Releasing to Maven Central

While we already published releases on JCenter, we are now in the process of getting OpenFastTrace published on Maven Central. The goal is of course to make using OFT as convenient as possible for everyone.

I am happy to see that the people from Maven Central take security seriously and do not just let anyone publish modules under any package name. They asked us to prove that we own the domain “itsallcode.org”, so that gave me the necessary kick in the butt to speed up my plan to set up a web presence for OFT outside of GitHub on our domain. This blog is the first part.

Samsung Printer “security”

Not much time today, so just a list of “features” I’ve discovered on my shiny new Samsung M2825 printer:

  1. HTTP but no HTTPS (admittedly most devices do that since there is the problem of how to start the certificate chain)
  2. Default user / password: “admin” / “sec00000”
  3. No mention of open HTTP server in installation manual
  4. No mention in handbook
  5. Shipped with firmware from 2015
  6. Firmware update dialog does not indicate that new firmware is available
  7. Firmware update via file upload from PC – not convenient
  8. Ton of protocols switched on by default
  9. HTML Handbook broken (text only) after unpacking
  10. Firmware well-hidden on the support page (unfold and scroll down): http://www.samsung.com/de/support/model/SL-M2825ND/SEE (edit 2018-07-01: this link not available anymore)
  11. Password cut after 18 characters (no indication when entering new password)
  12. Offers to select source IP for login (probably intended to improve “security”)

tl;dr:

Another example that “S” stands for security in IoT.

Intrusive Sharing

Good software tries not to surprise the user. Today I was surprised that four of the integration tests in OpenFastTrace (OFT) failed although I did not touch the code.

The failure reason given was a character encoding problem. Since I was quite sure that the problem did not occur last time I ran the test and I did not touch the code since, I knew the reason was not in our code.

I suspected that the test did not (or not only) use the test data in the resource directory, so I manually ran the test and explicitly pointed OFT to the resources. This time the test passed.

Then it started to dawn on me: the strange .AppleDouble directories that seemed to appear out of nowhere in my home directory might be the culprit.

A quick Internet search later I realized that they were a result of sharing my home directory over my LAN with another machine. Sure enough, they contained the same filenames, and OFT mistook them for input files. Since the content of those files looks binary, OFT could not read them.

I stopped sharing and search-deleted all those directories. After that everything was back to normal.

Coming back to my original point: the appearance of .AppleDouble directories just because I shared a directory via Samba from my Linux box came as a complete surprise to me. I am grinding my teeth already because they will also be in all backups. Luckily I spotted them before I did any git commits.

Bottom line: don’t surprise your users – do exactly what they expect.

Test coverage pitfalls

When did I test enough?

While code coverage is a good indicator, you still have to know how code coverage works. Today I was hunting a bug in a Markdown importer I wrote for OpenFastTrace. The class where the bug sits had a whopping 93.1% code coverage, and part of that missing coverage was due to the fact that the JaCoCo coverage tracer can’t mark code that throws exceptions as covered – even though there is a test case for it.

So I wrote a new issue ticket, created a fix branch and wrote a three line test case that reproduced the problem. While the test now failed as expected, the code coverage didn’t go up.

I used the Mockito mocking framework to verify that an interaction with a mocked observer happened, or in my case, due to the bug, didn’t.

The error was hiding in a regular expression which read

"Needs:\\s*(\\w+(?:,\\s*\\w+)+)"

instead of

"Needs:\\s*(\\w+(?:,\\s*\\w+)*)"

Notice the asterisk at the end.

So while there are a lot of test cases waiting to be written for this regular expression, code coverage won’t tell you.

You get what you measure, so be sure you understand what it is you are measuring.
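The boundary cases that coverage cannot distinguish, as an added example (not code from OpenFastTrace): both patterns sit on the same line of code, so any input marks that line as covered, yet only the number of items in the list separates them. The class name, the `needs` helper, the sample lines and the use of whole-line matching are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Objects;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class NeedsPatternCheck {
    // The two patterns quoted in the post, unchanged.
    static final Pattern BUGGY = Pattern.compile("Needs:\\s*(\\w+(?:,\\s*\\w+)+)");
    static final Pattern FIXED = Pattern.compile("Needs:\\s*(\\w+(?:,\\s*\\w+)*)");

    // Returns the captured list, or null when the whole line does not match.
    // Whole-line matching is an assumption; the importer may match differently.
    static String needs(Pattern pattern, String line) {
        Matcher matcher = pattern.matcher(line);
        return matcher.matches() ? matcher.group(1) : null;
    }

    public static void main(String[] args) {
        // Constructed sample lines mapped to the list a correct pattern should capture.
        Map<String, String> cases = new LinkedHashMap<>();
        cases.put("Needs: dsn, impl", "dsn, impl");           // two items: both patterns match
        cases.put("Needs: dsn,impl,utest", "dsn,impl,utest"); // three items: both patterns match
        cases.put("Needs: dsn", "dsn");                       // one item: only FIXED matches
        cases.put("Needs:dsn", "dsn");                        // no whitespace, one item
        cases.put("Needs: dsn,", null);                       // trailing comma: neither matches
        cases.put("Needs:", null);                            // empty list: neither matches

        for (Map.Entry<String, String> entry : cases.entrySet()) {
            String line = entry.getKey();
            String buggy = needs(BUGGY, line);
            String fixed = needs(FIXED, line);
            System.out.printf("%-26s buggy=%-16s fixed=%-16s%n",
                    "\"" + line + "\"", buggy, fixed);
            // The fixed pattern must agree with the expected capture for every case.
            if (!Objects.equals(entry.getValue(), fixed)) {
                throw new AssertionError("fixed pattern wrong for: " + line);
            }
        }
    }
}
```

A test suite that only ever feeds the importer lists of two or more items passes with either pattern and reports identical coverage; the single-item rows are the ones that expose the `+`.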