The cloud is fantastic,
the cloud is so great.
If it's not in the cloud,
it makes me irrate.

The nodes in the cloud,
be they big, be they small;
doesn't matter their power,
I love them all.

The cloud's all around us,
even in my phone's soul.
I can talk on the cloud
as I drive into a pole...

And if I do not wake
from my hospital bed,
I live free — in the cloud —
though my body is dead.

My essence be fetched,
from the cloud where it's stored,
to be put in a body
bought off Amazon (with rewards).

And when I grow senile,
from the cloud I will gain.
It will upload sane thoughts
through a chip in my brain.

So you see the clouds beauty,
spawned from words said so proud?
This poem will live on forever...
it's been sent to the cloud.

The tool is called monit, and I’m surprised I ever lived without it. Not only does it monitor your services and keep them running, it can restart them if they fail, use too much memory/cpu, stop responding on a certain port, etc. Not only that, but it will email you every time something happens.

While perusing monit’s site, I saw M/Monit which allows you to monitor monit over web, essentially. The only thing I scratched my head about was that M/Monit uses port 8080 (which is fine) but NginX already uses port 8080, and I wasn’t about to change that, so I opened conf/server.xml and looked for 8080, replaced with 8082 (monit runs on 8081 =)). Then I reconfigured monit to communicate with M/Monit and vice versa, and now I have a kickass process monitor that alerts me when things go wrong, and also sends updates to a service that allows me to monitor the monitor.

I can’t look at things like queries/sec as I can with Cacti (which is awesome but a little clunky) but I can see which important services are running on each of my servers, and even restart them if I need to straight from M/Monit. The free download license allows to use M/Monit on one server, which is all I need anyway.

Great job monit team, you have gone above and beyond.

• Any server can go down. Assuming you have more than one replica of your data, you can lose any server in your setup and still be up and running. This can be achieved with replication, but it’s not as easy. You have to have some form of Master-Master replication, perhaps with DRDB, and some form of failover (usually heartbeat).
• Your data  set scales. If you start running out of disk space with a cluster, just add a few more data nodes and your data will be spread out over them. With replication, each replicated server has to have enough storage to fit the entire database. That means if your dataset grows too large, you have to either partition (a hack, essentially) or upgrade your servers.
• Your bandwidth scales. With a cluster, if you are running out of bandwidth, you can add more mysqld processes on your www servers or add more data nodes and your bandwidth scales almost linearly. With replication, you can only add so many slaves before your writes are the bottleneck. Then, once again, you have to look into things like circular replication (dangerous) or partitioning your data set (large updates to your app unless you have an insanely good ORM, big infrastructure change).

These are the main points that helped me decide. Historically, with a clustered approach, the entire dataset would have to fit in the memory of all the data nodes, which is somewhat restrictive if the dataset gets too large. Nowadays, the cluster only needs to store indexes in memory, and can store all non-indexed data on disk. There is talk of having completely disk-based store as well.

All that being said, I set up cluster, which was surprisingly easy. I’m not going to go over how to set it up or anything, just read the manual. After some benchmarking with the web API for beeets.com, the cluster setup appeared to be running about the same speed as the InnoDB setup when testing various commands…a pleasant surprise. It also appeared to handle concurrency a bit better.

Obviously once the dataset grows past a few megs and the traffic bumps up, we’ll revisit the benchmarking, but my hope is that what cluster loses in speed from your everyday general query, it gains in speed by having ability for higher concurrency.

I had a few problems though. In PHP (just PHP, and nothing else) hosts were not resolving. The linux OS was resolving hosts just fine, but PHP couldn’t. It was frustrating. Also, I was unable to sudo. I kept checking permissions on all my files in /etc, rebooting, checking again, etc.

The fix

Then I looked again. /etc itself was owned by andrew:users. Huh? I changed permissions back root:root, chmod 755. Everything works. Now some background.

A while back, I wrote some software (bash + php) that makes it insanely easy to install software to several servers at once, and sync configurations for different sets of servers. It’s called “ssync.” It’s not ready for release yet, but I can say without it, I’d have about 10% of the work done that I’d finished already. Ssync is a command-line utility that lets you set up servers (host, internal ip, external ip) and create groups. Each group has a set of install scripts and configuration files that can be synced to /etc. The configuration files are PHP scriptable, so instead of, say, adding all my hosts by hand to the /etc/hosts file, I can just loop over all servers in the group and add them automatically. Same with my www group, I can add a server to the “www” group in ssync, and all of a sudden the HAproxy config knows about the server.

Here’s the problem. When ssync was sending configuration files to /etc on remote servers, it was also setting permissions on those files (and folders) by default. This was because I was using -vaz, which attempts to preserve ownership, groupship, and permissions from the source (not good). I added some new params (so now it’s “-vaz –no-p –no-g –no-o”). Completely fixed it.

At the time, I thought “What’s the point of keep-alive for front-end? By the time the user navigates to the next page of your site, the timeout has expired, meaning a connection was left open for nothing.” This assumed that a user downloads the HTML for a site, and doesn’t download anything else until their next page request. I forgot about how some websites actually have things other than HTML, namely images, CSS, javascript, etc.

Well in a recent “omg I want everything 2x faster” frenzy, I decided for once to focus on the front-end. On beeets, we’re already using S3 with CloudFront (a CDN), aggressive HTTP caching, etc. I decided to try the latest HAProxy (1.4.4) with keep-alive.

I got it, compiled it, reconfigured:

defaults
	...
	option httpclose

became:
defaults
	...
	timeout client  5000
	option http-server-close

Easy enough…that tells HAProxy to close the server-side connection, but leave the client connection open for 5 seconds.

Well, a quick test and site load times were down by a little less than half…from about 1.1s client load time (empty cache) to 0.6s. An almost instant benefit. How does this work?

Normally, your browser hits the site. It requests /page.html, and the server says “here u go, lol” and closes the connection. Your browser reads page.html and says “hay wait, I need site.css too.” It opens a new connection and the web server hands the browser site.css and closes the connection. The browser then says “darn, I need omfg.js.” It opens another connection, and the server rolls its eyes, sighs, and hands it omfg.js.

That’s three connections, with high latency each, your browser made to the server. Connection latency is something that, no matter how hard you try, you cannot control…and there is a certain amount of latency for each of the connections your browser opens. Let’s say you have a connection latency of 200ms (not uncommon)…that’s 600ms you just waited to load a very minimal HTML page.

There is hope though…instead of trying to lower latency, you can open fewer connections. This is where keep-alive comes in.

With the new version of HAProxy, your browser says “hai, give me /page.html, but keep the connection open plz!” The web server hands over page.html and holds the connection open. The browser reads all the files it needs from page.html (site.css and omfg.js) and requests them over the connection that’s already open. The server keeps this connection open until the client closes it or until the timeout is reached (5 seconds, using the above config). In this case, the latency is a little over 200ms, the total time to load the page 200ms + the download time of the files (usually less than the latency).

So with keep-alive, you just turned a 650ms page-load time into a 250ms page-load time… a much larger margin than any sort of back-end tweaking you can do. Keep in mind most servers already support keep-alive…but I’m compelled to write about it because I use HAProxy and it’s now fully implemented.

Also keep in mind that the above scenario isn’t necessarily correct. Most browsers will open up to 6 concurrent connections to a single domain when loading a page, but you also have to factor in the fact that the browser blocks downloads when it encounters a javascript include, and then attempts to download and run the javascript before continuing the page load.

So although your connection latency with multiple requests goes down with keep-alive, you won’t get a 300% speed boost, more likely a 100% speed boost depending on how many scripts are loading in your page along with any other elements…100% is a LOT though.

So for most of us webmasters, keep-alive is a wonderful thing (assuming it has sane limits and timeouts). It can really save a lot of page load time on the front-end, which is where users spend the most of their time waiting. But if you happen to have a website that’s only HTML, keep-alive won’t do you much good =).

Everyone (who’s anyone) knows that gzipping your content is a great way to reduce download time for your users. It can cut the size of html, css, and javascript by about 60-90%. Everyone also knows that gzipping can be very cpu intensive. Not anymore.

I just installed nginx’s Gzip Static Module (compile nginx with –with-http_gzip_static_module) on beeets.com. It allows you to pre-cache your gzip files. What?

Let’s say you have the file /css/beeets.css. When a request for beeets.css comes through. the static gzip module will look for /css/beeets.css.gz. If it finds it, it will serve that file as gzipped content. This allows you to gzip your static files using the highest compression ratio (gzip -9) when deploying your site. Nginx then has absolutely no work to do besides serving the static gzip file (it’s very good at serving static content).

Wherever you have a gzip section in your nginx config, you can do:

gzip_static on;

That’s it. Note that you will have to create the .gz versions of the files yourself, and it’s mentioned in the docs that it’s better if the original and the .gz files have the same timestamp; so it may be a good idea to “touch” the files after both are created. It’s also a good idea to turn the gzip compression down (gzip_comp_level 1..3). This will minimally compress dynamic content without putting too much strain on the server.

This is a great way to get the best of both worlds: gzipping (faster downloads) without the extra load on the server. Once again, nginx pulls through as the best thing since multi-cellular life. Keep in mind that this only works on static content (css, javascript, etc etc). Dynamic pages can and should be gzipped, but with a lower compression ratio to keep load off the server.

That’s the stupidest thing I’ve ever seen. What kind of business limits the usage of its products to upstanding citizens only? Last I checked it was the government’s job to impose its views on businesses, not businesses imposing their views on their customers.

I have to say, it’s nice that someone is using their business to take a stand, I guess I’d just prefer it to be in defense of free speech and expression. Sure ALL porn is smutty and violent, but that’s expression in itself. Also, can you fight basic human nature? Perhaps, on a personal level. Repression of sexual tendencies is a lot different than acceptance and non-action though. My point is that pornography is the one place where sexual fantasies are allowed to exist in any way shape and/or form, and Americans, being extremely sexually self-repressed, need that outlet, not more repression.

I also think it’s funny when someone tries to be exclusive because they’re SO awesome when someone else is doing it way better…

I hate java. I hate having java on a server, but hate it even more if it’s only for running one small script. Forever, beeets.com has used the YUI compressor to shrink its javascript before deployment. Well, YUI won’t run without java, so for the longest time, jre has been installed collecting dust, only to be brushed off and used once in a while during a deployment. This seems like a huge waste of space and resources.

Well, first I tried gcj. Compiling gcj was fairly straightforward, thankfully. After installing, I realized I needed to know a lot more about java in order to compile the YUI compressor with it. I needed knowledge I did not have the long-term need for, nor the will to learn in the first place. I, although revering myself as extremely tenacious, gave up.

I decided to try JSMin. This nifty program is simple, elegant, and it works well. It also has a much worse compression ratio then YUI. However, I trust any site that hosts C code and has no real layout whatsoever. Knowing the compression wasn’t as good, I still wanted to see what kind of difference gzipping the files would have.

I recorded the size of the GZipped JS files that used YUI. I then reconfigured the deployment script to use JSMin instead of YUI. I looked at the JS files with JSMin compression:

YUI:
mootools.js     88.7K (29.6K gz)
beeets.js       61.5K (20.5K gz)

JSMin:
mootools.js    106.1K (29.5K gz)
beeets.js       71.0K (17.7K gz)

Huh? GZip is actually more effective on the JS files using JSMin vs YUI! The end result is LESS download time for users.

I don’t know if this is a special case, but I was able to derive a somewhat complex formula:

YUI > JSMin
YUI + GZip < JSMin + GZip

Who would have thought. See you in hell, java.

First off, you always hear that marijuana is a gateway drug. I respond: being a teenager is a gateway drug. The emotions, the hormones, the internal and external influences pulling you in a thousand directions every second of your life…it’s a wonder most of us make it through. That alone is enough to make most people want to try just about every drug out there. Also, another reason marijuana is a gateway drug is because kids are always taught how terrible it is and how addictive it is. So what’s the next thing they do? They try it. After finding that they were lied to and mislead, they learn to mistrust those telling them that “all drugs are bad.” So now heroin or cocaine doesn’t seem so bad either, even though they have much more far-reaching effects than marijuana. The point is, the only real cause of marijuana being a “gateway drug” is the fact that kids are constantly being told lies about it. The fix? Honesty.

Secondly, marijuana in moderation has no permanent effects. You can smoke till yer stupid for a few months, but take a week off and you bounce back completely. Its tar is more harmful than that of tobacco, but who aside from the most extreme users smokes a cigarette-pack’s worth of joints every day? The only way to get cancer from marijuana is to pump the smoke into a ventilator and breath it in 24/7. With cutting-edge advances in technology, there are now vaporizers, which remove the tar from smoking. It’s safer than ever.

Thirdly, smoking marijuana is a personal choice. Here we are, in the “land of the free,” restricted from doing things that even if they do have some negative effect, only affect us personally. It’s not illegal to saw off my arm. It’s not illegal to use a pogo stick next to the grand canyon. Why can’t I take a puff on a joint? Who am I harming?

Now to my main point. We’re in an economic crisis. We’re spending a lot of money on battling imports of drugs (including marijuana), and also spending a lot of money keeping potheads in prison (thanks, prison lobby). That’s two very large drains on our economy to

1. Fund a losing battle. I can go anywhere in almost any town in the US and within an hour, even not knowing anyone, get an eighth of weed. Good job drug war, money well spent. It’s good to know that the taxes I just filed will go to “stopping” me from buying marijuana.
2. Keep pot offenders in prison. Yeah, these people are really dangerous. They are on the edge of the law…sitting on the couch eating chips and giggling. The more money I can spend to keep them locked up, the better. Oh sure, most of them are dealers, but our culture is founded on the principals of capitalism: if a market exists, fill the void and capitalize. Makes sense to me. Nobody would sell pot if nobody wanted to smoke it. Yes it’s illegal, but once again let’s ask ourselves why instead of pointing to a law.

Now imagine a world where the government grew, cultivated, sold & taxed pot. That’s a lot of money we’d make back. Hell even if they raised the price on it, it’d be worth it to just be able to walk into a store and buy it. They could use the revenue from pot to plug the holes caused by battling all the other drugs.

Maybe it’s time to really start thinking about this. If you are against legalization of marijuana, ask yourself why. Anyone who wants to smoke it already does. Show me a person who wants to smoke pot but doesn’t because it’s illegal, and I’ll show you the portal that takes you out of Neverland and back to reality.

Conservative America: you want a smaller government with less services and less control on the population in general. Why not start with drug reform?

I love electronics. Building basic circuits, programming microcontrollers, making malicious self-replicating robots programmed to hate humans, and even so much as wiring up complete motherboards with old processors and LCDs. I had to find a USB flash/eeprom programmer that fit my hardcore lifestyle. On ebay a few years back, I bought the TOP2004. This wondrous piece of Chinese equipment is cheap, cheap, and USB. I needed USB because in the process of making my own flash programmer a while back, I destroyed half the pins on my parallel port. The programmer worked great, but only worked for one chip. I needed something a bit more versatile. The top2004 isn’t a bad piece of equipment. The manual was translated poorly from Chinese, as is the software that comes with it.

Well, for the longest time, I was a Windows XP guy. Nowadays it’s all about Windows 7. Don’t get me wrong, I’m Slackware through and through, but I need my gaming. So I installed 64-bit Windows and love it, but my programmer no longer works.

Requirements: a 64-bit OS that doesn’t let you use 32-bit drivers (namely Windows 7 x64), a 32-bit version of Windows laying around, virtualization software (check out VirtualBox) which is running your 32-bit version of Windows, a Top2004 programmer, DSEO, and the infwizard utility with libusb drivers (virus free, I promise).

Here’s the fix:

1. I remembered when jailbreaking my iPod a while back with Quickfreedom that there was a utility used to sniff out USB devices called infwizard, which I believe is part of the libusb package. I never liked libusb because I remember it royally messing up my computer, but the infwizard program was dandy. It can write very simple drivers for USB devices without any prior knowledge of what they are. I used this with the programmer plugged in to create a makeshift driver. Note: Make sure the libusb* files in that zip provided are in the same directory as the .INF file you create for the programmer.
2. 64-bit Windows doesn’t like you to load unsigned drivers. In fact, it doesn’t allow it at all. You have to download a utility called DSEO (Driver Signature Enforcement Override) to convince Windows that it should let you load the driver you just created.
3. Once you turn driver enforcement off and load up the driver, you should now be able to see your TOP programmer in the device list. Boot your VM, which previously couldn’t use the programmer (because it had no driver), and install v2.52 of the TopWin software. Once installed, you should be able to select the TOP2004 from the USB device list, and voilá…your programmer works.

Obviously running it in a VM is less than ideal, but it’s better than dropping $200 on a real programmer that might actually have 64-bit support. The great part about this version (2.52) of the TopWin software is that it supports the atmega168, which is almost exactly the same as the atmega328…meaning arduino fans new and old can use it. I’m not an arduino guy and use the chip just by itself with avr-gcc, but you can do whatever the hell you want once you get the TOP programmer working.

Let’s first talk about what an ORM is. Basically, you have an app, and you have a database. As the case with most apps, it needs to actually communicate with the database, usually by using queries. Queries are a language the database understands. They allow the application to ask the database for very specific information. An ORM sits between the application and the database. Its role is to give the application an object to communicate to. This object pretends as if it is a piece of data in the database, and allows the app to do things like data.update() or data.delete(). The ORM will write the appropriate queries to the database, regardless of the type of database. A good ORM can also perform joins between pieces of data and perform somewhat complex queries on the database. The purpose is to give a standard interface to communicate with any database.

So here’s my question: on a simple application, an ORM may be a good idea. It provides a standard interface to communicate with, and also allows the database to be “easily” switched out without modifying the main application code at all. But on any app I’ve worked on, there are many, many queries written that an ORM wouldn’t be able to map or understand. So what is the point of an ORM if it can’t handle everything? It’s a standard interface that becomes non-standard the second you write your first non-ORM query.

There is no way anybody could ever write an ORM that handles every query that possibly needs to be written. And instead of defining relationships between data in your queries, you have to define the relationships through the code.  Also, the argument I hear over and over and over: “it allows you to switch out your database easily.” Who the hell switches out their database? Why not just pick a database that does what you want from the beginning…and for the most part, they all do the same damned thing. Also, SQL is kind-of standard, so even without an ORM it’s not like you’ll be rewriting every query from scratch…most likely you’ll have to rewrite a few database-specific functions (think SELECT last_insert_id()). Is it really so hard to do this, especially if you only do it once? If you are switching from Oracle to PGSql to MySQL to MSSQL every other day, then yes, an ORM would probably make sense, but otherwise I don’t see the point.

Data is data, it is not another object. Moving everything under the sun into the object-oriented model does not make anyone’s life easier. SQL is good. Procedural is lightning fast. Learn how to use these, because OO will not solve all your problems.

I welcome use-cases besides those I have mentioned and arguments for/against ORMs in the comments. I’m speaking from personal experience and not married to my opinion…so I’m actually very curious if any of you successfully use an ORM that does everything you need it to.

• Love what you do. If you don’t love what you do, what’s the point? You aren’t really getting anything out of working for yourself, and I can tell you now that for all the stress and work it takes to get a business going and keep it going, it’s just not worth it if you don’t get to do what you love for at least a small portion of the day. Find something you’re knowledgeable and passionate about, and the money and success will follow.
• Consider working with a partner. Owning a business is hard work. Sometimes more than one person can handle. In my experience, it’s been a lot easier having a partner than if I had to deal with everything on my own…someone who you trust and who shares your passion for what you do and for success. You can take a sick day and he/she will work in your stead, you can swap meetings with clients/customers, take vacations while the other one works, etc. You have to split the profits, but can make it up by doing almost twice the work anyway, and you get a lot more freedom.
• Be smart about your time. Since you’re just starting out and don’t have much (if any) capital, it makes sense to try and do everything (bookkeeping, equipment repairs, etc) yourself, right? Absolutely wrong…it almost always makes more sense to hire a professional. You make money by doing what you’re good at. You don’t make money doing time-consuming tasks that you aren’t trained for. Hiring a professional to help you out may seem like a waste of money, but you save money in the long run. They’re great at what they do, you’re great at what you do…so use the time you would have spent floundering with what they’re good at to do what you’re good at, and you can pay them and have leftovers. Need a contract? Hire a lawyer. Doing taxes? Hire an accountant. Being smart about your time is really important, especially when considering your personal sanity.
• “No” can be a great answer. Speaking of personal sanity, let’s talk about the most important word you can possibly have in your vocabulary. “No.” This word will save you. Trust me. You can’t really use this word when you work for someone else, so enjoy it. Try it now…say “no” out loud. Didn’t that feel great? What the hell am I talking about? You don’t have to do everything everyone needs (read: wants) all the time, and you certainly don’t have to do it when they need it. I’m not talking about when you and a client set a deadline and you decide you just don’t want to do it…that’s called laziness or poor planning. But if you find yourself inundated with work and a client out of the blue decides they need that huge project they’ve been mulling over in their head done THIS WEEK, “no” is a very appropriate response. “No” can also be used in other contexts.

  For instance, someone comes to you with a project that doesn’t make sense or it just sucks. Or the project is the best idea ever, but you get a strange vibe from the person pitching it. You don’t necessarily have to use the word “no” in this case, but the general concept is there: money != happiness. Just because a project seems great at first doesn’t mean it won’t drag you into a fiery pit of everlasting hell later on. Listen to your intuition, and know when to turn something or someone down.

  On a side note, the more you exclusively work on better projects with better clients, the better projects and clients you’ll attract. This isn’t a business technique as much as it is the way of the universe.

• Communication is essential. Want to know a great way to piss someone off? Go way over budget on their project, then send them a bill at the end of the month. That’s a recipe for the swift end of a business relationship. Are you going to be 2 weeks late on a deadline? Tell your client ahead of time. Are you way over budget? Let your client know what happened and why! The sooner you tell them, the more appreciative they’ll be. Honesty, transparency, and proactive communication are the foundation of any relationship, but also translate well to business relationships.

  Also, be honest and verbose with your estimates. Sure, a prospective client may go with someone else with lower numbers on paper, but when they find out the other company more or less lied just to dupe them into getting their business, they won’t be happy. Also think of it this way: your numbers are the way they are for a good reason. If the client doesn’t want to pay your fair rate for a project, do you really need that penny-pinching tightwad arguing about every invoice with you anyway? Remember: the better the projects and clients you work with, the better the projects and clients you’ll get.

Ok, that’s about all I have in me for now. Maybe I’ll do a followup later, but hopefully these tips can help anyone new to business, or maybe give someone who’s been doing it for a long time a little perspective. A lot of this stuff I apply not only to my business life, but life in general, with great success on both ends. Keep in mind this is mainly geared towards the service industry, and being only 23 I’m not the most knowledgeable person in the world, but hopefully the things I’ve found so far are universal.

I’m not going to list a bunch of bullet points with features of both compared. I am, however, going to tell you my experiences with both. I started with Google Analytics. The setup and install is so easy, a blind ape could do it. Once tracking, the graphs, maps, numbers are all easy to understand. You can compare your site to others like it, and you can set up different segments of visitors and display the graphs according to your segments.

Google Analytics has been fun and easy. I do have some hangups about it. Although there is no cost, Google owns your data. They are giving you a service, you are selling them your data in return. They know about your visitors and can track them based on their interest in various pages of yours. They can do whatever they want with this information. For some people, this is fine. I personally don’t give much of a rat’s ass what Google thinks they know about me. For others, this is a privacy issue.

I also ran into some limitations with Google Analytics. It doesn’t track downloads very easily, and getting any sort of report that it doesn’t already give you is impossible because you only get what you see.

I decided to try Piwik. It’s open source, they advertise themselves as an alternative to GA, and you own all of your data. I threw up a new site on NearlyFreeSpeech.net, installed Piwik (literally a 5 min. install, just as they say), and started playing with it. A lot of the graphs are the same, the dashboard is completely customizable and is not jenky at all. After tracking some sites with it, I’m convinced it’s actually more accurate than Google. It picks up more visitors and keywords from search engines.

So I’ve been using Piwik regularly for about 3 or 4 months. There are some things I miss. Goals in Piwik do not have the awesome funnel that GA does. Not even close. The goals are pretty stupid, honestly, and all the ones I track are done manually through javascript. It’s nice to be able to track them, but it’s something I can get through any of my apps anyway. So from what I’ve noticed, Piwik is missing the funnel view (although they are working on it), and it’s missing an IP filter: half the visits are from me sometimes, and it’d be nice to be able to browse my own apps without having to worry about messing up the analytics.

Aside from those two points, Piwik is the winner for me. I really never actually check Google Analytics anymore. Piwik really has stepped up and provided a service that’s comparable in features to GA, but free as free for me to use it without having to give away info about my awesome users. I would definitely urge anyone who likes Google Analytics to check out Piwik. The best part is, they’re actively developing it and there more and more features to look forward to as new releases come out.

Prop 16 is designed such that before a city or state entity buys a section of power grid and resells that power to its residents, it must hold an election and get a 2/3 majority vote. While it may seem nice to have the voters decide on whether or not a government entity should be spending their money, it actually doesn’t make sense. The reason is the expenses involved in NOT allowing the entities to do this.

Think of it this way. A government agency spends some of your tax dollars buying up sections of the power grid. Money lost, right? Not necessarily. After they own that part of the grid, they start charging you for the power they give you. Great, so they spend your money to charge you money…but wait, there’s more. Because the government entity is essentially a business at this point which provides a service and charges for that service, it’s making money back. On top of this, the residents now have a choice of who they get their power from. This is known as “competition” and is the leading force against monopolization in any industry. If a market segment is profitable, doesn’t it make sense for the government to capitalize on that market segment?

Now let’s look from another angle. You are a taxpayer (I’m assuming) and you want to make the final decision about whether or not a section of power grid is bought. This is great, but your local government spends a lot (I mean, a LOT) of money without your express permission because we as a city/state/country give our government that power. We elect people to handle this in our stead because we are busy and don’t have the time to make every decision collectively. That’s how a representative republic works (no, the U.S.A. is not a democracy, sorry!!)

So why bother holding an (expensive) election so the govt. entity can spend more money petitioning and explaining to you why it’s good that they actually make money? Especially when they’re spending your money on lots of other things, all the time. Holding an election to give a local government entity the right to actually turn your tax dollars into profit (or at least offer you lower prices on energy) seems like a waste of time, no?

So where did this bill come from? If you read the Wikipedia page, it’s obvious: PG&E. Now, I have nothing against these guys. They do a great job, and obviously they’re just protecting their interests. They do not want the government competing with them, which is why thus far they have donated $6.5 million to the campaign, and have stated they plan to donate up to $35 million total. They obviously have a vested interest in forcing local governments to get 2/3 support in elections (which is very, very hard to do).

By voting “Yes!” on prop 16, you gain absolutely no more rights than you had before, you only make it harder for local and state governments to turn your tax dollars into something useful: cheap power for you. The name “California Taxpayers Right to Vote Act” is a misleading name designed to dupe the voters (that’s you!) into voting for higher energy prices and less competition in the energy market.

It’s important that our local governments are accountable for the money they spend, but passing highly targeted, specific bills that force them to ask, nay, beg, the voters for approval on everything they spend money on slows (if not stops) progress and makes our government much less useful…after all, we’re already electing them and paying them to decide where our money goes. Doesn’t voting on every single issue defeat the purpose of appointing representation?

Also, if the residents of a city really do not want the government spending their money on buying areas of power grid, they can get a ballot intiative (which takes a handful of signatures) and vote on it themselves.

I half-expected to see “teh service is dwn!! were trying to fix it! sry lol!” as with most hosts. Instead, there was page after page of updates with details and explanation. After this, I was able to rest easy, because I had a good idea of how long it would take to get everything back up. Whenever it didn’t go as planned, they’d post another update.

I cannot stress how awesome this was. Yes, they made my downtime awesome by treating me and the other customers as if we were techs in the server room. I didn’t really care about my sites being down, because I knew they were working really hard on it and probably wouldn’t go to bed until it was fixed.

This brings up another point though: transparency makes your customers wet. I know it’s been discussed time after time, but it really is true. People don’t like “Our apologies, our service went down,” as much as they like “Our service went down from 6:30-8:30 UTC today when lightning struck main Big-IP load-balancer, and our failover didn’t switch the backup on.”

What’s a Big-IP? What’s “failover?” It doesn’t matter…treating your customers as equals and letting them decide if information is relevant or not will make them wet.

In my three years experience with NFS, this is the first downtime I’ve experienced. Their support was amazing enough to update every customer with detailed information about the problems they were experiencing and how they were fixing it. I cannot recommend them more. For larger sites that require custom services running, you’re out of luck. For blogs, informational sites, paypal-driven shopping carts (no SSL, yet), etc this is the best shared host I’ve dealt with, ever. They’re dirt cheap, and the only host I know of who won’t disable your site without a court order or copyright violation.

I’m posting what’s left of the suicide note on here in the form of images (all that was left of it).

The part that struck me the most:

The communist creed:
  From each according to his ability, to each according to his need.
The capitalist creed:
  From each according to his gullibility, to each according to his greed.

I’m posting this because I agree with what was said. I believe that America is a wasteland of deceit where gains are privatized, and losses are socialized.

Like I’ve said and believe firmly, violence never solves anything… it continues cyclically and endlessly. It’s important, though, to see why violence happens and not just pass it off as “terrorism.” Yes, terrorism exists, but that doesn’t mean there isn’t a reason behind it, no matter how misguided.

My heart and thoughts go out to those who lost their lives as a result of this incident. Yes, they were part of this unjust, corrupt system, but isn’t everyone? They were obvious targets but we’re all in this together, and it’s not fair they should pay when everyone involved (everyone) is just as guilty as the politicians and corporations.

UPDATE – found the original text, linked on what used to be Joe Stack’s website.

I was kind of blown away by this. Obviously it’s a marketing ploy to scare unknowing customers into using them instead of doing a simple WordPress install, but it’s blatantly wrong and I feel the need to respond. Oddly enough, their blog is in WordPress. Hmm.

First off, all software has vulnerabilities. All servers have vulnerabilities. Yes, it’s easier to find them if you know the setup or know the code, but from what I’ve seen in my lifetime of computer work is this: if someone wants to hack your site, they will. If there is a vulnerability, they will find it. And as I just said, all software has vulnerabilities. It’s stupid to assume that because the source is only readily available to people who pay you money and the people who work on their site after you that no vulnerabilities will ever be found. They will be found. Look at Google. They were just hacked by China. Does Google open source their Gmail app? No, completely closed-source. But someone wanted to hack them, so they got hacked. That’s what happens. Also, if your proprietary CMS is written in PHP, Python, Ruby, Perl, etc etc…you’re still using open source. Someone could attack the site at the language level. Does it make sense to now develop your own closed-source programming language so nobody will ever be able to hack it?

Secondly, most well-known open-source software has been around a very long time and has had hundreds of thousands (if not millions) of people using it. This means that over time, it gets battle-hardened. The common and not-so-common vulnerabilities are found, leaving the users with the latest versions a rock-solid code base that has gone through thousands of revisions to be extremely secure. With open-source, you’ve got hundreds of eyes looking over everything that’s added/changed/removed at all times. With proprietary code, you get a few pairs of eyes at best, with much fewer installs, much fewer revisions to harden and secure.

Is open-source better than proprietary? If you’re poor, most likely, but otherwise they both have their good and bad points. The main point of this article isn’t to bash proprietary software at all, it’s to refute the claim that because the source is open the product is less secure. I believe the exact opposite, in fact. If your code is open for everyone to look at, you damn well better be good at seeing vulnerabilities before they even get deployed…and if you don’t catch it, someone else developing the project probably will.

Is open source too open? Hell no.

It appears Google is on a mission to alienate and anger their users. Mission accomplished. You know why I don’t use other searches? Because there’s too much clutter in the results. Google is simple. You type something, it shows results. Thanks. End of transaction. No need to show me “OH! Because you typed ‘gonorrhea’ you might like AIDS!!!” or “See news about ‘gonorrhea!’” No thanks. Just show me the listings. Or would you like to see images of gonorrhea?? If I did, I’d click the “Images” link you so graciously supply on top.

So now Google is on a quest to be more like Yahoo. Idiots. Google, why do you think nobody uses Yahoo? Why do you think everyone uses Google? IT’S THE FUCKING INTERFACE, you dumb shits. Are you really too fucking stupid to realize this? The more you copy other search engines, the more your appeal slips into the ether.

I really want to not hate you Google, but you make it so hard lately. PLEASE STOP FUCKING WITH YOUR INTERFACE.

So, I’d like to try something like Varnish (sorry, Squid) but that’s adding one more step in between my requests and my content. Sure it would add a great speed boost, but it’s another layer of complexity. Plus it’s a whole nother service to ramp up on, which is fun but these days my time is limited. I did some research and found what I was looking for.

NginX has made me cream my pants every time I log onto the server since the day I installed it. It’s fast, stable, fast, and amazing. Wow, I love it. Now I read that NginX can cache FastCGI requests based on response caching headers. So I set it up, modified the beeets api to send back some Cache-Control junk, and voilà…a %2800 speed boost on some of the more complicated functions in the API.

Here’s the config I used:

# in http {}
fastcgi_cache_path /srv/tmp/cache/fastcgi_cache levels=1:2
                           keys_zone=php:16m
                           inactive=5m max_size=500m;

# after our normal fastcgi_* stuff in server {}
fastcgi_cache php;
fastcgi_cache_key $request_uri$request_body;
fastcgi_cache_valid any 1s;
fastcgi_pass_header Set-Cookie;
fastcgi_buffers 64 4k;

So we’re giving it a 500mb cache. It says that any valid cache is saved for 1 second, but this gets overriden with the Cache-Control headers sent by PHP. I’m using $request_body in the cache key because in our API, the actual request is sent through like:

GET /events/tags/1 HTTP/1.1
Host: ...

{"page":1,"per_page":10}

The params are sent through the HTTP body even in a GET. Why? I spent a good amount of time trying to get the API to accept the params through the query string, but decided that adding $request_body to one line in an NginX config was easier that re-working the structure of the API. So far so good.

That’s FastCGI acting as a reverse proxy cache. Ideally in our setup, HAproxy would be replaced by a reverse proxy cache like Varnish, and NginX would just stupidly forward requests to PHP like it was earlier today…but I like HAproxy. Having a health-checking load-balancer on every web server affords some interesting failover opportunities.

Anyway, hope this helps someone. NginX can be a caching reverse proxy. Maybe not the best, but sometimes, just sometimes,  simple > faster.

Rackspace is an amazing company. They are know for having great servers, great support, great everything. You can’t beat them. Mosso was a side project that was swallowed up by them which aims to run websites in a real, actual cloud. This is a valiant cause. To be able to upload a site to one server and have it scale infinitely over however many servers their datacenter has without ever having to touch it…that’s a miracle. It’s a great idea, that unfortunately just doesn’t work.

Mosso has repeatedly let us down, again and again. Their service is always going down. It’s hard to find a month where one of our sites hosted on the “cloud” hasn’t seen at least an hour of down time. I’d expect this from a shoddy “HOST 100 SITES FOR $2.99/mo!!” host, but not from someone charging a base rate of $100/mo. Here’s what it boils down to: you’re paying Mosso a lot of money for the privilege of beta testing their cloud architecture. Great business model.

And while Rackspace is known for fanatical support, the Rackspace Cloud is known by us for support that is fanatical about ignoring or avoiding the issues plaguing them on a week-to-week basis. Questions go unanswered, support requests ignored, etc etc.

So all in all, it’s been a terrible experience. And yes, we have been using them for more than a month…a little over a year now. Yes, we stuck it out and payed outlandish hosting rates for horrible service. Why? Because I really do wish it worked. I wish I could put a site on it and have it be up 100% of the time. That’s the point of a cloud, no? To have >= 99.999% uptime? I really wish I could put a site on there and let it scale with demand as it grew without ever having to touch it – and I can do this – but the price is my site goes down for long periods of time at short intervals (oh, plus the $100/mo). We tried to give them the benefit of the doubt, and tried to believe them every time they told us that this was the last downtime they’d be having (yes, we heard it a lot). I just can’t lie to myself any more though. Mosso sucks.

So please save yourself some time and realize that it’s too good to be true. The Rackspace Cloud is the most real and cool cloud hosting you’ll ever see, but as far as I’m concerned they are still alpha-testing it, and your site WILL go down. Want hosting that scales automatically, is zero customer maintenance, always up, and has amazing support? You won’t find it anywhere.

Mosso comes close, but they just can’t get it right. Save your money and learn how to scale on a good VPS provider.

So, in case you haven’t heard, Apple took their iPod touch, made it 5x bigger, and are now marketing it as the iPad (or “Tablet”). Where does that leave us? A portable device that’s not portable and really fucking difficult to use. The reason laptops have keyboards and pointing devices is because people don’t like on-screen keyboards. They suck. It’s necessary on small and mobile devices like the iPod touch, but on a bigger level it’s not…which why laptops exist.

So before you follow the marketing hype and buy your new $500 tablet, ask yourself “What the fuck am I thinking?! I already have an iPod, and I already have a laptop. Those swindling asslickers don’t need more of my money!”

That’s right, the iPad is a shitty in between piece of shit which is shitty and smells like shit. It’s not quite a laptop, and it doesn’t quite fit in your pocket. Stay away!! Don’t be a dweeb!

<rant>
What the fuck? Your search page was so simple. So clean. There was nothing to fix, nothing to make simpler. There was minimalist navigation on the top, and a few links on the bottom. It worked very well and was very good design.

You took something very simple, and tried to make it simpler. You have not succeeded. You took what you view as a problem and swept it under the rug. Your homepage isn’t simpler at all…it just LOOKS simpler at first glance. Then with first mouseover, it fades in?! What the fuck are you thinking?

This is the kind of childish effect a high-schooler learning HTML 4 would hack into his first homepage with shitty javascript. It looks nifty the FIRST TIME but after that it’s completely obnoxious and frustrating. I don’t want to wait to click on Images or News. Even if it’s 1/2 second.

To use the words of a blog commenter: “Imagine being at your desk preparing to work, but the desk chair would not appear until you try to sit down.” This is exactly how I feel.

If you really want to keep your juvenile display of javascript skillz, please give people an option to disable it so we don’t have to keep a bucket nearby in case new the homepage induces violent bouts of vomiting. Until then, I (and several others from the sounds of it) will be using Bing.
</rant>

I had heard many, many times about the dd-wrt firmware. One of the good things about the WRT53Gv3 is that you can install just about any custom firmware you want onto it. I’d also heard in the past about a firmware called Tomato. It’s supposedly light, lean, fast, and has great QoS (although I never even bother with QoS).

I decided to give it a shot. I’m in love. It gives you all the options you need for the things you’d want, but doesn’t bloat up the interface with extra junk. It’s simply amazing. I really think Linksys should just stop bothering to make their own shitty firmware and just install Tomato on their routers.

Unfortunately, Tomato didn’t fix the wireless problem, so I had to plug in an old nemesis Netgear router I had laying around. It starting, in memory of times past, dropping my connection every 5 minutes. Fine for browsing the interweb, but not for streaming music or “videos.” I decided to give the Linksys one more shot…and it worked! Thank god. The best router ever with the best firmware I’ve seen so far, NOW with wireless. It must have been some strange hardware issue that fixed itself.

To be fair, I’ve never used dd-wrt and therefor can’t give a good comparison between it and Tomato. If I had a few extra routers laying around, I’d try it out…but each firmware flash is a dance with the devil and I can’t afford to get / find another one.

touch ~/.bash_profile
chmod a+x ~/.bash_profile

Now that you have the file, add this to it:

SSHAGENT=/usr/bin/ssh-agent
SSHAGENTARGS="-s"
if [ -z "$SSH_AUTH_SOCK" -a -x "$SSHAGENT" ]; then
	eval `$SSHAGENT $SSHAGENTARGS`
	trap "kill $SSH_AGENT_PID" 0
fi

This will start up ssh-agent for each Cygwin shell you have open. Close your Cygwin shell (if one is open) and open a new one. Now type:

ssh-add ~/.ssh/id_rsa
[enter your password]

Voila! No more typing your stupid password every time you need to ssh somewhere. Note that if you close the Cygwin window, you’ll have to ssh-add your key again! This is good security…you can close the window when you’re done and someone who happens on your computer sitting there won’t have password-less access to any of your secure logins.

It’s important to think of a REST web service as a web site. How does a website work?

• A website works using HTTP. If you need to fetch something on a website, you use the HTTP verb “GET.” If you need to change something, you use “POST.” A RESTful web service uses other HTTP verbs as well, namely PUT and DELETE, and can also implement OPTIONS to show which methods are appropriate for a resource.
• A website has resources. A resource can be information, images, flash, etc. These resources can have different representations: HTML, a jpeg, an embedded video. REST is the same way. It is resource-centric. Want a list of users? GET /users. Want an event? GET /events/5. Want to edit that event? PUT /events/5. Every resource has a unique URL to identify it!
• Resources are not dealt with directly. Instead, representations of resources are used. This can be a bit hard to grasp. What is a user? It’s a nebulous object somewhere that I cannot interact with. It is an idea, an entity. A representation is a form of the user resource I can interact with. A representation can be a comma delimited list, JSON, XML…anything the client and server both understand. How do we know what we’re interacting with? Media types:
• As a website will tell you what kind of image you’re requesting, a REST service tells you what kind of resource representation you are receiving. This is done using media types. For instance, if I do a GET /events/7, the Content-Type may be “application/vnd.beeets.event+json” which tells us this is a vendor specific media (the “vnd”) and it’s an event in JSON format. You can pass these media types in your Accept headers to specify what type of representation you would like. These media types are documented somewhere so that client will know exactly what to expect when consuming them.
• If you request a page that doesn’t exist or you aren’t authorized to view, a website will tell you. This is done using headers. A good REST service will utilize HTTP status headers to do the same. 200 Ok, 404 Not Found, 500 Internal Server Error, etc. These have already been defined and refined over many, many years by people who have been doing this a lot longer than you (probably)…use them.
• A website will have links from one page to another. This is one of the main points of a REST service, and is also widely forgotten or misunderstood (it took me a while to figure it out even doing intense research). Resources in a REST service link to eachother, letting a client know what resources can be found where, and how they relate to eachother. An HTML page has links to it. So does a REST resource. Links can be structured however you like, but some good things to include are the URI of the linked resource, the relationship it has with the current resource, and the media type. This creates what’s known as a “loose coupling” between client and server. A client can crawl the server and figure out, only knowing a pre-defined set of media types, what resources are where and how to find them. This principal is known as HATEOAS (or “Hypermedia as the Engine of Application State”).
• REST is stateless. This means that the server does not track any sort of client state. There are no session tokens the client uses to identify itself. There are no cookies set. Every request to the REST service must contain all information needed to make that request. Need to access a restricted resource? Send your authentication info for each request. It’s that simple. Isn’t it easier to track session? Not really. Maybe it’s easier on a small level, but once you start needing to scale, you will wish you’d gone stateless. Using a combination of HTTP basic authentication and API/Secret request signing, you don’t have to send over plain text passwords at all. Hell, even throw in a timestamp with each request to minimize replay attacks. You can get as crazy as you’d like with security. Or for those who prefer security over performance, use SSL.

Now for some examples. Because I’m currently working on an event application, we’ll use that for most of the examples.

Let’s get a list of events from our server:

GET /events
Host: api.beeets.com
Accept: application/vnd.beeets.events+json

{"page":1,"per_page":10}
-----------------------------------------
HTTP/1.1 200 OK
Date: Tue, 01 Dec 2009 04:12:48 GMT
Content-Length: 1430
Content-Type: application/vnd.beeets.events+json

{
	"total":81,
	"events":
	[
		{
			"links":
			[
				{
					"uri":"/events/6",
					"rel":"/rel/event self edit",
					"type":"application/vnd.beeets.event"
				},
				{
					"uri":"/locations/121",
					"rel":"/rel/location",
					"type":"application/vnd.beeets.location"
				}
			],
			"id":6,
			"title":"Paris Hilton naked onstage",
			...
		},
		...
	]
}

What do we have? A list of events, with links to the resource representations of those events. Notice we also have links to another resource: the location. We can leave that for now, but let’s pull up an event:

GET /events/6
Host: api.beeets.com
Accept: application/vnd.beeets.event+json

-----------------------------------------
HTTP/1.1 200 OK
Date: Tue, 01 Dec 2009 04:12:48 GMT
Content-Length: 666
Content-Type: application/vnd.beeets.event+json

{
	"links":
	[
		{
			"uri":"/events/6",
			"rel":"/rel/event self edit",
			"type":"application/vnd.beeets.event"
		},
		{
			"uri":"/locations/121",
			"rel":"/rel/location",
			"type":"application/vnd.beeets.location"
		}
	],
	"id":6,
	"title":"Paris Hilton naked onstage",
	"date":"2009-12-05T04:00:00Z"
}

Using the link provided in the event listing, we managed to pull up an individual event, which we know how to parse because we know the media type…but wait, what’s this? OMG, someone is trying to smear Paris!! She’s on at 8:30!!! NOT 8!!! Let’s edit…if we do a PUT with new information, we’ll be able to save Paris’ good name:

PUT /events/6
Host: api.beeets.com
Accept: application/vnd.beeets.event+json
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

{"title":"Paris Hilton naked onstage (yuck)","date":"2009-12-05T04:30:00Z"}
-----------------------------------------
HTTP/1.1 200 OK
Date: Tue, 01 Dec 2009 04:12:48 GMT
Content-Length: 666
Content-Type: application/vnd.beeets.event+json

{
	"links":
	[
		{
			"uri":"/events/6",
			"rel":"/rel/event self edit",
			"type":"application/vnd.beeets.event"
		},
		{
			"uri":"/locations/121",
			"rel":"/rel/location",
			"type":"application/vnd.beeets.location"
		}
	],
	"id":6,
	"title":"Paris Hilton naked onstage (yuck)",
	"date":"2009-12-05T04:30:00Z"
}

Holy shit, that was close. Notice we had to pass in authorization info, but now Paris won’t sue us for spreading misinformation. Phew.

What have we learned? Given one URL (/events), we have discovered two more (/locations/[id] and /events/[id]). We’ve also seen the media types in the responses that allow the client to know what kind of resource it’s dealing with and how to consume it.

Hopefully this pounds two really important points in: media types and HATEOAS. Without them, it’s not REST. You can’t just pass application/xml or application/json for every response. Sure, maybe the client can decode it, but they don’t know what it is, and without linking to other resources, they don’t know how to find anything…unless you want to document everything and never change your service.

Some other tips/points:

• Give yourself a few initial entry points to your REST service. You should be able to discover all of the resources in it just by crawling. If you can’t, you haven’t done HATEOAS correctly. This is a lot harder than it sounds, but it’s more than useful later on. Think of your REST service like a website with good navigation.
• Remember to implement the OPTIONS verb for your resources. It will tell the client what verbs can be used on what resources. With some decent routing built into your application, this should be a cakewalk.
• As mentioned, you can use HTTP basic authentication for your requests. If the client is anything but a web browser, you won’t have to serve up an ugly popup login box, you can just do all that shit transparently. If you don’t want to send a cleartext password (please don’t!) you can salt the password on the client side and send it over. Hash the password again with the client’s secret for added security. Crackers will be amazed at your 1337 computer hacking skillz. You can then verify the hashed salted value on the server side. Add client-secret request signing with a timestamp for uber security.
• Read a lot more info on REST. It seems that SO many “RESTful” services out there are half-baked and made by people who researched the topic for half a day. Some good ones to take points from are the Sun Cloud API and the Netflix API. Notice the documentation of media types and LACK of documentation on every single URL you can request. This is that loose-coupling stuff I was talking about.

That’s it for now! I wrote this as a culmination of knowledge for the last week or so of research I’ve done…please let me know if any information is missing or incorrect and I can make updates. Hope it was helpful!

Well I added this:

default_run_options[:max_hosts] = 1

To my deploy.rb, and although it now has to deploy to one server at a time, it works. Note that for two servers this is fine. For 200 it’s not so fine. I’ll worry about that when it comes though.

UPDATE!!!! Something I never thought about until now is that you can use ssh-agent to save your keys in memory pre-deploy. Then you have a password-protected key that works with Capistrano WITHOUT doing the max_hosts hack. This is tested (on cygwin) and working for me.

You can add arrays together:

	$test1	=	array('name' => 'andrew');
	$test2	=	array('status' => 'totally gnar, dude');

	print_r($test1 + $test2);
	---------------------------
	Array
	(
	    [name] => andrew
	    [status] => totally gnar, dude
	)

Wow…who would have thought. And my most recent favorite, converting objects to events. It’s a simple foreach($object as $key => $val) and putting each element into a separate array right? WRONG:

	$array	=	(array)$object;

No fucking way. Casting actually works in this case. Why does nobody tell me anything?! This is great for parsing XML because any parser normally returns an object, and quite honestly, I hate dealing with objects. All database data is by default returned as an array usually,  and it’s a pain having some data sources being objects while others are arrays. Now it doesn’t matter…if you like objects, cast an associative array as an (object), if you like arrays cast with (array). I love PHP…

“This service is NOT RESTful because in REST, payloads are self-describing and contain references to other resources, and servers should be able to change their namespace, and two points always make a line unless one is in hyperspace.” And xyz.com’s REST API wasn’t doing this? What could they have done to change this? What IS REST about their API?

Maybe I’m dumb. Actually, no I’m not. I just can’t look at a spec and say, “Oh, I get it.” I have to see real, live examples. Why can nobody do this? It seems every HTTP “REST” service is a false implementation yet nobody can give a concise explanation of why.

I get that using only GET and POST is not RESTful. I get that every resource is a noun, and has a URL associated with it. I get that verbs are defined by HTTP and should not be used in URLs. I get that HTTP status headers should be used in conjuction with responses. I sort of get what a media type is (application/vnd.ieatmcdonaldstoomuch.cheeseburger) but do not get where it is defined. Or is this arbitrary?

Some points I have taken from all the back-and-forth involved in trying to break into an extremely elitist (and rightfully so, REST is REST) architectural style:

• REST is stateless. All information required to complete the request is sent with the request. Every time.
• REST re-uses existing specs. HTTP has defined some very useful verbs (GET/POST/PUT/DELETE) for us to use. It makes sense to use those instead of creating custom verbage. HTTP also has status headers for letting a client know WTF is happening. 200 OK, 506 Suck My Balls Client, etc.
• REST maps resources to locations. I can find events by doing GET /events. I can post an event by doing POST /events. I can delete an event by doing DELETE /events/123. These URLs (/events, /events/123) are resources…an event collection and a single event. They are abstract things and a description of that thing is what is interacted with (aka “representation”).
• REST uses media types to define resources. I’m assuming this is the “application/vnd.event+xml” content-type thing. This is very confusing for me. Where is this MIME type defined? How is it defined? How does a client consume it? WTF is going on here? Any ideas, anyone?
• A REST service is self-descriptive. Reading one of Roy Fielding’s annoyingly-complex criticisms of bad REST implementations brings up the point that given an initial URL and a “set of standardized media types that are appropriate for the intended audience,” I should be able to completely discover all information on that service. So when I hit the homepage, I should get an XML/JSON/HTML response telling me that there are events under /events? How do I structure this response? What “media type” would this resource be? I get the point behind this, but would love to see a full implementation.

So while I’m have a lot of trouble grasping the last two points, everything else seems to make good sense. So far, anyway. I’m sure in a few minutes I’ll read another guide telling me that everything I know about REST is WRONG and I’m going to hell for even thinking the word REST without knowing exactly what it means.

Perhaps a REST web service that describes how to implement REST over HTTP would be a fun and amusing project…

UPDATE – I suppose a website comprised of HTML that describes REST would be RESTful…no need to make a “service.” Maybe this should be taken under because there seems to be a vague disseration, a few authoritative “resources” who love to use useless jargon, and a collection of blog posts that individually are all wrong, but pieced together create a somewhat workable view of that REST over HTTP should be like. So, someone should definitely get on that. In fact, I just might.