Domain: dwheeler.com
Stories and comments across the archive that link to dwheeler.com.
Comments · 467
-
Re:No offense, but that doesn't sound like a lot
you're guessing at the number of lines? too lazy to run sloccount? It's in the packages repository on a lot of distros.
-
Re:I don't believe it.
/sarcasm We invented Microsoft Bob! And, uh, Basic! That has to count for something, right!? Why are you guys laughing?
Seriously though, there is a good list here:
http://www.dwheeler.com/innovation/microsoft.html
e.g.
* Direct3D was started after Microsoft bought RenderMorphics in 1995
* Excel started after Visicalc
-
Re:Zune 2.0
Microsoft is always late to the party. They are just another "me too" company.
i.e.
http://www.dwheeler.com/innovation/microsoft.html
And who can forget this?
And BTW, Mountain Lion is going to be $20. I think that officially qualifies as "reasonable" to nearly anyone but die-hard neckbeards.
-
Re:Zune 2.0
> Wow, you're basically the only Non-AC guy who mentions Zune.
Thanks. Not sure why people seem to leave out important details like that. I'm not a fanboy of either Microsoft or Apple so I try to understand the success AND mistakes of BOTH companies to better understand them.
> Apple crushed the phone market with the iPhone
But why did it take Apple to show the world that phones don't have to suck? ;-)
Bringing this back on topic to the tablet for a minute:
There is a reason why a pencil + pad is the number one creative tool in the world. Simplicity + nothing to get in the way!
Looks like Microsoft had a chance to bring about a digital version but since they care only about one thing: profit, aka no cannibalization, it had to be killed. Customer demand and Innovation be damned if it cuts into their existing products. Apple on the other hand sees devices _augmenting_ their revenue, products, and platforms.
Their tablet 'Courier' was killed because it had no email (?!?!) "Gates' response by explaining that Microsoft makes billions from Exchange, and so a product with no e-mail is a problem -- a machine that doesn't do e-mail isn't going to help shift Exchange licenses."
Now granted a tablet without email probably would have died anyways, but why was this even considered in the first place. "Hey guys! Let's ship a tablet -- but it won't let people to be able to communicate with others." WTF?
> This feels like a Bet the Farm move.
Yup, I would agree with that assessment.
For some real fun, look at how many people are in the Microsoft Store vs the Apple Store. It is "cool/hipster" and fun to be in an Apple store. I don't see too many people "bragging" to their friends that they went to the MS store. One almost feels sad for MS. They try so hard and yet fail so bad.
Microsoft doesn't just understand "sexy marketing", sorry, branding, the way Apple does, mainly because, aside from the XBox 360, their products are perceived as being BORING.
About the only thing Microsoft invented was MS Bob and Windows NT. Almost every other software product they originally bought from a 3rd company and slapped their name on it.
Internet Explorer .. Spyglass Mosaic
Direct3D .. RenderMorphics
Microsoft is always late to the party. They are just another "me too" company.
i.e.
http://www.dwheeler.com/innovation/microsoft.html
> Remind me to look up the news 4 years from now when the fake urgency wears off.
Yup, will be interesting in a few years that's for sure! Especially the upcoming ARM & Intel fight, and Intel vs nVidia & ATI/AMD!
Will MS be able to re-invent itself? IBM was sort of forced to at one point. MS is exactly in the same position as IBM was.
One thing MS could do to reverse their negative image would be to stop fucking consumers over by gouging them $100+ for their OS and charge a reasonable $20 - $40. OK, so OSX isn't that cheap but you get the point.
Sorry, didn't mean to go on for so long but damn, you raised a nice point and got me thinking.
;-)
-
Not quite - here's more info
Not quite. It's true that a work of a U.S. federal government employee, performed as part of their official duties, cannot normally have copyright in the U.S. HOWEVER... most software developed for the government is developed by contractors, at least in part, and those parts DO have a copyright. (There are even a few exceptions for government employees, but they practically never apply.) Also, the term "public domain" has multiple meanings, presumably you mean public domain in the copyright sense (not the export control sense, which is different).
To see when contractors or the U.S. government can currently release software as OSS, see Publicly Releasing Open Source Software Developed for the U.S. Government by David A. Wheeler (me), Journal of Software Technology, February 2011. That's the current state of affairs.
I agree with the poster above: When "we the people" pay for software, then by default "we the people" should get it. I even posted an entry about that in 2010. Sure, there need to be exceptions, but they should be exceptions; it's not obvious why accounting software developed by the government is treated this way! I also agree that we should use clearer terms like intellectual rights (and intellectual works) - not "intellectual property" - because "intellectual property" is a fundamentally misleading term.
-
Earth has l.t. 1 billion years (unless we move it)
The sun's energy output will increase until there will be no liquid water on the surface in about 1 billion years (unless there's some kind of intervention). Personally, I think we should plan on moving spaceship Earth before then.
-
Looks like Henry G. Baker's COMFY 6502 compiler
Fun! This 6502-assembler-in-LISP looks similar to Henry G. Baker's "COMFY" 6502 compiler (described in "The COMFY 6502 compiler", SIGPLAN Notices, 1997). You can check out the COMFY-6502 implementation that uses Common Lisp (sadly this appears to be entrapped in the ACM non-commercial-use-only license, though for 6502 code that isn't very limiting). One cool thing about the approach of using LISP as an "assembler" in general is that unlike many traditional macro assemblers, this approach can easily do stuff like choose the optimal instruction set for branches because it can determine if it's in range for a short branch and use them when available. You can do it other ways, of course, but it's pretty elegant in LISP. Those interested in this sort of thing might like my page on 6502 Language Implementation Approaches or my page on making LISP-based languages more readable (especially sweet-expressions).
-
Energy.gov shouldn't have a built-in search engine
The Energy department should not have wasted a dime of public money on a specialized search engine built into their website. Yet it looks like they did just that. Government agencies should focus on getting the documents posted in standard formats (e.g., PDF) and then let commercial engines do all the work. You get bonus points if you mark the documents with key metadata (title, authors, abstract, date), but even without that, most commercial search engines can find lots. I'm not the first to note that, several articles have noted this.
If an agency just HAS to have a search engine on the page, it can just reuse a commercial one. For example, if you want to reuse Google, just follow the instructions here: http://www.google.com/sitesearch/ which just inserts a few lines of HTML. From then on, all done. You can see an example on my website front page at www.dwheeler.com. I don't actually do the searching... I just redirect to Google. And users don't have to use Google, they can use any search engine they find convenient.
-
Secure Programming book
Take a look at my book on secure programming: http://www.dwheeler.com/secure-programs/. I wrote it after I saw software getting broken into, again and again, for the same old reasons.
-
GREAT promise, but check for other patent holders
This is really promising, but don't celebrate QUITE yet.
There's a lot of promise here. Apple is releasing BOTH the encoder AND the decoder as open source software, instead of the "decoder-only" trick some organizations use. The Apache license means that Apple has granted a patent license to use the encoder and decoder software they've released, as well as derivatives of them. And since Apache 2.0-licensed software can be put into GPLv3, GPL2+ and GPLv3 code can use this too. (The Apache 2.0 license is compatible with lots of other software.)
BUT... there may be OTHER organizations who claim to hold a patent that covers ALAC. If they won't license those patents on the same terms, AND a court says that the patents are valid, then this isn't enough. However, there's great hope. Apple has a lot of lawyers; I doubt they'd release this code unless they were pretty confident that no one else held VALID patents covering this. Also, the US courts are just starting to actually have criteria for patents, instead of presuming that anyone who hands the PTO some money should get a patent, so patents that claim to cover this might get rejected in the US now.
-
Thus saith David A. Wheeler
Well, one way to increase trust would be to build the source-provided compiler with two different compilers
I'm glad to see someone else remembers David A. Wheeler's diverse double-compiling dissertation.
-
Re:Server cold war
You really need to read this essay about filenames, as well as these two bits about parsing the outputs of ls and ps. In short: correct and secure work with filenames is made difficult by certain features of shells and their default configuration, and the output format of common tools (including ls) makes their output literally impossible to parse in a correct and secure manner. Parsing the output of ps is a very bad idea for similar reasons. It's fine if you're just doing one-liners for simple, everyday interactive work in the shell, but if you write shell scripts and don't understand these issues, you've likely been writing buggy, incorrect, insecure and exploitable code.
I've personally never used PowerShell. My solution to these difficulties has always been to learn to do things properly regardless of the difficulty. While I don't know enough about it to be convinced that it would be a proper solution, I can imagine many ways in which the idea of passing objects instead of text may make things easier. If you can't see why, you need to learn a lot more about shells and their issues. I'm not trying to be patronizing here or anything; it's just that shell scripting is a lot more complex than people typically realize, and such misconceptions cause security holes.
-
Re:Server cold war
What exactly have you been doing with your shell? I have never had anything that approaches this sort of problem; on a few occasions I wind up forgetting which of a handful of columns from the output of "ps" or "ls -l" is the one I want to sort by.
Hmm, some examples looking back through my history:
I've got things like:
- grep processor /proc/cpuinfo | cut -d: -f2 | tail -n1 to extract the number of processors (after which I decided it would be better to replace the cut/tail with wc -l). You could replace cut -d: -f2 with something like select Number.
- There was the time I tried to get a list of all files that were transitively included by some file, so I tried a few variations of gcc -fsyntax-only -H sharedptr.cc | cut -f2 "-d " before giving up and using sed. If GCC gave objects as output, I could have said select FileName or something instead.
- There was the time I wanted to send a signal to some occurrences of a process, so I had something like ps | (some greps) | cut -c10-15 | xargs -n1 kill -sCONT.
I sort of feel like "replace cut" is a typical example of this, but it's not the only one. I'm not sure what else to look for in my history though.
you are still stuck having to remember dozens of fields for whatever class you are dealing with.
Which is easier? Remembering "the PID is in the column named Pid" or remembering "the PID is in columns 10-15. Oh, unless the width of the first column depends on the maximum username length being displayed, in which case it might change."
And even if you forget, you could run ps and it would tell you, as opposed to you having to count fields.
Do you have an actual example that you could share? Again, this is a problem that I have never encountered, and I have been using GNU for a long time.
If you want a full discussion of the problems you can face, see here. (My executive summary is that "if you've used xargs, you've probably used something that is broken -- or at least not general.")
-
Self-compiled browser
Browser: Self-compiled Fennec.
"But why are you trusting the compiler? Haven't you heard of the 'trusting trust' attack?" That attack is obsolete. Bootstrap your compiler with diverse compilation and it becomes much harder to slip in a trojan.
-
Open Document Format works fine
I wrote PhD thesis using Open Document Format (ODF) and it worked out very well. I used OpenOffice.org, but I expect that LibreOffice would work at least as well. You can translate to many other formats (e.g., with "Save As" or external tools).
As with any big writing effort, one key is to separate formatting from content. You should FIRST set up a template with that does all the formatting, including all the paragraph types you'll need and the right format for them. Then write your document, selecting the paragraph types for each paragraph as appropriate. Do NOT embed formatting commands in the document itself - paragraphs should NOT have font settings, etc., but instead these should be controlled by the paragraph's paragraph type. In my case, I created an OpenDocument template for George Mason University (GMU), and gave it to GMU so others could share it. If you create a template, please share it with others.
-
I also switched from GNOME 3 to XFCE
I've also switched from GNOME 3 (esp. GNOME shell) to XFCE. I didn't know that Torvalds was switching to XFCE, but I made the same decision for similar reasons. I've learned that lots of people are doing this, in fact. For me, it comes down to two issues: (1) GNOME 3’s shell makes it much harder to do simple, common tasks, and (2) GNOME 3 shell often hides how to do tasks (it’s not “discoverable”). See my post for more.
Torvalds says that, to get a second terminal, you have to press Shift-Control-N. Actually, there's another way in GNOME 3 shell: you can press CONTROL when you click on the application. That works for any application, not just Terminal. It's good that there's a way to do it, but this is still stupid. This incantation is not discoverable; you have to read the manual. But why should you press a magical, not-obvious key, just to do the right thing? It's also annoying; it's NOT a reasonable default behavior. If I wanted to reopen a currently in use window, I'd just click on that.
GNOME 3 can be fixed, but it'll take commitment by the GNOME 3 developers to actually fix it.
-
Re:Best GUI library for C++
-
And all the other
That's ONE.
Yup. And you could also add, IBM, HP and countless of others smaller companies.
FL/OSS *is* economically viable.
Bottom line is it's hard to make a lot of money in open source. Great for consumers, bad for investors.
Given the data, it's not impossible to make money in opensource.
It's bad for rent-seeking companies, it's good for everyone else.
-
Re:Encrypted passwords?
Obligatory David A. Wheeler's "Fully Countering Trusting Trust" piece link: http://www.dwheeler.com/trusting-trust/
-
Diverse Double-Compiling counters "Trusting Trust"
The "trusting trust" attack is a nasty attack, but there is a counter-measure. Diverse double-compiling can detect compiler executables subverted by the "trusting trust" attack. See my paper for more, if you're curious.
-
Push for SAS
Obviously software cost depends on what you measure it in. For example Linux kernel is estimated to cost near 1.4 billion US dollars (at the bottom), but IF you measure this in chickens.... it could cost 35,008,752.2 chickens.
In ounces of gold it would be around 1,040,041.6 ounces. In DOW it would cost approximately 127,186
It is also possible to estimate its cost in terms of Libraries of Congress, man years and many such wonderful things, however note that many Keynesians say that gold has no value but what is 'speculated' to be value while they do not see the same thing about their cherished and printed fiat, so then we could argue that Linux kernel is worth nothing if 1,040,041 ounces of gold priced at current levels in USD are worth nothing.
It's all a matter of point of view.
-
"Trusting trust" attack can be countered using DDC
You're talking about the trusting trust attack, which was made famous by Ken Thompson.
Thankfully, you can counter the "trusting trust" attack using a technique called "Diverse Double-Compiling" (DDC). See the linked PhD dissertation for details.
-
Re:No price or freedom
See Ken Thompson Reflections on Trusting Trust.
Now that there are multiple independent implementations of a C compiler, such as Clang for LLVM, TCC, and GCC, the trusting trust attack can be defeated with a compile farm.
-
Antitrust
Even after 15 years, illegally tying MSIE to Windows is still happening. This anti-competitive activity has hurt standards, hurt competition, hurt the economy and held back the net.
There is even a form to report ongoing anti-trust violations, there are so many.
If M$ executives and employees would have ditched MSIE if security or performance were an issue. Opera and even Safari are far and above superior, if closed source is an obligation. Keeping MSIE in place AND keeping pieces of it throughout the OS show that there is no intention of MSIE being there to benefit the end-user in anyway. If we add up the cost over 15 years of all the MSIE malware in one column we will have an astronomical sum. If we then total the combined costs of all Opera, Netscape, Cameleon, Safari, Firefox, Mozilla, and Konqueror malware in another column and subtract that total of non-MSIE costs from the MSIE costs, we will still have an astronomical sum. Based on quarterly malware damage, the sum is probably in the range of 100's to 10's of thousands of billions of dollars. The Apollo program to the moon itself only cost 25 billion and we got integrated circuits out of that. Even for the unrealistically low sum of 1 billion dollars, what kind of rocking Free Software distro, applications or infrastructure could have been created? Even building a full distro from scratch we could have a full kernel, drivers, utilities, desktop, services, and applications for less.
You can put a stop to this and advance technology, economy and security by not feeding the Windows monopoly any more market share. Tagging this one as "antitrust".
-
Defense in diversity
Ken Thompson would show you how you'd fail in this anyway.
The Trusting Trust attack as Ken Thompson described it can be worked around using "diverse double compilation". To defeat this, a compiler virus would have to know how to infect GCC, TCC, Clang, and every other popular Free compiler for a given language, including non-self-hosting compilers (those written in another language entirely). Bruce Schneier explains, as does David A. Wheeler. Likewise, in the case of writing firmware to a flash memory, the virus would have to know how to infect a Willem programmer, a Wellon programmer, and every other popular flash programmer.
-
The REASON for security problems: User apathy
You stated that "the vast majority of users have Adobe Reader installed to view PDF files, and they will not know why or how they should change to something else". That may be true, but that explains why we have so many security problems in the first place.
The more people that say, "Product X has too many security problems, I will switch to product Y", the faster the maker of product X will wake up and eliminate security vulnerabilities. Or disappear, leaving room for whoever makes product Y. Making a secure program is not rocket science; the principles have been known since the mid-1970s, and there is lots of freely-available information on how to do it (e.g., see my Secure Programming material). But developers will only do that if there is a reason to do so.
If most users accept whatever product they have, as if it appeared by magic from the heavens, then unsurprisingly, the maker of that product will not improve the product.
People should be rising up and saying, "Your product keeps having security problems, ones your competitors don't have. So I'm switching to a competitor". If enough people do that, security problems will be a rare event. So, let's get people to say "I'm not going to take it any more!!" Then, Adam Smith's invisible hand will cause products to either get better in a hurry, or disappear into their rightly-deserved rubbish bin.
-
Microsoft best innovation.
I feel like Microsoft has never developed a key software innovation and is not that good at predictions. I guess a lot of people feel the same as me. They are excellent at marketing their products and at keeping a healthy business, though.
I searched Google with the terms "Microsoft innovation" and "Microsoft best innovation" to try to prove myself wrong but I did not find anything. Try it for yourself.
The best innovation from Microsoft I could think of is DOS, but it was originally written to IBM specs then Microsoft recycled it into MS-DOS which is more a profiting after the fact attitude.
So here we go slashdotters: What is the best innovation Microsoft has brought to us and/or which Microsoft prophecy turned out to be the best prediction ?
-
Handling weird filenames - and eliminating them
I agree that handling weird filenames can be tricky; see Fixing Unix/Linux/POSIX Filenames for more. The biggest problems aren't specific to shell, though, but are general complications that apply to all languages: Control Characters (such as Newline), Leading Dashes, and non-UTF-8 characters.
As far as using shell to handle filenames with spaces, double-quotes, and so on, the answer is pretty simple.
First, always begin shell scripts with: IFS=`printf '\n\t'` This means that the "space" character is no longer special, and this eliminates 99% of your problems.
Second, whenever you USE (instead of set) a variable, use "$variablename" instead of $variablename. If variablename can only contain alphanumeric characters, you don't need to do this (though it doesn't hurt).
Third, when you want a list of "filenames in this directory", use for x in ./* instead of for x in * so that filenames beginning with "-" won't get you (this is a problem for all languages, not just shell).
Follow those rules, and the vast majority of "problems" go away. You can have filenames with double-quote characters, for example, as long as you reference them with "$variablename" instead of $variablename, it's not a problem (shell is smart enough to not interpret them twice).
Of course, if you want things even easier, support the idea of limiting filenames in Linux/Unix as I discuss in Fixing Unix/Linux/POSIX Filenames for more.
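The three rules above, run against a constructed directory of awkward filenames, beside the naive loop they replace. This is an added example, not code from the comment or from dwheeler.com; the filenames and the helper names (make_fixture, naive_word_count, naive_open_failures, careful_count) are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not part of the original comment: the post's three rules
# applied to a scratch directory of awkward names, next to the naive loop.

# Build a scratch directory with constructed awkward names: one with a space,
# one with a leading dash, one with an embedded double-quote, one plain.
make_fixture() {
    dir=$(mktemp -d)
    : > "$dir/plain.txt"
    : > "$dir/has space.txt"
    : > "$dir/-leading-dash.txt"
    : > "$dir/say \"hi\".txt"
    printf '%s\n' "$dir"
}

# The naive loop: default IFS, bare glob, unquoted $x. Word-splitting turns
# the four names into six "words", so anything downstream sees the wrong list.
# (The body runs in a subshell, so unsetting IFS does not leak out.)
naive_word_count() (
    unset IFS                      # default separators: space, tab, newline
    cd "$1" || exit 1
    n=0
    for x in *; do
        for w in $x; do            # unquoted: splits on the space in the name
            n=$((n + 1))
        done
    done
    printf '%s\n' "$n"
)

# Same naive style, counting how many files a command cannot open when handed
# the unquoted name: the space and the quote split the name into pieces, and
# -leading-dash.txt is parsed as options instead of a filename.
naive_open_failures() (
    unset IFS
    cd "$1" || exit 1
    failures=0
    for x in *; do
        cat $x >/dev/null 2>&1 || failures=$((failures + 1))
    done
    printf '%s\n' "$failures"
)

# The careful loop, following the post's three rules:
#   1. IFS holds only newline and tab, so a space never splits a name;
#   2. every use of the variable is quoted, "$x";
#   3. the glob is ./* so no argument can ever start with "-".
careful_count() (
    IFS=`printf '\n\t'`
    cd "$1" || exit 1
    n=0
    for x in ./*; do
        [ -f "$x" ] || continue
        cat "$x" >/dev/null || exit 1   # ./-leading-dash.txt is just a path here
        n=$((n + 1))
    done
    printf '%s\n' "$n"
)

# Stand-alone run: 6 words and 3 open failures for the naive loops against
# 4 files for the careful one, then clean up.
main() {
    d=$(make_fixture)
    echo "naive words:         $(naive_word_count "$d")"
    echo "naive open failures: $(naive_open_failures "$d")"
    echo "careful files:       $(careful_count "$d")"
    rm -rf "$d"
}

main
```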
-
Public funding = open access+open source
Please support proposals such as the proposal to the National Science Foundation (NSF) called "Public funding = Public viewing" (by voting for them, making positive comments, etc.). This proposal recommends that publicly funded projects must be published as open access and all data and code shared as open source software. If "We the people" pay for research and development, then "we the people" should get the results. If there aren't existing proposals for certain agencies, please add them.
As I've commented before, Government-developed Unclassified Software should by default be released as Open Source Software, and U.S. research should be open access. The current model, especially for research and development, isn't working.
-
Re:I'd partly agree ...
In fact can anyone think of anything technically innovative that Microsoft ever put their name on, that wasn't originally bought, copied, 'embraced', assimilated, or blatantly stolen from some other company? I can't.
For those wanting a reference, the article "Microsoft, the Innovator?", Mar. 2001 by David Wheeler would seem to agree with your assertion, as does Microsoft: Hall of Innovation (not original link - original article seems to have been taken down). Both generally accord with my personal recollection.
-
Re:A major security flaw in IE?
Honestly, if you think you can just slap a few open pieces of software together and have a secure functioning browser, you're smoking something. There's a reason there's only 4 browser engines, and that's because it's *hard*.
Firefox is NOT doing well at producing a secure browser. They patch faster than IE, but every Mozilla 3.5 release has between 2 and 6 critical (read likely exploitable) security flaws. They have had 35 flaws total in the last 7 months. http://www.mozilla.org/security/known-vulnerabilities/firefox35.html
Chrome is doing somewhat better, but they have only 2% market share, and not as many people hunting for bugs. Still a number of critical bugs fixed last year.
Just ran sloccount on firefox 3.5.7 source tree, and it says there are 2.7 million lines of code. For comparison, the Linux 2.6.32.3 has 8 million lines, so Firefox is only 1/3 the size of the full Linux kernel, including all drivers.
The average code has about .5-1 security bugs per 1k lines of code. That means we can expect 1350-2700 security bugs in Firefox.
Just so this isn't all about Firefox, Chromium (the open source branch of Chrome) largely reuses software as much as possible, and has 4.5 million lines of code. That's a huge project. They seem to have fewer custom parsers, but upstream bugs still do affect them.
The point of this isn't to say that Firefox or Chromium is worse than IE, it's just that modern web browsers are *complicated*. Security is hard even for small projects, and 2.7-4.5 million lines of code is not small. You can hate on IE all you want for web standards support (SVG and XHTML are two nice places to start), but they're actually not doing much worse than the other players for security at the moment. Yes, IE 6 is a piece of crap, and if you're still running that then you deserve what you get, but IE 8 is decent.
-
Patent system fundamentally broken
The current patent system presumes that "everything worth inventing, that has been invented, already has a patent". That wasn't really true in the late 1700s, and is completely nonsense today.
Eben Moglen made an interesting point about patents back in 2009. Today, any time the government wants to create a new rule/regulation, they must normally ensure that the public can participate/review/comment on it. Also, the government must show that the benefits of the rule/regulation exceeds its costs. All of this is courtesy of the Administrative Procedure Act of 1946 (aka the APA). The APA is no garden of perfection, but it has helped. The big exception is the patent system, which predates the APA, and thus patents are exempt from the APA. In the patent system, there is no opportunity for the public to participate/review/comment on each patent, and there is no requirement to show that the benefits of granting a patent exceeds its costs. Which is weird, because patents (as government-granted monopolies) can have as wide an effect as any other rule or regulation. We need to get rid of software and business method patents, at least, but changing the patent system to require public review and a demonstration that costs exceeded benefits would help too.
-
Securing Windows
If you're running Windows, you might take a look at this page on securing Microsoft Windows. It might not SOLVE the problem, but it might help.
-
Re:Defining GPL?
the GPL, a widely used (including by the Linux kernel) free software license
Good thing they cleared that up. I never would've known what the GPL is without this explanation.
I wonder if it's time to stop referring to the GPL as a "widely used free software license" and refer to it as "THE most widely used software license".
A combination of
and
http://en.wikipedia.org/wiki/Source_lines_of_code
would seem to indicate "around 180 million LOC in Debian" vs maybe 50 MLOC for windows. Not everything is in Debian (believe it or not) and not everything MS is in Windows, but everything else that is MS licensed probably doesn't add up to more than 3 times the size of windows... Also, some stuff in MS products is BSD licensed and has to be subtracted.
The number of lines of GPL licensed code is probably larger than any other license, free or nonfree...
-
Government-developed unclass: Default OSS
I make a similar argument in "Government-developed Unclassified Software: Default release as Open Source Software" - if "we the people" paid to develop software, then by default "we the people" should get it. This was one of the proposals in the open government dialogue, and many people voted for it.
I don't think that EVERY program funded by the government should be released to the public. If it's classified for good reason (say, its purpose is to explode a nuclear bomb), then I think it should definitely NOT get to the public. But if we made openness the DEFAULT, that would eliminate a lot of nonsense.
-
Re:the bug is not in ldd
Really? How, pray tell? Do you have a program that can determine whether two non-identical executables do the same thing? Will it also tell me whether those executables have infinite loops?
In general, the attack is considered very subtle and difficult to defend against. The best counter I'm aware of is diverse double compiling, which isn't exactly trivial. Perhaps more importantly, it's not actually in general use. Theoretical attacks are interesting, in part because someone else might actually be using them; theoretical solutions that aren't actually used don't protect against much.
My point was more about what is common practice than theoretically possible: most people don't understand most software they use. Similarly, most people don't verify their compilers through diverse double compiling.
-
Documented in ldd(1) and Program Library HOWTO
This is documented, and in multiple places. My Program Library HOWTO, section "Shared Libraries", says the following, and it's dated in 2000: "Beware: do not run ldd on a program you don't trust. As is clearly stated in the ldd(1) manual, ldd works (in certain cases) by setting a special environment variable (for ELF objects, LD_TRACE_LOADED_OBJECTS) and then executing the program. It may be possible for an untrusted program to force the ldd user to run arbitrary code (instead of simply showing the ldd information). So, for safety's sake, don't use ldd on programs you don't trust to execute." Now I'd agree that it would be better if ldd were changed to NOT do this. If the result of this article is a change in its code to not do this, that would be a great result. But it's simply not true that this is undocumented.
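The safe alternative the comment above points at is to read the dependency list from the file rather than running it: the DT_NEEDED entries in the .dynamic section hold the same names ldd prints, and reading them never executes the binary's loader. The block below is an added example (not code from the comment, the Program Library HOWTO, or ldd itself). It parses ELF32/ELF64 section headers with nothing but struct, and builds a tiny constructed ELF64 image in memory so it runs offline; the library names libc.so.6 and libm.so.6 in that image are constructed sample values, not taken from any real binary.

```python
import struct

SHT_STRTAB = 3    # string table section
SHT_DYNAMIC = 6   # .dynamic section
DT_NULL = 0       # end of the dynamic array
DT_NEEDED = 1     # d_val is an offset into the dynamic string table


def needed_libraries(data: bytes) -> list:
    """Return the DT_NEEDED names of an ELF image, purely by parsing bytes.

    Unlike ldd, nothing here runs the program or its interpreter, so an
    untrusted file cannot use this call to execute code. It lists only the
    direct dependencies recorded in the file; it does not resolve them
    transitively the way the dynamic loader (and hence ldd) does.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or byte order")
    end = "<" if ei_data == 1 else ">"
    is64 = ei_class == 2

    # Section header table location: e_shoff, e_shentsize, e_shnum.
    if is64:
        (e_shoff,) = struct.unpack_from(end + "Q", data, 0x28)
        e_shentsize, e_shnum = struct.unpack_from(end + "HH", data, 0x3A)
    else:
        (e_shoff,) = struct.unpack_from(end + "I", data, 0x20)
        e_shentsize, e_shnum = struct.unpack_from(end + "HH", data, 0x2E)

    # Fields: name, type, flags, addr, offset, size, link, info, align, entsize.
    shfmt = end + ("IIQQQQIIQQ" if is64 else "IIIIIIIIII")
    sections = [struct.unpack_from(shfmt, data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]

    dynfmt = end + ("qQ" if is64 else "iI")   # d_tag, d_val
    dynsize = struct.calcsize(dynfmt)
    needed = []
    for sh in sections:
        sh_type, sh_offset, sh_size, sh_link = sh[1], sh[4], sh[5], sh[6]
        if sh_type != SHT_DYNAMIC:
            continue
        # sh_link of .dynamic names the string table its entries index into.
        strtab = sections[sh_link]
        if strtab[1] != SHT_STRTAB:
            raise ValueError("dynamic section does not link to a string table")
        strs = data[strtab[4]:strtab[4] + strtab[5]]
        for pos in range(sh_offset, sh_offset + sh_size, dynsize):
            tag, val = struct.unpack_from(dynfmt, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                name_end = strs.index(b"\0", val)
                needed.append(strs[val:name_end].decode("ascii", "replace"))
    return needed


def build_sample_elf64() -> bytes:
    """Construct a minimal little-endian ELF64 image (constructed sample, not
    a real executable) with a .dynstr and a .dynamic section only."""
    dynstr = b"\0libc.so.6\0libm.so.6\0"          # names at offsets 1 and 11
    dynstr_off, dynamic_off = 64, 88                # right after the header
    dynamic = (struct.pack("<qQ", DT_NEEDED, 1)
               + struct.pack("<qQ", DT_NEEDED, 11)
               + struct.pack("<qQ", DT_NULL, 0))
    shoff = dynamic_off + len(dynamic)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # 64-bit, LE, v1
    # e_type=ET_DYN, e_machine=x86-64, e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 3, 62, 1, 0, 0, shoff, 0, 64, 56, 0, 64, 3, 0)
    shdr = "<IIQQQQIIQQ"
    sections = (struct.pack(shdr, *([0] * 10))                               # SHN_UNDEF
                + struct.pack(shdr, 0, SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)
                + struct.pack(shdr, 0, SHT_DYNAMIC, 0, 0, dynamic_off, len(dynamic), 1, 0, 8, 16))
    body = header + dynstr
    body += b"\0" * (dynamic_off - len(body))
    body += dynamic
    return body + sections


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf64()
    for name in needed_libraries(image):
        print(name)
```

Run it with a path to inspect a real file, or with no arguments to parse the constructed sample. Because it only reads section headers, it gives no answer for a stripped binary with no section table, and it does not show where each library would be found at load time; for either of those you are back to a loader, which is exactly the step the comment warns about for untrusted files.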
-
License compatibility
Bruce is quite right. License incompatibility can be a real problem; by sticking to a small set of certain widely-used licenses, you avoid the problem. If you're interested in license compatibility issues, you might look at The Free-Libre / Open Source Software (FLOSS) License Slide and Make Your Open Source Software GPL-Compatible. Or Else
-
"Open Source" is well-defined by USG.
Sure, some lawyers twist the meaning of words... so let's call them on it. But the U.S. government (USG) already has an official definition of "open source software", and it is NOT "you can read it". Office of Management and Budget (OMB) M-04-16 defines the term "open source software", saying that "Open Source Software's source code is widely available so it may be used, copied, modified, and redistributed". It's really the "Free Software Definition", but the OSI definition and the Free Software Definition are very, very, very close in practice. And that OMB memo is an official document.
IBM makes piles of money from patents, so no one should be surprised that IBM is for getting more money. But that does not mean it is good for the country. What's more, the Supreme Court has NEVER held that software algorithms are patentable, and the U.S. experiment into software patents has shown that the Supremes were wiser than the patent lawyers. Whether they're willing to make that stick now or not is the big question.
It's not clear that the odds are great, but it would be great if someday the U.S. eliminated the madness of software patents.
-
Countering Trusting Trust!
Ken Thompson's "Reflections on Trusting Trust" is a recurrent Slashdot link but people never link to the counter argument article, David A. Wheeler's "Countering Trusting Trust". It doesn't give a complete view to leave out the second article...
-
Re:Bug free software would be insanely expensive!
How many copies of XP were sold? If Microsoft has sold 300 million copies, then at $150m development cost they could sell the OS for $2 and make a $150m profit.
Yes, but the quote was $150million for 100,000 lines of code.
XP had over 40 million lines of code, so assuming the costs scale linearly (which is optimistic IMHO), it would cost $60 billion dollars to develop a "bug free" version of XP.
For reference, Red Hat 7.1 contains approx 30 million lines of code.
-
Not all ISO standards are open
ISO (among other organizations) creates international standards, but not all standards are open. If you're adding the adjective "open" to the noun "standard", then presumably the adjective modifies the noun in some way. Yes, we then get to argue about what the term "open" means when attached to the term "standard", but clearly it can't just mean "it's a standard", or we wouldn't add the adjective.
If implementers have to make royalty payments, then that excludes many possible suppliers, and thus such a standard cannot possibly be open. That isn't just my idea; the EU, for example, agrees. In "European Interoperability Framework for pan-European eGovernment Services" (Version 1.0, 2004, page 9), the IDABC division of European Union adopted a definition that said that to be an open standard "The intellectual property - i.e. patents possibly present - of (parts of) the standard is made irrevocably available on a royalty-free basis." The South Africa definition already requires royalty-freeness as well. My paper Is OpenDocument an Open Standard? Yes! analyzes one standard (OpenDocument) to determine if it's an open standard, by using several definitions of open standard. Two of the three most popular definitions of "open standard" of the time, as determined by Google, required royalty-freeness as a necessary condition (Perens' and the EC's). Since Google's pagerank algorithm prefers pages that more people link to, it's reasonable to believe that most people, when they say "open standard", include "royalty-free" as part of their definition. In the case of Europe and South Africa (at least), that definition even has official sanction.
If "most people" use a term in a particular way - especially when that use is formally approved of by many governments - then that's what the term normally means. After all, that's how language works in general; the mapping of sounds to meanings is arbitrary, but we have to agree on the mapping to communicate in a particular language. It's understandable why some companies would like to redefine this term, or at least confuse its meaning. But we don't need to agree with them.
-
"Standard" incompatible with "software patent"
It's true that "GPL" is not the same as "open". But a good test for openness of a standard is "can you implement it using the GPL?". In short, if a standard CANNOT be implemented by GPL'ed software, then it CANNOT be an open standard. Why? That's because the GPL is by far the most popular open source software license; nothing else even comes close. And increasingly, major market niches have an open source software implementation as the #1 or #2 implementation. A standard that locks out major implementations cannot possibly be an open standard. The whole point of a software patent is the power to exclude implementation (without paying royalties, etc.), while the whole point of a standard is to allow arbitrary use - they are fundamentally incompatible. Digistan has a more reasonable definition of open standard - and why you would want one.
-
FTP, rsync+ssh
FTP is still fine for providing big files that don't need to be protected by a password. But yes, if you're CHANGING data, raw ftp is usually a bad idea.
If you're uploading files, I heartily recommend using rsync+ssh. It's incredibly fast, since only the files that CHANGED are uploaded, and ssh makes it all secure. It can be a pain to set up on some cheap hosting sites, but I've figured out how to make rsync+ssh work even on some cheap hosting sites. Hope that helps.