Slashdot Mirror


Security Patch Creation at Microsoft

devonshire writes "Officials at the Microsoft Security Response Center have provided a detailed look at the process used to create security patches. From the time the first vulnerability data is received from grey hats to the time a bulletin is shipped, it's a pretty interesting look at how they handle the information flow and patch testing and why it takes so darn long to release an IE update."

274 comments

  1. Next week's headline: by Anonymous Coward · · Score: 5, Funny

    New Windows worm circumvents Microsoft patching process

  2. Testing is only a priority on closed source apps by Dancin_Santa · · Score: 1, Insightful

    Windows and IE being no exception. The very fact that users have neither access to the source code nor the ability to build the application sources means that any testing must be done "in-house". This is going to slow down the release cycle by exactly the amount of time it would take to run all the regression tests.

    With Open Source, a patch can be released right away and users can compile in the new sources themselves. Any issues can be immediately identified and reported back to the maintainers, often with both the offending source code and potential fixes to the patch. Without the lengthy QA cycle, Open Source patches are much more immediate than any Closed Source shop could ever hope to achieve.

  3. Re:Testing is only a priority on closed source app by Anonymous Coward · · Score: 0

    With Open Source, a patch can be released right away and users can compile in the new sources themselves. Any issues can be immediately identified and reported back to the maintainers, often with both the offending source code and potential fixes to the patch. Without the lengthy QA cycle, Open Source patches are much more immediate than any Closed Source shop could ever hope to achieve.

    Or, in other words, with OSS, everyone is a tester!

  4. Typical corporate programming by guruevi · · Score: 5, Interesting

    Instead of just believing the people that there is a problem, they have to test it out and develop a plan and then reprogram the piece. I hate that. In my company they have implemented such a system too, and if you have a problem you have to wait a month before it is planned in (if it is accepted by a group of non-technical managers) and then another month before it is fixed, making a problem sometimes last for over 6 months, and after an endless amount of pointless meetings there is finally some kind of fix. Programmers in corporations are under a lot of (time) pressure and that is not good as it makes them make mistakes. But they have to be able to make quick fixes (as with most Linux projects) without any corporate meetings or managers.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:Typical corporate programming by Atrax · · Score: 4, Interesting

      Your company just seems to have a problem of balance. Your company may have a slow process, but equally they'd be insane to lean too much the other way and just let the techies spin out patches willy-nilly without fear or favour.

      Striking a balance is the trick, and non-technical managers will tend towards the extremely cautious end of the scale without their caution being necessarily grounded in a realistic appraisal of the problem. They don't really understand it, so they go slowly and have accountability at every step.

      Sounds like you might want a shorter chain of command, with technically knowledgeable managers making the calls.

      How you get that to happen, well, I really don't know. A new CEO might be a start (it's worked at my old company)

      --
      Screw you all! I'm off to the pub
    2. Re:Typical corporate programming by Tune · · Score: 4, Interesting

      Either you have no idea about how (software) project management works or you have seen some worst-in-class examples at your company. Testing and reproducing a bug is *very* important. Bypassing that step is a guarantee to waste valuable programmers' time on non-issues. In a healthy organization with averagely skilled testers, this part of testing takes a couple of hours at most.

      Next is bug fixing. This is by far the most variable and unpredictable part, requiring the best of any programmer. It may take minutes or it may take weeks. Besides good programmers, good process can be of great help here.

      Finally comes the release testing, which is what the article is talking about. This phase is essential: *never* trust a programmer if he says it's "fixed and I tested it". Generally, programmers are simply incapable of testing their own stuff. I know, as a programmer. Release-testing takes a considerable, but predictable amount of time, assuming the programmer did a good job. Skipping this phase will sooner or later lead to disasters like the recent Netscape 8 release.

      Now I agree with your complaint on workload and lack of tech-savvy managers, but it's nonsense to say that the process as a whole sucks.

    3. Re:Typical corporate programming by bonius_rex · · Score: 1
      Sounds like you might want a shorter chain of command, with technically knowledgeable managers making the calls.

      Yeah. You also might want to date supermodels, win a Nobel prize, and hit the megabucks lotto jackpot, too.

    4. Re:Typical corporate programming by dioscaido · · Score: 1

      I don't quite understand your objection... How are you supposed to fix an issue if you don't repro it first? And you object to them making a plan for the development, testing and deployment of the patch? Are you a developer?

    5. Re:Typical corporate programming by Atrax · · Score: 1

      If I hadn't already posted to the thread, I'd give you a +5 "Painfully True" for that one.

      --
      Screw you all! I'm off to the pub
  5. UDP Floods by Anonymous Coward · · Score: 4, Interesting

    I don't think there's a single service on a windows box that can withstand a UDP flood. This has been known to be an effective DoS method for years...roommate using all the bandwidth with bittorrent? Playing Doom3 in the middle of the night with the volume jacked up?

    Send a UDP flood to ANY of the services which are actively listening by default, problem solved. Where's the triage team on that one? I guess 99.9% resource consumption isn't a vulnerability in their eyes.

    1. Re:UDP Floods by Anonymous Coward · · Score: 0, Flamebait

      Try not running an unpatched copy of Windows from 2001. Ever hear of SP2?

    2. Re:UDP Floods by zootm · · Score: 1

      I believe their solution is that, since SP2, there are no services listening by default through the firewall. Windows filesharing maybe, though, although that's only subnet-accessible.

    3. Re:UDP Floods by rikkards · · Score: 1

      Not even filesharing is listening. It takes all the fun out of connecting to open Access Points in my apartment building and seeing what naughty pictures they have

    4. Re:UDP Floods by Anonymous Coward · · Score: 0

      How do you figure that UDP floods can cause that when the IP stack does NOT respond in the same manner to UDP as it does to the TCP portion of the TCP/IP stack (which causes DoS/DDoS CPU use to skyrocket in an attempt to validate the fact it heard the initial packet and is sending the response it did)? UDP does NOT demand this type of response and is a "one way send" only!

    5. Re:UDP Floods by Anonymous Coward · · Score: 0
      Playing Doom3 in the middle of the night with the volume jacked up?

      Well, how else is he going to find the monsters?
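    The thread above treats a UDP flood as a simple rate problem: the stack does not have to answer, but it still has to receive and dispatch every datagram, so sheer packets-per-second is the signal. The following is an added example (not code from the thread, from any poster, or from Microsoft) of the detection side of that: a rate-based detector that buckets UDP packets into one-second windows per destination and port and flags windows over a threshold, reporting whether the flood came from one source or many. The record format, the threshold and the sample traffic are all assumptions constructed for illustration.

```python
"""Rate-based UDP flood detector over constructed flow records.

Added example for this thread, not code from any poster. The line format,
the 200 pps threshold and the sample traffic below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Record:
    ts: float      # epoch seconds (fractional)
    proto: str     # "UDP" or "TCP"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Alert:
    window_start: int     # integer second the 1-second window begins
    dst: str
    dport: int
    packets: int
    distinct_sources: int  # 1 means single-source, many means distributed


def parse_line(line: str) -> Record:
    """Parse one assumed flow line: '<epoch> <proto> <src> <dst> <dport>'."""
    ts, proto, src, dst, dport = line.split()
    return Record(float(ts), proto.upper(), src, dst, int(dport))


def detect_udp_floods(records: Iterable[Record], pps_threshold: int = 200) -> List[Alert]:
    """Count UDP packets per (second, dst, dport) and flag windows above the threshold.

    TCP is deliberately skipped: a SYN flood needs half-open-state logic, which is
    a different check from the raw-rate one the thread is arguing about.
    """
    counts = defaultdict(int)
    sources = defaultdict(set)
    for r in records:
        if r.proto != "UDP":
            continue
        key = (int(r.ts), r.dst, r.dport)
        counts[key] += 1
        sources[key].add(r.src)

    alerts = []
    for key in sorted(counts):          # chronological, then by dst/port
        n = counts[key]
        if n > pps_threshold:
            window, dst, dport = key
            alerts.append(Alert(window, dst, dport, n, len(sources[key])))
    return alerts


def detect_from_log(text: str, pps_threshold: int = 200) -> List[Alert]:
    """Convenience wrapper: parse raw lines, then run the detector."""
    recs = [parse_line(l) for l in text.splitlines() if l.strip()]
    return detect_udp_floods(recs, pps_threshold)


def constructed_records() -> List[Record]:
    """Constructed sample traffic (not captured data) for a host 192.168.1.20."""
    recs = []
    # Background: five legitimate NetBIOS (137/udp) lookups and one SMB TCP flow per second.
    for sec in range(1000, 1005):
        for i in range(5):
            recs.append(Record(sec + i / 10, "UDP", f"10.0.0.{i + 1}", "192.168.1.20", 137))
        recs.append(Record(sec + 0.5, "TCP", "10.0.0.9", "192.168.1.20", 445))
    # Single-source flood: 500 datagrams to 137/udp inside second 1002.
    for i in range(500):
        recs.append(Record(1002 + i / 500, "UDP", "203.0.113.9", "192.168.1.20", 137))
    # Distributed flood: 300 datagrams to 1900/udp (SSDP) from 50 sources inside second 1003.
    for i in range(300):
        recs.append(Record(1003 + i / 300, "UDP", f"198.51.100.{i % 50 + 1}", "192.168.1.20", 1900))
    return recs


if __name__ == "__main__":
    for a in detect_udp_floods(constructed_records()):
        kind = "single-source" if a.distinct_sources == 1 else f"{a.distinct_sources} sources"
        print(f"t={a.window_start} {a.dst}:{a.dport}/udp {a.packets} pkt/s ({kind})")
```

Run stand-alone it prints two alerts: the 137/udp window at second 1002 (505 packets, the flood plus the five background lookups, six distinct sources) and the 1900/udp window at second 1003 (300 packets from 50 sources). The threshold is a stand-in; in practice you would baseline normal per-port rates for the host and alert on a multiple of that rather than a fixed 200.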
  6. Re:Testing is only a priority on closed source app by Atrax · · Score: 5, Insightful

    are you seriously suggesting you'd just release a brand new patch into the wild without even cursory testing?

    who's going to want to install it? when everyone is a guinea pig, a certain reluctance to jump in first may manifest itself.

    --
    Screw you all! I'm off to the pub
  7. 1,000,000 monkeys by weighn · · Score: 0, Flamebait

    so, after all we've been led to believe, Windaz patches aren't being written by one-million monkeys?

    --
    Mongrel News all the news that fits and froths
    1. Re:1,000,000 monkeys by Infinityis · · Score: 0, Troll

      Nope. According to Microsoft, it's the open source software that is being written by one million monkeys.

    2. Re:1,000,000 monkeys by Atrax · · Score: 1

      According to Microsoft, it's the open source software that is being written by one million monkeys.

      Sometimes, you have to consider the possibility that they may be right

      --
      Screw you all! I'm off to the pub
    3. Re:1,000,000 monkeys by RollingThunder · · Score: 1

      If you visit http://www.thedailywtf.com/ you'll find that the monkey to programmer ratio is easily a million to one these days.

    4. Re:1,000,000 monkeys by paranoidgeek · · Score: 1

      The articles listed on the site aren't from monkeys but programmers who are given the wrong tools (VB/ASP seems to be a big one) and put on the wrong projects (complex multi-user database) when they have skills in different areas (small VB apps) but an interest in some "big" project. So they get creative when they realise that although they have no idea how to sort a SQL query, they know how to retrieve rows one by one... so they do that... of course those of us who just go "ORDER BY `something` DESC" would laugh when they write a loop trying every single "something" in order.

      - A DailyWTF reader

      --
      Lima India November Uniform X-ray
    5. Re:1,000,000 monkeys by eclectro · · Score: 1

      No silly, they bork their patches. From TFA;

      "In zeeury, ve-a cun releese-a un updete-a veet a petch fery qooeeckly, boot thet's a beeg meesteke-a. Oone-a ooff zee theengs coostumers demund is qooeleety petches. Um gesh dee bork, bork! Zeey dun't vunt tu deel veet foolty petches thet breek zeeur eppleeceshuns und zeey dun't vunt tu deel veet ell zee essuceeeted truooble-a," he-a seeed

      --
      Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
  8. Re:Testing is only a priority on closed source app by Umbral+Blot · · Score: 1

    This is only true for big-name projects. Small open source projects are probably less well supported than their small corporate counterparts. As a lone developer without the hardware and backing of a company I can't patch and identify issues as I would like. As to users giving you feedback. HA! The best I get is once in a while someone tells me that something crashes. I might die of shock if someone sent me fixed source code.

  9. Nice to know that... by Anonymous Coward · · Score: 2, Insightful

    Microsoft's non-security is well organised. :-)

    1. Re:Nice to know that... by Anonymous Coward · · Score: 0

      How the fuck is this insightful? Someone takes a 20 second pot-shot at M$ (LOL DOLLAR SIGN) without justifying their statement in the least, and it gets modded insightful? Oh well here goes...

      Linux only still exists because the 283 patent infringements contained within have yet to be claimed by their rightful owners. Furthermore, Open Source is a doomed development model and I frequently rip off GPL'd code for my own commercial products without fear of reprisal.

      Now - what to do with all this karma. . .

    2. Re:Nice to know that... by Anonymous Coward · · Score: 0
      Now - what to do with all this karma. . .

      What, ACs have karma now?

  10. Re:Testing is only a priority on closed source app by Anonymous Coward · · Score: 0

    real OSS projects actually have an organizational structure.. a closer knit group of users associated with the project will test and comment (or fix) problems they see with code. when the code seems to be good, it is released to the public as an actual release.

  11. From the article: by guruevi · · Score: 3, Interesting

    It's not easy to test an IE update. There are six or seven supported versions and then we're dealing with all the different languages. Our commitment is to protect all customers in all languages on all supported products at the same time, so it becomes a huge undertaking.

    1: languages shouldn't be a problem, that is (hopefully) not completely split up throughout the source code, is it? aargh!!!!
    2: I know of only 3 SUPPORTED IE versions (IE 5, IE 6 and IE 7)

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:From the article: by XanC · · Score: 2, Insightful

      I would imagine that the IE version that runs on each OS (2K, XP, 2K3, etc) is probably unique enough to warrant a full battery of tests.

    2. Re:From the article: by Anonymous Coward · · Score: 0

      IE on Win98/ME
      IE on Win2K/XP
      IE on MacOSX
      IE on MacOS9
      IE on WinCE

      And then for each language.

    3. Re:From the article: by N3Roaster · · Score: 5, Funny

      You missed the funniest bit:

      This is exactly why it can take a long time to ship an IE patch. [snip] We have to make sure it doesn't break the Internet.

      So, the next time someone tells you, "The Internet is broken," you can just blame Microsoft for putting out an IE patch too quickly.

      --
      Remember RFC 873!
    4. Re:From the article: by timmarhy · · Score: 1, Insightful

      they are a fucking multi BILLION DOLLAR company, dont' they DARE try and cry about being short on man hours.

      --
      If you mod me down, I will become more powerful than you can imagine....
    5. Re:From the article: by Neoprofin · · Score: 0

      Having a billion trillion programmers doesn't mean you have enough of them working on any given project such as patching IE. Microsoft, like any company, has to strike the balance between having available staff for sporadic large scale security crises, and not just having superfluous programmers lying around.

    6. Re:From the article: by Vo0k · · Score: 2, Interesting

      1: languages shouldn't be a problem, that is (hopefully) not completely split up throughout the source code is it?

      You'd be surprised. Very surprised.
      Things are far more screwed up than you'd think. An article on development of a new OS release would come in handy, but to put it briefly: somewhere between 60 and 80% of the way through the development of the new OS, the code is branched into "local versions" which are independently developed by corresponding local Microsoft divisions. Bugfixes, features etc. are usually shared, but only "usually", and the final code base varies wildly. There's no simple way to "translate" a version of Windows, or port features from one to the other. That's why each language has a separate service pack and the service packs for them show up at wildly varying intervals: each team has to roll their own. That's why e.g. people in Poland used the German version of WinNT instead of the Polish one in mission-critical positions, because it's more stable. There's way more to "local versions" than plain "local language files". The design is consistent throughout the system, but the code behind it may be completely different, even if it's not really localization-related.

      --
      Anagram("United States of America") == "Dine out, taste a Mac, fries"
    7. Re:From the article: by Tune · · Score: 1

      Also, a single binary doesn't imply a single test.
      I.e., an install may work when connected to a LAN but may fail when off-line. Testing involves numerous configurations. Think laptops, slow hardware, custom OS installs, partitioning, auto-upgrade vs manual upgrade...

    8. Re:From the article: by LuckyStarr · · Score: 1

      Looks to me like a borked driver model, unstable hardware abstraction and a general unpredictability of the OS's behaviour. It (the difference between on-line and off-line installs) also looks like a total design failure of the software management facility of the OS.

      My question is: Why does Microsoft expect its users to do the job of the OS?! And by that I include Microsoft in its userbase. They should have designed a system which requires them to do the test only once. Can't imagine how much time they must burn up every day!

      Ah... never mind. Just grumbling.

      --
      Meme of the day: I browse "Disable Sigs: Checked". So should you.
    9. Re:From the article: by Tune · · Score: 1
      > Looks to me like a borked drivermodel, unstable hardware-abstraction and a general nonpredictability of the os'

      Inferior design of Windows is indeed a major part of the problems. However, only a utopian operating system will make automatic configuration trivial. Anyone who's ever written installers knows about the headaches of damaged directories, garbage due to bugs in previous releases and the general ability of monkeys to misuse even idiot-proof software!

      To test if an internet browser will crash when unconnected, you NEED to test with the internet down. And every option you allow a user to set (such as choosing the install location) will involve extra complexity in integration with other programs. Although this extra complexity may seem simple at first, it will inevitably have its own consistency issues that will need to be tested. In the end, complexity never turns out to be simple (hence the word).

      Summarizing:
      1. some issues can be avoided by good design;
      2. some can be solved by decent testing and
      3. some will never be solved.

      So, restating your grumbling - if I may be so bold: why did M$ put so many issues from the first category into the second?
    10. Re:From the article: by Anonymous Coward · · Score: 0

      Of course the comment is simplified from the end-users point of view. To a huge number of end-users, when the browser is broken, the Internet is broken. They don't know, nor want to know, the differences. I've had managers ask me to reboot Yahoo.

    11. Re:From the article: by MikeBabcock · · Score: 1

      I'd say that's a pretty good summarization of why the rest of us should never manage localized versions this way.

      --
      - Michael T. Babcock (Yes, I blog)
  12. IE is the internet? by gd2shoe · · Score: 5, Funny

    "This is exactly why it can take a long time to ship an IE patch. We're dealing with about 440 different updates that have to be tested [for different versions]. We have to test thoroughly to make sure it doesn't introduce a new problem. We have to make sure it doesn't break the Internet."

    ? ? ? ? ? ?

    --
    I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
    1. Re:IE is the internet? by Atrax · · Score: 2, Insightful

      To the consumer, yes. IE is 'the internet'. Besides which, a patch which had a regression flaw and opened something exploitable by a major worm could cause mayhem beyond just breaking windows clients. A massive DDOS caused by a hole in IE? that would be nice, eh?

      --
      Screw you all! I'm off to the pub
    2. Re:IE is the internet? by Infinityis · · Score: 2, Funny

      They should check with Al Gore before they do anything that could break his internet...

    3. Re:IE is the internet? by zeridon · · Score: 1

      WTF break the net ha ... They must be really kidding

      --
      In fire we trust http://www.getoto.net
    4. Re:IE is the internet? by gd2shoe · · Score: 1

      True, true, but this slip refers to your first point. Apparently, MSRC's Stephen Toulouse thinks so as well (though he may have phrased it from a user's point of view. If it was intentional, there should have been italics or something to mark such.).

      --
      I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
    5. Re:IE is the internet? by Atrax · · Score: 1

      to be fair, it did seem to me like an offhand remark, so perhaps the esteemed journos being paid to write the puff should have italicized it. Hard to know without having the original remark handy, but as this was at TechEd, maybe a video or audio piece will become available...

      --
      Screw you all! I'm off to the pub
    6. Re:IE is the internet? by Anonymous Coward · · Score: 0
    7. Re:IE is the internet? by rkcallaghan · · Score: 1

      I'm a reasonably literate computer user, even for slashdot. All of my machines run linux, happily, even my linksys router. I modify my systems to be useful and I have no stupid blue lights on anything.

      With that said, at work I've said things like "the internet is broken". Why? Because I'm there to handle medicines, and not beat my head against the wall trying to explain to my PHB which exploit is in the wild and how to patch it. Forget it.

      No one at work knows that I know a damn thing about computers, and I'm keeping it that way.

    8. Re:IE is the internet? by Anonymous Coward · · Score: 0

      They're probably talking about Cascading Style Sheets. Since IE gets reamed for not strictly supporting CSS2, I'm almost positive that's what they are referring to. If they update IE with a patch and make it strictly support CSS2, a HUGE percentage of websites will "break" -- mostly the web developer's fault, but a broken site due to a patch is still going to immediately be Microsoft's fault.

    9. Re:IE is the internet? by Lukey+Boy · · Score: 1

      Blue lights are stupid?

    10. Re:IE is the internet? by Viol8 · · Score: 1

      Even your average Dumbfuck Joe isn't that stupid. Even he knows his PC isn't the internet, just like he knows his TV isn't the TV station itself and there aren't little men inside the set making the programs.

    11. Re:IE is the internet? by Jakeypants · · Score: 1

      I wouldn't be too concerned. I'm assured that MSIE can only take down one internet at a time. Two internets, tops.

    12. Re:IE is the internet? by Feztaa · · Score: 1

      Even your average Dumbfuck Joe isn't that stupid. Even he knows his PC isn't the internet.

      I can only wish that were true.

  13. Pick me, pick me! by Infinityis · · Score: 5, Funny

    I know the process!

    1. Identify holes in current software
    2. Release patches that only fix some of the holes
    3. Start charging for tools to take care of the rest of the holes
    4. Profit!

    (If you're from Indonesia, no problem, the software will only cost $1 anyways)

    1. Re:Pick me, pick me! by Linker3000 · · Score: 1

      Mozilla process:

      1) JFDI

      2) er..that's it

      --
      AT&ROFLMAO
    2. Re:Pick me, pick me! by huge+colin · · Score: 1

      (If you're from Indonesia, no problem, the software will only cost $1 anyways)

      I think the concept of $1 Indonesian software just got filed between Korean old people and Soviet Russia.

  14. Re:Testing is only a priority on closed source app by zallus · · Score: 2, Insightful

    Well, Microsoft does have Automatic Update working for them. They may have slower patch creation times, but they can push the created patch to you much more quickly. If you were a corporate executive, would you say that you'd rather immediately install an externally verified patch, or take your own company's time and resources to verify the patch? Sure, for large, computer-intensive operations like air traffic control or medical care, you'd need to verify the patch either way. But if it just means that a secretary wouldn't be able to play Solitaire, and especially if your company doesn't have any individually-designated "Computer Security" positions, I think you'd install the patch right away. Also, it'd be ill-advised for an open-source shop to not regression-test patches before release anyway. I don't want to see the size of your Bugzilla database.

    --
    I mod down pathetic posts.
  15. I'm Confused by TheStupidOne · · Score: 3, Funny

    Microsoft makes security patches? And tests them too?

    --
    unable to resolve function slashdot.sig(), aborting...
    1. Re:I'm Confused by Anonymous Coward · · Score: 0

      And tests them too?

      No, they don't. That's where the users come in.

  16. Real world equivalent by Anonymous Coward · · Score: 4, Funny

    Microsoft is adding a patch to a pair of jeans, but it's difficult because after all the previous patches the pair of jeans looks like a spherical ball of patches 10 feet in diameter.

    1. Re:Real world equivalent by Anonymous Coward · · Score: 0

      And I have been hearing for more than a decade now how Linux was going to "take over the world" (à la Pinky & the Brain)... I have not seen it happen yet, and Linux is even "FREE". If that doesn't do it, and the whole "seize the youth, you seize the future" trying to feed/stuff Linux down the throats of kids in academia didn't help either. No, the "ancient UNIX" crew is on its last legs vs. Microsoft (and it scares the hell out of them imo) & has exhausted every possible trick there is to NO avail over a decade now already to make Linux #1, & is no farther ahead than they were 5 years ago. Not that Linux itself is bad (how could it be? It's got 40 years of UNIX behind it, and yes, Linux IS a Unix knock-off, no question about that), but LINUX's not horrible. It's just NOT as good imo. They've gotten past SMP & kernel drivers & kernel function re-entrancy even & many improvements of note in 2.4-2.6 core builds, especially the latter... but imo, what "kills" Linux vs. Microsoft? A lack of the sheer wealth of both HIGH QUALITY end-user and Back Office Server apps that Windows has, payware or not.

  17. The reason by CrackedButter · · Score: 1, Funny

    why it takes so long to issue a patch is because it takes 8 days a week for them to get off their ass.

    1. Re:The reason by Anonymous Coward · · Score: 0

      I tried reading that several times over but could not understand what the hell you meant. Don't bother trying again.

    2. Re:The reason by CrackedButter · · Score: 1

      Beatles reference?

    3. Re:The reason by DigiShaman · · Score: 1

      Naaa. The real reason is the multi levels of bureaucracy in your typical bloated corporation. Just imagine having to get each request approved by management throughout the process of start to finish.

      --
      Life is not for the lazy.
  18. Re:Testing is only a priority on closed source app by dword · · Score: 3, Insightful

    Again, you keep saying how good OSS is compared to CSS. Now tell me, honest, if you write an application and someone tells you they can sell it for $100/copy and give you 50% of each. Would you still make it open-source? What you said is true, but I'm tired of everyone bragging about how "cool" OSS is. Yes, it's cool, but writing it isn't...

  19. Hahaha. by BJH · · Score: 3, Funny

    We have to make sure it doesn't break the Internet.

    Don't worry, guys, no matter how badly you screw up it won't hurt the Internet - because the Internet doesn't run on Microsoft boxes. Hard to imagine, I know, but true.

    1. Re:Hahaha. by baadger · · Score: 1

      Yeah because all that matters is you keep them Linux webserver farms up serving next to no requests because 80-90% of clients are dead in the water.

      I'm sure the likes of Amazon.com would appreciate that so much. Thanks.

    2. Re:Hahaha. by MoriaOrc · · Score: 1

      Assuming that the ~90% of people who use IE will all upgrade their clients the day of release is just a little far fetched, don't you think?

    3. Re:Hahaha. by multi+io · · Score: 2, Interesting

      If they accidentally deliver a patch to IE that makes the browser send 256 requests per second to randomly chosen servers, something that's indistinguishable from "breaking the Internet" will happen.

  20. Re:Testing is only a priority on closed source app by Dancin_Santa · · Score: 2, Insightful

    Isn't the writing of Open Source software the whole point?

    If no one wanted to write it, OSS wouldn't even exist.

  21. Re:Testing is only a priority on closed source app by Renegade+Lisp · · Score: 2, Interesting
    As to users giving you feed back. HA! The best I get is once in a while someone tells me that something crashes. I might die of shock if someone sent me fixed source code.

    Remember what ESR wrote about this? "If you treat your users as if they were your most valuable resource, they will respond by becoming your most valuable resource."

    In other words, I think this is all about community-building, and I grant you that this may be beyond what you can do as a single developer who simply shares some code with the world. Still, I have found ESR's statement to be quite true in my own projects, and it only takes a small effort to express this attitude in the e-mails you send to your bug reporters.

  22. Re:Testing is only a priority on closed source app by timbo234 · · Score: 3, Insightful

    Linux distros have automatic updates too and the distro maintainer assumes the role of testing the application with the new patch applied.

    The GP was only half-right by saying that 'a patch can be released right away and users can compile in the new sources themselves' is a strength of OSS. In reality only small numbers of users do this themselves; most simply get it through their distro's auto-update feature after it's been tested and QA'd by the distro maintainers.

    --
    Pre-canned Evolution Links for all those Slashdot holy wars.
  23. Re:Testing is only a priority on closed source app by Atrax · · Score: 4, Insightful

    real OSS projects actually have an organizational structure.. a closer knit group of users associated with the project will test and comment (or fix) problems they see with code. when the code seems to be good, it is released to the public as an actual release.

    So what's different about that compared to the pre-release testers employed by Microsoft? not a lot, it may seem. Besides, my reading of the OP's post didn't indicate this was the meaning at all.

    The fact is, going back to the OP's harebrained scheme, that no-one is going to apply a patch to a critical environment unless it's been through major testing. Sure, your l33t box under your desk which you rebuild every week anyway? patch it with whatever you like, but a production database server pushing out data to thousands of clients? I want that bastard tested thoroughly before the patch ever hits the net.

    --
    Screw you all! I'm off to the pub
  24. Re:Testing is only a priority on closed source app by Anonymous Coward · · Score: 1, Interesting

    I find it strange that open-source application authors never, themselves, sell their product as well. Why wasn't the creator of WINE the founder of TransGaming or CrossOver Office?

  25. multiple code paths by Gary+W.+Longsine · · Score: 1

    Well, there are major sub-versions, too, like IE5.5SP2, etc.

    Several times over the years I've discovered multiple code paths in Windows which apparently perform the same function. I discover them because performing what is ostensibly the same act via more than one of the typically myriad interface controls to initiate the given desired action sometimes differs ever so slightly (note the sarcasm in my voice) in result. I've seen these sorts of artifacts all the way up through Windows 2000. This problem exists without looking at multiple languages and how functions may vary on that axis -- who knows.

    It's clear that the design of Windows contributes to the difficulty of patching and testing it. Given that, it's impressive that they can deliver interim security patches at all. The track record of not breaking random other stuff when they fix a buffer overflow vulnerability has been pretty good lately.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  26. Oh give the man a break... by Kjella · · Score: 2, Interesting

    We have to make sure it doesn't break the Internet [web access provided by IE, which as far as our customers go means breaking the Internet]

    The Internet wouldn't be broken as such, but I doubt the users would see it that way. To them, it doesn't matter if it is the browser, the connection or the servers (massive worm?) that is broken. They can't do what they want, hence it is broken. It is as simple as that.

    Kjella

    --
    Live today, because you never know what tomorrow brings
    1. Re:Oh give the man a break... by gd2shoe · · Score: 1

      Granted. Several things went into my post. First, I thought it funny that an MSRC rep slipped and suggested that IE was as good as synonymous with the internet. Second, I'm tired. That escalates irrational thought.

      If he meant to say that customers would see the internet as broken, there should have been some designation of such in the article. It's the lack of italics that an intentional statement should have that makes it funny (don't know if the quote was verbal or written. Hardly matters; still funny while I'm still tired ;) ).

      --
      I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
  27. Re:Testing is only a priority on closed source app by shmlco · · Score: 4, Insightful
    With Open Source, a patch can be released right away and users can compile in the new sources themselves. Any issues can be immediately identified and reported back to the maintainers...

    Which is basically a fancy way of saying you're going to treat your user base as guinea pigs and let them test your patch for you.

    Hopefully any "issues" they have will not have been fatal...

    --
    Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
  28. Re:Testing is only a priority on closed source app by umkendaj · · Score: 1

    I don't think that the biggest point behind the OSS movement is necessarily the cost of the software, but rather access to the source code. In a business environment, a lot more money goes into support for the software, than the actual software. I feel that a lot of applications could quite easily be sold for a profit, even though they are open source.

  29. B*llsh*t ! by Anonymous Coward · · Score: 0

    "Why it takes so long" ... because MS does not want to stuff up the IE team as it is not an immediate profit source.

    I am not blaming them, it is a normal enterprise goal : cut cost, increase margin ....

    But as we all know MS do not care about IE (anticipated IE7 will be a small improvement only, nothing comparable to Dean Edwards's IE7 fix, by the way), there is no reason for any of us to use their tool.

    After having dominated the browser world, Netscape sank because they did not care about improving the quality of their standards support, bringing new functionality and making their product fast & stable. Now it is MS's turn to fall into the trap ...

    Bye,bye IE ... we will (not!) miss you.

    1. Re:B*llsh*t ! by baadger · · Score: 1

      I suspect IE7 will fix most if not all of the existing CSS functionality. A native code fix for them is better than iffy javascript implementations (although admittedly I use it myself) any day.

    2. Re:B*llsh*t ! by TLLOTS · · Score: 1

      If IE7 does fix all the CSS issues, then expect some rather unhappy users of Longhorn when they go to the numerous sites that have worked around earlier versions of IE and all its flaws, and find that suddenly their websites look all funny.

      I'm personally not going to hold my breath waiting for Microsoft to implement proper CSS support.

    3. Re:B*llsh*t ! by baadger · · Score: 1

      Possibly, but IE does ironically provide a really nice method to allow you to implement a 'good clean hack' - Conditional comments.

      They've said themselves they won't implement proper CSS support... but they will most likely fix all the existing documented bugs and make sure new formats (XHTML 1.1 I think has issues atm) "degrade gracefully". At least that's my optimistic view.

    4. Re:B*llsh*t ! by Anonymous Coward · · Score: 0

      I suspect IE7 will fix most if not all of the existing CSS functionality.

      How can you say that? ieWin5 sucked, ieWin5.5 sucked, and ieWin6 sucked even though the ieWin6 team could look at the source code of two superior browsers, moz and ieMac5, an advantage no other team had.

      We've also had ZERO patches for ie6's badly flawed CSS implementation, despite numerous bug reports since the day it was released years ago.

  30. Call the press by Maven-X · · Score: 1

    It's a big publicity stunt - but a needed one at that.

  31. Re:Testing is only a priority on closed source app by Anonymous Coward · · Score: 0

    "With Open Source, a patch can be released right away and users can compile in the new sources themselves. Any issues can be immediately identified and reported back to the maintainers, often with both the offending source code and potential fixes to the patch."

    That might work for your basement project with 3 users, but won't work if you roll out something that companies actually use and rely on, and I bet it's more expensive having someone sitting and testing your "Open source patches" than actually paying for it in the first place.

  32. The Big Blue E by value_added · · Score: 5, Funny

    "It's not easy to test an IE update .... We have to make sure it doesn't break the Internet."

    Sometimes a joke doesn't need a punch line.

  33. Re:Testing is only a priority on closed source app by Dancin_Santa · · Score: 5, Interesting

    As an Open Source developer, I'm not in this for the money. If I were, you can bet the project would be Closed Source.

    Rather, I want this project to be open and usable for all. To that end, I license it under the GPL and anyone is free to use it.

    So my users are partners with me. They are not my guinea pigs. Though I maintain control over the project, there is no set-in-stone law that no one else may fork the project. In fact, they are encouraged to, if they feel it necessary.

    I release the patches, and they accept them or reject them, depending on their own circumstances. I don't rule them with an iron fist. I consider them my Knights of the Round Table where they all have the right to say what they want and none is any greater than the other.

    So maybe you think that users are passive slugs, but I'd rather give them the benefit of the doubt.

  34. Re:Testing is only a priority on closed source app by jalet · · Score: 1

    You may want to learn other people's experiences.

    I write Free Software, have PLEASURE doing so, and sell it as well.

    All this without any third party keeping 50% of it (modulo the PayPal fees).

    Granted this doesn't amount to millions, but it is just a side job, since I've already got a full time job. This works just fine anyway.

    The proof here.

    --
    Votez ecolo : Chiez dans l'urne !
  35. Re:Testing is only a priority on closed source app by BigBuckHunter · · Score: 0, Flamebait

    The fact is that no-one is going to apply a patch to a critical environment unless it's been through major testing

    At the risk of staying on topic:
    The fact is that no-one is going to have a critical environment that uses IE. If you're using wininet or winhttp for your mission critical apps, shame on you.

    BBH

  36. Ha! by KenFury · · Score: 4, Funny

    "It's not easy to test an IE update .... We have to make sure it doesn't break the Internet."

    Here I fixed it for you.

    "It's not easy to test an IE update .... We have to make sure it breaks Firefox and Opera."

    Better

    1. Re:Ha! by kaellinn18 · · Score: 1

      "It's not easy to test an IE update .... We have to make sure it breaks Firefox and Opera."

      You didn't get the entire quote.

      "It's not easy to test an IE update .... We have to make sure it breaks Firefox and Opera. We don't really have to worry about Netscape because it broke itself, so we were able to get this patch to you in a much more timely fashion."

      --

      --------
      This isn't the sig you're looking for. Move along.
  37. Re:Testing is only a priority on closed source app by Atrax · · Score: 4, Interesting

    Was I talking about IE? Was the OP? Surely we were debating the patch process in general, not specifically IE?

    Besides which, a hell of a lot of corporates consider their intranet (extranet/web) apps 'critical'. IE (or other browser) is a major component in that mission-critical situation, wouldn't you say?

    --
    Screw you all! I'm off to the pub
  38. Are monkeys involved? by noidentity · · Score: 1

    I haven't RTFA, but I'm guessing there will be mention of lots of monkeys banging away at keyboards and one big balding monkey boss who is able to speak one word of English starting with the letter 'D'.

  39. What part... by BJH · · Score: 1

    ...of the phrase "the Internet" are you having trouble understanding?

    Hint: Internet != WWW

    1. Re:What part... by baadger · · Score: 1

      It's very unlikely IE would ever be broken to a serious extent. "We don't want to break the Internet" was only a half-serious exclamation at the end of a sentence, something in speech would accompany a change of tone. Perhaps you missed that implied tone or my obvious sarcasm in my previous post.

      But since we are taking it so seriously maybe you should consider the impact of such an occurrence.

      Along with e-mail (especially for business) the WWW is what the average user of the internet at large pays their ISP bill for. What % of resources at your average datacentre is powering WWW-orientated services? 80%?

      I consider "rendering pointless" as breaking the Web and, since the Web is big part of it, the Internet as well.

      It could have an effect equivalent to the Blaster worm - but in reverse. People would stop surfing the web and it would affect the revenues of hundreds of online-orientated businesses - like Amazon.

      Stop ranting that the Web != the Internet; the two terms are widely used interchangeably because the Web is probably second only to file sharing (maybe) and e-mail. Sure you could argue the likes of Skype and IM are making it less so - but what about the new boom in browsers and the likes of Google Maps and other web applications increasing the web's value?

      I bet you've even said "surfing the net" or misused it yourself.

      So quit exploiting turns of phrase and taking things so literally just because you want to make it look like Microsoft, or rather a mere mortal working for them, is stupid.

  40. Re:Pick me, pick me!...Alternate Patch Process by darkPHi3er · · Score: 5, Funny

    Customers Complain About a New Security Hole. The number of complaints reaches Management's "Action Threshold". The Patch Process is started.

    1. First, blame the customers' other software packages for the insecurity.

    2. Then, blame the customers for failing to apply service packs and hot fixes in a timely fashion.

    3. Security Focus (or another of the Sec/Priv sites) calls up and threatens to "out" the hole if it isn't fixed.

    4. Accuse the complaining entity of having a "partisan" agenda against your company, initiate "Four Corners" Stall -- while you try to figure out if you actually CAN patch the damn thing

    5. As the news of the new exploit makes it into IRC and the UGs' Forums you issue an indignant press release stating that it has never been proven that the new exploit has even been used and is principally "theoretical".

    6. As your Patch Team frantically works to get the patch out, explain that even though the chances of this exploit being used WERE previously slender or non-existent, now that some details of the exploit have been maliciously leaked, HEAVY SIGH, you'll now go ahead and fix it.

    7. Issue the patch, take credit for being "Right on Top" of security issues, explain how much money and time you are spending to counter the effects of the "Few Bad People" on the Internet.

    8. News starts to come in that your patch has broken a number of somewhat older apps -- explain that Users have a responsibility to use "current" software products and refer them to Sales.

    9. News of another exploit comes in --GOTO 1

    BTW, this is pretty much AN INDUSTRY STANDARD APPROACH

    In Commercial Software, it's the FEW companies that DON'T do some version of this that are the (delightful) and unfortunately RARE exception.

    --
    Ten quid, she's so easy to blind. And not a word is spoken...
  41. Liars by cperciva · · Score: 5, Informative
    Quoth the article:
    We respond immediately to the initial vulnerability report and provide the researcher with contact names, e-mail addresses and phone numbers. We make it clear we want to work closely with the researcher to pinpoint the problem and get it fixed. We commit to providing [researchers] with a progress report on the Microsoft investigation every time they ask for one

    My experience directly contradicts this on all points.

    When I reported the hyperthreading security flaw to Microsoft, I was provided with the first name of the person who was responsible for dealing with it ("Christopher"), but I was not provided with his last name, phone number, or any e-mail address (apart from the generic secure@microsoft.com address which I used to report the problem). Later the issue was transferred to "Brian" -- again, no last name, no email address, and no phone number.

    Over the following two months, I heard from three independent third parties that Microsoft was "very concerned" about this issue, and had "several people" looking at it; but they never made it clear that they wanted to work closely with me -- in fact, they ignored all my attempts at co-operation.

    Finally, prior to releasing my paper, I sent several emails to Microsoft asking about their progress and asking for a vendor statement for my web site; again, they did not respond.
    1. Re:Liars by Anonymous Coward · · Score: 0, Flamebait

      Colin,

      Despite what the article says, what do you think Microsoft owes you in this case?

      Seriously.

      The answer to any of your requests for progress reports is going to be (at best) "and you are...?" They've already got your papers, what more do they need? In fact, they've got the inside scoop on the Intel chips and dedicated Intel engineers working specifically on this problem for Microsoft. The two companies are so closely related and dependent upon each other that this is simply the reality of the situation.

      You are an academic nobody in their eyes, despite any delusions of grandeur you may possess.

      So yeah, they are talking out their ass in the article. SURPRISE!!!

      Not.

    2. Re:Liars by cperciva · · Score: 5, Insightful

      Despite what the article says, what do you think Microsoft owes you in this case?

      Nothing. However, I do believe that they owe the public, and their shareholders, the truth about how they handle security issues -- which, judging by my experience, they did not provide in the linked news article -- and I believe that they should take every opportunity available to improve their security, including working with the people who report security issues to them.

      You are an academic nobody in their eyes, despite any delusions of grandeur you may possess.

      Maybe; or maybe not. I'm not just an academic who happened to stumble across a security problem; I'm also a FreeBSD deputy security officer. I may not have quite as much experience at dealing with security issues as they have, but I don't think I'm a complete "nobody" in security circles either.

    3. Re:Liars by Anonymous Coward · · Score: 0

      OpenBSD and DragonflyBSD are gay lovers and you get sloppy seconds. Shut up, ket. You suck.

    4. Re:Liars by tomstdenis · · Score: 1

      Ah, good ol' anon trolling. What better way to "sting" your victim than by posting rubbish anonymously so you don't have to be held accountable for your actions.

      Colin is not a "nobody" in the security world. Hell, even I can go to world conferences like FSE or Crypto and be recognized and I've NEVER PUBLISHED BEFORE.

      While I'll disagree with the IMPACT of his attack the content is there.

      The old timers are really phasing out [when's the last time you saw something interesting from Rivest?] and a score of the next generation are stepping up. Just look at eprint.iacr.org for instance. Quite a few of the papers end up published and I'd be surprised to not see the same names on future papers, etc.

      Tom

      --
      Someday, I'll have a real sig.
    5. Re:Liars by obender · · Score: 1
      I don't think I'm a complete "nobody"

      You've been modded 5 on Slashdot which means that at least for a few hours your posts will be read by people all over the planet. You might have been a nobody yesterday but you are no longer.

      OTOH tomorrow is another day and you might get back to be your usual nobody.

    6. Re:Liars by daveaitel · · Score: 1

      Then again, aside from an enclave of crypies, academic information security research is a dry, lifeless world, without even a nice methane sea to liven things up.

      How many truly hilarious papers have you seen where they "solve" the problem of stack overflows by making the compiler put every buffer on the heap? :>

      -dave

    7. Re:Liars by tomstdenis · · Score: 1

      I wouldn't say it's lifeless, at FSE I had a great time touring around with COMPLETE STRANGERS in Paris. Got to eat at a fancy restaurant and see the sights..

      As for "academics" there are many topics that have not been addressed enough. Side channel attacks is one of them. Efficient crypto primitives and PK schemes is another one that has no end in sight.

      The problem with crypto like any academic field [e.g. physics, math, computer science, etc...] is that you have armchair wizards who think because they read "$X for dummies" they're infinitely qualified to solve any problem in the field.

      This is why you get cryptosystems where they store the PASSWORD ON THE USB DISK for later verification as a "security" measure...

      Tom

      --
      Someday, I'll have a real sig.
    8. Re:Liars by cperciva · · Score: 1

      While I'll disagree with the IMPACT of his attack the content is there.

      Do you disagree with me about the impact of my attack, or do you merely disagree with the media reports?

      I've been quite clear throughout that this only affects systems with untrusted users who are allowed to execute arbitrary code, and that on such systems, the impact is theft of information, potentially resulting in privilege escalation.

      If you disagree with this, what is your assessment of the impact?

    9. Re:Liars by njyoder · · Score: 0

      I'd disagree with both. Your attack requires a set of very idealistic conditions that wouldn't even exist on a server and even then it doesn't appear that you've actually tested the viability of said ideal condition, unless you left some actual test data on accuracy out of your paper. That would be necessary since it's probabilistic, the timings aren't going to be exact even in the supposedly ideal conditions.

      Assuming that it works under ideal conditions, then the only thing that can be running is a single process doing some type of public key operation and all other processes must essentially be idle. That is in no way, shape or form indicative of a server environment, which will have many different things running at the same time.

      You really have to construct a very odd hypothetical scenario for this to work even in theory.

  42. Re:MY XP box is still virus free and still not 'ow by DrSkwid · · Score: 0

    so what ?

    I have a Win95 OSR2 net connected box here that has never been owned either

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  43. LOLZERS! by Anonymous Coward · · Score: 1, Funny

    OMG! IE is not teh internet. AOL is!! every1 noes that d00d! ROFL!!!11

  44. I'd say the difference is... by Kjella · · Score: 4, Insightful

    ...purely political.

    Microsoft wants to give you one "bad news" per month. Predictable, patch time is "low" meaning the time between release and installation is low. It is easy for IT staff to work that way, you can schedule it.

    OSS will give you a patch per issue, patch time is near instant, but they keep coming at you all the time, whenever you can't afford to waste time installing them. That is why you need a distro to keep you patched at all times.

    The rest? Bullcrap. The security patches for Linux don't cause more regression issues than Windows. Like Microsoft, they do audits but instead of one "catch 'em all" release, they do several. In short, it is to make Windows look good.

    Kjella

    --
    Live today, because you never know what tomorrow brings
    1. Re:I'd say the difference is... by SolidGround · · Score: 1

      A lot of the 'popular' open source software doesn't deal with patches however, they just release a new version which is of course a whole lot easier to test than an actual patch.

      Take something like Firefox where they don't ever patch or fix anything. They do release a new *version* that isn't vulnerable anymore, but if for any reason the new version either doesn't work or breaks an extension, you're out of luck and stuck with the choice of using secure software with a loss of functionality, or keeping the functionality but being vulnerable.

      More generally, there can be a ton of valid reasons why you'd want to stick to an older version of anything instead of the latest one. The difference is that we all expect commercial vendors to cater to that and continue to offer support even years after the initial release, but OSS doesn't have to provide any backwards support at all.

      Since OSS in most cases only chooses to support the very latest build (which in a lot of cases even happens to be the unreleased development build) and commercial vendors have to support any combination of current builds they sell, the patching processes of the two really cannot be compared at all.

  45. Re:Testing is only a priority on closed source app by cmad_x · · Score: 3, Funny

    You can sell OSS.

  46. Re:Testing is only a priority on closed source app by Tune · · Score: 3, Insightful

    Thanks for mentioning the pros of Open Source. I agree, but that's not the point.

    Even OSS developers do some testing before they release their code. At least for the larger (multi-developer) code bases. Quality is essential if you don't want to scare your users/co-developers away. And quality is only partially a result of programming skills.

    Now you may point at the difference in emphasis between informal release-testing and formal QA in the legal sense. But it's just ridiculous to assume that OSS solves everything to the point where you just merge & release everything you type and/or every patch submitted to you without even looking at it.

    --
    It is impossible to make anything foolproof because fools are so ingenious.

  47. Re:Testing is only a priority on closed source app by interiot · · Score: 2, Insightful
    Have you heard of Debian Sarge, perhaps? Whose release is so monumental that, along with the revelation of Deep Throat, the switching of Apple to Intel, and the release of Duke Nukem Forever, it pretty much portends the second coming of something of terribly great importance?

    If Debian isn't the epitome of an Open Source project that's overly obsessed with quality releases, at the expense of frequent releases, I don't know what is.

  48. I'm just so good by Urusai · · Score: 4, Funny

    I write code to accomplish what I intend, and I succeed. I don't need to test. What needs testing is other peoples' crappy code that my code depends on. I'm looking at you, GW BASIC maintainers!

  49. Yes by samael · · Score: 2, Funny

    For 90% of people, the web is the internet.

    For 88% of them, the internet is IE.

    Which means that 79.2% of people think that the internet is IE.

    1. Re:Yes by bogado · · Score: 1

      Since your variables are not independent I would say that the total of people that think that the internet is IE is 88% (assuming that your numbers are in fact correct). This would be due to the fact that the set of people who think that the internet is IE and don't think the internet is the web is most likely empty.

      --
      []'s Victor Bogado da Silva Lins

      ^[:wq

  50. Re:Testing is only a priority on closed source app by noidentity · · Score: 3, Interesting

    are you seriously suggesting you'd just release a brand new patch into the wild without even cursory testing?

    You can always release a patch to the patch if any problems are found with it :)

    But seriously, it makes most sense to correct most bugs (that will be caught in the short-term) before a wide release, where there is a single copy of the source, rather than after release, where there are as many copies as there are users.

    With open-source anybody is free to provide this service. If the author only has the time/motivation to do barely-tested releases, why reject his code? Someone else with the desire can do testing and make releases to a wider audience that are more stable, and users can choose between the two options (or more). These can even form without any direct arrangement between the various parties.

  51. Re:Testing is only a priority on closed source app by zootm · · Score: 2, Insightful

    Thanks for posting that, I'd mod you up if I had points. Which, typically, I don't.

    Open source doesn't eliminate the need for testing, but it can make it easier, and specifically make it easier for knowledgeable users to fix bugs themselves and contribute back. As for the testing release issues, it wouldn't be much more trouble for closed-source systems to release nightly builds to the world to test, just less tempting to test.

    The fact that users can fix bugs themselves, though, is not an excuse for releasing buggy software. By all means give users who want a bleeding-edge release access to your newest and greatest (but maybe not quite fully-tested) code, but don't go around releasing such code as your official version. Give it some time, test it a bit, before putting that out. Just because people can bug test and fix their own software doesn't mean that they should be made to.

    OSS can make testing easier, but it does not, as you point out, remove the need for it. For anything above a "hobby" project, for things you actually expect people to use, it's just irresponsible not to undergo at least some testing. Overuse of "caveat emptor" just makes OSS look unprofessional -- which is fine, but it could cause problems when trying to break into more corporate grounds. The people who say both that companies should use more OSS, and that OSS doesn't need to be tested, really need to re-evaluate at least one of those viewpoints.

    I sense I'm ranting, so I'll stop.

  52. why patching ie takes so long by Anonymous Coward · · Score: 0
    The reason it takes so long to get an IE patch out of the door is because the IE code base is a complete and utter mess. The reason the IE code base is a complete and utter mess is because Microsoft hacked the thing together in a few weeks to put Netscape out of business. Unfortunately having done this they didn't then do the next thing they should have and could have afforded to do - basically junk it and do the job properly. This is also why IE still has more holes in it than your average sieve.


    note to /. editors: Some of these "I am a human script" images are, as far as I can work out, impossible for mere humans to read....

    1. Re:why patching ie takes so long by jonwil · · Score: 1

      Why doesn't Microsoft just release the source code to the IE rendering engine (either as true Open Source or as some kind of "Shared Source" with restrictions on distributing changes)?

      If they are worried about projects like WINE and ReactOS using the code, they can have a licence term like "You can only use this code on a legally licenced copy of Microsoft(R) Windows(R)" or something similar.

      Although I am sure someone else here might know other reasons why they can't release it...

    2. Re:why patching ie takes so long by Anonymous Coward · · Score: 0

      IE originally kicked the ass off every other browser, it was much faster, actually handled broken HTML code, and had higher quality rendering (nice image scaling, antialiased fonts etc).

      Comparing the other browsers of the time to it was just embarrassing.

      It's true that IE is showing its age when placed against the next generation of browsers, but if the browser that originally mopped the floor with all the others was "hacked together in a few weeks" then Microsoft is a truly incredible company.

  53. Re:Testing is only a priority on closed source app by slashdotnickname · · Score: 2, Insightful

    clearly, there are many different types of software users... from those that actively contribute to its code, to those that test out the latest versions and report bugs, to pure users that just want to use your tool to get their own stuff done.

    most users fall in the last category and they'll quickly jump ship if your stuff is too buggy/unusable and/or there's something better out there user-wise... case in point, firefox, where the majority of the 30+ million downloaders were not open-source contributors but rather software users that found something better.

    but hey, if you're just interested in chucking untested code out there for your "partners" then more power to you... this "passive slug" will be supporting more serious projects.

  54. Re:patch info by Anonymous Coward · · Score: 0

    You mod this troll, but it's absolutely correct. The main benefit of subscribing is to view the site mentioned in the article, before it is 'slashdotted'.

  55. Re:Testing is only a priority on closed source app by The+Great+Wazzoo · · Score: 1

    Syntax error: you made statements where you obviously intended to ask confirmation about some random thoughts you had. Next time, try using the question-mark construction. E.g:

    "Isn't it true that testing is only a priority on closed source apps?".

    Which would of course have been answered with "no". Recommended reading available on request.

  56. Re:Testing is only a priority on closed source app by xtracto · · Score: 5, Insightful

    Although theoretically it is possible to sell OSS, it is not profitable.

    Why would someone want to buy something he can download for free somewhere else, if people tend to "download for free" even something that they CAN NOT (by law) use for free??

    Of course, now you will tell me that RedHat, Mandrake, etc etc are making business with OSS, but the truth is they are making business SELLING SERVICES, not the software.

    Now, I am a programmer (well, I was a programmer before I started my PhD), I really like to program, when I was in the University I was a Linux advocate (although when I was in High School I was a FreeBSD advocate... can you imagine I bought FreeBSD without really knowing what it was... then when it arrived I spent like 3 weeks installing it, I was like 13 or something).

    But, after I finished the University I had written some programs which I wanted to sell, hell I DO know how to program...

    I put them like shareware on the internet, it was cool, but I also wanted to "contribute" to the OSS, in the "real world" (i.e. outside the net in my life) I was trying to get a job, As I lived in Mexico that was no easy task, so all my income was from my shareware programs and some money my parents gave me.

    But I WANT to program for a living, and that is NOT possible with OSS, only people who have a name and are at the top position in this "OSS" power hierarchy can do it.

    There were possibilities of open sourcing my programs and then profiting with the "customer" services, of course the money I would get there was going to be a hell of a lot less than the money I won with my shareware (which was not a lot of course) and besides I DID NOT study any kind of administration or client service degree I AM A FUCKING PROGRAMMER and I want to program because THAT IS WHAT I KNOW HOW TO DO!!

    So no, it is not possible to live selling OSS, it MAY be possible to live selling a service but not by pure development.

    And of course it is possible to get hired in a company which develops open source as a branch (IBM, Sun, Mandrake, etc) and you could say that you earn your living with OSS... but the one that is paying you is the company.

    Nowadays I am doing my PhD outside Mexico (no, not in the US, in Europe). I have a wider view of this OSS, and although I understand it is great for academia (in fact I OSS it every day) It is NOT right for the commercial developer... And now as I have seen the Programming business is very crowded I have decided to enter the academy business, that way when I return to my country with a European degree I would be able to enter and teach somewhere at least...

    And, I will be able to use and create OSS (of course as a side project JUST FOR FUN). At the end, that is why the OSS projects prosper, people do them JUST. FOR. FUN.

    --
    Ubuntu is an African word meaning 'I can't configure Debian'
  57. Re:Testing is only a priority on closed source app by gl4ss · · Score: 1

    not everyone. but if you got, say 30 people in the inner testing circle.

    you know, that would be the "in house" testing, and if it's a trivial fix, adding of one length check or whatever, it wouldn't matter.

    --
    world was created 5 seconds before this post as it is.
  58. "enter the numbers" images by Anonymous Coward · · Score: 0

    note to /. editors: Some of these "I am a human script" images are, as far as I can work out, impossible for mere humans to read....

    So log in, earn your karma bonus and they'll go away. And you can still post anonymous, like meeeee!

  59. Re:Testing is only a priority on closed source app by cheaphomemadeacid · · Score: 1

    hence the buzzwords alpha,beta,testing,stable,unstable?

  60. And this is why Linux is liable to remain Geek-only by samael · · Score: 4, Insightful

    "Oh, it's ok, we'll release a patch instantly and the users can review/compile it themselves."

    I don't know about you, but I have things I actually want to _use_ my computer for - I don't want to have to review any code changes for patches/upgrades/new versions and check them before I do an install.

    Not that I even have the technical know-how to do that for the vast numbers of programs out there.

  61. That's the right attitude to take by samael · · Score: 1

    If you don't test the error, how do you know that (a) there really is an error and (b) where/what the error actually is?

    Sure, the process should be streamlined so that you don't take months to do that, but then the process described in the article _doesn't_ take months if it's handled properly.

  62. Re:Testing is only a priority on closed source app by Anonymous Coward · · Score: 0

    Have you ever heard of Linus Torvalds?

    Sometimes (at least once) he submits patches without even compiling them!

  63. Re:Testing is only a priority on closed source app by deepestblue · · Score: 1
    As an Open Source developer, I'm not in this for the money. If I were, you can bet the project would be Closed Source.

    Um, open source has little to do with charging money for the product.

  64. Re:MY XP box is still virus free and still not 'ow by NoSuchGuy · · Score: 1

    Yeah, I know.

    BTW nice photos from your last party.

    --
    Grundgesetz * 23. Mai 1949 - 30. November 2007 - http://www.vorratsdatenspeicherung.de/
  65. MOD PARENT UP by Armadni+General · · Score: 0

    +3, Funny

    Come on, we don't have to take it seriously.

    1. Re:MOD PARENT UP by Anonymous Coward · · Score: 0

      Why mod up something that's factually incorrect?

      MS patches have knocked systems off of the internet totally.

      Or how about the IE patches that broke asp.net in August 2003?

      There's nothing insightful in ignorance.

  66. Right by soloport · · Score: 2, Insightful

    It's closed source; Closed architecture; Closed development processes. They could be throwing code together like monkeys and making all this stuff up for the PR value. Who knows?

    I'm not trying to flame-bait here, either. These are the simple facts. Flame-baiting would be saying something like: Haven't they always boosted their value via PR and under-delivered? Or: Doesn't Microsoft lie like sacks enough for you to notice?

    That would be flame-baiting. But I'm not flame-baiting.

    1. Re:Right by DogDude · · Score: 2, Insightful

      It's closed source; Closed architecture; Closed development processes. They could be throwing code together like monkeys and making all this stuff up for the PR value. Who knows?

      And how, exactly, am I to be any better re-assured with Open Source? I can't read the code. I don't know anybody who can. And if I do find somebody who says, "There's a bug in application X", how do I know I can believe them? This whole "everybody can check out the code thing" is really just idealistic fluff to make people feel better, honestly.

      --
      I don't respond to AC's.
    2. Re:Right by Anonymous Coward · · Score: 0

      Are you honestly trying to imply that if you were running a business, you would be unable to find a programmer who you could pay to review patches for you?

      If you're not in business and are unwilling to pay someone to review the patch for you, or are unwilling or unable to learn to review the patches yourself, then you're in no better position than with closed source except that you still have the opportunity to get the patches reviewed at some point in the future if you so wish.

      You're not very good at this trolling lark, are you?

    3. Re:Right by DogDude · · Score: 5, Insightful

      I do run a business, in fact. And yes, I could pay somebody a small fortune to review patches for me. With most applications, TCO is already down the toilet just with the time it would take to *find* somebody who could do it, never mind actually paying the person. Case in point... the last Firefox upgrade broke all of our machines (Firefox quit working on all of my machines... I hope that was all that was affected). IE has never done that. Insignificant program, true, but what am I supposed to do... hire somebody to review each of Firefox's releases to tell me whether or not they'll work? Am I supposed to spend, what, $10-20K to have a Unix programmer come in to analyze the latest Firefox build and tell me where the problem is? That's insane. Instead, we simply removed Firefox from all of our machines, and went with IE, which was already properly tested before being pushed out to users. Much cheaper. Much simpler. Much quicker time for me to get back to the core of my business (which trying to get broken web browsers to work).

      --
      I don't respond to AC's.
    4. Re:Right by McGiraf · · Score: 1

      "I can't read the code. I don't know anybody who can"

      Choice:

      Open source. Use the internet, there are people who can read the code that will talk about it, many people with different opinions, choose which to trust.

      Microsoft: trust employees who are paid to say what they say and risk being fired if they tell their true opinion.

    5. Re:Right by skarphace · · Score: 1

      If you did it right, you would have tested it on one machine before you rolled it out to all of your machines. It's common sense in IT to test before a rollout. It only takes 10 minutes of your time.

      --
      Bullish Machine Tzar
    6. Re:Right by mjm1231 · · Score: 2, Insightful

      No, the logic is quite simple. While it may be true that you can't personally verify the code, for an open source project to lie about bug fixes would require that everyone who can read code be in on the conspiracy.

      --
      Ideology: A tool used primarily to avoid the bother of thinking.
    7. Re:Right by deranged+unix+nut · · Score: 3, Informative

      Testing only takes 10 minutes if your configuration has no complexity or interdependency.

      Note: I test software for a living.

      With the complexity of most Fortune 5000 companies, for anything integral to networking or used as an interface between multiple software applications, it could easily take months to make sure that a change doesn't break anything.

    8. Re:Right by RWerp · · Score: 1

      On the other hand:

      Open source: made by people in their spare time with no monetary incentive to make it work properly.

      Closed proprietary software: made by people whose daily bread depends on the quality and popularity of their product.

      I'm not anti-open source, I use it a lot, but I just wanted to present the other side of the coin to you.

      --
      "Long run is a misleading guide to current affairs. In the long run we are all dead." (John Maynard Keynes)
    9. Re:Right by McGiraf · · Score: 1

      yes, but the pool of programmers in open source is much bigger (for the popular programs)

    10. Re:Right by Anonymous Coward · · Score: 0

      You are right.

      Please take care that you are not in the "If it don't broke then don't fix" ship.

    11. Re:Right by iabervon · · Score: 1

      It's not particularly hard to get enough understanding of a programming language to follow a detailed bug report and determine that it's accurate and that the patched version doesn't do the same thing. It's a lot harder to actually write new code, and it's hard to identify problems, but it's pretty easy to tell if the code does what the bug report says it does.

    12. Re:Right by gillbates · · Score: 1
      This whole "everybody can check out the code thing" is really just idealistic fluff to make people feel better, honestly.

      Except, of course, that it is the same model that the scientific community uses. Granted, you don't have to believe science, either, but they both use a peer-reviewed approach. With Open Source, the source is reviewed by hundreds, if not thousands, of other programmers intimately familiar with the code. While a bug in the code might not be obvious to you, it is easily found by someone who spends their life writing code for a living.

      Open Source produces high-quality software because:

      • Buggy or poorly written Open Source projects do not become popular. There is no Open Source monopoly bludgeoning manufacturers into using defective or poorly written software. While someone might use a buggy piece of proprietary software to get "the full value of their investment", Open Source software suffers no such false-incentives.
      • Open Source software is often written by those with a passionate interest in their work. The authors have a financial interest in producing good code because it will reflect on their professional reputation.
      • With Open Source, a disagreement with the developers doesn't necessarily mean that you have to do without a much-needed function or bug fix.

      Contrast this with the closed-source, profit-driven model of commercial software:

      • The vendor has a financial incentive to do as little testing as possible.
      • The vendor has a financial incentive to issue as few bug fixes and patches as possible.
      • Should the vendor disagree with you about the existence of a bug, your only recourse is to live with the bug or stop using the software completely. With open source, even if you can't write code, you could at least hire someone to fix the software (and perhaps add features that you'd like).

      --
      The society for a thought-free internet welcomes you.
    13. Re:Right by DiehardMM · · Score: 1

      Look at it like this:

      CompanyX: I have invented cold fusion. Pay me $1000 and I'll let you use it. If there are any problems I will deny they exist and make up any excuse possible to this effect, or detract attention from it by screaming FUD upon competitors. Then I might silently slip out a fix in a few months, if you're lucky.

      OpenSourceY: We have invented cold fusion. You can have it to do with what you want. Many of my peers who have no association with our project whatsoever, but are experts in nuclear energy have looked at it and identified problems and implemented fixes. If there are problems, then just raise the issue and I'm sure many people will chip in with a solution.

      Which version do you think the scientific community would go with? Which version would you, as the end user prefer?

      Would you trust expertly peer-reviewed software, or are you prepared to simply believe a company with closed-source software? That is how you can be better re-assured.

    14. Re:Right by ashayh · · Score: 1

      You use IE and FF. That means you use Windows.
      So why would you hire a UNIX programmer to look at your FF breakage? Or are you just trolling?
      Or maybe the breakage is a result of your incompetence.
      There's no way a FF upgrade will break MANY machines simply because an FF upgrade is not tied to the underlying Windows architecture like an IE patch might be.
      Your claim that IE is tested before you install it by MS and therefore it won't break any machines or configurations is ridiculous.

    15. Re:Right by MegaFur · · Score: 1

      It's closed source; Closed architecture; Closed development processes. They could be throwing code together like monkeys and making all this stuff up for the PR value. Who knows?

      I hate Microsoft as much as the next guy, but let's be clear--the next part where you said, "These are simple facts.": those statements you're referring to are not statements of fact, they're statements meant to cast doubt on Microsoft's story. That's great, and true, but it's not statements of fact--rather it's kind of the opposite of a fact--they are, in fact, statements designed to cause fear, uncertainty, and doubt. :-) (well ok, not fear really, but probably uncertainty, and definitely doubt.)

      --
      Furry cows moo and decompress.
    16. Re:Right by birge · · Score: 1

      You know, this whole notion that open source is good because it's quite possible for closed development to be disingenuous is really kind of naive, if you think about it. Give me one example of something that cannot be totally destroyed if a human decides to be completely disingenuous. The quest for schemes whereby one can never be duped is a fool's errand. You're just going to have to get used to the fact that much of your security, both physical and otherwise, is a matter of trust and faith in the general goodness of other humans, whether you like it or not. I'm starting to think that the geek obsession with security and open systems is more a manifestation of psychological neuroses than a rational expenditure of effort.

      All I'm saying is I notice that we, as geeks, used to get a hell of a lot more done before we all became obsessed with the chimerical notion of perfect computer security. We'd actually implement useful things instead of patching for vulnerability #23427823, wherein an incredibly evil and brilliant hacker could theoretically compromise a machine by getting you to display a properly formatted JPG.

    17. Re:Right by Anonymous Coward · · Score: 0

      Instead, we simply removed Firefox from all of our machines, and went with IE, which was already properly tested before being pushed out to users.

      You are either incompetent, supremely stupid, or lying out your ass.

      Or just working for Microsoft, which makes you at least two out of three.

    18. Re:Right by Anonymous Coward · · Score: 0

      This guy is a MS$ troll. First MS$ is not proactive in anything they do. Their patch process is only getting better because their competition is better at it and because they get constant complaints, plus their software completely sucks. They would not even bother updating IE if it were not for Fire Fox. I run Linux servers with PHP and (YES) ASP.NET (Mono) and I never have a problem. Never crashes and never requires a reboot even with updates. MS$ is fighting a losing battle. When Apple gets on the Intel bandwagon I will wish MS$ junk the best of luck.

    19. Re:Right by gordo3000 · · Score: 2, Insightful

      or, better yet, you seem to forget that all your reasons are applicable to the other argument in both cases.

      Companies with buggy or poorly written software don't grow large in any of the two cases. Guess what, windows was as good on the desktop as any of its competitors at the time for most people.

      Good code in a closed source company is still highly valued because your future depends on your ability to write good code. Getting fired is a lot worse than having your boss say "well, this hacked code you put together to grab weather data could be written better" and has a much more detrimental effect on your career (because of the value of past recommendations).

      Open source software has no incentive to do any testing. In open source, you release code and hope others are kind enough to test out and search for the hard to find bugs. In open source, you have an incentive to release lower quality code because others can catch and fix your mistakes.

      Saying that hiring someone to fix software is a possible recourse is just idiotic. How much do you think it would cost for me to go get someone to learn firefox to fix a bug in it I don't like? A hell of a lot more than I am willing to pay. Private people don't do this. Small companies almost never do this. Only the big boys can really afford that recourse.

      So it seems open source isn't a holy grail. Worse yet, the more unpopular an open source project is, the worse it will end up being. None of the programmers have any reason to go above and beyond. But in closed source, there is a definite reason, it's called hunger. And it has played out that way many times. It is usually the underdog that quickly innovates and releases a far superior product to earn market share.

      And further, it doesn't matter how much you program for a living, if I give you the firefox code for the first time with a mediocre bug, I guarantee that without previous experience you would take a long time to hunt down this bug. It wouldn't be obvious, as you seem to think it is.

      There are no holy grails in programming. And there aren't any in science either. Only basic science uses the peer review system ubiquitously.

    20. Re:Right by Anonymous Coward · · Score: 0
      The pool is much larger, but at the same time, ten mediocre programmers can't match one good programmer. In fact, adding a few mediocre programmers to a pool of good programmers can actually make things worse.

      There are some very good programmers working in the open source community, but most of them are paid by firms with economic interests in the projects (which ties them to the goals of their employers, not the projects). The good programmers who are volunteering usually end up getting paid programming work, and abandon their volunteer projects, unless that's what they're getting paid to do, of course (which often happens with the most popular projects, though not necessarily with the ones that are technically the best).

    21. Re:Right by Anonymous Coward · · Score: 0
      The vendor has a financial incentive to do as little testing as possible.

      This is completely backwards. Testing is much, much easier and cheaper than handling support calls, bad publicity, issuing patches for bugs in released products, etc. It's just like any other market, where the interaction of supply and demand leads to an equilibrium where producers produce at the level of quality consumers demand.

      The vendor has a financial incentive to issue as few bug fixes and patches as possible.

      You're right about this. The vendor has a financial incentive to get it right with the initial release, in order to minimise the number of patches and bug fixes it issues. If the vendor gets it wrong, it will have to issue fixes/patches, or its customers will go elsewhere.

      At any rate, what is good practice for scientific research is not necessarily good practice for other endeavours. In many cases, market mechanisms are the most important factor driving improvements (which is why, for example, planned economies were ultimately unable to maintain a return on investment competitive with market economies).

    22. Re:Right by FlameSnyper · · Score: 1
      Open source: made by people in their spare time with no monetary incentive to make it work properly
      who _actually use_ the software.
      Closed proprietary software: made by people who's daily bread depends on the quality and popularity of their product
      who may not give a flying whatever about the product.
    23. Re:Right by Anonymous Coward · · Score: 0

      This will come as a shock to you: there are people who do things not for the monetary incentive, but for the joy of doing it; and doing it right.

      If monetary incentive was first and foremost in my life I wouldn't be doing my current job, but one earning 2-5x what I currently earn; and probably for far fewer hours. So why do I do what I do: because I enjoy getting it right!

      Oh, and yes, I have programmed in the past (and still do) - I was the comp dept (including in-house programmer) for a retail company years ago - but the programs I spent most of my time on getting right and developing were the ones I wrote in my spare time for no monetary reward.

      Bang goes your argument.

    24. Re:Right by RWerp · · Score: 1

      who _actually use_ the software.

      And don't give a damn if it doesn't work for people who do not know the Current Magic Trick To Make It Work (believe me, I compiled some Open Source programs and tried in vain to make them work properly, while eying in despair screenshots put on the Web by the happy developers)...

      who may not give a flying whatever about the product.

      Why? because, as I said before, their daily bread depends on the quality and popularity of their product? that's why they don't give a "flying whatever" about it?

      Please note, I'm a fan of Linux and Open Source. But I'm not a fanatic.

      --
      "Long run is a misleading guide to current affairs. In the long run we are all dead." (John Maynard Keynes)
    25. Re:Right by RWerp · · Score: 1

      You know, I'm a PhD student in physics, so I'm also sticking to what I like, not to what would bring me the most money. But the fact that someone likes Open Source enough to program for it, does not mean he will spend boring hours creating detailed documentation (we all know how sparse, incomplete and chaotic the documentation for many Open Source projects is...), polishing the user interface (another neglected issue in Open Source, as pointed out even by Eric Raymond) or taking care that the changes in the program do not spell disaster for users of previous versions. This stuff is boring and unattractive for CS students. The programmer is more likely to care about those "details" if he is paid to do it by the company which has to take care of its customers or get off the market. And please don't point me out the example of Microsoft. There are lots of other companies churning out quality software. I could also give the example of computer games -- the software genre so popular among geeks that it should attract many Open Source developers. Somehow, the Open Source games are, frankly speaking, lousy as compared to proprietary games. Why? Because making a good game takes much more than just coding skills. It takes artistic skills, it takes the patience to create a good plot in the game, it takes some knowledge to design a good game. This is why John Carmack drives a Ferrari.

      No, my argument does not go bang. I was not arguing that writing Open Source is not attractive. I was arguing that in creating *quality* software, money can be and is a powerful incentive, which some advocates of Open Source totally ignore.

      At the same time, I duly acknowledge and express my deep respect to all the people who wrote those wonderful Open Source programs I use in my work and entertainment.

      --
      "Long run is a misleading guide to current affairs. In the long run we are all dead." (John Maynard Keynes)
    26. Re:Right by hesiod · · Score: 1

      > With the complexity of most fortune 5000 companies

      No offense to the OP, but for some reason I don't think www.phydeauxpets.com is a Fortune 5000 company.

  67. This explains why Apple is able to innovate by Anonymous Coward · · Score: 0

    and Microsoft doesn't. I mean .. Apple came up with Expose, which is really cool. Spotlight is really cool .. and Dashboard. True, aside from Expose these weren't super "original" but they sure got it to work nice.

    It's sad but very few corporations foster innovation. I think it has to do with the fact that internally within corporations there is too much back stabbing and politics going on. I don't believe it's inherent in capitalism. Google is able to innovate. Apple is able to innovate.

    Microsoft does have people capable of doing the innovation necessary. For example, a research group developed a cool UI called TaskGallery http://research.microsoft.com/ui/TaskGallery/pages/design.htm

    Quote: "Instead of confusable and hard to learn icons, open documents and running applications are shown as snapshots, small versions of their actual appearance."

    That was back in 1999, yet it was Apple that came out with Expose! And now well M$FT will look really bad copying the idea from Apple.

    LOL.

  68. Re:Testing is only a priority on closed source app by Anonymous Coward · · Score: 0

    Recommended reading available on request.

    Yes please. I'm a product of the american skool system.

  69. The process by tezbobobo · · Score: 1

    Security Flaw is discovered
    Someone else finds Security Flaw
    Flaw is patched

  70. Do you think if Bill Gates... by Your+Average+Joe · · Score: 4, Funny

    got laid in high school, do you think there'd be a Microsoft?

    Of course not.

    You got to spend a long time stuffed in your own locker with your underwear wedged up your ass before you start thinkin "I'm going to take over the world with computers! You'll see, I'll show them."

    --
    Your Average Joe
    1. Re:Do you think if Bill Gates... by medgooroo · · Score: 0

      From my own experience.. nope. I still want to control the world. That'll show them.

      --
      Brain(s): 0.0% user, 1.3% system, 0.1% nice, 98.6% idle
    2. Re:Do you think if Bill Gates... by Anonymous Coward · · Score: 0

      Yea, maybe... but, it shows sound LONG TERM thinking on his part!

      Why? Well:

      "King Billy" (as I respectfully call him) now can have ANY woman he wants...

      (Heck, many of today's women will THROW themselves @ a guy with his coins/dead-presidents, no questions asked!)

      * All I can say is, good for him & the rest of us as well imo!

      APK

      P.S.=> So, let's assume you're ACTUALLY right on this note: He gave up 20 minutes of fun, for a lifetime of it later, & @ levels most of us will NEVER know imo... apk

  71. The Market Cycle by soloport · · Score: 4, Insightful

    Once upon a time, musicians gathered in groups and performed on street corners -- just for fun. Often they'd drop a hat, so passers by could show their appreciation. Sometimes they could put on whole performances, rent space and charge admission. Once in a while, they could play for their king and make real money.

    Then the record industry was born. Now a song could make a musician a steady stream of money, for many years. However, after decades of "success" the public saw through this sham and invented ways of putting the right perspective on the value of music and performance. And the musicians returned to being performers because the former era was over.

    Actually, that's not how the story ends because the rich benefactors of the record industry used their money to create laws to enforce their way.

    Once upon a time, computer programmers gathered in groups to share ideas and collaborate on projects -- just for fun. Often they would solve some incredible problem and get recognition for it. Sometimes they'd get paid hourly to solve a specific problem. Once in a while they'd get real funding.

    Then the software industry was born. Now an application could make a programmer a steady stream of money. However, after decades of "success" the public saw through this sham and invented ways of putting the right perspective on the value of software and applications.

    Actually, that's not how the story ends. It'll be a while before we get to the end.

    I sell lots of open source software. Very little of this software have I written. It's easy for a software-savvy person to download and install OSS applications. It's difficult for the majority of the people on the planet to understand how to download and install any application. That's what I charge for.

    You probably wouldn't believe how many times a week I'm asked to install CSS applications. These are packaged products that should be easy for anyone to install. Yet your average business owner and their entire staff are intimidated by the prospect of having to install any application (OSS or CSS) -- they'd rather visit the dentist.

    Think about it: For CSS applications, the end user often pays twice.

    Can a programmer with 20+ years of experience make good money with OSS? I do.

    1. Re:The Market Cycle by xtracto · · Score: 3, Interesting

      But then again, you are making money by SELLING A SERVICE not by making a program.

      I did not spend my 4 University years learning how to rightly develop computer systems just to go out and be a seller... or a service provider.

      I would have studied Economics or public relations.

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
    2. Re:The Market Cycle by xtracto · · Score: 1

      I would have studied Economics or public relations.

      Can a programmer with 20+ years of experience make good money with OSS? I do.

      What a pity, after your 20+ years of experience in programming what you are doing is being a SELLER... I do not want to end like that I want to DEVELOP SOFTWARE

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
    3. Re:The Market Cycle by telecsan · · Score: 2, Insightful

      There's a fundamental difference between the software industry and the music industry.

      All I'm going to say is that if Britney Spears' latest album automated mowing the yard for me, I just might spend some money on it.

      People spend money on software because the software accomplishes something. (Gaming industry aside, naturally.)

    4. Re:The Market Cycle by Anonymous Coward · · Score: 0

      OK OK OK OK you have a degree. Sheesh... You don't have to keep repeating it. We believe you.

    5. Re:The Market Cycle by xtracto · · Score: 1

      Mod parent funny :)

      Sorry AC but I do not underline it to be pretentious or anything, it is just to try to make people understand that, if they paid (of course, I did not pay as much as someone from the US) to get a CS degree, to learn to develop software (notice the difference between that and mere programming), then why TF would I want to spend the rest of my life as a seller or advocate? or service provider?

      This made me remember what a friend of mine told me about Computer Scientists, or programmers. We as a worker's society failed to protect our market.

      You see, when someone is going to make a house, it does not matter if the one that made the sketches (sorry, as I do not know the exact word for the drawings) was an undergraduate who is really good. Those drawings need to be signed by a certified Architect, who will then ask for a not-so-little sum of money, and the guy who did the work would just get some proportional amount (i.e. not too much).

      Something similar happens with Doctors, and let's not talk about Lawyers, who win no matter whether their service helped you.

      It is something interesting that what we are doing as computer programmers is to develop software in a way that people can use it and not depend on our services (that is, make software as user-friendly as we can).

      Those were just some thoughts... we are in this ship now and we like it (I like to program, as I said in other comments) and we have to sail.

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
    6. Re:The Market Cycle by Phisbut · · Score: 1
      Sorry AC but I do not underline it to be pretentious or anything, it is just to try to make people understand that, if they paid (of course, I did not pay as much as someone from the US) to get a CS degree, to learn to develop software (notice the difference between that and mere programming), then why TF would I want to spend the rest of my life as a seller or advocate? or service provider?

      That is so true. And if everybody became a "service provider", who'd write the new software?

      I also am a programmer, and I develop proprietary software for a living. I also develop OSS, but as a hobby.

      General users don't seem to understand the tremendous amount of work there is behind every piece of software they use. Therefore, they're not half as grateful as they should be towards the programmers. When people see a street performer doing some music on the corner, they can do a direct link between the enjoyment they're having on the moment and that guy over there, so they're more willing to put money in the hat. When it comes to software, they don't see the programmer(s), it just came "from the Internet", and they are already paying for the Internet (paying the ISP that is), so they feel like the downloaded software is part of the deal they got with their ISP, so very few will think about donating to OSS projects.

      As I said, most users (or most people, since just about everybody is a user of some software) just don't know what a programmer does, and they take all their software for granted. It may sound pretentious, but I do wear this T-shirt every now and then to remind people that there are human beings behind every computer program they use every day, that my job is to make their lives somewhat easier, and that they should be grateful for that.

      --
      After 3 days without programming, life becomes meaningless
      - The Tao of Programming
    7. Re:The Market Cycle by horza · · Score: 1

      But then again, you are making money by SELLING A SERVICE not by making a program.

      Unless that service is customising the OSS for a particular business? It's still programming. Written a great bug tracking system? Businesses will pay to have it integrate seamlessly into their corporate intranet or ldap server. Written some call management software? They will want a module that reads callerID to pop up a browser window with the person's contact details when the phone rings.

      You need to get out of the shrink-wrap software mind-set. Every company works differently and has their own special needs. Customising to fit *their* work-flow is where the money is.

      Phillip.

    8. Re:The Market Cycle by soloport · · Score: 1

      But then again, you are making money by SELLING A SERVICE not by making a program.

      As you may not have read my entire post: I am a programmer, of 20+ years. That is what I do for a living. My CPA, Attorney and Doctor make a fine living from me and other clients, who rely on their knowledge. I make a fine, honest living, helping my clients benefit from my knowledge.

      What kind of living are you looking to make? A killing, maybe? An Adobe-sized killing? A Symantec-sized killing? Or a Microsoft-sized killing? Well, then I guess CSS is for you. Just remember that along with great rewards come great risks. You never know when the competition (such as a FOSS project) will yank the rug out from under you. CSS fosters a relationship of hostility (see EULA); FOSS, for me and my clients, has fostered a relationship of trust.

      So, to cite an appropriate movie scene: "Well, good luck with that!" -- SpongeBob

    9. Re:The Market Cycle by jalet · · Score: 1

      > I want to DEVELOP SOFTWARE

      Why waste your time on /. then ???

      You should be DEVELOPING SOFTWARE instead!

      Please just do it, and shut the fuck up.

      --
      Vote green: shit in the ballot box!
    10. Re:The Market Cycle by ziggy_travesty · · Score: 2, Interesting

      1) You completely dodged the parent's point about selling products v. services.

      2) Your "once upon a time" nonsense reads just like any other fairytale in that it is make-believe. The software industry was born when demand was created by the advent of PCs. It had nothing to do with a mythical band of hand-holding programmers. Keep selling your install services and numbing your mind. I'll keep selling software products.

    11. Re:The Market Cycle by Anonymous Coward · · Score: 0

      What exactly are you going to do with the software you develop? Shrink wrap it and store it on a shelf in your mother's garage? At some point you will need to sell it.

    12. Re:The Market Cycle by Anonymous Coward · · Score: 0

      Two fatal flaws in your argument are immediately obvious:

      1) Developing modern software is much more complex than writing or playing/recording a song. Moreover, the lifespan of software is much shorter than that of music, requiring constant development to keep a steady flow of income (that's not even bringing patches, support and so on into it).

      2) Software, in general, is a tool for getting other things done, and not simply a toy to be played with (games would be an exception). The value of software, then, is related to its effectiveness as a tool. When the task it's used for is a value-producing process, the value of the software is directly linked to how much value it adds to the process.

  72. Re:MY XP box is still virus free and still not 'ow by DrSkwid · · Score: 1

    =)

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
  73. Re:Testing is only a priority on closed source app by Toby_Tyke · · Score: 2, Funny

    The fact is that no-one is going to have a critical environment that uses IE

    Really? That's great news! I'll just go and tell my boss that none of our web based apps are "mission critical". He'll be thrilled that we don't have to worry about them anymore.

    --
    "I realise this is not a very popular opinion but it's the truth, and therefore needs to be said" -Bill Hicks
  74. Re:Testing is only a priority on closed source app by TheRaven64 · · Score: 1
    Your view of software seems very limited. The vast majority of software sold is not off-the-shelf, it is bespoke - either written from scratch or modified for the recipient. In this case it is very easy to make money from OSS. You sell it once, because it is designed for one use. The company you sell it to may decide to release it, or they may not. The point is that they have the freedom to do whatever they want with it.

    Free Software is about giving your customers the freedom to do what they want with the code you have written - giving away code for free is not required.

    --
    I am TheRaven on Soylent News
  75. code != bloat by tomstdenis · · Score: 2, Insightful

    This is why concise, clear and well documented modular programming is a winner. Even Firefox suffers this. It's a huge mess of code that a handful of people could even be bothered to read...

    In Microsoft's case everything has to be implemented upon layers of undocumented C++ classes which the average Microsoft employee [let alone third-party developer] can't decode.

    Tom

    --
    Someday, I'll have a real sig.
  76. Re:MY XP box is still virus free and still not 'ow by Anonymous Coward · · Score: 0

    I realize you are trolling but I ran XP Home for the past 7 months with a cable modem connection, downloading porn and warez, cracks, and never got owned. I also am not an idiot and installed ZoneAlarm, Ad-Aware, and MS AntiSpyware as well as virus scans with a warezed version of NAV 2005.

    People who get owned are usually idiots.

  77. "... closely tied to the operating system ..." by Anonymous Coward · · Score: 0
    From the article:
    Toulouse said the quality assurance process has become "very, very complex," especially for products that are closely tied to the operating system.

    So, M$ knows that you get a complex QA process (and therefore worse quality) if your products "are closely tied to the OS".

    If they are so concerned about security, why don't they try to create components that are less closely tied to the OS?
  78. Grey hats?!? WTF by thomasj · · Score: 2, Interesting

    Some people submit a vulnerability report to the brick wall called Microsoft Support. Then after 6 months they release a security update. And now they call the submitters "Grey hats"? What do they call themselves? The "Pink hats"?

    --
    :-) = I am happy
    :^) = I am happy with my big nose
    C:\> = I am happy with my OS
    1. Re:Grey hats?!? WTF by Keeper · · Score: 1

      They are properly using terminology.

      White hat - someone who hacks machines with non-malicious intent; they report the problems and do no harm. Ie: the good guys.

      Black hat - someone who hacks machines with malicious intent. Ie: the bad guys.

      Grey hat - someone in between a white hat and a black hat. In this case, the hackers are acting as a white hat, as they are reporting the problem. But they're also acting as a black hat by publishing the vulnerability.

  79. Re:Testing is only a priority on closed source app by Lennie · · Score: 1

    > So what's different about that compared to the
    > pre-release testers employed by Microsoft?

    The OSS groups are open, thus if I really want the fix, I can download and inspect it myself.

    --
    New things are always on the horizon
  80. Re:Testing is only a priority on closed source app by Tony+Hoyle · · Score: 1

    That's not really true in general.

    There are 3 types of users... those that just use the app and, if something doesn't work, go and use something else - these are the majority and you never get feedback from them.

    Then there's the ones that are helpful and feed back problems. It's good to build up a core of them.. they're a scarce resource. If you want a subset of those who actually send patches.. well I've had 5 patches since January, from approx. 250,000 downloads.

    Then there are the ones who demand a fix *now* and get really pissy that the app they downloaded for free doesn't do exactly what they want it to do (bonus points for those who have deployed in a mission critical app without testing first). There probably aren't more of those than in the second group but they take up a disproportionate amount of time.

    I usually reckon for every bug report I hear about maybe 100 people have tried it and not bothered to report it (the ratio is probably much higher). It's kind of annoying when someone finds something 2 months after a release and 50 people add to the thread saying they had the same bug and were waiting for a fix...

  81. Re:Testing is only a priority on closed source app by xtracto · · Score: 1

    Yep, but usually the companies that ask you to make some software ask you for ALL the rights of it.

    And, what about selling a company the software and giving them the GPL (something YOU have to do if you are using the GPL, as it states that the software must come with its license)?

    I wonder what they would say when they discover that the software they are buying at $5000 can be downloaded from sf.net

    Or even worse, that their competitors can get it also for free.

    --
    Ubuntu is an African word meaning 'I can't configure Debian'
  82. pretty interesting look at nothing by necromcr · · Score: 0

    It's Microsoft, where are the pictures of happy people smiling at their PC screens???

    --
    No more I say.
  83. Re:Testing is only a priority on closed source app by CastrTroy · · Score: 1

    I think this is the power of Open Source software. Bug fixes, little feature enhancements, and all the other little fixes that should be there can get made. With closed source software, you never really know when you're going to get a fix to a certain problem. Think about VS .Net not playing nice with SVN, because it dislikes filenames starting with a ".". In the open source world, this bug would be fixed in days and everybody would have access to the fix. With Microsoft, it's a wonder when, if ever it will be fixed.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  84. Hopelessly intermingled by QuietLagoon · · Score: 1
    Let me summarize what the MS people in the article said.

    Our software is so hopelessly intermingled due to the manner in which we tried to get around the anti-trust laws, that simple updates take far longer than they should.

  85. Favorite quote from TFA by Anonymous Coward · · Score: 0
    It's not easy to test an IE update.

    You mean it's been updated? Oh, those are "features", not bugs!

  86. Re:MY XP box is still virus free and still not 'ow by necromcr · · Score: 0

    Running on 1200bps are we? I agree, no netbeui will penetrate that :)

    --
    No more I say.
  87. Re:Testing is only a priority on closed source app by AnObfuscator · · Score: 2, Informative
    And, what about selling a company the software and giving them the GPL (something YOU have to do if you are using the GPL as it states that the software must come with its license). I wonder what they would say when they discover that the software they are buying at $5000 can be downloaded from sf.net

    Um, the GPL doesn't say that you have to give your code free to everyone on the planet.
    It says that you have to give your code free to anyone you sell the binary to... *if* the person asks for the code.

    so a company using internal GPL'd code does NOT mean that their code will be available to their competitors, unless they sell their product to their competitors.

    --
    multifariam.net -- yet another nerd blog
  88. Re:Testing is only a priority on closed source app by Anonymous Coward · · Score: 0

    The OSS groups are open, thus if I really want the fix, I can download and inspect it myself.

    And you're deeply immersed in *all* the codebases you run enough to understand what's going on?

    I don't see a "Lennie" on the GCC submitters list. So you don't update your GCC?

  89. It is SO TEMPTING... by Anonymous Coward · · Score: 0

    to mod you flame-bait.

    But I won't.

  90. Re:Testing is only a priority on closed source app by ummit · · Score: 1
    Which is basically a fancy way of saying you're going to treat your user base as guinea pigs...

    Granted, the notion that you might release a patch without much testing is a heretical one.

    But here's another heretical notion: Some changes (to some systems) require less testing than others.

    A small, isolated patch to a well-controlled system should not require an exhaustive, time-consuming, complete test pass. If you have found that every change does require an exhaustive test pass (because of the number of times you've been burned by seemingly unrelated new bugs cropping up as a result of a seemingly innocuous patch), this is a symptom that your project is not well-controlled.

    There's also the point that when a patch is to fix a critical security hole for which exploits may already be circulating, users may actively want to deploy that patch ASAP, even if there's some risk of a newly-introduced bug -- a BSOD is not nearly as bad as being 0wned.

  91. And the understatement of the year goes to... by tzuriel · · Score: 1

    "A few weeks later, the Blaster worm ripped through the Internet and Microsoft released MS03-039 with an admission that additional ports involving RPC remained unpatched. That was an experience that taught us a valuable lesson. It's better if we find it before the bad guys figure it out," he said. - MSRC program manager Stephen Toulouse.

  92. Hard to take at face value by MECC · · Score: 1

    It's hard to believe anything MS says about how thorough its security efforts are, given their 20-year ongoing failure. It really looks as though the continuing security stumbling is an outgrowth of the convenience-over-security+appearances-over-quality philosophy that steers their product development efforts. This seems to be a corporate culture phenomenon, and probably won't ever change, no matter how often they claim it has or will. Kind of like an alcoholic, claiming to be on the wagon while still hanging out with drinking buddies.

    Just look at Patch Tuesday. Rather than release a patch when it's ready, they wait so it will be easier for customers. Nice and predictable, in a world where security problems are anything but. It has nothing to do with waiting to test thoroughly, it has everything to do with appearances. They won't really improve their continuing security debacle until their OS monopoly is effectively broken, and they have to actually put up or shut up.

    --
    "We are all geniuses when we dream"
    - E.M. Cioran
  93. Re:And this is why inux is liable to remain Geek-o by TrappedByMyself · · Score: 1

    It's like making the most dismal part of software even worse. Software development processes suck and produce buggy software. The fix to this problem is not to do even less testing and make the end user fix it. It's like GM sending you a catalog of repair equipment instead of recall notices.

    User review of code in OSS is a great idea, but it doesn't replace the need for a solid process to happen before the code is released. You can't cross your fingers and hope your end users fix your stuff. Cause what if they don't?

    --

    Help me take back Slashdot. When did 'News for Nerds' become 'FUD and Conspiracy Theories for Extremist Nutjobs'?
  94. Summary by 823723423 · · Score: 1

    [1] "We're on all the [security mailing] lists, just like you are, and we investigate everything, even if it's a post about a simple weird behavior in a product," said MSRC program manager Stephen Toulouse. [2] Even though Microsoft has recruited external patch testers as part of a formalized Security Update Validation Program, Toulouse said the quality assurance process has become "very, very complex," especially for products that are closely tied to the operating system.

  95. Re:Testing is only a priority on closed source app by Anonymous Coward · · Score: 0

    Who the hell modded this funny?..

  96. 'Quality' patches by halber_mensch · · Score: 2, Insightful
    From TFA:
    "In theory, we can release an update with a patch very quickly, but that's a big mistake. One of the things customers demand is quality patches. They don't want to deal with faulty patches that break their applications and they don't want to deal with all the associated trouble"

    He's close, but not spot on; customers demand quality software, but are forced to deal with faulty programming and broken applications. Customers wait for 'quality' patches, and deal with the associated trouble of a system that's broken-in-the-meantime. But hey, we've got fade-out windows and drop shadows, and some really neat animated assistants, so I really shouldn't complain?

    --
    perl -e "eval pack(q{H*},join q{},qw{70 72696e74207061636b28717b482a7d2c717b343 637323635363534323533343430617d293b})"
  97. Re:Testing is only a priority on closed source app by RoadkillBunny · · Score: 1

    You have a choice. Every new patch doesn't mean a new release so normal users will run stable code. But then there are a few that like to live on the edge and download the CVS version, which contains a patch. You would be surprised how many people do that.

    --
    Cheers,
    RoadkillBunny
  98. Re:Testing is only a priority on closed source app by Anonymous Coward · · Score: 0

    Or to someone who gives it to the competitors.

  99. Doing just fine on WfW 3.11 by Anonymous Coward · · Score: 0

    Even Windows for Workgroups 3.11 can be set up for broadband. As for dialup, it's just as capable of getting 56k as XP.

  100. What about Firefox's patch process? by EraserMouseMan · · Score: 1

    Does anybody have a link to an article about the process that Firefox uses? I'd be interested to compare the two.

  101. MOD PARENT UP by kurokaze · · Score: 1

    This is actually insightful, and unlike the rest of /., isn't bashing MS like it's going out of style.

  102. Re:Testing is only a priority on closed source app by amliebsch · · Score: 1
    so a company using internal GPL'd code does NOT mean that their code will be available to their competitors, unless they sell their product to their competitors.

    But it does mean that any products they develop that incorporate your tool must be GPL'ed. And they generally take a dim view of giving products away for free.

    --
    If you don't know where you are going, you will wind up somewhere else.
  103. Re:And this is why inux is liable to remain Geek-o by McGiraf · · Score: 1

    Use a distribution, they will test for you while you use your computer for the things you want to do.

    Sheesh, I am a programmer and I rarely compile/patch a program I want to use, I just install it and use it.

  104. Obligatory Dilbert quote by goombah99 · · Score: 3, Funny

    Dilbert: As part of your ISO 9000 certification do you have a defined patching process and what is it?

    Elbonian Balmer: We hold a village meeting where we boast of skill and curse the devil-spawned end user.

    Elbonian Gates: Sometimes we Juggle.

    Elbonian Balmer: Then at the last second we slam out some code and go roller skating.

    What always cracked me up about that joke is that it is a defined process and therefore meets the requirements of ISO 9000 certification.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  105. Some causes of recent problems with MS patches by Anonymous Coward · · Score: 0

    I have several friends who used to do technical support for Microsoft, and according to them many of the recent patch problems are caused by the following things:

    1. Microsoft and its outsourcing companies have started to 'offshore' many of the patch creation and testing jobs to India (and possibly other overseas countries). Now don't get me wrong, I'm sure they have some great programmers in India writing excellent code (I've met some amazing programmers here in the US that came from India), but what quality code can you expect from someone making something like $3.00 an hour (or less!) and being pressured under deadlines?

    2. Since many of these jobs have been outsourced or offshored to another country, the staff actually at Microsoft doing patch creation and review has been reduced severely (possibly as much as 1/3 or 1/2 of the jobs since remain here). There are too many patches, too much code, and too much testing for the small number of people left actually at Microsoft to handle.

    I'm not saying the previously released patches from Microsoft were anywhere near flawless, but I think there has been a large increase lately (in the past 1-2 years) in faulty patches and then secondary patches to correct problems caused by the first patch. The problem seems to also come from Microsoft's move to patch security holes as quickly as possible at the cost of breaking something or breaking third-party software (due to not enough testing), even if that something is major and breaks the whole OS. They are in the mind-set that security patches come first and that they can then go back and use feedback from users to correct bugs in the security patches released to fix security bugs.

    By the way, my friends also lost their technical support jobs when their jobs were offshored to India. Sounds like the whole support aspect of the Windows OS is moving overseas.

  106. Re:Testing is only a priority on closed source app by kurokaze · · Score: 1
    With open-source anybody is free to provide this service. If the author only has the time/motivation to do barely-tested releases, why reject his code? Someone else with the desire can do testing and make releases to a wider audience that are more stable, and users can choose between the two options (or more). These can even form without any direct arrangement between the various parties.

    Here's a question. What's stopping a malicious hacker from taking a half-ass tested patch and inserting a payload into it and then publishing it as "stable & tested"?? How do you know it's good when you can get patches from untrusted/unknown sources or someone's personal page?

    How many of you actually check that the patch is good before blindly applying it?
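
    One defender's answer to the question above, as an added example that is not code from this thread or from Microsoft's process: before applying a patch fetched from an unknown mirror, check its digest against the one the maintainer published and confirm it touches only the files the maintainer announced. The patch text, the announced digest and the announced file list are all constructed here.

```python
"""Check a patch from a mirror or a personal page against what its publisher
announced, before applying it.  Added example, not code from the thread or
from Microsoft's process; the patch text, the announced digest and the
announced file list are all constructed here."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class VerifyResult:
    digest_ok: bool                                        # bytes match the published digest
    unexpected_files: list = field(default_factory=list)   # touched paths nobody announced

    @property
    def ok(self) -> bool:
        return self.digest_ok and not self.unexpected_files


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def touched_files(patch_text: str) -> list:
    """Paths a unified diff writes to: each '+++ ' header that directly follows
    a '--- ' header.  Deleted files appear as '/dev/null' and are returned
    as such, so they are never silently accepted."""
    lines = patch_text.splitlines()
    files = []
    for prev, cur in zip(lines, lines[1:]):
        if prev.startswith("--- ") and cur.startswith("+++ "):
            path = cur[4:].split("\t")[0].strip()
            files.append(path[2:] if path.startswith("b/") else path)
    return files


def verify_patch(patch: bytes, announced_sha256: str, announced_files) -> VerifyResult:
    """Accept the patch only if its digest matches what the publisher posted
    AND it touches nothing outside the announced file list.  The digest catches
    byte-level tampering; the file check still fires when a republisher
    modifies the patch and posts a fresh digest of their own."""
    text = patch.decode("utf-8", errors="replace")
    unexpected = sorted(set(touched_files(text)) - set(announced_files))
    return VerifyResult(sha256_hex(patch) == announced_sha256.lower(), unexpected)


# Constructed sample: a one-hunk fix the maintainer announced as touching only
# src/parse.c.  The digest is computed here so the example runs offline; in
# practice it comes over a channel you already trust (signed announcement).
GOOD_PATCH = b"""\
--- a/src/parse.c
+++ b/src/parse.c
@@ -10,7 +10,7 @@
-    gets(buf);
+    if (!fgets(buf, sizeof buf, stdin)) return -1;
"""
ANNOUNCED_SHA256 = sha256_hex(GOOD_PATCH)
ANNOUNCED_FILES = ["src/parse.c"]

# The same fix as re-hosted by an unknown party, with an extra file appended
# that the maintainer never mentioned (constructed).
TAMPERED_PATCH = GOOD_PATCH + b"""\
--- /dev/null
+++ b/tools/extra.sh
@@ -0,0 +1 @@
+# not part of the announced fix
"""

if __name__ == "__main__":
    for label, data in (("announced", GOOD_PATCH), ("re-hosted", TAMPERED_PATCH)):
        r = verify_patch(data, ANNOUNCED_SHA256, ANNOUNCED_FILES)
        print(f"{label}: digest_ok={r.digest_ok} unexpected={r.unexpected_files} apply={r.ok}")
```
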
  107. Open source leads to accountability by SirCrashALot · · Score: 4, Informative

    Maybe you can't but others certainly can, and if you are so inclined, you can learn.
    Also the fact that code is open makes the authors more careful, I would think. If I am going to publish code with my name on it, I would hope it doesn't suck.
    Closed source could have terrible code style and use all sorts of hacks, and no one would know. Or it could be perfectly written using Hungarian notation. With OSS, if you have bad code, people who can read it, will, and tell others.
    Besides, if you want, just do a search for printf and gets in the code -- you might find some bugs w/o having to write a thing.
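
    The "search for printf and gets" audit the post suggests, as an added example that is not the poster's code: it reports every gets() call and every printf-family call whose format argument is not a string literal. The C sample it scans is constructed.

```python
"""Flag the two patterns the post above suggests grepping for in C source:
any call to gets(), and printf-family calls whose format argument is not a
string literal.  Added example, not code from the thread; the C sample it
scans is constructed here."""
import re

# Functions of interest and the position of their format argument
# (gets has none; every call to it is reported).
FMT_ARG_INDEX = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1}
CALL = re.compile(r"\b(gets|printf|fprintf|sprintf|snprintf|syslog)\s*\(")


def split_args(src: str, open_paren: int):
    """Split the argument list of the call whose '(' is at src[open_paren].
    Tracks nesting and string literals so commas inside them do not split.
    Returns (args, index_of_closing_paren) or None if unbalanced."""
    depth, in_str, cur, args = 0, False, [], []
    i = open_paren
    while i < len(src):
        c = src[i]
        if in_str:
            cur.append(c)
            if c == "\\" and i + 1 < len(src):   # keep escaped char with its backslash
                i += 1
                cur.append(src[i])
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            cur.append(c)
        elif c == "(":
            depth += 1
            if depth > 1:
                cur.append(c)
        elif c == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args, i
            cur.append(c)
        elif c == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    return None


def scan_c_source(src: str) -> list:
    """Return (line, kind, call_text) for every suspicious call, in order."""
    findings = []
    for m in CALL.finditer(src):
        name = m.group(1)
        parsed = split_args(src, m.end() - 1)
        if parsed is None:
            continue
        args, close = parsed
        line = src.count("\n", 0, m.start()) + 1
        call_text = src[m.start():close + 1]
        if name == "gets":
            findings.append((line, "gets", call_text))
        else:
            idx = FMT_ARG_INDEX[name]
            if idx < len(args) and not args[idx].startswith('"'):
                findings.append((line, "nonliteral-format", call_text))
    return findings


# Constructed C sample mixing risky and fine calls.
SAMPLE_C = """\
#include <stdio.h>
void greet(const char *name, char *line) {
    gets(line);                          /* unbounded read */
    printf(name);                        /* caller controls the format */
    printf("hello %s", name);            /* literal format: fine */
    fprintf(stderr, "%s", line);         /* literal in position 1: fine */
    snprintf(line, 64, name);            /* format is a variable */
    fgets(line, 64, stdin);              /* bounded alternative, not flagged */
}
"""

if __name__ == "__main__":
    for line, kind, call in scan_c_source(SAMPLE_C):
        print(f"line {line}: {kind}: {call}")
```
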

    1. Re:Open source leads to accountability by rbarreira · · Score: 1

      Please enlighten us with a few examples from famous OSS programs, Mr. Troll.

      --

      The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
    2. Re:Open source leads to accountability by Anonymous Coward · · Score: 0
      Well, "closed source" doesn't mean there aren't competent people outside the producing firm who are allowed to read the code. E.g. the MS Windows code is available to a lot of governments, universities, large corporations and even (from what I hear) individuals selected by Microsoft as 'MVPs'.

      More importantly, if open- or closed-source software has problems with functionality or security, you can be certain people will complain about it (publicly, as well as to the producing firm). If the "hacks" or "poor coding style" you're afraid of don't cause any problems for end users, either in terms of functionality or security, I'd say they're not really important.

  108. Re:Testing is only a priority on closed source app by Anonymous Coward · · Score: 0

    Why?

    Closed source application authors don't sell them either. Usually they work for the people who sell the programs. At least all the ones I do.

    You know, writing code and selling it are completely different matters, that require a completely different set of skills and that usually can't be done at the same time.

  109. Re:Testing is only a priority on closed source app by Proteus · · Score: 2, Insightful

    sigh. Why is it that when people can't figure out how something is done, they simply say "it CAN NOT be done"?

    Firstly, let's get something clear: hardly anyone makes money simply selling software. A perfect example is databases -- for all but the high-end database projects, a free database works just as well (sometimes better) than a commercial, closed-source DB. Yet, people still buy MS-SQL server, and Oracle, and the like for even small projects. Why? They are buying the support of MS and Oracle: not just the telephone support but the "this large company has vetted my software" support. They are buying trust and service.

    Now that that's clear, let me explain that I make money by selling OSS solutions, and that RedHat and Novell make money from my work. I contract as an OSS developer/integrator. I sell my development ability and support. But, my clients buy Linux from Novell or RedHat; they are getting support from me, so why would they buy these OS, when they can be had for free?

    The answer is simple: people (and to a greater extent, corporations) see value in something they've paid for. If something happens to me, they know someone will stand behind the product. They know that someone they've paid is working on security patches and improvements. And, ultimately, they know the product is less likely to be abandoned.

    So, when my clients buy Linux from RedHat, they are buying exactly the same thing as when they buy Windows from Microsoft: trust. Trust that the software has some degree of quality, trust that it will be patched and maintained, and trust that it will continue to be available. With OSS, however, they get the bonus of knowing that migration to another vendor will be relatively painless because the vendors of OSS software have access to each other's code.

    It is possible to make money with OSS, but it is a lot harder to start your own OSS business. People don't like buying software (closed *or* open) from one-person organizations.

    --
    We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
  110. Re:Testing is only a priority on closed source app by Bob+4knee · · Score: 1

    And this is different from what M$ really does? (I did RTFA but the BS-O-meter pegged several times in the process. M$ users pay to Beta test both the software and the patches).

  111. how they really make security updates by themuffinking · · Score: 1

    10 monkeys, one keyboard, five minutes.

    lather, rinse, repeat.

    1. Re:how they really make security updates by Anonymous Coward · · Score: 0

      No, you're confused. You are actually describing how 99% of all Slashdot posts are made...

  112. I don't understand this line of reasoning by freeweed · · Score: 1

    Although theoretically it is possible to sell OSS, it is not profitable.

    Why would someone want to buy something he can download for free somewhere else, if people tend to "download for free" something that they CAN NOT (by law) use for free??

    You could always sell your software (like regular closed source shops), and provide your source to your customers only (which is all the GPL requires). I could see an OSS license emerging that basically states "you get the source, but you can't re-distribute our software" - no different than closed source, except the customer has the added benefit of the source code. Handy if a customer is willing/capable of tinkering with it themselves.

    Oh, as for your other concern: don't worry the slightest bit about it. Well under 10% of software developers actually work on closed source, sellable software. The overwhelming majority of us develop in-house stuff, and open/closed source isn't an issue.

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  113. your "security flaw" is ridiculous... by Anonymous Coward · · Score: 0

    Honestly, if you reported this to me, I'd blow you off too. Even academics admit it is virtually impossible to eliminate side channels. No UNIX does it, and Windows doesn't either. And it doesn't take hyperthreading to communicate info across tasks. As soon as the first OS failed to flush the cache across context switches, this type of window opened.

    Any local root exploit will provide more capability to steal info from other processes anyway. And there are many, many of those in Windows and Linux too. EVERY ONE of those would take priority over this problem, which means this issue will probably never rise to the top.

    So your research, IMHO, got at least as much attention as it deserved from Microsoft.

  114. Flamebait? Not hardly. by Anonymous Coward · · Score: 0
    Flame-baiting would be saying something like: Haven't they always boosted their value via PR and under-delivered? Or: Doesn't Microsoft lie like sacks enough for you to notice?

    One man's flamebait is another man's informative.

  115. Re:Testing is only a priority on closed source app by Spy+der+Mann · · Score: 1

    who's going to want to install it?

    People who, for example, compile Linux builds on a weekly basis to test for bugs. It's always been this way in the Open Source world.

    "Oh look, a new patch for WinXP! Let me update my CVS repository..."
    "Alright, now it's just time to compile the DLL."
    (5 minutes later)
    "Okay, now let's make the winxp installer patch"
    (5 minutes later)
    Reboot.

    Yeah it's a pipe dream, I know... :(

  116. It's called "small businesses don't have an IT.." by d_jedi · · Score: 1

    department for testing
    (damn restricted length subjects).

    Even just for home use, Firefox is a huge pain in the ass to update compared to IE.. so much so, that I'm still running 1.0 or 1.01 on most of the machines I use.

    It seems like they do very little/no testing that updates to FF won't break things..

    --
    I am the maverick of Slashdot
  117. Re:Testing is only a priority on closed source app by shmlco · · Score: 1
    A small, isolated patch to a well-controlled system should not require an exhaustive, time-consuming, complete test pass...

    It should not, no. But unless you're omniscient and can see EVERY possible ramification of your change, especially in a large code base, it should.

    And since most of us aren't all-seeing, how hard is it to rerun your unit tests?

    No unit tests? Probably not a well-controlled system then, is it?

    --
    Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
  118. Specifics. by khasim · · Score: 1

    What are the specific problems you have with FireFox updates?

    The only ones I've seen are that (on Windows) it doesn't clean out the old entry in the add/remove listing so you end up with listings for it from 0.8 up to 1.0.4. But that doesn't cause anything to break.

    They also don't release "patches" to a version. You get the whole new version and it does a complete install. But that doesn't cause anything to break.

    I'm still looking for the specific problems that people are having with FireFox but all I'm getting are generalities about how it "broke" or it isn't as good as IE.

    1. Re:Specifics. by d_jedi · · Score: 1

      A few specific problems:
      1) Some extensions don't work (I've since forgotten which ones)
      2) When I start up the app, sometimes the "update" icon is right next to the "help" menu item (not where it should be).. and the app is completely frozen. Only restarting FF fixes this (and it sometimes does not)

      The fact that they don't release patches (critical security updates, at least!) is a major downfall for FF. Updating IE is significantly easier (wtf does a FF update want to change my default settings? And ask me where I want to install?), and in my experience, does not cause any problems.

      That said, I am using FF, for two reasons:
      1) Ad blocking - there is no similar feature for IE. I've even banished the text ads on gmail!
      2) FF is not targeted nearly as much for spyware (that's not to say it's "more secure", from an objective standpoint).

      but I may very well jump ship when IE7 comes along.

      --
      I am the maverick of Slashdot
    2. Re:Specifics. by DogDude · · Score: 1

      If I knew *specifically* what was wrong, I'd fix it, assuming the fix was worth the effort. We're a small retail business, and a web browser isn't critical to what we do, so in my estimate, it wasn't worth the time to even research the problem. Been using it for a while. The app did the little update indicator, we updated, it never launched again. Just hung. Again, open source doesn't help me at all. If it's broken, I'm not even going to look into it, never mind try plumbing around in source code. That's just insane. If a program can't install and launch in this day and age, it's not worth my time. So no, I don't care what the specifics are, any more than I'd try to troubleshoot a $5 alarm clock I bought at Wal-Mart.

      Now if it were an *important* piece of software, like our point of sale system, even then, I wouldn't bother looking at the code. I'll call the company up and tell them to get me a fix. Fast. Much, much, much more time(and cost) efficient. (And yes, it happens on occasion, and the fix is always much, much, much easier then me (the owner) learning Java, or hiring a Java coder to look at the guts of the program).

      --
      I don't respond to AC's.
    3. Re:Specifics. by FCKGW · · Score: 1

      It sounds like an extension or theme that didn't support the new release broke Firefox. It's happened to me before. To fix it, start Firefox in safe mode and disable extensions and/or change back to the default theme until it starts again in normal mode.

      Personally, I think that the way Firefox extensions and themes are tied to a specific revision is ridiculous. The way the browser interacts with addons shouldn't change with every little revision. On Linux in particular, plugins like Java are broken with each upgrade. Also, there needs to be some sort of easy, clean upgrade/patch mechanism, rather than simply installing the latest version on top of the previous one. I completely understand why you were turned off by Firefox and went back to IE.

      However, I still use Firefox as my main browser in Windows and Linux, with Opera as a secondary browser. To each his/her own.

      --
      It's an operating system, not a religion.
  119. Is this a deliberate troll? by sirReal.83. · · Score: 1

    Apparently you've never heard of a Linux distribution. Among other things, they QA shit. Maybe drop your LFS install and get a real distro?

  120. fantastic formatting on my part by sirReal.83. · · Score: 1

    sorry, I'm still waiting for my coffee to be done :(

  121. Windows isn't a failure. by Socket790 · · Score: 1

    Because we all know that failures make tons of money. Just look at Paris Hilton. /Just because you have issues with something doesn't make it a failure.

  122. your logic is bullshit. by spacepimp · · Score: 2, Interesting

    I think you are responding more with anger than with logic. Firstly, whoever did your deployment of Firefox should have tested it before he went to every single machine and deployed the update; this is called quality control/damage control. Secondly, it is very easy to remove Firefox and install whichever version you need.

    From what I gathered in your statement, you are claiming you have never had any downtime or senseless tech cycles put towards removing spyware or malware on any of your computers. I do tech support as a consultant for about 20 small businesses. This is by far the most common phone call I receive: "my computer is broken, I can't get past these pop-up ads, Internet Explorer keeps crashing, it's really slow and I can't get my work done." Now there are some malwares and spywares you can't get rid of; I've reimaged machines after several hours of attempting to remove some of the newer variants.

    Now let me ask you: where did you save the time and money? Was it from the extended hours of Firefox in a deployment cycle (seriously, this should take moments to install and uninstall)? If you think I am exaggerating, call Dell or any other computer support company and ask them the number one call they receive. It isn't that Firefox isn't working, it's their entire OS, to which they respond "put in your restore disk," so they can keep a profit margin.

    I'm not a fanboy, but I do see the weakness behind Internet Explorer, and the fact that Microsoft didn't update a thing until they lost ground to Firefox (i.e. they had to protect their name). Seriously, redo your math and figure out where your costs lie. If you think the only response is hiring a Unix/Firefox coder to analyze and fix Firefox code, then your techs are incapable or just plain idiotic, or you should cease doing your own tech 'cos you are doing more damage than good. But I suppose you just pass the costs along to your customers, as is the American way.

  123. Re:Testing is only a priority on closed source app by noidentity · · Score: 1

    Here's a question. What's stopping a malicious hacker from taking a half-assed tested patch and inserting a payload into it and then publishing it as "stable & tested"? How do you know it's good when you can get patches from untrusted/unknown sources or someone's personal page?

    Uhhh... don't use untrusted sources? Trust sources only after they demonstrate integrity? Replace malicious with ill-tested, buggy and the same applies.
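    The post above turns on what "trusted source" means in practice: a patch is only as trustworthy as the integrity check that ties it to its publisher. The following is an added example, not code from the thread or from any project mentioned in it. It models a publisher's release manifest (SHA-256 of every patch file) and a consumer that refuses any patch whose hash is absent from, or differs from, the authentic manifest. The manifest authentication is modelled with an HMAC under a constructed key so the block runs offline; a real release process would use a public-key signature over the manifest instead. File names, patch contents and the key are all constructed sample values.

```python
"""Verify downloaded patch files against an authenticated release manifest.

Added example (not from the thread). A real publisher would sign the
manifest with a release key; an HMAC stands in for that signature here so
the block runs offline with the standard library only.
"""
import hashlib
import hmac

# Constructed sample values: a release key the publisher holds and one
# legitimate patch file as the publisher shipped it.
RELEASE_KEY = b"constructed-release-key-not-a-real-secret"
PATCHES = {
    "fix-1234.diff": (
        b"--- a/net.c\n+++ b/net.c\n@@ -1 +1 @@\n"
        b"-int retries = 0;\n+int retries = 3;\n"
    ),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, key: bytes) -> tuple:
    """Publisher side: list every file's SHA-256, then authenticate the list."""
    body = "".join(
        f"{sha256_hex(data)}  {name}\n" for name, data in sorted(files.items())
    )
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body, tag


def parse_manifest(body: str) -> dict:
    """Map file name -> expected hex digest; lines are '<digest>  <name>'."""
    expected = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        digest, name = line.split("  ", 1)
        expected[name] = digest
    return expected


def verify_patch(name: str, data: bytes, manifest_body: str,
                 manifest_tag: str, key: bytes) -> bool:
    """Consumer side: accept a patch only if the manifest is authentic AND
    the file's hash matches the manifest entry. Each failure is a distinct
    reason a patch from an unknown page should not be applied."""
    want_tag = hmac.new(key, manifest_body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want_tag, manifest_tag):
        return False  # manifest was altered or not issued by the publisher
    expected = parse_manifest(manifest_body)
    if name not in expected:
        return False  # file is not part of this release at all
    # constant-time compare avoids leaking how many digest chars matched
    return hmac.compare_digest(expected[name], sha256_hex(data))


def demo() -> dict:
    """Run the three cases the post worries about; returns outcome per case."""
    body, tag = build_manifest(PATCHES, RELEASE_KEY)
    genuine = PATCHES["fix-1234.diff"]
    # "inserting a payload into it": an extra line appended to the patch
    tampered = genuine + b"+extra line not in the published patch\n"
    # a forged manifest that lists the tampered hash but lacks the real key
    forged_body = f"{sha256_hex(tampered)}  fix-1234.diff\n"
    forged_tag = hmac.new(b"attacker-key", forged_body.encode(),
                          hashlib.sha256).hexdigest()
    return {
        "genuine_ok": verify_patch("fix-1234.diff", genuine, body, tag, RELEASE_KEY),
        "tampered_rejected": not verify_patch("fix-1234.diff", tampered, body, tag, RELEASE_KEY),
        "unknown_file_rejected": not verify_patch("other.diff", genuine, body, tag, RELEASE_KEY),
        "forged_manifest_rejected": not verify_patch("fix-1234.diff", tampered,
                                                     forged_body, forged_tag, RELEASE_KEY),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'pass' if ok else 'FAIL'}")
```

    The point the check makes concrete: a hash alone proves nothing if the attacker also controls the page the hash is published on (the forged-manifest case), so the manifest has to be authenticated with a key the consumer obtained independently of the download. That is what "trust sources only after they demonstrate integrity" amounts to in code.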

  124. Re:It's called "small businesses don't have an IT. by Anonymous Coward · · Score: 0

    You're an idiot.

  125. You spoke too soon by Dancin_Santa · · Score: 1

    Looks like Sarge has got some problems.

    Which goes to my original point. Regardless of the amount of testing that goes into your project, at some point you're going to have to release to the real world and all that QA work that you thought you did turns out to be insufficient.

    Better to have released early and often and let the real testers (your users) find the bugs. Sarge is hardly the state of the art, but it took so long to finally get released. How is the old buggy release any better than Redhat's up to date buggy release?

  126. Re:Testing is only a priority on closed source app by Xatter · · Score: 1

    I constantly hear people say all the ways you CAN make money doing OSS. The fact is, I have not heard these things from a single person actually DOING them. It's like hearing fat people talk about how you should diet. While there's something to the ideology that they would know more than someone who has never had to worry about their weight... you're still not going to take them seriously. Companies most certainly do buy software from single-person companies called Micro-ISVs; if you don't believe me, check out Eric Sink's articles on the subject. He is someone who has done it (both open and closed).

  127. Re:Testing is only a priority on closed source app by tagattack · · Score: 1

    It's complete malarkey that testing is only a priority on a closed source application. In fact, the beauty of open source is that many of the lower level products of open source (libraries) are fundamental elements of much larger commercial products. Regression testing at the library level is a very common practice, and some development communities (I'm sure you all dislike perl, it's not my favorite language but this is my favorite example) like CPAN even force at least some tests to be in place before a library can be distributed through that system.

    In many of the large successful projects I see, test cases are a huge part of the development. Look at mozilla's tinderbox system; it automates lots of tests before patches are even accepted into the development branch. This is after a patch has been either created by or reviewed by one of the core developers.

    Open source is not some wild west land where anyone can go around adding any code to any project they want... well I mean they can, but it won't affect the distribution. Distributions are still controlled by the author of the project, and anyone else the author decides to delegate the responsibilities (aka privileges) to.

    When I'm building a proprietary application, I often end up building it out of a number of generalized solutions which I abstractify into libraries with carefully thought out APIs in order to promote reuse and flexibility. I do this so that not only I can use them with other applications, but so with some careful evangelizing with my customer(s) I can convince them it is in their best interest to allow these generic elements of the application to be distributed in the public domain.

    One thing people keep missing about open source is that it's a developer's method of doing things. It doesn't mean we can't create great user desktop software, but it does mean that open source isn't an approach to replacing vendors who develop and support software. It can be a model for sharing all generic parts of an application to give it good code review, increase its stability, and for developers to collaborate indirectly on a very large scale.

    I think OS-X is a great example of this at work, Cocoa being *just* as proprietary as windows, but the actual underlying system is just as open source as linux. Obviously Apple's developers know how to build a great user interface and have the infrastructure necessary for enterprise quality support, where the open source community has the ability to build flexible, powerful, innovative solutions that could not take shape without having thousands of prying eyes on the source code. The result is a solution that's easier to use, harder to break, more flexible and more powerful than anything that could ever come out of Redmond.

    Now if only we could get Apple to quit being selfish and make the daring move to becoming an OS vendor as well as a computer manufacturer, maybe there could be a viable desktop software solution for the average person who thinks of a computer as an appliance. From what I've seen, Microsoft's software is far too easy to break for these kinds of people, and the literally computer illiterate struggle with it horribly. And speaking from experience, developers used to more sophisticated ways of doing things (such as by following standards and whatnot) find MS software hard to work with.

  128. BBC: Microsoft warns on security fixes by Anonymous Coward · · Score: 0

    Microsoft warns on security fixes

    Microsoft has issued an alert about a bumper package of security updates for Windows.

    A total of 10 updates will be released on 14 June to fix a variety of flaws in the operating system.

  129. YHBT by MyLongNickName · · Score: 1

    No message.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  130. Re:Testing is only a priority on closed source app by BigBuckHunter · · Score: 1

    Was I talking about IE?

    No, hence my comment about bringing the thread on topic (the article was about IE).
    a lot of corporates consider their intranet (extranet/web) apps 'critical

    Yes, hence my references to IE, wininet, and winhttp. None of these three should be used on the backend. I'm down with IIS and its infrastructure (ISAPI, ASP, ASPX), but custom apps relying on win32 dlls to provide outbound web functionality (once again wininet, winhttp, and IE) is just begging for trouble.

    On the client side, people can use whatever they want. They're clients after all, and are not "running" the app. The server is. If they're a fat client (rmi over iiop esque), then all their browser should be doing is kicking off the client, and the VM should do all the rest.

    BBH

  131. And now I will clarify that. by khasim · · Score: 0, Troll

    #1. "Some extensions don't work (I've since forgotten which ones)"

    Sorry, that isn't "specific". That is vague and unhelpful. Disregarded.

    #2. "When I start up the app, sometimes the "update" icon is right next to the "help" menu item (not where it should be).. and the app is completely frozen. Only restarting FF fixes this (and it sometimes does not)"

    What app? Again, "specific". Not general. Disregarded.

    #3. "The fact that they don't release patches (critical security updates, at least!) is a major downfall for FF."

    They DO release patches and critical security updates. They just release them as a completely new build. Disregarded.

    So, all of your complaints are of the type most often seen on /., vague, undefined and some of them you just don't even remember.

    Great.

    In the meantime, I'm running 1.0.4 without any problems and the auto-update feature of the extension system just told me that there's a new version of ie-view available. It's already installed and all I have to do is re-start FireFox.

    1. Re:And now I will clarify that. by d_jedi · · Score: 1

      1)
      I THINK: Single Window, Sort bookmarks, close tab on double click, last tab. I believe that's the list.

      2)
      What do you mean, what app?
      FIREFOX of course. (FF isn't good enough for you?) To be specific Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1

      3) New version != security patch.
      Especially when:
      " Prior to installing Firefox 1.0.4, please ensure that the directory you've chosen to install into is clean and doesn't contain any previous Firefox installations."
      and clicking on the update button DOES NOT:
      a) warn you of this
      b) uninstall the previous version.

      --
      I am the maverick of Slashdot
  132. Re:Testing is only a priority on closed source app by Quantam · · Score: 1

    Holy shit. If MS incorporates that quote into their Get the Facts campaign, no business will ever use OSS again.

    --
    You have tried to support your argument with faulty reasoning! Go directly to jail; do not pass Go, do not collect $200!
  133. And the final post. by khasim · · Score: 1

    #1. "I THINK: Single Window, Sort bookmarks, close tab on double click, last tab. I believe that's the list."

    I'm not going to waste my time on each of those. Here's the URL for "close tab on double click".
    https://addons.mozilla.org/extensions/showlist.php?application=firefox&category=Tabbed%20Browsing
    Search for the phrase "Tab Clicking Options supersedes Close Tab On Double Click".

    So, when the functionality provided by an extension is provided by FireFox in a later version, and the coder maintaining that extension posts that, you feel that there is a "problem" when that extension no longer works on the newer version of FireFox.

    Hey, lots of luck getting IE7 to work on Win2K.

    2. "FIREFOX of course."
    Hey, don't blame me if your writing isn't clear. So, sometimes FireFox freezes when you launch it.
    Sometimes a reboot fixes that freeze ...
    Sometimes it doesn't ...
    Which means that, sometimes, FireFox freezes and not even a reboot will get it unfrozen ... yet you still seem to be using FireFox ... even though it is frozen.

    Right. Whatever. Good luck with that.

    3. "New version != security patch."
    Ummmm, yes it does. The installation might not be as easy as you'd like, but it is still a security patch.

    Anyway, lots of luck with your Microsoft experiment. I'm sure my firewall will be blocking the loads of spam that your pwn'ed machine will be spewing.

    Buh bye now.

    1. Re:And the final post. by Anonymous Coward · · Score: 0

      ...and people say that the Open Source community isn't helpful... look at this beautiful, steaming pile of help given right here. Wow. It makes me all tingly just reading it. I want to do nothing else but go download some broken open source applications and ask asshats for help getting them to begin working. Um, yeah. Buh bye yourself, asshole.

  134. Re:patch info by airrage · · Score: 1

    Coolio!

    --
    "This isn't a study in computer science, its a study in human behavior"
  135. Re:Testing is only a priority on closed source app by Proteus · · Score: 1
    Did you read my comment? I *am* making money with OSS. And I never said that companies don't buy software from single-person vendors, just that, in general, they don't like to.

    In other words, companies prefer to buy from large vendors, and will only buy from smaller vendors if there is a significant advantage for them.

    --
    We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
  136. "M$ patches are like sausages... by Anonymous Coward · · Score: 0

    ...it is better not to see them being made."

    [Apologies to Otto von Bismarck.]

  137. Re:Testing is only a priority on closed source app by Anonymous Coward · · Score: 0

    If the customer owns the code, they can licence it however they wish. The developer contracted to produce it has no right to choose the licence, assuming the contract was drawn up by competent people.

  138. Re:Testing is only a priority on closed source app by Mechcozmo · · Score: 1
    With Open Source, a patch can be released right away and users can compile in the new sources themselves.

    CHOOSE ONE:

    A. Too bad that 'patch' swapped bits around when it read the filesystem, so now your computer is toast.

    B. Too bad that 'patch' broke your compiler.

    C. Too bad that 'patch' conflicts with the next patch to fix the current patch, causing your head to blow up and your computer to crash.


    Too bad that 'patch' wasn't tested, eh?

  139. Re:Testing is only a priority on closed source app by ummit · · Score: 1
    ...how hard is it to rerun your unit tests?

    It shouldn't be hard, no, and if you've got 'em, clearly you should.

    No unit tests? Probably not a well-controlled system then, is it?

    It's one of those strange, Catch-22-like paradoxes, isn't it? The more test suites you have (and the more they're automated), the less likely it is you need them.

    ...unless you're omniscient and can see EVERY possible ramification of your change, especially in a large code base...

    But in a (hypothetical?) "well-controlled" system, you can see every possible ramification of a proposed change, pretty easily, and without being omniscient -- because having modularity that works, so that changes are isolated, is one of the hallmarks of a well-controlled system!

  140. Are we supposed to feel sorry for them? by evianhat · · Score: 1

    From the article:

    • In some cases, particularly when the Internet Explorer browser is involved, the testing process "becomes a significant undertaking," Toulouse said. "It's not easy to test an IE update. There are six or seven supported versions and then we're dealing with all the different languages. Our commitment is to protect all customers in all languages on all supported products at the same time, so it becomes a huge undertaking."

      "This is exactly why it can take a long time to ship an IE patch. We're dealing with about 440 different updates that have to be tested."


    Hmmm, so Microsoft is so big that in order to fix a problem, they have a huge number of things to check...

    Am I supposed to feel bad for them? Sorry, I don't. Their software runs on ~ 95% of all desktop computers. They have a war chest in the tens of billions of dollars. Their president has a net worth close to $50,000,000,000.00.

    I don't think it's unreasonable to expect them to pay, say, 10,000 people $100,000 / year to work on all of the fixes/patches and the testing. That would come out to only $1,000,000,000 per year. I think they can afford that.

    Imagine warehouses and warehouses filled with people/hackers searching for the problems, finding them, and then testing the solutions.

    Now, I know that realistically you can't just throw thousands of people at a set of coding problems and expect to get a thousand-fold efficiency increase...I'm just trying to illustrate the point that Microsoft can easily afford to bring to bear a humungous amount of resources to these problems.

    The way the guy was talking in the article, he makes it sound like "oh, poor me...my team and I have to test (gasp) 440 different updates."

    For an ordinary company, that would indeed represent a very daunting task. But Microsoft is *the* giant. It *should* be able to handle the consequences of its successes.

    If not, then they're really...dumb.

  141. IE Can break things that are important by tudza · · Score: 1

    Direct experience. People at work upgraded to IE 6 when it came out and at Microsoft's suggestion. That is, not when it first came out, but when Microsoft thought it was good enough for everyone to use and started advertising IE 6's existence and suggesting people upgrade.

    Suddenly, they started receiving empty emails in Outlook.

    After a whole day of ruling out things and reading through Microsoft help pages, I find the fix. A couple days earlier and there would not have been a fix to find.

  142. Microsoft doesn't "break the internet" by HackerAce · · Score: 1

    Here is a Microsoft quote from the eweek website. I wasn't aware that Microsoft "could" break the Internet. But, if Al Gore can invent it then perhaps Microsoft can break it. "We have to test thoroughly to make sure it doesn't introduce a new problem. We have to make sure it doesn't break the Internet." http://www.eweek.com/article2/0,1759,1825805,00.asp