Brian Enos's Forums... Maku mozo!

Open Source EzWinScore


Skydiver


Moving the discussion of doing Open Source EzWinScore to this thread to keep the other purely about how people use EzWinScore in the real world.

If I missed any unanswered discussions about the OSS for EzWinScore, please feel free to tack on this thread.


Any scoring program supported as an official USPSA product must be built from source code by HQ staff. This requirement is in place to assure that USPSA can maintain any such program.

Do you mean "can be built" or "must be built"? If it is the latter, I'm not an open source license expert, but I think that precludes the use of some open source libraries.

I can foresee the code being open for everybody, to see, tweak and contribute, but each branch has a signature in its output files. This way, when match results and classifiers are uploaded, USPSA can filter which ones to accept for major matches for example.

My opinion on the above is the following:

Screw any perceived rules by USPSA. The sum total of their interaction with a club's scoring system is a flat file for classifier updates, and the output to send in classifiers, etc. It's not like you submit encrypted serialized binaries or something. Everything else is inertia and the rulebook. After seeing the process with them acquiring rights to distribute the steel scoring program, I certainly wouldn't want to have that process in between me and getting work done. HQ isn't filled with copyright attorneys, it also isn't filled with software project managers either. A project like this is way outside their area of expertise, and their approach to being organized about it could very easily kill off any volunteer enthusiasm pretty easily.

My take on it is if something is going to be done, to just go open source, make a product, and let someone else worry about if it is officially associated with any particular organization. It might also be nice if we could take steps to solve the problem that the Palm platform is essentially dead too. There's a lot of really cheap (around the $100 mark), small (screens between 4" and 7"), tablets on the way in theory, they might be worth looking at. One thing I can safely say is that none of them will be running Microsoft OSes, it might not be the best choice to go MS centric on the development tools either.

As for paranoia about back doors and forking when going OSS, I'll argue that USPSA HQ doesn't really have the resources to do a code audit on something closed source. Is that something they honestly do now? Also in general, I don't think anyone is running a persistent networked scoring system that is worth hacking. Heck, why would I bother with that much effort when I can just alter flat files with a text editor? Flat files are what come in and out of HQ, not encrypted serialized binaries. As for forking, that happens when you have too many volunteers who argue with each other. This is a one or two man sized project that will be lucky to get one or two volunteers. You make one of them the dictator for life, and that person passes on being dictator for life when they find someone stupid enough to take that job. Or run screaming. Or die.


Do you mean "can be built" or "must be built"? If it is the latter, I'm not an open source license expert, but I think that precludes the use of some open source libraries.

"Built from source" means using the standard tools - virtually every program uses standard libraries not compiled as part of the program.

I understand that virtually every program uses standard libraries not compiled as part of the program. What I was trying to allude to was that a lot of open source licenses specifically say that anybody should be able to get the source and be able to build the same product. The sentence "Any scoring program supported as an official USPSA product must be built from source code by HQ staff." from which I pulled the source from made it sound like only USPSA HQ would be the only one allowed to build and distribute the product.

And it's not "can be built from source", but "IS built from source". Until you actually do it, you don't know if it will compile - something as trivial as an include directive that references a file by absolute rather than relative path (pointing to a file not in the distribution) can prevent a build and be totally unintentional.

Oh, yeah, I completely agree. I remember old projects I worked on where I sync'd up to the latest code and the build would fail. The last person who checked in simply says "Works on my machine". Argh! Then the hair pulling begins as I try to unravel what changed in the build that suddenly put a dependency on the last person's checkin. If we go open source, we definitely want to be like most open source projects out there that can be built from scratch after enlisting in the project.

It's not like you submit encrypted serialized binaries or something

Great idea. I'll add it to the list. Just kidding :)

Actually in all seriousness, digitally signed XML would be a good way to exchange the data between the club and USPSA. The data would be mostly human readable, but the digital signature attached would prevent any hacking of the data. Anybody who wants to do special post processing of the data for display on a club web page, or do trend analysis can parse the XML, but the data will be secure from tampering.

The real issue with OSS is not "hackery" but a proliferation of versions each with a special feature a club wanted. First problem - people start calling Sedro for support on these unofficial versions. Then, the cute code introduces a bug that causes a hiccup in the process and USPSA staff has to track it down.

USPSA's first question to the person should be, "What is the MD5 hash of osswinscore.exe? ... Oh, we only support the main trunk build and not branches. Please export your match data, and import it into a main trunk build of osswinscore.exe. ... Oh, osswinscore.exe crashes due to division by zero error? That must mean your private branch inserted invalid data to solve Flexmoney's 'Noodle on this problem.' So sorry, we can't help you. ... Oh, but you should be using the main trunk build when you are running a level II match, I'm sorry that you just lost a day and a half's worth of match data from 200 shooters."

If that's not enough, consider what happens if USPSA fixes a bug or changes the output file format to add more data, and a club ups the file format version without incorporating the bug fix or adding the new data.

Funny, I've been thinking about this exact problem. Part of my solution for this is what has been steering me to recommend using Mercurial for source control instead of git or subversion. Mercurial considers history to be sacred, and so each branch knows its full lineage. If somebody fails to pick up a set of changes it won't be in their branch, and their revision ID will be different from everybody else who does pick up the changes. If the product is built with the current revision ID built into binaries, and when that binary generates a file, the pedigree of the program that generated the file can be examined, much like the way digital signatures and certificates can be examined.

Yes, a determined hacker who wants to spoof the revision ID can do so (since they'll have the full source including the build scripts), but if somebody is good enough to spoof USPSA, they should be good enough to write code that doesn't blow up, and ensures that their code doesn't generate data that will make other branches of the code blow up when that data is imported. Otherwise what would have been the point of spoofing if you can't get code to run?

If OSS ever became popular, an MD5 checksum (or one of the newer better ones) could be added to the output files, and the version distributed by USPSA would use an undisclosed seed value.

Good idea. Let me recommend instead of using an MD5 checksum, using real x.509 certificates for digitally signing the data. As you know, these use public key encryption for signing, you are supposed to keep the private part of the key secret.

The only thing that never gets checked into source control will be the public and private keys. If somebody downloads the source, the code is written such that if it is given a key-value pair, it'll use it for digitally signing the XML. If it's not given such a pair, then it just generates the XML without a digital signature.

Going with certificates will also open up the possibility of USPSA signing a club's certificate, so that when a club uploads its data, the club password doesn't need to be entered, the digital signature just needs to be checked for validity.

No, but when someone calls in and reports a bug with version 3.1415 or whatever, Roger knows EXACTLY what code they are running.

See my comments above about what is steering me towards suggesting Mercurial as the source control system, as well as the "What is the MD5 hash of osswinscore.exe?"
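The signing flow proposed in the post above, as an added example (not code from the thread or from EzWinScore): the exporter signs only when it is handed a key, and the receiving side verifies before applying a supported-build policy. Assumptions: a bare Ed25519 key pair stands in for the X.509 certificate, the `Envelope` format, revision strings and score line are constructed, and the signature covers a detached byte string rather than implementing XML-DSig.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/xml"
	"fmt"
)

type Envelope struct { // hypothetical export format, not EzWinScore's real one
	Revision  string `xml:"revision,attr"`            // revision ID of the generating build
	Signature string `xml:"signature,attr,omitempty"` // absent when no key was supplied
	Results   string `xml:"results"`
}

// signedBytes length-prefixes both fields so revision and results are covered unambiguously.
func signedBytes(rev, results string) []byte { return []byte(fmt.Sprintf("%d:%s%d:%s", len(rev), rev, len(results), results)) }

// Export signs only if a private key is supplied; the key never lives in the source tree.
func Export(rev, results string, key ed25519.PrivateKey) ([]byte, error) {
	env := Envelope{Revision: rev, Results: results}
	if key != nil {
		env.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(key, signedBytes(rev, results)))
	}
	return xml.Marshal(env)
}

// Check is the receiving side: verify the signature first, then apply the supported-build list.
func Check(doc []byte, trusted ed25519.PublicKey, supported map[string]bool) string {
	var env Envelope
	if xml.Unmarshal(doc, &env) != nil {
		return "malformed"
	}
	sig, err := base64.StdEncoding.DecodeString(env.Signature)
	switch {
	case env.Signature == "":
		return "unsigned"
	case err != nil || !ed25519.Verify(trusted, signedBytes(env.Revision, env.Results), sig):
		return "bad-signature"
	case !supported[env.Revision]:
		return "unsupported-build"
	}
	return "accepted"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	doc, _ := Export("rev-main", "A12345,Stage1,87.5", priv)
	fmt.Println(string(doc), Check(doc, pub, map[string]bool{"rev-main": true}))
}
```

A key holder can still stamp any revision string before signing, so the signature attests to who signed the file and that it was not edited afterwards, not to which code produced it.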


Rob... the USPSA staff has to track down some bug? Hell, if that were the case we wouldn't be talking about this now. That's like saying MS must track down every bug a driver has with regard to the MS OS. Their answer is, reload it. USPSA would have a standard version and any mod for local stuff or betas would NOT be supported.

We go from not being able to pay one or two code people to supervising a team of "7-8 developers?" Where do you get that from? What I was talking about is those who have been working on it in the past, watch over a couple of coders and guide them. Since they no longer have to code, their work load should be less than coding. If that is too much for them to handle, perhaps, we need to bring in some fresh blood.

A wise man once said, from the time you take on a project, you should be training your replacement...........

If we can take on something like the Steel Challenge, we can figure a way to get this done. Instead of thinking of five reasons we can't do it, let's agree it needs to be done and find a way to do it.


Roger has said that even with the "free" SQL servers, there are licensing issues when you redistribute for sale. I don't know, I'm not a software attorney.

Yes, of course there are enqueue/dequeue issues with multiple people updating the same database. (Same record? Not likely, as there's only one scoresheet per stage per competitor, but still possible for other things in the database, of course.)

Powerbuilder is still pretty expensive, and I've looked at it, and the only good reason I can think of to stay with it is the time and expense required to write it again in something else.

Yes, this is quite true. A lot of the open source databases are dual licensed. If your product is distributed as free open source, then the database is free. If your product is redistributed for sale, then you need to pay for a license.


And ezwinscore IS redistributed for sale. $25 at the USPSA store. Don't know how many people actually buy it when the clubs already get a copy sent to them, but there it is.

I am not a lawyer, but it looks like these DBMS's (including DB2 that you spotted) support distribution even for products that are for sale:

MS SQL Server 2008 Express: http://www.microsoft...stregister.aspx

Oracle Database 10G Express: http://www.oracle.co...e/xe/index.html

IBM DB2 Express: http://www-01.ibm.co...ta/db2/express/

Firebird: http://www.firebirdsql.org/index.php?op=doc&id=idpl


I've read the licensing for redistribution of SQL Server 2008 Express carefully and it seems clear to me you can distribute it freely with conditions such as distributing the entire original distribution, showing your own copyright, holding Microsoft blameless, etc. I browsed the one for Oracle and it seemed about the same. I think there are several candidates for a new database engine. To choose one comes down to features, OS type and resource requirements, and available talent. I think we can agree it would have to run on Microsoft Windows XP (maybe even 2000) and later with modest hardware requirements.

I've worked extensively with SQL Server 6.5 through 2005 and a little with 2008. Starting with 2008 they added a Compact version that does not need to run as a service, though you give up multi-user, stored procedures, and other nice things. I've also used Oracle 11G a little (the free version is 10G), but not enough to compare it to anything else yet except to say that its various components don't feel as well integrated as SQL Server and it takes much more configuration to install. It has some very impressive high-end features, but they would not be required for an EZWinScore type application.

Of course you could always just use XML or a flat file and avoid the DBMS issue altogether if you were willing to stick with a single-user system, though I wouldn't recommend it. In .NET you can serialize and deserialize with a few lines of code.

You can certainly start a geek religious war over DBMSs, though probably less so than programming languages. Luckily, anyone not using C# cannot be smart enough to pose much of a threat. :sight:

Sequel server 2008 - I know MS just got done shaking up their small, freely redistributable licensing terms and products. Before going that route, I'd seek the advice of someone heavily involved in the SQL server world. I'd want to be sure they are done with the shakeup and not in a transitional mess. 

Oracle express - No. Think of it as more for learning and experimenting developers or preliminary development. WAY too cumbersome, especially on a Windows machine. At least the last time I looked at it, it is not in a state to be bundled with a product very well.

Firebird looked like just the right kind of product last I looked into it, but like with all OSS things, things can change quickly, and there may be better OSS offerings. Bonus is that it supports Windows, OS X, and Linux.

There are also a number of free DB-like frameworks that are geared at being embedded in a program that needs lightweight database-like access to data stores. You definitely don't need a full zorch RDBMS to get the job done for scoring. 

As for the language, I like C#, anyone up to date on how well the various cross platform C# projects are coming along?
