Slashdot Mirror

Something I got wrong: looks like the replacement for is_initialized() is to explicitly cast to bool, using static_cast.

What I don't get is this: suppose Dog inherits from Eater and Walker. If I have a vector of pointers to Eater objects, and I add a pointer to a Dog instance to that vector, and I call eat(dogFood) via that pointer, how can the vtable handle both the Eater and Walker member-functions? Surely they each have an idea of which member-function pointer belongs in which index of the vtable. If we have two vtables, surely we mess up the offsets for one of them. Or do we just bounce all the calls for Eater through a trampoline to handle the offsets?

Looking at Boost.Optional...

Boost.Optional's is_initialized() is now deprecated, presumably you're meant to just implicitly cast to bool now.

Apparently there are some pretty major compiler-compatibility issues with Boost.Optional, including the latest Visual Studio compiler, and GCC 4.5 (but not newer GCCs, happily).

Some StackOverflow discussion and toy examples.

When is C++ going to natively support multiple return types?

You refer to the struct or tuple hacks. PHP and Python use a tuple hack similar to C++'s to return multiple values. Perhaps what you really want is readable syntax for assignment of multiple variables from a std::tuple. And now my own question for Bjarne: When are we getting that?

They are obviously talking about in generalities.

That doesn't mean everyone is doing it. Or that it fits every task.

Here is some random survey from 2012 as an example:

58.9% Javascript
58.9% sql
51.1% jquery
37.6% java
37.6% c#
28.9% php
23.4% python
21.1% c++

The year after:

57.9% Javascript
53% sql
37.9% java
37.6% c#
26.2% php
22.5% python
21.7% c++
18% c
10.3% objective-c
9.8% node.js
9.1% ruby

http://blog.stackoverflow.com/...

I don't know how representative Stack Overflow is or what it means, I just know Javascript is used a lot.

If that means they are using Javascript only on the website front-end or also for other things. Who knows.

Node.js is listed as 'most exciting new technologies':
38.4% node.js
36.1% arduino /raspberry pi
28.4% angular js

So maybe it's used on the server too.

.Net was a promotional name applied to many products at the time, much like XP before that.

Part of this was to align the current versions, and part of it was to emphasize the network capabilities being introduced. This all happened ~2002, and that was a very big thing (from a marketing perspective) at the time.

This post seems to think the main reason was the latter.
Partial list of .NET product names

Like this?

http://stackoverflow.com/a/24090842/3273651

%rpb is the base pointer. The offset is negative because the local variables live below the base pointer (being in-scope only after the base pointer is moved to the current function); -X(%rbp) points to a local variable.

http://stackoverflow.com/quest...

I used to turn to Assembly INSIDE my compilers (Delphi quite often for faster performance) via the Asm directive that allowed me to use assembly INLINE in my code (made faster loops for me quite often, despite the fact compilers "unroll them" to optimize them even).

A good example of this, where some actual research is done to PROVE my statements above actually DO work, has been done, here:

http://stackoverflow.com/quest...

(An interesting read for those doubting you in fact... )

APK

P.S.=> I love hearing from the "oldsters" like you that could pull of the madness & lunacy you did (& hey - I'm 50 yrs. of age man, so I am guessing YOU are older than that)... apk

Only if the master process quit after forking twice. This is not typical

No, this IS typical. The double fork allows the original process to interact with the user ("Enter your private key password:"), then exit and return 0 to the init script so init can print [ OK ] on your console.

The middle process needs to close file descriptors and do other cleanup then fork and die, causing the final process to become re-parented to init. Init then becomes responsible for cleaning it up if it dies, so it won't become a zombie.

Step-by-step "how to daemon" guide here.

How does one embed "JavaScript URLs" in CSS?

Very easily, and because so few people know it is possible, it's a rather nasty vector for cross-site scripting attacks.

Also you seem to have no idea about where the web is headed or have heard about responsive design and SPA.

I'm well aware of responsive design. I think it's an abomination, because all it does is make it take two page loads to view your site instead of one, by ensuring that I have to first load your broken mobile site, then click the "full version" link. Every single freaking time I end up on a "responsive" mobile version of a website, I find myself locked out of features that I regularly use, and end up having to switch to the full desktop version of the site.

If you need much more than a couple lines of JavaScript and a custom stylesheet to support mobile devices, it invariably means that your site is badly designed (too complex) to begin with, and as soon as you release the mobile version of your site, you're almost certainly going to make me hate your guts and curse your name.

And SPA is even worse. If your site loads significantly faster as a web app, there's something wrong with your site. 99% of the time, most of the resources should be shared across pages, and only the text of the page should be changing. There's usually not an appreciable difference between the "load the full page" case and the "load the body of the page" case from a performance perspective unless something is very, very wrong. There are exceptions, such as storefronts that use precisely the same page layout for every page, but these are exceptions, not the rule, and even then, the extra savings in initial page load time just result in a customer sitting there wondering why there's no data on the page, and thinking your site is broken. The real problem is that every web engineer thinks their site is the exception to this rule, but most of those engineers are wrong.

More to the point, if I'm accessing your site often enough to care about performance, I'm going to download your native app instead of using your mobile site, because it will always be much, much more functional, with fewer limitations, more features, and better performance. If I'm going to your website, it's either because I don't care about performance or, more commonly, it is because your native app is missing features that are only on the full version of your site. Giving me a mobile version won't help with the second case, and the first case is largely unimportant for everybody but the site designers who are trying desperately to shave off a few bytes from their data bill.

BTW, it's possible to do a manifested web app (giving you all the advantages of heavy-duty caching of shared content) without using JavaScript for all your navigation. You just specify the base path of the content directory as an external URL (I forget the details) in the web app manifest. This approach is much, much more user-friendly than a SPA in my experience.

I work for a very large multinational company. A corporate social network makes sense for us. There is all sorts of expertise possessed by our employees that isn't normally utilized in their job. This gives us a chance to cross-pollinate, to allow our skills to be more broadly used within the company. Or so that was the intent.

Instead, it's mostly degenerated into a bunch of questions by Bangalore computer programmers that would be more appropriately asked on Stack Overflow, if the subjects they asked about weren't so simple and embarrassing. They're hardly worthy of an American middle-school child. I can't believe we actually hired these people, or that these are the sorts of programmers that take American programming jobs.

The most ridiculous question I've seen was about how to fix a computer in a remote village. Apparently it was completely broken, not coming up at all, but the questioner wanted to know if it could be fixed over the Internet. "Could I maybe use the IP address?" The amount of basic, fundamental misunderstanding that it takes to ask such a question just drives me to tears. And we employ this person. And I've probably lost several potential employment opportunities to people like this.

So after trying to use our corporate social network for its intended purpose...at this point, I've just given up.

What does “static” mean in a C program? (yes, I know the DLL/SO conventions are different; same concept.)

Now go clean up your code kiddies, and after you've got that taken care of, figure out how to randomize memory offsets so they can't just guess hard enough to get it anyhow. Hint: none of this — None. Of. This. — should be sitting around in easily analysed (un)initialized data segments, at the very least.

> VS is perfectly fine & performs well for C#. 2008 and earlier absolutely sucked for C++ (I've not done C++ in VS2013), because of intellisense, which you cannot turn off.

Yes, you can. Microsoft doesn't officially support it but it is not that hard.

http://stackoverflow.com/quest...

IANAL.
For CC, attribution is clearly specified. With their attribution blog post, Stackexchange people are just wrong. They write: "Attribution — You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work)."
However they are wrong, as not the author, but the cc license specifies attribution, you can read the legal code, section 4. c).

So your last point is not very strong, at least not for CC licenses.

No Linux variant has been certified according to the POSIX standards for UNIX, and most variants have subtle ways in which they diverge from the POSIX standards, at least subtly.

Haha. Now you've opened a completely different can of worms. For just one example: why should POSIX matter much these days?

BSD, for example, can essentially (though perhaps not completely technically) be called "Linux with extensions". (They deny it but their own description pretty much gives no technical differences except to say that Linux binaries won't run... and without further explanation that could simply be a compiler dead-man. The only specific difference they point out is licensing.) And the only real reason BSD isn't POSIX-compliant is because they have no interest in paying the fees.

Take OS X for example... it's built on BSD yet it IS POSIX-compliant. Because they wanted to be and paid the cert fees. Big deal.

If OS X and even Windows can be made POSIX compliant (they can), then just about anything could be made POSIX compliant if the owners wanted to bother. They just don't want to.

So now that the waters are thoroughly muddied, I'll muddy them further by saying: today, if you're not an Enterprise shop... you should ask yourself whether you really have any reason to give a shit.

Actually i think that making the permission-list shorter could in many cases improve security... This since most users don't actually read the permission-list but just accepts it, and i can understand that.. Lots of people have no clue what most permissions are about..

http://stackoverflow.com/quest...

What i would like is a better way of displaying the permissions that would, in a easier way, tell non-tech people what they all do instead of just having a really low list of permissions in text-format.

Maybe a compact list of the main features with a few symbols indicating Read/Modify/Use or something like that and then allow us to expand the list for a more fine-grained view.

Contrary to widely held popular belief (especially among marketing types), there's not such thing as "HTML5 Video". There's a Video tag in HTML5 that allows you to embed a video player in a web page, but there's no standard as to what that actually means. When someone says they "support HTML5 streaming", they're spewing you a line of BS, because it doesn't exist. There are currently at least 5 different ways to send video to an HTML5-compliant browser: Apple HLS (supported by Safari, some WebKit browsers), MPEG-DASH (Supported by IE11 and very recent versions of Chrome), RTMP (Supported by Flash), RTSP (Supported by all kinds of things, but no adaptive streaming), and progressive download (Supported by just about anything, but can't do live streaming).

RTMP is flash only. There is no native browser support for RTMP.

The IETF has recognized this codec and even protocol mess, and they try to make a mandatory to implement codec for WebRTC. However, they are not very successful.

WebRTC can be added to your list instead. It also allows unidirectional video, but is not scalable (yet).

Contrary to widely held popular belief (especially among marketing types), there's not such thing as "HTML5 Video". There's a Video tag in HTML5 that allows you to embed a video player in a web page, but there's no standard as to what that actually means. When someone says they "support HTML5 streaming", they're spewing you a line of BS, because it doesn't exist. There are currently at least 5 different ways to send video to an HTML5-compliant browser: Apple HLS (supported by Safari, some WebKit browsers), MPEG-DASH (Supported by IE11 and very recent versions of Chrome), RTMP (Supported by Flash), RTSP (Supported by all kinds of things, but no adaptive streaming), and progressive download (Supported by just about anything, but can't do live streaming).

RTMP is flash only. There is no native browser support for RTMP.

The IETF has recognized this codec and even protocol mess, and they try to make a mandatory to implement codec for WebRTC. However, they are not very successful.

WebRTC can be added to your list instead. It also allows unidirectional video, but is not scalable (yet).

The Apple people do some significant jiggery-pokery to keep the atomic retainCount mutations down to a minimum in the Objective-C runtime.

ARC makes a lot of deallocations deterministic and static, I'm not sure of the usage stats but the biggest graphs people have in running applications are usually either their UI View tree or their model object graph, the retain/release calls for the former generally reduces to a malloc/free after static analysis, and the latter lives almost solely in autorelease pools.

The OS, loader and CPU are minor issues, as they do not have the power to analyze your code.

You mean are not supposed to have. You are being awfully trusting here of un-analyzed code.

And getting a compiler you trust is simple: Write it yourself.

In what universe is that simple? Writing a functional C compiler takes on the order of man-decades. C++ is a factor of 10 longer. For a large team, you'd have to somehow be able to trust your entire team (and your network security!) for that entire time. For a single person, it would be a lifetime's work (or more).

Part the problem you're probably facing is that closures in Javascript are basically broken by the fact you can't trivially explicitly pass by value or pass by reference. This results in some non-obvious variable capture results that you don't see in many other languages because they're much better designed. The only way to work around them is indeed to use horrendous hacks, to, for example, force creation of a new scope which as you say absolutely destroys readability. See here for example, note that jQuery alleviates some of the issues at least by providing wrappers that hide much of such uglyness:

http://stackoverflow.com/quest...

In languages with more sane closure support you can cut out a good few lines of code and a bunch of ugly syntax too from the example there.

I don't know so much about Perl, but Javascript at least, don't let it put you off anything, it's rarely an example of a language that does anything much well which isn't to say it doesn't work, but that it just inherently forces less readable code than many other languages.

My team has already stopped supporting Mavericks because it apparently does not support GDB.

You can get GDB (and pretty much every other open source dev tool) from https://www.macports.org/

https://stackoverflow.com/ques...

Hand-compile, then hand-assemble, and finally poke opcodes into RAM with front-panel switches.

No, I'm not kidding.

For example pretty much every web browser out there can only connect two times to one box.

When was this? I thought browsers had long since given up on RFC 2616's limit of two connections per host. True, RFC 2616 says "A single-user client SHOULD NOT maintain more than 2 connections with any server or proxy." But RFC 2119 defines "SHOULD NOT" to "mean that there may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label." For results of the 'careful weighing' that browser makers have done, see answers to "Max parallel http connections in a browser?" on Stack Overflow.

They alleviated some of that with mandated pipeline. But it does nothing for the middle of the page.

What do you mean by "middle of the page"? Even with a two-connection limit and a server that is taking a long time to render a dynamic page, the browser is allowed to use this second connection as a pipeline to retrieve resources referenced by the part of the page that has been downloaded.

This was recently brought up on the Meta Stackoverflow site:

Third-party development support: hosted by Stack Overflow

The Definitive C++ Book Guide and List

This is one of those questions that's going to keep being asked... Perhaps one day I'll be fast enough to get a first post on this that people actually read...

Link summary from last time:

• Stack Overflow's books every programmer must read question (locked since 2012).
• Top Programming Books a more diverse list.
• Top 100 Programming Books by sales stats.
• Top Programming Books a more diverse list than the above.
• Reddit has a Must Read Programming books thread.
• In this Stifflog 2006 interview with Yegge, Torvalds, Hansson, Norvig, Thomas, Van Rossum, Gosling, Stroustrup and Bray.
• One of the Kernel Hacker Bookshelf series on LWN recommends Unix Internals.
• Joel Spolsky's list of books programmers need to read.
• Your Favorite Tech / Eng. / CS Books Slashdot thread from 2008, my comment listing my favourite books.

General comments

• A few people have volumes of Knuth's Art of Programming on their shelves (but it's harder to find people who have read all of them).
• One of the consultants who taught at my University said that the Mythical Man Month and Peopleware were good. I've read these too and can also recommended them (although they are more about managing programmers rather than programming per se). The consultant also recommended Design Patterns (although he said not to read the book cover to cover but rather to just be aware of them so you could refer to them later).
• I've heard the "Dragon Book" (Compilers: Principles, Techniques, and Tools I think is the 2nd edition) being talked of favourably.
• Many people seem to recommend reading Godel, Escher, Bach (I'd say it's about mathematical thinking)...

I've noticed which book answers tend to fall a bunch of categories:

• Books that talk about software engineering/management/teams.
• Books that talk about programming languages.
• Books that talk about Computer Science.
• Books that improve your mathematical thinking.
• Books that programmers like but aren't programming/maths at all.

If you're going to ask someone "which book?" try limit the categories they should give you an answer for...

Still, the DOM inefficiencies are avoided. Efficient drawing plus efficient, JIT-compiled JavaScript.

Also, it sounds like 'web workers' can help with the Spends 99% in painting issue.

This question has been asked, and answerred positively, see http://stackoverflow.com/quest...

crgrace: r.e. micoprocessor simulator, that is a smashing idea... it sounds very cool.
orignal poster (an anonyous reader): Let's assume you're doing this for fun - as a hobby.
car analogy: I read that you don't need to know how an engine works to drive a car, but a good racers will know something about engines.
So... if you want to really learn programming, learn some assembler - doesn't have to be a lot, but every little bit you do learn will help you. Simpler chips are probably better to get started with than jumping into contemporary laptop CPU's. Maybe Arduino? Sounds like you an get plenty of online help with that (example: http://stackoverflow.com/questions/14464713/arduino-assembler-programming-nothing-happens), and they have a 8-bit processor that should make a fine research project for you.
Then learn a compiled language, probably some straight up C.
Once you understand how a cpu works you'll have a deeper appreciation of what CPython's virtual machine is doing, or what 'just in time compilation' is doing for PyPy.

othoh, if just coding Python is fun then have fun. Nothing wrong with that; you don't have to learn assembly... but if you can wrap your brain around assembly, it will certainly raise your game.

I'm not sure you can auto-generate a C header file but you can create a library (.dll or .o) file from Ada source and call it from C. You have to hand generate the C header file.

Create DLL library in Ada

Oh, another good one - if a site is using the oath2 API to pull your name and such.... you can't authenticate without joining Google+! Delete your "page" and you'll lose your oath access as well. See here for more information on this nice little fuck-you from Google.

> C++11 is awesome and has brought it back to modern day relevancy. I

There is that old joke ...

There are 2 problems with C++

1. Its design
2. Its implementation

C++ started out as an awesome C with classes extension! Every C++ programmer should read these 2 classics:

* The Design and Evolution of C++
* Modern C++ Design

Today C++ is an over-engineered design-by-committee that unnecessary includes everything and the kitchen sink (translation: clusterfuck). Basic problems of idiotic archaic baggage such as "long long", lack of a proper binary literal (which took years; over-engineered user literals*), macros that aren't type safe, no standardized name mangling nor run-time functionality to query a mangled function name, etc.

C++ when used sparingly can be a great tool. A balance between the simplicity of C and the power of C++ abstraction is ideal.

* http://stackoverflow.com/quest...

Looking for links to the Sage 50 (formerly Peachtree) SDK turned up this link with a few different leads. Agree with what you've said about the focus on a ridiculous upgrade treadmill. One of my clients continues to use QB Pro 2000 to this day.

Here's a sad post from one year ago:

Is it possible to ensure by a configuration parameter, that curl uses OpenSSL, and not NSS to retrieve https content? I need to ensure this, in order to enforce compliance with FIPS140-2, which RHEL6.2 has certified?

http://stackoverflow.com/quest...

By the way I know NSS does a lot of FIPS compliance, but part of the Heartbleed problem for the "normal" user is that it is hard to tell what openssl is linked into. We had it in our web server daemon even though shell "openssl version" showed a good version.

Rather than get all aggro, I will state that I have tried to find a concrete answer to this question ("is OpenSSH vulnerable/impacted by this?"), and I still cannot. So before someone say "shut the fuck up when you don't know what you're talking about" to me, I'll provide the data (and references) I do have:

* OpenSSH links to the libcrypto.so shared library which is absolutely OpenSSL on most systems: ldd /usr/sbin/sshd followed by strings /whatever/path/libcrypto.so.X (you'll find OpenSSL references in there). Truth: because OpenSSH links to a cryptographic library that's part of OpenSSL doesn't mean it's necessarily using the code that's bugged (see below poster's sig and note function names are DTLS-related (keep reading)), but it also doesn't mean it isn't. When was the last time you ran truss/strace with all flags (for children, all syscalls, fd I/O, etc.) and looked at it closely?

* SSH, as a protocol, is not SSL (but keep reading): http://www.comforte.com/solutions/tls-vs-ssh/ and http://stackoverflow.com/questions/723152/difference-between-ssh-and-ssl (see replies to primary thumbs-up'd answer)

* However, SSH does rely on at least some part of TLS, the one that's known is X.509 (a form of PKI) (but keep reading): http://www.snailbook.com/faq/ssl.auto.html

* ...but then things like this seem to imply the OpenSSH folks don't use X.509 at all and that you have to run a special OpenSSH build for this to work: http://security.stackexchange.com/questions/30396/how-to-set-up-openssh-to-use-x509-pki-for-authentication

* ...but then you find things like this which are open-ended and seem to imply otherwise (and the link mentioned on that blog, by the way, is also worth skimming/reading to see what's being done): http://trueg.wordpress.com/2012/09/06/use-an-x-509-certificate-for-ssh-login/

* The "heartbleed" bug, which refers to RFC 6520, pertains to TLS: http://www.snailbook.com/faq/ssl.auto.html (yes same link)

* There are repeated/continual news references to "use of X.509" (which could apply to either SSH or SSL from the above references) in every single news announcement. I shouldn't need to link them all.

There is nothing even remotely definitive on either the OpenSSL or OpenSSH mailing list, and that's a bit shocking if you ask me. Therefore, to me, the OP's question is quite valid.

Does the answer to his/her question change the severity of the situation? Yes it does. Yes you should still upgrade OpenSSL, but what some of us senior system administrators are trying to figure out is whether or not we need to inform every employee that they need to generate new SSH keys. I think everyone at this point is aware webservers (ex. nginx, Apache, etc.) doing SSL need to have OpenSSL upgraded + the daemons restarted + keys re-generated + re-signed, but the concern here is whether or not any part of OpenSSH's function calls into the OpenSSL crypto library rely on anything related to RFC 6520.

My opinion: the reason nobody has definitive answer with references (and I hope this Slashdot post induces such) is because there's a serious disconnect between using security-focused software (end-users, SAs, companies using security software, etc.), the writing of cryptographic algorithms (cryptologists), and ac

Linq isn't missing from Mono: http://stackoverflow.com/quest... All the WPF stuff definitely is, but a good chunk of .NET 3.5 and up is implemented. They haven't been assaulted by attack-lawyers yet either.

If your spec is "do what Java does", then Java integer division rounds toward zero, and Java integer addition wraps within (signed) 32 bits. This means the naive Python 2 implementation gets it wrong too, and we're back to square one where we're scanning the list for being all ints and using the "act like Java" method if no float or complex types are found in the array.

If your spec is "do what Java does", then Java integer division rounds toward zero, and Java integer addition wraps within (signed) 32 bits. This means the naive Python 2 implementation gets it wrong too, and we're back to square one where we're scanning the list for being all ints and using the "act like Java" method if no float or complex types are found in the array.

http://stackoverflow.com/quest...

Of course Google it your self next time.

The first answer here: http://stackoverflow.com/quest... is an excellent reference as to why your statement doesn't mean what most people think it means.

If you call C code from python the GIL is released

Only if the library explicitly releases the GIL. Pillow (Python Imaging Library), for one, happens not to.

The change of name from LiveScript to JavaScript roughly coincided with Netscape adding support for Java technology in its Netscape Navigator web browser. The final choice of name caused confusion, giving the impression that the language was a spin-off of the Java programming language, and the choice has been characterized by many as a marketing ploy by Netscape to give JavaScript the cachet of what was then the hot new web-programming language.

http://stackoverflow.com/quest...

font rendering issues on Windows

I will point out that it appears work is in progress

It has been "in progress" for so long that stationary might be a better term.

They start adding animations to html elements you can't restyle with CSS

Got a link to more information? I'm not sure what you're referring to.

http://stackoverflow.com/quest...

There were wide-spread issues on their recent releases. You can only auto-update if you are rock-solid.

Link? I certainly never noticed any issues

Read the chrome product support forums or comment rolls on release announcements - its pretty depressing. Countless posts referring to the same set issues crashes, scrolling bugs, inability to pick items from select boxes, flash crashes, modal dialog faults etc.

http://frankcode.wordpress.com...

They already implemented it. It's been used in ChromeOS for a while.

I see. I wouldn't be surprised if this is the root of the problem. They have conflated a web-browser with an OS. No good will come from it except an unfocussed bloated browser and an anaemic OS.

"Couldn't Google just switch to Qt, which is becoming an industry standard?" It is? I haven't seen evidence of that.

On Windows, yes it is.

My employer, traditionally a very dedicated Microsoft toolchain Windows shop, is currently transitioning to Qt for GUIs. The only option MS really supports these days is .NET based, which means a closed-source vendor is forced to buy some expensive bytecode munging utility if they don't want their code reverse-engineerable back to its sources. Its also damned inconvenient if there's some reason your application needs to be "unmanaged".

Our alternatives are to go with way obsolete MFC, or use some other third-party toolkit. Qt appears to have been judged the best available of these.

As near as I can tell, we are far from alone. This appears to be a common logic path that Windows vendors are following to Qt.

The biggest part of this story is that it is now easier to make a trojanized version of a legit app. But it has been possible from day one.

Android apps are written in Java, and Java bytecodes can be decompiled into something remarkably similar to the original source code. Then the source code can be edited and complied back to an app. Hey presto, you have a hacked up version of the app.

http://stackoverflow.com/questions/12370326/decompile-an-apk-modify-it-and-then-recompile-it

But -- and this is important -- the person using this attack has no way to sign the malware with the same signing key as the upstream source of the original, legit app. This means that it is much harder to trick someone into running the malware.

So, if you get an app from the Google Play store, and later someone tries to overwrite your app with a new build that is malware-infected, Android will refuse to install the new app, because the signing key isn't identical.

http://developer.android.com/tools/publishing/app-signing.html

So, if a user gets an email with an attached "free" version of an app that normally costs money, and that user has not previously installed the legit version of the app, and that user sideloads the malware version, then that user will have malware on his/her Android device.

So, as usual, it's easy to protect yourself: get apps from the Google Play store, and don't sideload apps unless you are certain they are clean.

For that matter, if you are browsing the Google Play store and you see an app that has only been up for a day, and claims to be a miraculously free version of a payware app... just say no.

All your data and configuration is intact, down to the desktop background

You say that as if the desktop background is in the top one thousand most important configs to survive an upgrade. It's not. When I upgraded my Mac, suddenly Maven was gone. That's a big failure. Also, several applications apparently weren't compatible, and were moved from where they had previously been (in Applications) to a place where I didn't know to go look for them. That's a big failure. Also, suddenly my Mac refused to open certain text files, claiming they were applications (like opening a .cgi text file with BBEdit, which is not in any way running the .cgi as an application). That's a big failure. Moreover, there is that ridiculous setting that prevents Macs from installing software which isn't personally blessed by the ghost of Steve Jobs -- until you enter a root password to disable the setting. That's a big failure.

Worst of all is the online-only upgrade system. What if I'm trying to scrub a Mac and I don't have an internet connection? Where's the install disk? That's an egregious, unforgivable failure.

I use Macs and think they are pretty good but let's not pretend that they don't have upgrade problems.

http://blog.stackoverflow.com/...

But for me, the thing that finally got me away from emacsfor good was refactoring support in IDEs.

Exactly what refactoring support? I'm not being confrontational; I seriously want to know. Its a large part of what I do as well.

"We know better, and you have no choice".

Here's another good developer example: GUIs. If you are developing an application, you generally have to have one. Now suppose you are developing in C++ or some other modern compiled language, you are targeting Windows, and you want a GUI for your application. How do you do this?

Here are your choices:

1. Instead of Windows, you target Microsoft's VM, and switch to using "managed" C++, or some other "managed" language.
2. You use MFC, Microsoft's ridiculously dated GUI design system that they quit supporting (except as a migration path) more than 10 years ago. If you do this, be very careful not to use new features that Microsoft put no-compete clauses into, as there's no telling when MS may decide to compete with you.
3. You use some third-party toolkit. QT seems to be a favored option, but there are loads of others

Yes folks, you read that right. As of right now there is no standard GUI toolkit targeting Windows. MS has decided everyone should use .NET and Microsoft's .NET compilers, so that's all they are providing any more.