Sunday, December 20, 2015

Ready to drop Gentoo

I have been a Gentoo user since 2010. For me, it was, at that time, a source of fresh, well-maintained packages, without the multimedia-related US-lawyer-induced brain damage that plagued Debian. Also, by compiling the packages on my local PC, it neatly sidestepped legal problems related to redistribution of GPL-ed packages with GPL-incompatible dependencies, and trademark issues related to Mozilla products. Also, it offered enough choice in the form of USE flags to sidestep too-raw technologies.

Today, I am re-evaluating this decision. I still care about perfect multimedia support, even if it relies on technologies that are illegal in some country (even if that country is my own). I still care about Firefox identifying itself as Firefox in the User-Agent header, so as to avoid broken sites (such as https://room.co/), but I don't want to use binaries from Mozilla, because they rely on outdated technology (i.e. are appropriate for something like RHEL 5). And, obviously, I care about modern and bug-free packages, or at least about non-upstream bugs (and, ideally, upstream bugs, too) being fixed promptly.

Also, I rely on a feature that is not found upstream in any desktop environment anymore: full-screen color correction, even in games. Yes, I have a colorimeter.

This was necessary with my old Sony VAIO Z23A4R laptop, because it had a wide-gamut screen (94% coverage of Adobe RGB) and produced very oversaturated colors by default. This is also necessary on my new laptop, a Lenovo Ideapad Yoga 2 Pro, because otherwise it is very hard to convince it to display yellow. Contrary to popular claims, it can display yellow, even in Linux, given the exact RGB values, but even slight changes (that would only produce a slightly different shade of yellow on normal screens) cause it to display either a yellowish-red or a yellowish-green color.

So, it must be easy for me to install extra packages (such as CompICC) from source, and, ideally, have them integrated into package management. And the fewer such extra packages are needed for full-screen color correction, the better.

Now back to Gentoo. It still allows me to ignore lawyers, too-radical Free Software proponents, and their crippling effect on the software that I want to use. It still, mostly, allows me to take suspicious too-new infrastructure out of the equation. For full-screen color correction, I need exactly one ebuild that is not in the main Portage tree (CompICC). But other packages have started to suffer from bitrot.

Problem 1: The MATE desktop environment is stuck at version 1.8, probably just due to lack of manpower to review the updates. This is bug 551588.

Problem 2: An attempt to upgrade GNOME to version 3.18 brought in a lot of C++11-related breakage that wasn't handled promptly enough, e.g., by reverting the upgrade. This is bug 566328.

Problem 3: QEMU will not let Windows 8 guests use resolutions higher than 1024x768. Upstream QEMU does not have this bug - it is an invention of overzealous unbundling that replaced a perfectly working bundled version of the VGA BIOS with an inferior copy of the Bochs VGA BIOS. This is bug 529862.

I don't yet know which Linux distribution I will use. Maybe Arch (but it requires so much stuff from AUR to build CompICC! Maybe I should use Compiz-CMS instead), maybe something else. We'll see.

Sunday, October 18, 2015

Still using icims.com for recruiting? Think again!

If your company has open vacancies and uses some system for pre-screening candidates (e.g. by giving them questions), I have a "small" task for you. Go to your system, answer the questions as if you were a candidate, validate the answers as you would expect from a candidate (e.g. actually perform the actions that the answer describes), and then save the results. Look at the whole process. Make a conclusion for yourself whether your system is usable for the stated purpose. Communicate it to your management, if needed.

If you are using icims.com for hiring technical candidates, the answer is most probably "not suitable at all".

The most annoying bug that icims.com has is that it does not allow the candidate to enter certain characters in certain positions. The exact error message is:
Q3 2 Contains invalid characters. You cannot use the characters: ' " \ / or ` in an enclosing instance of <>, <<, >> or ><.
This triggers at least on the following types of input:
  • XML or HTML
  • Command redirections, e.g.: echo "foo bar" >> baz.txt
  • Sequences of menu items to click, e.g.: "File > New > Folder", if a bad character happens to be before that
So, you cannot ask questions about HTML, shell scripting, or even general questions about using GUI-based applications.

This error message probably means that they are concerned about XSS attacks. However, filtering out "invalid" characters from input is a very sloppy way of protecting against such attacks, and it imposes completely unreasonable restrictions on the user input.

In fact, any kind of input (including XML, bash scripts or text about clicking the menu) should be suitable, and can be made to display safely and properly in any browser, just by escaping the special characters when generating the HTML page. Many template engines exist that do this escaping for you automatically. Today, there is simply no reason not to use them.
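To make the point concrete, here is an added example (my own code, not icims.com's or any template engine's) that puts an assumed reconstruction of the character blocklist described by the error message next to the output-escaping approach; the filter regex is a guess at the observed behaviour, and the sample answers are constructed.

```python
import html
import re

# Assumed approximation of the icims.com rule: reject the text when one of
# ' " \ / ` occurs anywhere on the same side of an angle bracket. The real
# rule is not public; this is constructed to match the observed rejections.
BLOCKLIST_RE = re.compile(r"""['"\\/`].*[<>]|[<>].*['"\\/`]""", re.S)

def blocklist_filter_accepts(answer: str) -> bool:
    """Input filtering: True if the sloppy filter would let the text through."""
    return BLOCKLIST_RE.search(answer) is None

def render_answer(answer: str) -> str:
    """Output escaping: store the text verbatim and escape it when building HTML."""
    return '<p class="answer">' + html.escape(answer, quote=True) + '</p>'

def rendered_body_is_inert(rendered: str) -> bool:
    """True if nothing inside our <p> wrapper can open a tag or an attribute."""
    body = rendered[len('<p class="answer">'):-len('</p>')]
    return not any(ch in body for ch in '<>"\'')

# Constructed sample answers: three legitimate ones and one hostile one.
SAMPLES = {
    "shell": 'echo "foo bar" >> baz.txt',
    "menu": 'Click "File > New > Folder"',
    "html": '<a href="/home">Home</a>',
    "hostile": '<script>alert(1)</script>',
}

def compare(samples=SAMPLES) -> dict:
    """For each sample: does the filter accept it, and is the escaped output inert?"""
    return {
        name: (blocklist_filter_accepts(text), rendered_body_is_inert(render_answer(text)))
        for name, text in samples.items()
    }

if __name__ == "__main__":
    for name, (accepted, inert) in compare().items():
        print(f"{name:8} filter accepts: {accepted!s:5} escaped output inert: {inert}")
```

The filter rejects all four answers, including the three legitimate ones, while escaping on output keeps every answer, the hostile one included, and still produces inert HTML.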

If a candidate sees such an error, he/she becomes demotivated. It is a stupid barrier in the way of getting the correct answer to you. It also indicates that you don't care about your customers (by choosing business partners that allow such sloppy practices). Worse, some of your candidates (who see icims.com for the first time) may think that it is your product, or your internal system, and that you (not icims.com) have web developers with insufficient skills, i.e. that your company is not good enough to work in, because you don't weed out underqualified workers.

You don't want to lose candidates. So you don't want to use icims.com. Really.