Achievo and ATK Moving to Community Governance

The process has started to move the ATK Framework and Achievo projects to community governance from corporate governance.

Update 2012/07/19 – the GitHub organization created for the ATK Framework, ATK Demo and Achievo repositories is the ATK PHP Framework – (the code will be there soon!).

The ATK Framework is an open-source object-oriented full-stack PHP web application framework that enables rapid development of business-oriented web applications, such as HRM, CRM, data management and CMS. iBuildings created the ATK Framework in ~2000 and have closely managed its development project and project infrastructure, including a public web site, forum, wiki, bug tracker and code repository (although only iBuildings has commit access to the repository). iBuildings also controls the development projects of two closely related applications:

  • ATK Demo – a tutorial application demonstrating basic ATK Framework concepts, and
  • Achievo – a fully-featured and extensible resource management application based on ATK (iBuildings had used Achievo internally for managing development projects) .

I became involved in 2004 when I implemented Achievo 1.0RC1 as part of an engineering portfolio project management initiative for a high-tech product development team. Support from iBuildings was excellent, with senior developers responding to my forum posts and the lead developer even logging into my server at one point to help debug an issue related to hosting on Windows. More recently, I have selected Achievo (and the ATK Framework) for prototyping an open-source business support system for the fictional Swift Construction Company.

Over the past few years though, iBuildings’ involvement in the ATK Framework and Achievo projects has seemed to be declining, while community involvement has been growing. After a number of recent pleas from the community for iBuildings to make their intentions public, Tom Schenkenberg (iBuildings co-founder) confirmed our suspicions, but also graciously committed support for moving the ATK Framework, ATK Demo, and Achievo projects to community governance.

“… we took the business decision to no longer participate in active development and stop using this framework for our commercial application development work.”

“I’d like to offer anything and everything belonging to ATK/Achievo to you guys, the true maintainers of these projects. I’m happy to hand over the servers/domains/applications/websites/repositories/etc. to the community. Please help me to get ATK/Achievo in the right hands and in the right place.”

So how does a loose collection of independent developers scattered across the globe turn themselves into an efficient project team? Tom may have offered up the reins, but it’s up to us to decide where we’re going.

Since Tom’s announcement, an informal leadership team has been formed from community members, a GitHub organization has been created for the project code repositories, and documentation is starting to be written on the GitHub ATK project wiki. Once it has been decided how to best migrate the iBuildings svn repos to GitHub, the real fun will begin!

Adding to the excitement is a recent announcement from Ivo Jansch (former iBuildings CTO and now Eugeniq founder) that he was creating a “second incarnation of ATK” called Adapto, to be released under the business-friendly BSD license. Ivo originally conceived ATK, was its lead developer and power user within iBuildings, and is a copyright holder for much of its source. Here’s how Ivo describes Adapto.

Adapto will not be “focusing on anything that is already provided by common frameworks. So I would like to leave caching, view rendering, database connectivity etc. to an existing framework (Zend Framework) and have Adapto … just contain the code that makes it great. I also have ideas to extend the UI beyond just websites (think mobile/tablet apps).

… Another point is that the codebase is quite complex and one reason for that is the 12 years of legacy. By starting fresh and not worrying so much initially about backwards compatibility, we can leave some of that baggage behind.

So while the ATK Framework has a new team who will be focusing on maintenance and feature updates to ATK and Achievo (and documentation), Adapto will be under development as a future solution for concepts proven by ATK.  However, simply from its existence, Adapto also adds to the complexity of the ATK ecosystem. Not only will developers be considering the future of ATK and Achievo, they will also be considering the future of Adapto on ATK.

To provide some possible clarity into the situation, I’d like to offer this roadmap proposal for consideration (and hopefully some spirited debate). Comments are encouraged (but be warned, I will be re-posting relevant comments made here to the ATK forum and/or Adapto mail list).

Watch out for more news, it’s going to be a fun year!


Using “new” PHP with “old” MySQL passwords

I recently encountered this error trying to connect Achievo to an existing corporate project-tracking database:

Critical: Unknown error: 2000 (mysqlnd cannot connect to MySQL 4.1+ using the old insecure authentication. Please use an administration tool to reset your password with the command SET PASSWORD = PASSWORD(‘your_existing_password’). This will store a new, and more secure, hash value in mysql.user. If this user is used in other scripts executed by PHP 5.2 or earlier you might need to remove the old-passwords flag from your my.cnf file).

To understand what’s going on, you need to understand a couple not-so-recent developments in PHP and MySQL:

  • MySQL version 4.0 and earlier used a 16-byte password hash, but starting with version 4.1+ uses a more secure password algorithm and 41 byte hash (although still supporting the older less secure password hash if needed).
  • The original external PHP module for accessing MySQL was mysql, but the current preferred module is mysqli (MySQL Improved).
  • The original low-level c-library that mysql (and mysqli) used to actually interface to a MySQL server was libmysql (included with MySQL), but starting with PHP 5.3 they are typically compiled with mysqlnd (a seperate project). mysqlnd has many advantages compared to libmysql, but it doesn’t support the old 16-byte MySQL password hash.

The database server I needed to connect to was running MySQL v5.0, and was configured with “old_passwords” set to On, which sets password operations to use the older 16-byte password hash (possibly because the original client/server application had been developed with MySQL 4.0 or earlier).

The simplest solution would have been to turn old_passwords Off and reset my password as the error message said (assuming the password column in the mysql.usr table would hold a 41-byte hash, otherwise its width would have to be increased first). However, the dba was loath to change the server configuration in case it broke existing mission critical enterprise applications, so I needed a different solution.

Since mysql and mysqli are compiled seperately, they can use different underlying c-libraries. In other words, mysql can be compiled to use libmysql – which supports the old 16-byte password hash. That would allow using mysql to connect to the corporate project-tracking database, without any effect on using mysqli to connect to other databases.

On a FreeBSD server, it was as easy as:

# pkg_delete php5-mysql
# cd /usr/ports/databases/php5-mysql
# make config  (uncheck support for mysqlnd)
# make install clean

and then edited the Achievo file to use mysql for the corporate database instead of mysqli.

Adding Up SaaS Applications

Incorporating SaaS applications into an enterprise’s business processes can offer a number of advantages, including:

  • focusing internal resources on core strategic strengths instead of infrastructure services
  • being able to pick the best fit from a variety of mature low-risk best-of-breed applications
  • lowered internal IT hardware and support costs
  • well-defined costs

But as always, nothing comes for free and the cost of individual applications adds up quickly. For example, assuming a sales and development SME on a growth track with 100 employees, including a 10-person sales team, a couple senior admin/HR roles, consolidated project management across the organization and a product engineering team who working with part numbers and bills of materials, and using the following SaaS applications:

  • Taleo Recruit for talent recruiting – $500/month (Taleo Business Edition Recruit module, 5 users)
  • Saba People Cloud for basic talent management – $500/month (based on competitor Kapta pricing of $5/person/month)
  • Salesforce for customer relationship management – $1250/month (Enterprise version, 10 users)
  • KnowledgeTree for document management (engineering, legal, administration, etc.) – $2000/month (100 users)
  • Basecamp for project management – $99/month (100 projects, 40 GB storage)
  • Aligni for engineering to manage parts and bills of materials – $199/month (< 10,000 parts)

The total is $4,548/month, and doesn’t include an ERP system for managing financials – which could add another $3,330/month (for either a basic system with limited extensibilty, or the base price for an extensible system before add-ons and customization).

Now, I’m not saying this isn’t money well spent, and for many organizations it is. But bear in mind it’s cash off the bottom line and attention (a rare and precious commodity) taken away from something else in order to learn something new. Carefully consider the complete value – and the complete cost – before signing up for another monthly payment on a credit card, because that’s the easy part.

SourceForge, Encryption, and U.S. Export Control Restrictions

I was registering the Adapto project on SourceForge today, and when I got to the Export Control question, ended up spending more than few minutes researching U.S. export regulations relating to software and cryptography. Be warned though, I am not a lawyer and the following is not legal advice. I urge you to consult a professional for advice specific to your situation.

SourceForge is operated by Geeknet, Inc., a publicly traded US-based company. When someone outside the U.S. downloads code from a SourceForge project, SourceForge is actually exporting the code from the U.S.

Export of software including cryptography functions from the U.S. is controlled by the Bureau of Industry and Security (BIS) according to the Export Administration Regulations (EAR) and the Commerce Control List (CCL). This includes software that only calls encryption functions in an external library, such as the PHP openssl_public_encrypt and openssl_public_decrypt functions.

In 2010, the BIS amended the EAR by excluding software products where the use of encryption is ancillary to its primary function and the primary function is not information security or the sending, receiving or storing of information, where the cryptographic functionality is limited to supporting the primary function of the software product, and when details will be provided upon request to a U.S. authority (see EAR Controls for Items that Use Encryption on the U.S. BIS website).

Adapto is a small PHP framework targeted at creating data management applications with minimal code. Although Adapto includes cryptographic functions (implemented through PHP library functions), they are provided only for potential use by an application program and are not used in the normal operation of the framework. They are also not used in the tutorial demo application included with Adapto, and so it appears export of Adapto from the U.S. is not controlled.

Since Adapto does incorporate encryption, it has been noted in the SourceForge project Metadata, but since it is not controlled based on the above analysis, the project does not require reporting to the U.S. government as noted by SourceForge.