[This article has also been posted
on Doctor Dobb's Journal
I remember when it felt odd to have colleagues I'd never met face to face. These days, though, I don't give it a second thought---not until one of them moves on, and the odds of ever
sharing a cup of coffee with them dwindle dramatically. It happened again just a few weeks ago, when Kathryn Barrett decided to move on from her position at O'Reilly. She did a great job of getting books and other material to me for years; I'll miss working with her.
In honor of her departure, this month's column will take a look at O'Reilly's Short Cuts series. Like most software-oriented publishers, O'Reilly has been experimenting with new business models, both to take advantage of emerging technologies, and to keep making money as fewer and fewer programmers bother with dead trees. Short Cuts are short (typically around 50 pages long), cheap (about US$10), available only as PDFs, and focus on one specific topic.
I have read six so far, and have two more queued up. The best feel like extended essays, or chapters from the latter halves of books that don't actually exist. The least satisfying do little more than repackage material that's freely available and easily found on the web, but still have excellent production values.
Let's start, as I did, with Ian Darwin's Checking Java Programs
, a user-friendly guide to tools that developers can use to gauge the correctness of their Java code. This is becoming a hot topic, just as testing frameworks were five years ago when JUnit was taking the world by storm, and I found Darwin's overview both timely and useful. The tools he covers---javac and IDEs, PMD, FindBugs (my personal favorite), and NASA's PathFinder---are progressively more demanding intellectually, but the technologies they're based on are all well on their way to being taken for granted. Darwin's writing is clear, and he clearly has hands-on experience with these tools. The only thing lacking, in my opinion, was enough examples, but that's a minor criticism.
Martin Nystrom's SQL Injection Defenses
is just as timely, and just as well written. (Note: if you're building any sort of networked application, and don't know what SQL injection is, please take your hands away from the keyboard now
.) After explaining how and why people use this kind of attack, Nystrom presents four defenses: code securely, monitor for attacks, block attacks, and probe for vulnerabilities yourself. It's all common sense, but as he shows on page 13, the right Google Code Search will turn up page after page of vulnerabilities.
What I liked most about this Short Cut was the number of tools Nystrom worked into his discussion. Nessus, nmap, Snort, wget, and many others I knew about are mentioned, as is FindBugs (again), and there were a few like SQLiX that I'd never heard of, but now have bookmarked.
My third Short Cut was Haldar's Inside SQLite
. At first glance, I thought this was just a repackaging of the architecture and maintenance documentation from the SQLite site (http://www.sqlite.org). I was therefore pleasantly surprised to discover how much more was in here, and how well organized it was. There aren't many places you can find a human-readable description of a real-world page cache, or of an SQL bytecode interpreter. For ten bucks, I think this would be a great supplementary text for a course on database implementation.
The other three Short Cuts I've read so far are all just as well written, but less satisfying than the first trio. I'm not really sure who Daly's Next-Generation Web Frameworks in Python
was written for: its coverage of TurboGears, Django, and Pylons was easy to read, but not nearly detailed enough to get a new developer started, or to allow someone to choose between them. Suda's Using Microformats
had too many trees and not enough forest: its descriptions of various formats, for example, are exactly the kind of reference material that works best online, in part because it is changing and growing so rapidly. Pruett's Yahoo! Pipes
was similarly flawed: over half of its content is just manual pages that "find in file" can't search.
Several dozen Short Cuts are now available, and more are on their way. They're a great way to get material into developers' hands more quickly than traditional books allow, though I think they'll be most successful when their authors tie loose ends together (like Darwin), or cover topics that are too small or specialized for book-length treatments (like Haldar and Nystrom). It'll be interesting to see how they do in the market; I wish them, and Kathryn Barrett, the best of luck.
Liza Daly: Next-Generation Web Frameworks in Python
. O'Reilly Media, 2007, 978-0-596-51371-9, 43 pages.Ian F. Darwin: Checking Java Programs
. O'Reilly Media, 2007, 978-0-596-51023-7, 54 pages.
Sibsankar Haldar: Inside SQLite
. O'Reilly Media, 2007, 978-0-596-55006-6, 76 pages.
Martin G. Nystrom: SQL Injection Defences
. O'Reilly Media, 2007, 978-0-596-52964-2, 39 pages.
Mark Pruett: Yahoo! Pipes
. O'Reilly Media, 2007, 978-0-596-51453-2, 63 pages.
Brian Suda: Using Microformats
. O'Reilly Media, 2007, 0-596-52817-5, 45 pages.