Microsoft Port 25 interviews Miguel de Icaza

Ben Galliart writes "Microsoft's Port 25 blog, the voice of MS Linux Labs and a spin-off from the MS Channel 9 blog, has an interview with Miguel de Icaza where they discuss the Gnome and Mono projects. It is a nice change of pace to see Microsoft go from attacking Novell and Linux to interviewing a Novell employee about a Linux desktop system. Port 25 has come under some fire since they can not always be trusted. Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor and a security guide attacking Red Hat for not providing security updates for Red Hat v9 despite that Red Hat ended support back in 2004. They have also released a password synchronization daemon for Red Hat, AIX, HPUX and Solaris that must run as root and makes several calls to strcpy() (which violates Microsoft's guidelines for doing secure coding)."

Worthless drivel

What the fuck kind of insane summary is that? Even for Slashdot, that steps over the line.

Re:Worthless drivel

[MustardMan]

No kidding - forget secure coding guidelines... how about some "writing in English guidelines"?

Re:Worthless drivel

[Fearless+Freep]

More a slam on Port 25 than a summary of the interview

Re:Worthless drivel

[Iguanaphobic]

Like this?

Re:Worthless drivel

[GIL_Dude]

Totally agreed.

Re:Worthless drivel

[cerberusss]

I like that mindless drivelling. It reminds me of that hottie from Sex and the City.

Re:Worthless drivel

[zaajats]

Umm... what interview?

Re:Worthless drivel

[JackieBrown]

The resource cannot be found. Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly. Requested Url: /archive/2006/08/11/Let_2700_s-talk-Mono_3A00_--Sa m-interviews-Miguel-de-Icaza.aspx

revelaed

miguel is the liebermann of open source

Re:revelaed

[grammar+fascist]

More like the Howard Dean, I thought.

Re:revelaed

[sproketboy]

"It even helps them"... Yes it does since apparently a growing number of morons out there delude themselves into thinking that they can go cross-platform with mono. --- mono is a disease - Java is the cure.

Re:revelaed

[PartyOnTheSand]

but isn't it true somehow?
it might not be as elegant like using c++ together with some explicit cross platform libraries, but it seems possible to go cross platform over mono, not?
which problems do you see in this approach?
that novell will stop developing mono? for a specific platform?
thx for clarification

Link to interview doesn't work.

[RingDev]

Just goto http://port25.technet.com/ and click the link on the front page.

-Rick

Re:Link to interview doesn't work.

[neonprimetime]

Win a million dollars if you can spot the difference! The link doesn't work cause of the funky character after 3A00_ and before Sam.

Re:Link to interview doesn't work.

[RingDev]

The -- (two hyphens) is resolving to %E2%80%94

The link should be: http://port25.technet.com/archive/2006/08/11/Let_2 700_s-talk-Mono_3A00_--Sam-interviews-Miguel-de-Ic aza.aspx

but some ass hat probably pasted it into MS Word to spell check the summary, and word resolves -- to it's funky double wide hyphen character.

-Rick

Re:Link to interview doesn't work.

[thethibs]

but some ass hat probably pasted it into MS Word to spell check the summary, and word resolves -- to it's funky double wide hyphen character.

The "double wide hyphen character" is called a dash—not funky at all—and it's common punctuation among the literate. Word's substitution is handy in place of Alt+0151. When you see a double-hyphen in Ascii text, the writer is asking you to read them as a dash.

Quite a few fonts will connect a pair of hyphens to look like a single dash. The technical term is em-dash and the HTML entity name is —.

In any case, the substitution is only done during typing, and even then only where it's used correctly. So you can't blame Word for this one.

Re:Link to interview doesn't work.

[prockcore]

word resolves -- to it's funky double wide hyphen character.

By "funky double wide hyphen character" you mean industry standard UTF-8 representation of em-dash?

Re:Link to interview doesn't work.

[cortana]

You mean, the fault of the idiot web developer who didn't mark the page as being encoded in windows-125x.

There's nothing inherantly wrong with the Windows character sets, they're just an encoding!

Server Error in '/' Application.

Server Error in '/' Application.

They forgot to put a '.' after the '/' !

Microsoft employee-wannabe

[dskoll]

Miguel makes no secret of his admiration for Microsoft and is really a MSFT-employee-wannabe. All his talks I've ever heard were about how UNIX sucks and how Microsoft got the desktop right.

Yawn...

Re:Microsoft employee-wannabe

[dedazo]

I don't know about "Unix sucks" (which sounds more like FUD to me), but if you have some sort of argument about why Microsoft did not get the desktop right (at least in comparison to GNOME/KDE), I'm sure we'd all love to hear it.

I mean, beyond "yawn".

Re:Microsoft employee-wannabe

[megaditto]

Well, not to troll, but wasn't it said that Gnome was ripping off Windows UI? or MacOS, I forgot.

Remember VMS desktop before Windows 95 release? A POS!
In that respect, Microsoft can be said to get the Desktop right

Re:Microsoft employee-wannabe

[mspohr]

I'm not a Linux expert but have installed Ubuntu Linux on about 10 machines (desktops and laptops) over the past two years. I haven't had to do any "wrestling". They all pretty much "just worked" with the full application suite. Even WiFi just works... and printers... etc. Full install is an hour or so.

In contrast, I have had to re-install Windows on various machines about 5 times in the past year due to viruses, spyware, etc. (two college daughters...) and each time it was a full day marathon of install, patch, drivers, application install, patch, firewall, anti-virus, etc. with many reboots... PITA!

I don't know what you are doing that you need to wrestle Linux but it certainly sounds like you could use some help from "clippy".

Re:Microsoft employee-wannabe

[DShard]

Yeah... and I've never had to do that with windows on lets say, 3.1, 95, 98, nt 4, 2000 _and_ XP... In fact, I have never had a version of windows that wasn't borked on some hardware by their installer (unless you count service packs, but I won't). I would imagine you would have to go Mac to avoid that experience, since they so tightly control the platform. From a developer perspective, win32 is a kludgy nightmare. I have no idea why any developer would enjoy it. Gnome seems at least sane... and has more languages supporting it than you can shake a stick at. The user experience on any PC just plain sucks. I have yet to find a gui that didn't feel like it was made to torture me.

Re:Microsoft employee-wannabe

[Planeflux]

Sorry to rain on your parade, but your own lack of competence with linux installations is a silly excuse for stating that "Microsoft has made the better desktop". Obviously various linux distros have their own quirks and issues, but if you can handle those, a linux system makes a great general-purpose desktop environment and is, in my opinion, way ahead of anything Microsoft has to offer at the moment. I am not biased or trying to stab Microsoft here, I just choose the best tool to get the work done. That said, it is far from perfect, and if Microsoft would come up with a better alternative, I'd gladly use that.

Re:Microsoft employee-wannabe

One has to wonder about Slashdot when an obvious troll (admiration of MS is apparently a mortal sin and de Icaza is a "wannabe") like this from someone who links to "roaringpenguin.com" is modded up to +5.

Yay for intelligence and all that.

Re:Microsoft employee-wannabe

[Burz]

And he takes abuse from MS too:

http://linux.sys-con.com/read/124218.htm

Interesting bit of history there. It really disturbs me that Miguel is leading a column of FOSS enthusiasts into the maw of MS patent enforcement, especially when he could have used his talent on something unencumbered like Parrot.

Re:Microsoft employee-wannabe

[drinkypoo]

All his talks I've ever heard were about how UNIX sucks and how Microsoft got the desktop right.

Well, if you're looking at usability, then he's right on both counts. If you're looking at reliability, then he's full of shit.

Even the Microsoft CLI is more friendly than Unix, what with the "help" command. Yes, that is an irrelevant thing to you and me, but not to the teeming masses. And, it might be added, there are things that we still must go to the GUI to do on both.

The Linux desktop has become quite usable - but it got there by copying Microsoft, and that is no shit. I've been watching people argue about this as long as it's been happening, but make no mistake, it's been happening. I was there since before the beginning, when the only people to actually have a Unix desktop, as in a place you can throw your icons and shit, was fucking SCO, and they were followed up by Caldera, with the Caldera Network Desktop - which I actually ran. I believe it was based on redhate 1.0 or something?

KDE and Gnome are both pretty hardcore ripoffs of Windows, although GNOME also manages to copy MacOS at the same time.

So, I don't entirely disagree. Unix has some pretty major failings in the usability department, although it certainly has gotten better. Unfortunately, it only got there by copying Windows, which kind of blows the whole usability argument to kingdom come.

Re:Microsoft employee-wannabe

...but if you have some sort of argument about why Microsoft did not get the desktop right (at least in comparison to GNOME/KDE), I'm sure we'd all love to hear it.

1. No select->middle-click->paste buffer.

2. Ctrl-C/V/X behave inconsistently (it is entirely too easy to lose everything on the clipboard).

3. No tools out of the box to automate user tasks like bash or perl.

4. Crappy handling of file types.

5. No virtual desktops. (The powertoy hack called MSVDM doesn't actually work.)

6. Lack of support for standards: PostScript, PDF, MP3, DVD, NFS, SSH, SCP.

7. The Registry.

Re:Microsoft employee-wannabe

1 and 2. Of course Linux has a clipboard. Why would you think it doesn't?
3. WSH would be nice if it actually worked. Luckily, Cygwin can be installed to avoid Microsoft's shortcomings
4. Rename a virus-ridden .wmf to .jpg, and watch it still be opened as a .wmf to trash your computer
5. It's very needed complexity for everybody out there that uses more than one window at a time. The only reason OS X doesn't have them is they couldn't make them pretty enough in time for 10.4 (they're in 10.5)
6. Postscript and PDF are standards. MP3 and DVD are de-facto standards. Windows can't even read those out of the box, and even with extra Microsoft tools installed can't read OpenDocument files or vector graphics.
7. The registry is required for the desktop to run, and is thus part of the desktop.

Furthermore, Windows is unable to do many useful things like thumbnailing movies, store files larger than 2 gigabytes, read any archive format other than .zip. It can't even read E-Mail without expensive add-on software!

Re:Microsoft employee-wannabe

[goonerw]

7. The registry is required for the desktop to run, and is thus part of the desktop.

Huh? That's just as sane an argument as the filesystem is required for the desktop to run, thus it's a part of the desktop, and so is the BIOS.

Re:Microsoft employee-wannabe

[larry+bagina]

Considering his track record, that's actually an improvement. C#/.NET is at least somewhat standardized and thought out. GNOME is a complete mess. Had that effort gone into GNUStep (which is standardized and thought out), OS X users would be envious of Linux.

Re:Microsoft employee-wannabe

[dbIII]

That isn't normally a problem - but writing things off on the platform you are developing on is, as is not really understanding why the platform does the things it does. Let me first say there is a lot about gnome I like before I get into heavy criticism below.

I think a large part of at least early gnome was to try to do an MS Windows on linux - complete with the registry (extremely stupid idea) but far worse since you get one per user, and you have a mix of config files and this registry thing. If a user changes their screen resolution to something stupid with the gnome tool where do you find the gnome setting to fix it for that user after you have fixed it for all other users in xorg.conf? You have a mix of traditional config files and the registry thing within gnome itself and changes to other config files outside gnome (like xorg.conf) are not picked up by gnome. The single user non-networked approach of parts of gnome highlighted this, as well as ignoring major aspects of the platform (ignoring sockets to do an MS windows style of communication and making things executable that don't have executable file permissions!!). Other aspects were a good idea - but yes the linux sux (and don't care about other *nix) and let's do an MS windows that we can write attitude really came through - we still have to live with gconf and settings that can't be exported to other users even on the same machine until sabayon is finished to allow exporting gconf registries. Gnome outgrew him and works on multiple platforms now instead of just being a linux only thing as it was.

That said - depite the initial silly politics and name calling and a couple of poor design decisions gnome grew into a very useful environment with only a few little quirks that make it lock up occasionally in a networked environment (still doesn't handle windows from other hosts well, which means the entire point of X windows has still been missed by some people there). The ideological opposition to man pages is something I still can't understand and I put it down to people coming from the MS Windows environment where you are expected to be able to do things without decent documentation.

Re:Microsoft employee-wannabe

[ciggieposeur]

Even the Microsoft CLI is more friendly than Unix, what with the "help" command.


~$ help
GNU bash, version 2.05b.0(1)-release (i386-pc-linux-gnu)
These shell commands are defined internally. Type `help' to see this list.
Type `help name' to find out more about the function `name'.
Use `info bash' to find out more about the shell in general.
Use `man -k' or `info' to find out more about commands not in this list.

A star (*) next to a name means that the command is disabled. ...


The Linux desktop has become quite usable - but it got there by copying Microsoft, and that is no shit...KDE and Gnome are both pretty hardcore ripoffs of Windows, although GNOME also manages to copy MacOS at the same time... Unfortunately, [Unix] only got there by copying Windows, which kind of blows the whole usability argument to kingdom come.

I disagree. Windows never had selection buffer, virtual desktops, or remote desktop, items I absolutely require to be reasonably productive on X. KDE/GNOME brought us unified widget sets and control panels, and both were certainly inspired by both Windows and MacOS, but they go so far beyond Windows in overall functionality it's not even funny.

Re:Microsoft employee-wannabe

[adolfojp]

The MSFT-employee-wannabe that you speak of is the father of the GNOME desktop. Without GNOME, QT might not have been open sourced in the first place. Without a man like Miguel to give GNOME a forward direction, we might still be using Motif. When your contributions to the open source movement become a tenth of what Miguel has done then your rant might have more merit.

If there is one Microsoft technology that deserves admiration is the .NET framework. If there is one man who has the objectivity to look beyond the zealotry to see technologies for their merits is Miguel. MONO is an excellent development environment for Linux. It bridges the gap between high performance but difficult to use languages like C++ and low performance high RAD languages like Python.

Re:Microsoft employee-wannabe

[i.of.the.storm]

Not only that, but their zip folders implementation blows compared to any 3rd party app. It's neat that they open in Explorer, but when you try to unzip any file of some significant size (>20MB or so) it takes upwards of half an hour to unzip. I've never actually timed it, but it seems that way. WinRar or 7-Zip are both orders of magnitude faster.

Re:Microsoft employee-wannabe

[e2d2]

He's probably done more for open source before noon then you've done in your whole life. Prove me wrong and I'll take it back.

Re:Microsoft employee-wannabe

[Jay+Carlson]

My favorite thing to bash Linux bigots with:

OLE Automation.

(Or whatever they're calling it these days; I think it was absorbed into the ActiveX branding.)

Just about every Unix vendor had this dream of turning their entire desktop environment into a sea of programmable objects.[1] The one I got to laugh at was Sun, with DOE, although you formerly-MacOS-bigots got to see it replayed in AppleScript and OpenDoc.[2]

Well, Microsoft delivered. I can write a script (in my choice of languages) that opens up a Word document, finds any bold text at the start of paragraphs and then HTTP POSTs it to a URL. And if I feel really annoying, I'll increase the volume level on the sound device, and read it to you. In a page of code.

It's really amazing what you can script this way. OK, yes, there's a reason I'm typing this on a Linux box, and why I have cygwin installed on any Win32 box I care about. But through marketing muscle and a desire to create opportunities for small VARs, Microsoft let little software authors poke around inside big applications. And created some nice tools for those little authors to write code with.

Shame it breaks in such obscure ways.

[1]: ARexx doesn't count. That's just DDE.

[2]: Obligatory joke about whether "the" is optional at some point in hypercard syntax here. Apple has been getting better, though.

Re:Microsoft employee-wannabe

[andreyw]

Uh, bullshit. You can store >2GB files on NTFS volumes just fine.

Re:Microsoft employee-wannabe

[andreyw]

1. C-c and C-v. You can enable quick edit in cmd.exe (which is the only place where you might care anyway). 2. Wtf? 3. WSF and Monad. 4. Care to elaborate? Nothing crappy about it. Its system pervasive, too. 5. no comment 6. Mp3, DVD, NFS not supported? What drugs are you on? Plus what do the rest have to do with the OS? Core Linux OS doesn't include GS or a PDF viewer either... 7. Yes, but not for the reasons you think.

Re:Microsoft employee-wannabe

[jonbryce]

You could read your email using the supplied Outlook Express if you were really desparate. Otherwise, Mozilla Thunderbird is free.

Nevertheless, the lack of decent email clients for windows is a big problem.

Re:Microsoft employee-wannabe

[killjoe]

Why does .net deserve admiration? It's just another VM. There are lots of them out there. It's not even that great of a VM.

Sure the fanbois love it because it's better then the crap they are used to but it's nothing remarkable. Just a ripoff of java with a couple of additions. Yawn. Who cares.

Re:Microsoft employee-wannabe

[killjoe]

"Well, Microsoft delivered. I can write a script (in my choice of languages) that opens up a Word document, finds any bold text at the start of paragraphs and then HTTP POSTs it to a URL. And if I feel really annoying, I'll increase the volume level on the sound device, and read it to you. In a page of code."

You could do this with linux. Not with word docs of course which have propritary formats but with OO docs you can. Hell you could probably do it on a command line with sed and wget.

Re:Microsoft employee-wannabe

[dskoll]

At the Ottawa Linux Symposium in 1999 or 2000, Miguel had a series of slides about why UNIX sucks. Those were his words. Check it out yourself.

As for why MSFT didn't get the desktop right, I'm not really qualified to answer, because in my entire career, I've used Windows only for a hellish 5-month stint back in 1996 (Win95). The things I hated about the Win95 desktop:

• No window manager. If an application hung, there was no way to move its window temporarily, because applications had to cooperate to move or close windows.
• Cumbersome cut-n-paste compared to X.
• No decent command-line tool. (My perfect desktop is a wall of xterms. :-))
• Hideous complexity under the hood. Edit some magic mumble-mumble registry key if you want to do X...
• Totally useless error messages, so when something inevitably goes wrong, you haven't a clue how to fix it.

I'm not sure if MSFT has fixed the desktop. Somehow, I doubt it.

Unfortunately, the two big Linux desktops (GNOME and KDE) are showing symptoms of Windozification, which is why I don't use them. XFCE is just perfect, IMO.

Re:Microsoft employee-wannabe

[CoolVibe]

OLE Automation.

KDE kio-slaves, KParts and language agnostic DCOP scripting from KDE. Works even better than MS-OLE.

Re:Microsoft employee-wannabe

[adolfojp]

Would you care to enlighten me as of why is .NET a "not even that great of a VM"?

C# is Java with the power of hindsight. Java is Smalltalk with the syntax of C. Guido Van Rossum has stated that Python owes a lot to ABC. Every computer language has borrowed features from others. It is the way that computer language development work. If you can make a better product by taking features from another and adding and improving then you should do it.

Re:Microsoft employee-wannabe

[killjoe]

"Would you care to enlighten me as of why is .NET a "not even that great of a VM"?"

Because it doesn't support multiple inheritance like the python VM does.

"If you can make a better product by taking features from another and adding and improving then you should do it."

Yes but that doesn't make it admirable does it.

Re:Microsoft employee-wannabe

[dskoll]

I've written the following open-source programs:

rp-pppoe

mimedefang

remind

I have no doubt Miguel has done more than me, but what's your point?

Re:Microsoft employee-wannabe

[dedazo]

Miguel had a series of slides about why UNIX sucks.

Yes... can you quote a single thing there that is false? Are you using that as "proof" of the "Unix sucks" thing? Are you serious?

because in my entire career, I've used Windows only for a hellish 5-month stint back in 1996 (Win95) [...] I'm not sure if MSFT has fixed the desktop

No, it's still the same. Windows hasn't changed at all since 1996, so don't worry about it.

Re:Microsoft employee-wannabe

[e2d2]

I had the same point that you did, none at all..

You basically attacked him with baseless comments. If he wanted to work for Microsoft then why isn't he? Do you think they wouldn't love to have him in their camp? His admiration from everything I've read has been for their ability to unify the desktop and offer superior toolsets. But you made it seem like he's a shill because he has these opinions.

Ceasing support after a year is a valid excuse?

[Richard_at_work]

Maybe there is some validity in saying they (Port 25) are untrusted, but what excuse is it that Redhat ceased updates for v9 in 2004, a mere year after the product was released (March 31 2003). Seriously, is a single year of updates good enough? I think they actually have a valid point on that one at least, a year isnt long enough to even be considered stable server software in my book.

Re:Ceasing support after a year is a valid excuse?

[dhasenan]

Consumers were expected to move to Fedora, which replaced the free version of Redhat. RHEL continued its five-year support arrangement, so for enterprise customers, there was no change.

What's the big deal? If yours is a small business, you can get basic support for $350. Larger, $2500 gets you a full contract. That's hardly taxing to a company that also has the option of running an unsupported RHEL, or an alternative of choosing another support company.

Re:Ceasing support after a year is a valid excuse?

[InsaneGeek]

But what if you paid for Redhat 9, standardized upon it, put a huge developer investment into it, and a year later they tell you it's gone and they want more money (since RHEL was basically 9 with minor changes), or to goto something else that will require another huge developer investment. That is unacceptable, and Microsoft has every reason to bash them over the head for it. Bad business practice, if anything Redhat should have said 9 was the last release and we will support our paid customers who made an investment in it for longer than 1 year and do good by them.

Re:Ceasing support after a year is a valid excuse?

[InsaneGeek]

You might want to re-read the post standardize upon Redhat 9, which then had it support cut a year later.

Re:Ceasing support after a year is a valid excuse?

[drinkypoo]

Consumers were expected to move to Fedora, which replaced the free version of Redhat.

I think you got that wrong. It should read "Consumers were expected to become unpaid beta testers of RHEL on all of their desktop systems."

It's not like they're the minions of satan or anything, but Redhat pulled a classic bait-and-switch on the Linux community and I for one am astounded at how many people are willing to make apologies for them.

Re:Ceasing support after a year is a valid excuse?

[Moofie]

"That is unacceptable, and Microsoft has every reason to bash them over the head for it"

Microsoft? Bashing Red Hat over licensing? Wow. That's rich. I wonder where they find salesdroids with absolutely no ability whatsoever to think critically, so they can spout this stuff with a straight face.

Re:Ceasing support after a year is a valid excuse?

[Vellmont]

But what if you paid for Redhat 9, standardized upon it, put a huge developer investment into it, and a year later they tell you it's gone and they want more money

If someone did that I guess they made a really dumb decision putting all that money into a product that never had any support guarantees in it. You should have ponied up the few extra bucks and standardized on RHEL 2.1, or even the previous "Redhat Advanced Server".

(since RHEL was basically 9 with minor changes)

Actually RHEL 2.1 was based on Redhat 7.2. RHEL 3 was based on Redhat 9. One of the "minor changes" was the level of support that was offered.

Redhat should have said 9 was the last release and we will support our paid customers who made an investment in it for longer than 1 year and do good by them

Like I said, there was never any support contract for RH9, and by that time if you wanted guaranteed support you should have picked a RHEL product. I'm still running a RH9 box. It works great with the updates from Fedora Legacy, and I certainly don't blame RH for getting out of that game.

Re:Ceasing support after a year is a valid excuse?

[darkonc]

Well, given that RH9 never really had a strong support regime (commercial customers who wanted long-term support were pointed at RHEL), I don't think that this would have been a big shock... This is more like getting people who downloaded the Vista Betas being pissed off that they're expected to actually install and ooooh! pay for the commercial version when it comes out in 200[678].

Re:Ceasing support after a year is a valid excuse?

[NineNine]

Like I said, there was never any support contract for RH9, and by that time if you wanted guaranteed support you should have picked a RHEL product.

That's a crock. What if you were to buy a shiny new car, and the next year, the manufacturer stopped selling replacement parts for it. "Hey, you only had a one year warranty!" Hell, I play the same games for longer than a year. Red Hat really blew it on this one, and that move made me positive that I wasn't going to trust any of my business stuff to Red Hat.

Re:Ceasing support after a year is a valid excuse?

[charlesnw]

HAHA LOL Oh man thats good. I needed a good laugh. Whew.

Re:Ceasing support after a year is a valid excuse?

[Moofie]

Please, for the love of Dog, stop with the car analogies. They just. Don't. Work.

Re:Ceasing support after a year is a valid excuse?

[subsolar2]

That's a crock. What if you were to buy a shiny new car, and the next year, the manufacturer stopped selling replacement parts for it. "Hey, you only had a one year warranty!" Hell, I play the same games for longer than a year. Red Hat really blew it on this one, and that move made me positive that I wasn't going to trust any of my business stuff to Red Hat

Your an espcially dumb car buyer if you get upset at support ending after a year. Because the company had annouced that the model 9 car would only be supported for one year before you bought it and that if you wanted parts for more than a year you should buy Truck model 2.1.

related links

[porkThreeWays]

I was reading the death of red hat support slashdot comments from a few years ago. I think it's interesting that so many people thought that would be the death of red hat. In fact, they are stronger than ever. Even with strong competition from large corporate entities that weren't in the linux game a few years ago, red hat remains the market leader.

Re: Article Text

[Mongoose+Disciple]

From the article:

Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor

I'd be curious to hear what vendor the article author thinks is doing more to improve security than Microsoft if this statement is to be decried as FUD, and what kind of metrics/data support this. Amount of exploits patched? Amount of money spent on security?

I mean, even if you think Windows is one giant yawning security hole, that really only says that they have the most room for improvement. I'd be surprised if they're not patching the most holes, affecting the largest number of users, and spending the most money on security -- even if the results are often sad.

Speaking of FUD...

[Future+Man+3000]

Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor

Which vendors are doing more to improve their security?

Given what they had to start with, I think it's very difficult to claim anybody's done what they've accomplished between 95 and XP SP2. You tell me one other vendor that's gone so far as using tools like authentication and WGA to combat the worst offenders of security -- the users themselves? Linux users, Mac users, even the *BSD user is free to boot their operating systems without the slightest arbitrary challenge to their right to do so and from there go on to face any number of potential security issues; but with Windows, you need only upgrade your CD drive emulator a handful of times or use Windows Update as directed to find yourself relieved of the concerns users of lesser operating systems face.

They had the most potential with regards to security and they've finally met it, and I say kudos.

Re:Speaking of FUD...

[jd]

Which vendors are doing more to improve their security?

Well, I can say for certain that Microsoft are doing more than Gemini is doing for GEMSOS. But that's only because GEMSOS has been proven free of security flaws, so there's really not much to improve.

Re:Speaking of FUD...

[WilliamSChips]

Wow, you're good. I can't tell if you're trolling or not!

Why would you trust Port 25?

[jd]

At the very least, they should be using Port 465 (SMTP over SSL/TLS). It's no wonder they feel insecure, using plain-test. Honestly!

Re:Why would you trust Port 25?

[giggls]

STARTTLS does exist for years now, so 25 is all you need!

Sven

Re:Why would you trust Port 25?

[Professor_UNIX]

STARTTLS does exist for years now, so 25 is all you need!

Most bigger ISPs block port 25 due to spam concerns these days so port 587 is all you need for SMTP TLS message submission.

Re:Why would you trust Port 25?

[giggls]

587 is OK, but the OP was talking about 465 which I consider to be obsolet now.

Sven

Re: Article Text

[theantix]

Exactly. You don't usually hand the MVP and the Most Improved trophies to the same person...

Anyone using Red Hat 9?

[also-rr]

Even my old university has now upgraded their labs to FC5, and they are so cheap that they actually asked if there was a discount on a GPL upgrade license.

Re:Anyone using Red Hat 9?

[grammar+fascist]

Even my old university has now upgraded their labs to FC5, and they are so cheap that they actually asked if there was a discount on a GPL upgrade license.

One of two things comes to mind:

1) Yes. There's a 30% discount for anyone who doesn't install Windows on any machine.

2) Yes. RMS will personally throw money at you if you use GPL 3.0.

Re:Anyone using Red Hat 9?

[kfg]

RMS will personally throw money at you if you use GPL 3.0.

But he'll use coins and throw them really, really hard.

If he makes an alliance with Rick Jay I'd even be worried about paper money. Cash cards would be right out.

KFG

Re: Are You Serious?

[mpapet]

what vendor the article author thinks is doing more to improve security than Microsoft if this statement is to be decried as FUD

Just about every linux/bsd distro and probably apple too on the desktop.

and what kind of metrics/data support this. Amount of exploits patched?
The problem with this mindset is you think it's okay that the code that is increasingly responsible for running more things that make a country productive is never seen and can't be reviewed except for poking at it in a willy-nilly blackbox style. As a matter of principal I don't think it's okay. At all.

Amount of money spent on security?
If I were Warren Buffet I could spend two hundred million dollars on security for a fundamentally insecure OS by buying advertisement and story space telling people it's really secure. And they would believe it. I could set up a site called port23 and look like I'm reaching out to the IT pro. Meanwhile BSD and *nix security is insanely robust at pennies (tenths of pennies?) on the dollar with code that everyone can see and test.

Enlighten me

[BlueScreenOfTOM]

Can someone explain to me why strcpy is insecure? No sarcasm here, I really would like to know.

Re:Enlighten me

[dyamkovoy]

strcpy copies one string into a location without caring about how much space there actually is. Meaning a hacker (or careless programmer) can write too much into that location and overwrite important data (such as the stack). See Buffer Overflow.

Re:Enlighten me

[tankbob]

strcpy works by reading the source string and copying to the destination until it encounters a null character.

If the source string is longer than the allocated destination buffer then data can overflow into your program code. This could be exploited to execute arbitary code.

strncpy should be used instead as it allows you to specify the maximum number of chars to copy.

Re:Enlighten me

[WWWWolf]

C language doesn't do string bounds checking. If you have char foo[123] and you say "foo[542] = 'b';", you're writing to part of memory that's somewhere after the space allocated for foo.

strcpy() basically does this: It copies, byte by byte, things from source string to destination string. If source has more bytes than destination string has, boom - you just overwrote the memory that follows the destination string.

The correct solution is to use strncpy(), with which you can specify the maximum size of the destination string.

Re:Enlighten me

[BlueScreenOfTOM]

But, if you didn't own (so to speak) the memory beyond the end of the destination string and you try to write to it, wouldn't it seg fault?

Re:Enlighten me

[caseih]

No bounds checking. Instead, always use strncpy.

Re:Enlighten me

[dyamkovoy]

Yes it would, but if you _do_ own that bit of memory, you just corrupted your data without realizing it.

Re:Enlighten me

[dtfinch]

If the string is on the stack, then overflowing it could easuly and predictably overwrite the return address to the calling function. By overwriting it it an address within the overflowed string on the stack, they could cause it to execute code in the string when the current function returns.

Re:Enlighten me

[cortana]

Yes, and that's not such a serious problem--only a Denial of Service attack. But consider the case where your memory is arranged like this:

char foo[10]  int authenticated
[            ][                 ]

Memory boxes not to scale. Or maybe sizeof(int) on this platform is really large. ;)

Anyway, if you screw up and copy an 11-byte string over foo, the final byte will be written into authenticated. Now imagine that authenticated is a flag which stores whether the user is permitted to perform a priviliged operation.

What is interesting, but not really surprising, is that Microsoft chose to replace the unsafe functions such as strcpy with their own safe variants with names like safe_strcpy (though I can't remember the exact name, it's something like that). They could have just recommended people used already-existing functions such as strncpy or strlcpy, instead of adding yet another incompatibility obstacle that must be surmounted when porting software from/to the Windows platform...

Re:Enlighten me

[spitzak]

As others said, there very likely is another allocated piece of memory right there, so you will just overwrite that, and not get an error.

Even if those memory locations are not allocated, memory protection is not per byte, but per page, so you won't get an error. Also many memory allocators will put information (such as how much memory is free and available here and where is the next free block) into the "unallocated" memory, so writing over it will cause the memory allocator to crash.

Re:Enlighten me

[chris_eineke]

The C Standard Library function strcpy copies strings, which simply are arrays of characters terminated with a binary zero (NULL, NUL, \0). Strcpy doesn't check if there's enough space in the destination buffer, so depending where and how big your destination buffer is, strcpy will happily overwrite precious data. This flaw can be used for several severe attacks against OS security. An alternative to strcpy is strncpy, which relies on the programmer to provide the size of the destination buffer so that it knows when to stop copying/overwriting data.

Please let us know when it's video.

[drinkypoo]

Please let us know, in the summary, when an interview is a video file. Some of us don't have time at work to watch videos (today, actually, I've been busy watching specific videos for work, and trying to clean them up so they don't look like crap, at which I have failed) and would like to know before we have to click down into them - especially when you can't just click the link, and have to visit the site, because the primary article link is malformed.

This is one of the crappiest story submissions I've seen in a long time.

not FUD

[McGiraf]

"claiming Microsoft is doing more to improve security than any other vendor"

That is not FUD, they started so far behind everybody else that they have to do more than anybody else just to keep Windows running

Doing more for security?

[Caine]

I'm working with Microsoft right now, and I don't think I've ever met a firm that takes security so seriously as they do when it comes to "normal" software, especially in the field I work in. So that claim might not be as much FUD as some would like it to be.

strcpy ok sometimes

[KidSock]

I use strcpy. If you know for a fact that the string is terminated then it's overkill to use anything else. For example the below is perfectly legit:

    char buf[6];
    strcpy(buf, "hello");

In fact, to truly protect yourself from invalid input you frequently need to write a state machine style input parser. It's the parser that ensures all strings are properly terminated which would mean all downstream copies could be performed safely with strcpy.

It's far more important to understand *why* strcpy should not be used. Then you'll know when you *can* use it.

Re:strcpy ok sometimes

[Savage-Rabbit]

It's far more important to understand *why* strcpy should not be used. Then you'll know when you *can* use it.

<rant>
Programmers are human and they screw up. It is easier to simply outlaw 'strcpy' in favor of 'strncpy' or 'strlcpy' than it is to re-educate the programmers. If you place the code that guarantees the string length does not exceed your predefined maximum buffer size and the code where you do the actual 'strcpy' in different places the chance of a screw up are greater than if you do what the 'strcpy' man page (more or less) recommends:

strlcpy(buf, input, sizeof(buf));

This is much less failure prone and there is much less chance of buffer overflow and the resulting string is NUL terminated. It does have portability issues but even if that is an issue 'strncpy' still beats 'strcpy' since there is at least no buffer overflow as long as your remember to NUL terminate explicitly which a lot of people don't remember to do which is where 'strlcpy' came from. That being said you are right many developers do a a lot less input authentication (which is what I assume you mean by input parser) than they should.
</rant>

Re:strcpy ok sometimes

[hab136]

I use strcpy. If you know for a fact that the string is terminated then it's overkill to use anything else.

Because variables never get overwritten with garbage, either intentionally or not. Also, only one programmer ever works on a piece of code, and would never change the length of either the buffer or the input, let alone the content. /sarcasm

In your trivial example, it's easy enough to see it's harmless, true. It's still bad practice. What is the compelling reason to use an unsafe function? To save a few characters?

Yes, it is important to know why strcpy should not be used. And then you should never use it, even when it's "safe", because it's a bad habit. Humans are much more habitual than logical, even programmers. Especially programmers at 2am after they've been on a caffiene-induced all-night coding session.

Re:strcpy ok sometimes

You are correct in saying that "helllo" is six characters. "alkjdg" is also six characters. Neither has any relation to the original post.

Re:strcpy ok sometimes

[mrsbrisby]

In your trivial example, it's easy enough to see it's harmless, true. It's still bad practice. What is the compelling reason to use an unsafe function? To save a few characters?

Yes, it is important to know why strcpy should not be used. And then you should never use it, even when it's "safe", because it's a bad habit. Humans are much more habitual than logical, even programmers. Especially programmers at 2am after they've been on a caffiene-induced all-night coding session.

I disagree with this- that somehow just enough good habits would solve all the security problems. It's plainly not true.

Instead, I find it much better to get yourself in the habit of knowing you're going to fuck it all up sooner or later and make sure that when you fuck things up, you still haven't created a security hole.

Believe it or not, this is much easier than memorizing which system calls are reentrant, and therefore safe to use in a signal handler, or whether mkdir("/") returns EISDIR or EEXIST. By admitting you are at least at one point, going to be completely incompetant (probably at 2am), you can engineer a better design.

Love it or hate it, every person who mutters about setuid, strcpy or gets should have to read the qmail source code, beginning to end. It's an excellent design that should be used as a model for how to write secure software: by partioning the risky bits away such that you can audit them completely.

As long as people keep this function q is dangerous attitude, they're going to make the big mistakes- the design mistakes that aren't really fixable: Like postfix using a world-writable queue directory and the restriction that "important files can't look like postfix queue entries", or why window messages on Win32 automatically mean the window owner is succeptable to a buffer overrun.

Re:strcpy ok sometimes

[uid8472]

As long as people keep this function q is dangerous attitude, they're going to make the big mistakes- the design mistakes that aren't really fixable: Like postfix using a world-writable queue directory [...]

The only thing in a Postfix spool writable by other than the Postfix user is the maildrop queue, which is group-writable and owned by the group that postdrop is setgid to. So, whatever problems it may have had in the past that way, they've clearly been fixed.

Re:strcpy ok sometimes

[njchick]

Just wait until "hello" is translated.

Re:strcpy ok sometimes

[Tom+Veil]

Still, in large software projects or ones that might be maintained for years, it's best to avoid it entirely. You never know when the size of the array or size of the data will be carelessly changed, especially when the project is collaborative. It might seem like overkill in some cases -- such as when one line directly folows another as in your example -- but it certainly doesn't hurt to avoid strcpy.

        #define BUF_SIZE 6
        char buf[BUF_SIZE];
        strmcpy(buf, "hello", BUF_SIZE);

Re:strcpy ok sometimes

[pipo]

Kind of true, but what about maintenance ? You basically don't put any safeguard against future errors...

Also, ensuring strings are properly terminated is one thing, but you still have to check against your buffer's size.

By using strncpy correctly you close the door to future problems; if this is really a major source of slowness in your
app, that should be apparent during profiling, and you can optimize _then_: Do not trade security for "maybe speed" :p

Here's an interesting paper by Todd Miller and Theo de Raddt on ~ the subject:
http://www.courtesan.com/todd/papers/strlcpy.html

Re:strcpy ok sometimes

[mrsbrisby]

The only thing in a Postfix spool writable by other than the Postfix user is the maildrop queue, which is group-writable and owned by the group that postdrop is setgid to. So, whatever problems it may have had in the past that way, they've clearly been fixed.

``No Postfix program is set-uid. Introducing the concept was the biggest mistake made in UNIX history. Set-uid (and its weaker cousin, set-gid) causes more trouble than it is worth.'' -Wietse Venema

This just demonstrates my point- Wietse used to think, like parent thinks (and as I assume you think, by defending him), that a function q is bad, and it must never be used.

I think, and I hope Wietse now thinks (I'm taking your word on it now- he made quite a stink about this vulnerability, and TMK, never actually acknoledged its seriousness, or his wrong-edness), that it's the programmer that is stupid.

Since the programmer is stupid, the programmer must use those few bouts of lucidity where he/she is aware of this to insulate themselves from their own stupidity. ... which is of course, exactly what insecure and buggy programs are: the stupidity of the programmer. Perpetuating this myth that insecure and buggy programs are somehow the fault of the language, or some set of unsafe library functions, is a good way to hide the stupidness of all programmers: It lets Microsoft pretend they're making security important, and it lets Wietse think he's unstoppable, and maybe, these things confuse the users of these software.

Unfortunately, that just makes another myth all the easier to spread: That it isn't possible to resist attacks from evildoers, and that security can never be absolute so why bother/cry about it.

port23? no...

[mr_mischief]

If you're going to convince people you're all about security, you don't do "port23". You do "port22".

If anyone's confused, take a look at /etc/services on your local *nix. Failing that, take a look at the IANA assigned port numbers reference.

It's not what you say...

[MarkByers]

It's not what you say, it's the way you say it. The statement may be true but it's misleading. It's like saying that 25% of companies would not consider using Linux. Sounds bad for Linux, right? But really it means 75% of companies would considering using Linux. So even though their statement is true, it's still a deliberate attempt at FUD.

Re: Article Text

[5937]

I imagine those infinite apes running in circles and shouting "patch! patch! patch!". Seems you would count that as doing *a lot* to improve security, even if the result is not improved at all?

strcpy?

[ENOENT]

Can you think of a sillier thing to criticize MSFT about? Really?

I looked at (some) of the code. They do a malloc(strlen(foo)+1), and, if it succeeds, they do a strcpy() of foo. THERE IS NO VOODOO MAGIC IN STRNCPY TO MAKE IT SAFER IN THIS SITUATION.

Really. There isn't.

Re:strcpy?

[Quantam]

And don't forget this!

(meant to be mildly humorous in a nerdy sort of way)

Re:strcpy?

[miro+f]

erm, if the malloc succeeds then it DOES mean that there is enough room for the copy. if there isn't enough room then malloc will fail.

Re:strcpy?

[Myria]

An integer overflow would imply that the string is the size of the address space minus 1. Where's the code that's executing the strcpy? =)

(Yes, this is theoretically possible in DOS and Win16...)

I hope "foo" is not direct user input from an insecure context, or its size is limited. Allocating hundreds of megabytes is bad even if it doesn't leave to a buffer overflow.

Melissa

Re: Are You Serious?

[Mongoose+Disciple]

The problem with this mindset is you think it's okay that the code that is increasingly responsible for running more things that make a country productive is never seen and can't be reviewed except for poking at it in a willy-nilly blackbox style. As a matter of principal I don't think it's okay. At all.

The problem with your mindset is that it's only correct if security is always the most important thing. It's not. The world doesn't work that way.

Microsoft always plays a losing game of catch-up to *nix in the security department, and *nix damn near always plays a losing game of catch-up to MS in the usability department. (There are, of course, many more considerations besides those two.) There are things the open source paradigm consistently does better, and there are things the commercial closed-source paradigm consistently does better. That's reality.

slight misspelling...

[absurdist]

They had the most potential with regards to security and they've finally met it, and I say kudos.

I believe it's spelled Kodos.

More FUD

[MarkByers]

"It could be at 25% would not consider Linux, 33% don't know what Linux is, 30% don't know if they would consider it or not, and 2% would consider using Linux."

Why would only 2% consider Linux? I think that's just more FUD. It's higher than that. You are just making an example but disguising it as a fact and hoping people won't notice. You could have picked any number. Why 2%?

FUD, FUD, FUD! Even Anonymous Coward is FUDing. Slashdot is really going downhill...

Slashdot has too much FUD. 99.999% of people wouldn't consider reading Slashdot.

MS Linux Labs?

[cunina]

Isn't that like "Jews for Jesus," "Rock Against Drugs," or "McDonald's New Healthy Menu?"

Re:MS Linux Labs?

[WilliamSChips]

Indeed, Daniel Jackson.

FUD?

[Pedrito]

Port 25 has on occasion put out FUD such as claiming Microsoft is doing more to improve security than any other vendor and...

I'm sorry, how does this qualify as "fear", "uncertainty" or "doubt?" Maybe FUD means something else to you? That sounds more like CCS, "calming", "certainty", and "surety" than FUD. I'm not saying their statements are true, simply that it's not FUD.

Re:FUD?

[WilliamSChips]

It's implicit FUD. Saying that Windows is doing the most about security is saying that everyone else is doing less and therefore is less secure. This isn't even Alanis FUD and you're complaining!

Re:Why Port 25

[AlXtreme]

I don't know if you get SMTP yourself. You receive email via SMTP (port 25). So actually, if they were to see themselves as 'Port 25' then they see it as a means to get feedback and thus listen to us. Exactly as MS meant.

Oh, and please hand in your geek card at the door.

strcpy_s not MS specific

[Kunta+Kinte]

What is interesting, but not really surprising, is that Microsoft chose to replace the unsafe functions such as strcpy with their own safe variants with names like safe_strcpy (though I can't remember the exact name, it's something like that). They could have just recommended people used already-existing functions such as strncpy or strlcpy, instead of adding yet another incompatibility obstacle that must be surmounted when porting software from/to the Windows platform...

Unless I am mistaken, strcpy_s() and the other 'safe' variants are part of and ISO standard. Check out https://buildsecurityin.us-cert.gov/daisy/bsi/arti cles/knowledge/coding/314.html

The thing is even the wiki article gets this wrong.

I think Bill is waiting for an apology for your rant :)

Re:strcpy_s not MS specific

[cortana]

Part of a (very recently published) ISO standard they may be, but for now they are still annoying, Windows-specific warts. Judging by the speed with which the C99 standard is being implemented, I think this situation will continue for many years.

Interesting - used MP3 encoding

[xtaski]

found it interesting Microsoft is using MP3 encoding for this and not Windows Media... hmm...

Re:Interesting - used MP3 encoding

[Ilgaz]

Because there is no windows media player for Linux. Mplayer doesn't count. It is third party.

Windows Media Player for OS X is half dead too. What they did is acquire global license of a great small companies product, telestream flip4mac and they distribute it as "windows media components for quicktime". While it works better than Wmedia for OS X (surprise!) can't be counted as a true dedicated player.

I wrote these details to show another minor proof that MS didn't change. If they have changed, let them release windows media player for Linux. Setting up a geek , lame named "port 25" and interviewing with Icaza doesn't change anything. I can't find the slashdot story but they didn't invite those Mono guys to some conference I remember.

Re:Or do it my even better way!

[sholden]

So all the negatives of strncpy with none of the positives.

It might be better to restrict the length copied to match the destination rather than the source...

Even if you did that right, you didn't null terminate after the call, and even if you added that extra bit of code you'd be wasting time setting chunks of bytes to 0 because strncpy is retarded.

Re:Or do it my even better way!

[david.given]

strncpy(buf, input, strlen(input));

Or even:

char buf[6] = "hello";

(works in the original coder's example because he declares buf in the same basic block).

Not only does this approach avoid calling any functions and may well produce faster code, but if your string is longer than your buffer, it'll zero-fill it for you automatically. One caveat: if your buffer is exactly the length of the string, it won't get zero-terminated and the compiler won't warn you, but habits like:

char buf[6] = "hello\0";

...will warn you of that.

RH9 (non) support no big deal.

[darkonc]

There are a few reasons why Redhat not continuing support for RH9 isn't a big deal...

1. Linux is open source. That means that, if there's a problem that's a show stopper for somebody, a company can (or a group of them can get together to) take the (available) source code, and put in the fix themselves... If there's actually a large body of companies that are using RH9 for important applications, then all sorts of company can (and will) pop up to provide that support (as happend when 7.3 lost support -- One friend of mine that still has a machine or two running 7.3 still has a choice of companies to get support from.)

   I would note that, while people who were using 7.3, way back when they still have access to third party support, while people who paid good money for windows ME and 2000 are gonna be completely SOL if they need something done, and Microsoft refuses to do it.

   There's been a coupl of times when I dug out the sources to a Red Hat RPM, added functionality that dealt with a problem that a customer was having, and offered the changes back to Red Hat. Anybody can do that.... Unlike Israel who almost had to go to war to get Microsoft to (ahem) 'graciously offer' to fix the Hebrew support in Microsoft's OSX version of Office.

Re:RH9 (non) support no big deal.

[Quantam]

Holy crap. Do you actually expect somebody to buy that? Well, if anybody is going to, it will be the "power users" like you and me, who have very little on the line, in terms of money. I don't know what planet you think you're on, but here, when the executives at a company find out that they're gonna have to write their own fixes for critical bugs in a piece of software they already paid for (or, alternately, have to rely on fixes written by someone they don't even know, or simply pay again for the same software), everyone who recommended using said software (and probably lots of people who didn't have a say in the matter, but had to work on the transition anyway) is gonna be looking for a new job.

Re:Miguel is the savior of .NET

[SanityInAnarchy]

Mono has better cross-platform support

That Microsoft doesn't give a shit about,

So why the fuck are they doing a bytecode language?

The rest of your post is equally trollish, but I just thought there was a point to be made there.

Re:Or do it my even better way!

[KidSock]

I think he is being sarcastic guys. Strlen(input) is an overrun in itself.

Full interview

[Rob+Kaper]

helo
501 Syntactically invalid HELO argument(s)
hello
500 unrecognized command
hey gnome boy
500 unrecognized command
sod off
500-unrecognized command
500 Too many syntax or protocol errors
Connection closed by foreign host.

Text version

[MobyDisk]

Does someone have a link to a transcription?

Re:Miguel is the savior of .NET

[sproketboy]

"So why the fuck are they doing a bytecode language?" Er, cause they want to pretend they're Java? Fact is since M$ hasn't bothered to provide a .net runtime even for the Mac (Ok i understand not porting VS) indicates to me that they're not bothering to compete with Java since they lost anyway.

Re:Miguel is the savior of .NET

[Ilgaz]

There is .NET runtime/framework for Mac but nobody has a clue what they will use it for.

At least me...

Re:Ahh .NET in action

[jpardey]

...Microsoft Windows NT version 5.5; Microsoft Toaster version 4.5; BSD network stack version 0.5b; gnuutils version 2.1; Microsoft Bob sp3 version 2.356287; Screensaver directory C:/Windahz/; ADMINISTRATOR password: rock0u7; BZFlag version 2.1; VirtualDancer version 2.4b; stupid troll jpardey version 1.2; PHP.NET version 1.2.867.5309...

interview != commenting and rambling

[tolonuga]

doing an interview is about asking questions and letting the person you interview talk.
I get annoyed a lot by stuff like this where the interviewer comments all the time or
talks about his own agenda rather than giving the spotlight to the person interviewed.

Re: Are You Serious?

[gbjbaanb]

I wouldn't agree that Linux is insanely robust - today I'm upgrading my kernel becuase of security flaws in the one I'm currently running. Again. Then, almost every time I type "yum upgrade" I get updated packages with security fixes in them. So linux is insanely secure? no way, just stop with the bigoted posts ok.

Back to the article comment - they said MS was doing th emost to improve security. Well, fair enough - they have made great inroads on fixing loads of stuff, it is not a big priority at MS, so yes, I think I can safely say that "MS is doing more to improve security than any other company out there", simply becuase they're improving their product the most (you could say Linux doesn't need to be improved very much)

Java's a disease as well

[WilliamSChips]

Java's just a less virulent disease. The cure is Python.

Re:Java's a disease as well

[WilliamSChips]

Because C++ is a lose in every possible way.

Re:Java's a disease as well

[WilliamSChips]

You do realize that if you want "speed" you go for C and not the bastardization that is C++ right? You do realize that people insisting on low-level langs like C and C++ is the reason we have so many fucking buffer overflow problems, right?

Re:Java's a disease as well

[WilliamSChips]

You are an AC. I am a registered user. Who do you think is more trustworthy?

Use it, but use something like PREfast

[Myria]

Microsoft's PREfast stuff lets you mark up code to say how the parameters to functions work. If you accidentally put a "5" instead of "6" as your array size, the compiler would notice a violation of the rules and issue a warning. It won't pick up everything (see "halting problem") but at least it'll find the obvious things.

There are performance reasons to use strcpy.

I personally feel that strcpy on a buffer allocated by the same function is okay, but doing this across functions is bad because someone else (or you years from now) modifying your code won't know to do that.

Melissa

GNUStep!

[Burz]

Yes, you are absolutely right IMO.

GNUStep is definately one of those frameworks where on several occasions I've looked at it and thought "Oh, what could have been."

Qt4 has drawn my interest, but I fell flat on my behind trying to get it compiled on OS X.

Re:Miguel is the savior of .NET

[SanityInAnarchy]

Why does it matter that they can, if they won't? In open source, it would matter, that's why we like Mono. In proprietary stuff, all that matters is what they want to do, not what they can do that they won't and we can't.

And you still haven't answered my question.

Re:Miguel is the savior of .NET

[SanityInAnarchy]

There's Mono, and then there's Rotor. I don't know about the Shared Source licensing on Rotor, and Mono still has rough edges.

But certainly, Microsoft isn't planning to release it for the Mac.

Re:Miguel is the savior of .NET

[Ilgaz]

So even a non developer end user like me laughs to claims that .NET will crush Java. I mean come on, it even runs Opera Mini my cellphone right now.

I have read some military mags and I got completely amazed at Java's success there too. I mean targeting, radar systems all run java etc.