Domain: perl.com
Stories and comments across the archive that link to perl.com.
Comments · 775
-
Linux documentation disarray
Linux has much better documentation
Are you really serious? Have you truly looked? Linux documentation is abominable! Even the worst BSD distribution is at least an order of magnitude better at documentation than the best Linux distribution. I'm not kidding in the least. It's abominable.
Take Redhat/Linux, for example (please :-). Most of what Redhat ships is undocumented, and that which exists is severely underpowered compared with BSD.
For example, let's suppose you'd like to learn about the interface to the system's terminal drivers. That's in tty(4).
redhat% man 4 tty | wc -l
66
redhat% find /usr/man/man4 -type f -name '*.*' -print | wc -l
62
openbsd% man 4 tty | wc -l
299
openbsd% find /usr/share/man/cat4 -type f -name '*.*' -print | wc -l
371
That's a huge difference. As you can plainly see, the amount of info on just one device in BSD is much better than on Linux. And if you look at the overall device coverage, the same theme carries through.
And that's just part of it. Here's a bug list on Redhat docs that I've submitted, along with programs to automatically detect these problems. You should really read those over to start to get a feel for how bad it is.
I'd like to make clear that redhat has done a very great job at fielding these bugs and trying to do something about them. I am completely happy with their customer service. I'm not trying to knock that.
Some of the tools I used for this are:
- cfman - make sure manpages have accurate SEE ALSOs
- no3man - identify which library calls aren't mannable
- noman - identify which commands are installed without manpages
- scatman - find turds in mantrees
My point of view is that it isn't fair to the user of your system for you to ever include something that isn't documented. When I have been part of releases, either the old Unix releases from years ago or even the new Perl releases today, the rule was simple: if it isn't documented, it isn't shipped. No excuses.
I strongly believe that the Linuces should do the same. Let no program or library be shipped which is undocumented. It's the very least a systems integrator can do. That's just part of what we mean when we say that BSD distributions are more "solid" than Linux distributions. The commercial Unices and the free BSDs take this kind of thing seriously. The Linuces, so far, do not. I have hope that this will change, and Redhat has a truly positive attitude about all this, but right now, you just can't compare them.
-
Fighting Spam on Your Own
We'd probably all like to see spammers go to jail, lose their jobs and homes, and probably get their teeth knocked out, too. But until and unless there's a war-on-drugs level commitment to track down these criminal abusers, we have to do what we can by ourselves. I'd like to see an address in some crime investigation unit that you could forward spam to. The officials there would do the work of tracking down the criminal sender and then prosecute them to the fullest extent of the currently missing laws.
You can do a lot to fight spam. Junkbusters has a site devoted to getting these intrusions out of our lives. I've used their anti-junk snailmail system, and it really does work well. They've also got a nice page on stopping computer UBE crud, too.
Personally, I never hide my mail address. It's dishonest, and, technically, against the rules. My real address, tchrist@perl.com, is sitting right here in this message, on the header for this comment, and is also posted in a hundred thousand different places--if not more. But you know what? I don't see much spam. I auto-bounce at least fifty pieces of spam per day. And most days, not more than a couple make it through -- but only once.
Some of them get bounced using sendmail's anti-spam features. I'm a big fan of the Realtime Blackhole List, which sendmail can be configured to access.
Some spammage gets bounced because the sender is on my own blacklist of forbidden addresses, which lately includes things like /\b\d+\.net/. Others are bounced because they look like spam, or because they're mime-encrypted. This is all taken care of by a custom receiving program, plus some other scripts to dynamically update the blacklist.
I don't automatically bounce mail that violates reasonable netiquette, but I do have a periodic posting about the idiotic Jeopardy mail.
And yes, now and then a few innocent men are sent to the gallows. This is the price we pay on the war against spam. If it's important, they'll figure out another way to mail me.
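An added example, not part of the comment above and not the commenter's actual receiving program: a minimal Perl sketch of a sender blacklist check of the kind described, using the `/\b\d+\.net/` pattern quoted in the comment. The second pattern, the function names and the sample messages are constructed for illustration; the third sample shows how matching the whole address also bounces a legitimate sender.

```perl
#!/usr/bin/perl
# Added illustration: decide whether to bounce a message by matching the
# From: address against a list of regular expressions.
use strict;
use warnings;

# Sender blacklist. The first pattern is the one quoted in the comment;
# the second is a constructed placeholder.
my @blacklist = (
    qr/\b\d+\.net/i,
    qr/\@bulk\.example$/i,
);

# Split off the header block, unfold continuation lines, and return a
# hash of lower-cased header names to values (first occurrence wins).
sub parse_headers {
    my ($raw) = @_;
    my ($head) = split /\r?\n\r?\n/, $raw, 2;
    $head //= '';
    $head =~ s/\r?\n[ \t]+/ /g;
    my %h;
    for my $line (split /\r?\n/, $head) {
        my ($name, $value) = $line =~ /^([^:\s]+):\s*(.*)$/ or next;
        $h{lc $name} //= $value;
    }
    return \%h;
}

# Pull the address out of a From: value, preferring the <angle> form.
sub sender_address {
    my ($from) = @_;
    return lc $1 if $from =~ /<([^<>\s]+\@[^<>\s]+)>/;
    return lc $1 if $from =~ /([^\s<>()]+\@[^\s<>()]+)/;
    return;
}

# Return (action, reason) for one raw message.
sub verdict {
    my ($raw) = @_;
    my $h    = parse_headers($raw);
    my $addr = sender_address($h->{from} // '');
    return ('bounce', 'no parsable sender') unless defined $addr;
    for my $re (@blacklist) {
        return ('bounce', "sender $addr matches $re") if $addr =~ $re;
    }
    return ('accept', "sender $addr not blacklisted");
}

# Constructed sample messages.
my @samples = (
    # Numeric domain under .net: matches the quoted pattern.
    "From: Offers <promo\@12345.net>\nSubject: hi\n\nbody\n",
    # Ordinary sender: accepted.
    "From: alice\@example.org\nSubject: lunch\n\nbody\n",
    # False positive: the pattern is applied to the whole address, so
    # "99.net" inside the local part "sales.99.network" also matches.
    "From: sales.99.network\@example.org\nSubject: quote\n\nbody\n",
    # No From: header at all.
    "Subject: nothing to see\n\nbody\n",
);

for my $msg (@samples) {
    my ($action, $why) = verdict($msg);
    print "$action: $why\n";
}
```

Anchoring the pattern to the domain part (for example, matching only the text after the `@`) would avoid the third case while still catching the first.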
-
Plus ça Change...
Remember this:
``Anyone who slaps a `this page is best viewed with Browser X' label on a Web page appears to be yearning for the bad old days, before the Web, when you had very little chance of reading a document written on another computer, another word processor, or another network.''
--Tim Berners-Lee in Technology Review, July 1996
The web has been co-opted by forces who want to commit all the same evils as we thought we were escaping. Reading over the responses to this article, it doesn't seem like we're making much headway. We've got people whose companies assume an "MSIE or die" mentality. We've got rampant use of unportable, closed-source video games posing as plug-ins. We have people requiring you to use 640x480 displays with few pixels and bad colors. And of course, we have incorrigibly non-portable vendor-specific character sets that completely ignore standards.
We shouldn't be surprised that once money makers got involved that the web became just another casualty in the war on our minds. Information is less important than image. Literacy is less important than economics. Critical reasoning is less important than feel-good emotive response. Welcome to our brave new world; we hope you like it, because you don't have any choice. Best to just lie back, close your eyes, and think of England--er--America.
Neil Postman's non-fiction book, Amusing Ourselves to the Death, is a disturbing report of this phenomenon that offers no real solution. Bruce Sterling's science fiction novel, Distraction, is not just a decent story; it's also filled with social commentary about a world in which media image is paramount. I heartily recommend both books. Huxley's Brave New World wasn't that great a read, but he was scarily on-target about a lot of this.
Here are two links to resources related to this disturbing trend. The first is to the Any Browser Campaign, a definite must-read for designers. The other is a far less ambitious work, my own short treatise on Diversity in Web Design. Both are replete with links to further resources.
There's also a subtle connection between the themes of bad keyboard strategies and bad webpage design. In both cases, we have people who think they're making things better for one portion of the populace at the cost of making things worse for another portion.
-
Re:GPL and proliferation of Linux
Are all the core libraries (libc5, glibc2.x, gtk, gnomelibs, kdelibs, maybe even the kernel api) licensed such that you can link a non-GPL program to them?
You've uncovered a profoundly disturbing issue. You have two choices: you may either believe the FSF, who want you to think that a GPL'd library spreads its virus to the calling program, or you can believe those of us who say that that's pure poppycock. Whichever way you go, you'll have to make a leap of faith, willfully believing what you wish to believe. No court has pronounced judgment on this matter, so everything remains pure speculation.
Take, for example, Enlightenment.
% ldd enlightenment
libFnlib.so.0 => /usr/lib/libFnlib.so.0 (0x2aac0000)
libttf.so.2 => /usr/lib/libttf.so.2 (0x2aac8000)
libesd.so.0 => /usr/lib/libesd.so.0 (0x2aadd000)
libaudiofile.so.0 => /usr/lib/libaudiofile.so.0 (0x2aae3000)
libm.so.6 => /lib/libm.so.6 (0x2aaf5000)
libImlib.so.1 => /usr/local/lib/libImlib.so.1 (0x2ab11000)
libjpeg.so.62 => /usr/lib/libjpeg.so.62 (0x2ab3d000)
libtiff.so.3 => /usr/lib/libtiff.so.3 (0x2ab5c000)
libungif.so.4 => /usr/lib/libungif.so.4 (0x2ab89000)
libpng.so.2 => /usr/lib/libpng.so.2 (0x2ab91000)
libz.so.1 => /usr/lib/libz.so.1 (0x2abae000)
libXext.so.6 => /usr/X11R6/lib/libXext.so.6 (0x2abbd000)
libSM.so.6 => /usr/X11R6/lib/libSM.so.6 (0x2abca000)
libICE.so.6 => /usr/X11R6/lib/libICE.so.6 (0x2abd3000)
libX11.so.6 => /usr/X11R6/lib/libX11.so.6 (0x2abea000)
libXtst.so.6 => /usr/X11R6/lib/libXtst.so.6 (0x2ac8e000)
libghttp.so.1 => /usr/lib/libghttp.so.1 (0x2ac93000)
libdl.so.2 => /lib/libdl.so.2 (0x2ac9b000)
libc.so.6 => /lib/libc.so.6 (0x2ac9f000)
libjpeg.so.6 => /usr/lib/libjpeg.so.6 (0x2ad91000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x2aaab000)
Do any of those libraries contain the FSF's poison pill? You bet they do! Now, with E, it's not a big deal, but what happens if Netscape or Adobe Acrobat or Word Perfect or any other provider of commercial software links with one of those, not realizing that they've just screwed themselves beyond belief?
Very bad things.
We end up with a vendor who gets burnt by free software. Beautiful. Whether we have a court battle or a vendor withdrawing their product, or both, this will be the Kiss of Death.
What can be done? Here are three pro-active suggestions:
- Have the FSF make a blanket statement that the GPL on a library does not infect the resulting executable through mere use of that library, as many of us already maintain.
- Create condoms for all the currently virus-carrying libraries.
- Change the build process and the libraries so that a loader error is produced if you accidentally generate an infected binary without having specified some option that says you don't mind that. For example, if the default were to tolerate it, you could create a gcc --free flag to blow up in case something viral were used. On the other hand, if the default were to complain (as I believe it should be), you could create a gcc --viral flag to not blow up if you accidentally created a viral library.
You have discovered a very, very important point: unless we want to see Linux die back to a niche system without any commercial software available for it, this issue must be addressed, and as soon as possible.
-
Liberating nonfree FSF software
If I write a program that links to getopt(3fsf), it is certainly my work.
If I write a shell script that calls out to getopt(1fsf), that shell script is still my work, and their virus has no hold upon me. The FSF will be quick to agree to this.
Now, if I write a program that links to readline(3fsf), it is certainly my work.
I know this. You know this. Even the FSF knows this. But then they realize that they're about to let the cat out of the bag, so they backpedal. They try to pretend that the foofunc(1fsf) program doesn't infect the calling program or script, but that the equivalent foofunc(3fsf) does. That's where they screw up.
When I use foofunc(3fsf), they would really, really like all the world to believe that they've now infected me, that they get to tell me what I can and cannot do with the software I wrote.
Guess what? That's bunk. They haven't infected me. I'm merely using a library function in the way that library functions are meant to be used: they're an API, and you link to them. It is of no consequence whether it's statically linked at link/load-time, dynamically linked at start-up, or accessed at run-time during execution via any one of myriad forms of RPC. It's API only, not material inclusion. APIs aren't viral.
This is really no different than the situation with the Linux kernel: its GPLness doesn't infect privately-held commercial device drivers linked against the kernel. This is good. Sure, it pisses off the FSF (read: Stallman, as with nearly any reference to the FSF). But so what? Lots of things piss him off. Tough. Linking to drivers like this only makes Linux more useful to more people.
BSDI found this out a long, long time ago. They wanted to completely open source, but couldn't get the drivers they needed that way. Vendors refused, important vendors whom they really needed. So they made an exception. I think folks have forgotten that lesson.
The FSF pretend not to try to control an API. They pretend not to try to control fair use. Very well. These false pretenses are a two-edged sword. Nice people don't play with knives, but since they're waving theirs around, so be it. It can cut them, too.
Most Linux operating systems ship with all of these various functions, like strlen(), getopt(), or readline(). It is ludicrous to believe that some infect and some do not. It's complete hypocrisy with no basis in reason. Libraries are for using. You can't control use through copyright. No copyright will let you require someone who buys your book to shelve it only with other books you approve of, or to read the book only under a full moon, or to stop you from reselling the book at a used bookstore.
It was this hypocrisy that inspired me to expose the fact that libraries cannot be infectively GPL'd, because that's trying to use copyright to dictate use. Thinking of the issues of getopt(1fsf) and getopt(3fsf), I, as a simple demonstration, liberated readline from its erstwhile nonfree state.
And there was much rejoicing.
No, really--there was. I've received a good bit of joyful mail for this blow against tyranny and for freedom. I don't think it was as heroic an act as the mail often phrased it, but it was something that definitely needed being done. I also learned that at least two (and I think three) other implementations exist, so it's all water under the bridge now. You've an API you can link to freely. Enjoy. That's what freedom's for.
People needed to see that you cannot employ the GPL to dictate use of libraries. And you shouldn't want to. That's not free. That's coercive. Be charitable. Set your software free.
-
Re:Sounds good to this uninformed reader
The other concern is the 'viral' nature of GPL code. Can anyone clarify for me, is it the case that if you use a library that is GPLed, your code must also be GPLed? If that is the case, that makes it impossible for a closed source project to use GTK for example (unless the library's originator licenses it to you under special license - does anyone know of a famous example of this?). I personally don't think that limiting the amount of software written with a library is a good thing.
I agree with you. The FSF thinks otherwise. They think it is infective. But a lot of people don't believe them.
Remember the Perens interview in which he essentially confessed that in an RPC-centered world, full of COM and CORBA and dynamic linking and client-server bits, that libraries aren't really going to propagate the GPL the way the FSF would like them to? I forget the words he used, but it seems to me it might have been "loophole". And of course, there's the freeline technique demonstrating this and removing the string from viral libraries, making them do their real work -- being callable code -- not conveying the homeopathic GPL curse.
-
Re:The Greatest Gift of All
It forbids you from using GPL'd software in conjunction with commercial software like Oracle libraries. Your other points are arguable, but this is totally false. The GPL only covers redistribution; in fact, the license text says so explicitly. You can link it to as many non-free libraries as you want, although free (non-profit or commercial) ones are preferred.
Come now. You're smarter than that. Please explain to me how someone is going to sell this software now? The FSF won't let them. And that's why they want to link to it. They want to sell it. They've got 100,000 lines of C code, and they link it to the Oracle libraries and to GNU DBM, and zap, they're totally hosed. Can't sell it. What a waste. Now they have to reinvent the wheel. So much for being a boon to programmers.
Sure, there are ways around this. You can point out that the amount of derivedness is immaterial--the courts might well support you here, since they have in other forms of intellectual property. Or you could argue that a library was meant to be used. Or you could use the FSF's own mendacious "free" rhetoric back on them explaining why something that you can do anything you want with something that's free.
Or, of course, you can use the freedline mechanism, but the FSF will just complain bitterly that this mechanism violates the spirit of what they're trying to do. Whether it's immoral to disobey an immoral command is something you'll have to work out for yourself.
-
Re:BSD license (not offtopic) | GPL is a virus.
The 'infectious' nature of the GPL is one of its strongest points, that it is guaranteed to stay free.
Its infectious nature is its most insidious and divisive points. It is strong in the sense that the stench of a spraying skunk is strong.
Once more: YOUR CODE IS GUARANTEED TO REMAIN ALWAYS FREE. The GPL is not the way to make that happen. The BSD licence does that, too, but the GPL does something else.
The GPL is a way to immorally coerce others into making the choices that you want them to make. The LGPL, being non-infective, is much less evil.
Remember that there are many ways to avoid GPL'd libraries, too, so the library might as well be LGPL'd. Notice how the bc program is handled on OpenBSD. It manages to use the GPL'd program without contamination.
If you give something away, it is free. If you tell them what to do with it, it is not. Free is better.
-
Re:Algothingies (having just forgotten how to spel
If you'd like an online tutorial, you might want to check out The CGI Resource Index, which is made by the same guy as Matt's Script Archive. Between the tutorials on the Resource Index, looking at the source of Matt's script, and reading the O'Reilly books, you can learn just about anything you want to know about Perl.
Others have responded that Matt's scripts aren't really a good source of information on how to program perl idiomatically, or maybe even correctly. :-)
But to add something to this thread, I'd like to point out that you really, truly can learn much more about Perl than you'd ever get from Matt's Script Archive by going to the Perl home page at www.perl.com.
After you've spent a couple of weeks digesting that, it is possible that you would want to know even more, so you can go to Tom Christiansen's Far More Than Everything You've Ever Wanted to Know About... web page, if you haven't already. Oh yeah, and you can buy O'Reilly books, too. :-)
-
Re:GPL mandates reinvention
Oh, no--the GPL requires reinvention. The LGPL does not. Consider what happens when you want to sell a program that uses both GNU DBM and an Oracle library. You're screwed, and must reinvent.
Of course, there are ways around that, effectively converting the GPL into the LGPL as applied to libraries. Better not to use the viral version in the first place, though.
-
Perl vs. Python...
While reading your post, I couldn't help but think of Perl's mantra: there's more than one way to do it. Skilled Perl types can look at code and, quick as a flash, code up something that does the same thing but looks vastly different.
Python on the other hand positively begs for everybody to do things in a similar way, if not the same way. This makes six or 12 month old code very readable and developers can continue to develop instead of helping maintainers maintain. But does it make small chunks of copyrighted Python code the building blocks for copyrighting the whole language? It's as dumb as copyrighting a sentence but we live in dumb times when it comes to technology.
I know that's an extreme thought but who would have thought that Sun -- of all companies! -- would stick it to a seemingly non-threatening entity?
-
Re:Mouseless pointer movement
Several problems with this idea.
With mouseless movement via keyboard mouse emulation you don't have fine-grained pointer control. It's extremely awkward to move around. It's like using arrow keys instead of a mouse to play a fast-action game like xbill.
A more fundamental flaw that cannot be fixed through physical reconfiguration is that non-drawing programs that make overly heavy mouse use are usually misdesigned. Sure, if you have a bitmap, you want a high precision pointer device. But for most other things, you don't. Nonetheless, somebody got this insanely fucked up idea that if it's got a mouse interface, it's easy to use for a novice. This just isn't true at all. And even if it were so, optimizing for a novice instead of a long-time user is nutty. You're only a novice once, and then for a very short time. You have to spend the rest of your life as a non-novice suffering with the design decisions made for people who don't know what they're doing. It doesn't have to be this way, because you could design a program to help both sorts. But nobody does. They forget that the experienced user is more important than the novice, because his annoyance will be compounded across the time interval. If you have to design for only one, choose the real user, not the novice. If you can design for both, better yet.
The proper solution is for a program to be designed to allow the user to describe what he wants to do using a richer command set. There's a reason it's called a "point-and-drool" interface: it's been expert-proofed. Witness Motif text widgets.
You can't retrofit a keyboard-simulated mouse on an overly mousey program and ever manage Extreme Keyboarding. This takes careful design in the program so that you hit the right abstraction levels, not mere pointer emulation. We don't see much of that these days.
-
Similarities internal and external
You might both be right, depending on what you're each thinking.
Any POSIX conformant system will have essentially the same API. By that way of thinking, OpenMVS, OpenVMS, Solaris, AIX, Irix, Tru64 Unix, BSD, Linux, and yes, even the crippled NT subsystem seem quite similar. If the Hurd attempts to conform to the POSIX spec, then it would seem very similar to Linux or Solaris or BSD, which also make the same attempt. write(2) and read(2) et alia are pretty much the same everywhere. MS-DOS, on the other hand, seems quite different, because it is not standards conforming.
Of course, to someone hacking on the kernel source code, you, Daniel, are completely correct. A regular Unix kernel hacker will look for a long time for bdevsw in something running on top of a microkernel and never find it.
It's really a matter of perspective.
-
Re:Cuz it works. Read code from your fave apps.
Yup, it's called Topaz
-
Re:I love this book!
Glad you liked it. :)
I'm the guy who did the Perl chapter, so if that sort of thing is your style, look out for the forthcoming Beginning Perl where I do just that! Will be coming out in January.
I also talk about the book on www.perl.com where I explain why I think Perl is great for people who haven't programmed any other languages before.
Simon
-
Re:Unix users left out in the cold
KDE's documentation, btw, is perfectly proper, and if you want man pages, you can generate them yourself from the SGML source. Everyone else can hapily [sic] use html, same as always.
I expect and demand a single, solitary, coherently and seamlessly integrated documentation system for the entire operating system. I expect and demand that every command be documented, and that every user-callable function be documented. I don't care what the hell that system is called, nor for the most part, how it works, provided it doesn't get any worse than man already is. But it must be ONE SINGLE SYSTEM.
I do not expect to go hunting through fricking alta vista to find something out. Documentation must be integrated. Don't make me hunt. Don't make me look one place for docs on this thing, and that place for docs on that thing. This hodgepodge scattering of documentation to random places on my system or the net all requiring distinct interfaces all ignorant of one another is a fundamentally brain-damaged Winix evil. You would never get away with this crap from a real vendor.
Just have make install generate and install proper manpages in proper. Anything else is wrong. If it's so damned easy, just shut up and do the right thing.
And remember, "elitist" is ignoramus-speak for "competent professional". I'll be happy to don that moniker and eschew its antonym. Anyone who touches a computer is severely handicapped if they can't type. Stop screwing over those of us who can by choosing a single-bit interface when there's a concerto just waiting to unfold beneath the expert's fingers.
You clearly lack the ability to understand why reliance on cascading and nested menus for command execution is fundamentally evil. You can't search them. You can't automate them. You can't ever get any better than the buffoon you were when you first got there. I could write an entire paper on why forcing this moronic model down all our throats is brain-numbing and counter-productive.
And please don't waste any more of my time trying to get me to tell the difference between whether you're a troll or whether you're a loon. Right now, you're batting 50-50, but guess what? I don't care which it is. I'm sure you'll have to bitch a little followup to everything I say, but go for it. I enjoy watching you waste your time flailing around like this, but as I've never seen anything particularly insightful from you (I've looked at your karma), and you never seem to actually learn from others, your rants will fall on deaf ears, and I shan't be responding to your trollings. Go ahead -- waste your life.
-
Microsoft and Feudalism
However, this particular incident only shows that Linux is doing well in the server market.
I see you've bought into the silliness that there's such a computer as a "server".
But what about the desktop market???
I see you've also bought into the silliness that there's such a computer as a "desktop".
There are no servers. There are no desktops. There are only computers, networks, and programs. If the computer is on the net, and you can talk to it, then that doesn't mean it's a server. If it can talk to you, that doesn't mean you're a client.
Throw off the shackles of Microsoft's feudal system of lords and serfs. Start thinking about a free world of equal peers.
It seems that MS still holds the reins in the PC market, and Linux is only barely making its entry there.
And for strike three, we have this whole "PC" == "personal computer" silliness.
Sigh. Maybe Babelfish should offer a Microsoft-to-hacker translation service, and Slashdot can provide a link.
As a proof (or rather, vague indication) of this, perhaps we could do a poll here on /. on how many people still dual-boots to Windows. I think I can almost predict the results..
"Still"? Hello? The answer is never. Never ever ever ever ever. I never did, and I never will. In two decades of computer use, I have not once had an MS-damaged computer. I've never touched the stuff, and neither have most of my programmer friends.
We are the masters of our own computers, independent wayfarers without enslaving ties to the local master, Lord Bill. To him we pay no taxes, nor from him do we hope for rescue in our hour of darkness. We grow our own food, defend our own homes, write our own tales, seek our own solutions. We are freemen, not serfs.
-
larry++, guido = guido + 1
-
Re:wot no latin?
no, virus, with the u pronounced long, and with good precedent. Virii would be the plural of "virius".
These guys think that there is no Latin plural, but I have to respectfully disagree. I would analogise "prospectus", which is quite definitely long u plural as well as being a second declension neuter not mentioned in the link.
jsm
-
Freeing GPL-encumbered libraries
A library licensed under the GPL requires the app to be GPL, so we see an obvious advantage given to Free developers. Readline is GPL'ed right? So, if you wish to take advantage of all the conveniences it gives you, well you have to GPL your program too. Having more free software doesn't hurt us much, now does it? Do I have any weight if I yell, "I want to use Readline in my closed source app but I can't. Therefore Readline and whoever wrote it are evil incarnate! Burn them! Burn them!!"
I have lots of good news for you. First of all, you have the wonderful position of seeing an alleged advantage that many of us never quite manage to make out. You are obviously a gifted and sensitive person.
The next piece of good news is that I freed the encumbered readline library using my innovative freedline package.
Another piece of good news is that by this device have all the GPL-encumbered libraries everywhere been freed, rendering them useful again as LGPL'd libraries (L standing for Library, of course).
Finally, my last piece of good news is that since then I've found that there are at least three other readline implementations out there, which means that you needn't even use my device. But it would still prove efficacious in freeing other libraries encumbered with the GPL.
Be free! Be happy!
-
On the Oxymoronity of Mandated Moralities
You, DragonHawk, wrote:
You: What tactics? Telling the truth?
Don't be so quick to read insult where none is intended. No matter what it looks like, what I was really and truly thinking was that maybe I'm just talking too fast and jumping haphazardly from one thing to the next using giant leaps without giving you a sufficient chance to see the individual steps I was taking along the way. You seem like a reasonable fellow, and I wondered therefore whether I just wasn't spelling out where I was coming from or how I got to where I landed, and without clear premises and detailed conclusions, and that's why it wasn't making any sense to you.
No, spreading Fear, Uncertainty, and Doubt in an attempt to "prove" an opinion, and insulting me and whoever else disagrees with you. To wit:
You: I keep thinking you'll understand if I speak slowly, or something.
I'm not going to dignify that by replying in kind.
The words which you deemed an insult were in fact reflective of sentiments that were anything but.
You then continued to write:
What's happening is that we're not talking about the same thing. Yes, you're right that the BSDL and the AL permit binary distributions. The AL goes further than the BSDL in what it says about making the source for that binary distribution available.
Me: The GPL is designed to ensure that the source code for a piece of software remains available to everyone at all times. That is all. Nothing more, and nothing less.
You: Many licences do that, the LGPL, BSDL, and AL being amongst those.
Incorrect. The BSD license (AFAIK: reference) and the Artistic license both allow distribution of binary-only, modified versions of the original source code. This is not necessarily a bad thing, although some think it is. However, regardless of whether it is good or bad, both the BSDL and AL do not include the protections against "embrace and extend" and freeloading that the GPL does.
That really wasn't the thrust behind my comment. What I was trying to express was that if you put any of these OSI-style licences on a bit of code, then that code will always have that licence. You can't just take a bit of AL'd code (or whichever licence) and throw away the old licence and re-license it as you feel like. The originally licensed code stands, and it stands forever--or at least until the owner himself releases it under an alternate licence. That means that the original code is not going to "go away" or be "taken over". You can't do that with the original code. It's got a free licence on it, and that's that. The difference is that free licences other than the GPL allow you to license your own software that uses the original stuff in any way that you care to. Even if you do so, the original remains inviolate. Nothing can happen to it.
That's what I meant when I said that the other free licences make sure that the code "stays free". Surely you must see that they do this. But you're talking about something else: code that wasn't in the original. Yes, you're right, the other licences make no claims upon that code the way the GPL does. But this hardly changes the original code.
(Yes, some of that was redundant.)
Microsoft's old strategy of "embrace and extend"--which in fact is often "embrace, extend, and extinguish"--is going to be with us no matter what we do. Look at the whole MS-HTML fiasco. This was an open standard. That didn't stop Microsoft from using it to screw the world into reliance upon them through Microsoft-only extensions. Do you really think getting a copy of their exact code to handle this crud would make any difference? I don't think it would. I don't see that licensing could make any difference here. Even if you define in the standard that extensions would make the result no longer be standard [whatever], as for example, I have heard said about XML, I can't see this stopping the Microsoft juggernaut from attempting to give you a "better" version. They'd say, well sure, MS-ML isn't XML (or whatever), it's better, and it's fully compatible with simple XML (or whatever). Think about POSIX, again.
So I think your fears about "embrace and extend" are well-founded, but your apparent conclusion that the GPL would adequately address this issue, and do so in a way that other free licenses would not, seems incorrect.
My colorful use of "viral fingers" is simply that. I grow weary of the times that I see the term "FUD" used to brand an opinion with which the antagonist disagrees. That's what I think you're doing, and I don't think it's fair. I've been completely up-front about why I consider the FSF to be dangerously dishonest in the whole GPL issue. I have repeatedly requested that they stop spinning stories and twisting common definitions. Their doing so has without a doubt tricked at least some people into misunderstanding how the GPL works, why it's there, and what its ramifications entail. I believe that this is an intentional deception, a cheap word game they will never admit to, but from which they clearly benefit. It would not take more than a few small fixes in the surrounding literature to clarify matters for honesty's sake. No licence changes. Just spin changes so as not to misrepresent what's happening.
You: It [the GPL] sneaks its viral fingers into code
This is FUD. There is nothing sneaky about the GPL. Indeed, many (myself included) think certain people are far too vocal about why the GPL should be the One True License. Calling the GPL "viral" is about the same as calling Perl an "unreadable" language. Both have an element of truth, and neither are fair.
It is worth pointing out that FUD (Fear, Uncertainty, Doubt) is not the same as a lie. FUD must have some truth in it, or it is easily refuted as a lie. FUD exists in the margins of error that human language and understanding allow, and in areas of opinion and subjectivity.
They don't do that. Therefore, they don't mind that it tricks people. Hard to see how using "sneaky" is inappropriate there.
As for "viral", this, too, has a long tale behind it, and it was hardly I who first made the observation and coined the term. I don't care that the term should discomfit the FSF. There are clearly ways in which the term is descriptive of the action. Yes, it has a negative connotation. Yes, I intended to use a term with a negative connotation. I did so, quite simply, because to my mind the term fits. I did not do so to cause people to fear something they did not understand, nor to be uncertain about the reality of the matter, nor to doubt for some nebulous and amorphous reason the intentions of the parties involved.
I think, perhaps, we are not understanding the word "infect" to mean the same thing, because I cannot see how a reasonable man could say what you have just said if his understanding of the words and the effects involved were the same as I myself hold.
But let's get back to the matter at hand. Does the GPL infect code you write? No.
What it does is prevent you from taking GPL code and including it in your own works.
I note with some amusement that many GPL advocates disagree with your statement. Their standard retort is that it doesn't stop you from doing that; it merely imposes conditions upon your use of the resulting work. This is deceptive sophistry on their part. I agree with you here, and commend you for not falling into their webs of deceit.
Nevertheless, this prevention hardly seems sporting, now does it? I can barely think of a potent disincentive to code reuse. And code reuse frees programmers from needlessly reinventing the wheel.
You still retain complete and total ownership of your code.
I think either we are actually in profound but subtle agreement, or else we have severely disparate notions of what constitutes "complete and total ownership of your code". If I have complete and total ownership of my code, then I as owner may do whatsoever I please with that code. Alas, the FSF would have you believe otherwise.
One can of course avoid this through linking. The FSF really hates this idea, and they routinely cluck enough about its legal viability that fair-minded people everywhere are uncertain about the true effects. But in the client-server days of RPC, CGI, DLLs, CORBA, OLE, COM, mobile agents, and other segmented forms of computation, it becomes increasingly obvious that the GPL cannot possibly be as infective/effective at reaching across those boundaries as the FSF wishes it were. That's how I removed the virus from all GPL'd libraries and made them LGPL'd. Even Bruce Perens has confessed here in this forum that such separations are going to happen in the computing models we see today, and that the GPL does not address them. My recollection is that he called them "loopholes".
The restrictions come from the inability to distribute the other, GPL code. Your code is not affected!
I agree with you that my code is not affected. The FSF, however, most vociferously disagrees with both of us. They claim that the GPL means that I cannot distribute my own code under my own terms. If I can't do as I will with my own code, then it is hardly unaffected, nor am I its complete and total owner. That's their position. Mine is that I am complete and total owner, and am consequently free to do whatever I please with that which is mine.
The only problems arise from the copyright violation that would occur if you redistributed the GPL code in your own code, without credit and return.
It is, well, peculiar at best, that copyright law should extend its notion of a derived work in this way. The FSF recognizes no notion of proportion in their figmentational notions of what constitutes a derived work, staying completely boolean in their thinking. The courts have never been so binary.
In any event, that's not what the issue is. The issue is that the FSF feels that their code affects my code, that their licence on their code spreads to everything their code touches, meaning my code, and that this process continues in perpetuity, without regard to dilution or proportionality. It is this very complete silliness that they espouse which has engendered the notion of the GPL being an infectious virus. If you prefer another way of thinking about how silly it is, consider it as an application of digital homeopathy.
Surely you don't really believe that, do you? Free licences will do that, but not the GPL. The GPL affects other code in a way that a free licence does not. This is my entire point. Yes, it forces. But it forces something else. It forces what happens to something other than the original code. It allows the author of one work to restrict what happens to the work of an entirely different author.
What is this credit and return business? Basically, the GPL is designed to help promote open source/free software/whatever, and to ensure that closed-source developers do not get a free ride. Again, all it "forces" anyone to do is keep the original code free.
Can you imagine how silly it would be if a book were published whose copyright included a restriction that the book could not be used by black people, or in a public library, or placed on the same shelf as a book by a different author? Imagine if a song were published under a restriction that it could not be played on a station that also played a song by a competing musician, and that any other songs played by that station fell under the same restriction as the first song? Really, it's completely silly.
I've always found "use" restrictions very strange. See my previous paragraph. And I find it nothing short of mendacious that the FSF should claim their restrictions are anything but that.
In an effort to keep open source going, the GPL prevents another company from using GPL'ed code to create a proprietary, sourceless product.
I think -- and this is strictly my personal opinion -- that it is reasonable that, if I am going to take the time and effort to create some software, that some other company should not get a free ride from me, or take my code and lock it up in their product.
Yours is a very common sentiment, and I can certainly respect your feelings on this matter. A lot of people feel this way. That's why you see so many licensing terms that in effect grant unlimited non-commercial use, but that for commercial use, you must contact the author to make other arrangements. I can hardly fault them too strongly for this, because I do hear what they're feeling. They've done their work for free, and they don't want people to get some benefit out of their work which they themselves are not getting.
According to the FSF, this is not free source, open software, or anything else you care to call it, because it's got anti-commercial restrictions. And then they tell you that their restrictions which bar anyone from using their software in what any businessman would call a commercial sense (traditional fee-for-licence schemes) is not anti-commercial. Who but George Orwell could be so proud of the boldness of this spin job?
It would be more honest of the FSF to get out of the business of word games and related spin. But they are, fundamentally, a politico-economic foundation, not a technical one. They wish that all software were GPL'd, because they could thereby impose their morality upon others by the--what word do you want me to say here other than the completely honest "infective nature" or "viral nature"--perhaps "collateral damages", then--of the GPL.
I must confess that I have on a few occasions in the past, and doubtless several in the future, contemplated places where I would dearly delight in seeing the GPL installed and enforced. Oh, you do not know how sorely tempted I have been! One example is with Microsoft's operating systems products, because if they were court-ordered to slap the GPL on their OSes, that would be a likely end to their strategy of putatively "integrating" into the OS any application area that they care to monopolize.
But you know what? This is a personal weakness of mine, and I must overcome the urge. Tempting though it may sound, I must reject the temptation. I must. That's because it is fundamentally immoral to coerce others to behave in accord with your own sense of morality. It doesn't matter whether your morality happens to be the best around, or even the best there can ever be. Coercion is by its very nature by definition immoral. As with the paradox of having your cake and eating it too, morally you simply cannot enforce your own morality on others without sacrificing that very moral high ground which you would claim to occupy. Without free will, there can be no morality at all.
-
Re:Not to start a flamewar with YOU of all people.
The reason that I believe Microsoft could crack the GPL like an eggshell is because I saw how they castrated POSIX. If they can do that, what do you think they can do to anybody, anywhere, any time? Yes, I believe that the GPL's infinite infection attributes are ignorant of copyright case law and wouldn't stand up based on that. And I've shown how GPL'd libraries no longer exist for purposes of linking. But the real source of my comment is that I believe Microsoft could disregard the GPL if they wanted to. And I doubt you want to see that.
-
Microsoft's POSIX Myth
NT 4 is POSIX 1003.1 compliant.
NT is POSIX compliant in much the same sense as was the vivisected version of Windows compliant with Judge Jackson's order to split MSIE and Win95. Remember? I'm talking about the version that was completely useless and non-functional, the one where they removed MSIE and all shared libraries it used, producing something which wouldn't boot. In both cases, we have a textbook case of an arrogant company outrageously redefining the outer envelope of sheer contumacy.
If you truly believe that this alleged POSIX compliance is in the least bit useable, then please compile up trn or perl or nvi on that system. It's part of a sick and twisted joke, and the joke is on the American taxpayer, too. Read Heinz's article.
-
Re:This is a VERY good sign, IMHO
NT is POSIX compliant, no?
Only because the judge said so. The standards people never bought that line of bull. I love the way the Evil Empire can make the government flush millions of dollars of spec development and testing down the drain like this. Those standards were developed to make an open, non-monopoly playing field. So much for that idea.
-
Re:Why the desktop is important
The only way to counteract this is to encourage Unix in the desktop
I guess I need to add a new term to my us2them vocabulary list. Or maybe it shouldn't go there, but on some buzzword-bingo game. In any event, if you replace "the desktop" with "non-programmers' personal computing environments", your sentence makes much more sense to me. Why is that? Why do programmers who have never run anything but Unix on "the desktop" now hear "the desktop" being used in a completely foreign way?
Anyway, let's look at this "familiarity" thing. Why are professional programmers and other power users in scientific, research, and academic situations more apt to use Unix than are people in non-technical positions? Once we dispense with the sound technical reasons, plain old familiarity is the remaining answer. Power users, professional programmers, and related geeks have historically been exposed during their critical, formative years to Unix systems at university. That's what we're used to, so that's what we're most productive with. And those are the sectors where we tended to land jobs, so that's what we brought with us. As we moved into purchasing roles, or even advisory ones, we knew what we wanted. The importance of how universities fostered the Unix mindset (tool-and-filter reusable component philosophy, simpler is better, separate privileges, infinite configurability and hookability, full source access, etc.) in this set of technologists cannot be understated. These customs and comforts of our original experiences with computers forged our ultimate worldview, one that as much rejected IBM and their drones then as it rejects Microsoft and their drones today.
In the early 80s, while I was first fiddling around with BSD running on PDP-11s and later VAX-11s (with complete source, mind you; what a difference that made!), those same computers at less research-oriented or technology-oriented institutions were still running their original proprietary DEC operating systems--as did my high school, where we had RSTS/E to play with. If you went to UW-Madison, you got DEC hardware running Unix. If you went to a smaller, more business-oriented school (or my high school; sigh) you got the same computers running closed systems instead. They were grooming aye-tee professionals, after all, not programmers. :-(
In the boring, cravat-choked business world where once we had IBM, MVS, IBM mainframes, Cobol, and DP-drones doing 3270 screen layout, we now have in their respective slots Microsoft, WinXX, IBM PCs, BASIC, and IT drones doing CGI screen layout. Well, some things haven't changed all that much, eh? :-)
It concerns me to see students receiving degrees in MCS, ECE, and yes, even CS without anything but Microsoft experiences. Yes, it's really happening. I've seen schools, colleges, and even universities where that's all the students see.
The students produced have no under-the-hood experience. They don't have source code. They don't know how to go from a directory of C source code and turn that into an installed program. All they know about is buying "applications". They aren't used to rearranging their operating systems to suit their needs. They aren't used to remote administration or complete automation. They're used to using MS-this and MS-that, even for programming. They're used to pushing cutesy hieroglyphic happycons. They're used to traversing seventeen levels of menus vgrep-style in a futile hunt-and-peck. And of course, they're accustomed to doing repetitive tasks again and again and again redundantly and repetitively.
This is what they expect. This is what they want. This is what they demand. And if you expect to "win over their desktops", you'll have to give it to them. And thereby infernally frustrate the rest of us.
And these are the next generation of so-called computer people. Be very afraid. I know I am. Go to your educational institutions, from junior high schools on, and show them Another Way. The Jesuits were right, and Bill Gates knows this.
-
Re:Hard Drive?
How does one define a hard drive? Does a RAID count? [...] How is the hard drive license enforceable and how are partitions dealt with?
That's an interesting question. One us2them style translator notes that when technical neophytes say "hard drive", they can mean any of
- controller
- disk
- disk controller
- disk drive
- drive
- file system
- logical disk
- mount point
- partition
- physical disk
:-) Essentially, "hard drive" is nearly always used in a sloppy fashion by non-technical speakers to mean something rather different than its technical meaning. I would strongly avoid the term, if I were you, considering how messily overloaded it is.
-
Re:Unix Viruses and Culture Clashes [errata]
I hate following up to my own postings, but a couple of errata are in order.
The first erratum is that when I said " everybody is unassailable", I of course meant that "everybody else is unassailable".
The other is that immediately prior to the sentence beginning "Consumer-targetted systems", you should insert this:
If on Unix, you don't have the source, then you can't the program on all your diverse systems. And if Unix programmers do not provide source, they cannot hope to have their program as widely used as it would otherwise be.
Somehow this slipped by in the posted copy, and it's an important point.
Finally, I fixed the latro links at the bottom, so you'll be able to see the real program. And yes, it works. Like nmap and other, um, security tools, this should of course only be used to verify the security of those systems that you yourself directly administer and have responsibility for. Not that it's apt to be sufficiently well logged to know what's really going on. It seems that POSTs never get their content logged. Play nice, and don't pick on the WinVictims. :-)
-
Re:Virii vs. Viruses.
viruses is more commonly used in the States while virii is more common in Europe
My own experience is that Europeans are more likely to have had a classical education than are Americans, and consequently less likely to reach for a misdeclension.
It's not like it's all the same, though. In English (assuming you deem England to be part of Europe :-), you have viruses, but in German, you have viren. Most curious of all, you in the Romance tongues have an invariant virus even in the plural, as in French les virus or Italian i virus. Given the historical provenance of the Romance tongues, I'd say that this invariance lends credibility to those scholars who opt for a 4th declension explanation of events.
-
Unix Viruses and Culture Clashes
I am getting tired about hearing how Linux is immune to computer viri [sic; you mean viruses], it simply isn't. The main thing preventing people from writing a Linux virus is good-will towards the operating system.
No, it's really far more complex than that.
You are correct that it is no mean trick to write a program that can damage the system it runs on, largely irrespective of what kind of system we're talking about. And so long as you can hoodwink some unwitting user into executing that program on their system, that program can, of course, cause damages commensurate with the privileges and capabilities of that user.
What you've failed to consider is how the dramatic cultural differences between Unix and the much-maligned consumerist toys serve to affect the issue to our benefit and their detriment.
Probably the most important of these cultural differences is that Unix has historically been a source-only world. Programs are distributed in the form of source code, code which shall be configured, built, and ultimately installed on the target machine. Programs solely accessible in machine language form fall immediately under a taint of mistrust.
Think back to the last time you read a notice from someone whom you've never heard of before that was asking you to go fetch some random binary program from some random place on the net and then to run that program under full sysadmin privileges? I can already see the incredulous Unix sysadmin reading that and bursting out in uncontrollable guffaws. Because the de facto standard for program interchange in Unix is as source code, a Unix programmer will be far less likely to fall for your ploy than would your average Prisoner of Bill, who has been lulled into gullibility by a binary-only culture.
But for the sake of the argument, let's say that you've found a way to effect this trick. Suppose you're an employee of some reasonably respected company that happens to produce a binary-only distribution of their commercial software, and you decide to sneak something wicked into the binary image. You manage to replace the standard, clean copy on your company's ftp or http server, or even floppies or CDs, with your own naughty version. People are accustomed to downloading from your company, or using your company's floppies, so they do as they've always done, run the installation as the superuser, and you thereby have your way with their system.
If this scenario were to play out, just how dangerous--how destructive--could it really prove? Whom could you harm, and who would be immune to your ploy? The answer is that you could only hurt those folks running the exact platform for which your binary had been compiled, and everybody is unassailable. By platform, I mean the whole feature vector that includes processor chip (e.g. Sparc vs Intel), operating system (e.g. SGI vs BSD), shared libraries (e.g. libc vs glibc), and site-specific configuration (e.g. shadowed vs non-shadowed password files).
Let's not get too full of ourselves and pretend that the Unix culture's predilection for source-only program distribution derives only, or even mainly, from altruism. We have no choice in this matter. Consumer-targetted systems from Microsoft or Apple are two instances are a static monoculture, as vulnerable to mayhap as a field of cloned sweet corn. It only takes one genetically engineered virus to bring down the whole field. Unix is different.
In his acclaimed essay, In The Beginning, Neal Stephenson writes:
It is this sort of acculturation that gives Unix hackers their confidence in the system, and the attitude of calm, unshakable, annoying superiority captured in the Dilbert cartoon. Windows 95 and MacOS are products, contrived by engineers in the service of specific companies. Unix, by contrast, is not so much a product as it is a painstakingly compiled oral history of the hacker subculture. It is our Gilgamesh epic.
What made old epics like Gilgamesh so powerful and so long-lived was that they were living bodies of narrative that many people knew by heart, and told over and over again--making their own personal embellishments whenever it struck their fancy. The bad embellishments were shouted down, the good ones picked up by others, polished, improved, and, over time, incorporated into the story. Likewise, Unix is known, loved, and understood by so many hackers that it can be re-created from scratch whenever someone needs it. This is very difficult to understand for people who are accustomed to thinking of OSes as things that absolutely have to be bought.
There is no one thing called Unix. Instead, Unix comprises a diverse set of subtly (and often not so subtly) variant platforms. A nefarious binary laced with exquisitely designed evil bullets hidden inside it can hurt only a few of us. When Apple and Microsoft laugh at our diversity, be sure to remind them that it is their lack of the same that contributes to their incredible vulnerability--and to our strength. Hybrid vigor ultimately wins out over a monoculture, for the latter is too in-bred and fragile to prove long viable.
Let me now return to your particular suggestion, that of a malignant Perl program activated by a Makefile rule at installation time. Because you're talking source code, and because Perl tries rather hard to attain a high level cross-platform intercompatibility, this form of subterfuge would appear exempt from the inherent protections stemming from diversity in variant Unix platforms. So, could your trick be done? How much of a problem could this really be? What might happen?
The answer is that of course, it could be done. And in point of fact, a demonstration model is already available, courtesy of Abigail. Guess what? There's no reason to run around like a chicken with its head cut off: the sky isn't falling. This sort of approach stands little chance of making a big splash, because you aren't going to insinuate it into a place that can affect a lot of people. Sure, you might catch a few folks, but just how long do you think this kind of thing will go unnoticed? Remember, it's in source code. That means anybody who wonders what happened can just look at it. There's a very low barrier to entry. And even if the naughtiness removes itself from your copy once its dirty deeds are done, that naughtiness is still sitting there in plain view for easy inspection back wherever you got your copy from.
Is there a way around this? Well, yes, if you're as clever as Ken Thompson. Fortunately, you aren't, and neither are the crackers. If they were, they'd doubtless receive more Turing Awards for their vaunted efforts. :-)
The only way you're going to get good propagation is if your nastiness into a copy that a lot of people will download and install. There's a very fine reason why so many archives contain a checksum of the image. It's to help with this problem. Security of course depends on several matters, including the strength of the algorithm and the integrity of the authenticating agent. But better that than nothing.
Let's talk about propagation some more. I assume that the goal is to have a notable impact, which means you need to spread your bad code as widely as possible. A hacked up install script, even if all goes to your liking, just doesn't have a very high rate of reproduction. First of all, how often do how many people install this software? Secondly, how do you plan to trick them into doing so? It's not really much of a challenge to get one person to this, especially if they trust. If that's your goal, maybe you'll succeed. But the risk of being traced and apprehended is high.
So how come this stuff can spread like wildfire amongst the OS-challenged? Can't whatever mechanism that's used there be used to get at the rest of us, too?
Over the last few years, a frighteningly frequent conduit of contagion for viral infection on toy systems has been the implicit, automatic execution of code with little or no manual intervention on the part of the box's owner. DOWN THIS PATH LIES MADNESS! That this can ever, ever happen is as plain a symptom of complete and total cretinization in the toybox world as you are ever going to see. It's stupid, it's crazy, and it's dangerous. Any programmer who even suggests it needs to go back to flipping hamburgers. Any user who asks for this feature needs to be quietly taken into the back room by the doleful men in long trenchcoats, where he will be told in no uncertain terms that his request is not only in the best interest of no one but criminals, but that he also now has a permanent record even for asking about it.
No, I don't care that a customer asked for it. Customers are idiots, just like any other user. So what if they pay you? They're still idiots, and it's your professional responsibility to act responsibly, to refuse to go along with their madnesses. The customer is not always right. In fact, they're very often wrong. A physician or a lawyer doesn't do whatever the customer requests, and neither do you. They, meaning the customers or users, simply don't have the background and training; they don't have the experience of seeing why automatic execution from untrustable source is the work of the Devil.
It's not as though we in Unix have never seen this issue before. In fact, we've seen it time and time again. And guess what? We recognized the problem and we addressed it. And we don't cater to that kind of lunacy anymore.
Here are a few concrete examples.
Remember when vi would--or at least, could--automatically execute macro commands embedded in a file in a specific way? That was a dubious feature called modelines. On my OpenBSD systems, if I type :set modeline, the program comes back and says set: the modeline option may never be turned on.
Another example of learning from our mistakes is the issue of shell archives. Instead of automatically running the sharfile through /bin/sh, there are specially made unshar programs that will do the common things, safely, and nothing else.
When CGI was first getting big, owners of toy systems would blindly install compilers and interpreters in such a way that these would easily execute arbitrary content coming in off the wire. Despite my pleas, both Netscape and Microsoft were actually advocating this! After a year of warning admins not to do this, and sending mail to the companies who were saying to just go ahead, nothing changed. So I released latro. Then and only then did various companies retract their suggestions, even though they'd been aware of the nature of the problem for a long, long time. Sure, you could be equally stupid on Unix, but for some reason, we weren't. History counts.
Implicit execution of untrusted material is simply stupid beyond words. And for some reason, the toybox people keep falling for the same chump moves, from MIME attachments to word processor and spreadsheet macros to embedded active scripting controls. I don't know quite why they just keep doing this crap. My hunch, and it's only a hunch, is that this is happening because Microsoft and their moronic minions simply cannot for the all the tea in China ever manage to think outside of their quaint but completely fictional little single-user universe. Maybe they don't hire people who come from a background in multiuser and/or networked computing systems. Maybe they don't hire people with real experience at all, just script-kiddies trying to make a buck legitimately but with no true understanding. Maybe the software makers simply can't say no to a customer request, no matter how suicidal they know that request to be. I don't know.
Whatever the cause, decades of history are completely and repeatedly ignored. They keep making the same mistakes, and they don't fix the underlying causes. Sure, there are things that are hard. Denial of service attacks are hard. People who know exactly all the ramifications of IP who go sending maliciously hand-crafted packets aren't much fun either.
But these highly technical ploys aren't why most folks on their toyboxes are being screwed up, down, left, right, and sideways. They're being screwed because of very simple matters. They don't have the notion of a protected execution mode. They don't have file permissions or memory protections. They automatically execute content willy-nilly, often with complete access to the whole machine. They expect a program to show up in binary not source form. They don't compare robust checksums from a strongly authenticated sources. They live in an infinitely vulnerable monoculture. They expect things to just magically happen for them without a thought or a care, and guess what? Their wishes are duly granted, much to their eventual dismay.
It is possible that mass-market factors may someday end up plaguing Unix systems in ways not so far removed from the stupidities that the toy boxes are riddled with. We just have to tell them no, and to condemn in the strongest and loudest possible terms any backsliding into insecurities that if we ever had, long ago banished. Looking at the Winix phenomenon, in which a dozen different vendors put together and ship their own Linux operating systems, all specifically constructed to be user-obsequious and Unix-hostile all in order to appease the lowered expectations of a hundred million Windows idiots, who, despite their numbers, really can still be wrong. The stupidity of the masses must never be underestimated.
PS: Congratulations for reading this far. :-)
-
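The modelines feature mentioned in the comment above, seen from the defender's side: an added Python example (not part of the original comment) that reports editor modelines in the first and last five lines of an untrusted file before anyone opens it. The regular expression is a simplified, deliberately conservative approximation of the vi/Vim modeline forms, and the function names and sample texts are constructed for illustration.

```python
import re
from typing import List, NamedTuple

WINDOW = 5  # vi and Vim inspect only this many lines at each end by default

# Assumption: simplified match for "vi:", "vim:", "Vim:", "ex:" (optionally with
# a Vim version test such as "vim>700:"), preceded by start of line or blank.
MODELINE_RE = re.compile(r"(?:^|\s)(vi|vim|Vim|ex)(?:[<=>]?\d+)?:\s*(.*)$")


class Finding(NamedTuple):
    lineno: int          # 1-based line number in the file
    editor: str          # which prefix introduced the modeline
    options: List[str]   # option settings the editor would be asked to apply


def parse_options(body: str) -> List[str]:
    """Split the text after the prefix into individual option settings."""
    body = body.strip()
    set_form = re.match(r"set?\s+(.*)", body)
    if set_form:
        # "set" form: options run up to the first unescaped colon.
        rest = set_form.group(1)
        end = re.search(r"(?<!\\):", rest)
        if end:
            rest = rest[:end.start()]
        return rest.split()
    # Plain form: options are separated by unescaped colons or blanks.
    return [opt for opt in re.split(r"(?<!\\):|\s+", body) if opt]


def scan_text(text: str, window: int = WINDOW) -> List[Finding]:
    """Return modelines found in the first and last `window` lines only."""
    lines = text.splitlines()
    head = range(min(window, len(lines)))
    tail = range(max(0, len(lines) - window), len(lines))
    findings = []
    for i in sorted(set(head) | set(tail)):
        m = MODELINE_RE.search(lines[i])
        if m:
            findings.append(Finding(i + 1, m.group(1), parse_options(m.group(2))))
    return findings


def needs_safe_open(text: str) -> bool:
    """True when the file carries a modeline an editor might act on."""
    return bool(scan_text(text))


# Constructed sample inputs.
SAMPLE_HEADER = "/* vim: set ts=4 sw=4 et: */\nint main(void) { return 0; }\n"
SAMPLE_TRAILER = "#!/bin/sh\necho hello\n# vi:ts=8:noai\n"
# Modeline on line 6 of 12: outside both five-line windows, so editors skip it.
SAMPLE_MIDDLE = "\n".join(
    ["line %d" % n for n in range(1, 6)]
    + ["# vim: set sw=2:"]
    + ["line %d" % n for n in range(7, 13)]
)

if __name__ == "__main__":
    for name, sample in [("header", SAMPLE_HEADER),
                         ("trailer", SAMPLE_TRAILER),
                         ("middle", SAMPLE_MIDDLE)]:
        print(name, scan_text(sample))
```

A file that triggers a finding is a candidate for opening with modeline processing switched off (Vim's `nomodeline` setting), which is the stance the OpenBSD vi quoted in the comment takes unconditionally.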
Unix Viruses and Culture Clashes
I am getting tired about hearing how Linux is immune to computer viri [sic; you mean viruses], it simply isn't. The main thing preventing people from writing a Linux virus is good-will towards the operating system.
No, it's really far more complex than that.
You are correct that it is no mean trick to write a program that can damage the system it runs on, largely irrespective of what kind of system we're talking about. And so long as you can hoodwink some unwitting user into executing that program on their system, that program can, of course, cause damages commensurate with the privileges and capabilities of that user.
What you've failed to consider is how the dramatic cultural differences between Unix and the much-maligned consumerist toys serve to affect the issue to our benefit and their detriment.
Probably the most important of these cultural differences is that Unix has historically been a source-only world. Programs are distributed in the form of source code, code which shall be configured, built, and ultimately installed on the target machine. Programs solely accessible in machine language form fall immediately under a taint of mistrust.
Think back to the last time you read a notice from someone whom you've never heard of before that was asking you to go fetch some random binary program from some random place on the net and then to run that program under full sysadmin privileges? I can already see the incredulous Unix sysadmin reading that and bursting out in uncontrollable guffaws. Because the de facto standard for program interchange in Unix is as source code, a Unix programmer will be far less likely to fall for your ploy than would your average Prisoner of Bill, who has been lulled into gullibility by a binary-only culture.
But for the sake of the argument, let's say that you've found a way to effect this trick. Suppose you're an employee of some reasonably respected company that happens to produce a binary-only distribution of their commercial software, and you decide to sneak something wicked into the binary image. You manage to replace the standard, clean copy on your company's ftp or http server, or even floppies or CDs, with your own naughty version. People are accustomed to downloading from your company, or using your company's floppies, so they do as they've always done, run the installation as the superuser, and you thereby have your way with their system.
If this scenario were to play out, just how dangerous--how destructive--could it really prove? Whom could you harm, and who would be immune to your ploy? The answer is that you could only hurt those folks running the exact platform for which your binary had been compiled, and everybody is unassailable. By platform, I mean the whole feature vector that includes processor chip (e.g. Sparc vs Intel), operating system (e.g. SGI vs BSD), shared libraries (e.g. libc vs glibc), and site-specific configuration (e.g. shadowed vs non-shadowed password files).
Let's not get too full of ourselves and pretend that the Unix culture's predilection for source-only program distribution derives only, or even mainly, from altruism. We have no choice in this matter. Consumer-targetted systems from Microsoft or Apple are two instances are a static monoculture, as vulnerable to mayhap as a field of cloned sweet corn. It only takes one genetically engineered virus to bring down the whole field. Unix is different.
In his acclaimed essay, In The Beginning, Neal Stephenson writes:
It is this sort of acculturation that gives Unix hackers their confidence in the system, and the attitude of calm, unshakable, annoying superiority captured in the Dilbert cartoon. Windows 95 and MacOS are products, contrived by engineers in the service of specific companies. Unix, by contrast, is not so much a product as it is a painstakingly compiled oral history of the hacker subculture. It is our Gilgamesh epic.
What made old epics like Gilgamesh so powerful and so long-lived was that they were living bodies of narrative that many people knew by heart, and told over and over again--making their own personal embellishments whenever it struck their fancy. The bad embellishments were shouted down, the good ones picked up by others, polished, improved, and, over time, incorporated into the story. Likewise, Unix is known, loved, and understood by so many hackers that it can be re-created from scratch whenever someone needs it. This is very difficult to understand for people who are accustomed to thinking of OSes as things that absolutely have to be bought.
There is no one thing called Unix. Instead, Unix comprises a diverse set of subtly (and often not so subtly) variant platforms. A nefarious binary laced with exquisitely designed evil bullets hidden inside it can hurt only a few of us. When Apple and Microsoft laugh at our diversity, be sure to remind them that it is their lack of the same that contributes to their incredible vulnerability--and to our strength. Hybrid vigor ultimately wins out over a monoculture, for the latter is too in-bred and fragile to prove long viable.
Let me now return to your particular suggestion, that of a malignant Perl program activated by a Makefile rule at installation time. Because you're talking source code, and because Perl tries rather hard to attain a high level cross-platform intercompatibility, this form of subterfuge would appear exempt from the inherent protections stemming from diversity in variant Unix platforms. So, could your trick be done? How much of a problem could this really be? What might happen?
The answer is that of course, it could be done. And in point of fact, a demonstration model is already available, courtesy of Abigail. Guess what? There's no reason to run around like a chicken with its head cut off: the sky isn't falling. This sort of approach stands little chance of making a big splash, because you aren't going to insinuate it into a place that can affect a lot of people. Sure, you might catch a few folks, but just how long to you think this kind of thing will go unnoticed? Remember, it's in source code. That means anybody who wonders what happened can just look at it. There's a very low barrier to entry. And even if the naughtiness removes itself from your copy once its dirty deeds are done, that naughtiness is still sitting there in plain view for easy inspection back wherever you got your copy from.
Is there a way around this? Well, yes, if you're as clever as Ken Thompson. Fortunately, you aren't, and neither are the crackers. If they were, they'd doubtless receive more Turing Awards for their vaunted efforts. :-)
The only way you're going to get good propagation is if your nastiness into a copy that a lot of people will download and install. There's a very fine reason why so many archives contain a checksum of the image. It's to help with this problem. Security of course depends on several matters, including the strength of the algorithm and the integrity of the authenticating agent. But better that than nothing.
Let's talk about propagation some more. I assume that the goal is to have a notable impact, which means you need to spread your bad code as widely as possible. A hacked up install script, even if all goes to your liking, just doesn't have a very high rate of reproduction. First of all, how often do how many people install this software? Secondly, how do you plan to trick them into doing so? It's not really much of a challenge to get one person to do this, especially if they trust. If that's your goal, maybe you'll succeed. But the risk of being traced and apprehended is high.
So how come this stuff can spread like wildfire amongst the OS-challenged? Can't whatever mechanism that's used there be used to get at the rest of us, too?
Over the last few years, a frighteningly frequent conduit of contagion for viral infection on toy systems has been the implicit, automatic execution of code with little or no manual intervention on the part of the box's owner. DOWN THIS PATH LIES MADNESS! That this can ever, ever happen is as plain a symptom of complete and total cretinization in the toybox world as you are ever going to see. It's stupid, it's crazy, and it's dangerous. Any programmer who even suggests it needs to go back to flipping hamburgers. Any user who asks for this feature needs to be quietly taken into the back room by the doleful men in long trenchcoats, where he will be told in no uncertain terms that his request is not only in the best interest of no one but criminals, but that he also now has a permanent record even for asking about it.
No, I don't care that a customer asked for it. Customers are idiots, just like any other user. So what if they pay you? They're still idiots, and it's your professional responsibility to act responsibly, to refuse to go along with their madnesses. The customer is not always right. In fact, they're very often wrong. A physician or a lawyer doesn't do whatever the customer requests, and neither do you. They, meaning the customers or users, simply don't have the background and training; they don't have the experience of seeing why automatic execution from untrustable source is the work of the Devil.
It's not as though we in Unix have never seen this issue before. In fact, we've seen it time and time again. And guess what? We recognized the problem and we addressed it. And we don't cater to that kind of lunacy anymore.
Here are a few concrete examples.
Remember when vi would--or at least, could--automatically execute macro commands embedded in a file in a specific way? That was a dubious feature called modelines. On my OpenBSD systems, if I type :set modeline, the program comes back and says set: the modeline option may never be turned on.
Another example of learning from our mistakes is the issue of shell archives. Instead of automatically running the sharfile through /bin/sh, there are specially made unshar programs that will do the common things, safely, and nothing else.
When CGI was first getting big, owners of toy systems would blindly install compilers and interpreters in such a way that these would easily execute arbitrary content coming in off the wire. Despite my pleas, both Netscape and Microsoft were actually advocating this! After a year of warning admins not to do this, and sending mail to the companies who were saying to just go ahead, nothing changed. So I released latro. Then and only then did various companies retract their suggestions, even though they'd been aware of the nature of the problem for a long, long time. Sure, you could be equally stupid on Unix, but for some reason, we weren't. History counts.
Implicit execution of untrusted material is simply stupid beyond words. And for some reason, the toybox people keep falling for the same chump moves, from MIME attachments to word processor and spreadsheet macros to embedded active scripting controls. I don't know quite why they just keep doing this crap. My hunch, and it's only a hunch, is that this is happening because Microsoft and their moronic minions simply cannot for all the tea in China ever manage to think outside of their quaint but completely fictional little single-user universe. Maybe they don't hire people who come from a background in multiuser and/or networked computing systems. Maybe they don't hire people with real experience at all, just script-kiddies trying to make a buck legitimately but with no true understanding. Maybe the software makers simply can't say no to a customer request, no matter how suicidal they know that request to be. I don't know.
Whatever the cause, decades of history are completely and repeatedly ignored. They keep making the same mistakes, and they don't fix the underlying causes. Sure, there are things that are hard. Denial of service attacks are hard. People who know exactly all the ramifications of IP who go sending maliciously hand-crafted packets aren't much fun either.
But these highly technical ploys aren't why most folks on their toyboxes are being screwed up, down, left, right, and sideways. They're being screwed because of very simple matters. They don't have the notion of a protected execution mode. They don't have file permissions or memory protections. They automatically execute content willy-nilly, often with complete access to the whole machine. They expect a program to show up in binary not source form. They don't compare robust checksums from strongly authenticated sources. They live in an infinitely vulnerable monoculture. They expect things to just magically happen for them without a thought or a care, and guess what? Their wishes are duly granted, much to their eventual dismay.
It is possible that mass-market factors may someday end up plaguing Unix systems in ways not so far removed from the stupidities that the toy boxes are riddled with. We just have to tell them no, and to condemn in the strongest and loudest possible terms any backsliding into insecurities that if we ever had, long ago banished. Looking at the Winix phenomenon, in which a dozen different vendors put together and ship their own Linux operating systems, all specifically constructed to be user-obsequious and Unix-hostile all in order to appease the lowered expectations of a hundred million Windows idiots, who, despite their numbers, really can still be wrong. The stupidity of the masses must never be underestimated.
PS: Congratulations for reading this far. :-)
-
Re:Thanks a bunch
Yes, the third declension noun rex has reges as its nominative plural, but vir ("man") was a pretty run-of-the-mill 2nd declension masculine noun ending in -r, like puer and magister.
Virus, well, wasn't.
Some sources report it as being an irregular 2nd declension neuter, like pelagus and vulgus. Other sources report that it was a 4th declension neuter, like status, impetus, or hiatus. None report that it declined as though it were a 2nd declension masculine, like dominus and abacus.
Check out the rest of the story. It contains links to the wonderful Perseus Project, which is devoted to on-line access to the Classics, including word searches and definitions. I think you'll like it. Here's my favorite entry point to them.
Every time I read the malformation *virii, my brain pronounces it as it does viri, which in English sounds pretty much just like "weary", which also describes my sentiment. :-)
-
It's about communication, stupid.
From the Otto is a Rat Bastard Department:
Found this interesting tidbit yesterday. The plural form of virus is "viruses". viri is the nominative plural form of the Latin vir, which means man. See: http://doriath.perl.com/misc/virus.html
Okay, firstly, that URL is wrong. It should be http://language.perl.com/misc/virus.html ...
Secondly, while I think Tom Christiansen is a genius, I must say that in this case, he's just being annoying.
Thirdly, anyone who corrects my speech in front of me generally loses a tooth. I don't stand for that crap from grown adults. :-)
Language is a flexible, growing, evolving entity. It's not static. It's not about "correctness". It's about communicating your thoughts from one person to another. If I say the word "virii" and the other person understands me, then to hell with the OED.
Frankly, I find that people who care about the correctness of a certain word (I find "ain't" to be a damn useful word), *generally* don't have the intelligence to understand much of anything else anyway. Especially those bastards that try to correct your pronunciation of a word. Oooh, those guys piss me off.
FWIW, Dell should do what everyone else does. Create a base install, virus scan the hell out of it, then ghost the sucker onto every machine needed. If they're actually installing software in the normal fashion, I'd be awfully surprised.
---
-
Re:Thanks a bunch
Anyway: I can't condone the use of viruses (or viri, but not virii), but I did laugh. Hard.
Actually, viri ("men") means more than one vir ("man"). That's the short story. There's also a long story.
-
Re:Security
Either way, no amount of virus protection will stop all virii.
From the davie is a Pedantic Weasel Department:
Found this interesting tidbit yesterday. The plural form of virus is "viruses". viri is the nominative plural form of the Latin vir, which means man. See: http://doriath.perl.com/misc/virus.html
From the referenced URL:
The crucial problem here is that, classically speaking, there appears to be no recorded use of virus in the plural. It was a 2nd declension noun ending in -us, which is rather common, but it was also a neuter, which is rather rare. I could only come up with three such 2nd declension neuters: virus (some poison), pelagus (the sea, usually poetically), and vulgus (the crowd). None appear to admit plurals. Perhaps this is because they are mass nouns, not count nouns. [3]
FWIW, maybe Dell should consider using Linux or BSD boxes to do their installs from now on. No guarantee against transporting infected files, but at least there's a smaller chance (near-zero?) of infection of the actual host machines.
-
Re:what I'm wondering...
I don't agree. I think its not the attention that brings these particular brands of viruses (virii?).
You were right the first time. The answer to your question is that in English, it's viruses. Pretentious pseudo-intellectual script kiddies cursed with "3133t"-speak are prone to using whimsically invented forms, either out of ignorance or playful "k3w1ness".
But lest you think these people peculiar in this, notice please how virtually every definable sub-group delights in forming their own invented jargon, and that these sociopaths (crackers) are no different in this regard. Why? Because an "in-speak" serves to separate the "them" from the "us". Anybody who thinks about it for half a second can come up with numerous examples in each of the discrete groups that they belong to. It's just something that we humans do. We like to know who's who, and who's not. It's part of defining the sub-group. The use of the k3w1t0k (yes, that word is an autolog :-) *virii is one such marker.
the fact that MS left the door wide open that keeps these 'viruses' circulating
Bingo! That's exactly right. Microsoft is guilty of selling a system that they know is designed to be easy for anybody to blow up. It is missing the customary and expected safety mechanisms that have been common knowledge for several decades now. I'd like to see Ford Motors get away with this sort of complete negligence. I wish as many people were as upset with the utterly unreliable crapware (speaking of subgroup-specific neologisms :-) that Microsoft keeps foisting off on the public as so many of us are with the monopoly problem.
Class action lawsuit, anybody? :-)
-
Re:More than one virus
That's very interesting. The last time I looked this up in Perseus, they considered it an indeclinable form. In fact, they still do. Curious.
I looked through the vira entries that your cite referenced as well, but of those that one could pull up via a link, none actually used that form. I don't have the non-linked source at hand. How do you explain Ammian?
I'm still looking for more sources, and will happily update my document if and when new research turns up, as it did recently.
And I'll still use viruses when writing English. :-)
-
Re:Ah, for the days of VCL
There are no "cross-platform virii". As tchrist just pointed out, you mean viruses.
-
More than one virus
Virii (Viruses?) that do this
The answer to your parenthetical English uses viruses. If you were curious what the Romans appear to have used, the short answer is that they didn't. ... :-) A longer answer is also available.