The Phantom Inker's blog

This is an angry rant about something that is simply plainly stupid. Be forewarned.

Bye bye, NVIDIA

This computer has an NVIDIA GeForce 9600GSO video card in it.

I bought this card last August (or thereabouts) to replace another NVIDIA card that was dying (sometimes it wouldn't display anything at all, at random). I had purchased that card only a year before that to replace another video card that was dying (the picture would occasionally fritz out or jump around the screen, until one day it simply displayed no picture at all). I had gotten that card as a replacement for another card that was dying that was less than a year old.

In total, in the last ten years I've owned twelve cards with NVIDIA chipsets on them. And if you do the math on that, the average card lasted less than a year. In fact, there were three years in the early 2000s that I had a card with ATI chips instead, so that means the average NVIDIA card has lasted less than eight months.

( Read more... )

And so, in summary, let me say this: If you're an average user buying computer equipment, DON'T BUY NVIDIA. YOU HAVE BEEN WARNED. I learned my lesson the hard way, and I'll never make this mistake again so long as I live.

It's time for the second article in my occasional series on the ProColor color-picker. Last time, I gave a rough overview of what ProColor is and why it's designed the way it is. In this article, I'm going to cover some the topics in reverse and discuss capturing the mouse on a web page.

( Read the rest of this article... )

I'd like to talk a little bit about web coding, specifically client-side Javascript and DOM coding.

For CMXpress, I needed a good drop-down/pop-up color-picker for use with Prototype, and it seemed to me like such a thing ought to be an easy thing to find, but in reality, it turned out to be as rare as a blue moon. There are some basic controls out there, some with irritating popups, some with tolerable design but ugly licensing, and I couldn't have any of that. CMXpress is open-source, under the BSD license, and I needed something that would play nice with that. I also needed something that would play nice with Prototype, and that ideally would be friendly to your garden-variety end-user and that would also ideally look like a control that was native to the browser.

So, since nothing fit the bill, I built ProColor. You can see a screenshot below, or you can visit ProColor's website and download yourself a copy.


In a future posting, I'll talk about how ProColor works internally. And if you want to learn how to use it, that's well-documented on ProColor's own website. Here, I'd just like to spend a little time elaborating on what it is, why it is that way, and what it can do for you.

( Read more... )

I've been hunting for a new job since the start of October.

It started out as a light search two months ago, but I'm now searching really hard, and I'm starting to be worried.  The economy's bad, and it's not a good time to be hunting for jobs.  In theory, I'm in the one sector that has growth potential — computers, especially web programming — and I'm highly skilled and well-educated, but those facts don't seem to be helping much.

My current employment consists of a lot of consulting work, and some sales of some software I wrote.  That was fine when I was a bachelor, but now that I'm married, I'm earning for two, because my wife got laid off in July and hasn't successfully found full-time work yet.

It's not like I'm asking for much; I'm a talented, skilled professional, darn it, but I'm willing to work for peanuts just to get off my feet:  Several folks in the industry think I'm worth about $75K/year, so I started out hoping for $70K/year with benefits, and I've watched my price point slide from $65K to $60K to $50K and now I'm getting close to being willing to settle for anything over minimum wage.  (Okay, I'm not <i>quite</i> that desperate yet, but ask me again in a month...)

We're already not buying Christmas gifts this year, and we've cut back on everything.  We don't waste money:  I'm half Dutch and half Jewish!  We haven't bought electronics of any kind in over a year, we haven't bought clothes, we have a small 900-square-foot apartment — we've been thrifty.  But even so, thanks to my wife's lack of income, her (large) student loan payments, the rising cost of everything (including our depressingly large health-insurance premiums), and my current meager income, about a week ago we hit negative for the first time:  We owe more money than we actually have.  I don't know how I'll pay December's bills when they come around, much less my $1000 quarterly tax bill in January.

So the upshot is that lately I'm highly unambitious about art and writing and life in general.  I'm doing little else lately but job-searching and hearing "You're a great candidate" but never hearing anything beyond that, and I'm feeling generally pummeled by the world.  Maybe this'll seem like nothing in a few months, but right now, I'm at the bottom of a pit, and the narrow shaft of sunlight that's sustained me is thinning by the day, soon to vanish altogether.

lj-music: Ikimono-gakari

Well, folks, the election's done, and I wish to offer my heartfelt congratulations to Barack Obama. He won soundly, and earned his new job. Let's now all cross our fingers and hope that he really is as good as we all think he is. It's gonna be an interesting four years, folks.

---

I'd like to conclude the series of journals I've been writing on politics here with a commentary on something I read in the news today. It probably comes as no surprise that the Republican Party is doing some soul-searching right now, demonstrated well by this AP interview with RNC Chairman Mike Duncan:

Republicans, Duncan said, "are going to take a deep breath and listen to the American people." The party is creating a new online forum that will allow people to explain "how we let them down" and "what we can do to restore confidence in our party," he said.

I'm a registered Republican, a moderate centrist. I voted for Obama.

Why? I voted for Obama not because he himself was a centrist — he's definitely not — but because the modern Republican Party and its platform moved so far away from the center that it didn't include me anymore, and Obama at least tried. There is no "big-tent GOP;" if anything, the GOP's tent shrank remarkably over the last few years to exclude nearly everyone who's not a hardcore evangelical Christian.

So, GOP, when you get your forum up, here's what I'd suggest if you want my vote again:

• No more dumb wars. You can wage a war if you want, but focus on the target and have an end-game. If you can't explain from the outset in exacting terms precisely what victory looks like, you shouldn't be involved in the war in the first place. I know people who voted against you because they lost friends in Iraq — but you dishonored those losses by never giving them meaning, by never showing how they could add up to victory. Iraq's a loser because it has no end-game; Afghanistan's tolerable to the American public because there's an exacting target: If we kill or capture bin Laden, the war's over.
• Curb your evangelicals. I know the Christian Coalition is a respectable chunk of the Republican base, but there are a lot of us out here who see the Jerry Falwells and Pat Robertsons of the world as cut from the same cloth as the Ayatollah. The more influence they have over you, the less I want to be anywhere near you.
• Prioritize wisely. Guns, God, and gays are fine topics, but when there's a war on and the economy's in the toilet, most of the public doesn't care whether gays are marrying or teenagers are getting abortions because we have bigger problems to deal with. All politics is local, and you lost because you didn't pay attention to the highest local priorities.
• Litmus tests scare people away. In the same vein, if you want a bigger tent, you'd better be willing to let moderates back into it. I don't cast my vote based on which candidate shouts loudest about abortion, pro or con: I'm more concerned with fiscal issues than social ones, so when you play up the social ones, I tune out, with good reason.
• Remember your platform. You're the party of small government and fiscal conservatism --- or at least you used to be. For eight years now, you've wasted money like a drunken teenager on spring break. When you were actually conservative, people voted for you, but right now, you're more liberal than your opponents, and the voters can see that.

So there you go, GOP. You have four years to reform yourself and show me why I should be voting for you again. Good luck; you'll need it.

I do most of my artwork with CorelDRAW version 11, and today I was encouraged to try Inkscape (again). Now the last time I tried Inkscape (about two years ago), it just wasn't even close to powerful enough for my needs. I'd get supremely frustrated if I tried to use it for anything big too; it was missing a large number of the features (especially PowerClip) that I (ab)use heavily to create drawings like this.

So I played around with it, and it's improved a lot over the last couple of years, but it's still incredibly weak in its handling of clipping objects, which are pretty much essential to all of my shading. Its clipping support has gone from a usability grade of F to a grade of D+; that's an improvement, but it has a long way to go. Overall, it went from a D- to B-; there's a lot to like there, but it feels very incomplete compared to its commercial competitors. Much of what it improves over CorelDRAW 11 is stuff that CorelDRAW X4 or even CorelDRAW 12 has, if I ever get around to upgrading; and there's a lot that CorelDRAW does that it doesn't.

So if you ever talk to the Inkscape people, this is what I'd need to see them change (at a minimum) for me to consider switching to it:

• A clipping system (like PowerClip) that (A) doesn't destroy or hide the clipping object, (B) lets me readily alter the clipping object's shape, (C) lets me easily add multiple objects to the clipping object or remove them on a whim, and (D) lets me go inside the clipping object and alter its contents without removing them first. Their clipping system does none of these.
• An objects docker that shows the entire document tree. Maybe Inkscape has such a thing, but I couldn't find it, and I looked all over. This is an incredibly useful tool, and I refer to it frequently.  It has other dockers (right-side tool panels); there's no reason it can't have this one too.
• Direct import of CorelDRAW .cdr files; I won't switch if I can't bring my artwork with me.  Having a dubiously-supported third-party tool doesn't really cut the mustard.
• Object blend. I use this a lot, and while their path thing can do this (I think), it seems very cumbersome compared to simply selecting two objects and clicking "Blend."
• Right-click zoom-out. When you have the zoom tool selected, the right mouse button should zoom back to the previous zoom level, not pop up a menu. There is not even a button anywhere in the interface that I can click on to perform this same simple task right now, which makes navigating around the picture a real chore.
• An actual useful right-click menu for the node tool. I expect node-related operations to be on its menu, not object-related operations.  Having to move the mouse up to the toolbar for every node operation involves a lot of wasteful mouse motion.

This doesn't even get into printing support, color management, paragraph text, or any of a hundred little niceties that are missing. About the only thing it gives me over CorelDRAW is bug fixes for some features, and I'm willing to place bets those bugs have been long since fixed in newer versions of CorelDRAW.

On the plus side, some features I did like in Inkscape were its nice handling of alpha on all objects and its ability to easily gaussian-blur objects.  Those are really neat features, great for performing really sophisticated shading, and I'd love to have them be a part of my standard toolset; but things like PowerClip and blend and other tools I use daily are more critical to me.

So, well, good try, guys, and keep it up; you'll be competitive eventually, but for now, Inkscape is still a little too weak for me to use regularly; but, unlike two years ago, I can at least now see myself potentially using it in the future, if the feature set becomes capable enough for my needs.

On Saturday, October 4, 2008, just as the fall leaves start to turn (and a mere three days from today), the lovely Songbird and I will be married near sunset in a little white Methodist church in the even littler town of New Milford, Pennsylvania, a pretty picture that's right out of a Norman Rockwell painting. Say hello to the soon-to-be Mr. and Mrs. Inker :)



We have about 120 guests who will be coming from all over the world (literally!). There'll be the ceremony itself (very traditional, too!), the reception, music, a sit-down dinner, dancing, and an open bar, so it's gonna be one heckuva party.

On the night of the reception, she and I will disappear around ten o'clock, to hop into our limousine to the Philadelphia International Airport to catch our early-morning flight to the sunny warm aqua waters and fresh winds of the Aloha State.

Me, I'm incredibly happy and terrified out of my knickers at the same time. I've never been good in front of large crowds, and I'm a lot more comfortable behind the scenes than being the center of attention. But I really, really want to be married to Songbird; she's the best thing that's ever happened to me, and if that means I have to spend a day scared [bleep]less, I'll do it in a heartbeat. Songbird, I love you, and I can't wait to see you walking down the aisle on Saturday.

So it's been some time since I last posted here, not because I really wanted to delay, but because the past few weeks have been pretty rough. First, I banged up my arms on the boat and could barely type for a week; then I accidentally jabbed a knife into my thumb (ow) and couldn't type for most of another week; and lately I've just plain been busy.

Part of that's because I've been preparing (gulp) to go job hunting: My current work is good, but I'm getting married really soon, and my current income and Songbird's current income just aren't enough to cover our collective bills — that, and I've been thinking for a while now that it was time to start doing something different career-wise.  Despite the fact that I own my own (very small) company, I really do feel like I'm going in the wrong direction right now.

Luckily, I work in the computer industry, and folks pay pretty well here, so we'll be okay once I find a new job, hopefully in web-dev stuff; that's been a lot of fun to work on as I've been doing it more and more over the last couple of years, and it's a place where I feel like I can actually contribute something meaningful.  But job hunting is scary no matter when or where you do it, and as it's been seven years since I last did it, I'm pretty rusty on the whole resume-and-interview process — not on my work skills, which are, as always, in tip-top shape and very current, but on my interview skills.

Anyway, to that end, I've decided to clean up this blog a little; I've removed some of the sillier postings and personal postings from awhile back, and left mainly the more recent postings and stuff about CMXpress, since that seems to be why most people are coming here anyway. Anybody who really wants to delve into my private life can find plenty of it elsewhere online.

---

But let's get into the meat of the topic: What's the status of CMXpress?

The answer is that it's in progress. We did a successful rollout of it to Crossworlds back in June, and Crossworlds has been running on it ever since, which is good. That said, I learned a lot during that rollout, and realized that it wasn't quite ready for the general public yet. Thom was willing to put up with some installation headaches to gain its administration tools, but the average Joe-on-the-street isn't going to be able to. (C.D. Rudds, who draws and writes SailorSun.org, has been working with it a little bit for his new site, Wolfpac, and that's also demonstrated some areas where it's needed more cleanup and end-user-friendly-ization.)

So some parts of it were pulled back into the workshop for retooling; during the Crossworlds rollout, I went through three or four version numbers in a hurry, patching and fixing and upgrading. I've since done a lot of work on the installer, and fixed a lot of interesting (and ugly) bugs in the backend, and added in some services that really should've been there since the start (like logging). It also needs documentation by the barrel; this is a huge and powerful package, and right now, I'm really the only person who understands it fully, and a lot of folks who are testing it have been griping about that fact.

And, of course, there was about a month during July when I was swapping out its BBCode parser with NBBC, because the old parser was slow and was covered under GPL, which isn't very friendly toward my preferred BSD license.

So where's that leave us? Right now, I'm working on the logging-and-statistical facilities, so that site owners can get a handle on their visits and visitors, which is useful for a wide variety of purposes (not the least of which is paid advertising). I've backported some of the new code to the old Wotch site, so that their database is kept in sync with CMXpress's preferred format (Lordy, Lordy, I can't wait to finally switch in the new code at the Wotch site). The search engine is in pieces right now, too, and needs some work; and I've seen a lot of evidence from the test sites that the custom-page facilities will need to be done, finis, finito before I can release CMXpress to the public too.

I know I told folks that I was hoping to have it released this summer, and I'm sorry for not releasing it yet. But I think it's better this way: The test sites have identified some places where it still needs work, and their discoveries (and my subsequent bug-fixes, patches, and upgrades) will help all of you who are waiting on it. Ideally, this thing should just be install-and-go, but it's just not quite there yet.

---

One other topic that arose as I was talking with Becky Heineman the other day was a simple enough question: She pointed out that she'd needed a webcomic engine for Sailor Ranko, and so she just built one in a weekend, and added most of the facilities she wanted within a week or two after that; and given that that was so easy for her to do, what was the point of CMXpress? To this question, I have several answers, and I think they're all valid:

• Most webcomic authors aren't a Becky Heineman, for one thing: Becky's a star programmer, capable of coding anything she wants in relatively short time. Whereas a typical webcomic author knows how to write and draw, and if he's lucky he can scrabble together a few lines of PHP to help automate the site a little, but coding a solid backend is beyond him.
• Becky's engine is no doubt powerful and well-suited to her needs, but it probably doesn't scale to other sites. That's the same problem the current Wotch code has and that many webcomic sites have: The code's acceptable enough code for the needs of that site, but it was designed to run that one site, not hundreds of others, and isn't easily customizable for another site. There's a very good reason we've repeatedly turned down requests for the current Wotch site code — it's ugly and unportable.
• CMXpress provides sophisticated and easy-to-use administrative services. A coded-over-the-weekend system provides very minimal administration (I should know; I've built enough of those kinds of things). A good general-purpose package should be so incredibly point-and-click-crowd-friendly that anybody can manage reams of data, and the Crossworlds rollout has shown CMXpress is meeting that goal: Darin Brown, the artist for Crossworlds, is very computer-phobic but has used CMXpress to post a comic or two by himself, and I consider that a very successful benchmark.
• CMXpress provides a solid API. The API of most backends is somewhat ad-hoc: You add stuff by altering a line of code here and there. For CMXpress, I wanted to do better than my last webcomic engine, and build a system that a programmer could love, with a clean, tight API that makes a lot of nasty stuff (page templates, BBCode, form handling, administration, etc.) really easy, and that ensures that site changes can usually be done without altering the engine. I'm tired of reinventing the wheel, and I think that even the webcomic authors who are programmers probably would rather the hardest work be done for them too.
• CMXpress is maintained. This thing was built first and foremost to meet the exotic needs of the Wotch, and that means I still am going to be regularly adding features and patching bugs because of my involvement with them. Although I've drawn some webcomic pages in the past, I'm not a webcomic author and don't really want to be; I'm a coder, and I'm quite happy with that job. This means that you can fix bugs and add upgrades to your own site just by downloading the latest copy of CMXpress and installing it: It's a lot easier to steal my bug fixes than to make them yourself, even if you are a programmer.
• CMXpress is needed — whether any other site ever uses it or not, Crossworlds is already using it, and the Wotch needs it very badly, and Tsel's asked several times if he can install it on Cheer! too. For those reasons alone, I will continue working on it. People want it; it has a purpose; there's the answer.

All that said, there's nothing stopping anybody from building their own webcomic engine and distributing it; competition is healthy for the market, and in the end, the users win, and the readers (like me!) win too.  I'm gonna keep working on CMXpress because people want it and need it, but if a competitor arises?   May the best webcomic engine win :-)

I had a fight with a steak knife and lost today. I'm typing this one-handed right now. My hand will heal, and I (thankfully) didn't need a hospital visit, but this touch-typist is down for the count right now. So... uh... there you have it. If I'm not talking over IM or responding to your comments, now you know why.

I'm glad I knew to quickly apply a tourniquet, and I'd like to thank my Songbird for her support; I doubt I'd be doing well right now without her.

Edit, 12 hours later: I can type a little better today (still minus a finger and on painkillers), so here's what happened: Hold your hands out in front of you, palms down, about shoulder-width apart. Pretend you have a knife in your right hand, and a scrubby brush in your left hand, and that your hands are over a sink. You've finished cleaning the knife, so you put the scrubby brush behind the sink. You go to put the knife away in the rack to your left, but you miss, and the tip of the knife strikes the back of your thumb, right at the joint.

Lots of blood spurts out of the stab wound, because you hit an artery. You cry out, your fiancée comes over, and she quickly helps you apply a tourniquet to stop the bleeding while you wash it under cold water. The stab wound is small but deep, but doesn't hit the bone, thankfully. But the loss of blood is making you woozy, so you lay down. She applies antibiotics to the cut, and then a bandage, and makes you take a bunch of painkillers, and you spend the next few hours laying down and drinking liquids, trying not to pass out. Eventually, you slowly recover, but your thumb hurts like hell. It's a very small but very deep cut, so there's not much a hospital could do, so you don't go, but it still hurts.

Funny thing is, I know knife safety. I carry a swiss army knife in my pocket, and have since I was 16, and I use it all the time. I've never gotten even so much as a tiny cut from it; I get more injuries from paper cuts than I do from knives. But... all it takes is one mistake.

On the plus side, I learned firsthand that our new steak knives are really nice and sharp! :D

As most of you know, I've been working hard on a webcomic software package called CMXpress, and one of its distinguishing features is that for nearly all the places where a user can type text, it uses BBCode to allow you to format it.

I discovered around the start of this month (July) that the BBCode parser I'd been using was covered under the GPL.  This is bad.

See, here's the thing:  CMXpress is covered under a BSD license, which is about as open as open-source gets:  Free as in speech, free as in beer, you can download your copy, modify it, sell it, do anything you damn well please with it --- you just can't claim you wrote it.  Which is fair, I think:  BSD and similar open licenses have helped spur the development and the spread of a huge number of software packages.

The major competing open-source license is the GPL, which is similar in principle, except for two things:  First, you can't take the code, modify it, and not release your modifications to the public.  BSD allows you to have a private copy, effectively, and GPL doesn't.  Second, the GPL is, as Micro$oft rightly argues, somewhat like a virus:  It infects everything it touches, and overrides everything it touches.  If I had (stupidly) included that GPL'ed BBCode parser with CMXpress, CMXpress itself would have been forcibly covered under the GPL.

I don't like people telling me what I can and can't do.

So the old GPL'ed BBCode parser is out, and I couldn't be happier, really.  It wasn't really that great a piece of code to begin with; it was cranky and somewhat inflexible, didn't handle whitespace in ways I really wanted, and the original author stopped supporting it two years ago.  I did some searching, and there weren't any other good BBCode parsers out there; seems a lot of people are looking for one, and nobody's written one...

...Until now.  Introducing NBBC, a fast, flexible, well-documented BBCode parser that's covered under a BSD license.  Unlike most open-source code, it's well-commented, includes a huge user's manual, includes several examples, and is small and lightweight to boot.  It's a validating parser, meaning that no matter what broken garbage your users type in, you get XHTML 1.0 Strict out.  It runs under PHP 4.0.5 or later, and is everything that old parser wasn't.  It's long overdue.  Go download your own copy now.

NBBC will quickly replace all of the places where I used that old BBCode parser:  It's faster, more flexible, works flawlessly right out of the box, and has a nice API for adding extensions and new tags and smileys and other stuff.

NBBC is hosted by SourceForge, and I have mixed feelings about that.  On the one hand, SourceForge is a nice clearinghouse for open-source projects.  On the other hand, SourceForge seems to me to be a royal pain in the @$$ to work with, and somewhat slow.  Still, I'm giving it a try, and maybe SourceForge will grow on me over time.

And those of you who have been wondering where CMXpress is can stop wondering:  CMXpress has been inside the garage while I replace its BBCode parser and get rid of anything that smells even vaguely like the stink of the GPL.

My fiancée is a theater geek, and tonight's her big night of the year:  the Tonys.  It's a bit more entertaining than the drivel embodied by most award shows, since theater tends to be a bit more substantive than most other fields of entertainment, but still, at three and a half hours, it drags like a bad prom dress.

Much of the boring part is, of course the acceptance speeches.  Sometime around the 900,000,000,000th award, I found myself wishing that someone would stand up and actually make a good and entertaining acceptance speech for a change.  It would be spoken slowly, and it would go something like this:

"I couldn't be here tonight, so I asked myself to come in my place and read this speech I wrote.  Please bear with me."

(He reaches into his jacket and withdraws a written acceptance speech.  He begins reading it slowly and carefully.)  "Screw you.  I hate you all.  Backspace.  Backspace.  Backspace.  Thank you all so much for giving me this award in the field of acting, writing, and/or directing."

(Pause.)  "Note to reader:  If I have been nominated for a different category, please alter the speech accordingly, and remove references of loathing and anger where appropriate."

(Deep breath.)  "I could not have acted, written, or directed this play or musical without support from loved and cherished immediate family members whose names I conveniently forget when I write speeches.  I would like to thank the producers who saw my obvious brilliance and asked me to star, write, or direct this play or musical, knowing that my talents would win them an Oscar, a Tony, an Emmy, a Pulitzer Prize, and/or a Nobel Prize.  I would like to thank Jesus, Ghandi, Mohammed, Buddha, Zeus, and my mother, not necessarily in that order.  Finally, I would like to thank my wife, whose name I cannot recall, having just married her in Vegas last Thursday."

"Thank you all once again for this statue or certificate, and please know that if you were to star, write, or direct a play I would gladly give you a similar one in return, so long as it is made entirely of chocolate, preferably without nuts, as nuts are expensive."

See that?  That's an acceptance speech with some cohones.  That's an acceptance speech they'd be talking about around the water cooler the next day.  Anybody can thank everyone they've ever met.  Not everybody can thank nobody, much less make it fun to watch.

P.S.  If you're nominated for something and want to steal my speech, steal the damn thing.  Maybe that'll be one less boring, lame-ass acceptance speech I'm stuck having to sit through.  Thank God for TiVo.

I built a comic-import tool for CMXpress over the past two days, mainly because while CMXpress makes it pretty easy to upload a comic, if you have to upload, say, a hundred of them at once, it can get to be a chore.  The initial test installation on the Crossworlds comic is going well; once I had the bugs worked out of the import tool, I was able to import, sort, and categorize all 93 comic pages (that's 75 in-canon comics, 2 cover pages, and 16 fillers) in the space of about a half hour; and most of that time was spent going through the comics and trying to decide which ones belonged in which story arcs.

Overall, CMXpress is starting to feel very good.  It's still a little rough around the edges, and there are some bugs to deal with, and a few things that aren't fully implemented yet, but the overall feel, to compare it to cars, is "Porche in need of some body work" (which is a lot better than "Yugo in need of demolition"):  There's more work yet to do, but it's starting to finally really feel like something people can and would willingly use.

For the record, the initial version of CMXpress we installed on the Crossworlds test site was v0.9.2, and the current version installed there is v0.9.4.

Okay, we're not quite at the stage of a major rollout, but we hit a milestone with CMXpress tonight.  I got enough of the installer done that I was able to package up CMXpress in its current beta form and install it successfully on another site --- or, more accurately, I watched and fretted while my friend Thom installed it ;-)

There are a number of bugs to squish yet, but overall, I'm pleased; we got it installed relatively painlessly on his site in about an hour and a half (it'll take only about fifteen minutes for most people to install once CMXpress is released, but we were finding and fixing bugs during the install), and the next step is to start configuring it to the needs of Crossworlds and import his existing data.

Based on his needs, I think I need to spend a lot of time working on importer code, even though that wasn't part of the original design spec, because he's got a decent-sized comic that really needs to be inhaled more easily than importing the comics one at a time, and he's also got a blog that he'd like to turn into CMXpress's built-in news system.  A package for managing data isn't very useful if you can't get your data into and out of it easily.

Still, though, I'm a relatively happy camper; I've suffered through far worse initial software rollouts than this.

So today I tried out the newly-released Internet Explorer 8 beta. You can download it and install it yourself, but it's a beta, not a final release, so don't expect polished edges.

Overall... well... my results were mixed. Yes, it passes the vaunted ACID2 test. That's good. It's definitely a step in the right direction. However, ACID2 isn't a test of all of the CSS 2.1 language specification; it tests a lot of important cases, but not everything. And while IE8 does correctly render ACID2, it definitely doesn't get all the other parts of the CSS 2.1 spec correct.

I pointed IE8 today at the current build of CMXpress to see how it'd handle it. CMXpress is a very Web 2.0 program, and its back-end (the administration side of it) makes extensive use of CSS, XHTML, Javascript, and AJAX for its page layouts. Its front-end (the part visitors see) uses whatever page template the site is set up with, and the default front-end I've been working with is an XHTML+CSS variant of the Wotch's front page.

Both the back-end and front-end are rendered, perfectly, unchanged, by Firefox 2, Opera 9, and Safari 3. They do have embedded IE-conditional comments so that they can render acceptably on IE6 and IE7 by including additional stylesheets.

IE8 gets it wrong. Not massively wrong, but wrong enough that the site is unusable. The front-end has a lot of formatting and layout glitches, with many of the link images being scattered around the page semi-randomly. The back-end's Javascript is broken in its entirety; IE8 gives up somewhere in the middle of the code, and I'm not really sure why yet. Without that Javascript working, all the AJAX and Web 2.0 stuff that it does is non-functional, so the back-end is effectively unusable.

Don't get me started on other Web 2.0 sites like the new Yahoo! Mail (crashes on a Javascript error) or Google Maps (looks like it went through a blender) even a simple page like script.aculo.us's front page (flickers and animates all wrong).


And did I mention the speed? You can tell when IE8 is rendering a page in "Standards Mode" because it's slow. Slow like molasses in January. Slow like a dead sea turtle crawling up the beach with a towtruck on its back. Maybe they have a lot of debugging code in there: I don't know. But what I do know is that its page-render times are better-expressed in geologic terms than in seconds. I dare you to resize the browser window. Go on, do it. Let me know how that turns out for you, if it ever finishes.

Oh, about all those new features... Yes, IE8 comes with a raft of new features, most of which seem to be designed to point IE's users at various Microsoft Live services. You can right-click on text and search for it on Microsoft Live Search. You can translate it with Microsoft Live. You can post it to your blog on Windows Live Spaces. Anybody see a trend here?

Conclusion? IE8 breaks pages that worked under IE7. We knew that going in, and that's okay, because IE7's rendering sucked. The problem is that it didn't replace IE7's pseudo-standards mode with a real standards mode: It still breaks pages that are standards-compliant, pages that work fine with three different competing renderers. And it adds in new "features" that seem to me more about targeting people toward Microsoft services than anything else. From my perspective, it looks like Microsoft spent some of their time making IE8 appear less broken without actually making it less broken, and the rest of their time extending the monopoly.

I wanted to like IE8. I really did. I wanted to believe the hype about CSS compliance and all the other good rumors. I've been telling other devs, well, just wait for IE8, you'll see, it'll be great. But this is just pathetic. Seems to me like it's business as usual in Redmond, and now we web developers will have yet another nonstandard renderer to support.

Thanks, guys, thanks a lot.

Nobody's above learning a new lesson, and I'm no exception. Today, I spent several hours going through many large chunks of PHP code I'd written removing security vulnerabilities. Yes, that includes the Wotch and CMXpress.

On last week's 910CMX podcast, I explained that website coding should really be left to the experts: If you want to have a webcomic site, let somebody else write the code, and stick to drawing and writing your script, because I can pretty well guarantee you'll produce code that's a hacker's dream. There are a hundred well-known pitfalls, and there are really weird, obscure pitfalls too, like the two I cleaned up today.

---

The first pitfall was that of not including the "D" modifier on all regular expressions that use the "$" operator. (If that sentence confuses you, you'd better skip to the bottom of this post, because it only gets more technical from here.) For those who don't know what the "D" modifier does, you're not alone: It's not mentioned in most commentaries on preg_match(). But it does something very important: It says that the "$" operator matches the end of the string, not the first newline embedded within it.

This means that this simple-looking code has a huge, huge security vulnerability, a gaping hole big enough for a dragon to fly through:

$page = $_GET['page'];
if (preg_match("/^[a-zA-Z0-9_]+$/", $page)) {
    ... do some stuff with $page, which has been checked and found safe ...
}

Don't see the hole? You're not alone. It's perfectly-reasonable code that checks to make sure that the incoming parameter "page" is a C-like identifier --- doesn't it?

Turns out that it doesn't do that at all. This code will allow "apple" through and "apple2" through... and it'll also allow "apple2\n@^#$" through and "x\n<script>Insert evil code here</script>" through, because the "$" operator will match any newline. If a malicious attacker were to feed a newline into this script, he could insert any characters he wanted after that newline and they'd go right through.

The right way to code it is this:

$page = $_GET['page'];
if (preg_match("/^[a-zA-Z0-9_]+$/D", $page)) {
    ... do some stuff with $page, which has been checked and found safe ...
}

The all-important "D" modifier on the end says, "Match the whole string, not just up to but not including the first newline." Without it, an attacker can potentially inject anything he wants to into your variables, bypassing your checks. Nasty.

And this isn't just a PHP problem, either. Anything using the PCRE library to process regular expressions is a potential victim --- Python, I'm looking at you too, and I wouldn't be surprised if Ruby were also a victim here.

---

The second one I ran into is a PHP-only issue, which is that the $_SERVER['PHP_SELF'] and $_SERVER['HTTP_HOST'] parameters are wildly, terribly unsafe to use. In fact, many security advocates are generally now recommending that people avoid using $_SERVER whenever possible. Which, of course, it often isn't, but that's beside the point.

The issue here is that PHP_SELF and HTTP_HOST come from the client and aren't generated by the web server itself. Which means that a suitably-nasty client can insert all sorts of unpredictable stuff into those, some of which will definitely break your code. This is discussed much better here, if you want to study it in depth.

The upshot is that in your code, you should never use the variables on the left below and always use the variables on the right:

• PHP_SELF ----> REQUEST_URI
• HTTP_HOST ----> SERVER_NAME

As usual, you should never, ever, ever trust HTTP_USER_AGENT, because that can be (and often is) readily spoofed. DOCUMENT_ROOT is marginally reliable, as it comes straight from the server's httpd.conf file. SCRIPT_FILENAME is relatively safe, but often not useful; and SCRIPT_NAME should be avoided because it often isn't what you think it is (on a server that uses PHP in CGI mode, it points to the PHP binary, not to your script).

Again, mishandling these can allow an attacker to inject nasty things into your variables that you don't expect to be there.

---

These holes now are fixed on the sites I maintain (including the Wotch), so don't bother trying to take advantage of them. But before a few hours ago, they were there, which just goes to show how difficult web security can be: By all measures, I'm an expert --- I have a degree in computer science, I've been coding for 23 years, and I speak PHP very fluently --- and I still made these mistakes. So be careful when building web sites, folks, and if you're not sure what you're doing, leave the code to the experts (who at least know how to fix these problems when they learn about 'em).

It's been asked (again) why I don't take commissions and don't do requests. So I think I'd better boil this down one more time.

Commissions: To put it bluntly, you couldn't afford it. Not because the art's so wonderful, but simply because it takes me hours and hours and hours to do a typical picture. Lineart often takes four to ten hours, and a finished colored work can be anywhere from twenty to sixty hours. At even ten bucks an hour, I'd have to charge anywhere from $200 to $600 for a finished work, and that's far outside the price range of most potential commissioners --- especially for all-digital artwork where you don't even get a canvas in the mail for your money.

Requests: I usually have plenty of ideas of my own, for one thing, and for another, most ideas that have been suggested don't inspire me. My muse is fickle, and if she doesn't get inspired, I don't draw: It's that simple. You can propose a thousand ideas, but if none of them strike me, it just won't happen. Sorry. So to save you the embarrassment of being turned down a thousand times in a row, I just say upfront, "No requests."

That's it. No commissions because you can't afford them, and no requests because my muse won't like them anyway.

But, hey, if ya got a few hundred bucks burning a hole in your pocket and you're just dying to get a PI original, maybe we can still talk ;-)

Okay, I'm getting pissed.

I just uninstalled my antivirus program (Kaspersky AntiVirus Trial Version) and it took a very large percentage of my computer's functionality with it when I did. Everything worked fine yesterday before I uninstalled it, and now --- well, now it might be simpler just to reformat the thing and start over:

• The Windows login screen is borked. Clicking on names to login does nothing; you have to hit Ctrl+Alt+Del twice to get to the old login screen and login from there.
  
  
• The mouse is borked. I have a six-button mouse that now thinks it's a two-button mouse no matter what mouse drivers I have installed.
  
  
• The UI is borked. Clicking on windows to bring them forward often doesn't work, and neither does the taskbar and usually the only reliable way to switch between applications now is Alt+Tab (and even that doesn't always work).
  
  
• The software is borked. Sure, some stuff runs, but a lot of the most essential applications I use, like Firefox and CorelDRAW, now have weird glitches --- like in CorelDRAW, I can use all of the tools --- except the critical select tool, which makes the entire package now utterly useless. It's like having a word processor that lets you type text, but that prohibits you from changing anything you've already typed in the document.

I hate antivirus software.

I hate antivirus vendors.

It wasn't always this way. Once upon a time, an antivirus program was something you ran at your leisure, and it would search, find things, and then go away. No intrusion, no logos, no blasting alerts in your face, no hooking its tendrils into the core of the operating system.

But faced with declining revenues and declining interest, every one of the antivirus vendors now installs a package that is brutal, gargantuan, dictatorial, and, whether you ask for it or not, sinks its hooks into every last corner of the OS. It's not just Kaspersky --- I've seen the same exact behavior (on other computers, thank God) from McAfee, Norton, Trend Micro, Panda --- they all uniformly suck.

So, AV vendors, you want to mollify me? I've been in the computer industry longer than many of you have, and I have expectations. If you want a thumbs-up from me, here's the criteria:

1. You add or modify a single file in C:\Windows or any subdirectory under it? You fail.
2. You may add ONE key to the Registry under HKLM\Software and HKCU\Software, but if you add or change anything outside that key, you fail.
3. You may add ONE directory under C:\Program Files, and you may not place anything executable --- EXEs, DLLs, OCXs, you name it --- anywhere other than that directory. You alter or replace any other EXEs or DLLs anywhere else? You fail.
4. You may add ONE directory under [username]\Application Data if you need to store configuration files somewhere. Store them anywhere else, or alter files anywhere else? You fail.
5. You may not "call home". No exceptions. If you call home, you fail.
6. You may not use system hooks, API hooks, or input hooks of any kind, no exceptions. If you hook anything, no matter how temporary the hook, you fail.
7. You may not monitor my actions, for good or for evil. If you monitor even a single byte, you fail.
8. I will tolerate false negatives, but not false positives. If you give me a false positive, you fail.
9. If you run without me explicitly asking you to run, you fail. No exceptions.
10. If I cannot manually uninstall you by simply deleting your single directory like any other application, you fail.

So, antivirus vendors, you want my thumbs-up? That's what it takes. There's not a current antivirus product on the market that even comes close to meeting those criteria --- most can't even meet two or three of those criteria, much less all of them. Hell, by those criteria, Notepad is a better antivirus program than any current antivirus software. If you want my thumbs-up, those are my rules. They're not hard rules to meet --- unless you don't give a flying f*** about your customers.

Which, I think, pretty well explains most of the current antivirus software on the market.

Well, folks, on Saturday (that's a mere four days from now by my clock), I'll be moving.

It's a big move, in that my fiancée, Songbird, and I, are moving to a new apartment together.

All of my life is packed in boxes right now, from the credit-card bill I paid last week to the book of Christmas carols a six-year-old boy received and then kept for another twenty-five years. It's a strange thing to have your life compressed down into countable units, to say, everything that defines me except for what's in my head is sitting in a Tetris-shaped pile on the floor, awaiting large men to whisk it away and my past, my present, and my future with it.

Maybe that's a little too deep. What can I say: I'm exhausted.

The packing isn't done yet, either.

We're moving to an apartment complex about a half hour away, and it's a nice place, with good nearby amenities, ready access to public transportation, a reasonable driving distance to Songbird's job, and a nice little office for my work. I've been here for eight years now, almost eight years on the dot since graduating college, and I've felt a little like I was in a holding pattern the whole time, neither child nor adult, neither student nor salaryman, despite making a reasonable income and not being in any kind of school.

I wonder at what point you go from being a boy to being a man. I'm certain that in elementary school and middle school, I was just a boy, but somewhere after that I evolved into just "a guy," and I think I'm still waiting for that next step where Mr. Name actually sounds normal instead of a phrase referring to my father. I don't know if this move will do that, but it feels like it might.

Or maybe getting married will. We'll find out in ten months...

Anyway, I'm exhausted tired, and still haven't finished packing, and have four days of semi-coherent emboxing to perform before I can consider myself moved, followed by an equal quantity of imboxing (ain't English grand?). I apologize if this posting was less lucid than most of my writing; it's 3 AM and I've been running on very little sleep lately.

The upshot is that this week's and next week's Caity's World installments will likely be delayed due to circumstances way, way, way psychotically beyond my control. Fear not, though: The story will continue!

Okay, so I don't have too much new to say about CMXpress, but I thought it'd be nice to show off a few of the handful of new and changed things in it, especially since I get to show off the Wotch's current status page. Here's a screenshot that gives you about 90% of what's new all at once:



Here's what's new, in short:

• Admin pages with a modern theme! That's right, folks, the old flat-shaded '90s Macintosh look is out, and a shiny new orange-and-blue theme is in! Functionality is no less, and the software isn't significantly slower, so all hail the shiny and new! (Admin-page themes are not swappable, at least not in the current design. They might be in a later version, I suppose, but not for now.)


• Tip-of-the-day to help remind you of things you should remember to do or things you might not already know about CMXpress or (web)comics in general.


• Artists' comments (not shown) is about 80% done now, from its former ten-ish percent as of the last posting. A lot of progress there, but the remaining 20% is gonna be a bear, since it's very AJAX-heavy.


• Personal settings (not shown) allow individual administrators to set personal preferences for the admin pages, like how many comics you'd like to see in a comic gallery or whether you'd like to see tips-of-the-day.

And last, but not least, there's the "events" feature, which congratulates you on having reached significant milestones. It existed in the last announcement, but as you can see, the Wotch has reached its 5th birthday today, so a big hearty congratulations to Anne and Robin on reaching five years!

Okay, so here's what we're up to. The official CMXpress homepage is always reliable for the latest statistics, but as of midnight, November 1, 2007, this is what we're up to. These are the completion levels of the code, more-or-less:

• Core page renderer (100%)
• Core admin system (100%)
• Database subsystem (100%)
• Security subsystem (100%)
• Template subsystem (100%)
• Plugin subsystem (100%)
• Standard plugins (85%)
• News archives (100%)
• Comic archives (70%)
• Custom page renderer (95%)
• Search system (20%)
• Admin: Comic mgt. (90%)
• Admin: News (100%)
• Admin: Artist cmts. (10%)
• Admin: Search (10%)
• Admin: Custom pages (10%)
• Admin: Site (75%)
• Admin: Users (80%)
• Installer (0%)

And this is how much code there is in this thing. (If you're thinking of writing your own Web 2.0 content-management engine, this ought to give you an idea of the kind of work that's involved.)

563 kb : 15,753 lines : PHP
 87 kb :  2,501 lines : Javascript (custom for CMXpress)
 80 kb :  3,652 lines : CSS
 21 kb :    592 lines : HTML templates
 32 kb :    645 lines : CMXpress documentation (very minimal at present)
 35 kb :                GIF, JPEG, PNG images (custom for CMXpress)

 89 kb :  3,504 lines : BB code string parser 0.3.1 (PHP library)
333 kb :  9,982 lines : Smarty 2.6.0 (PHP library)
 96 kb :  3,276 lines : Prototype 1.5.1.1 (Javascript library)
140 kb :  4,030 lines : script.aculo.us 1.7.1-b3 (Javascript library)
 64 kb :  1,850 lines : Window 1.3 (Javascript library)
 11 kb :    308 lines : Misc. Javascript libraries (sprintf, Tab control)
  8 kb :    395 lines : Window CSS
 23 kb :                Window GIF and PNG images

Yep, that's a lot of code, with more yet to come. I'd estimate the overall completion level of the project at around 75%, give or take a bit.

---

Okay, numbers are nice, but new screenshots are more fun! :D

Here we have the newly-completed news-management module, in two different configurations. Most of the administrative stuff in CMXpress is designed so that you can look at your data from a variety of different angles, and "News" is no exception. In the first screenshot, we have each posting in short form, and in the second screenshot, we're correlating news postings to whichever comic was posted closest to the same date. Cool, huh?



Note that the "Delete" button you see there is safer than it looks: Both news postings and comics don't simply vanish when you delete them; they simply get moved to the trash can. At any time, you can empty the trash and destroy them for real, or pull them back out, just like managing files on your desktop. CMXpress is designed from the perspective that its average user isn't likely to be a computer guru, and to that end, is designed to be safe and comprehensible for anybody who's even a little web-saavy.

The third screenshot is from the arc-management module, which lets you organize your comics into larger sets. Yes, we're in the process of using drag-and-drop to rearrange the arcs in this screenshot. Drag-and-drop is cool and easy to use :D

The fourth screenshot shows the user-management module. CMXpress is a fully secure multiuser system, since many comics are managed by two or three people, and allows each user to be assigned different rights and access levels. You can even grant limited comic-management rights by story arc, which is useful if you're going to have a guest artist provide filler: The guest artist can be allowed to post their comics directly, but can still be prohibited from altering any of the comics you've posted.

What's next? Artist comments have to be finalized, and some of the menu-management stuff has to be added, and the initial template has to be finished off. Once that's done, we can roll this out on the Wotch site and see how well it works under a heavy load of visitors (I expect it'll perform well).

After the Wotch, assuming there are no major glitches, I need to build a simple installer, and then we'll be rolling it out on Crossworlds, and after Crossworlds, Cheer!. If everything goes well with those three sites, then I'll open up a limited beta-testing program (a couple dozen people or so) to try to crush any remaining bugs in it and get some initial site templates built so that it can come prepackaged with a few so that true newbies can get a new webcomic up-and-rolling in a matter of minutes, no coding necessary. Sometime around early 2008, CMXpress should be available to the public, and as I said before, it'll be 100% free to use and abuse as you see fit.