for e-mail providers they're likely to exist for OpenID providers as well before too long.
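
The "whitelist of trusted providers" idea from the comment above, as an added example that is not part of the post or the comments: a small relying-party check, in Python, that accepts an OpenID assertion only if the discovered provider endpoint belongs to an allowlisted host. The provider hostnames and endpoint URLs are constructed for illustration.

```python
"""Added example (not from the post or the commenters): a relying-party
allowlist check for OpenID provider endpoints. Hostnames are constructed."""
from urllib.parse import urlsplit

# Constructed allowlist of OpenID provider hostnames this relying party trusts.
TRUSTED_PROVIDERS = {"openid.example-bank.test", "id.example-corp.test"}


def provider_is_trusted(op_endpoint: str, trusted=TRUSTED_PROVIDERS) -> bool:
    """Return True only if the discovered OP endpoint URL sits on an allowlisted host.

    The decision is made on the parsed hostname, not on a substring match, so
    look-alike hosts (trusted.test.lookalike.test) and userinfo tricks
    (https://trusted.test@lookalike.test/) are rejected. Plain-HTTP endpoints
    are refused as well, because an assertion fetched over an unauthenticated
    channel can be tampered with in transit.
    """
    try:
        parts = urlsplit(op_endpoint)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # .hostname is lowercased and has userinfo and port removed; None if absent.
    host = parts.hostname
    if not host:
        return False
    return host in trusted


def filter_endpoints(endpoints, trusted=TRUSTED_PROVIDERS):
    """Keep only the endpoints a relying party with this allowlist would accept."""
    return [ep for ep in endpoints if provider_is_trusted(ep, trusted)]
```
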

GiacomoL said...

From what I understand, bank customers are already concerned by schemes like "verified by VISA", which is also based on redirection in a similar way to OpenID. Trusting one provider with a multiplicity of accounts is, IMHO, a recipe for identity fraud on an even greater scale than what we have now, and I think that's going to be a concern for institutions which barely trust government-provided forms of ID... This isn't meant to be a flame on OpenID :) it looks like a very good tool for the intranet (huge companies have too many internal user/passwords already), especially when linked to MSAD/LDAP. That's, I think, the real killer market for it.

Who knows, if it really catches up in mainstream venues, I'll be happy to be proved wrong, but I really don't see it as a 100% reliable method for The Big Bad Internet, not more than the (much less geeky) well-entrenched user/pass schemes, or more ambitious ones based on hardware tokens and cards.

On the QOS/SLA thing, my google powers fail me as usual, but I used to work at IBM and several customers were wrapping in legalese every aspect of their service (uptime, rates of email delivery, proof of delivery, etc etc), and were quite happy to threaten legal action at any perceived failure (mainly in order to get discounts, but that's another problem). This might not be commonplace for the average little host, but corporate customers were happy to indulge. Certainly, as OpenID gets closer to big money, similar things will come up for it, as you say.

Oh, and thanks for stopping by, I hope you found my little reports faithful enough (if occasionally biased ;)

Paul Boddie said...

The provider-to-provider aspect of OpenID isn't *that* far off the Liberty Alliance stuff, architecturally, as far as I remember, and I'm sure the big names involved with that (quite closely associated with banks, too) would like to know how the security model is flawed. Meanwhile, on the subject of e-mail delivery guarantees: how would the existence of agreements between individual providers work in general? And on the subject of mailed passwords, haven't we learned something about this from the recent reddit.com fiasco, anyway?

Off on a tangent: what was the "trolling" in the Python Eggs Q&A all about? Those of us who weren't there don't want to miss out on the melodrama!

GiacomoL said...

Now I know how to get readers to my blog, I'll just badmouth OpenID as much as I can and maybe the next commenter will be Guido himself! :D

Paul, as I said above, I'll be happy to be proved wrong. OpenID is great for the intranet, it might work for the internet... it's just not my cup of tea (yet), and from the questions in the room it looked like other people were still very sceptical too.

The trolling I referred to was from the guy who later gave a lightning talk on "the IDE which doesn't judge you": the presenter was a bit nervous (even though the slides were full of good tips on easy_install), and the first question he got from the guy was more or less "well, what's the point of all this anyway? just distribute the python script, it's so easy!", which is really unfair since big projects usually depend on lots of shared libs, extensions etc, don't really manage well when more than one version is installed, have to mess with PYTHONPATH etc etc. Unfortunately, as I said, the presenter was a bit nervous, and it looked like the guy in the audience was smelling blood and kept banging on about how it was all useless. It really was the only unpleasant bit in two days (but it wasn't the organizers' fault, of course).

Paul Boddie said...

"...just distribute the python script, it's so easy!"

Perhaps the guy can tell us all how to do all-in-one statically-linked binary installers that work across different generations of GNU/Linux distributions (and related systems) - with source code included, of course. If stuff like this is so easy, it'd only take a few minutes of his time.

P.S. I'm not an OpenID advocate as such, but I'm always interested to hear perspectives on such topics if they're sufficiently detailed.