Tatham Oddie

Archive for April 2006

Updated Atlas Slides + Demos


Following some useful feedback from Clayton James (attended the Brisbane session) I’ve posted an updated version of the .zip file at http://fueladvance.com/Downloads/AtlasTalk.zip.


Written by Tatham Oddie

April 25, 2006 at 16:24

Posted in Uncategorized

Tip: Decimals in C#


I have noticed some people writing code like this to get a decimal in their code:

decimal amount = decimal.Parse("10.00");

It’s not that obvious, but you can write this instead, which is better:

decimal amount = 10.00M;

If you don’t include the M, the compiler treats the literal as a double, which is why it won’t compile.
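The literal also removes a culture dependency that matters when the value is money. The following added example (not code from the original post) parses the post's "10.00" string under two number formats; the class name and the German-style separator settings are assumptions chosen for illustration.

```csharp
using System;
using System.Globalization;

static class DecimalLiteralDemo
{
    // Parses the text with an explicit number format instead of the
    // thread's current culture, which is what decimal.Parse(string) uses.
    static decimal ParseWith(string text, NumberFormatInfo format) =>
        decimal.Parse(text, format);

    static void Main()
    {
        // Compile-time constant: no parsing, no culture, no runtime failure.
        decimal literal = 10.00M;

        // Constructed format with German-style separators:
        // ',' is the decimal separator and '.' is the group separator.
        var germanStyle = new NumberFormatInfo
        {
            NumberDecimalSeparator = ",",
            NumberGroupSeparator = "."
        };

        decimal invariant = ParseWith("10.00", NumberFormatInfo.InvariantInfo);
        decimal german = ParseWith("10.00", germanStyle);

        // Under the invariant format the parsed value equals the literal.
        Console.WriteLine("invariant == literal: " + (invariant == literal));

        // Under the German-style format '.' is read as a group separator,
        // so the same string silently becomes one thousand.
        Console.WriteLine("german-style value:   " +
            german.ToString(CultureInfo.InvariantCulture));

        // A malformed string is only caught when the line executes;
        // a malformed literal is rejected by the compiler.
        bool ok = decimal.TryParse("10.0x", NumberStyles.Number,
            CultureInfo.InvariantCulture, out _);
        Console.WriteLine("\"10.0x\" parses:      " + ok);
    }
}
```

When a decimal really does come from text (a config file or a request), pass an explicit format such as CultureInfo.InvariantCulture rather than relying on the machine's regional settings.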


Written by Tatham Oddie

April 18, 2006 at 11:19

Posted in Uncategorized

Review: SSW Code Auditor


Over the coming weeks/months I’ll be posting a series of product reviews here. Starting that process is SSW Code Auditor. As many of you know, I have an ongoing relationship with SSW however I’m not getting paid off for this series of posts. Those who know me better would also know that even if I was getting paid … that wouldn’t stop me from publicly bashing something I don’t like.

For anyone who hasn’t come across SSW in their time, you might understand why this tool exists if you take a look at their almost limitless number of standards. They range from the infamous Rules to Better Email to the SQL Server Stored Procedure Naming Standard. With more writing time being spent on these standards than the average magazine publishing house it quickly becomes difficult to enforce and track their implementation; thus Code Auditor, SQL Auditor and Lookout were born.

The Code Auditor sales pitch touts the product as “[using] the power of Regular Expressions to audit your code”. I’d like to rephrase that to something like this:

Code Auditor is a regex runner on steroids combining a regex editor, tester, pre-built rules databases, VS.NET integration and lots of other wacky features like being able to process MDB files.

A pre-built rules database is provided with the product that follows along the lines of SSW’s published standards, however this can be easily customized if you’d like to name your exception variable something other than ex or want to enforce standards that your organization has already developed.
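To make the idea of a regex rule over source text concrete, here is an added sketch (not SSW Code Auditor's rule format and not code from the original post) of the exception-variable naming check mentioned above. The class, the method names and the sample lines are hypothetical; the last sample line shows that a text-level rule also fires inside a comment, because it never sees what the compiler sees.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

static class RegexAuditDemo
{
    // Hypothetical rule: match a catch clause whose exception variable
    // is anything other than the preferred name.
    static Regex CatchVariableRule(string preferredName) =>
        new Regex(@"\bcatch\s*\(\s*[\w.]+\s+(?!" +
                  Regex.Escape(preferredName) + @"\b)(?<name>\w+)\s*\)");

    // Applies the rule line by line and returns the 1-based line number
    // and the offending variable name for every match.
    static List<(int Line, string Name)> Audit(string[] sourceLines, Regex rule)
    {
        var findings = new List<(int Line, string Name)>();
        for (int i = 0; i < sourceLines.Length; i++)
        {
            Match m = rule.Match(sourceLines[i]);
            if (m.Success)
                findings.Add((i + 1, m.Groups["name"].Value));
        }
        return findings;
    }

    static void Main()
    {
        // Constructed sample source, not taken from any real project.
        string[] source =
        {
            "try { Save(); }",
            "catch (IOException ex) { Log(ex); }",          // passes the rule
            "catch (Exception e) { Log(e); }",              // flagged: 'e'
            "// old code used: catch (Exception err) { }",  // flagged, but only a comment
        };

        foreach (var (line, name) in Audit(source, CatchVariableRule("ex")))
            Console.WriteLine(
                "line " + line + ": exception variable '" + name + "' should be 'ex'");
    }
}
```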

So far it sounds like the dream product … and I’m sure the product homepage could do an even better job of selling it… but I still only see Code Auditor as part of a wider toolset. With me spending 99% of my time in the .NET space, I’ve always been a heavy promoter of FxCop. With the release of VS2005 we now have this functionality in the OOBE which is even better. SSW addresses this, however I’d like to rebut some of their comments:

FxCop has a good set of rules however there are some problems:

FxCop works against compiled assemblies and uses metadata to get information about the code. SSW Code Auditor on the other hand looks at the source code itself.

I never realized you could do a code review by reading the versioning or security information of an assembly. I guess they meant MSIL instead… however it helps to understand a product before comparing it. (Update: this has been fixed on their site)

FxCop only works against .NET assemblies. SSW Code Auditor on the other hand works against any plain text files.

Correct – but I don’t have a problem with this. I personally don’t use Code Auditor for anything other than my C# code. If two pieces of C# code compile to the same IL then I don’t really have a problem with what the source code was. The runtime runs IL not source code.

Many of the rules of FxCop are obscure. SSW Code Auditor on the other hand has rules that are more 'general developer' oriented.

In my opinion an FxCop rule like “Review unused parameters” is more useful than “Times New Roman should not be used”. Unused parameters generally indicate either an incomplete method implementation or a badly designed method signature. Code Auditor is unable to check for this, although can happily tell me that I’m not allowed to use Times New Roman.

Many people consider FxCop’s rules to be obscure (somewhat understandably) when they get an error thrown on something like “Static holder types should be sealed”. This is a pretty simple rule though – if all of your members are static then you have no instance members. If you have no instance members, you have nothing to override if you inherit from it and it just becomes a marker rather than a base class, which is a perfect situation for attributes. (PS: This rule is now redundant in C# 2.0 with the addition of a “static” keyword for classes.)

FxCop rules are fixed. SSW Code Auditor can easily be extended via new rules (using regular expressions).

FxCop rules are anything but “fixed”. David Kean has written and released a great set of custom FxCop rules. (Update: this has been fixed on their site)

FxCop only provides one type of report. SSW Code Auditor on the other hand provides a report that is flexible and shows the data in different views.

SSW Code Auditor is designed to be scheduled so you keep your code projects clean all the time.

Granted – this has been seen as a big limitation with the .NET 1.1 version of FxCop as it would require team managers to have an updated copy of the source code on their machine before being able to run a scan. With Code Auditor you could have the scan running on a schedule on some backroom server and just get it emailed to you. For me though, this argument falls apart rapidly: you’d expect a team manager who is reviewing code to have a copy of the code anyway; FxCop can be automated by integrating it into a continuous build solution like CC.NET.

Code Auditor sits well as one part of a wider auditing and review process. If I was short of time but had to perform a review, I’d be doing things in this order:

  1. Get experienced developer to look at the code
  2. Run FxCop
  3. Run Code Auditor (with a rule set tailored to the organization, not the packaged one)

I would not be performing the following unless I was incredibly bored for an extended period of time:

  1. Run NUnit (this should be happening on a regular basis by the developer, and in some form of CI scenario)

I continue to rely on ReSharper’s extremely powerful abilities to check and fix my code formatting, and thus I disable all of Code Auditor’s rules in this area (but at least I can do that). (Update: I reported this and ReSharper integration is now on its way)

The consensus is:

  • Code Auditor is one part of a wider auditing and review process.
  • It’s in my top 3, but experienced developers and FxCop still rank higher.
  • The regex builder is great – leading many people to consider buying the product just for this functionality.
  • In comparison to other tools, heavier upfront customization is required, resulting in higher implementation costs. This is a result of the rules being more specific than most – so it’s really about upfront pain for long term gain – still something that needs to be considered though.

Rocky H has also posted a review of Code Auditor on his blog which includes a screenshot based walkthrough and some interesting discussion in the comments.

Written by Tatham Oddie

April 8, 2006 at 22:29

Posted in Uncategorized

Atlas Slides + Demos


I've put a copy of the slides and demos for my upcoming Atlas series at http://fueladvance.com/Downloads/AtlasTalk.zip as I usually find that if I don't put them up before the presentation I never get around to doing so afterwards. As I imagine the presentation will evolve over at least the first few talks, I'll endeavour to update the ZIP over time.

The talk dates are:

For details about exact locations (and times where not specified) your best bet is to contact the local usergroup in that city as I still don't know most of the details myself!

There's no talk scheduled for Sydney (my home base) as there have been a number of high quality presentations through the local usergroups on the technology already. If you're interested in hearing the talk anyway, either drop me a line or contact one of the usergroups.

I'll also mention now that I'm going to be presenting at Code Camp Oz this year with an introduction to source control systems. The presentation is in the introductory track, so primarily aimed at people who haven't used source control before, or have only used a basic VSS setup. It'll cover:

  • what are the two different models (checkout-modify-checkin vs. copy-modify-merge)
  • what is branching, merging and tagging?
  • what systems exist and what criteria you should evaluate before you choose one

Update: Sydney has been added to the list.

Update: Added the extra presentations in Brisbane and Canberra, as well as adding some links for the details.

Update: Added more times.

Update: Bumped Sydney to the next month.

Update: Moved Auckland back a day. 


Written by Tatham Oddie

April 7, 2006 at 09:46

Posted in Uncategorized

Wow … it’s started


Today was the first real day of what’s most likely going to be my busiest month this year. In the last 24 hours (in roughly the right order):

  • 5 hours of sleep
  • 3 showers (’twas a warm day in Sydney)
  • 3 cans of Red Bull
  • 2 uni assessments
  • 1 uni exam
  • 1 yoghurt and 1/2 a box of jatz
  • 2.5 hours in Newcastle for my presentation (and 4.5 hours getting there and back)
  • 1 coke at the Newcastle Uni Bar with Hamish
  • 1 McOz burger somewhere along the freeway on the way home
  • 1 stop at the Greengate Hotel to find that nobody else had bothered coming to trivia this week
  • 1 stop at Jake’s house to abuse him for not coming to trivia
  • 15 work minutes in the data center at 1 o’clock in the morning

Can’t wait until I have my Brisbane, Sydney and Canberra presentations all back to back! Seriously, it’s going to be a fun month but I’m going to be dead by the end of it.

Written by Tatham Oddie

April 6, 2006 at 02:44

Posted in Uncategorized

Contrasting Colours in C#


It’s still not perfect … but this is a bit of code another developer and I came up with a while ago for finding contrasting colours.


/// <summary>
/// From a given colour it works out a suitable colour that will sit on top of
/// it so that the contrast is suitable for readability.
/// </summary>
/// <param name="baseColor">Color to get the contrasting complement of</param>
/// <returns>Contrasting color</returns>
public static Color GetContrastingColor(Color baseColor)
{
    HSB baseHsb = ColorToHsb(baseColor);
    int newSaturation = baseHsb.Saturation;
    int newBrightness = baseHsb.Brightness;

    if ((baseHsb.Saturation >= 40 && baseHsb.Saturation <= 60) && (baseHsb.Brightness >= 40 && baseHsb.Brightness <= 60))
    {
        newSaturation = (baseHsb.Saturation <= 50 ? 100 : 0);
        newBrightness = (baseHsb.Brightness <= 50 ? 100 : 0);
    }
    else if (baseHsb.Saturation >= 40 && baseHsb.Saturation <= 60)
    {
        newSaturation = (baseHsb.Saturation <= 50 ? 100 : 0);
    }
    else if (baseHsb.Brightness >= 40 && baseHsb.Brightness <= 60)
    {
        newBrightness = (baseHsb.Brightness <= 50 ? 100 : 0);
    }
    else
    {
        newSaturation = 100 - baseHsb.Saturation;
        newBrightness = 100 - baseHsb.Brightness;
    }

    if (baseHsb.Saturation == 0)
    {
        newSaturation = 0;
    }

    HSB newHsb = new HSB(baseHsb.Hue, newSaturation, newBrightness);
    return HsbToColor(newHsb);
}


Written by Tatham Oddie

April 1, 2006 at 23:34

Posted in Uncategorized

Flock


I’m in love … with Flock. It’s yet another browser on the scene (just so web devs don’t get off too easily) … but it does have some really cool bits.

It’s not for the mainstream – it’s more of an experiment with the idea of social browsing. It has RSS, blogging, maps, photo sharing and favourites sharing all baked into the browser – not as extensions. Better yet, they’re integrating with existing services like Yahoo Maps, Flickr, Shadows, and del.icio.us instead of rebuilding them all for a small, isolated community of users. The blogging works with a whole range of different APIs meaning you can point it at any half decent blog site and it’ll work.

It’s basically an awesome rich-client based mashup. Check it out!

It’s built very tightly around the Firefox codebase (and by some of the same people) so it’s not another reinvention. They are intending to maintain a continued partnership, and not a completely isolated development fork.


Written by Tatham Oddie

April 1, 2006 at 12:44

Posted in Uncategorized

Lightbox JS


A cool JS effects library for galleries and the like: Lightbox JS v2.0


Written by Tatham Oddie

April 1, 2006 at 01:54

Posted in Uncategorized

Interesting Facts About Domain Names


If you’re in the mood for some stats … these are pretty interesting: Interesting Facts About Domain Names

Written by Tatham Oddie

April 1, 2006 at 01:52

Posted in Uncategorized

Security Blunders


(I probably shouldn’t be posting something like this … but hopefully it’s now generic enough that it can sit in the ‘funny story‘ category instead of the ‘oh-my-god he published that!?‘ category.)

Earlier in the week I had a small issue with a "security device" that I have – basically it wouldn’t work as it insisted I didn’t know the magic combination. Sure, it was annoying but at least it was defaulting to locking me out so this gave me some confidence in the system. Getting a new access code issued for the device isn’t a simple process, and requires you to actually appear in person at one of the organisation’s installations.

I arrived at the security checkpoint for installation A, holding a security pass for installation B. Even though this entire story falls under the one organisational umbrella, the design of the security passes is completely different between installations.

Me: Hi there. How’s your day been?

Security: Alright so far … how ’bout yours?

Me: Can’t complain. Anyway, I haven’t actually been to this installation before as I usually work out of installation B, but I need to get to an XYZ office and apparently you have one of these.

Security: We sure do … it’s just down that way.

As I walked into the installation, I realised I hadn’t even shown my ID. I’d walked past the big red signs saying "ID must be shown on entry and exit." Even though I’d told the guard that I wasn’t familiar with the installation, I had apparently demonstrated that I was meant to be there.

The best bit happened in the XYZ office:

Me: Hi … I’m having a small problem with this device today. I’ve tried it at two separate terminals and it’s not accepting my password on either.

Girl: Ok … let me take a look at it. 

<girl takes security device and connects it to her system>

Girl: Hmm … there doesn’t seem to be anything here to indicate it’s disabled. Are you sure you aren’t just getting the password wrong?

Me: Hope not … can you give me a new one now?

Girl: No – it’ll take 24 hours to do that. How about I give you what you’re after now, you try again yourself in 24 hours and if it’s still an issue then we’ll issue you a new device?

Me: Great – thanks.

At this point I exited the installation.

A summary:

  • I entered a secure installation without being checked for ID, purely because I had engaged in conversation with the guard and used enough lingo to express that I might actually have a legit reason to be there. Even the post-uni boardies+t-shirt look didn’t highlight that I was a bit different to everyone else there.
  • I accessed a highly secured resource using a security device that I didn’t know the password for and without providing any other ID or even saying my name. In the process of this, the girl even read out several of my details.
  • I exited the installation without being checked for ID, even though this is a clearly stated procedure.

This scenario renews the confidence I have in some of the organisations I trust every day – not!


Written by Tatham Oddie

April 1, 2006 at 01:23

Posted in Uncategorized