Looks like I've been tagged twice - so here goes.

How old were you when you first started programming?

Apple II e when I was like 7, Vic20 when I was like 8... but really my start was about 10 with GW-Basic on a 286 AT 16mhz.

How did you get started in programming?

I was interested in programming from about age 6 or 7.. though I think I was 12 when I taught myselfTurbo C++ (And the object oriented concepts that went with it) - so I've spent over half my life in object oriented languages - not sure if that's good or bad! 

I owe my parents a large amount of gratitude as they recognized my interests early on, and though we had little money they spent a lot trying to encourage my interests (computers were not so cheap in the 80's).

What was your first language?

Basic on the Apple II e and Vic20 - but really I think it wasn't until GW-Basic in Dos4 (and later quick basic) that I became fluent at writing programs and starting to break problems out into a series of functions. After basic came C++ (and in-line assembler), Tcl/Tk and Visual Basic 3 or 4 - then once I started tertiary study I added Pascal, Delphi, Jade, bash, java and perl to the list.

What was the first real program you wrote?

A "real" program ... I'm going to take "real" as something commercial with "users" ... hmm.. I had a part-time job when I was like 14 helping to add functionality to a C based DOS accounting system used around New Zealand - That'd be the first "real" program I added code to.  Around 17 I started writing a lot of code for open source projects [same time I started studying at Unitec] (I think all the projects are dead and gone now) and had a keen interest in writing libraries for game development prior to the advent of hardware accelerated 3D, later transferring that interest to OpenGL once Voodoo and NVidia hardware started getting cheaper.

What languages have you used since you started programming?

Basic (at least 4 or 5 variants), C, C++, Tcl/tk, Bash, Pascal, Jade, Java, JavaScript, Python, Ruby, ASP, T-SQL, Visual Basic 3 and above, VB.Net, F#, VBA, Lisp, Perl, Boo and a few others - though C# has been my language of choice since the early beta's of the .Net Framework v1.

What was your first professional programming gig?

I think probably working as a Junior at Terabyte Interactive (when they were based in Newmarket) on a rowing machine C++/OpenGl visualization app (the infamous RowPro project).

If you knew then what you know now, would you have started programming?

Without a doubt - I was passionate about it when I was 8... I'm still passionate about it after 20 years. It scratches 2 itches I've had my entire life, a need to create and a need to debate/discuss/analyze problems/challenges.

If there is one thing you learned along the way that you would tell new developers, what would it be?
Learn to learn, and if you don't like learning find a new profession.  I almost feel like learning is my job, and developing solutions is a side-effect of trying to achieve my primary objective of learning.

What's the most fun you've ever had ... programming?

Hmm... I couldn't pick any one project - most fun environment-wise would be my early days a Terabyte, it had a wonderful dot-com feel, and we didn't have much work on (at times), so we got to pursue our own pet projects and take long team breakfasts in the local cafe - A fun environment, albeit a doomed one.

Probably since then I would say the "Syzmk Rich Media Processor" - an application which had a wonderful variety of requirements and an interesting suite of technologies (it was developed with early releases of the Castle project and betas of the .Net Framework 2.0) and was one of the first projects I approached in a TDD fashion.

Who’s next?

• DevHawk
• Sam Gentile
• Jacqui's Dev blog
• Castle Charlton (Insane World)
• Keith Nicholas

Architecture chat tomorrow, some things that have caught my eye lately:

• Non-paged CLR host - Nno paging during normal operation and no paging will occur when the application is idle.... hmmm... could be useful!
• StyleCop - C# source code analysis for compliance against a set of rules that embody Microsoft's own style conventions.
• Spartan programming
• PSake - build automation tool without the angle bracket "tax" (bit like rake or bake (boo make) - but with more similiarity to existing command line tools).
• Dependency Injection is dead? (A provocatively named article, but really it's just about using compile-time IL-weaving to do lazy loaded DI).
• TypeMock racer - interesting deadlock finder (still under development) - and probably a sign of things to come (i.e. array of tooling to verify sound multi-threaded code).
• AAA style syntax for Rhino Mocks (Arrange, Act, Assert) - I've been using this for the past couple of weeks on a project, it really allows for concise easy to read testing with stubs/mocks.

If anyone has any topics they'd like to cover just leave a comment on this post (so other's can get a heads up as well).

Notes from previous meetings and directions etc. can be found here on my wiki - all are welcome to attend.

Also tonight is the Ellerslie .Net user group - A testers perspective's with Hafiz Vegdani, starting at 6pm.

Reasonable turnout at the last Architecture Chat - appologies about the late write-up!

So we talked about a few things last week - on a recurring them of IL generation and weaving we discussed verifying generated assemblies with PEVerify - and how to ensure IL you generate is not invalid and Garreth mentioned some issues with ILDASM crashes when using Mono.Cecil.

We talked about the process for wrapping and abstracting functionality and services, and I gave a brief mention to this blog post which provides a slightly more formalized description to this process - Wafagy.

The discussion moved onto file/XML persistence and substituting traditional relational databases with alternative persistence mechanisms, especially in the cloud.

Static analysis tools were discussed, and thoughts about what (if any) alternatives exist to tools such as NDepend.

We talked about the use of "toolkit" style projects such as the Umbrella project or Rhino Commons and the compromise often felt between plucking out only the bits you want (to control the surface area of your project) verses the wish to easily integrate updates and unit tests from the library into your project as they undergo continual improvement.

I also talked about hostile templating/transformation languages (such as the template language in Enterprise Architect which I've been using for a recent project) and what features make a domain or templating language "hostile" to being part of your daily process i.e. lack of debugging, lack of comment syntax, poorly identified or completely missed syntax errors, left to right expression evaluation, lack of operator presidence rules etc.

I then gave a quick run through how I've been using the MDA and MDG to model a PIM (platform independent model) of the domain, including OCL constraints, and how it's automatically transformed into a platform specific model (Castle ActiveRecord with validation attributes in this case) which is then used to generate code from - and the issues I've encountered so far with the tool.

Details of previous chats can be found here on the wiki.

The next Architecture chat is this Thursday, all are welcome.

Jonathon Rossi over in Brisbane has been hard at work on the CVSI project (Castle Visual Studio Integration) and has released version 0.3 which now supports VS 2008 - for those not in the know CVSI provides nvelocity intellisense when writing views for monorail.

I did some testing of some earlier releases last week and it's looking good, hilights include:

• New installer which supports 2005 and 2008.
• Basic XHTML intelisense.

It also includes some fixes which means the intelisense now works when the templates are not in a web application project (useful for those of us writing applications where we have pluggable modules) and fixes for multi-level inheritence, so helpers and view components with multiple levels of base class i.e. FormHelper (which now inherits from AbstractFormRelatedHelper) will be included in the list of classes, something which bugged me with earlier releases on 2005.

Great work Jono!

Architecture Chat Tomorrow... Some possible things to talk about:

Subversion 1.5 - and it's new merge tracking features.

WCF/WF Features in .Net Framework 3.5 SP1 - a blog post caught my eye with things I hadn't noticed before mostly around DataContract Serialization i.e. ability to serialize graphs (not just trees), an attribute-free mode for the serializer and a suite of strongly typed classes to make implementing AtomPub easier (i.e. Workspaces etc.).

P/Invoke Interop Assistant - handy little tool, about 5 years too late for me :)

Umbrella Project - Interesting project, take a look at Ayendes involved post for an overview.  The ExtensionPoint<T> approach for making extensions more discoverable is interesting - something we discussed right back when the first beta's of VS2008 were on the horizon.

I'd personally also like to talk about some thoughts people have on the bare minimums for a usable language and domain specific languages in particular - i.e. debugging, native support for comments etc. and some experiences with a rather hostile Model driven architecture transformation language I've had to deal with over the last couple of weeks :)

As usual, if anyone has any topics - feel free to leave a comment, send me an email etc.

Notes from previous meetings and directions etc. can be found here on my wiki - anybody is welcome to come along.

If you recall many moons ago I posted a series of articles on the Castle Project's IOC Container "Windsor" teaching the fundamentals of IoC with a practical bent - lots of people liked them, and I still get feedback every now and then from people starting to use windsor and finding them useful.

At any rate Michael McGuire was once such person who read those tutorials a year or so ago and has now started a series of his own - mirroring my castle container tutorials but with the P&P Unity container instead - you can find it here.

As someone who has not given Unity much more then a brief skim it's a nice way to quickly get up to speed on some of the key differences.

So far after reading a couple of articles I've learnt.

• You need to implement your own type converters for things like arrays or dictionaries in configuration.
• Configuration syntax is not particularly human-friendly, obviously designed for management via a tool  - requiring the entry of full types all over the spot like "Microsoft.Practices.Unity.Configuration.TypeInjectionElement, Microsoft.Practices.Unity.Configuration" - just to register a component!
  
• Default lifestyle is transient... hmmm.. personally I think singleton is more-often the norm for me when writing applications, but it really depends on how the container is being used/abused I guess.
  
• Support for multiple configurations looks a little more baked in - but this is trivial stuff to implement in most containers.
  

I'll be interested to see how decorator chains etc. are implemented in Unity.

Good work Michael.

5 people turned up This week.

Peter kicked off the discussion with a review of the Agricultural Field days in a disheartening lack of anything IT there, this sparked an interesting discussion around
what's holding back adoption of technologies such as RFID's for animal identification and some possible inhibiting factors, like the cost to early adoptors, education etc.

After this we returned to more mundane things... first off we Discussed Velocity a bit, comparing it to memcached and some of the interesting features like tagging and the current lack of push functionality in the CTP.

Silverlight 2 beta 2 was next... talked about the new visual state manager and designer integration into Expression Blend.  I noticed after the chat that Ivan has posted an interesting discussion around why he believes the Visual State Manager isn't a great idea - during the chat we did puzzle a little over why silverlight is diverging from WPF, and just how cross-polination between WPF and Siliverlight will occur.

Other things that interested us about the silverlight 2 beta 2 release were Inking & Stylus support (and incidentally second-hand tablet PC's are becoming dirt cheap, so no excuse not to have one lying on your desk!).

Multi-tile source, which could prove interesting for providing information generated on the fly or integrated with existing GIS sources etc.

Cross-domain support, background thread support for networking and duplex WCF communications - I could see this providing interesting possibilities, i.e. a silverlight control that makes the web client a temporary member of a grid network, perhaps distributed virally as a facebook app.  Not to mention the more mundane business applications.

After talking silverlight for a while Jamie then mentioned the OAuth library I'd written - so I went through what OAuth is/does vs. OpenID (there seems a bit of confusion in some peoples minds of what each of these projects aims to achieve) and then what's been implemented, and what is yet to come - for more info on the OAuth library check out this wiki page.

A rambling discussion sparked off by Peter mentioning IBM having broken the "petaflop barrier" and the gradual approach towards a platform for an accurate simulation of the human brain, I made some references to "I am a strange loop" and everyone talked about the general difficulties with artificial inteligence and the current predictions regarding when computers will have enough horsepower to emulate brain function.

Thanks all for coming - see you all in a couple of weeks (Thursday 26th June).

Version 1.0.0.0 of splicer (the little video/audio composition library that leverages DirectShow which I started a few years ago) is now available on Codeplex here this marks a milestone in stability, and probably the main "feature" of this release is 64bit support, something that's been bugging me for ages as I could only work on the project in a VM!

A quick list of changes since the last release are:

• Now uses DirectShow.Net 2.0 (thanks to felix, a fellow NZ'r).
• RenderProgress event.
• Renderers are disposable.
• Support for 64bit operating systems.
• Vista fixes/support.
• Additional samples (i.e. SampleTimeWatermarkParticipant, and a few others).
• Tests updated for NUnit 2.4.7.
• Solution upgraded to VS2008.

What's splicer?

With this library and a little imagination you can:

• Encode video or audio suitable for use on a website.
• Create slide shows from images, videos and audio.
• Apply effects and transitions to audio and video.
• Grab System.Drawing.Image clips from a video at certain times.
• Modify individual video frames during encoding via standard C# mage Drawing code.
• Add new soundtracks to existing video clips.
• Watermark videos.
• Build a video editing suite, if you were so inclined.

There is an Architecture chat tomorrow, 12th June, 11:30am at Garrisons, Sylvia Park.

Some thoughts of possible discussions:

• HttpListener vs. IIS
• Velocity CTP
• Siliverlight 2 Beta 2
• Sandcastle removed from codeplex.
• Lightspeed 2.0
  

I'm also interested in picking peoples brains around Use cases vs User stories and mapping them to test cases etc.

Look forward to seeing you all there.

OAuth for Beginners

For those unfamiliar with OAuth, here's a very short run-down... I'm skipping over some of the details but I think this should give you a taste for what it's all about - for a more well rounded introduction, check out this article on the OAuth.Net website.

The participants

Consumer - "weitu.googlepages.com" - that application that wants to see protected information the provider has for a user.
Provider - "google.com" - the keeper of a users protected information.
User - a user who stores protected information with the provider (say contacts in gmail)

The goal

To allow the user to give a consumer access to their data on the provider without the user having to disclose their credentials (username & password) and to allow for fine-grained control over access granted to an individual consumer - i.e. putting power in the hands of the user to revoke access when they want to, and having it only affect one consumer.

A consumer needs to be known to a provider before they can request a token.

How it works

(For this example we'll use google, for more info on the google implementation see this thread)

The provider publishes 3 Urls for their service and documents them on their site somewhere:

• Request Token Url - https://www.google.com/accounts/OAuthGetRequestToken
• User Authorize Url - https://www.google.com/accounts/accounts/OAuthAuthorizeToken
• Access Token Url - https://www.google.com/accounts/OAuthGetAccessToken
  

The consumer is known to google by it's consumer key (which in the case of a google api is normally a host address, like www.test.com) and this relationship is established in a proprietary manor (i.e. it's not covered by the OAuth spec).

Getting a Request Token

The start the ball rolling the consumer makes a request to the Request Token Url, they get back some form-encoded parameters in the body of the response which contains the token information.

As an example, here's an http request to get a new request token:


And here's the response:


Notice the oauth_signature and other oauth_ etc. parameters - as part of the OAuth core specification it requires that requests be "signed" so that a provider can ensure they haven't been tampered with - this is one of the aspects my library will take care of for you (signing and verifying requests).

User Authorization

At that point the consumer now needs to send the user off to the providers site - this involves using the second of the 3 urls, the User Authorize Url... we just append the scope (required by google, identifies the service you wish to access - not part of OAuth spec itself) and the request token (CMiJx-LdFxD56bOXAQ)

Note that the User Authorize Url isn't signed like the other requests... this is because this step may be manual i.e. a user typing or copying a link into their browser or some hand held device.


In this case, google takes us to a universal login page:



Once authenticated it then takes us to a page where we can authorize the consumer to have access:



By granting access at this point the consumer can then use the last of the 3 Urls, the Access Token Url, to exchange their request token for an access token. Upon granting access a few things should happen:

• An access token should be created.
• The access token should be related to the request token.
• The currently logged in user should be associated with the access token.
  

The last point is important - because you're passing tokens around, rather than account names, you need to have the provider implementation record the association between the access token and the user granting access - and it should be easy for your API implementation to fetch the associated user when a protected resource is accessed.

Exchanging Tokens

Once the user has authorized the consumers access request, the consumer can then exchange their request token for an access token - generally a request token can only be used once - so if the request failed for some reason they would need to start the authorization process again from scratch.

here's the http request for exchanging tokens:


And the corresponding response from the google server:
 

Accessing a Protected Resource

Now that the consumer has an access token they can then make requests for protected resources - they just need to use the access token, here's an example of doing just that:


Obviously once the request has been validated (i.e. valid signature, valid token, valid timestamp range, nonce is unique etc.) the provider implementation needs to fetch the user associated with the access token, so it can then return the correct data back to the consumer - normally you would want to automatically associate the token's user with the current request / controller / channel so that OAuth is basically transparent (i.e. it's just like getting a request from a user who's authenticated normally).

Risks & Issues

One obvious risk is that of phishing... if the consumer sends you to a site that looks like googles authentication page, but isn't google then you're in trouble.  Of course this kind of phishing is more a general problem, then something isolated to OAuth.

Another potential risk are that some signature methods are risky/flawed to the consumer due to implementation i.e. if you have a flickr uploader winforms application, and you use RSA-SHA1, the uploader will need to ship with the x509 certificate (including the private key) in their application ... this basically invalidates the strength of that certificate, because anyone could extract and use the private key themselves (so it's as bad as a plain text signature) - on the flip side for a website RSA-SHA1 is very strong because the private key is kept private.