The Amazing Miss Vivian

Miss Vivian was a friend of mine who recently died. She was a Phone Sex Operator at LDW.

When she passed, the following song kept going through my head:

I would like to explain a little about that.

I know Vivian went to the spirit in the sky.

The Jesus of the Bible, okay I’m not a religious person, but it is largely because of how the people who are religious portray Jesus. The Jesus in the Bible isn’t the Jesus that Christians celebrate.

The bits about Jesus being deity born of a virgin etc. I believe are additions to the story, but I do believe a man named Jesus existed and what was recorded about him, he was very socialist and put compassion and the needs of others first.

Just as an example, the Jews of his day were about to stone a Harlot. Jesus came to her defense, and when they had all left, he told her that her accusers were gone. There was no one left to condemn her, and he did not condemn her either.

That’s the Jesus I am a fan of, and that is a different Jesus than the Jesus that Evangelicals claim. Evangelicals live for condemnation, they enjoy telling people they are condemned if they don’t do things their way and see things their way. Evangelicals are the same as those Jesus defended the Harlot against. The person portraying Jesus in the image below, he gets it, he understands.

Jesus holding a rainbow sign that says "I'm cool with it"
Jesus is cool with it

But anyway, I know Vivian went to the Spirit in the Sky. And that is why this song is what went through my head when I heard she passed, and continues to go through my head when I think of her.

I brought up Jesus in the context of Vivian for a reason, not just because the song happened to mention Jesus, though it does.

Vivian, to me, she personified what the Jesus I adore and respect was all about. I would like explain.

The Sheep and The Goats

During Vivian’s memorial service on Cock Radio, I mentioned that Vivian understood what “Whatever you have to the least of my bretheren, you have done it unto me.”

That’s from a parable Jesus told called The Sheep and the Goats. Here is a rather neat song that tells the story of that parable:

Nutshell – there are two kinds of people, Sheep and Goats.

You can argue that is a false dichotomy and you might have a point, but that misses the point of the parable. Oh and for what it is worth, a parable is a story told to make a point.

The Goats – they were people who did not help those in need. The Sheep – they were people who specifically did help those in need.

In the parable, the Son of Man tells the sheep that he was hungry, and he fed them. He was without clothing, and they clothed him. He was in prison, and they visited him.

The sheep can’t recall doing it, and Jesus said “In as much as you have done it to the least of my bretheren, you have done it unto me.”

That’s who Vivian was, she had a very giving and helpful heart. She went out of her way to help the people she could help. In the parable, she would have been in the group identified as sheep.

Vivian is now with the Spirit in the Sky, for the life she lived is what the Spirit in the Sky wants of us.

As Keith Green points out – the only difference between the Sheep and the Goats is what they did and didn’t do. Vivian did.

Who Is My Neighbor?

In Vivian’s memorial service, I also mentioned that Vivian understood what it was to be a neighbor.

That’s also was a reference to something Jesus said. Luke 10:25-37.

A lawyer asked Jesus what he must do to get eternal life (to be with the Spirit in the Sky when he dies) – and Jesus responded by asking him what the law said was important.

The lawyer answered from Deuteronomy 6:5 and Leviticus 19:18. The passage in the Bible focuses on the second part, that’s what was important to Jesus, he was very socialist. Okay second time I’ve mentioned socialism – I don’t mean it the same way others do, to me socialism is the concept of people taking care of each other rather than attempting to compete with each other and drive each other into the ground.

Anyway, Jesus told the lawyer he answered correctly, but the lawyer then wanted Jesus to define who his neighbor was. What followed was the parable of the Good Samaritan, and the meaning of that parable is often misunderstood.

The context of the parable was answering the question of who his neighbor was.

Many Jews did not like Samaritans very much, I can’t stereotype them – after all, Jesus himself was a Jew, his disciples were Jews, most of those who heard him speak and followed him were Jews, it wasn’t until some time after his death that his message went to the Greeks and then eventually spread throughout the Roman Empire.

But to many Jews, Samaritans were seen in the same light many Americans (largely conservatives including many Evangelicals) see Immigrants. They really did not like them. From Wikipedia:

Furthermore, the Dead Sea scroll 4Q372, which recounts the hope that the northern tribes will return to the land of Joseph, remark that the current dwellers in the north are referred to as fools, an enemy people, however they are not referred to as foreigners. It goes on to say that these people, the Samaritans, mocked Jerusalem and built a temple on a high place (Gerizim) to provoke Israel.[17]

Conflict between the Samaritans and the Jews were numerous between the end of the Assyrian diaspora and to the Bar Kokhba revolt. The Tanakh describes multiple instigations from the Samaritan population against the Jews and disparages them, Jesus’ Parable of the Good Samaritan also gives evidence of conflict.[18] The destruction of Mount Gerizim’s Samaritan temple is attributed to the High Priest John Hyrcanus.

In the parable Jesus told, a Jew was traveling to the city of Jericho and robbers attacked him and beat him and left him for dead.

Many “respectable” Jews passed him on the road, but did not stop to help him. They crossed to other side and left him. The list specifically includes religious leaders, a Rabbi and a Levite.

But when a Samaritan passed him, the Samaritan helped him. Took care of his wounds, took him to an Inn, and paid the Inn keeper to look after him.

For many, the point of the story is to help others in need and that is not a bad thing, but that is not the actual point of the story.

The actual point of the story is that it was the Samaritan who was his neighbor, not the “respectable” people that passed him by.

A Samaritan, whom the Jews tended to look down upon. Jesus was making the point that we are to see everyone as our neighbor and as the verse from Leviticus the Lawyer pointed out, to love our neighbor as ourselves.

That was Vivian. She didn’t look down upon anyone, she saw the humanity in everyone, she knew what it meant to be a neighbor and it had nothing to do with social class or any other artificial grouping our species likes to create that divides us rather than unites us.

Vivian knew what it was to be a neighbor.

And now, she is with the Spirit in the Sky.

Thank you Vivian, someday I hope to join you with the Spirit in the Sky, and when I do, it will be a joyous occasion.

Composer Class Manager

Perched colorful bird with a fish in its beak
Original Source: Pixabay

Yesterday I made a rant about the Composer system for managing PHP dependencies.

I went a bit overboard, I understand that. Composer does make a lot of things easier for developers of reusable PHP classes, and also makes it easier for users to install them on operating systems that do not have good quality package management.

My complaint can be solved without boycotting composer as I ranted about.

My biggest concerns are the following:

A) Composer involves an awful lot of trust, you have to trust that every dependency and their dependencies are from package repositories that are both trustworthy and well maintained.

B) Composer does not have a good way to validate the installation of dependencies, e.g. I can not import public signing keys from developers I trust and have composer automatically reject dependencies that are not properly signed by a signing key I trust. And if it did have such facilities, it would be a nightmare to maintain due to the number of different developers. Package A may depend upon Package B and I may trust both, but an update to Package B may gain a new dependency on Package C that I do not have a reason to trust, meaning I can no longer update A if it requires the updated B, and if the non-updated B is insecure I can not update B to the secure update unless I trust C.

C) Installation of dependencies within the package directory is akin to static linking which is dangerous for many reasons. If the maintainer of Package A never updates their code to use the secured version of B but continues to specify an old insecure version of B then Package A is not secure.

My concerns are concerns that really are for deployment system administration.

I plan to solve them by creating a package repository structure for global installation of Composer packages managed by the native package manager of the operating system.

Assuming it will be called CCM (bad name, but the name I want – EMF for Ecstasy Mother Fucker – probably does not have good market appeal. Besides, the band EMF might take issue with it, since it was often rumored that is what their EMF stood for) the base directory for the repository would be /usr/share/EMF er I mean /usr/share/ccm.

Within that base there would be three package directory trees: stable, devel, and local.

The purpose of stable would be to contain latest stable versions of the package by vendor/packagename using the same naming scheme that Composer uses.

The purpose of local would be for cases where an older version of the same dependency really honestly is needed.

The purpose of devel would be for cases where bleeding edge not yet stable releases are needed.

The system administrator could then specify the PHP include path order based upon the needs of the web application using the libraries.

This will not solve all scenarios where a web application does not work with the current stable version of a dependency, but it should solve most.

RPM Packages

I have been packaging RPM packages since Red Hat 5.2 days, and currently maintain both the LibreLAMP and AWEL Media package repositories. I will start fleshing out this idea with RPM but hope that the same packages can be created for other operating systems.

The spec files for packages will need to have some packaging guidelines.

First of all, pristine source with checksum validation in the RPM spec file, similar to what the EPEL Postgresql package does:

( cd %_sourcedir; sha256sum -c %{SOURCE16}; sha256sum -c %{SOURCE17} )

Before it even unpacks the source tarball, it validates the sha256sum of the source tarball. That is classy. I might do it a little different, define the sha256sum in the spec file itself.

The spec file to build a “stable” version will be the same spec file that builds a “local” version. When building a local version of package bar from vendor foo:

rpmbuild -D 'local 1' php-ccm-foo-bar.spec

Defining the local macro will cause it to put its files in /usr/share/ccm/local instead of into /usr/share/ccm/stable and give the resulting RPM the name of php-ccm-foo-bar-local with a Provides of php-ccm-foo-bar = %{version}-%{release}.

Only noarch packages will be allowed, nothing that includes binaries.

When security issues are found, patches can be created that address the issue whether or not the upstream vendor has addressed it. So a security issue in foo/bar that exists in all versions, patches can be made for spec files for all versions so that those who need an older version can do a git checkout of the spec file for the older version and if available it will include a patch that fixes the security issue, even if the vendor did not backport the fix to older versions.

I would like to develop some code review standards. Some are obvious, e.g. any library that does remote includes will have to be patched not to, any libraries that add third party resources to the HTML output will have to be patched not to (even jQuery CDN hosting of jquery is not appropriate), etc.

A yum repository for stable packages will be maintained that is distribution independent.

Here’s the kicker. In Yesterday’s blog post, I said quite passionately that Composer should be avoided. Well, now I instead want to require that libraries packaged for this repository are install-able by composer.

Why? For several reasons.

First of all, I want to use the Composer vendor/package scheme. Secondly, composer really does make life easier for both developers and for users who do not have an operating system with a package manager that will work with this project idea of mine. I have to concede that point.

I fucking hate that Composer has caused many developers to stop contributing to PEAR and I do not want to make this repository have the same impact for people who currently are happy with Composer that Composer had on PEAR. And some people think autistics have no empathy…

Anyway – so that is something I will be doing. I will start by packaging some of the Composer based plugins for Roundcube, and when I have a more solid plan, I’ll do an announcement and seek package contributors and stuff.

Alice Out.

God Part II – A Musical Journey

Profile head photo of Bono Vox singing into the microphone

This post is about my musical journey with one of my favorite U2 songs – God Part II

My interpretation of the song may not be what was intended or accurate, but it is my interpretation – and it has gone through changes. It’s sort of a – a musical journey, really, you know?

Here is the song God Part II

Growing up in a conservative Christian home, secular music generally was not allowed. However when I was fifteen, I had my first seizure, while in a study group for my Calculus class (I went to college young)

A result of having a seizure, I had to have an EEG and I was suppose to stay up all night the night before. I guess feeling sorry for me, my mom let me buy the VHS tape of Rattle and Hum to watch, and the cassette tape too.

I watched that film several times that night, that was actually my introduction to the Rolling Stones song “Ruby Tuesday” which I had never heard before but now is one of my favorites of all time.

Anyway from the Rattle and Hum album, I fell in love with the song “God Part II” – at the time, I thought the title was Bono’s way of pointing out that Christians were missing a major part of what God was suppose to be, it wasn’t until the late 90s that I found out John Lennon had written a song called “God”.

Anyway – here’s my interpretation of God Part II – the song that means more to me than I can possibly put in a blog. And if it seems chaotic, well, this is the Chaos of Alice Wonder.

What the Lyrics mean to Me

Don’t believe the devil
I don’t believe his book
But the truth is not the same
Without the lies he made up

From the first time I heard this, and to this day, I interpreted that to mean the Bible was the Devil’s book. Not that the Bible was an evil work, but rather, that it was being using for evil purposes.

Keep in mind I highly valued the Bible and at the time believed it to be the key to salvation. But I saw how much evil was being justified with the Bible, and it hurt me deeply, and I thought that is what Bono was pointing out. Whether that’s the case or not, I still hear those lyrics that way.

Don’t believe in excess
Success is to give
Don’t believe in riches
But you should see where I live
I, I believe in love

That verse I initially interpreted as expressing their own hypocrisy, hypocrisy being a trait that all humans have. Yes, we are all fucking hypocrites.
U2 has always very much into philanthropy and not because it made them look good, but because it was where their heart was, yet as rock stars that really are in the same class as The Beatles and the Rolling Stones, they have a lot of the same personal wealth that they almost certainly frowned upon when they were younger and without wealth.

I have no doubt it causes them conflict.

Once I knew this song was a response to “God” for awhile I thought maybe that verse was meant for John Lennon – in response to his “imagine” lyrics –

Imagine no possessions
I wonder if you can
No need for greed or hunger
A brotherhood of man

Imagine all the people
Sharing all the world

John Lennon wrote Imagine, sang it with passion, yet had quite a bit of wealth and possessions himself.

Now the way I see the lyrics in God, I see the lyrics as a call to socialism.
Wealth is an addictive disease, the more we have the more we want even more, and that is why capitalism always ultimately fails with either economic crash or a bloody revolution. Individual people may want to help individual poor people to feel good about themselves, but they want to keep their wealth too. They believe the poor and needy should be helped but it is hard to let go of what you have, your personal desire to live in luxury precludes your empathy for what is happening to the poor. A socialist society where the cost of helping the poor becomes part of the cost of gaining wealth is the only solution that actually has a chance of working, otherwise we may say that we don’t believe in riches – because riches are always more than we have, we always want more, even when how where we are living is in considerable excess from the perspective of the poor.

Don’t believe in forced entry
Don’t believe in rape
But every time she passes by
Wild thoughts escape
Don’t believe in death row
Skid row or the gangs
Don’t believe in the Uzi
Just went off in my hand

It’s possible U2 was referencing some song I don’t recognize, but I think they are references the Sermon on the Mount by Jesus.

“You have heard ‘Thou shall not commit adultery’ but I say to you, if you look at a woman with lust in your eye, you have committed adultery with her in your heart. You have have heard ‘Thou shall not commit murder’ but I say to you, if you hate your brother, you have committed murder in your heart”

That’s a paraphrase, I’m too lazy to copypasta the real thing, but that’s what Jesus said in the Sermon on the Mount that is eerily close to what Bono sang there.

Sermon on the mount is in my opinion one of the most mis-interpreted passages from what Jesus spoke. The verse on lust is used to justify preaching that masturbation is evil, that women have to dress a certain way or they may cause men to lust and sin, etc.

What Jesus was saying is don’t think yourself more righteous just because you haven’t committed adultry or killed someone etc. – thoughts of lust and hate etc. are emotions virtually everyone feels, no one can claim to be righteous, moral superiority is a flawed egotistical concept that results in dangerous pride and self-righteousness. But that point does not seem to be obvious to most Christians.

Jesus is saying you can’t be “pure” yet those verses are twisted into creating oppressive rules on how to be “pure” – the exact opposite of what Jesus was trying to say. In my opinion.

I think U2 gets it.

Don’t believe in cocaine
Got a speedball in my head
I could cut and crack you open
Do you hear what I said?

I have never been quite sure what that meant, but a speedball (a cocktail drug always involving cocaine, usually mixed with heroin or morphine) like much of the song is a paradox, a stimulant mixed with a depressant, a paradox that often leads to violence, like many of our paradoxes do.

Don’t believe it when they tell me
There ain’t no cure
The rich stay healthy
The sick stay poor

That is the verse in the song that always meant the most to me.
It speaks volumes of the social injustice and classism that is very much a part of our society.

A lot of poverty is caused directly by illness that either can be prevented or kept in check if you are wealthy.

The lifespan of the average American is in decline, while the lifespan of the top 1% is on the rise. The rich are literally killing off the poor and it angers me so much sometimes I rage and want to go into rich communities and burn their mother fucking houses to the ground.

Commit a crime against the wealthy though and you are fast to be prosecuted. Commit a crime against the poor and no one gives a fuck.

That’s why Martin Shkreli was left alone and even admired by many for radically raising the price of Daraprim – something that radically hurt the poor – and he and wasn’t prosecuted until they found out he had run a ponzi scheme that was stealing from the wealthy who would still be wealthy despite what Shkreli was doing.

The rich stay healthy, the sick stay poor.

Don’t believe in Goldman
His type like a curse
Instant karma’s gonna get him
If I don’t get him first

I did not know about John Lennon’s song “Instant Karma” until a few days ago.
I had heard the song before, many times, the “We all shine on” part was very familiar to me. But I never knew what it was called. Things like buying John Lennon boxed sets etc. is something I just have never really been in the right financial class to afford, and I don’t like to pirate music – piracy is something middle and upper class people do to keep more of their money, poor folks like me, well some of us, we are tired of being taken advantage and not being paid what we are worth, so we don’t like to take advantage of others.

I feel dirty even putting the YouTube videos in this post.

Anyway what I thought it meant – I thought it reference to Goldman Sachs, an investment company where all that matters is money and people hurt in how money is earned isn’t really a concern. That’s what that verse meant to me for years.

But then I found out about this –

With those lyrics as an obvious reference to that John Lennon song, I looked up Goldman John Lennon and found out there was an author named Goldman who wrote a very controversial book about John Lennon, portraying him in a very bad light.

Obvious to me now, that is what U2 was talking about.

Don’t believe in rock ‘n’ roll
Can really change the world,
As it spins in revolution, baby
Spirals and turns

My suspicion is this also is a reference to a John Lennon song but what always comes to my mind is this song by Ten Years After:

Everywhere is freaks and hairies
Dykes and fairies, tell me where is sanity
Tax the rich, feed the poor
‘Til there are no rich no more

I’d love to change the world
But I don’t know what to do
So I’ll leave it up to you

In the 60s and 70s there was a lot of momentum within the hippie movement for social change, but as always seems to happen, entropy has its way and the class division keeps growing with the rich getting richer and the poor getting poorer and rock and roll can’t fix the problem.

Rock and Roll can give us the emotional high we need but itself does not bring about the social justice we so desparately need. Well, the social justice people like me need, those who are rich don’t need it and they have all the power. Men go and come, but earth abides. Generations come and generations go, but the earth remains forever. Rock revolutions follow the same cycle, they come and go, but nothing changes.

Don’t believe in the 60’s
The golden age of pop
You glorify the past
When the future dries up

There U2 speaks the truth. That’s the biggest problem with so-called “conservative” movements. They look at history forgetting ignoring the evils and want to take us back in time, rather than learning from the evils so we can look forward to a brighter future.

A classic example – Roy Moore’s statement on values before the civil war – “I think it was great at the time when families were united – even though we had slavery – they cared for one another . . . . Our families were strong, our country had a direction.”

He’s glorifying the past, and his claim about families is an absurdly white statement. White slave owners intentionally broke up families so that they couldn’t be strong – e.g. Frederick Douglass never got to even know his mother.

“My mother and I were separated when I was but an infant…. It [was] common custom, in the part of Maryland from which I ran away, to part children from their mothers at a very early age. … I do not recollect ever seeing my mother by the light of day. … She would lie down with me, and get me to sleep, but long before I waked she was gone.”

That’s the past Conservatives glorify instead of learning from, because they don’t have a future to look forward to. Rather than learn from the past to make a better future, they try to pretend the past was better than it was and recreate it.

Heard a singer on the radio
late last night
Says he’s gonna kick the darkness
‘Til it bleeds daylight
I, I believe in love

That is a reference to a Bruce Cockburn song “Lovers in a Dangerous Time”

And I think the title to that song is what U2 was reference. They clearly are lovers, but we are definitely in a dangerous time.

I, I believe in love.

Feel I’m falling,
I’m spinning on a wheel
It always stops besides a name,
A presence I can feel
I–I believe in love

That’s the sensation I feel when I have a seizure, I can feel them before they come (so-called Experiential aura)

I know the sensations I am experiencing aren’t real but they still feel real, depth and time perception get way out of wack, things happen out of order – meaning I perceive time in an incorrect order, I see things happen before the things that cause them to happen so it feels like a psychic experience but of course it isn’t, though one time I am sure it was because I saw something happen, reacted to it, and my reaction became the cause. or at least it seemed that way but there is no other explanation. I heard someone yell at me “Are you okay?” causing me to twist and ask them to help me, but according to them, I asked them to help me before they yelled “Are you okay?”

One time, I had a seizure at around three in the morning on the sidewalk of Lake Boulevard. I went to the store to get a snack because I was feeling off and that sometimes helps, I didn’t make it home. I woke up on the sidewalk, I could see the dried blood on the sidewalk and feel the blood on my face. I had been there quite some time, but no one driving by had bothered to call for help.

However a friend of mine Cooper was there. I knew I was Hallucinating her, but at the same time I knew she was real. A paradox like much of this song. I was disoriented and did not know how to get home. Cooper helped me to get home, telling me which way to go, encouraging me to keep going even though I felt like I wanted to crumple up in the bushes and sleep some more until I got my orientation back. When I got home, my hallucination of her said goodbye left and I went to sleep.

I know it wasn’t just a hallucination, her spirit came to help me.

It always stops besides a name, a presence I can feel.
I believe in love.

Step with it.

Thank you for bearing through my tangled neurotic mess,

Alice Wonder

Why I do not like Composer

I really really like PHP.

Drawing of the head of an orchestra composer with arms above his head while leading an orchestra
php composer logo

For several years now, more and more PHP applications are moving to composer for installation and it really bothers me. It is fucking dangerous, and I would like to explain why.

It Encourages Laziness

When installing a web application, a system administrator needs to now the implications of what that web application does.

With Linux vendor repositories, like Fedora or RHEL/CentOS or EPEL – the system administrator at least knows the code has been reviewed by the vendor to make sure it does not do anything it is not suppose to do, but that is not the case with Composer.

The Roundcube webmail client for example, when packages by Fedora, the application in the past was patched to fix some dangerous JavaScript. When installing it as distributed by the vendor, you do not have that benefit.

When installing web applications that System administrators use to need to at least read the README file which gave some indication of things the web application did before you installed it. But now you just run the composer utility, and it installs the application and whatever it depends upon and whatever its dependencies depend upon etc. without the system administrator needing to review shit. That is dangerous.

Poor Package Security

With a proper package manager, only packages signed by repositories you trust are installed. The system administrator has to import the public encryption key from the repositories they trust, and when retrieving packages, the package manager checks the signature on the package. If the package was not signed by a key the administrator trusts, the package does not install.

This is not the case with composer. There is no local database of public keys for vendors the administrator trusts that packages are then checked against.

Someone could hack the server where I host my AWEL packages and put trojan packages there. But those packages would not be signed by me unless the attacker also managed to get my private signing key and knew what my pass phrase to that key was. That protects my users, because they would be alerted that the software packages the attacker put there were not signed or were not signed by the signing key associated with my package repository, and the trojan packages would be rejected.

Composer has no such facilities.

This is code that not only is running on your server, but is serving content to your users. I do not understand why so many system administrators are okay with this. It is reckless.

It encourages Developer Laziness

When dependencies are globally installed on a system (e.g. in the PEAR infrastructure see the developer of the web application has to keep their code up to date, or it will not work on systems that have newer versions of the dependency installed.

That is not the case with composer. Composer pulls the dependency inside the application directory so that the application developer never has to update their application to reflect updates in the dependency.

That sounds very attractive to application developers but it is a fucking security nightmare.

Most dependencies are developed by small teams often in their spare time, sometimes only a single individual. They often do not backport security fixes to older versions or pay attention to security issues in older versions.

Thus if a composer file specifies it needs endroid/qrcode >= 1.6.5 and < 2 – but the developer is working on version 3.5 and has not updated the older versions, the older versions may have exploitable security issues that are never fixed that composer happily installs into the web application.

It is a vector for malware

If GroovyApplication depends upon LibSanity which depends upon ClasslessMatrix which depends upon JunkBoxer which depends upon FenderBender – all those projects are installed when the system administrator uses Composer to install GroovyApplication.

All an attacker has to do is gain access to one of those dependencies, and they can add their malware to what Composer installs.

The developer of GroovyApplication has no fucking clue how well the developers of all those dependencies secure their projects, nor can the developer of GroovyApplication prevent the maintainers of one of those projects from turning development over to someone else who has malicious intent.

The Bottom Line

Bottom line is Composer is a flaws way of doing things, and it really pains me that it is becoming the standard way to do things.

We have seen what happens when shared libraries that are globally installed are not used for decades. The library gets updated to fix security issues but because applications linked against static versions of the libraries, those applications remain vulnerable.

This is why so many Android and iOS apps are exploitable – they do not use shared libraries. This is why so many Linux distributions in their package repositories frown upon or completely forbid packages that static link instead of dynamically linking to dependency libraries.

But that is exactly what Composer does, it is just like static linking because the composer JSON file allows specifying specific versions that often are never patched by their maintainer because the maintainer is working on newer versions.

Bottom line – do not use Composer, it is fucking dangerous.

Minifying Webfont CSS

This morning I wrote a small script to both unify and minify CSS files that define web fonts.

Drawing of Hesperocyon
Artist rendition of what Hesperocyon may have looked like.

Don’t mind the picture, it is an artist rendition of what we think the common ancestor of all current members of the canine family looked like, and it is here so that twitter does not just post a blank image when I share this page there. And because it is cool.

Minifying JS and CSS

When serving JS and CSS, it is a good idea to minify them. They often are needed for the page to be fully functional and minifying them reduces the bandwidth needed to serve them. Minifying makes a big difference to users who have extremely limited bandwidth.

With respect to minifying JavaScript and CSS, I personally normally do it on the fly with a php class I wrote (it makes use of a php class someone else wrote)

What I have is a php wrapper script that the .htaccess file calls. If the JS or CSS filename was requested with a unix timestamp at the end of the filename, it gets minified on the fly by php and served with instructions to cache for a very long time. The wrapper script I wrote also takes care of browser requests to see if the cached version it has is current.

When adding the JS or CSS file to the webpage, the UNIX timestamp of the original is added. That way, any changes I make to a JS or CSS file result in a new timestamp so I do not have to worry about stale versions being served to the user, and the browser can cache it a really long time.

Webfont CSS

When your web application uses web fonts, they are defined in a CSS file. With the exception of this WordPress blog, I prefer to serve webfonts myself so that they are not a source of tracking for my users.

The JS/CSS minification my web applications do does not work with my webfonts though because webfonts are served from a cookieless domain I run different from the server that serves the web applications, so the web application can not check the timestamp on the CSS file to see if it changed. Well it could if I created a way for the web application to ask the font server, but that introduces latency and other issues.

Also, my php class that minifies CSS removes all comments and I can not do that with webfont CSS files because many of the fonts are commercial fonts and need the license information intact.

Before this morning, I had four different webfont CSS files I would server:

  • ywft-webfonts.css (webfonts licensed from
  • floss-webfonts.css (Free Libre Open Source Software)
  • base35-webfonts (Adobe Postscript Level II fonts I licensed eons ago as Type1 fonts for LaTeX – converted to both woff and woff2)
  • lmono-webfonts.css (Lucida Mono family I licensed eons ago from for LaTeX – converted to both woff and woff2)

Four different CSS files, not being minified. The first two could change as I added fonts, the last two never change.

Anyway, SEO analyzers always complained about the number of CSS files and that they were not minified.

With respect to the number, that’s bullshit. Most browsers these days use HTTP/2 and my server supports HTTP/2 meaning a single connection can be used to request all four files (along with jQuery served from the same server).

But they had a point about the lack of minification, and while I could not remove the license related stuff, I did have comments to myself within the CSS files that really did not need to be served to every fucking browser that requests it.

So – early this morning I finally scripted a solution to both issues, using the yuicompressor utility (a command line Java JS/CSS minifier, available for CentOS 7 from the EPEL package repository – yum install yuicompressor will fetch it for you)

When you start a CSS comment block, you start it with /* and end it with */

To tell yuicompressor not to remove it, start it with /*! instead.

The Script

Here is the script, broken into pieces. It is small but I want to explain each piece.

pushd /srv/ > /dev/null 2>&1

I will be running it from cron every fifteen minutes, so we want output of the pushd command redirected to /dev/null or the cron daemon will be e-mailing me the output every fifteen minutes.

rm -f tmp.css && touch tmp.css
rm -f tmp2.css
rm -f tmp3.css
rm -f tmp4.css

Not completely necessary, but just make sure those four files are wiped clean. I could do it in less that four temporary files, but… I like to keep things simple.

for css in ywft-webfonts.css floss-webfonts.css base35-webfonts.css lmono-webfonts.css; do
  cat ${css} >> tmp.css
  echo -e "\n\n" >> tmp.css

Puts the contents of all four files into a single file. The echo is not really necessary, I just wanted new lines between them so I could look at tmp.css and see where one file ended and other began.

yuicompressor -o tmp2.css tmp.css

That takes the unified CSS file and minifies it, but preserving the comments that are marked to not minify.

cat tmp2.css \
|sed -e s?"\/\*"?"\n/*"?g \
|sed -e s?"\/\*\!"?"/*"?g \
|sed -e s?"\*\/"?"*/\n"?g > tmp3.css

yuicompressor compressor does not start a preserved comment blocks on a new line, I want them to start on a new line, that is what the first sed does.

The second sed removed the ! from the beginning of the comment block that told yuicompressor to leave that comment intact.

yuicompressor compressor does not insert a new line after a preserved comment block, the third sed adds that.

sed '/^$/d' tmp3.css > tmp4.css

The result of the sed commands that fixed how I like comments was some empty lines that I didn’t want, one at top of the file and anywhere one preserved comment block directly followed the other. I could have added that to the first chain of sed commands but I didn’t.

cmp --silent webfonts.css tmp4.css || cat tmp4.css > webfonts.css

If the result differs from the existing webfonts.css file and only if the result differs, the existing webfonts.css file is replaced by the result.

That way when browsers check to see if their cached copy is still good, even though the script runs from cron, the inode and timestamp will only be different if the content of one of the four starting files actually changed.

popd > /dev/null 2>&1
exit 0

We’re done.

There is a .htaccess file that lets me request the file by a different name:

RewriteEngine on
RewriteBase /webfonts/
RewriteRule ^webfonts-[0-9]+\.css$ webfonts.css
AddType font/woff2 .woff2
AddOutputFilterByType DEFLATE text/css
<FilesMatch "\.(woff|woff2)$">
Header set Cache-Control "max-age=7257600"
Header set Access-Control-Allow-Origin "*"

<FilesMatch "\.css$">
Header set Cache-Control "max-age=7257600"
ForceType 'text/css; charset=UTF-8'

The web applications just append the YYYYMMDD that corresponds with the first day of the week to the filename, so once a week the browser will always fetch a new copy, and if I add a font and need the web application to immediately fetch a new copy, I can tell the web application to add 1 to the YYYYMMDD so anyone who already cached it that week gets a fresh copy too.

Autism and Empathy

A common myth is that autistic people lack empathy.

I do not know where the fuck the myth comes from but I am not aware of a single peer reviewed academic study that validates the myth.

Peer review is critical to the scientific process and the scientific process is critical to understanding things like autism.

There are some bizarre ways this myth is expressed. In Oregon in the Umpqua Community College Shooting the shooter was autistic. Many people ranted about autistics being sociopaths without emotions, few saw the bigger problem that we are a country without adequate mental health help for those with mental issues yet we make firearms readily available.

Most mass shootings are not done by people with autism, almost all mass shootings are however done by people with some kind of mental illness. Clearly autistic people in society are not the issue that needs to be addressed. Better mental health and better control of firearms designed to kill lots of people in a short period of time are the two problems that need to be addressed.

My personal experience is that autism results in more empathy than neurotypical people tend to have. We do however express it differently, after all our brains work differently, and maybe that is where the confusion comes from.

In a discussion on the government role of helping the poor, I was of course arguing that we NEED to help the poor, that poverty is a cycle, that the wealthy may have worked hard for what they have but most of that time that is only because they had opportunities to work hard that produced profit where someone born into poverty only had the opportunity to work hard to barely survive.

In that discussion I was accused of lacking empathy.

I still am trying to figure what the fuck he meant by that. I suppose the problem was empathizing with the poor, not with this person’s desire to pay less taxes so that people who have nothing can eat.

I have heard the autistic empathy tends to be more systematic than on the personal level and there may be some truth to that, I can understand exactly why it would be.

Autistic people often have problems with social interactions. It is hard for us to ask for help from people we know, let alone people we do not know, asking for help involves very personal social interactions.

Also, a lot of the way I see neurotypical people express empathy does absolutely nothing to solve the problem. Giving a hug to someone who just lost their job does not put food on the table or help them buy new socks and underwear when what they have runs out.

Here’s how I express empathy.

PCs for Single Mothers

Back when I had a good job that payed lots of money, I would build computers for single mothers. My empathy was actually for their children, I knew computers were a key component to quality education, and while others in the group I was with often just refurbished old computers – I did not think it was fair that these kids should be using outdated junk just because they are in poverty.

I would build new computers, using more expensive hard drives that had a low failure rate and quality power supplies that had a low failure rate (hard drives and power supplies are most common components to fail).

Even though the motherboard often had built-in video that was good enough for me, I would put in a quality video card so the kids could play some of the more graphic intensive games.

I did not want my gift to them to be a constant reminder that they were in a social class that was too poor to have nice things.

Most people in the group thought I was nuts, that I should just be rebuilding old computers, as it would be much cheaper. Old computers are often good for many things, but they are old.

Audio Downloads

As many reading this site know, I run the kinky audio site Naughty.Audio.

Part of my motivation for that site, some Phone Sex Operators do not work for the kind of companies that offer a vast Internet network that helps market them.

I feel for the independents that do not have a company behind them that does the a lot of the marketing for them. I want to provide a place that brings callers and operators together without the operator being required to be part of a specific company, to give the independents a chance at some of the same kind of marketing help that operators who work for companies get.

In designing that site, I wanted to make sure it was as accessible as possible to people with disabilities. People with disabilities still often have sexual cravings, but it is harder for them not only because of their disability, but because a night on the town in expensive and people with disabilities often are poor, over 70% live in poverty. Phones Sex allows them to express themselves sexually at a lower budget. As such, the websites related to Phone Sex should be coded to work with assistive technology and it literally boggles my mind that the vast majority of adult web sites ignore accessibility in their web design.

With the audios, people with hearing impairment can still do Phone Sex via sexy texting, even if they are completely deaf. So the audios should have captions so that those users can sample the creativity of the erotic entertainer just like hearing people can.

Audio Downloads

It goes much further than that, though. The site offers audio downloads. For most people, serving the downloaded audio as a .mp3 or .m4a would be best because that is what is plays in iTunes.

But those file formats do not allow embedding of captions that allow a deaf person to read what is being said. Okay technically the MPEG-4 containers used by .m4a audios does, but no one who is deaf that I know knew of any audio players that it actually worked well with. They all just use VLC Media Player where captions are best when in a SRT format in a Matroska container.

So to serve their needs, I need to serve the audios in a Matroska container with the audio captions embedded, even though iTunes does not support Matroska meaning people who do not need the captions either have to use a different player than iTunes or transcode it.

Why not have a separate download for hearing impaired?

Because I do not believe it is ever fair for someone with a disability to be required to disclose that disability to a web server, again my sense of empathy. Many of them may not mind, but why should it be forced upon them?

It is better to have an inclusive audio download everyone can use, and those who want to play them in iTunes should bug Apple, there’s no good reason why Apple can’t support Matroska, they choose not to. Apple wants to control the market.

But neurotypical people don’t complain to Apple, they complain to me. I should conform to Apple’s way, serving files iTunes will play, forcing deaf and hearing impaired users to either not use my service or identify themselves as probably hearing impaired to my server so they can download a different version of the audio.

It isn’t autistic people that lack empathy, often it is the people cursed with neurotypical disorder. Hopefully someday there will be a cure for neurotypical disorder, maybe electro-shock treatment or keeping them institutionalized until they learn.


Google Analytics II

Follow up to me previous post. I went to The Absolute Beginner’s Guide to Google Analytics to see what they said. From that blog:

Here are just a few of the many questions about your website that you can answer using Google Analytics.

  • How many people visit my website?
  • Where do my visitors live?
  • Do I need a mobile-friendly website?
  • What websites send traffic to my website?
  • What marketing tactics drive the most traffic to my website?
  • Which pages on my website are the most popular?
  • How many visitors have I converted into leads or customers?
  • Where did my converting visitors come from and go on my website?
  • How can I improve my website’s speed?
  • What blog content do my visitors like the most?

I would like address each of those.

How many people visit my website?

You can get that from your server logs. The results are probably more accurate from your server logs, because a lot of people block the tracking cookie that Google Analytics uses.

Where do my visitors live?

Again you can get that from your server logs, but be aware that VPNs can obfuscate that data.

Do I need a mobile-friendly website?

The answer to that question is yes. But if you aren’t sure, you can use something like Google or Bing Webmaster tools to see what kind of devices people coming to your site through them use. It will like be over 50% mobile.

What websites send traffic to my website?

You can get that from your server logs, and from analytics techniques that do not require third party trackers.

What marketing tactics drive the most traffic to my website?

You can get that from analytics techniques that do not require third party trackers.

Which pages on my website are the most popular?

You can get that from your server logs.

How many visitors have I converted into leads or customers?

You can get that from analytics techniques that do not involve third party trackers, and honestly, it is better to get that from techniques that do not involve third party trackers. Do you want you competitors to know this information? No? Then why trust a third party to analyze it for you?

Where did my converting visitors come from and go on my website?

If that really matters as much as you think it does, you can get that using analytics techniques that do not involve third party trackers. And more accurate too, since a lot of users block Google Analytics.

How can I improve my website’s speed?

You do not need Google Analytics to find out where your bottlenecks are.

What blog content do my visitors like the most?

You can get that information by asking your visitors.


Well, There You Have It

It seems that Google Analytics is really just a trade of user privacy in exchange for webmaster laziness.