Is Netscape's Code Falling Apart At The Seams?
bobby writes: "There's a commentary on SecurityFocus that has me thinking: they argue that the infamous Brown Orifice holes in Navigator are examples of a new type of security hole that results, not from bad coding practices, but from coders haphazardly interconnecting disparate components without considering how they'll work together. 'The most dangerous, well-concealed, complex, and noteworthy security flaws in the future will be of this sort,' they write, adding that only the Mozilla project can save Netscape."
but doesn't AOL more or less own netscape? I have never heard AOL even *mention* netscape since their "partnership" (or whatever it is) took place. This seems like a pretty good sign that AOL doesn't expect anything worthwhile out of netscape. Or perhaps they're just waiting for mozilla? Either way, netscape is in poor shape, and I'm distraught over what seems to be its impending doom. I really *don't* want to have to use IE.
"It is well that war is so terrible, lest we grow too fond of it."
Time is fun when you're having flies.
-Kermit the Frog
If your classes and objects are organized right, this shouldn't happen and in fact often doesn't with small projects. However, as projects grow, little mistakes and wrong decisions made at the beginning tend to turn into wide cracks.
The answer to this would be, as some others noted, to write it from scratch. This, however, cannot be the general fix - that's why people invented OO and modular programming.
I think that the time will come when the programming tools (and math behind the whole thing) will be so advanced that it will become easy for a good programmer to start the project right and develop it in any direction, thus reducing risks of this sort to a minimum.
I say "good programmer" 'cause we all know that idiots with power tools just tend to produce rubbish at a greater rate.
z.
disclaimer: I might be right.
http://www.uwsg.iu.edu/hypermail/linux/kernel/0007.3/1305.html
The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
I'm sorry sir, but you're over the limit with this one, and you'll have to throw some of those fry back into the stream.
(jfb)
To spur "enterprise Linux," Big Bang, the distributed two-phase commit.
Each of these companies is hugely powerful on their own, dominating their respective markets.
What it should show people is that corporations could care less about fairness and competition - left to their devices they will work to diminish and eliminate competition at the earliest possible stage (even if it is not in their own long-term interests). This is why the government has anti-trust laws and oversight.
Third chime's a tarm
t_t_b
--
I think not; therefore I ain't®
I'm on PJ's "enemies" list! Are you?
I don't know what you're talking about but during the IE5.5 install you can pick exactly what you need. A bare browser minus java is about 6 meg, smaller than netscape. The configuration in IE5.5 is a tree view just like netscape. Maybe you should do some checking before posting. I happen to like IE because it doesn't crash daily and renders about 10x faster.
Only the State obtains its revenue by coercion. - Murray Rothbard
I'm glad you feel that way. But you forgot to post the link to the perfect, freely available web browser that you wrote from scratch in less than 2 years. Oh, what? There isn't one?
Well, you can always download the mozilla source and compile just the browser component. Or, you could check out a project like Galeon, which has already done the work for you.
Really, writing any decent sized app from scratch is not the easiest thing in the world, and web browsers are quite complex. Even if mozilla made their browser 100% standards-compliant, people would still complain since most of the web isn't that way, so they have to code for that, too. How long in the making is Internet Explorer? I don't suppose you'd care to remember how much it utterly SUCKED until version 3.0, with version 4.0 being the first that actually rivalled Netscape. And you know, it takes up at least the same amount of space as Mozilla, and it _is_ just a browser.
Roar. Sorry, but I've been using Mozilla since M9 and I love it.
WMBC freeform/independent online radio.
Logo? so in other words, you want Netscape to drop C completely, and re-code the whole thing from scratch. Uh, I've seen the netscape source, and it's FUCKING HUGE. Re-coding all that is quite pointless. .02
Another thing which you might want to remember is the fact that those bugs were JAVA-BASED. The java implementation from sun had bugs.
I work for netscape, and have friends who are on the browser group. I know what the problem was, apparently you don't.
What about Microsoft's current problems? Should they rewrite everything in logo too?
-Just my
Adding more programmers fragments the knowledge, but not if they're open source programmers, because they have the magic ability to "review each others' code", which is impossible if you have the wrong kind of license. And Brooks' Law doesn't hold because Eric Raymond said so.
In the first edition of "The Mythical Man-month", Fred Brooks fought against David Parnas' black box modules. Brooks says that he ran the System 360 project with the goal of making all implementation details public. They printed huge spec manuals and printed reams of updates everyday, which would be dropped off at each programmer's office. In the second edition of "The Mythical Man-month", Brooks admits that he was wrong and Parnas was right. Implementation hiding was the right thing. The programmers for System 360 couldn't understand the whole system. These days, open source advocates claim that source code availability solves the "fragmented programmer knowledge" problem. I don't think it solves it (though it admittedly helps in some ways).
cpeterso
And one would hope that the Mozilla authors are responsible enough to remove any feature that does wind up being proven to have such a huge security hole (or at least disable it by default) until it's been fixed. I don't know of any right now, but I'm sure some will be found eventually.
-RickHunter
This is the same reason I don't run Microsoft products at home. They're not engineered well. No one spends a couple years developing a solid model (flowchart) of how the software is supposed to work.
Hmmm, so how many Linux kernel developers "spend a couple years developing flowcharts"? Which commercial software company for that matter? By the time your flowchart is ready, the market has already moved and you haven't even written any code yet..
cpeterso
Microsoft makes hundreds of shrinkwrapped products. Are you sure they build all of them like a novice VB project?
P.S. Netscape v2 was a crashy POS, it just didn't matter that much because you weren't on the web 8 hours a day back then.
IE 4 was also a crashy POS, but it was generally engineered correctly (full DOM renderer just like Mozilla). On the other hand, Mozilla's XUL themes can't be considered correct engineering, except in the 1959
When I hear the word 'innovation', I reach for my pistol.
From everything I hear MS puts a lot of emphasis on the software process. This doesn't prevent them from succumbing to the same failures. Complexity is the enemy of security, and paraphrasing Brooks' law... The complexity of a piece of software goes up as the square of the number of modules (features?) involved. Examining a product like Netscape, or IE, even good engineering practice cannot prevent such extremely complex systems from behaving chaotically at some point. Now add to this short deadlines, and insufficient knowledge: of programming, of the off-the-shelf modules being used; and of the design of the system by the programmers writing it and you have holes waiting to happen. It is a credit to the people writing the software that such holes are not discovered more often.
--locust
What about usability? Until version 4.01 SP1, IE was very unstable. I mainly used Netscape, but found occasion to use IE 3.02 for certain web sites. IE 5 and subsequent releases have not caused the major headaches of earlier versions, but still have serious problems. The ftp browser is a nice feature, which allows drag and drop, but often fails or gets hung up. IE itself gives up too soon on webpages. These are the reasons why I still use Netscape as my primary browser. Netscape generally loads pages faster and waits longer for the server to respond and load pages.
examples of a new type of security hole that results, not from bad coding practices, but from coders haphazardly interconnecting disparate components without considering how they'll work together.
If you don't consider how components will interact when used together, then that is bad coding practice. If it's easy to use a component incorrectly, to the point of causing security problems, then I would venture a guess that the component in question has a bad interface. When we write code at work, my co-workers and I strive to have classes which are pretty much impossible to use incorrectly. Contrast this with something poorly designed and implemented like MFC which, when functions aren't called in exactly the right order at exactly the right time, it ASSERTs. If anything, it just sounds like the developers should revisit the ways their classes interact with each other and tidy it up a bit.
It's all just bad coding practices as far as I can see...
I've seen a lot of computer book titles over the years. But I've never seen one called "Programming for Security". I wonder if colleges offer such courses? I've never heard anyone refer to such a course on /. or anywhere else for that matter.
Thankfully, IE 5 for the Macintosh spurned this 'innovation' and stuck with the hardened method of a config tree with sub-categories. I can install a fresh version of the browser and have it all configured in a few minutes. I still don't have the Windows version of IE configured the way I want it.
Another thing is that integration between the OS and the WWW is probably one of the creepiest, low-browed things I've heard of. There are just too many security problems associated with the internet to have a major part of your OS interface completely linked with it. This is ironically the problem they are noting with netscape.
I want to be able to browse in an encapsulated environment on a browser that 'utilizes' as few of the exploitable WWW technologies that exist. For this reason I use Lynx or w3m for 90% of my browsing. I fire up Mozilla for those inept pages who have no other way to use it except for javascript.
That right there is the largest concern I have with IE, the tight integration with the OS and filesystem. Not to mention mail, news, office documents, and the core scripting languages of the OS itself. Yes, you can turn a lot of that stuff off, but does it come that way by default?
V
NS6 PR2 is actually a step backwards from PR1. A lot of things that worked in PR1 were broken with PR2. Sure, all the glitzy toys are fun but, does the damned browser work? NO!!!
I have a very short, very simple wish list for the folks at Netscape:
- Real support for CSS
- Document rendering that resembles the code according to the recognized definitions of HTML
Anybody from Netscape can feel free to contact me for examples.
My office has been taken over by iPod people.
Can anyone say 'deprecated'?
I knew we could.
A lot of the legacy code is there so that the newer bastard son of code works with stuff written for the older bastard son of code.
Hey, I still use "center" instead of the newer spec for centering text.
"And they said onto the Lord.. How the hell did you do THAT?!"
I used to be someone else. Now I'm someone better.
Real life is underrated.
Any programming language that consisted of giving a little turtle command to do stuff is alright by me- and if you didn't like the turtle, you could change him into a dump truck, or a helicopter.....
Seriously, a beautiful way to teach programming to grade school kids: I learned it on an Apple ][ in fourth grade, and it was a blast.
I know, I know, I shouldn't encourage him... Oh well. :-)
Well, let's try this out... ``Eric Raymond has stated that open-source programming is often an ego-free activity.'' Look! They're in the same sentence! By your logic, that sentence is an even larger load of bollocks than the original article. Pity that it's true. And that the sub-clause (``Open-source programming is often an ego-free activity.''), while not proven, certainly seems to be true in practice. (Yes, there are exceptions. See that word often up there?)
He stated that Brooks' Law doesn't hold---as originally stated---for debugging---in an open source project. He then provided a justification that holds up under current information theory (there isn't a direct link to the explanation in CatB, but it's on thi s page. Exercise for the reader, I guess. (Anyone know why the comment system keeps sticking a space in ``this''? I'd look it up, but I'm working on my resume, which is slightly more important to me right now.)). And then, he provided an empirical example (Linux). And then, he tested his theory (fetchmail).
Agreed. That's a lie. Of course, you're the only person I have ever seen say this. To the best of my knowledge, nobody involved with Mozilla says this. Even the flakiest of news sites never seem to make this mistake. The article this discussion is about doesn't make this mistake.
Teach your kids: "C++ made baby Jesus cry."
Remember that supposed "AOL for Linux" download we saw a few weeks ago? ("Gamera") (url: http://slashdot.org/articles/00/08/13/137233.shtml) Gamera makes use of Mozilla for browsing the internet on a platform MSIE, AOL's choice browser for windows, doesn't support.
As much as we would all love to hate AOL for supposedly "killing" Netscape and Mozilla, I hope Gamera will aid in its increasingly widespread use. In addition to this, AOL will aid in the popularity of everybody's beloved Linux OS.
To summarize:
BTW, you're reading this message with Netscape, aren't you?
---
Every secretary using MSWord wastes enough resources
Systems move towards entropy.
That's it. That's the number one rule of long term software development. No matter what you do, no matter how good your coders are, entropy happens.
People forget, people leave the project. The cowboy coder stays up all night and in an evil cackle resorts to inline assembly. Stuff like this plagues products, even ones with the best of software engineering, paradigms, and tools.
Take netscape for example. There are not that many engineers on it anymore I'd imagine. It's an OLD codebase. You probably just can't scrap it all and start over. That would take a long time, and people need to get paid for a living...something has to pay the bills.
There are two basic types of software products...Quality driven, and release driven. Release driven is such as Microsoft Office, products put out to meet customer demand, to compete against other products making headway, and to work towards strategic initiatives...not to mention fix bugs, improve UI, etc. Quality is a variable in this release, but time is the number one factor.
Quality driven products are ones like Linux (referring to the linux kernel), or Mozilla. "It's done when we feel it's done." It hopefully produces better products, but more than likely, if you fix every bug that comes down the line, you'll never get it out the, and you'll NEVER pay your bills.
While netscape is sitting and stewing in development, IE can have free rein over features, new functionality, and overall the general market. However, netscape may come out with fewer bugs.
It's a moral dilemma that I think is at the heart of the open source development paradigm. Is it better to keep your source closed, private, and singularly maintained to have a trimmer development process, or do you open source it to help flush out those hard to find bugs?
What neither paradigm catches are those integration bugs. Just looking at how all of this comes together will not save anyone from the myriad of hassles that integration of engines, algorithms, and interfaces brings. Teams of coders can be hundreds of people big, and still not catch all the bugs.
Systems move toward entropy. I once read somewhere that "NT is so huge no one person understands it all." There will come a time when everything on the planet is like that. Stuff will get bigger, and it will become too difficult to understand all of the code on such a low level that you are going to have to trust the wisdom of coders that came before you.
My thoughts as a software developer
--jay
Making bugzilla accept milestones greater than 30 would require a COMPLETE code rewrite.
Scuttlemonkey is a troll
[mouth stops]"Oh my god it's farring apart at the seams" [mouth moves]
[mouth stops] "Only mozzira can save us now" [mouth moves]
[Cue big green monster]
The referenced article speaks of COM being messed up. I don't have enough personal experience, other than seeing security holes fly by on CERT and BUGTRAQ. There are numerous citations of the inadequate security model of ActiveX. Perhaps I err by equating COM with ActiveX, but I thought it was a market-driven renaming, not anything fundamentally technical.
The living have better things to do than to continue hating the dead.
This is something that I've been trying to tell the bible thumpers on Slashdot for a long time - ever since I started posting comments on Slashdot. Now my arguments have been proven by a whole story. Netscape is legendary for being a memory hog (in comparison, as I'm typing this, IE5 is using up 8,448K of memory). Furthermore, Netscape will never let you view the source of a webpage with only a few clicks (in the right-click menu in IE, there's an option, "View Source," that opens the HTML/SHTML/PHP3/etc. page in Notepad. Kinda cool, if you ask me, cause you can see what they used to create pages, the javascript, and so on.) Also, sometimes when you want to download something with Netscape, instead of saving the file, it saves the link! That's just not right. I think a total UI rewrite is overdue for Netscape, as well as a total code rewrite.
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
The coders over at Netscape work hard, and they are only human. There's going to be bugs in everything. The discovery of these bugs enables us all to learn from these mistakes and not incorporate them in our own programs. Maybe instead of trashing Netscape, we should dedicate some time to helping.
--Dave
One last thing, and on a more personal side, would you mind clarifying some of your personal objections on Microsoft? Do you really honestly equate them to selling hard drugs?
I do not equate the dealings of MS with that of hard drugs. I was making an analogy, it is a weakness of mine. :)
On the grand scale of Bad Things You Can Do to people though, I do feel that Microsoft, (indeed, other software companies in their position as well.) has put themselves up there. One can only guess exactly how many billions of corporate dollars have been spent on these software companies. Such high-level losses bring down losses upon us all, in the long run.
I believe that the practice of closed software development and sale (especially per-license sale) has gouged the industry. While we look around things appear to be moving along at an incredible clip. Why in just 5 years we've gone from a television to reading www.insert chocolate company.com on candy wrappers and billboards. As fast as it's gone, I wonder how much faster it would have gone without the harness that has been placed on it by the software enterprises.
I don't target Microsoft alone on this, they are not the only guilty party, they are merely the most obviously guilty party right now, and thus they are being used as a scapegoat for a lot of malpractice going on out there.
I should say here, I do not have a problem with software that is purchased. As a developer, I know that bread needs to be passed around. What I have a problem with is establishing a closed or protected code base. Since humans, and ultimately, the corporations they puppeteer are in fact very greedy, inevitably those closed code-bases will be used to lock out other corporations and businesses at the expense of progress.
Please, take the time to read the court transcripts, there is more than enough evidence placed on this case to show that progress has been slowed, and will remain slowed as long as individuals hold the keys to their code.
Now, all of the moral stuff said, I still do have gripes with the way Microsoft products work. You have mentioned that you tire of folks berating Microsoft quality. I'm not going to be one who says everything they produce is rotten. I'll go so far as to say it is satisfactory. I cannot with a clear head though, say that the level of quality I experience using Windows is on par with the MacOS or any *NIX that I've used.
On my computer at home, I use 100% 'free-speech' software. I do this because it makes me feel good to do that. I not only use, but I contribute to these projects, and that makes me feel good too. I feel like I'm a part of a community; a valued member. When I go to work and I have to use NT, or any other 'corporate' software I feel like a 'user' or a 'client' I'm not actively involved with it. I'm just a consumer and I get treated that way by them.
So, do I feel like I have chosen to use inferior products just to spite the corporations? No, not at all. For me I don't feel like I'm stooping down. Especially once I got over the psychological barrier of using software designed with a different mentality. I found that much of this stuff is GREAT quality. It may not look as pretty, one program may not do all 62,000 things that MS Word does, but so what? I can accomplish all of my tasks using a variety of specialized tools that are lean and stable. So honestly, for me it isn't a sacrifice.
If that makes me rare, then so be it, I've never been accused of being normal before. :)
V
The "turtle does whatever the hell it wants" bug is only present in the "our users are dumber than turtles" release of Microsoft Logo.
The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
I think a LOGO based OS is what the world needs right now. Windows style OSes are obviously not that great, and we need to break the rest of the world out of the stagnation that UNIX domination has brought.
If netscape did do a rewrite in Logo, every web page would have a turtle on it. Just think of the glory of those millions of little green turtles scuttling around!!
Actually, my PhD thesis is going to be rewriting Linux's TCP/IP stack in Logo. Should be fun.
Scuttlemonkey is a troll
And what does it say for the kitchen-sink concept of software definition and development, in general?
To go one step further, what does it say for the concept of pay-for software?
Outside of games, developers of pay-for software generally keep buyers coming back year after year for upgrades by adding new features. Somehow it just doesn't cut it just fixing bugs. Those shouldn't have been there in the first place, and admitting that you're just fixing bugs means that you should be giving it away.
Now we're seeing a claim that in a rather fundamental fashion, feature accretion is not a good thing.
Now to take a 180, sometimes feature accretion just may be necessary. So how do we do it in a secure, reliable fashion? Is COM the answer? Does MS really have it licked? I say that with tongue in cheek, because I believe MS values speed to market and profits over ALL else. But maybe they have a kernel of a good idea. Of course, I was in the OpenDoc camp, in the old days.
The living have better things to do than to continue hating the dead.
Now we're seeing a claim that in a rather fundamental fashion, feature accretion is not a good thing.
This is nothing new. A brief scan of the RISKS Digest archives shows many, many cases going back years where a working system and a new, working-as-intended component were combined with disastrous results. (It always amazes me how many engineers and developers have never read RISKS Digest or the book that Neumann published; one developer at a major Northern Virginia Internet applications developer asked me "Is that a local list in your area? I never heard of it.")
If you don't know what RISKS is, check out comp.risks (the USENET feed of the digest); if your ISP doesn't carry it, either get them to, or change ISPs. It's well worth a few bucks a month more if it comes to that.
I propose a new version of Brooks' Law: "Adding components to a buggy piece of software makes it buggier."
-- Old Man Kensey
And according to The Cathedral and the 'Bizarre' this sort of development model is supposed to lead to better and more secure software.
Open source yes, bazaar no.
hey, this should be moderated as "Funny"
z.
disclaimer: I might be right.
AOL refuses to release the Gecko browser until the Microsoft case is over. They want to be able to whine in court that Netscape was destroyed by Microsoft when, in fact, Netscape is alive and well. Netscape has had a good standards compliant browser for over a year (Gecko). But Sun/AOL won't allow them to release it because they desperately feel a NEED to hurt Microsoft with Anti-trust DOJ goons.
Sun/AOL/Netscape decided they will never compete on product merits again. From now on Sun/AOL/Netscape will use Government Goons to do their competing for them.
I think that the Mozilla project is just making a bad browser worse. Kinda like a chef tenderizing a filet mignon with maggots.
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
Not sure about how it is now, but didn't mozilla have problems attracting developers in the beginning? Basically it was a too big piece of code to swallow for most developers, especially if you hadn't been involved from the start....
Hope it's better now, at least it *looks* damn much better (the status of the browser - that is...)!
if (!signature) { throw std::runtime_error("No sig!"); }
What's discussed there is quite relevant here; poor engineering or attempting to overextend what may have originally been a good design appropriate to simpler tasks will result in terrible software problems - security holes, safety hazards and the like.
Also recommended is the book Computer Related Risks by Risks Forum moderator Peter Neumann (ISBN 020155805X). It draws on material from the forum but discusses it in greater detail.
-- Could you use my software consulting serv
Example:
Media Player 7 is configured by default to "phone home" about the type of music and media you play. Supposedly it's anonymous, but I haven't checked. You have to wade your way through drop down menus and checkboxes to find it and un-check it.
Media Player 7 comes with Windows 98 Third Edition (Also known as Millennium, ME).
Lars -
saying that Netscape consists of pieces X, Y, Z developed in different
companies which are independently well written, but because the
developers on each team do not have much insight into the work done
in the other teams, when it comes to stitch them together a hash is
made of the job. The advantage of an open development model is that
the political dimension that prevents openness between the teams is
gone. Rarely are there developer meetings that you just have to
attend to know what is going on, instead everyone can follow the
developers lists and follow the work being done on the related pieces.
The point doesn't have much to do with quality of developers, but
is to do with the circumstances under which they work.
Apparently there were some Windows 95 installs that you could dial-in your registration over the phone lines. Some of these installs, if you had a modem, tried to dial the number for no reason at no particular time and without the user having prompted it. Hence the name "phone home" software.
Apparently it was fixed.
Lars -
Huh? The local SYSTEM account has access to almost everything in a default installation. It's essentially Local Administrator minus networking.
Perhaps you can change this, but my guess is that doing so would break a large number of services that depend on system having rights. It would make more sense to have COM run under an admin-controlled user account.
When I hear the word 'innovation', I reach for my pistol.
..why is it a big deal to remove VBScripting and Windows Scripting Host?
I did uninstall the Scripting Host after reading about some vulnerability.
Not long after the install on demand pop-up appeared because the web site required it. So much for customizing and uninstalling their proprietary crap.
Lars -
This constant discovery of huge holes may finally generate a push for serious operating system security. One can hope. Although neither the Linux nor Windows worlds have done anything that really solves the problem, FreeBSD's Jail(2) call has real promise. Note that unlike chroot(2), which is for root only, user processes can call Jail(2), which makes it much more useful.
So get busy, get something like Jail(2) into Linux, and reorganize Mozilla so most of it runs in jail mode. That will kill the problem, instead of just injuring it slightly.
Only from incompetent non-college educated programmers who don't properly take into account the emergent properties of a system. Seriously, this is inexcusable and clearly the result of blatant incompetence and a hacked-together system with little, if any, formal design other than AOL insisting on icons to go to their shopping site, instant messenger, and a well-planned feature to report to AOL all the websites you visit. They'll get no sympathy from me.
Yes, I'd have to agree, if the Mozilla team can stop hacking in worthless features instead of concentrating on meeting the basic requirements of a functional web browser, they could save netscape from itself. But my bet is that Microsoft, using its unfair trade practice of producing a superior product, will end up dominating the free browser 'market'.
---
I am the dot in slashdot.org
No, Mozilla does not rule, have you had a look at the size of the thing, IT IS HUGE!!!! I really wish that mozilla did rule, but it is just too big, that is why Galeon was started, now there is a browser that rules. There is no reason that a web browser should deal with mail/news/irc/everything!!! Let's not go down the IE route with Mozilla and make it an OS!!!
What makes IE so insecure is its application of this technology to equal what Java was touted to do:
While Mozilla contains a number of XPCOM components it is not possible for standard HTML to instantiate or exploit any of them. Standard HTML can only instantiate the standard set of Javascript objects and everything else is off-limits.
Only chrome can create arbitrary XPCOM objects and that's the implicitly trusted "application" that your Mozilla engine is running. AFAIK skins are treated as untrusted content.
Does that mean Mozilla doesn't contain bugs? Of course not, but it is designed to be safer than ActiveX controls in IE from the outset.
We didn't bother to read all of the foolish ranting by that 9th grader and we can't understand what he could not, in his ignorance, put on the page. We are mindless but willing sheep who will follow anyone spouting what we think we want to hear.
"Information Wants... stuff! Lots of stuff!" Information just doesn't want to pay for it. Information thinks the world owes it a place to live for free and free food too. Information shouldn't have to pay for anything because it is way above working. Information is l33t!
"You can't even speak your own fucking language!" - Frank Zappa
Don't forget Galeon and Konqueror. The choice is quite good now, Win32 you have IE, Opera, Mozilla and Kmeleon, and for Linux you have Netscape, Mozilla, Opera Alpha, Galeon and Lynx. Opera on Win32 is my fave, it's quick, small and standards-compliant, and it's finished, unlike all the others above (IE is NOT finished until it doesn't crash without dragging down the rest of Win98)
Er, I must have missed something.
Haphazard code causes the holes, and yet a haphazard open source project is going to fix this? Eh?
At the bottom of that article it says that Netscape 6 is due for release soon. We are only on M18 of Mozilla.. and I believe the milestones go right up to 30 or so? So if we have 12 milestones to go before Mozilla is stable, how can Netscape 6 be coming out soon? Or is this soon as in a year's time?
Honestly, the reason that C/C++ is used by Mozilla and practically every other large piece of PC software is that it is the only way to get acceptable performance. Java, Smalltalk and other object oriented languages which throw away the nitty gritty details tend to run like a slug as a result. And nitty gritty is exactly what you need when you're writing something as complicated as a web browser.
Doublespeak: Adding more programmers fragments the knowledge, but not if they're open source programmers, because they have the magic ability to "review each others' code", which is impossible if you have the wrong kind of license. And Brooks' Law doesn't hold because Eric Raymond said so. Better still, he quoted someone else saying so.
The initial premise is dodgy too; to support the thesis that the component model is to blame, he uses the example of Brown Orifice which comes about because of three things: Java, the Java Core and the Netscape JVM. That's one thing, in my book. Why stop at three? The Netscape JVM is coded in C, so that's a fourth "component". And the Brown Orifice hole serves your files via IP, so that's a fifth. Bollocks.
The outright lie; Mozilla has been coded "from the ground up". Like hell. If this is the case, why does it have anything to do with Netscape at all? Why, indeed, did the Open Source Community need to wait for Netscape to open the code base, if there were all these people around who could code a browser "from the ground up"? Mozilla has been coded, at best, from the scaffolding.
And then we get told that all problems will be sorted out in 6.0, for that is based on Open Source. Great. If, say, ZDnet put out an article on Microsoft security and concluded it with "But the next piece of vaporware coming out will surely solve all of these problems", they would be castigated to hell and rightly so.
A serious lack of critical judgement.
-- the most controversial site on the Web
Bus error
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Less is more.
How could, "coders haphazardly interconnecting disparate components without considering how they'll work together." not be considered a bad coding practice?
sigs are a waste of space
But this doesn't lock up IE 5.5.
Your script basically looks like an infinite loop which causes the browser window to stop responding for a while. IE eventually pops up a message box saying that your script is poorly written. Whoop-de-doo. MS 1, Linuxgod 0. I'm not impressed, jd.
var color = new Array;
color[1] = "black";
color[2] = "black";
for(x = 0; x
And I find it ironic that the linuxgod homepage is hosted by a FreeBSD machine.
While Logo's happy turtle had its merits, I still prefer the "Smiley Face" icon featured on early versions of IBM PCs. Imagine the increase in programmer and worker productivity if that smiley face appeared instead of an "Illegal Operation."
===========
Your code looks great, but there's too many brackets
--- There is a man in a smiling bag.
... adding that only the Mozilla project can save Netscape.
This is the kind of hyperbolic statement I wish would stop. I don't mean to troll, but isn't netscape pretty much dead anyway? Communicator 4.x is based on a years-old code base which has barely even been tweaked since 1998. And I saw some of this code before release (under NDA for a porting project) -- whoo-ee! It was a mess.
Which is why they switched codebases for the mozilla project. A bunch of netscape hackers couldn't even make the old netscape engine go. So they dumped it. It's gone. Le Netscape est mort; vive le Mozilla!
I don't want to use IE, either, even though it's been easier to develop for for the last couple of years (face it - DOM is a lot cleaner than the layer model). But let's stop clamoring for a netscape resurrection. In fact, since the Netscape brand is now just another AOL product, I don't think I'll use it at all. Straight up Mozilla for me, thanks, with a side order of hot-swappable skins.
Whatever the language you are using to develop large software, true scalability can easily be achieved by using either COM/CORBA or another similar component architecture.
These components offer great scalability and abstraction. With those technologies you can easily code in whatever language suits your needs and reuse objects/components that were developed in any language. When used adequately they are terrific tools/development methods.
Those are IMHO the way to go and will be for many years due to the extensibility of these technologies...
"If liberty means anything at all, it means the right to tell people what they do not want to hear"
Here you go dude: Konqueror. It's open source, supports https (which Mozilla doesn't seem to yet), supports all Netscape plugins, e.g. Flash etc., and is pretty damn fast. I'm using it now, and unlike any of the gtkmozembed browsers I have used, it remembers cookies correctly so I don't have to log in to Slashdot every time I wanna post something. I do like where Mozilla is going but it's still too slow for me at the moment.
when everything is working perfectly.. BREAK SOMETHING before something else FUCKS up!
This is just personal observation on my home computer. I've got a P3 450 w/ 96 MB RAM, and NS Nav 4.7 is visibly faster than IE 5 at loading & rendering pages. It feels like nearly 2x faster.
I was surprised because the benchmarks I'd seen said IE was faster in general. But NS is clearly faster on my system.
If someone tells me how to do timed benchmarks, I'd be happy to run a few for some hard numbers.
-----
D. Fischer
ShoutingMan.com
I don't think you understand where I'm coming from. While I am in fact an experienced Linux user, I also use the MacOS, Windows95, and WindowsNT Server more often than I use Linux. This automatically places me outside of the scope of this rebuttal since I can just as easily turn those features off.
The point I was making is that for the general population, the combination of a hard to configure interface mixed with insecure defaults is a Bad Thing. For guys and gals who can get in there and adjust things, it's okay. It isn't preferable, but it is okay. For the ones who are just learning that Microsoft Word is not the OS, it's bad.
My biggest problem is when people insist on using Mozilla or Netscape just because it's not IE and not MS. They actually go out of their way to use a product that they usually admit is inferior in many ways just not to use MS. It doesn't make sense.
So then, if a company sells liquid detergent, also has a blackmarket industry of selling hard drugs, and you don't ethically agree with selling hard drugs -- you are telling me you would go ahead and purchase their liquid detergent anyway with the glaze of saying "well I use the best detergent, it doesn't matter WHO makes it."
I'm sorry, but I, and many others, find that type of comment much more offensive than the amount of offense you seem to take towards somebody stating that they will not support a company with a bad record, even if it means using a slightly inferior product.
V
Give the people the power they want and they screw it up by giving more emphasis to skins than to architecture.
amateur-source rants/news/general kvetching
Perhaps you could point your incoherent whinging in the direction of Microsoft next time asking where the source code for IE is.
As someone who *designs* rather than programs websites (mostly) I have to disagree with you somewhat. Yes, clients are often kinda clueless and insist on exploding buttons and dancing banner ads, but it's (IMHO) the designer's task to gently steer them away from such foolish notions.
That said, Flash can be useful: it works (and looks!) the same in every corporate browser (most clients don't care if Linux geeks can't see their site) and it allows for their TV commercial on the web to stand out. Finally, if your designer is *good* at Flash and can actually get some tiny programming done with it without having to resort to PHP or ASP, it frees up *valuable* programmer time for other, more complicated tasks such as database management and the like.
As with most technologies, the person employing them needs to know what he or she is doing, and often this is not the case. But to say that Flash is by its very nature a great evil is absurd.
News and bla for computer musicians: http://lomechanik.net/
Well, what I like about Netscape is that when it dies, it does just that, whereas IE dies and takes everything down with it.
Sure, the explorer shell comes up again but it fails to load them tiny app thingies that are loaded on startup. That sucks for me since I use a program for switching between virtual desktops in Windows and it sits in the right corner of my taskbar and it gets hosed whenever explorer.exe decides to jump off a cliff.
Ps. If you think that Netscape is a big memory hog, explain to me why IE consumes more memory than netscape (even though I'm surfing the very same webs in either browser).
Two man carrying a huge mixing bowl, but what's that poking out of the front.
Mummy, I'm scared!
FatPhil
Also FatPhil on SoylentNews, id 863
1. The emphasis on severely consistent look -- down to control at the pixel-level -- is, I think, an image-centric corporate way of looking at things. I don't think it's particularly relevant to the web. (Though, of course, good luck convincing a corporate client that.)
2. People who want to watch commercials don't go online to do it. That's what television is for.
I can concede that Flash can have legitimate uses, but in practice the overwhelming majority of Flash is useless eye candy.
Francis Hwang
Do domain names matter?
But Linux geeks CAN see Flash animations. Netscape for Linux has shipped with Flash since 4.74, and the plugin was available before that.
What frosts me are the sites that ASSUME that because you're not running Windows, you can't do Flash, and deny access.
There's some rather amusing (God and Devil Show) available on Flash.
The living have better things to do than to continue hating the dead.
You must be joking. Windows can barely crash in only 30K lines of code. You must be talking about DOS 5.0 or something. Let's not even get started with *nix.
Gamingmuseum.com: Give your 3D accelerator a rest.
In addition, I don't TRUST IE just because it's from MS. MS has shown a pattern of "phone home" software that began with Win95 (to the best of my knowledge) and has never stopped, including the phone home Word documents that popped up in the last week.
I've got the whole MS ClassB network firewalled out, both incoming and outgoing, with only a hole for Expedia : port 80, so we can check airline reservations.
The living have better things to do than to continue hating the dead.
Actually there is now a Linux player for Flash; though I'm not sure it does everything, it certainly works OK for the usual annoying front page graphics.
It is not 100%. The agreement is that AOL uses IE in exchange for an AOL icon on the Windows desktop, or something like that.
Maybe AOL will not want to give that up, and they will keep using IE.
-- ERICmurphy -- www.jabber.org for open-source, XML-based IM
Odd... when I run explorer (start -> run -> explorer) and select the "detail" view option, I get more or less the old file manager layout. Just FYI. :)
Netscape works fine on it. Try NS 4.75.
You will see a difference between it and the previous versions of NS. The ones b4 4.75 usually cause the system (Linux) to run kinda hard in X.
All it is is an infinite Java loop.
In the past week it came out that HTML bugs can be inserted into Word documents that can phone home when the document is read into Word, and there is no user interaction or notification involved.
To be perfectly fair, I have to add two things:
First, it's a basic capability, so it's done by the originator of the document, not necessarily MS.
Second, the same 'feature' is in one of the other Big Word Processors, StarOffice, I believe.
On a quick perusal I can't find the story, I'll have to look through some of my saved stuff at home.
One doesn't even need to assign evil to all of this. MS simply has a rather cavalier attitude toward security, and for a company of their size, that supplies software to some of the customers they supply to, that's dangerous. Also in the past week, there's a problem in the IP stack of Win9X that they have no intention of fixing, because it's too "troublesome".
The living have better things to do than to continue hating the dead.
I can't say I find IE5 anything other than buggy. And I'm using it right here, right now, under Windows 98, to post this.
Let's use slashdot itself as an example. It cuts off most stories part-way through. If I have mod points, it smears the comboboxes all over the screen when I scroll, misplaces them and then finally gives up rendering them altogether. Still, not very relevant as I can't use them - when it cut off early, it took that 'Moderate' button with it...
It frequently screws up so badly it won't let me swap windows properly. It will intermittently refuse to follow links. And it eats resources like nothing else you can imagine. It's just horrendous what it can do to your system and it'll fall over with a fraction of the number of windows I can open from Netscape.
Communicator 4.0x was a lovely, stable, feature-packed browser. 4.5 was atrocious and could reliably crash the machine totally. They've been getting slowly better since and it's now mostly usable again. Unfortunately, IE has been getting steadily worse for some time...
Roll on Mozilla.
Greg
(Inside a nuclear plant)
Aaaarrrggh! Run! The canary has mutated!
Er, not quite. IE came from NCSA Mosaic via Spyglass. Netscape's browser was "clean room" developed to avoid using any Mosaic code -- although Netscape employed ex-NCSA people. Wrong bastard.
Check out Holloway's writeup on Logo. Pity everything2 has turned into such a police state and he left though.
--Giving to trolls for the benefit of us all
This is late, so I don't expect you to see this.
You sound like one of our "Process Group" people. But the underlying problem usually comes from the proposal group trying to win the bid. They are only responsible for winning the bid and not for the success of the project. This is where I find the problem. A proposal manager is rated well if they keep winning proposals, but it doesn't matter if each of the proposals that he/she won failed. That is the problem of the poor project manager that gets the proposal after they win it.
If a proposal manager does not win bids, because they took into account all of the actual costs, then that manager may be fired.
I have been lucky to see what goes on early, and I have been able to stay clear of the "doomed" projects. My company is basically the way it is straight out of the Dilbert comic.
Steven Rostedt
-- Nevermind
Anyway: Isn't this exactly the kind of thing Eiffel is meant to solve? I mean, I haven't looked at it closely yet, but Design by Contract was basically designed for the problem of large, poorly organized projects in which the components were written by people who were not totally certain what the other components were doing, right? The horror stories in which different components make incorrect assumptions about how the others will work and do Bad Things were what led to Eiffel, right?
Would the concepts behind design by contract/Eiffel have helped with the problems facing netscape, in that objects would be constrained to doing only those things they should be allowed to do? And at the least, those interactions would be clearly defined-- I mean, wouldn't being forced to think out the components and classes specifically in terms of interaction lead to those interactions at least being in some low level way documented-- because at least the question of how should this fit into this has been asked?
Am I just confused? Please help with any knowledge you may have..
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
(kinda interesting that got modded up, considering it was supposed to be flamebait, but I hadn't had enough coffee to operate the submit button correctly...)
On the other hand, Mozilla's XUL themes can't be considered correct engineering, except in the 1959 Cadillac tail-fin sense.
When I hear the word 'innovation', I reach for my pistol.
mozilla this, mozilla that....I don't see what all the fuss is about. Just another fine example of extreme bloatware, and a project that has been going for how many years now? 2? This is pitiful....what ever happened to a web browser that was just a web browser?
I don't want a be all and end all software suite that can do everything under the sun for me in terms of using the internet...I have all the tools I need except a decent graphical browser...having just under 3000 files linked ain't my idea of streamline and/or useful.
If you want a real browser, try links (not lynx...links)...
Bad HTML locked up your browser? Boo hoo. Good software should be able to deal with invalid input without crashing / locking up. Netscape crashes with invalid input, but Lynx complains but keeps working -- which sounds like the better-engineered program to you?
"The axiom 'An honest man has nothing to fear from the police'
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
It's a 6.5 MB download (win32 installer), once installed the program takes approximately 15 MB of your hard drive (complete install, including 2 skins). The install does not include the optional jre or any plugins (e.g. flash).
Once running, your mileage may vary, between 20 and 30 MB used memory in win32 is normal.
Not bad for an alpha product. It is now nearly feature complete. Due to limitations of linux, the linux version still feels a little slow. However, the win32 builds are quite snappy.
There are still a lot of minor (i.e. non fatal) bugs left. No doubt these bugs will get the full attention for the next few milestones. As far as I can see, mozilla is nearly (like 99%) feature complete. Some features are a bit shaky.
The nightly builds are quite good, but you should check with mozillazine before downloading one. Occasionally, after bigger changes, there are some regressions. Don't judge the builds by that because this type of error is usually fixed within a few days. Last week for instance there was a problem with skin switching. Yesterday's build was much better.
People on slashdot don't understand mozilla. They complain it is bloated, takes too much memory and contains too many features. What they don't seem to understand is that mozilla has to replace communicator and compete with internet explorer and outlook express. All this must be done while remaining cross platform and easy to maintain.
Mozilla is not a browser, it is a platform. The killer app for this platform happens to be a browser. But there are lots of other interesting applications that it supports. Mozilla's architecture is brilliant. It supports all of the above. That by the way includes a small, fast browser as the Galeon browser proves. The Galeon browser would not be possible without gecko and necko. Once finished these components will find their way to PC's, unix workstations, pda's, settopboxes and maybe even mobile phones.
I must admit that there were times that I have doubted mozilla was such a good idea. But I've seen the nightly builds. I know it is just an alpha build but still I sometimes forget I'm not using IE. As for IE, my biggest fear was that MS would continue to 'innovate' and 'improve' ie. Yet, all they have done since version 4 is bug fixing and standards tweaking. In essence the 5.5 version looks and feels pretty much the same as the 4.0 version.
Jilles
Neither Mozilla.org nor Netscape is responsible for the BeOS version. If it's slow and buggy, blame, or rather help, the independent BeOS developers who are porting it to their platform.
Assuming that BeOS has a decent set of GNU development tools (make, gcc etc) it wouldn't be insurmountable to make it work properly on BeOS. I believe that BeOS has some issues with dynamic library loading (or lack of support for them) but that's more of a build and configuration issue than anything inherent in the source code. There are efforts afoot to address these issues.
I read the SecurityFocus article and was impressed by how the article pinpointed what I have begun to fear is a major blight on software development. More and more software is being developed haphazardly without a clear design, coherent engineering or a well defined development roadmap. This will only get worse with the growing number of people who refuse to go to college and learn how to engineer software and instead believe hacking code is all there is to software development.
Unfortunately, instead of then discussing ways to attack the cause of the problem (badly engineered software), the article describes ways to attack the symptoms (release the source so bugs can be found).
There is more to creating robust software than simply testing most of the bugs out of a system. Proper engineering practices need to be set in place to allow the extensibility and modularity of the code. Releasing source code may catch buffer overflow exploits and the like but it doesn't solve problems like improper interfaces/protocols being chosen and several other bad design decisions.
Mozilla has already proved this with the fact that it is a complete rewrite of the original Netscape code. After a year wasted hacking at the code, the Mozilla developers realized that all the Open Source in the world could not change the fact that Netscape Navigator was badly engineered software. Mozilla is better than Netscape not simply because it is Open Source and all bugs are shallow but because it is being properly designed and engineered instead of being a series of unmaintainable hacks like Netscape's Navigator.
As the saying goes, you cannot make a silk purse out of a pig's ear.
Yep, the IDY syndrome. (IDY = It's Due Yesterday!)
"Oh, surely adding this neato little pop-up talking paperclip won't take that much! The fundamental idea of a word processor is still the same! This feature won't cause any fundamental problems!"
Well, this depends on which open source project you're talking about. Remember, a lot of the advantages of open source hinge on the large numbers of users/developers who will (not just can) look at the code. While large open source projects have this benefit, smaller projects often don't get enough attention. I mean, a project that only 4-5 people use won't get bugs fixed very quickly, 'cos bugs won't be found that fast. Of course, we all hope these little projects grow, but that doesn't always happen.
(Obligatory disclaimer: I am not trying to put down open source, I'm all for it. Just want to point out some things we take for granted a little too often.)
---
mikre he sophia he tou Mikrosophou.
What frosts me are the sites that ASSUME that because you're not running Windows, you can't do Flash, and deny access.
Actually, for me at least, that's a good thing. Since I'm stuck in the stone age (dial-up, 56K access) downloading a flash page takes too ridiculously long. Give me the text any day.
Microsoft ships a working, complete IE for Linux
But, why would they? If you really want to run MS software try Win4Lin. A friend of mine installed it last night and said that it's a lot faster than VMWare. I haven't tried it myself but I've been considering it just so I can run IE for those times when I run across pages that crash Netscape 4.7x. (Usually Java-ized pages do it.) Yes it's not free, but for US$35, it ain't bad.
Schedules are predictable; with very good process, you can keep to your schedule. If you ever feel you are being pushed faster than you can work, then you have a big problem with your process. If you have your detailed design done, then you should be able to closely approximate how fast you can ship, and stick to it. Speed or rush of schedule is not the cause of it, it is their inability to stick to a solid process, adding tons of bloatware, etc.
------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
I better go update my resume!
Actually AOL didn't use the Netscape browser because of a long-term contract that AOL and Microsoft have together; as soon as that contract is up, you should see AOL being powered by Netscape, or Gecko, whatever it is whenever that happens..
What crack smoking moderators keep moderating up this guy's pollo loco absurdity? This is the second post he's made regarding Netscape/AOL shelving some mysterious, shiny saviour in a box.
Lay off the paint chips, man.
I agree. I started with a late version of Mosaic and used Netscape Nav through 4.7. I liked it for philosophical and productivity reasons. But with 4.7, I kept having weird crashes that required reboots.
I got sick of it, switched to IE 5, and after a week of grumbling, found that IE 5 has a better interface, better features, and is far more stable than NS Nav. The one thing still in NS's favor is that it renders much faster than IE 5.
But I prefer slow stability over fast crashes.
I played with Opera briefly, but $30 for a program that seems to do less than my MS "freeware" isn't a good deal. When and if Mozilla produces a stable, full featured browser, I'll switch, but for now, I'm sticking with IE.
-----
D. Fischer
ShoutingMan.com
Vernor Vinge suggests something of this sort in his latest Hugo and Prometheus award winning novel A Deepness In The Sky. One of his characters speculates on the power of providing the underlying layers of increasingly componentized software. Furthermore, Ken Thompson, in his classic article Reflections on Trusting Trust, discusses a mechanism for hiding a back door in such a way that it will be replicated with each revision of the software, and the source code for it cannot be found.
The point I am driving at is that currently these security holes are believed to be accidental. We are not far from seeing instances of them that are deliberately created. Open source offers some protection from that, if the source is actively read by numerous competent people. But when the code is linked from many sources, the program becomes vulnerable to the weakest link in the chain, the least well reviewed library.
The net will not be what we demand, but what we make it. Build it well.
Mozilla rules. Even in Milestones (M16,M17), it's extremely stable. I suggest that you give it a try. Mozilla. Of course, there's always Lynx. IMO, most important information can still be transferred by plain text. There's absolutely no reason to use Flash animations to get messages across to people and indeed, web sites that do this sort of thing....well...you have to wonder? Is this content really useful information, or is it more a "Fun Thing"? I'm not so sure anymore. Anyway, even on the GFX side, there's always Mozilla - it's coming along very nicely, IMO.
Everything is but a number spoken by itself.
Change OS instead! Then you don't have to reboot when a single program abends.
The internet
LOL!
I love your sig.
Sorry, I just had to comment on it as it brought back many fond memories of gory valentines from my cats.
"Free your mind and your ass will follow"
So, which do you think will happen first?
- Microsoft ships a working, complete IE for Linux
- Mozilla and/or Netscape ships a working, complete browser for Linux
I really hope I'm not going to be using Netscape in two years.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
Why don't you like it besides the fact that it is from M$? I have never had IE5x crash on me, but with Net Comun. 4.61 I EXPECT a crash about once an hour. I mean yeah IE does have some bloated features (actually, A LOT..but oh well) but I really haven't had any problems with it. Just curious that's all..this ain't a troll.
Sig it.
It has been said that AOL bought Netscape because it wanted the Netscape.com portal.
<O
( \
XGNOME vs. KDE: the game!
Will I retire or break 10K?
This makes me happier that Mozilla decided to do a ground-up rewrite of Netscape's code. If, as the author maintains, the Open Source development process provides the best framework for avoiding this sort of bug and software that's "falling apart at the seams" then it seems to me that it's worth the wait to have a browser that's
- Developed in this fashion
- A ground-up rewrite
If the existing codebase was such a steaming pile of dung as the author says (and I believe it was) then IMO it's worth the wait to get it done right.
sig: file not found
hehe... my browser died after that. serves me right:)
seriously though, this type of thing may or may not be the typical security hole of the future. in fact, if all the components (at one level, say, in netscape) are fully encapsulated and none of them have internal security flaws, it's hard to imagine how a combination of these would allow any breaches.
however, you can assure this only in the components you're writing or at least have the source code to, which means that open source can make quite a difference, but not because of the "way that components work together", but because if anyone can see how a component works, it will be much more probable that someone will find the hole.
you can not control all the levels, though. even if we (in few years) get to the point where your computer (used for serious stuff by a fairly advanced user) can be run entirely by OS software, there's still the question of hardware... do we REALLY know what those CPUs are doing? maybe what we need is an open source CPU and chipset?
z.
disclaimer: I might be right.
Here we have a large, main program that has been taken, and had several third-party components sewn together, trying to add functionality, or maybe just some bells and whistles. Now people are finding holes that compromise security, because of the way these separate parts of code interact. ;)
This goes to show the problems with the gee-whiz-gizmo addition that incorporates most bloatware of nowadays..
Windows anyone?
with windows, we have a main operating system, DOS, that is just having these bells and whistles added. First we have a GUI, we have the WIN32 API layer, we have the preemptive multitasking, we have the (slightly) protected memory..
Now, we also have an internet browser, a JVM, and several other components added to it.
and for some reason, there are constant security holes and various other bugs in windows...
I wonder why?
This is a growing problem, as companies seeking to get that software-upgrade money try to tack together completely different programs, and try to make it the next must-have feature, to fool the novice consumer and PHB to get the latest and greatest.
in other words:
Fight the bloatware!
Stop over-analyzing your analizations
First of all, I think 99% is a bit high, but we'll run with it...
So because 99% of the people on the road, don't stop completely at stop signs we should take 'em all out? Or should there be no speed limit ('cause I'm sure more than 99% of the people have broken that one).
The rules exist for a reason. It's so I can design a page and know it will look right, on Windows using IE; on Mac, using MacIE; on Linux Mozilla; on my Cell Phone and/or PDA using an embedded form of Mozilla... whatever, wherever.
Both Netscape and IE handle non-standard HTML differently. I know, before I realized what a standard was I spent hours going back and forth from Netscape to IE trying to get the page to look right in both.
Life has many choices. Eternity has two. What's yours?
Geez, the subject line of this post says it all, I guess. ;-)
Seriously, my attitude has come from the fact that every couple of years I decide I'm being childish & stupid, & I make an attempt to give MS products ``just one more try". And usually within a matter of hours of making this resolution I find I want to drive up to Redmond & adjust the attitude of their design teams with a heavy, blunt object. Or just shoot the lot of them.
My most recent example: IE's incestuous relationship with Windows 2000. Now I'll admit that I rather liked how information was set out in the File Manager that came in Win 3.1: on one side, you had the directories on the drive set out in a tree metaphor, & on the other side, each file was presented on its own line, with the full file name, file size, time & date the file was last written to, & attributes all in a row. Lots of information at a single glance. And if you were scared to see all of this information, well with a few clicks of the mouse you could change it to a window full of icons.
A simple, intuitive setup. And Microsoft proceeded to start hosing it up.
First MS started deprecating winfile, in favor of ``Windows Explorer". Since I'm not against change, I grumbled a little, wondered about some of the design implementations, & ended up learning how to work with this program. I could get my winfile interface, I get the information I wanted how I wanted.
So life went on. Now in Win2k, though, the Windows Explorer has been replaced with IE. Now I'm no longer looking at a list of files & their characteristics, but at an unnecessary HTML page I don't want. Resize one window the wrong way, & instead of seeing all of the columns, I get a help page I don't need & didn't ask for. Every time I go to another directory, I'm back to a window full of meaningless icons -- as far as I can see, there's no way to set & save my preferences globally. And if I'm reading a page on the web when I decide to verify some files on a local drive . . . let's just say I've been warned about my vocabulary at work.
Huh? What's that? Why don't I RTFM?? I have, boyo. But that M is truly F'ed. Click on help, & you get choices like about the World Wide Web, or ``Microsoft and the Internet." (But I'm just trying to manage files on the drives in my employer's computer, not experience this irrelevant paradigm!) Using ``Search" on their help pages to get useful information is about as useful as trying to meet Ms. Right with a poorly-written personal ad. The answer is probably out there somewhere, buried in a hint mentioned in an aside while talking about something totally unrelated.
Microsoft must believe every computer user is a moron, because they work hard writing their user interface down to a moron's level. Everyone else gets confused & either (a) believes she/he is an idiot because she/he can't figure this mess out, or (b) gets just that much more resentful at MS, & resolves to work harder at finding & using a competing -- any competing -- product for their needs.
Too bad MS is a monopoly. That makes it hard to find competing products in many categories.
Okay, okay, I'm done ranting. I've got all of that off my chest, & can go back to work now.
Geoff
I think I see a trend here. Maybe for them it really would be easier to muzzle the entire internet than to produce p
1) Lack of multithreading/multiprocessing capability.
2) Memory allocation is very non-intuitive.
3) Exception handling is almost non-existent.
4) The blasted turtle never does what you want.
I would suggest (and I think my views are shared by a large percentage of the computer industry) that a better programming language for large-scale, team based software design must combine the data abstraction of COBOL with the versatility of INTERCAL.
You want the truthiness? You can't handle the truthiness!
Goodbye old friend, Opera, here I come.
Capt. Ron
crazy dynamite monkey
As much as I hate to say it, this is the case with most big open source projects. I work on a very large system during the day (400,000+ lines of code), where everyone is in the same building, and team members are constantly breaking things because they didn't fully understand why something was the way it was. "It looked like an easy optimization." "I'll just add this special case code in here to make it work." "I didn't realize that I needed to make call X before call Y." "Oh, _that's_ what that field is for." And this is with lots of whiteboard scribbling and explaining. Heaven help us if we couldn't do that.
One of the tenets of open source has always been that anyone can go in and fix a bug or make an improvement. Yes, having the source code available is a *good* thing, because it makes a program less likely to disappear as a result of the whims of business, but the whole supposed truism about ease of fixing bugs is not true. As an experienced programmer, I would be scared as hell to track down a bug inside of a program the size of The Gimp or an X server. The odds of breaking something are extremely high.
Instead of bitching about how bad the code is, why not DO SOMETHING about it and help out?? Complaining will get you nowhere, so stop yapping and start coding.
There seems to be an interesting mechanism which keeps these project management problems to a minimum in Open Source. While there usually exists some person or group in the capacity of "leader" or "committee", the management is really done more-or-less by consensus. If a lead developer or somebody starts to get their head in the clouds wrt adding neat-o features at the last minute, the others can usually bring him back to earth.
The same goes for release dates - at least in my observation, open-source software doesn't tend to get too far behind proposed schedules (as long as the developers aren't completely blindsided by a difficult problem, which happens in both the open- and closed-source worlds). Users of an open product start asking louder and more repeatedly, "When's the new release arriving??". This kind of ego-market pressure seems to work at least as well as financial-market pressure.
Maybe we'll have to write a separate article about this phenomenon...
-kme
There have been several recent articles in some of the major software engineering journals, which question the feasibility of using C or C++ for large projects. C/C++ have been demonstrated to be unsuitable for today's huge software projects, and all other software companies who persevere with C/C++ will eventually run into the same problems as Netscape.
So what is the solution? The academic community's research advocates the use of a new programming language, Logo, in order to solve the problem of scalability. The amazing levels of abstraction provided by Logo mean that Logo is certain to become the major programming language of the future.
You know the choice isn't just between Mozilla and IE. There are other browsers available. You ever tried Opera? How about Lynx?
--
"And that's the world in a nutshell -- an appropriate receptacle."
-- Stan Dunn
Francis Hwang
Do domain names matter?
I hope they fix it soon
It's fixed in 4.75.
Chris
I'm not saying that the article is wrong. In fact I agree with everything the author states. But I want to add the issue of "speed" to get the product out.
My experience at work also shows that tight schedules also cause problems. We all have access to the code of our peers but when we are forced to ship the product quicker than as-soon-as-possible we don't take into account what the other programmer is doing. There are those that design the tool that are supposed to prevent this, but if the requirements are lacking, then programmers will do things one way that will cause problems when integrating it to a tool another way.
Another problem comes when requirements change. Just recently I was on a program that changed a few requirements near the end, and this caused a major design change. With the tight schedule it was impossible to completely test the change to what it should be done. But management seems to think things are some when you change a "simple" requirement and doesn't give a proper budget.
The open source world doesn't worry too much about schedule. It is willing to produce something better than get the PR of a quick product. I believe open source produces code quicker, but for the quality it seems slow, where closed source can produce quicker than the open source because it hides the things that should have been fixed before the shipment. So this is only a perception that the closed source version was produced quicker.
Steven Rostedt
-- Nevermind
Why do you think AtHome bought Excrete?
Yes folks, huge swaths of this industry are manipulated by a few people. There are many good reads that illustrate the incredible influence a few VCs have over large parts of the industry. Try Perkin's Internet Bubble.
Of course, you gotta mention it in context, he goes on to compliment Linus and acknowledge their differences of opinion based on their different abilities and backgrounds. A good read, the interesting part is about 2/3 of the way down that page.
Bleh!
Seriously.
I've been using Mozilla M17 since the day it came out, and like every other mozilla release, it just keeps getting better. However, I have heard nothing but horror stories about the Netscape6 Preview release2. So...don't use it. Stick with the real mozilla. If AOL wants to ruin the Netscape branded browser, then that can be their problem; I'm very happy with mozilla straight from the source.
WMBC freeform/independent online radio.
with a few forums (=webified news groups) for people to report (= mention) that there might be a bug or that they might know how to get rid of it.
and then, there are moderated discussions (running slashcode) of ways to get rid of a bug and on implementing the good riddance.
The moderators (=mozilla or another project bug managers) decide which of the bugs mentioned in the forums are really bugs (and have not been reported before), stick them in bugzilla and, if not trivial, start a discussion about it.
Here the developers (core and others) come in and discuss the stuff and in the end it gets implemented.
could work.
z.
disclaimer: I might be right.
Thanks for finding that link. Although if I learned INTERCAL I'm sure I'd still hate COBOL more.
Hands in my pocket
The fact is, the Netscape 6 implementation of CSS is, in some cases, a step backwards from the marginal CSS support built into NS 4.x. Additionally, valid tags that are fully developed and documented by the HTML 4.0 specification are not implemented. I absolutely do NOT allow any of those proprietary (MS) HTML extensions in any of my documents, yet IE continues to be a superior rendering engine and interpreter.
These HAVE been reported via BugTraq and have only gotten worse with successive builds.
Yes, I will continue to use BugTraq.
No, I will not continue to expect it to do any good.
Just give me a functional browser that doesn't have its birth certificate filed in Redmond!!!
My office has been taken over by iPod people.
Of course, a project like this would be a great way to start up interest in a worthy alternative, and it couldn't have slowed down any more than it already is.
You have to wonder how long C/C++ are going to continue to hold reign. It looks like at least another thirty years (no joke) at this point.
This article has nothing interesting to say. Ever since people started trying to modularise their software, we've recognised that interactions between components are a major source of bugs, because that's where the complexity is. Anywhere you have a lot of bugs, you have a lot of security worries. There is nothing especially insightful about pointing this out again.
:-). You can swear off complexity and use Lynx on Linux 2.0, but most people want features that are fundamentally complex. Print out all the RFCs and W3C Recommendations for everything you need to get an HTML4/CSS1 Web browser working, and you'll see what I mean.
Open source software is no different, of course. Over time it may achieve generally better quality because more people can examine the code, but architecturally it is no different to any other kind of software. Mozilla isn't magically going to be free from security problems.
The sad, boring truth is that there is no easy way to make complex software secure. Avoiding componentization won't make things better, except that it will probably prevent you from building complex software at all, thus dodging the issue
Intelligent design, elbow grease and lots of eyes are the only weapons we have. We'd better use them well.
"Oh my god it's falling apart at the seams"
"Only Mozilla can save us now"
[Cue big green monster]
Netscape gave up on their browser when AOL would not use it. AOL wouldn't use it because it was not componentized. So Netscape produced Gecko. But they refuse to release it because they hope to manipulate the courts in the Microsoft antitrust case. No sooner than that case is settled AOL/Netscape will release the Gecko version which has been on the shelf for over a year already.
After the way AOL/Sun has tried to manipulate the courts to go after Microsoft, nothing would please me more than to see AOL/Time Warner heavily regulated in the Broadband access and in Instant Messaging and hopefully in other areas as well. Nothing could please me more except maybe seeing Microsoft get the monopoly ruling reversed after AOL becomes regulated. It leaves out Sun, the ring leader of the Gang of Two (AOL, Sun, Netscape) but I have a feeling Sun's comeuppance is in the works even as I speak.