Weekly notes 1

For some time I’ve been reading several newsletters to keep note what happens in the field of software development and the intention was also to share the interesting parts here. And now it’s time to move from intent to action.

In the new “Weekly notes” series I share what interesting articles I have read with short comments. The overall topic is technology but other than that they can cover all things related to software development, from web applications to mobile development and from devops to user experience. I’ll publish my reading list every week or every two weeks.

I also tweet about interesting topics so follow me on Twitter:

Issue #1 // Week 48, 2015


Ludicrously Fast Page Loads – A Guide for Full-Stack Devs
Nate Berkopec explains in detail how can you diagnose performance issues on the frontend of your site with the use of Chrome Timeline. (from CSS Weekly, #185)

The Docker Monitoring problem
Detailed look at why monitoring containers is both different and difficult for traditional tools. Also a good introduction to Linux containers. (from DevOps weekly, Issue 204)

Tools of the trade

Continuous Integration Platform using Docker Container: Jenkins, SonarQube, Nexus, GitLab
Setting up CI is easy but moving beyond that and getting value out of the CI is different matter. This article covers some of the practices to employ. (from Java Web Weekly 42)

Amazon Web Services in Plain English
Amazon’s services are everywhere but with 50 plus opaquely named services, some plain English descriptions were needed. (from Hacker News)

Modern Java – A Guide to Java 8
Java 8 brings quite a lot of new things like default interface methods, lambda expressions, method references and repeatable annotations. This tutorial guides you step by step through all new language features. (from Hacker News)

To think about

Corporations and OSS Do Not Mix
Maintaining open source projects isn’t easy and that’s not about technology.

Not once has a company said to me:
“This bug is costing us $X per day. Can we pay you $Y to focus on it and get a fix out as soon as possible?”

(from Weekend reading)

Sustainable Open Source
Continuing the previous article’s topic, good read for anyone involved in or planning a community-driven open source project. (from Weekend reading)

Edward Snowden explains how to reclaim your privacy
“Operations security (Opsec) is important even if you’re not worried about the NSA.” Snowden gives 4 quick tips: Encrypt, use password manager, use 2-factor authentication, use Tor.

Event Sourcing – Capturing all changes to an application state as a sequence of events
Application architecture is the base for everything and Martin Fowler’s reference intro to this powerful style of architecture is worth reading.

Something different

How snowmaking works
If the Mother Nature isn’t doing its job and making snow, we can do it by ourselves. Important topic as couple of Winters even here in Finland have been mild and it’s not looking good this year either. “A resort that can guarantee 5+ inches of powder every day is a license to print money.” (from Hacker News)

ApiOPS and Test Automation at DevOps Finland Meetup

Couple of weeks ago at Tampere goes Agile the question was what’s beyond agile and partial answer was DevOps. I’ve read about DevOps before and tried to introduce it to use in my daily job but new things move slowly. So, it was good time to hear more about DevOps and how others are using it at DevOps Finland meetup about ApiOPs and Test Automation. The meetup was held at GE Healthcare building in Vallila and organized by Eficode. Delicious coffee and sandwiches were from Warrior coffee. Here’s my short notes about the topics discussed.


Jarkko Moilanen, talked about APIOps – Focus on Iterative and Collaborative Design-First driven API development. How to automate and streamline API-strategy and development process. But what’s APIOps? In short, APItalist creates strategy and APIOps troops implement it.


The talk was more about mindset related to developing APIs than tools but Swagger was mentioned for representing your API and SoapUI for testing. For API management Moilanen talked about APInf which is an API management platform.

Test automation with Robot Framework

Eficode guys talked about Test automation with Robot Framework which is a generic test automation framework for acceptance testing and acceptance test-driven development (ATDD). It’s originally developed in Nokia Networks 2005 and open sourced in 2006. Robot Framework uses keyword-driven testing approach and it’s capabilities can be extended by test libraries implemented either with Python or Java. Robot Framework is quite big in Finland but to get the work forward and more known worldwide there’s now Robot Framework Association put together by Eficode, Omenia, Reaktor, Eliga, Knowit, Qentinel and HiQ.

Automating payment terminal testing

After some technical difficulties with projector we heard intro to Robot Framework with Selenium2Library and saw video about using it. Selenium is a suite of tools to automate web browsers and with Selenium2Library you can use it with Robot Framework to easily implement and maintain automatic browser testing of your web application. Another use case which I find interesting is for testing REST APIs.

You can use Robot Framework in many was as we saw with the demo of a machine for automating payment terminal testing which Eficode had built (slides, blog post in Finnish). It was a Shapeoko 2 CNC milling machine where Arduino parsed g-code sent over terminal bus, payment terminal was captured with Tesseract OCR and it was controlled by Robot Framework running in Raspberry Pi. They had extended Robot Framework with new libraries for communicating over serial bus and reading images from Raspberry Pi camera.

What you can do with Robot Framework is up to you as the framework doesn’t limit you.

Future of DevOps Finland

The last talk of the meetup was about the future of DevOps Finland. DevOps Finland was started in 2013 by Erno Aapa and now the load is distributed over new planning team to keep things active. Sharing is caring and so we were encouraged to share our experiences and war stories about DevOps by talking in some future meetup.

Some possible future themes for the meetup were also discussed.

  • Infrastructure Orchestration
    • e.g. Coreos, Mesos, Kubernetes, AWS tools, Rancher.
  • DevOps on Windows
    • PoweShell and Azure.
  • DevOps without computers
    • AWS lambda, heroku, dokku, aws beanstalk, Google app engine, IBM Bluemix. (DevOps as a service).
  • How to move ops work to developers?
    • Hubot, configuration management, continuous delivery.
  • Security.
  • Ops do Dev. Dev do ops.
  • How to handle corporate IT?
  • Configuration management system
    • Chef, Puppet, Ansible, Salt.
  • Continuous integration
    • Jenkins, circleCI, Travis. Alternatives for Jenkins.
  • Working with legacy systems
    • Handling existing data, migrating legacy operations to modern operations, using old hardware to create a cloud.
  • DevOps in the cloud
    • what cloud services to use? Why?, developing in the cloud, build promoting practices
  • Measuring, monitoring, logging
    • elk-stack, Kafka, sentry, newrelic, loggly, graylog, practices & different needs
  • Containers
    • Docker, LXC, Xen, VMware, Qemu

Patching RichFaces 3.3.3 AJAX.js for IE11

Couple of years ago I wrote about patching RichFaces 3.3.3 AJAX.js for IE9 and as the browser world has moved on, it’s now time to patch RichFaces 3.3.3 AJAX.js for Internet Explorer 11. Of course you could update your web application to JSF 2 and RichFaces 4 or PrimeFaces but it’s neither trivial nor free. The issue with RichFaces 3.3.3 still stands, development has moved to 4.x version and they’ve dropped support for the older versions although at least IE issues could be easily fixed. Fortunately patching RichFaces AJAX.js is relatively easy.

The problem with Internet Explorer 11 is that although you upgraded Sarissa Framework and patched RichFaces AJAX.js file for IE 9 it just isn’t enough anymore as IE 11 uses different User-agent string and disguises itself as “like Gecko”. The User-agent string in Win 8.1 for IE11 is “Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko”. The issue is also discussed on JBoss Forums and on Stack Overflow.

The different User-agent string breakes the “rerender” after Ajax Request. For example using a4j:function in combination with “rerender” is not working on IE 11 and the problem is that after Ajax request the result XML can’t be correctly append to the body. Also the rerendering is abnormal for h:inputTextarea, rich:modalPanel, h:inputTextarea and rich:calendar.

Fortunately the fix is simple as RicFaces issue RF-13443 tells.

Patching RichFaces 3.3.3 AJAX.js for IE 11

Step 1: Do the “Upgrading Sarissa Framework and patching RichFaces AJAX.js file” steps in my Patching RichFaces 3.3.3 AJAX.js for IE9 article.

Step 2: Edit the AJAX_IE9fix.js file you just created and add IE 11 checking to Sarissa._SARISSA_IS_IE and Sarissa._SARISSA_IS_IE9. The changed lines should look like the following:

Sarissa._SARISSA_IS_IE = (document.all && window.ActiveXObject && navigator.userAgent.toLowerCase().indexOf("msie") > -1 && navigator.userAgent.toLowerCase().indexOf("opera") == -1) || (navigator.userAgent.toLowerCase().indexOf("like gecko") > -1 && navigator.userAgent.toLowerCase().indexOf("11.") > -1);
Sarissa._SARISSA_IS_IE9 = Sarissa._SARISSA_IS_IE && (parseFloat(navigator.appVersion.substring(navigator.appVersion.indexOf("MSIE")+5))) >= 9 || (navigator.userAgent.toLowerCase().indexOf("like gecko") > -1 && navigator.userAgent.toLowerCase().indexOf("11.") > -1);

If all fails you can try to tell IE 11 to emulate IE 10 with adding X-UA-Compatible meta tag to head.

<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE10"/>

The other thing I noticed with RichFaces 3.3.3 and modern browsers is that if you use ui:fragment which contains rich:suggestionbox and rerender it, the suggestionbox doesn’t work correctly. It gives an error: SCRIPT5007: Unable to get property 'parentNode' of undefined or null reference. For now I didn’t have time to figure out the issue and just changed my page structure and function.

Although it’s 2015 using JSF 1.2 and RichFaces 3.3.3 is still working quite nicely :)

Notes from Tampere goes Agile 2015

What could be a better way to spend a beautiful Autumn Saturday than visiting Tampere goes Agile and being inspired beyong agile. Well, I can think couple of activities which beat waking up 5:30 to catch a train to Tampere but attending a conference and listening to thought provoking presentations is always refreshing. So, what did they tell about being “Inspired beyond agile” in Tampere goes Agile 2015?

Tampere goes Agile 2015

Tampere goes Agile is a free to attend event about agile and this year the theme of the conference was “inspired beyond agile”. The event was held at Sokos Hotel Ilves and there were roughly 140 attendees. Agile as a topic isn’t interesting as it’s practices are widely in use, so the event went past agile and concentrated on “being agile”. How the organizational level and our mindsets has to change to make agile work. Waterfall mindset eats your agile culture for breakfast. And that’s the problem many presentations addressed.

Juho Vepsäläinen wrote also a great blog post about afterthoughts of Tampere Goes Agile 2015. It was nice to read a recap of the sessions which were in the other room than I was.

Keynote: After Agile

Event started with a keynote by Bob Marshall who asked what’s after agile. He has introduced the concept of right shifting where the core idea is that a large amount of organizations are underperforming. We’re always more or less prisoners of our mindset and existing ways.

“It’s not enough to do your best; you must know what to do, and then on your best.” – W. Edwards Deming

Marshall showed his right shifting organizational effectiveness chart where mean is around 1 (0 to 5 scale) and organizations using agile sit around 1.25 to 2. So, what’s beyond that? Agile thinking isn’t getting us there. What differs the organizations in the chart is their mindset: adhoc, analytic, synergistic and finally chaordic.

The Marshall model:

The Marshall model

In order to improve the effectiveness and efficiency of our organizations, we’ll need to be able to imagine better ones. The question is, what does an ideal organization look like? What kind of society we would build if it was wiped out? Starting from clean slate. We should look at the organization as a whole and what Marshall suggest is to use therapy to understand organization health and changing the mindset of the organization to one that’s more conducive for high performance.

The ideal model for IT company is built around: people, relationships between people, collective mindset, cognitive function and motivation. And it’s good to remember the difference between effectiveness and efficiency: Doing the right thing or doing the thing right.

Doctor, please fix my Agile!

Ville Törmälä talked about how we have seen changes on the method level, organizations are still mostly functioning the same ways as before. Many have tried to become more agile but without much success as there’s a waterfall way of doing everything.

Törmälä presented his definition of agile: 1) Make the work better 2) Make the work work better 3) Make lives better. But waterfall mindset eats our agile culture for breakfast so it’s about time to broaden our thinking about what really constitutes a long-term success in organizations doing any kind of knowledge work. Agile gives you tools and ideas but organizations can’t change or improve by “doing agile” better. If you fail with one agile “method”, you probably fail with the rest of them. It’s a systemic problem. It’s all built deep in to the thinking and structures of the organizations. That is the challenge.

“Every system is perfectly designed to achieve the results it gets”. We should change from “project thinking” to “stable teams thinking”. To change the power and influence structure from managing people to empowering people and further to liberating people.

One way of doing this is to use KBIs, Key Behaviour Indicators, where you write down examples of behaviour you want to see, think in what kind of environmental it’s possible or could happen and then create the environment, write down concrete actions.

“The supreme art of agile is to subdue the waterfall thinking without fighting” – Sun Tzu, The Art of War

In summary, we need to look beyond methods and practices. Organizations change by changing how they think and become better by understanding better how work works, how to create value and how to learn better. We’ve to work with the system, aiming to understand and affect its thinking.

Pairing is sharing

Pair programming is a core agile technical practice but many people still have reluctance to pair and Maaret Pyhäjärvi talked about the deliberate practice in building up the skill of pairing to allow pairing to take one’s skills on other activities to a new level. Pyhäjärvi shared her different stages of pairing and lessons picked up as a testing specialist.

Again, pairing is also about mindset and effective pairing is far from trivial – but it is skill that can be practiced. Pyhäjärvi talked about growth patterns from pairing with peers to pairing and mobbing with developers, from traditional style and side-by-side work to strong-style pairing and to pairing on both testing and programming activities.

Mindset: fixed <> growth

Listeners also got to test specific style of pairing, Strong-style pairing, where for an idea to go from your head to the computer it must go through someone else’s hands. You really need to think the steps through for the other to manage the given task.

One presented point about pairing was that you must unlearn ownership of ideas and contributions. Co-creation vs. collaboration.

Pyhäjärvi also told that selling pairing to team (of introvert programmers) is hard but Mob Programming has been their gateway to pair programming. It feels safer. You can read more about it from Mob Programming guide book.

Beyond Continuous Deployment: Documentation Pipeline

Before lunch there was also nice lightning talk about documentation pipeline by Antti Virtanen. He told about Lessons learnt from creating a Documentation Pipeline for Continuous Deployment with Jenkins and other open source tools. His slides are available from SlideShare.

1 ???
2 Continuous Delivery DevOps magic
3 ???
4 Profit

The DevOps magic with Jenkins was more or less standard practice and it was configured to generate documentation from database schema, JavaDocs, test coverage reports, performance test results and API specification. Reminded me of all the work I should introduce to our continuous integration.

3 standard tricks were presented:

  • Jenkins is the Swiss knife.
  • Database documentation in database metadata and generating ER-diagrams with SchemaSpy.
  • API documentation with Swagger.

When quality is just a cost: Useful approaches to testing

Testing is also important part of successful projects so Jani Grönman talked about useful approaches to testing and software quality.

“Software quality is measured by your customer success, not development project metrics and quality processes.”

Grönman approached the topic with often surprisingly common attitude towards testing and quality:

  • “Quality is just a cost and like other costs, it should be avoided or minimized.”
  • “Testing is it just another buffer in project’s budget”
  • “testers are not skilled labor, it’s enough if they can read and write.”
  • “What automation? They can quickly click trough the app can’t they?”.

And as you know this is all wrong. It’s true that testing is expensive but so is development. Can you afford not to test? You should think it as an investment. The presentation went through the reasons and motivations behind the various attitudes and explored differences in views and how to best tackle them using the right technology and approach. He also talked about the schools of testing: Analytical, Standard, Quality, Context driven, Agile.

But overall you should know that testing is skilled activity and part of the development. Testing provides information to the project and you should use mix of techniques like exploratory and automatisation. And think about what testing would be most effective now. You need to choose the right set of QA tools for the job. One size fits no-one.

DevOps: Boosting the agile way of working

DevOps has been quite the buzzword for some time, so it was interesting to hear what Timo Stordell had to say how Devops is boosting the agile way of working. In short DevOps isn’t anything revolutionary and should be seen an incremental way to improve our development practices. And talking about revolution, Stordell’s slides had nice Soviet theme.

The presentation was more or less what you would expect from a topic covering DevOps and has nice touch to it. In short: Small bangs over a big bang, requirements management meet acceptance testing, standardize development environments, monitor to understand what to develop.

Stordell had nice demo of how they perform acceptance testing using physical devices and automation. They have built a rig of CNC mill run by Raspberry Pi to test payment system.

For those interested about DevOps movement and everything around it there’s DevOps Finland meetup group. You can also download Eficode’s DevOps Quick Guide to read more about it.

Keynote: Beyond projects

Event’s final keynote was by Allan Kelly who spoke about #noprojects. Why projects are wrong and what to do instead. The main point of the keynote was that the project model doesn’t match software development and outlined an alternative to the project model and what companies need to do to achieve it. The presentation slides are available from SlideShare. Kelly has also written a book about team centric agile software developmen,: Xanpan, which combines Kanban and XP.

Going beyond projects is an interesting idea as everything we do is somewhat tied to doing things in projects. So, what’s wrong with projects? Projects are temporary whereas software is forever. Projects have end dates which in turn is against the defining feature of successful software: it doesn’t end. Software which is useful is used and demands change, stop changing it and you kill it. At worst the project metaphor leads to dead software, higher costs and missed business opportunities.

We should think projects more like a continuous flow where it’s success isn’t determined by staying on schedule, on budget, and with quality. We should concentrate on the value delivered and put value in flexibility as requirements change. This goes against the fixed nature of projects. Also after project you often break a functioning team and start all over again. We should put emphasis on teams, treat team as an unit and push work through it.

The other thing is that software is not milk. It’s cheapest in small packages, not in big cartons. Software development has not economics of scale. Big projects are risk. Think small and make regular delivery which increases ROI. Fail fast, fail cheap. Quite basic agile thinking.

So, beyond projects: waterfall 2.0, continuous flow

Continuous flow of waterfall

Now we have #noestimates, #nomanagement and #noprojects. Profit?


It was my first time visiting Tampere goes Agile and it was nice conference. The topics provided something to think about and not just the same agile thinking. You could clearly see the theme “Inspired beyond agile” working through different presentations and the emphasis was about changing our mindsets.

Going beyond agile isn’t easy as it’s more about thinking than tools. Old habits die hard and changing the waterfall way of thinking isn’t trivial. We should start with understanding our organization’s health and changing the mindset of the organization to one that’s more conducive for high performance. Switch from “project thinking” to “stable teams thinking” and change the power and influence structure from managing people to empowering people and further to liberating people.

The after party was at Ruby & Fellas but after early morning and couple of nice beers it was time to take train back home. But before that I had to visit the Moro Sky Bar with nice scenery over Tampere.

Tampere from Moro Sky Bar

Newsletters for software developers

Software development is one of the professions where you just have to keep your knowledge up to date and follow what happens in the field. But as normal information overload is easily achieved so it’s beneficial to use for example curated newsletters for the subjects which intersects the stack you’re using and topics you’re interested at. Here are my selection of newsletters for software developers covering topics like web and mobile development, user experience and design and general topics. For more newsletters for developers you can check what for example Dzone wrote.

The power of newsletter lies in the fact that it can deliver condensed and digestible content which is harder to achieve with other good news sources like feed subscriptions and Twitter. Well curated newsletter to targeted audience is a pleasure to read and even if you forgot to check your newsletter folder, you can always get back to them later :)


Hacker Newsletter
Weekly newsletter of the best articles in Hacker News.

Status code
A language agnostic roundup of the latest ideas, releases, trends, events and must-read articles from the programming world (think C, UNIX, algorithms, editors, protocols)

Mobile development

iOS Dev Weekly
Hand picked round up of the best iOS development links published every Friday.

This Week In Swift
List of the best Swift resources of the week.

iOS Dev nuggets
Short iOS app development nugget every Friday/Saturday. Short and usually something you can read in a few minutes and improve your skills at iOS app development.

In depth Mac and iOS articles archives


Java Web Weekly by Baeldung
Once-weekly email roundup of Java Web curated news by Eugen Baeldung.

The Java Specialists’ Newsletter
A monthly newsletter exploring the intricacies and depths of Java, curated Dr. Heinz Kabutz.

Java Performance Tuning News
A monthly newsletter focusing on Java performance issues, including the latest tips, articles, and news about Java Performance. Curated by Jack Shirazi and Kirk Pepperdine.


DB Weekly
A weekly round-up of database technology news and articles covering new developments, SQL, NoSQL, document databases, graph databases, and more.


Weekly HTML5 and Web Platform technology roundup. Curated by Peter Cooper.

CSS Weekly
Roundup of css articles, tutorials, experiments and tools. Curated by Zoran Jambor.

Web development

Web Development Reading List
Weekly roundup of web development–related sources, selected by Anselm Hannemann.

SitePoint’s daily newsletter, which features the latest web development news.

Hacking UI
Newsletter for designers, front-end developers and product managers.

Scott Hanselman
Includes interesting and useful stuff Scott has found over the last few weeks and other wonderful things.

The Modern Web Observer
Biweekly email newsletter about current issues and trends in front-end web development. It is much like a commentory on the important current news and articles related to front end development.

Web Design Weekly
Links to the best news and articles to hit the interweb during the week.

Weekly email of curated links to articles, resources, freebies and inspiration for web designers and developers.

For front-end developers there’s “How to keep up to date on
Front-End Technologies”
page which lists newsletters, blogs and people to follow.


JavaScript Weekly
Weekly e-mail round-up of JavaScript news and articles. Curated by Peter Cooper.

A Drip of JavaScript
“One quick JavaScript tip”, delivered every other Tuesday and written by Joshua Clanton.

Collection of the best articles, videos, and presentations on creating, testing, and maintaining a JavaScript code base.

User experience and design

UX weekly
Five links each week with the best UX writing, process, analysis, and critique from around the web. Its content lies at the intersection of user experience design, game design, and tech industry critique.

Monthly newsletter where the author will share ideas on how to improve customer conversion and ease of use.

To satisfy your web aesthetics with list of the 5 best design links of the day. The content is manually curated by a couple great editors.

Updates you monthly about the happenings in the UX/usability arena.

UX Design Weekly
Best user experience design links every week, published every Friday.


DevOps Weekly
Weekly slice of devops news.

Web Operations Weekly
Weekly newsletter on Web operations, infrastructure, performance, and tooling, from the browser down to the metal.

Using Bacon2D with Sailfish OS

Sailfish OS development for Jolla is quite versatile and you can use QML plugins to enhance your application. But if you’ve used a QML module which isn’t approved in Harbour and want to distribute your application via Jolla Store, you’ve to do some extra steps with it. Lately I ported Ubuntu Phone’s Falldown game for Sailfish OS and it uses Bacon2D framework to ease 2D game development. Bacon2D isn’t allowed in Harbour so I had to patch it to accept custom namespace and either package the dynamically linked library with my app’s RPM or use statically linked Bacon2D with my app. Here are my notes about it.

The examples will be with my Falldown game project and the code can be found on GitHub. The steps shown below are not the optimal way of doing things as you could streamline the process by including Bacon2D build to your project build and in RPM spec patch the needed files. Will see if I get around doing that and automate things.

Building Bacon2D for Sailfish OS

Bacon2D is a framework to ease 2D game development, providing ready-to-use QML elements representing basic game entities needed by most of games. Bacon2D uses Box2D, a 2D rigid body simulation engine for games. Box2D lets you make objects move in realistic ways and make the game world more interactive.

You can use Bacon2D in your Sailfish OS project by using it as dynamically or statically linked library. The easiest way is to just use the statically linked version so it’s statically compiled into your project. But it’s almost as easy to build the dynamically linked library.

The other issue is getting the Bacon2D built such way that you can use it in your project and submit your application to Jolla Store. As Bacon2D plugin isn’t allowed in Harbour you’ve to patch it to your own namespace, e.g harbour.falldown.bacon2d.

The next chapters cover the three different ways to build and use Bacon2D with Sailfish OS.

Get Bacon2D framework

Start with adding the Bacon2D repository to your project’s Git repository as submodule.

$ git submodule add https://github.com/Bacon2D/Bacon2D.git

Now the Bacon2D project files are in e.g. falldown/Bacon2D and falldown directory will be our base.

Now you’re ready to build and use Bacon2D with three optional ways:

After I got the needed things to work, I used the Option 3 way to get Bacon2D included in my application and hopefully it gets approved to Jolla Store.

Option 1: Using statically linked Bacon2D

In your project’s project file e.g. harbour-falldown.pro add to the top of the file include clause for including Bacon2D statically


In your project’s main.cpp include plugins.h and register types before loading QML resources.

#include <plugins.h>
Plugins plugins;

Build your project in Qt Creator by selecting Build->Release, Deploy->Deploy as RPM Package and then running Build -> Clean, Build, Deploy.

Your Bacon2D powered app should now launch in your phone.

Option 2: Using dynamically linked Bacon2D

Open Bacon2D/Bacon2D.pro with Qt Creator and disable the test and examples subdirectories.

SUBDIRS += src

Build Bacon2D for Armv7: Select Kit – MerSDK-SailfishOS-armv7hl – Release – Deploy by copying binaries. The build will fail with “Error 127” but the libbacon2dplugin.so is built so you can use it now.

Copy the “build-Bacon2D-MerSDK_SailfishOS_armv7hl-Release/src/imports” directory which contains QML files and libbacon2dplugin.so to your project’s lib directory, e.g. falldown/lib.

$ cp -r build-Bacon2D-MerSDK_SailfishOS_armv7hl-Release/src/imports/Bacon2D lib

In e.g. harbour-falldown.pro add the lib directory to be added inside RPM.

lib.files += lib
lib.path = $${DEPLOYMENT_PATH}

In your main.cpp add import path to Bacon2D files.


In Qt Creator select Build->Release, Deploy->Deploy as RPM Package. Run Build -> Clean, Build, Deploy.

Your Bacon2D powered app for Sailfish OS should now launch in Jolla.

Option 3: Using statically linked Bacon2D the Harbour way

Including statically linked Bacon2D to be built with you Sailfish OS application can be done different ways and I chose not to write my own plugins.cpp to register QML types and just patched the plugins.cpp which Bacon2D provides.

In harbour-falldown.pro add to the top of the file include clause for including Bacon2D statically


Patch Bacon2D Bacon2D/src/plugins.cpp to accept e.g. harbour.falldown.bacon2d namespace. Change every qmlRegisterType line from “Bacon2D” to your namespace.

qmlRegisterType<Layer>("harbour.falldown.bacon2d", 1, 0, "Layer");

In your project’s src/main.cpp include plugins.h and register types before loading QMLresources.

#include <plugins.h>
Plugins plugins;

Put Bacon2D QML files under e.g. qml/components and change them to import e.g. harbour.falldown.bacon2d 1.0. Somehow I didn’t get the Bacon2D type to work which defines enums.

Build your project in Qt Creator by selecting Build->Release, Deploy->Deploy as RPM Package and then running Build -> Clean, Build, Deploy.

Your Bacon2D powered app should now launch in your phone.

Option 4: Using dynamically linked Bacon2D the Harbour way

You can link against shared libraries which ships with your Sailfish OS app in the RPM but because of Harbour rules you have to install the library under e.g. /usr/share/harbour-falldown/lib.

But before you can use the dynamically linked Bacon2D for Sailfish OS app intended to be distributed via Jolla Harbour you have to patch Bacon2D to accept e.g. harbour.falldown.bacon2d namespace and build the library.

In Bacon2D project change the following files.


PROJECT_NAME = harbour.falldown.bacon2d


TARGETPATH = harbour/falldown/bacon2d
DESTDIR = $$OUT_PWD/imports/harbour/falldown/bacon2d/


qmlRegisterType<Layer>("harbour.falldown.bacon2d", 1, 0, "Layer");


module harbour.falldown.bacon2d

In Bacon2D/src directory change every QML file to import e.g. harbour.falldown.bacon2d 1.0

Build Bacon2D with Qt Creator for Armv7: Kit – MerSDK-SailfishOS-armv7hl – Release – Deploy by copying binaries

Copy Bacon2D QML files and libbacon2dplugin.so under lib directory and to the structure which match you import namespace, e.g.: lib/harbour/falldown/bacon2d/.

$ cp -r build-Bacon2D-MerSDK_SailfishOS_armv7hl-Release/src/imports/harbour lib

In your project’s project file, e.g. harbour-falldown.pro add the lib directory to be added inside RPM

lib.files += lib
lib.path = $${DEPLOYMENT_PATH}

In your spec file, e.g. rpm/harbour-falldown.spec add following exclude as Harbour RPM packages should not provide anything.

# >> macros
%define __provides_exclude_from ^%{_datadir}/.*$
# << macros

Also to use QML modules which ships together with the application but you have to prefix the name of the imports with e.g. “harbour.falldown.bacon2d”. And you have to install them under /usr/share/harbour-falldown (loadable QML plugins or the QML files).

In src/main.cpp add import path to Bacon2D QML files and plugin before loading qml resources.


Build your project in Qt Creator by selecting Kit – MerSDK-SailfishOS-armv7hl – Release – Deploy – Deploy as RPM Package and then running Clean, Build, Deploy.

Your Bacon2D powered app should now launch in your phone.

Build secure Web applications by reading Iron-Clad Java

Building secure Web applications isn’t easy and contains many aspects that the development team has to consider and take into account. “Iron-Clad Java: Building Secure Web Applications” book is good starting point to learn concepts, tactics, patterns and anti-patterns to develop, deploy and maintain secure Java applications. With 304 pages the book is more about getting an overview and pointers for further reading and research but works quite nicely in that regard.

“Iron-Clad Java: Building secure Web applications”

As the name suggests, “Iron-Clad Java: Building Secure Web Applications” by Jim Manico and August Detlefsen, is targeted for Java developers and is suitable reading also for less technical people in the team like project managers and managers as it doesn’t go too deeply to technical aspects or code. After reading the book even the managers should get an appreciation and the vocabulary to discuss security with their staff. The reader should get a solid understanding of what is wrong with many web apps in general and what corrective measures to take to mitigate the issues. The book was published September 2014 and has 304 pages (ISBN-13: 978-0071835886).

The book covers topics like secure authentication and session management processes, access control design, defending against cross-site scripting (XSS) and cross-site request forgery (CSRF), protecting sensitive data while stored or in transit, preventing SQL injection, ensuring safe file I/O and upload, using effective logging, error handling, and intrusion detection methods and also guide for secure software development lifecycle (secure-SDLC). The topics are written with theory and practice and so that they are approachable for developers new to security, for those that might be a little inexperienced but still providing useful nuggets for experienced developers.

In good and bad the book gives somewhat opinionated answers what technics and tools you can use to address security issues but overall the advice is solid and un-biased and more or less framework agnostic. So, the lessons learned should apply to any project. For me, writing examples with e.g. JSP and Struts makes me question if also the other tools the book suggest (which I wasn’t familiar with) are suitable for modern Java EE application development. Something to look into after reading the book. Also OWASP seemed to have answer to almost every security aspect.

Anyways, the book’s advice isn’t about using certain technologies but giving you something to think about and educating about security aspects in your Java Web application. What matters is that the book gives explanations of why you need to implement a specific control for a given issue, how you could do it and what the impacts are. This is what many security professionals miss when speaking to developers. The book tells you what the security problem is and then why and how you should fix that so it makes sense for developers.

Taking care for Web application security isn’t just for architects and developers but it’s also a topic which importance whole team should know and understand. The “Iron-Clad Java: Building secure Web applications” gives good overview to security and is suitable for the whole development team to read.

Creating Vagrant Base Box with Veewee

Vagrant is a great tool for creating and configuring lightweight, reproducible, portable virtual machine environments but the first step for using Vagrant, downloading an existing “base box”, raises some questions. E.g. How are these unverified boxes built? So, you might end up building your own base box which is often time consuming and cumbersome. Fortunately there’s a tool called Veewee which aims to automate all the steps for building base boxes and to collect best practices in a transparent way.

Vagrant Base Box with Veewee

Veewee is a tool for easily (and repeatedly) building custom Vagrant base boxes, KVMs, and virtual machine images. You can use it to build a Vagrant box in Linux, Mac OS X and Windows but I found out that fulfilling the requirements on Windows is quite difficult (read Ruby and RVM) so just forget it.

To get you started there are some requirements you need to fulfill. First you’ll need to install at least one of the supported virtual machine providers like VirtualBox and second you need some development libraries.

On Ubuntu 15.04 Linux and using VirtualBox you need these packages:

$ apt-get install virtualbox git curl ruby ruby-dev libxslt1-dev libxml2-dev zlib1g-dev

Install RVM on Linux

For Ruby environment it’s recommended to use either rvm or rbenv. I chose the RVM and followed the RVM install documentation.

Install mpapis public key:

$ gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3

if keyserver fails, you can use $ curl -sSL https://rvm.io/mpapis.asc | gpg --import -

Install RVM stable with ruby:

$ \curl -sSL https://get.rvm.io | bash -s stable --ruby

Installing Veewee with RVM

With RVM already installed, ensure a ruby version that’s supported by Veewee is available on your machine:

$ source /home/marko/.rvm/scripts/rvm
$ rvm install ruby

Clone the veewee project from source:

$ cd <path_to_workspace>
$ git clone https://github.com/jedi4ever/veewee.git
$ cd veewee

Set the local gemset and ruby version within the current directory:

$ rvm use ruby@veewee --create

Run bundle install to install Gemfile dependencies for your local gemset:

$ gem install bundler
$ bundle install

Bundle install will take some time.

Building Vagrant Box with Veewee

Veewee uses definitions to build new virtual machines and ‘definition’ is derived from a ‘template’ and preconfigured templates are found in templates/ folder. Veewee Basics explains how you can create your own customized definition.

For my customized Vagrant Box I decided to use Tommy Muehle’s definition as a template as it contained what I wanted. Simple CentOS 6.6. Box with Puppet. I just changed the localization to Finland and made it bigger for WebLogic use case in mind. My definition for Vagrant Box can be found in GitHub.

To use my definition just clone the repository for CentOS 6.6 Box, copy the “centos-6.6-x86_64_puppet” folder to definitions/ folder under Veewee and make your own changes if needed. After you’re done run:

$ bundle exec veewee vbox build centos-6.6-x86_64_puppet

The build command runs Veewee scripts and automates the manual steps needed while installing a new Linux distribution.

Installing CentOS to Vagrant Box with Veewee

To export the Box for further use with Vagrant, run:

$ bundle exec veewee vbox export centos-6.6-x86_64_puppet

The above command is actually calling “vagrant package –base ‘centos-6.6-x86_64_puppet’ –output ‘boxes/centos-6.6-x86_64_puppet'”. The machine gets shut down, exported and will be packed in a centos-6.6-x86_64_puppet.box file inside the current directory.

And you’re all done. Now you can use your just created base box for Vagrant boxes. Import it into Vagrant’s box repository and use it to initialize a fresh project:

$ vagrant box add 'centos-6.6-x86_64_puppet' 'centos-6.6-x86_64_puppet.box'
$ vagrant init 'centos-6.6-x86_64_puppet'

Using Veewee to build a Vagrant Box is simple and what’s more important it’s automated and reproducible. Using Ruby and RVM on Windows 7 turned out to be practically impossible but old ThinkPad W510 with Ubuntu 15.04 worked nicely. Of course you could create a base box with Vagrant way which means installing and configuring your Linux manually. But why would you want to that if you can just automate it?

Starting iOS development with Swift

Mobile application development differs between platforms and after doing couple of applications for the Sailfish OS powering Jolla phone it was finally time to see what other platforms have to provide. I develop Java applications at work so it was logical to look into iOS and learn some Swift. The Internet is full of resources of how to start developing for iOS and here’s my take to the topic. Now I just need an iPhone to run my app on a real device :)

Getting started

Coming from the Java EE and Web application world it’s good to read some documentation about mobile application development for iPhone and iOS before starting to code. You need to learn the basics concepts about iOS platform and Swift language and good starting point is to check Apple’s resources for developers and iOS developer library and read the guide how to start developing iOS apps (although it’s with Objective-C). To learn Swift you can read guide to Swift language or if you like books there’s also The Swift Programming Language book.

You can also start learning iOS development with several free or paid online courses. Coding with Chris “how to make an iPhone app” series of videos is a good starting point although it’s designed for people who have no programming experience. It provides nice overview to the tools and how to start developing. You can also follow the App Development: Teaching Swift by Apple Education with code examples or if you’ve the money and need diploma see the Udemy course for iOS developers or Udacity’s iOS developer Nanodegree.

It’s also good to read Human Interface Guidelines for iOS-based devices although the guidelines don’t provide any practical examples. It’s a good resource to learn how iOS applications should work, tells you how your app should look and behave and how to use the UI elements that UIKit provides. As I have done apps for Sailfish OS it was good to adapt my thinking to see things in the iOS way.

In practice the best way to learn is to just write code and experiment. Getting to know XCode and Interface Builder takes some time. After using Eclipse and IntelliJ IDEA for Java development both XCode and Apple’s graphical UI editor are somewhat confusing at first.

There’s also couple of iOS development newsletters to follow: iOS Dev Weekly, This Week In Swift. Also the In depth Mac and iOS articles archives is a good resource.

And if you’re using IRC there’s #cocoa-init channel on irc.freenode.net focused on asking and answering questions for beginning developers on iOS and OS X. For more general iOS development you can join #iphonedev channel on irc.freenode.net. To join them you need to register your nick.

Development in practice

Getting started with iOS can be challenging as Swift and Objective-C are used mainly only on Apple’s platform and it has its own names for almost everything. I haven’t yet gathered my own good practices so it’s great that you can read about iOS good practices from Futurice.

Basic tools

For iOS development your options with tools are somewhat limited as you need Mac computer running OS X (10.9.4 or later) for being able to run Apple Xcode and iOS SDK. The other option is to use JetBrains Appcode (99e) which is better (what I’ve understood). Xcode can be installed from Mac App Store and it comes with iOS SDK. Also although you can run your applications in iOS Simulator it helps to have a real device which helps you to understand how apps interact with users and what the look and feel should be. The documentation and examples gets you far but nothing beats to have first hand experience of the platform.

I found it beneficial to watch e.g. the Coding with Chris “how to make an iPhone app” series of videos for getting around XCode development environment.

Xcode and UI builder

Developing for iOS

iPhone applications can be written with Objective-C or with newer Swift programming language. Objective-C is built on top of the C programming language and provides object-oriented capabilities and a dynamic runtime. Swift in the other hand can be described as Objective without the C and is a replacement for the Objective-C language and works side-by-side with it. Wikipedia has good short description of Swift.

Although Swift is relatively new and what I’ve read isn’t quite as robust as Objective-C it’s good starting point for developing iOS apps. Having used some Objective-C for OS X apps I wouldn’t recommend it to anyone if you don’t actually need it.

iOS platform

Apple’s operating system for iPhone, iOS, provides many frameworks for developers and as a developer you’ve to decide which version to target as it affects your application and capabilities. Apple’s iOS developer page provides short overview of what it has to offer. The current version is iOS 8 and i.a. Shinobicontrols has written iOS 8 Day by Day eBook which consists of 39 blog posts covering the most significant features available to developers in iOS 8.

As a developer you have to choose which version of iOS you target and whether your app is universal or only for iPhone or iPad as it affects your code and potential users. Do you need the new features in iOS 8 or is iOS 7 enough and is it worth to make solutions to fit both versions? And do you need different user interface for bigger screen in iPad or is universal version enough? iOS 8 is supported on iPhone 4s or newer and newer iPads and what I read about 72% of devices are using iOS 8 and 25% are on iOS 7. So, I think it’s enough to target iOS 8 as it provides you more options how to implement your app.

Developing with Swift

The best way to get to know Swift is just read some code, watch tutorials and of course write code. To learn Swift you can read guide to Swift language and you can watch from Youtube e.g. rm2kdev series about Swift starting from the basics and example of doing a To Do List app.

One nice element of the Swift system which helps you to get hang of it, is its ability to be cleanly debugged and run within the development environment, using a read–eval–print loop (REPL). It gives you interactive properties more in common with the scripting capabilities of Python than traditional systems programming languages. It’s useful to play with Swift in Xcode Playground and see what your code does.

Knowing Swift language is just one part and the bigger part in my opinion is to know how to use the UI elements that UIKit provides to create good user experience. When I started developing my app with Swift majority of time went to figuring out how to construct the user interface with Xcode UI builder and what the elements should be, not actually writing much code in Swift. User experience section in iOS Developer Library and UI Elements in iOS Human Interface Guidelines provide good starting points for reading about user experience but doesn’t help you much with coding especially when the sample codes are in Objective-C. Basic UI elements like “pull to refresh”, “swipe between views”, “split view” and “slide-out navigation” are more easily found by googling.

We all have our own ways to learn new platform and programming language and I find it beneficial to just create small application which experiment with different concepts and interactions. I’m gathering my own experiments with iOS technologies to GitHub and building a news reader application for High.fi on the way.

So, what are you waiting for? Download Xcode and start developing your own app for iOS :)



iOS 8

Other resources

Courses and guides

Notes from Owasp Helsinki Chapter Meeting 27

Security is important part of software development and often it doesn’t get enough attention or developers don’t know enough about it. I have been following Troy Hunt on Twitter for some time and as he was coming to Owasp Helsinki Chapter Meeting #27 it was great opportunity to hear about application security at first hand. Especially about hacking yourself first. The event was held at Life Science Center in Keilaranta and although it didnt’ provide much new information about security and how to protect against hackers, it was nice event. The event consisted talks presented by Troy Hunt: 50 Shades of AppSec and Hack yourself first.

50 Shades of AppSec

50 Shades of AppSec

The first talk was “50 shades of appsec” which covered a broad spectrum of what’s happening in our industry and how challenging it’s becoming for those of us working in AppSec to keep ahead of the attacks. Troy covered everything from the social aspects of hacking through to some of the more obscure attacks and the increasing challenges we have as defenders.

There was some nice bad examples how not to do things and hilarious examples how even criminal masterminds are fallible. Asking questions in StackOverflow with an account tied to your real identity, take a photo with iPhone and not clearing the EXIF data (which has location info).

“50 Shades of AppSec” talk didn’t provide much new information which I wouldn’t have read from Twitter or other news sources but was entertaining anyways. Good presentation matters.

Hack yourself first

If you’re protecting applications against attacks it’s good to know how attackers can exploit your application’s security holes. The online attacks against websites has accelerated quickly and the same risks continue to be exploited. These are often easily identified directly within the browser; it’s just a matter of understanding the vulnerable patterns to look for.

Troy Hunt’s “Hack Yourself First” talk was about developers building up cyber-offence skills and proactively seeking out security vulnerabilities in their own websites before an attacker does. It looked at website security from the attacker’s perspective and how to exploit common risks in a vulnerable web application. As usual the issues were quite basic information and could be easily identified and fixed with right knowledge and tools like Havij and Fiddler.

One interesting example was to use Fiddler to proxy your device’s traffic and look how remote server communicates with it and even decrypt HTTPS. You can e.g. edit request and response and change values sent to mobile. One example is to change the value for admin and see if the mobile application validates it on every request or do you really get admin rights to the application or service. Practical example was capture the traffic sent to British Airways mobile app and see the WiFi password list for free WiFi.

Or is it?

Second interesting example was about using WiFi Pineapple. To trick devices to connect with “known” wireless network, capture and circumvent it’s traffic. You did know that devices broadcasts the SSIDs they have previously connected and with devices like Pineapple you can easily see it and then do some magic.

WiFi Pineapple and captured SSIDs.

Q & A and afterwords

Views from Life Science Center Sauna

The questions and answers section was quite active as security is an interesting topic. There were good questions like how do you verify companies you use, like you’re using Freedome from F-Secure? It’s about choosing the least risky option. Better than WiFi at airport without VPN. You don’t really know.

Other interesting topic was about how security people don’t understand development and developers don’t understand security. It’s about working together and not just security people saying “There are vulnerabilities, fix those.” More cooperation would be better and it needs support from higher up to work together.

Afterwards the event had reserved the sauna on the 7th floor which provided also nice views over Laajalahti and some refreshments. Time to network and try to do small talk although I’m not the most social person. I wasn’t surprised that Troy didn’t join us to the sauna but it was nice that he had some time to talk in the lounge.

I didn’t get the Owasp sticker but I got some crafty swag from Nixu and Troy also provided one month free pass for Pluralsight which has courses to educate yourself

One of the crafty takeouts from the event camera cover sticker for laptop. Who is paranoid about infosec?

Will be busy month after to see all Pluralsight courses

Thanks to the organizers and event sponsor Nixu. Nicely noticed that Hunt is in Europe and to get him to talk about security. I also got a ride home with some good tips about restaurants in Tallinn which was nice. Thumbs up.