Gallery

Off To Europe

Tomorrow afternoon, I'm off to Amsterdam for the 4th annual Gallery developers conference. Last year in San Francisco was pretty great, and though the crowd will be a little smaller in Amsterdam, we should have a pretty good time! After that, San and I head to Paris for close to a week of tourism there, including seeing the end of the last stage of the Tour de France.

If you need to get in touch with me for any reason, just send me an email and I promise I'll go through each and every one when I get back! If something is urgent, send me an email and then send a text message to my cell phone. I should be able to receive those there, and I'll get in front of a computer if I need to.

SourceForge Tracker Security

As many of you know, I'm the project manager for Gallery. We host all of our bugs, tasks, source code, and mailing lists in our project on SourceForge. Over the last year or so, we've been paying for external security audits of our entire codebase which has been very helpful in identifying potential security problems in Gallery. The last round of audits from Gotham Digital Science were very thorough and gave us a good list of things to improve. SourceForge supports marking tracker items as "private" so that only members of the team can see the issues. We decided to use this for the security fixes because having everything in a central location in a way that team members can see what issues are open, pick ones to work on, and communicate their progress to others, helps us get things fixed much more quickly than just using email or a mailing list.

As project manager, I have a paid subscription to SourceForge which allows me to "monitor" projects, and I monitor both Gallery and gallery-contrib (a separate project we manage to allow anyone to develop for Gallery using SourceForge with no prerequisites). Monitoring a project means that I get an email for every single action that happens on the site: updates to bugs, new feature requests, etc. I received e-mail notifications of all the private security related bugs and didn't think much of it, but at some point it hit me: what if anyone with a paid SourceForge account could monitor a project and thus get notifications of private items?

Andy (another Gallery developer) and I set out to test this out and verified it on gallery-contrib. I removed him from the project, he monitored it, I created private items, and he was still getting the e-mail notifications! Not good! All of our security issues (which cost us a significant chunk of cash to find out about) in the bug tracker on SourceForge were essentially published. Perhaps no one was monitoring our project so it all could still be secure, but wow. I submitted a private bug with SourceForge (fortunately, they do not allow people to monitor their bug list :) ) and it went into the queue. Bharat, the founder of Gallery, used to work at SourceForge and forwarded the issue along to some of his contacts there, and it was resolved a few days later. We verified that it works the right way now, but it leaves me feeling pretty nervous.

SourceForge is great because they provide all these things for Open Source projects for free including, perhaps most importantly, the ~6Mb/s of traffic our downloads generate. (In my current hosting setup, that would cost me over $400 a month.) However, like any Software-as-a-Service, you can never be sure that a "private" checkbox works the way that you expect, and if you do find problems, there is no way to fix them on your own. Private tracker items are now truly private, but this could always be accidentally changed in the future without our knowledge, and we certainly can't keep testing this with the regularity that the severity of our security issues warrants.
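The bug described above is a classic case of an authorization check that exists on the web view but is missing on a secondary channel (e-mail notification fan-out). The following is an added example, not SourceForge's code, that models the two fan-out rules side by side and re-runs the experiment from the post as a repeatable regression check: a user is removed from the project, keeps monitoring it, and a private item is filed. Project and user names are constructed stand-ins.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class TrackerItem:
    item_id: int
    title: str
    private: bool  # "private" items must only be visible to project members


@dataclass
class Project:
    name: str
    members: Set[str] = field(default_factory=set)
    # paid accounts that "monitor" the project and receive an e-mail per action
    monitors: Set[str] = field(default_factory=set)


def recipients_leaky(project: Project, item: TrackerItem) -> Set[str]:
    """Buggy fan-out: every monitor is notified, the private flag is never consulted."""
    return set(project.monitors)


def recipients_fixed(project: Project, item: TrackerItem) -> Set[str]:
    """Fixed fan-out: the notification path applies the same visibility rule as the
    tracker UI, so private items only reach monitors who are also project members."""
    if not item.private:
        return set(project.monitors)
    return project.monitors & project.members


def regression_check(fanout: Callable[[Project, TrackerItem], Set[str]]) -> Dict[str, List[str]]:
    """Replay the experiment from the post against a given fan-out rule.

    Returns who a private item leaked to (anyone notified who is not a member)
    and who a public item reached, so both behaviours can be asserted.
    """
    proj = Project("gallery-contrib", members={"pm", "andy"}, monitors={"pm", "andy"})
    proj.members.discard("andy")  # Andy is removed from the project but keeps monitoring it

    private_item = TrackerItem(1, "constructed private security item", private=True)
    public_item = TrackerItem(2, "constructed public feature request", private=False)

    leaked = fanout(proj, private_item) - proj.members
    return {
        "leaked_to": sorted(leaked),
        "public_recipients": sorted(fanout(proj, public_item)),
    }


if __name__ == "__main__":
    for name, rule in (("leaky", recipients_leaky), ("fixed", recipients_fixed)):
        print(name, regression_check(rule))
```

The check is cheap enough to run on a schedule against a real tracker too (file a private item in a throwaway project, watch a non-member monitor's mailbox), which is the only way to notice if the hosted service's behaviour silently regresses.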

While this was very surprising in a very negative way, we won't be switching away from SourceForge any time soon. They do a good job, are very responsive to requests, have the functionality we need, and host more Open Source projects than other things such as Google Code. We'll see what the future holds, perhaps one day we will have the resources to run things on our own!

PMA 2008

I'm currently sitting in the Las Vegas airport waiting for my flight back to Atlanta. DIMA flew me out here to speak about Gallery during their portion of PMA 2008 (The "leading annual photo trade show and convention"). My session was D13 - Breakthroughs in Photo Archiving Using Metadata (read more on this page) and I was paired with Andrea de Polo from Alinari (The world's oldest photography archive) and Jeff Sedlik from the PLUS Coalition (A new standards body for photography licensing and metadata).

Over the last few months, the session format kept changing, but it ended up being a small talk by each of us. I spoke about Gallery and how we work with metadata including EXIF/IPTC and tags, Andrea spoke about challenges of building a searchable digital archive from a museum's perspective, and Jeff spoke about PLUS's forward momentum in universalizing all aspects of photo licensing. We didn't have much time for questions as part of the "panel", but I did have a few people come up to talk to me afterwards. One person from the real estate industry was interested in using Gallery for a major project, a project manager from a startup related to photography and outsourcing Photoshop work to Asia was curious if Gallery could help them roll out their project faster, and a Sandisk employee from Israel with some great ideas (and patents) about social networking just wanted to let me know that Open Source software shows that there is still hope for an America so consumed with personal financial gain.

After my session (and a few others) was the DIMA keynote. I wasn't sure what to expect from this but turns out Ze Frank spoke for an hour on things ranging from his fear of flying and airline safety cards, to his adventures in becoming an internet phenomenon and how important user created content is. It was very entertaining and I managed to talk to him for a minute after the keynote because he uses Gallery on his site but I didn't really know much about what the "big deal" about him was until seeing his talk. I walked the mile or so back to my gigantic hotel room (some pictures on my flickr) and put in a wake-up call for 3:30am, and with that, today is going to be a long day! I'll be back in Atlanta around 4pm Eastern and hopefully will make it to the track tonight for some riding around in circles.

PHP on IIS -> fast and supported

Jesse and I went to the Microsoft Web Developer Summit a few weeks ago representing Gallery. Microsoft promised us that they were trying to be better citizens in the PHP community and make PHP work better on Windows. For those of you not in the know, the common way to run PHP on IIS was through CGI, which means that every single visit to a PHP page requires loading the entire PHP stack. Think starting up your web browser from scratch every time you open a new URL, and multiply that slowness by a few thousand users... it's baaaad. To get around this for PHP (and other CGI scripts) FastCGI came along and made everyone's servers perform better. It daemonizes PHP (or anything else supported) so that it doesn't need to start up for every request, but it's never worked quiiiite right on IIS and has never been supported. Until now.

So today, after working with Zend for a while, Microsoft has released FastCGI for the current version of IIS, with full Microsoft Support. Have a PHP app that you are trying to get to work in IIS? They'll help you. Cool! You can download FastCGI for free from www.iis.net/php. (And from what I understand, it really is FastCGI so you can use it for any CGI based application server in IIS.)

Have a Windows server running IIS? Want to use Gallery? Check out the howto that Microsoft wrote on Installing Gallery 2 on IIS. In addition to writing some docs, over the next few months Microsoft will supposedly be getting us resources like virtual machines, licenses, hosted test environments, etc so that we can make Gallery work on a wider range of Microsoft products.

A little Kool-Aid is definitely good every now and then.

Microsoft Web Developer Summit 07

Sunday to Tuesday of this week, Jesse and I represented Gallery at Microsoft's invite-only 3rd annual Web Developer Summit. This year their focus was on PHP, and 24 "important" people from the PHP community were invited. The two authors of the book "Pro Drupal Development" that are also Drupal core developers, several people from the PHP (and PEAR) core team, an engineer from SugarCRM, and the guy at Facebook that wrote their developer platform were among the other attendees. On the Microsoft side were the important "higher ups" that work with Open Source technologies (see microsoft.com/opensource).

Sunday was my flight out and a few hours of catching up with an old friend I haven't seen since middle school, followed by meeting up with Jesse for some beer samplers at a local brewery, followed by some snacks and drinks with the rest of the summit attendees.

Monday was a day full of sessions followed by dinner, and Tuesday was more sessions. You can read someone else's presentation notes here so I'll keep this to highlights:

  • Pictures! Jesse's blog where he talks a lot more about some details
  • Microsoft is seriously interested in Open Source now. They've realized that their value is as a platform, and PHP applications need to work well on Windows for people to be willing to use Windows in many server environments. Sure, it's just business because that's what their customers demand, but they're ready to work with us to do what needs to be done.
  • Monday after dinner (and after Jesse ordered a round of tequila shots for the entire conference on Microsoft's tab), I spoke with Sam Ramji, Microsoft's Director of Platform Strategy, for an hour or so. He runs the Open Source Software Lab at Microsoft and was very interested in any ideas that I and the other attendees have for Microsoft.
  • Surprisingly, many of the ideas we had were news to them. It seems that there are a lot of things in the community that we all think Microsoft should do, but nobody ever goes to the trouble of telling them! Things like experienced Linux admins wish their BASH and Apache configuration skills could transfer more directly to PowerShell and IIS, etc. I don't remember all of these because they seemed so obvious, but they took notes and hopefully will get around to doing some of these.
  • Jesse and I were convinced at the last minute to do a talk on Gallery. We quickly put together a presentation and some people at least seemed pretty interested. We got a healthy number of questions and I looked at some numbers I haven't looked at in a while (Gallery gets ~150k downloads a month!). As a result of this, we may have 2 people contributing some code and one person starting on some more documentation for us. Hoorah.
  • While some of the presentations were pretty useful, much of it wasn't really targeted to the audience. Sure, learning about Silverlight and Expression was neat, but was it really the best use of our time? Probably not. However, the internet worked well and it was easy to get other things done during the less interesting parts. (And most people in the room were on IRC so we could discuss things at the event as they happened.)
  • We were not given suitcases full of cash to use ASP.net, but each of us walked out with a full MSDN Subscription and Microsoft is going to be working with us to provide whatever products and licenses we need to be able to effectively develop for and test on Microsoft platforms including IIS7, Windows Server 2003 and 2008, Microsoft SQL Server, etc. No complaints there. (One attendee just hasn't gotten around to publishing something she's been working on yet, and it sounded like Microsoft will be shipping her an XBox 360 to encourage her to get around to it :) )

All in all, it was a pretty useful couple of days. I think the most important part was networking with other PHP developers and the Open Source people at Microsoft, as this should encourage future email conversations with everyone to be timelier and more effective. Hopefully, everything will come through and Microsoft will be able to provide Gallery with what we need to be able to test and develop on Windows, and hopefully Microsoft will be able to implement some of our suggestions for the way they work with Open Source. They do seem very interested in making this happen! If you want to read more from them (which you should, especially if you think I've just been drinking their Kool-Aid all week), check out: port25.technet.com and microsoft.com/opensource.

people and toys

It's been a while since I've updated, but there are good reasons. This is my last semester of grad school so I have a few projects to work on:

  • Advanced Operating Systems is a project every few weeks. So far I've written priority and co-scheduling components for a user space thread scheduling library that works on multiprocessors, and I'm working on code to implement a shared camera driver across UML instances.
  • Networked Applications and Services has me working with 2 other people on a semester long project to analyze the social graph created by forum postings on Faster Mustache.
  • My final 3 hours of research for my master's project is spent on the data storage model for CPR. We now have a real time database, a plan for file archiving, and a plan for long term SQL accessible data archiving for the 300k or so rows that get added to the database every day.
  • And then 3 hours are spent working on IMS, specifically building monitoring and deployment management tools for the carrier side of the system.
  • And then, the usual 20 or so hour a week job working on other aspects of CPR.

Given that, my schedule is pretty full but there is still some time for other things. Two weekends ago was the third annual Gallery Developer Conference in San Francisco. It was a blast, as usual, and I took my share of pictures as well. The following week I got to attend a talk by Jim Lovell about his experiences in the Apollo program, followed by the GTISC Annual Security Summit with speakers such as Vint Cerf (one of the founders of the internet), the Information Assurance Technical Director from the NSA, and various influential people from the security industry.

Then there are the toys. First came a Garmin 60CSx GPS receiver. It does fun things like tracking where I bike, letting me tag places, and uploading all of the information into Google Earth. One of these days all that information will have a run in with my photo library and there will be maps with pictures and so on. I'm looking forward to that day but it's a long way out. On a related note, I picked up a scanner: the Epson 4990 Photo. It's great and I've been scanning the shoe boxes of prints from 1990-2000. Eventually these will make it online, but I need to get together with some old calendars at my parents' house to figure out when most of them were taken. Lastly, I replaced my Motorola L6 with an iPhone. My only complaint is that the 1.1 firmware broke 3rd party application support, but all I need is an SSH client so if Apple would just do that, it'd be great. The firmware update is important to me because it fixed what I see as a major problem: with the 1.0 firmware, the UI didn't warn you if IMAP server credentials changed. This means that the iPhone mail client would send your user name and password to any mail server (read: hacker) that showed up in DNS on the phone as your mail server. Given the iPhone's ability to connect to any old WiFi network, this could be pretty disastrous.
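The iPhone 1.0 mail problem described above is a failure to verify server identity before sending credentials: on a hostile WiFi network, DNS answers are attacker-controlled, so the only evidence a client has about who it is talking to is the server's certificate. The following is an added example, not Apple's code, that models the decision a mail client should make before sending an IMAP login: the presented certificate must name the configured host, and after the first successful login its fingerprint is pinned so that a changed server identity stops the login and asks the user instead of silently proceeding. Hostnames and certificate bytes are constructed stand-ins; a real client would additionally validate the certificate chain.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ServerCertificate:
    subject_alt_names: Tuple[str, ...]
    der: bytes  # constructed stand-in for the DER-encoded certificate


@dataclass
class AccountConfig:
    host: str                          # the IMAP host the user configured, e.g. imap.example.com
    pinned_sha256: Optional[str] = None  # fingerprint recorded at the first successful login


def fingerprint(cert: ServerCertificate) -> str:
    return hashlib.sha256(cert.der).hexdigest()


def hostname_matches(host: str, san: str) -> bool:
    """Match a configured host against one subjectAltName; '*.' covers exactly one label."""
    host, san = host.lower(), san.lower()
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return host == san


def decide(config: AccountConfig, presented: ServerCertificate) -> Tuple[bool, str]:
    """Return (send_credentials, reason) for a connection that presented this certificate.

    The DNS answer that led to the connection is deliberately not an input: it is
    untrusted on an arbitrary WiFi network, so it must not influence the decision.
    """
    if not any(hostname_matches(config.host, san) for san in presented.subject_alt_names):
        return False, "certificate does not name the configured host"
    fp = fingerprint(presented)
    if config.pinned_sha256 is None:
        return True, "first login; pin fingerprint " + fp
    if fp != config.pinned_sha256:
        # This is the case the 1.0 firmware got wrong: the server looks different
        # from last time, so warn the user rather than sending the password.
        return False, "server certificate changed since last login; ask the user"
    return True, "certificate matches pinned fingerprint"


def demo() -> List[bool]:
    """Walk through first login, a rogue server, a wrong-name server and a normal reconnect."""
    cfg = AccountConfig(host="imap.example.com")
    real = ServerCertificate(("imap.example.com", "mail.example.com"), b"constructed-real-cert")
    rogue = ServerCertificate(("imap.example.com",), b"constructed-rogue-cert")  # same name, other key
    wrong_name = ServerCertificate(("attacker.example.net",), b"constructed-real-cert")

    results = [decide(cfg, real)[0]]          # first use: allowed, and the client pins it
    cfg.pinned_sha256 = fingerprint(real)
    results.append(decide(cfg, rogue)[0])      # spoofed DNS on hostile WiFi: blocked by the pin
    results.append(decide(cfg, wrong_name)[0]) # certificate for some other name: blocked
    results.append(decide(cfg, real)[0])       # normal reconnect to the real server: allowed
    return results


if __name__ == "__main__":
    print(demo())
```

The pin is the piece that turns "the server looks different" into a user-visible prompt; without it a client with only name matching would still hand the password to anyone holding a certificate for that name.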

In other news, my leg is mostly healed up and I've almost gotten everything right on the newest addition to the bike collection: a Redline 925 and the collection of various parts I've somehow attached to it. (I had a bike shop cut the fork and press the headset for me since I don't have those tools yet.)

Gallery bounty program

With the contributions of the rest of the Gallery team I put together Gallery's first ever "bounty" plan. We're not the first Open Source project to do this, but it's still not as common as it could be. The basic idea is that we get a lot of donations from our users and a lot of money from advertising on our website, but don't have a lot of expenses. We have to pay for server hosting (We rock ~2Mb/s outgoing traffic 24/7) and an annual developer conference (this year will be our third!), but that's about it! For Gallery 2, we started paying security companies to do security reviews of each major Gallery 2 release, and a security company is currently doing the first and only paid review of Gallery 1, but there is still money left over.

So to help the project continue to grow (and spend this money) we're now paying anyone on the Internet that submits a valid security report or implements to our satisfaction one of the top 10 features (as voted on by our users) in our list of open feature requests and bugs. So what are you waiting for? A security report that requires us to release an immediate fix is worth $1000!

You can read all the details in the Gallery bounty program announcement.

Meetings and Presentations

Sure sounds awful right? Nope! Last weekend Jens (from Gallery and Germany) was in Mountain View, so we figured we should do something. Friday night Ben (my roommate) and I showed Jens the most important American things: Malt Liquor and In-N-Out Burger. Good times! On Saturday, Bharat had a cookout at his place (another American experience that Jens needed before heading back to Germany on Sunday) and Bharat (+family), Robert, Alan (+family), Jens, and I ate burgers and drank beer. Jens picked up a 12-pack of PBR to give to Bharat with a Stein from Germany and much hilarity ensued for the whole afternoon. Jens apparently thinks that Bharat's dog only speaks German and Bharat's kids apparently do not have an off switch. Bharat, Jens, Robert, and I ended up at a bar playing pool for the late evening and I ended up sleeping on Bharat's couch. (Robert was on another and Jens was on an air-mattress). Good Times.

But on to presentations... Google has these things called "Tech Talks." Sometimes it's internal Google things that I can't really talk about but they're really neat, but other times it's people from the outside talking about things that they think are cool and that Googlers will likely find interesting. I managed to go to three of them today and they were all definitely worth going to!

  • A guy from Rentrak came and talked about how they use custom scalable database solutions to manage all of the video viewing data they can get their hands on. Movie theatres, movie rentals, video on demand downloads, etc. Think several billion records generated a day.
  • A researcher from University of California Santa Barbara came and talked about fiber optic switching technologies. His lab has come up with actual working switching devices that can do things like switch 10GB/s of traffic in a single completely optical path using mere Watts of power dissipation. Compare this to the current optoelectronic switches that often require hundreds or thousands of Watts and can't even begin to work at wire speed for higher speeds without taking up lots of space. This guy's fully optical switch for a large amount of bandwidth will take up the space of one line card in a router and have the same capacity of a router that takes up two entire racks (~64 line cards) and uses _lots_ of power.
  • Carolyn Porco, the imaging team lead from the Cassini mission to Saturn. Her presentation was all pictures (you can see lots of images at ciclops.org, which she runs) with very interesting narration. The thing I found most interesting is that one of Saturn's moons has jets of particles shooting into space that are likely the result of liquid water on the surface. There could be life because there is plenty of organic matter and liquid water would do the trick! She gave the example that all a probe would need to do to detect things would be to land and just look up and stick out its tongue. Interestingly, even though her involvement with NASA is tied up in robotic exploration, she is still a supporter of human space flight and thinks we should work on getting people further into space instead of just "flying around in circles." Her suggestion that NASA could use a lot more funding gets my vote!

More tech talks to come in the following weeks!