Are All Bugs Shallow? Questioning Linus's Law
root777 writes to point out a provocative blog piece by a Microsoft program manager, questioning one of the almost unquestioned tenets of open source development: that given enough eyeballs, all bugs are shallow. Are they? Shawn Hernan looks at DARPA's Sardonix experiment and the Coverity static-analysis bug discovery program in open source projects to conclude that perhaps not enough eyeballs are in evidence. Is he wrong? Why? "Most members of the periphery [those outside the core developer group] do not have the necessary debugging skills ... the vast numbers of 'eyeballs' apparently do not exist. ... [C]ode review is hardly all that makes software more secure. Getting software right is very, very difficult. ... Code review alone is not sufficient. Testing is not sufficient. Tools are not sufficient. Features are not sufficient. None of the things we do in isolation are sufficient. To get software truly correct, especially to get it secure, you have to address all phases of the software development lifecycle, and integrate security into the day-to-day activities."
They become a lot shallower when you can look at the source code.
As we can all see, this has gone famously for Microsoft.
...the proof is in the pudding?
What do they say?
Sounds like he's selling something.
Unless you're writing some insanely complex application like a launcher for thermonuclear missiles, you pretty much will have user error as a major instigator of bugs.
Until you get your code into the hands of users who - for example - will repeatedly hit the ENTER key while waiting for a response, you don't have a clue what might happen.
The Kai's Semi-Updated Website Thingy
Ok, you win. Most open source software hasn't been reviewed very much. Some open source software has security holes, and should not be trusted.
But, all proprietary software should not be trusted, at all. Proprietary software, by definition, has not been reviewed by anyone who hasn't entered into an agreement with the seller. The risk of accidental holes may be less, but the risk of intentional back doors is much higher.
This is precisely the kind of argument you become susceptible to if you think that an attribute of software (security) is more important than your freedom. Shawn makes some good points about the technical quality of software and it's true there may not be enough eyeballs to find bugs in free software, let alone hands to fix them. What Shawn would have us take from this article is that free software may not be technically superior. It's an attempt to frame the argument and shape what people think is important in software. Unfortunately, if you care about software freedom, Microsoft's FXCop and PreFast-clean mean nothing. Their software disrespects you as a user and keeps pushing the limits in dividing and taking power away from their user base. Don't buy this line. Choose freedom first and interested parties will take care of attributes like security, ease-of-use, and compatibility over time.
But then again, you get what you pay for so... oh wait
Ahhh, the dream that a perfect process will make up for the imperfect person.
We should be careful not to let Microsoft deflect the conversation about software away from the ethics of using software you can't change, provide to your neighbor, or improve when you need more features. If the OPs conclusion is that free software may not have this particular leg to stand on in the arena of technical superiority, we must point out that freedom is our primary concern and that we each focus on security to the extent that we must obtain additional security for our software.
Except the point he is trying to make is that his code is better then the competing individual because he follows process doctrine.
Unfortunately, to make his claims stick he took a failed project as an example to support his theories. While being quite pointed in defining which projects failed, he did not cite which projects of his have succeeded. This would have been at least a good starting point for a real argument.
Is good process doctrine wrong? No, it won't hurt of course, but it's not quite a kevlar vest against root shells.
Besides more examples from both sides of the camp, he really does neglect several facts. Many open source projects are often led or participated in by professionals as well. In fact, a recent article suggested a great many more open source projects are corporate sponsored.
It's just an awful piece when you consider he is painting his enemy as both unprofessional and only arming that foe with one failed project example.
Personally, I wanted to read something useful that I could learn from and grow with, but this is pretty standard tripe.
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
Since when does MS have the right to say "To get software truly correct..."? They KNOW how to make software secure?
One of my most difficult bugs was fixed by simply rescheduling the time a datamining job was to run (which was integrated into a massive ERP system with other major components of which I had no insight). It took at least 24 hours to test every time I created a new build. Essentially it was a scheduling ordering issue, where pre-processing of other processes wasn't done in time. It took me a month to figure this one out. Sometimes the bugs are outside of the scope of your own system, and the bug will probably re-arise as data grows. I've also had some difficult threading issues where a wait is never notified caused by bad error handling, which was fixed by simply renaming a file (after 1 month of multi-threaded debugging with the final session taking 3 days for one execution).
That's kinda funny.
I spent part of today working around problems with a closed source application.
The other part of the day has been working with an open source program, where I've already solved the problem, and am documenting my changes to pass back to the author for the next release.
I'm not a "core" developer for any public projects. I've never submitted a bug fix to someone like Microsoft (but have sent bug complaints that went unanswered). I have sent quite a few bug fixes for open source applications, most of which were used in future release. I'm just another guy, or as indicated, another pair of eyes.
Serious? Seriousness is well above my pay grade.
I wouldn't say that your statement is true. It's possible for a defect introduced in the requirements or design stages of development to find its way into the code, but occasionally a programmer makes an error in a loop that leads to a problem; perhaps they meant to use greater than or equal to, but only used greater than.
What process error is that other than human error? There's almost no way to ensure that human error will never occur regardless of what type of process is being used. You can argue that proper testing should catch the bug, but not all software has the luxury of complete testing, and once again it's possible that due to human error a test case is left out. I suppose that you could require the software use formal methods to get around that, but at that point time and cost are going to become a large issue.
You can't stomp out all of the bugs during development, especially if you have some non-trivial system. One of the major benefits of open source is that third parties can and do spot bugs of this nature and can correct them or notify the developers. It's a recognition of the fact that developers aren't perfect and neither is their code.
Many bugs are caused by the silent L in the word USER.
His argument is also wrong. He's assuming that just because developers are *paid* they are more productive than unpaid developers. How do you know that paid developers are not surfing the web all day? I just don't buy this at all...
Bugs are an error in the process, not the code. If you find a bug, you need to find the process error that allowed that bug to occur.
Agreed!
I read, with interest, the referenced article. I was expecting FUD - but I didn't find much, until I reached the Conclusion.
e.g.
The many eyeballs argument is neat, tidy, compelling, and wrong.
The article starts with
Eric S. Raymond wrote , “Given enough eyeballs, all bugs are shallow.” He calls this Linus’ law.
and then attempts to refute. Fair enough. Except - the link leads to The Cathedral And The Bazaar - where I cannot find the quote... Hmmm
Now this might be relevant if the "many eyes" routine was the only form of audit used in GNU/Linux - but it is not the only form of review/audit used. I'm sure other, more knowledgeable posters will be able to provide more evidence than I could find in a quick search.
I call FUD
I also think a big difference is that you psychologically don't write shitty code when you think others are going to look at it.
Coders that write shitty code don't know that they write shitty code. From their perspective the code is just fine and even very good. Whenever I told someone I didn't like his code and challenged him to explain what he did and why, he only answered: "erm, well that is what the code should do as the requirements demand that". They had no idea what my point was, and when I pointed it out they shrugged and did not understand or value my concerns.
angel'o'sphere
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
It's also why something is in the last place you look - because you stop looking !
All bugs are shallow because eventually someone smarter than you looks at it, and it's obvious to them. How often and how soon this happens in practice is an exercise for the reader :)
I want to delete my account but Slashdot doesn't allow it.
There is a problem of deflection on another level. Most of Microsoft's problems when it comes to security are design issues. Creating and then enforcing standards and policies with respect to source code and development process is not going to help if the whole thing is broken as designed. You will end up with a very consistent turd that looks good on paper.
Buffer overruns and such are not the most serious problem.
A Pirate and a Puritan look the same on a balance sheet.
If one qualified programmer can write a bug and it takes at least one qualified programmer to find that bug, then how can it actually be damaging to have many look for the bug? Once it is identified, even by a "non-qualified" programmer, others can address the issue much quicker. He seems to try to relate literal depth in the code to the comment "bugs are shallow"; while some bugs may be subtle and complex, like all software after QA, first release and further have been completed, others may be found much later on in the development cycle, but they have to be looked for. Most professional (paid to work on the software in question) programmers write the software, debug, submit to QA, and hands are pretty much off until they hear back. Something may come to mind later on that he/she may go back and change, but who's to say someone, professional or not, isn't sitting back and actually discovering a flaw on his own time? Is that necessarily a bad thing? The change still has to be submitted to and committed by the (qualified) team that wrote it in the first place to change their software release. So in short you can't really question "Linus's Law" in this regard because it's only adding to the project, either by feature requests or bug reports. This keeps the software relevant and popular, which is a good thing ... right?
A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
Any technological endeavor human beings work towards will always be subject to "more eyeballs means improvement". If there's not enough eyeballs, then there simply isn't enough people working on the problem.
I haven't RTFA, but from the summary, most of what this program manager says is intuitively obvious.
SB
It's old. The more humans I meet, the more I like my cats. At least they are honest.
...though perhaps not in the way he intends.
Look, software is *hard*. Building an OS kernel is like assembling a thousand watch movements by hand. You're going to screw up. It's not a matter of "if". There Are Always Mistakes.
Now, when he says "truly correct", I'm assuming he doesn't mean formal proving. That would be absurd, especially for an operating system as complex as Windows or Linux (or really anything with limited resources). Anything short of the formal proof and you just have empirical evidence that it works - but if there's a billion branches and trillions of code paths, nobody will hit all of them with all data.
Fact is, stuff is going to break. You can't prevent it.
So if we can't keep code from breaking - if all significant code is buggy - what's the answer? Well, with open-source code you can find a bug in your application and debug through the kernel itself, finding out why your syscall isn't returning the right information, and fix it yourself. Then everybody benefits from your work - keep in mind, you only did it (or needed to) because your application exposed a flaw. If you're using Linux 1.8 for some unholy reason, well you can fix it anyway (just nobody else will care).
But if you're using Windows, and you get bad return data from a method, your best shot is probably going to be to just coerce the data how you want it. This happens *all the time* in closed-source software - handle a buggy OS method with a special case.
So "many eyeballs" is correct, but not because there are thousands of expert code analysts poring over every git commit. It's correct because any piddly little application developer can debug the kernel itself, following his own method calls around to make sure they do the right thing. Even if he doesn't know how to fix it, he'll be able to say "doThis(*myData) isn't returning the right value" and lead the experts (writers/kernel hackers) straight to a fix.
This is the strength of open source, at least from a code quality standpoint.
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
The funny thing about this article is that he essentially never mentions (a) design flaws or (b) perverse economic incentives to sell defective software. IMO these are probably the two biggest reason why MS has such a terrible reputation on security.
As an example of a design flaw, there are lots and lots of things that MS designed for ease of use, while ignoring security. MS software is way too willing to execute code in an email or on a web page just because they wanted to do something flashy without putting any responsibility on the user to know what the heck was going on. This is a design flaw. No amount of debugging will ever fully succeed in working around it.
The economic incentives to ship buggy, insecure software are also huge. Companies gather revenue by putting out a new version of the software with a long list of features. Users who buy the new version of the software generally have no way of knowing that it's full of bugs. MS is of course infamous for this.
Of course the implication of the whole article is that MS pays people to fix bugs, while nothing like that is going on in the open source world. This is complete nonsense. Most well known open-source projects are written by paid coders. But let's not let facts get in the way of MS advertising.
Find free books.
From the article:
One cannot deny the logic. In fact, it is a tautology. If you assume that all individuals have a non-zero probability of finding and fixing a bug, then all you need is "enough" individuals.
Emphasis added by me to show where I think his argument goes off the rails. "Linus' law" does not assume that each eyeball is a bug fixer; it simply states that bugs are made shallow. Often the hardest part of fixing a bug is knowing about it, and finding it. The open source process makes it easier to do both, even if there is only a small group of coders actually fixing things.
This is not about how many software engineers you have reviewing your code. It's about how your end users can interact with the software engineers.
Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.
What the essay fails to capture is the nature of the functioning of the eyeballs in practice, between open source and closed source. In closed source, the eyeballs only look at what they are paid to look at; if the code is just barely good enough to sell, then out it goes and nobody looks at that code again until the complaints start rolling in, and then and only then do they fix it. Well, sort of fix it: they of course only fix it just barely enough to silence the noisiest of complaints, and then only if there are real consequences for failing to do so. Don't think so? Then try this http://social.technet.microsoft.com/Search/en-GB?query=this%20is%20a%20know%20fault&ac=8 and a huge number of them have never been fixed.
Open source follows a completely different series of routes;
1) People looking for faults because they get a kick out of finding them and fixing them.
2) Tweaks to functions that indirectly remove bugs by simply replacing them with better code.
3) Discoveries in user interactions, less of a complaint because there is no force in pushing the fix.
5) Governments and government departments directly pursuing more secure code.
6) Corporations seeking to build a public reputation by demonstrating coding expertise.
So in the case of open source software there are many 'different' kinds of eyes, so those eyes all working from different perspectives do in reality make bugs very shallow. In the closed source proprietary world the bugs are buried in the depths of the code, hiding in the dark, basically because of profits versus workmanship issues, which means no light is shone on them because only one set of eyes looking from a single 'shallow' perspective looks at them.
There is of course one other set of eyes looking at code, the saboteurs both private and government, looking for faults to exploit. Hard with open source because it can rapidly turn around and bite you on the arse if you use it (if you protect against it everybody notices). Closed source (mostly, but a lot of less than honourable eyes end up looking at it) of course can be targeted as long as you, well, use open source code yourself whilst promoting closed source to everybody else (hmm, kind of reminds me of all those mainland China computer companies, odd that, isn't it).
Chaos - everything, everywhere, everywhen
I think that in Microsoft's case in particular, all the exploits out there prove the opposite of his case.
I'm not a MS dev or even anyone important, just a small business owner who fixes infected Windows machines (it's better than 3/4 of the work I do, sadly) so it seems to me that security wise at least he is way off base - the many more eyes that are looking at MS Windows without even having access to the code base are doing a pretty damned good job of finding security bugs in it.
Ladies and gentlemen, the article author is making a strawman argument. By transforming "Linus' Law" into a badly written syllogism, and pointing out examples where _his invented syllogism_ fails, he's implying that closed source is _better_. Unfortunately, the vulnerabilities of closed source are often worse, by comparison and from experience.
This is a classic absolutist fallacy. The author has taken what is essentially a rhetorical way of stating a more precise claim (that bugs become more shallow with more eyes and that as you increase this number the shallowness increases). The author has then found that that statement in its most general form might not be correct or might not be the whole story. And therefore decides to throw out moderate versions of the claim. I am not impressed.
Newsflash "Microsoft Employee quotes another Microsoft Employee who says Open Source is crap".
I might give the blog some small amount of thought if Microsoft had ever produced any software of any quality whatsoever. Microsoft's area of expertise has always been in marketing and this is an example of it.
More specifically, if you're going to attack the logic of a statement please don't use an argument to authority to do so.
Not necessarily. If it's a quick and dirty hack to get something done in a short period of time on a "temporary" basis, then it's quite possible the programmer intentionally wrote "shitty code" - and KNEW it was shitty code.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
True, but that's not what he is questioning. Given two identical projects that are fairly complex (i.e. an OS kernel) he's saying that just being open source doesn't necessarily provide "more eyes". While I think there is a bit of merit to this, it certainly doesn't hurt to have more eyes possible - especially when you don't have to pay for them.
Agreed, of course. However, the converse is important, too:
Given two identical projects that are fairly complex (i.e. an OS kernel), being closed source virtually guarantees that there won't be 'more eyes'.
But the real question is: How many eyes are enough?
The answer is its own problem: Only one more pair. The tricky part is figuring out whose they are. (Yes, I'm in screaming agreement with what the OP is saying.)
It's a quality issue as much as it's a question of quantity. Ben Laurie, writing about the Debian OpenSSL Fiasco, states:
So yes, it does matter whose eyes are turned to a particular problem. The difference between FOSS/Open Source and Closed Source is therefore whether the Closed Source company has hired the right people and whether the FOSS project has gained the attention and interest of the right people.
Neither of those situations is guaranteed, but they are not at all equivalent. (Especially when we consider that for many of the best FOSS products, gaining the attention and interest of the right people is done by employing them.) Realistically, FOSS faces better odds of having bugs found and fixed, all else being equal.
Crumb's Corollary: Never bring a knife to a bun fight.
What do we have to do to get you to stop posting?
Which is a process problem, right? If the process that is set up is to have coders blindly write code to spec, defined input/output and no other architecture requirements - then the fact that the entire product is a mess isn't that coder's fault - it's the fault of a process that didn't include proper architecture standards.... maybe.
Good process might not hurt but my experience is that it is directly related to how fast many projects get mired down and never write any code. People get so involved in process that they never do anything. Process can be good but you have to avoid letting process become more important than coding. A perfect program that is never written isn't very useful.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
One of these things is not like the other...
Features are to software correctness as apples are to oranges.
Really, do not subscribe me to your newsletter, mr 'program manager'
I don't know the meaning of the word 'don't' - J
Let me rephrase this for him -
"For 25 years, we deliberately chose to ignore the bitter lessons that were learned by the big vendors, to take shortcuts to ship shit software first and fix it later, and to build up massive layers of cruft in the name of backward compatibility. Now we are caught in a nice pickle as we've spent years trying to fill the leaks in our crap - some of which is so insecure that, 8 years after the launch, we still have record numbers of bugs in Windows XP almost every fucking Patch Tuesday - and restructure it into something rock solid.
However, until we can get this done, we need to play smoke and mirrors, convince you to toss Win XP - and your old PC, most likely - buy our latest and greatest, and spit out evermore FUD about how nobody else can get stuff done except us.
Ladies and gentlemen, I give you the M$ business plan, and I'm pleased to say that it's working as well as ever. Thank you all."
Pain is merely failure leaving the body
Then you probably miss out on a lot of good information because someone makes a basic mistake.
IME pedants are usually so busy proofreading they miss the gist of the content. ;-)
Me included!
I'm all for open source software. I could give you a dozen reasons why it's a great thing.
But does anyone REALLY believe it's bug-free because there are lots of eyeballs on it?
From the first time I heard that argument I thought it was laughable and not backed by any solid evidence.
He's attacking that argument for a simple reason: Because he can. It's a stupid argument.
And he's getting people all worked up and distracted over it.
Meanwhile, in the next room, Microsoft salespeople are convincing your boss they need to switch all your licensing to a yearly subscription model, and that there's no reason why you should actually OWN the software that you're paying all this money for.
But at least with open source you can find and apply the proper eyes to software you did not write yourself instead of just trusting the vendor.
Since you know so much, point out the design problems in the NT kernel. Let's go for a small number - 10.
I'm not sure if you read my comment closely. I do see his point as valid and we do need more eyeballs and hands on free software (not open source). I just don't want people to miss the forest for the trees. The trees are the many technical, popularity, and quality arguments that are posed by proprietary software developers to obscure a more pressing issue: user freedom. Note, I'm not talking just software freedom here. We need software to live our lives, but we also use many services that seek to lock us in, categorize us, track us and direct us to perpetuate ourselves as good little consumers.
You posted as AC possibly because you feel your point of view is not popular on Slashdot, but I really wonder. Aren't you concerned about your future freedom when so few companies control not just your communications, your periodicals, but the very instruments (your computer and devices) you use to take in this digital world?
bla, bla, bla ,bla, bla
Got Code?
Bwahaha. Nothing to see here.
I've had that argument posed to myself actually. My manager preferred I post often and clean it up later as the project evolved.
I'm more of a design, document, implement kinda guy. More often than not my initial designs and goals are a bit more complex and generally solve more problems than one.
However, they paid the bills, so in the end it's up to my employer on my style. I prefer to make art more than utilities ;)
Ok, I've got some news for you. The quotation is not meant like an immutable law. There's a really good, important point there, but it's still just a meaningful aphorism. Let me help you with this -- when you see "given enough eyeballs, all bugs are shallow", read it as "given enough eyeballs, [almost all] bugs are shallow". Does that help? Can we move on now? This discussion is so stupid it's almost painful. Here are some other things to know: MS blog author wants attention; ESR is a self-important moron. Thank me later.
Let's see:
Mr Microsoft Man: "Eyeballs alone won't make a kernel secure."
Mr FOSS Man: "Writing unfree software is immoral!"
Let me try this on for a couple of other common criticisms of some FOSS projects:
Mr Web Man: "Safari is way faster than Firefox on OS X and uses less resources."
Mr FOSS Man: "Writing unfree software is immoral!"
Mr Netbook Man: "The Gnome desktop is still kinda clunky, even after all these years."
Mr FOSS Man: "Writing unfree software is immoral!"
Mr Graphic Designer Man: "Linux still doesn't do proper color management."
Mr FOSS Man: "Writing unfree software is immoral!"
Mr Gamer Man: "There aren't any decent games for Linux."
Mr FOSS Man: "Writing unfree software is immoral!"
Who's derailing the conversation here, again?
Like they know anything about finding or fixing Bugs...Puuleeze. I take anything I hear from Redmond as complete BS, Except for news of Ballmers termination/resignation..at that point, I go ALL-IN on their stock.
I've written a lot of code on short notice for deadlines; but even then I can't say I've written "shitty code" in a long time. But I limit my interpretation in such cases to code that is bug prone and/or hard to read. Anything that is stable and easy to read can be optimized/expanded at a later time if necessary.
Mathematically, the many-eyeballs argument, and the million-monkeys argument are equivalent.
Yes, but this is only true if N(eyeballs) = 2 million - N(one-eyed monkeys) - 2*N(zero-eyed monkeys). Of course, once we have humans and their eyeballs involved, we will need to modify this recently discovered Microsoft monkey-eye theorem. We should inquire if Microsoft considers human and monkey eyes equivalent in order to determine the effective conversion factor between human and monkey eyes.
A Microsoft Creationist would set the conversion rate at infinite, since our eyes are in the image of God, and monkey eyes are not in God's image. I find this ironic, since God is invisible and therefore has no image.
A Microsoft geneticist might argue that the similarity in eyeballs is comparable to the similarity in the genetic code that encodes the eye. This might state that monkey eyes and human eyes have 90% of their genes in common. However, these genetic differences represent a vector in an N-dimensional space, where N is the number of genes required to express an eye. If we assume that human eyes are the reference, we can determine the 'gain' (presumably less than 1) of the monkey eyes by finding 'eye-gain' vectors of the monkey eyes. We can then use a standard inner product to determine the 'eye-gain' values for the various monkeys used in this "Microsoft Writes an OS with Monkeys at the Keyboards Experiment".
In either case, Microsoft will need a new Math to support this claim. When the blogging Microsofty proves this assertion mathematically, I will be only too happy to equate Microsoft with monkeys coding an operating system.
Think global, act loco
Freedom is your primary concern. There are certain ethical quandaries that people just don't care about. For example, most people know that the low, low prices at large department stores are directly due to shabby treatment of workers in China and India, but they still shop there. Most people know that the meat, eggs and dairy that most fast food places use come from animals who live in tiny cages for all of their short lives, but people are still ordering sausage-and-egg-McMuffins. In this case, most people don't care (or even know) that the software isn't "free"; all they care about is that it works the way they want it to. If you want to support free software (as I do) on ethical grounds, that's well and good. But be aware that you're digging yourself in - alienating those who don't care whether or not software is "free" by telling them that quality and security are lower priority (and if there's one thing F/OSS needs, it's more users, because users => market leverage).
So instead of brashly saying "security and quality" are low priority, why not attack the flawed argument? A F/OSS project will always have more eyes running over the code than a closed source project of equal magnitude. And to those who suggest that the closed source coders are just better, remember that open source needs less LoC (because we can use each others' code, licence and political issues notwithstanding), and as every good coder knows, every line of code is a potential bug, no matter how good the coder. F/OSS gains twice from this - firstly, we have half as many lines, and secondly, our LoCs are read twice (once by the original coder, and once by the guy re-using it). So it's not even a question of whether or not the bug is shallow - it's more that the pool is half as deep.
Of course, humans cannot think of everything, but with the right software model and the right tools, we will be able to. For the same reason that we use tools to perform complex calculations flawlessly, calculations that we use to have an extremely hard time doing reliably manually. We don't have the right software model in which to construct rock-solid applications because we are not thinking outside the box. We are addicted to our way of doing things.
I defend the hypothesis that the two major crises that afflict the computer industry (unreliability and low productivity) are due to our having adopted the Turing Machine as the de facto computing model in the last century. The thread concept (algorithm) is fundamentally flawed and the use of multithreading in multicore processors exacerbates the productivity and reliability problems by at least an order of magnitude. The only way to solve the crisis is to switch to a non-threaded, non-algorithmic, synchronous (deterministic), reactive and implicitly parallel model.
The big surprise in all this is that the solution to the crisis is not rocket science. It is based on a simple parallelizing concept that has been in use for decades. We already use it to simulate parallelism in video games, simulations and cellular automata. Use two buffers; while processing buffer A, fill buffer B with all the objects to be processed during next cycle. When buffer A is done, swap buffers and repeat the cycle. Two buffers are used to prevent racing conditions and ensure robust timing. No threads, no fuss and the resulting code is deterministic. We just need to take the concept down to the instruction level within the processor itself and adopt a synchronous reactive software model. It's not rocket science.
Folks, the days of Turing, Babbage and Lady Ada are soon coming to an end. It's time to wake up and abandon the flawed ideas of the baby-boomer generation and forge a new future. The boomers were wildly successful but this is a new age, the age of massive parallelism and super complex programs. The boomers need to retire and pass the baton to a new generation of computists. Sorry but that's the way I see it.
Rebel Science News
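The two-buffer scheme the comment above describes, written out as an added example (this is not the commenter's code and makes no claim about the instruction-level or hardware version of the idea). It runs one step of a cellular automaton (Conway's rule on a constructed 5x5 grid) both ways: reading from buffer A while writing into buffer B, and the flawed in-place variant that overwrites cells while later cells still read them. The grid, rule and function names are assumptions made for the example.

```python
"""Double-buffered versus in-place update of a cellular automaton.
Constructed example; the grid, rule and names are assumptions."""
from typing import Callable, List

Grid = List[List[int]]

# Constructed sample input: a vertical "blinker" of three live cells.
BLINKER: Grid = [
    [0, 0, 0, 0, 0],
    [0, 0, 1, 0, 0],
    [0, 0, 1, 0, 0],
    [0, 0, 1, 0, 0],
    [0, 0, 0, 0, 0],
]


def live_neighbours(grid: Grid, r: int, c: int) -> int:
    """Count live cells among the 8 neighbours; cells off the edge count as dead."""
    rows, cols = len(grid), len(grid[0])
    total = 0
    for dr in (-1, 0, 1):
        for dc in (-1, 0, 1):
            if dr == 0 and dc == 0:
                continue
            rr, cc = r + dr, c + dc
            if 0 <= rr < rows and 0 <= cc < cols:
                total += grid[rr][cc]
    return total


def next_state(alive: int, n: int) -> int:
    """Conway's rule: a live cell survives with 2 or 3 neighbours, a dead cell is born with 3."""
    return 1 if (alive and n in (2, 3)) or (not alive and n == 3) else 0


def step_double_buffered(grid: Grid) -> Grid:
    """Read every cell from buffer A and write every result into a fresh buffer B.
    No cell is overwritten while others still read it, so the outcome does not
    depend on the order in which cells are visited."""
    rows, cols = len(grid), len(grid[0])
    out: Grid = [[0] * cols for _ in range(rows)]
    for r in range(rows):
        for c in range(cols):
            out[r][c] = next_state(grid[r][c], live_neighbours(grid, r, c))
    return out


def step_in_place(grid: Grid) -> Grid:
    """The flawed variant: a single buffer updated as the scan proceeds, so cells
    visited later see already-updated neighbours (the sequential analogue of a
    read/write race). A copy is taken so the caller's grid is left untouched."""
    grid = [row[:] for row in grid]
    rows, cols = len(grid), len(grid[0])
    for r in range(rows):
        for c in range(cols):
            grid[r][c] = next_state(grid[r][c], live_neighbours(grid, r, c))
    return grid


def run(grid: Grid, steps: int, stepper: Callable[[Grid], Grid]) -> Grid:
    """Apply `stepper` to the grid `steps` times (the swap-and-repeat cycle)."""
    for _ in range(steps):
        grid = stepper(grid)
    return grid


if __name__ == "__main__":
    for row in run(BLINKER, 1, step_double_buffered):
        print(row)
    print("in-place result equals double-buffered result:",
          step_in_place(BLINKER) == step_double_buffered(BLINKER))
```

With two buffers the blinker flips between its vertical and horizontal form every cycle and returns to the original after two steps; the in-place scan kills every cell in one pass, because each cell's decision is made against neighbours that have already changed. That order-dependence is exactly what the second buffer removes.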
Open source bugs get fixed because people notice and are bothered by the bugs. This is the biggest motivator of open source contributions - everybody has an itch to scratch. The bugs that get fixed fastest are the bugs that are encountered the most. And this is why the Microsoft guy is absolutely correct in his analysis.
Bad security is not a user-facing bug. Unlike functionality bugs, there is little incentive for community members to identify and fix security bugs. Sure, the Linux kernel and other key packages will attract expert eyes, but the average random piece of open-source software will not.
Security analysis is both complicated and un-glamorous. There are not a lot of people attracted to that kind of work. There are even fewer people who would do it for free. The position of the linked article is that it's better to pay people to think about security than it is to rely on the principles of OSS. I agree 100%.
* File Locked rather than writeable by administrator for upgrade purposes.
* Ring 1 or higher code being able to write to Ring 0 locations.
* Administrative users necessary to run most things (MS software or otherwise).
* Proprietary networking.
* Lack of regression testing (LAND should just never have happened).
There's 5, who wants to take up the mantle from there.
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...
What is it you are trying to sell exactly? Microsoft Secure Development Lifecycle?
"Eyes" on the source code aren't just code reviewers... they also consist of the attackers. Ok.. attackers have to find vulnerabilities to exploit somehow. The same techniques used by would-be attackers against the source to find exploitable holes can be used by the community (with source code access as a pre-requisite) to more effectively and with greater number people searching for things they can take advantage of, the more likely any issue is quicky found.
The only way to find faster, would be perhaps for someone to offer a bounty for anyone finding verifiably exploitable privilege escalation or remote exploitable security bugs in a default build of a stock kernel :)
The funny thing is... even addressing "at all phases" of the software development lifecycle and "integrating security into the day-to-day activities" is not enough to be secure.
Observation: This is the closest thing I believe I have seen so far, to an admission, from a Microsoftian, that their software can be inherently insecure (by design).
Seeing as the initial design is one of the most important parts of the software "lifecycle" by some views of the situation.
But the above quotation didn't argue merely AGAINST more eyes. It argued that essentially you can't make software more secure by looking at it, having code reviewed, and testing it.
That's absurd.
While there can be security weaknesses that won't be detected by thorough testing or code review, very large classes of security weaknesses can be.
Also, the complexity of the software systems interacting comes into play here...
Applications with simple well-controlled interactions and stable API (E.g. not like Windows) are less likely to have security issues that can escape a good code review.
Mine.
It must have been something you assimilated. . . .
kernel debugger
One big piece of FUD here is the notion that Microsoft programmers are paid, while open source programmers are not. The open source projects I know of advance mostly because of paid programmers, and I suspect that that is the case in general. That gives them the usual capitalist incentives for finding and removing bugs.
In product after product, Microsoft continues to ship fewer vulnerabilities than our competitors.
I wish he had cited some. It does not seem to be anyone's experience, and the only study I have ever seen that said that Windows was more secure than Linux did so by counting each Linux vulnerability several times (once per distro), and comparing just Windows against entire Linux repositories.
He also looks only at whether more eyeballs are good, neglecting the disadvantage of the uniformity of the Windows monoculture, etc.
He also argues that the Coverity scan was not an example of many eyeballs because it was government funded. So, the government paid for it - but it still happened.
He does cite some stuff including, hilariously, a study carried out in 2002 that concluded that Linux was close to becoming unmaintainable. Eight years later I am pretty sure it is being maintained.
I am also wondering about the advantages of there being a lot of code that is shared by multiple projects. I remember a BSD code review catching an X Windows bug. In that particular case it was not fixed upstream because the XFree86 people were being awkward, but I wonder how many cases there are of stuff getting fixed.
It is also easier to report open source bugs. I have never reported a bug in a proprietary app, but I have reported lots of Linux bugs (mostly distro level, or fixable at distro level) because I can follow what is happening, and I know what the (usually good) reaction to my individual report is.
As for proprietary networking, my Windows box uses TCP/IP. What does yours use?
And I didn't really understand #1, #2, or #3. You need to give more details to justify your claims, and preferably to show how they are any different from Linux/OpenSource bugs.
Let's see:
Mr War Man: "Peace alone won't make our country rich"
Mr Peace Man: "Waging war is immoral!"
Let me try this on for a couple of other common criticisms of some conflicts:
Mr Warman: "War is a faster way to increase the economical wealth in a society"
Mr Peace Man: "But it is immoral!"
Mr Car Man: "Gasoline cars are way faster than walking or bicycling"
Mr Peace Man: "But it is immoral!"
etc.
"shitty" code does not equal buggy code.
Your aesthetics, my aesthetics, or any other programmers' aesthetics are just personal opinions, don't need to be justified, and really have no particular value. On the contrary... you need to justify 100% a violation of some sort before code can be considered objectively bad, instead of just "Not how [you] would have gone about writing that, if you had been the person to write it".
As long as the code does exactly what it's supposed to do, and nothing more, and follows standard programming structure defined by the language and basic stylistic conventions (such as indentation), then the code is not shitty, no matter what my (or your) opinion is about its aesthetics.
I am intrigued by your ideas and wish to subscribe to your magazine.
A quick and dirty hack is not shitty coding, but inadequate design. The code probably does exactly what the (inadequate, informal) design said it ought to, which makes the code itself high quality, even if the design using it sucks :)
I assume the networking comment referred to the layer 7 protocols, and I think #1 was a reference to the difference in how library updates are handled in linux compared with WinXP (I haven't used a later version of windows, so I can't really comment on them).
Well I don't see people joining PETA and saying "Hey you know what, our views are a little extreme, let's try to be a little more level headed".
I don't see people joining Greenpeace and saying "Hey now, Genetic Engineering's alright y'all". And let's not get started on Sea Shepherd.
You also don't see hippies and vegans going to McDonald's or Walmart and working there in the hope to make it more ethical.
The point I am trying to make is that GNU started as the environment for people who cared about those Freedoms. Linux became part of that and is Licensed under the GPL. It is part of the Ecosystem that cares about those Freedoms. To turn around and say, well maybe those Freedoms aren't important, maybe we should become more mainstream so we can cater to the masses who like McDonald's and Walmart and don't care about Hens in cages or sweatshops, is kind of beside the point.
We all have our own reasons for using Linux but it would not exist without those freedoms... If you have a different view on freedoms you can also use *BSD, Solaris or something like Haiku (Etc. etc.). If you don't care, there is NOTHING that is stopping you from using Windows or OSX.
I certainly know that if I emigrated to a country and started saying people should follow my political views I certainly wouldn't be well received, it's no different with the F/OSS sphere. It is what it is. It is what it is because of what it is and really, most of us have bigger mouths than we should.
The Developers are free to do whatever they want and their projects can go in whatever directions they want them to. Users like me can be thankful for what they give us. Yes some are more rabid in proclaiming the Freedoms, but then again if a single project isn't free enough, a half-assed effort of replacing it is at least made.
Long post after a tired and long day tl;dr: Freedoms could be only a concern for a minority, but a large part of what exists is because of them. Even if they aren't the most important thing doesn't mean they aren't important.
Actually, most bugs that survive initial testing are not shallow. If they were, they'd have been caught early.
A key point of the article is that almost nobody in the open source world is really looking hard at old code. An experiment was run to encourage code review, but nobody really wants to do that. This is related to the phenomenon that many open source projects stall out at version 0.x. The basic functionality is in, the fun part has been done, and the boring grind of making the last bits work isn't getting done.
Some bugs are so deep the open source process can't fix them. Search Google for "prune_one_dentry oops". The Linux kernel is known to crash when all free memory has been taken over as file cache, a process needs memory, and due to some lock being set, file cache space can't be released. Bugs of this type have been reported steadily since 2004, and it's still not fixed. It will probably take a redesign of some fragile code to fix that, and nobody wants to take that on.
Take a look at the comment below yours, unfortunately there are still plenty of nutjobs in the free software community who equate producing closed source software with killing people.
A ridiculous amount of the linux kernel code is written by programmers paid by IBM, Intel, RedHat, etc.
Someone pays. I'm just glad it isn't me.
I think a better point for him to make might be that good software development in practice requires you pay people to do it. Who does the paying probably matters to some degree, but unpaid people are probably more inclined to solve problems interesting to them than problems which are boring but ought to be fixed.
He's arguing, probably correctly, that open source software is not necessarily secure because you can put an infinite number of eyes on it. There is not, in practice, an infinite number of developers available, and of the people who could be classed as developers that are available only a small percentage have meaningful skills to apply to the problem. Fair enough. I'm getting a PhD in comp sci, so on paper I'm a potential developer for linux. In practice I've never contributed anything to the linux codebase, nor have I attempted to invest the time in doing so, and I suspect I'm not alone.
I think the most important point is that lots of businesses contribute developer time to various open source projects, as do governments. But they're mostly in the business of monetizing services, on an individual basis they, like me, have no obligation to keep paying people to develop the software they service. That's a problem, since if enough of them fall on hard times the projects themselves are going to suffer, and it risks being a nasty downward spiral. For all of the things wrong with MS, if you get an operating system from them you're paying for an operating system, or a word processor or whatever, and the market for those products determines their viability, and how much developer time can be applied to them. Newspapers sell advertising space, to pay for journalism. If the market for journalism remains unchanged but the market for advertising space tanks your journalists are looking for work. If the market for whatever products the main contributors to linux sell erode away (ironically, like the car business, by making an easier to use more reliable product) there's no one actually paying for the thing which costs money to make. A sufficiently secure, stable etc. piece of software requires the minimum of support, but doesn't stay current without investment. Windows may not be the most 'current' OS in the world, but when you buy a new version M$ isn't out anything by making it more secure, more stable etc.
Writing shitty arguments is immoral! Money alone won't make a kernel secure either. Big corporation backing won't make a kernel secure either. In fact, nothing alone will make a kernel secure. Anything here we didn't already know? Yes, the overall development process is important, but even with the best development process, it won't suffice to make a kernel secure. BTW, is there any secure kernel out there?
Achille Talon
Hop!
Actually I was giving criticisms of the literal "NT" kernel. But thanks for being here in the future team.
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...
The most important tool, in close to the 20 yrs experience I have had, to discovering flaws is experienced users. It is *their* software which *you* have built for them. *They* know when things are hosed.
In my experience, FOSS maintainers have taken criticism and released fixes far more rapidly than any software vendor I have ever worked with. And as a developer the most important thing to do has been to talk to power users and get their feedback. MS does not do any of this. No matter how much money you pay them.
putting the 'B' in LGBTQ+
* File Locked rather than writeable by administrator for upgrade purposes.
Firstly, what do you mean? Secondly, how is this a security issue?
* Ring 1 or higher code being able to write to Ring 0 locations.
More details, please.
* Administrative users necessary to run most things (MS software or otherwise).
An application issue. Has nothing to do with the kernel at all, let alone its design.
* Proprietary networking.
TCP/IP is proprietary?
* Lack of regression testing (LAND should just never have happened).
A process problem, nothing to do with design.
and then attempts to refute. Fair enough. Except - the link leads to The Cathedral And The Bazaar - where I cannot find the quote... Hmmm
It's on this page: http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/ar01s04.html
Right after point #8, about halfway down.
Air France went into the ocean. THERE WAS NOTHING WRONG WITH THE CODE!!!
What was in error was the philosophy the code was written by.
A philosophy that disallowed human intervention. Disallowed for human handling of exception.
A philosophy that put machine over man.
Don't bow down to the stone image of the beast of man, for this beast is error prone and the image of this beast can be no better, even in perfection of an image.
computers are made of stone, mineral, metals, etc.. and the image is of thought processes.
no need for religion in this realization.
Open source allows for human interaction in its fundamental philosophy, where we all can make or contribute to correction and refinement.
Another example of perfect code and failure was the newly installed 911 service in Atlanta, for the 1996 Olympics. A system that required an address to be entered before it would transmit the call to the field.
Where was the failure here? Failure to give the Bicentennial park an address? Or expecting all places of crime have been given an address?
There was nothing wrong with the code of the software but in the design philosophy of the software.
in other words there was no code to correct, without first realizing the philosophy the code was based on was what was in error.
Microsoft is by far, practicing a philosophy of being successful by entrapment of its customers, making people need Microsoft software.
And a large part of how it does this is by being Windows, where you can see where you want to go, but you can't get there by yourself.
That's not the way open source software works. And it is open source software pressure that gives MS motive to improve its products.
And MS is biting the hand that is keeping it from being consumer to much of a fat lazy corporate consumer entrapment marketing firm, of which it apparently wants to be.
And we have seen and continue to see legal courtroom proof of MS's intent.
I am not knowledgeable enough to address #1 and #2, but I know for sure that #3, #4 and #5 all have nothing to do with the NT kernel.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Wrong premise: closed sourcecode is only written by paid developers.
And you need to actually realise there's a bug there. If the effect of a bug is for an application to crash, or (if in some ideal world someone's thought to do this) hit an assert, or an OS to panic, it's in a sense easy: you know that in some way the code has hit an explicit (assert, call to panic) or implicit (dereference zero) pre-condition and died. You know where it died, you have some chance of finding what was happening beforehand depending on the sharpness of your preparation, you have it all. Now, consider the recent Ubuntu ``32K states for certificate generation'' http://www.formortals.com/all-2006-2008-debian-ubuntu-crypto-keys-worthless/ problem. That didn't cause any of the above. It might, in some ideal world, have failed a test suite, but how many distinct certificates do you generate before there's `enough'? And to throw extra fat on the fire, if memory serves the bug was introduced by someone attempting to get a clean pass from a static analysis tool (or gcc -Wall --- it's the same principle). But, for two years, that lurked there. As an open-source and security community, it's a real mark of Cain, and we should understand why it happened. Because it says very bad things about process, correctness and testing.
Absolutely right. The author seems to be making the argument that a lack of pay implies a lack of skill.
From the article:
According to Cowan, who is now a Security Program Manager for Windows, “the scientific conclusion of Sardonix is that auditing is both demanding of high skill and tedious, and so karma/reputation/good will is not enough to motivate people to do it. You must pay them to do it, precisely as Microsoft does.
The author is right that the "many eyeballs" scheme needs skilled eyeballs to work, but assumes that the only way to get good people on a project is by paying them. It seems odd that an article that tries so hard to provide a compelling argument makes such a poorly backed assumption. It's certainly true that good people need to be paid, but they can be paid to work on free software or write free software in their spare time; both cases have many examples.
So if this is the future...where's my jet pack?
One of the key arguments that people like to taunt regarding software security and specifically open source security is the fact that they compare say redhat enterprise 4 to Windows 2003. If you look at the Redhat Errata you may start to be alarmed. The question then comes around... 'who actually installs EVERY single redhat package when they install the whole system?'.. the answer from my experience is very few. However that is where many of the comparisons come from. If you segregate the overall number of comparable systems between linux and windows you will often find the number of security vulnerabilities to be not wildly different. However if you compare the whole distribution's release to a windows install then you're going to think.. 'dang windows is secure'. There are several other points in the argument that I tend to enjoy asking people who use these types of numbers.
1. if you have so few vulnerabilities what is your exposure footprint? e.g. how many people are trying to trojan you on windows vs linux?
2. how many of the vulnerabilities have been reported by the community that develop the software? If we look at Firefox for example most of their vulnerabilities are not actually reported by hackers or security experts but by their core developers who realise someone else in their team wrote some crap code or didn't properly do something. Here are some URLs to give some further evidence http://www.mozilla.org/security/announce/2009/mfsa2009-47.html http://www.mozilla.org/security/announce/2009/mfsa2009-63.html (although after actually going to find evidence I found that in 3.0 and 3.5 most vulnerabilities came from researchers and not the community like many earlier releases)
but nobody remembers who the critic is.
and this critic is far less known than Linus.
And obviously less experienced at actually dealing with software development.
FWIW, I use FOSS software in work and play daily, and have even contributed a few very minor things. I wasn't even taking issue with the ethical argument for free software -- only pointing out that it's not a get-out-of-jail-free card that works against any and all criticisms leveled at FOSS, or the ways it's being produced.
This is precisely the kind of argument you become susceptible to if you think that an attribute of software (security) is more important than your freedom.
I'm a person with an @gnu.org email address, and I approve of this message! ;-)
I will go out and say that the quality aspects of software are important too.
But freedom helps that along. You're more secure against Linux Genuine Advantage, because free software doesn't have activation shenanigans going on (although I do have a perl script I'd like to give you if you like). If enough people want a feature that goes against corporate gatekeepers' interests, someone who's able to code it up might go do it. Hopefully (and likely?) the many eyeballs are a bigger benefit than they're a detriment; it does take time to weed out the amateurish---which is different from amateur---patches and bug reports, though.
And in our current software landscape where the dominant free OS is unix-like, the hackers (and power users) enjoy a different kind of freedom too: they're more free to tweak their computer so it performs the way they like it to. As I recall, when I was using proprietary (non-unix-like) OSes I couldn't as easily automate things and write small nifty shell scripts to help me make my computers run just right. I think this is a valuable (but different) form of empowerment that may be useful to illustrate to people the free software ideas: "now imagine that the software didn't have the knob you wanted to twist; why, you could add that yourself, or if enough people want it they might. [etc.]"
But to recap my first point: even if free software isn't automagically more secure and less crash-prone, we can make it so, and due to its nature it is secure from some of the annoyances seen in proprietary software. That alone is a big win; and I hear here on slashdot that the headaches had and salaries spent when ensuring license compliance make free software a good value proposition from the get-go.
I'm also free to use free software even if I don't share the ideology that produced them, you know. Or do you want to stop anyone from using Linux if they're not ideologically pure? If so, perhaps there is something to the "free software is Communism" argument after all...
Getting software right is very, very difficult. ... Code review alone is not sufficient. Testing is not sufficient. Tools are not sufficient. Features are not sufficient. None of the things we do in isolation are sufficient. To get software truly correct, especially to get it secure, you have to address all phases of the software development lifecycle, and integrate security into the day-to-day activities."
Well, maybe if you started out with a language that was properly designed to guarantee certain qualities (like Haskell), instead of the tar pit that is C/C++, you wouldn’t have to do all that magic to guarantee proper code.
But oh, it’s so much work to use QuickCheck to guarantee that the software will do what it should.
Yeah, so you rather take even more time to write the tests and do all that magic later, and still not have a 100% guarantee.
Way to go...
Any sufficiently advanced intelligence is indistinguishable from stupidity.
...A perfect program that is never written isn't very useful.
It is, however, bug-free!
0. People being paid by big companies like HP, Red Hat, and Novell to fix Linux bugs.
I feel the need to explicitly call this guy a shill, rather than imply it. IF he honestly believes what he wrote, he's merely an idiot.
Shawn Hernan has deliberately misconstrued what Raymond wrote. Raymond explicitly said that the phrase "Given enough eyeballs, all bugs are shallow" was an informal phrasing of the lesson, in the very first sentence of the lesson. The actual phrasing was given as "Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix obvious to someone." There's not even one sentence separating the two.
Trying to rip apart an informal phrasing, and ascribing hidden syllogisms to it, tells me this man is either an ideologue or an idiot. Given his position, he's a dangerous ideologue or idiot.
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
You are correct. Mr Peace Man there is just as relevant and useful as Mr Foss Man above.
Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
Hey, thanks for pointing out that closed sourcecode sometimes is not written by the paid developers!
Good catch!</sarcasm>
This is not about Microsoft bashing. Yes, they are an easy target. But you have not provided any sort of rebuttal to the GP's point -- a developer working toward a fixed financial reward is not sufficiently motivated to produce quality code. See The Mythical Man-Month and other sources.
Reality unfortunately insists otherwise. We can't blame Microsoft for it but it is still the rule rather than the exception. There are plenty of idiot developers out there that still have the single user MSDOS mindset where security is not seen as a problem because from their viewpoint the user only has a computer so that they can run that developer's application and nothing else. "Security" dongles are a major offender and other bits of crapware that insist on running services instead of just running like a normal application. You could run things like that as normal users but developers have admin so they write it so it MUST run admin.
That is more of the cause of the malware plague than Direct-X, old versions of IE and MS Outlook.
Oh yes, remember that a "power user" is an Administrator that just hasn't given themselves full permissions yet but they or the malware they bring in can do that without help.
Some of my points (IMHO, my 2 cents, works for me, etc.):
Mr Web Man: "Safari is way faster than Firefox on OS X and uses less resources."
Me: "Safari doesn't run at all on GNU/Linux or Solaris or FreeBSD. Besides, Firefox has a LOT of features that I like"
Mr Netbook Man: "The Gnome desktop is still kinda clunky, even after all these years."
Me: "I don't know what you mean by Clunky, but I prefer the functionality of Gnome over Windows or OSX any day of the week. Anyway, I like KDE and XFCE more than I like Gnome."
Mr Graphic Designer Man: "Linux still doesn't do proper color management."
Me: "I don't know what that means. You may be right."
Mr Gamer Man: "There aren't any decent games for Linux."
Me: "There are actually some decent games for GNU/Linux, but I agree that the selection could be greater. I hope the situation improves, but gaming is far from my primary concern"
You'll notice that I don't have to mention software freedom.
Lemon curry???
It is also easier to report open source bugs. I have never reported a bug in a proprietary app, but I have reported lots of Linux bugs (mostly distro level, or fixable at distro level) because I can follow what is happening, and I know what the (usually good) reaction to my individual report is.
Quite right. And if I am capable of fixing that bug, I do so and submit the fix. That's what open source development is about, isn't it? Most of my contributions to open source software are small fixes.
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
Heisenbugs like race conditions (http://en.wikipedia.org/wiki/Heisenbug ) are rarely 'shallow', in that they usually require a lot of analysis, reasoning and testing, and dedicated time to form a mental (or otherwise) model of the code. The argument for 'shallow' here is the potential number of people willing to invest that kind of effort.
Having source code helps a lot, even more when you can instrument the code or use some sort of debugger (which itself can change timing etc and perturb the resulting behavior), but I've tracked down heisenbugs without it.
The previous comments that 'design counts' is certainly true, and there's often trades to be made in the kind of potential conditions you can get. For instance, some synchronization approaches can trade the chance of deadlock against the chance of race conditions.
I'll not comment on whether Microsoft code is "better", since I choose to avoid Microsoft products. (But I will note that many, if not most of the Microsoft desktop products started life outside Microsoft...)
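An added example for the heisenbug discussion above (not code from the commenter). Real threads make a lost-update race appear only under particular timing, which is what makes it a heisenbug; here each "thread" is a generator that yields at the point where a real thread could be preempted, and a scheduler chooses the interleaving. That makes the race reproducible on demand, shows that the same unguarded code is correct under a different schedule, and lets the guarded version be tested deterministically. The `Counter` class, the spin-lock field and the schedulers are constructed for the example.

```python
"""Deterministic replay of a lost-update race and its lock-guarded fix.
Constructed example; names and the toy scheduler are assumptions."""
from typing import Callable, Generator, List, Optional

Step = Generator[None, None, None]


class Counter:
    """Shared state touched by several simulated threads."""

    def __init__(self) -> None:
        self.value = 0
        self.locked_by: Optional[int] = None  # owner id of the simulated lock


def unguarded_increment(ctr: Counter, n: int, me: int) -> Step:
    """Racy read-modify-write: the yield between read and write is where a
    real thread could be preempted, so a concurrent update is overwritten."""
    for _ in range(n):
        tmp = ctr.value       # read
        yield                 # possible preemption point
        ctr.value = tmp + 1   # write back a stale value if someone else ran


def guarded_increment(ctr: Counter, n: int, me: int) -> Step:
    """Same operation under a single lock: a thread that finds the lock held
    yields until it is free, so only one thread is inside the critical section."""
    for _ in range(n):
        while ctr.locked_by is not None:   # acquire: wait while another thread holds it
            yield
        ctr.locked_by = me
        tmp = ctr.value
        yield                              # preemption still possible, but others cannot enter
        ctr.value = tmp + 1
        ctr.locked_by = None               # release


def run_to_completion(tasks: List[Step]) -> None:
    """Schedule each task to the end before starting the next (no interleaving)."""
    for t in tasks:
        for _ in t:
            pass


def run_round_robin(tasks: List[Step]) -> None:
    """Advance each task one step in turn: the interleaving that exposes the race."""
    pending = list(tasks)
    while pending:
        for t in list(pending):
            try:
                next(t)
            except StopIteration:
                pending.remove(t)


def final_count(make_task: Callable[[Counter, int, int], Step],
                scheduler: Callable[[List[Step]], None],
                workers: int = 2, n: int = 5) -> int:
    """Run `workers` tasks of `n` increments each under `scheduler`; return the total.
    The correct answer is workers * n."""
    ctr = Counter()
    tasks = [make_task(ctr, n, i) for i in range(workers)]
    scheduler(tasks)
    return ctr.value


if __name__ == "__main__":
    print("unguarded, sequential :", final_count(unguarded_increment, run_to_completion))
    print("unguarded, interleaved:", final_count(unguarded_increment, run_round_robin))
    print("guarded,   interleaved:", final_count(guarded_increment, run_round_robin))
```

With two workers of five increments each, the unguarded code yields 10 when the tasks run back to back and 5 when they alternate: every write discards the other thread's update, and nothing crashes or asserts, so the defect is invisible until the schedule happens to line up. The guarded version gives 10 under both schedules. It uses one lock, so it cannot deadlock; the trade the comment mentions appears as soon as a second lock is acquired in different orders by different tasks, and the same scheduler can be used to replay that deterministically as well.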
FTA ....
Coverity asks, “would you like to know about 0day defects months in advance?” They ask that to promote their work in scanning open source projects for security vulnerabilities. Quoting from Coverity’s 2009 report:
“In January 2006, Coverity, Inc., was awarded a contract from the U.S. Department of Homeland Security [] to improve the security and quality of open source software[] Since 2006 [Coverity] scanned over 60 million unique lines of code on a recurring basis from more than 280 open source popular source projects.”
[...]
"You might argue that the mere fact that Coverity can do this work is just another set of eyeballs. But I reject that argument entirely. This is a government subsidy to go do some hard and useful work, not a magic property of the fact that these are open source projects. The real beneficiaries of the subsidy are not Coverity (who is providing a fine service), but other companies whose business model is primarily about services and not software.
We think that’s great. The work that Coverity is doing falls into a category of analysis known as “static analysis,” which Coverity defines as “a set of techniques for examining a software system and making determinations about what its behavior will be at run time, using information collected without running the code.” Microsoft and the SDL are big proponents of static analysis. "
To me the most appropriate word for Open Source compared to commercial software is *inexorable*. Open Source is the relentless glacier (ok, Borg for those of you who need to get out more) that grinds all in its path. Even worse than a static Borg, Open Source is snowballing through the network effect. Even the latest and greatest cellphones are Open Source and companies are scrambling to adopt it in devices and their corporate data centers. Microsoft can't defeat Open Source due to the different set of economics at work. It is simply a matter of time before Microsoft cannot offer enough new features to make paying for it more worthwhile than using a free equivalent.
http://marc.info/?l=openssl-dev&m=114651085826293&w=2
And so MD_Update(&m,buf,j); /* purify complains */ was commented out.
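What removing that one call to the pool costs, as an added Go example (this is not OpenSSL's code; `derive` is a constructed stand-in for a seeding step, and `DistinctSeeds` and `RandomBuffers` are helper names chosen here): once the buffer is no longer mixed into the pool, the process id is the only input that still varies, so the number of distinct pool states a machine can reach is capped by the number of possible pids, however good the entropy that was being discarded.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// derive is a constructed stand-in for one PRNG seeding step: the pool hash
// absorbs the process id and, when mixBuffer is true, the entropy buffer.
// mixBuffer=false models the commented-out MD_Update(&m, buf, j).
func derive(pid uint32, buf []byte, mixBuffer bool) [32]byte {
	h := sha256.New()
	var p [4]byte
	binary.LittleEndian.PutUint32(p[:], pid)
	h.Write(p[:])
	if mixBuffer {
		h.Write(buf)
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// DistinctSeeds counts the distinct pool states reachable across maxPid
// process ids and the supplied entropy buffers. Without mixing the count can
// never exceed maxPid, whatever the buffers contain.
func DistinctSeeds(maxPid uint32, buffers [][]byte, mixBuffer bool) int {
	seen := make(map[[32]byte]struct{})
	for pid := uint32(1); pid <= maxPid; pid++ {
		for _, b := range buffers {
			seen[derive(pid, b, mixBuffer)] = struct{}{}
		}
	}
	return len(seen)
}

// RandomBuffers draws n 16-byte buffers from the OS entropy source, standing
// in for the data the real seeding path would have had available.
func RandomBuffers(n int) [][]byte {
	out := make([][]byte, n)
	for i := range out {
		out[i] = make([]byte, 16)
		if _, err := rand.Read(out[i]); err != nil {
			panic(err)
		}
	}
	return out
}

func main() {
	bufs := RandomBuffers(64)
	fmt.Println("pool states with mixing:   ", DistinctSeeds(1024, bufs, true))
	fmt.Println("pool states without mixing:", DistinctSeeds(1024, bufs, false))
}
```

A regression check for this kind of change is the same computation in reverse: seed the generator repeatedly with fixed pid and varying entropy and assert that the outputs differ. A purify or valgrind warning about uninitialized reads in a PRNG is exactly the place where such a test, rather than deleting the offending line, should have been the response.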
BTW, is there any secure kernel out there?
OpenBSD is the best you will get in the unix world. Developed mostly by people doing it as a hobby with some company support.
Wang unix was also highly thought of but wasn't used too much. That was developed by a company with little outside help.
VMS is also secure, again developed by one company with little outside help.
My point - Anti-Microsoft isn't always anti-closed source. Sometime it's anti low quality.
I know that was a flippant remark, but step back and look at it.
The statement is an accurate, yet deeply depressing indictment of the modern world. We should be focused on making thing better, not accepting things the way they are.
Just to be fair, there are plenty of FOSS fans that think the benefits of Free Open Source Software are intrinsically intellectual and technical. Proprietary software isn't immoral it's just (often) needlessly or inappropriately proprietary and therefore of somewhat decreased intellectual value.
Quack, quack.
Actually I was quite serious (although still flippant :P ) and just trying to say that no conversation is enriched by a one-track-mind activist who does nothing but beat the drum for their own pet topic.
Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
It is also easier to report open source bugs. I have never reported a bug in a proprietary app, but I have reported lots of Linux bugs (mostly distro level, or fixable at distro level) because I can follow what is happening, and I know what the (usually good) reaction to my individual report is.
Report a closed source bug and you get fobbed off by first line support who know less than you. You have little chance of ever talking to someone who understands the problem.
Report an open source bug and you get told why you are wrong, or why they can't be bothered to fix it, or how unreasonable you are for demanding they fix your problems. But if you provide a patch you have a chance of being taken seriously.
It's not exactly easy either way around.
"You see old friend. I've brought more auditers than you did."
-- 'The' Lord and Master Bitman On High, Master Of All
Well, he makes some good points. Code review is indeed difficult, requires good skills, and is not done by many people in the free software community (the OpenBSD development team being a notable exception). Good software engineering methodology is crucial, certainly.
He concludes that Microsoft ends up shipping fewer vulnerabilities than anyone else. Is this true? Well, with the obvious exception of OpenBSD, it might be; but that's not the whole story. What developers do when a vulnerability is found is pretty important, too. Probably even more important.
Not long ago, a serious vulnerability was discovered in several versions of IE. Turns out Microsoft had known about it for several months. So, naturally, they had a patch all ready and tested before it became a problem - right? Well, no. Instead, they urged users to upgrade to IE8. The bug didn't get patched until almost a week after exploits were seen.
For all their professionalism and expertise, Microsoft developers labor under a severe handicap: they have to work on what Microsoft managers tell them to work on. They may think that a given bug is urgent and should be patched right away; but at the end of the day, the priorities are set by people who are focused on the bottom line, and those people know that nothing much is going to happen to Microsoft if a vulnerability is left open for a week or two. Every year, people in the Linux community confidently assert that this is the year of the Linux desktop; and every year, they're proven wrong. Too many people are locked into Microsoft's proprietary formats, and have too much time invested in learning to use Windows, to switch easily. And that's not going to change anytime soon.
Tried. Debated. Demonstrably false.
A major factor in what makes open-source software more secure?
The kind of hacks that make people cringe don't survive for long, and are less likely to even make it into the wild.
Imagine you're coding on a closed product, your management demands a feature, and you're pressured into "just doing it". You're likely to just make an ugly kludge, build it, and ship it.
Now imagine you're required to release the source code as well, and you know that at least one coder you respect is going to be reading it.
Uhhhh...dude? it is an OS and NOT a religion, okay? Why do you think that MSFT has 90%+ of the market? Hint: it is not a conspiracy, or Ballmer sneaking a money truck up to the back door of every shop in the middle of the night. It is because a good 99.999% of the public don't WANT to know how to change the software they use, could frankly not care less about giving it to their neighbor, and have no chance in hell of improving code.
Those things may be important to MIT hacker types, but the vast majority of the public really couldn't care less. They want pretty, they want simple, they want easy. there is a damned good reason why MSFT and Apple spend the money they do on UIs, it is because the customers want GUIs not shell scripts. Have you even tried OSX? It is really really nice. Windows 7? really nice too and user friendly.
So if you are actually wanting to convert followers to your OS/religion/whatever? hate to be the one to break the news but compromises will have to be made. Things like a stable ABI so drivers (even "non free" ones) can be put on CDs, so that instead of the ass backwards "let the kernel devs do it" you can have little penguins on boxes like the little Apple and Winflag the other guys have. The words "open up bash and type" will have to DIAF and be the absolute LAST resort, and not the first as it is now. Because as it is now for geeks Linux is okay, for retailers and the public it is a royal PITA which is why they would rather pay good money than have your "free OS".
Because in the end it really ain't gonna make any difference if "more eyes make bugs shallow" or not if you are stuck at 1% forever. It all comes down to giving the public what they want. They want GUIs, they want simple, they want easy. They do NOT want CLI, they do NOT want to learn how to code or write scripts, and they do NOT want to have to research like it is a fricking test just to shop for peripherals at the local Walmart. I honestly think Linux security could be a real help to Joe public if just more time was spent on usability and making things easy instead of yet another text editor or distro.
But to get to that critical mass point I truly believe changes will have to be made so that the Walmarts, the Best Buys, and the mom and pop shops like mine will support you. But we don't drink the "freedom" koolaid, and don't give a crap about having access to the code if our bottom lines are eaten away by after sale support thanks to "open up bash and type" and paperweight roulette. And I apologize for the length, but I truly hate how Linux seems doomed to stay a tiny niche because those that treat it like a religion act like the world will just looove CLI and research and all the other PITA crap if they will just "embrace the freedom". But as the success of iPods and iTunes has shown the public really doesn't care as long as it is easy to use and pretty. The new DEs have the pretty down, at least on the surface, but the ease of use is a hell of a long ways away from OSX and Windows.
ACs don't waste your time replying, your posts are never seen by me.
Can this guy not even read? Or is he just too lazy to do the tiniest bit of research into what Linus' Law actually is? From The Cathedral And The Bazaar:
Linus' Law says nothing about how many bugs are introduced into a system, or how well code is generally audited. All it says is that once someone finds a bug, if you have enough people looking at that bug, someone will figure out what the problem is, and someone will figure out a solution, pretty quickly.
That's it. And it is still true.
Why doesn't the gene pool have a life guard?
Excuse me, but how do you know that OpenBSD has the most secure kernel in the UNIX family?
"File Locked rather than writeable by administrator for upgrade purposes"
Pure nonsense - unix behaves the same and is merely semantically different. Removing a file that's in use merely unlinks it from the directory index; it's no different than renaming and 'deleting' later, which can be done on NT based systems. Crap like this scares me anyway - I don't consider it to be a feature. The transactional kernel interface for file system and configuration modification in recent versions of windows is extremely cool - nothing like it is supported on other platforms of which I'm aware.
"Ring 1 or higher code being able to write to Ring 0 locations"
This is nonsense - Ring 1 does not exist on NT kernels.
"Proprietary networking."
Really? Last I looked MS has a standardized bsd style RFC defined socket interface for IPv4 and IPv6. You mean networking in terms of RPC, network file protocols? SMB? Can you be a little more vague? What open "non proprietary" protocols that didn't suck do you think existed when early versions of windows were being produced?
"Lack of regression testing (LAND should just never have happened)."
Agreed.
and then attempts to refute. Fair enough. Except - the link leads to The Cathedral And The Bazaar - where I cannot find the quote... Hmmm
It's on this page: http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/ar01s04.html Right after point #8, about halfway down.
Thanks - admittedly I stopped reading after about page 6 and just used search...
In my world, the software stands or falls on its own merits. There's plenty of truly excellent FOSS out there, and as I said in a neighboring message, I use some of it daily. There are also areas where the FOSS world has failed to produce anything beyond clunky second-rate knock-offs of proprietary software. And there are areas where proprietary software has built on and then surpassed the FOSS software it's riffing off.
Specifics?
Some of my favorite FOSS stuff -- things I'd pick over the commercial alternatives any day of the week, purely on their own merits: The Linux kernel and GNU command-line utilities. PostgreSQL. The Dojo toolkit. Firefox. Thunderbird. Eclipse. CUPS. Apache (web server, many of their other projects suck). Various Debian package managers. VirtualBox.
Some cheap and clunky and altogether second-rate things that attempt to duplicate functionality of commercial software that does the job much better, that I (hate to but nevertheless) use, for any of a number of reasons: GIMP. OpenOffice (especially the Word and Excel clones -- and good grief, it oughtn't be that hard to do better than *Word,* of all things!) GNOME/KDE/any other Linux desktop. Various RAW conversion utilities.
Some commercial software that does stuff better than the FOSS stuff they're riffing off or building on: Jira. Confluence. Mac OS X.
Some areas where the FOSS world has consistently failed to deliver, despite years and years of effort and constant promise, and the fact that the problems appear ideally suited to being solved the FOSS way:
Content management systems. There are a gazillion FOSS ones out there, and all of them suck in some significant way -- either they're a big ol' mess of vaguely connected utilities (Drupal), they make very big assumptions about how you want your site to work (Joomla), or they're half-finished while incorporating several internally competing ways of doing things (Lenya and its plethora of editors, none of which really work very well.)
Anything related to proper graphic design tasks. This requires a full chain of utilities from the RAW file in the camera to the finished file to be sent to the printer (or put up on the web). Most of the chain just isn't there: no system-wide color management, no RAW conversion software with accurate, consistent profiles for a wide range of cameras, no genuinely functional (and color managed) page layout software.
I could go on, but you get my drift. I don't care for ideological arguments. If FOSS is a genuinely and universally better way to make software, it would have incontrovertibly proved it by now. If it was genuinely and incontrovertibly unworkable, it would have failed by now. Instead, it's done neither -- it works brilliantly for some things, fails miserably in other things, and muddles along for lots of others. Just like any other way of making software.
Whew. I feel better now.
> He also argues that the Coverity scan was not an example of many eyeballs because it was government funded. So, the government paid for it - but it still happened.
FOSS static code analysis tool Cppcheck has done a similar job (after the Coverity scans) and found bugs (that were reported and fixed) in the Kernel and other open source projects. It is not government funded, it is purely made by the community. Here is a list of reported and fixed bugs:
http://sourceforge.net/apps/mediawiki/cppcheck/index.php?title=Found_bugs
There are a lot more bugs found and fixed that are not in the list, as many developers have started using it on their own after seeing it in use, and the members of the Cppcheck project are nowadays more focused on developing Cppcheck rather than testing it against other open source projects.
He reports Coverity's results on open source software
... but doesn't report Coverity's results on Microsoft's software.
He reports that Coverity scanned 280 open-source projects
...but doesn't report that only 180 of those have "active developer support".
He can't be bothered to present any data at all on the distribution of the reported or corrected defects — how many are in nethack or aalib or that long-abandoned "flash-based photo album generator"?
He doesn't, for instance, mention that Samba and several others have no defects Coverity can discover. None.
Vim has none. X.org has ... three. All of KDE, nearly five million lines of code, has ... ninety. glibc has none.
There have been MySQL and PostgreSQL and Berkeley DB versions with none. His bioblurb says he's "currently working to ensure that Microsoft SQL Server is secure". That's interesting. You mean it isn't, now? How many defects can Coverity find in SQL Server?
TFA is a nauseating pile of sneers and aspersions ("Hope is not a security strategy"?) built on a very carefully selected and very few facts. "No one is doing auditing" he quotes. "No one is doing auditing" and reporting it to some self-styled central authority almost no one ever heard of is what's true, but telling the truth isn't what he's doing here. He's a "Program Manager", and he works for Microsoft.
As always, all IMO. Insert "I think" everywhere grammatically possible.
The author is right that the "many eyeballs" scheme needs skilled eyeballs to work, but assumes that the only way to get good people on a project is by paying them. It seems odd that an article that tries so hard to provide a compelling argument makes such a poorly backed assumption. It's certainly true that good people need to be paid, but they can be paid to work on free software or write free software in their spare time; both cases have many examples.
Agreed.
I've often heard people complain because they say their work is under appreciated - but when they get a pay rise they still complain. When asked what the problem is they tell me they don't feel they get the recognition they deserve. Ego is an underrated motivation for excellence. Open Source code contribution can scratch the ego itch. As someone else has pointed out - many crap programmers don't know they're crap programmers. In Open Source projects other people are pretty quick to tell you if they think your code is crap - and, unlike traditional paid development there is less need to be polite instead of right.
if you are reading this read the +0 anon parent comment. Debian did clear it with upstream, and upstream wrongly said it was ok.
~.~
I'm a peripheral visionary.
Creating and then enforcing standards and policies with respect to source code and development process is not going to help if the whole thing is broken as designed.
I was thinking of the irony of an MS project manager lecturing the Linux kernel devs on "bugginess."
Put identity in the browser.
This argument is logical, and reasonable.....but for all that is wrong
Linux is (surprisingly) not riddled with bugs, not full of security holes, and is maintained
Microsoft products (surprisingly) do have security holes, do have bugs, and these are left unpatched until people complain ...
The problem is that in general people who use Linux complain about the flaws, and if the people who manage the code agree it is a flaw, then it does get fixed, the only cost is time .... with Microsoft fixing/not fixing each flaw is evaluated as to the cost in money and time
Linux people use Linux and so have an incentive to make it work (at least how they want it to) Microsoft only need to keep selling, so it has to be "good enough", people have noticed that internet explorer development ground to a halt when there was little or no competition and picked up again when people started using other browsers ....
Puteulanus fenestra mortis
To be fair to Microsoft this is no longer true. UAC asks the user if they wish to elevate privileges when an app does something unsafe. Vista took a lot of flak when UAC appeared (including from myself) but it did force user land applications to stop abusing the registry (e.g. opening HKLM with read/write permissions), writing random files to random locations on disk and other unnecessary operations. The consequence is apps written / patched in the last 3 years run pretty cleanly and if they don't, you get the UAC popup. In practice it's little different from what happens in Ubuntu or OS X in similar circumstances.
GPL is kind of like the paparazzi following you around saying "you're free to do anything you want, just as long as you don't mind that I share it with everybody". Hmmm, actually it's like if the paparazzi would force you to take your own pictures and publish them.
From the sound of your analogy, you clearly either don't understand the GPL or you are just trolling.
The only time you have to share your changes to GPL'd software is if you have modified it and choose to -distribute- it. If you don't distribute the modified version, you are free to keep the changes to yourself.
Merely using GPL software doesn't force any restrictions on you.
Your paparazzi analogy is pure FUD.
You know, the language of the GPL is pretty straightforward. Why don't you take a few minutes to actually read it before you start spouting more crap like this.
A house divided against itself cannot stand.
I defend the hypothesis that the two major crises that afflict the computer industry (unreliability and low productivity) are due to our having adopted the Turing Machine as the de facto computing model in the last century
Your hypothesis fails by being based on false assumptions. The Von Neumann architecture has been the de facto computing model, not the Turing Machine. Turing Machines suck at IO.
Furthermore you don't seem to understand that the reason computer programs are, as you call them, unreliable and low productivity, is mainly because programming is hard, and most of the time this has nothing to do with threads. Have you ever spent hours trying to get elements to line up perfectly on a web page in three different browsers? It is a problem that makes you want to pull your hair out, and yet it doesn't matter whether you are running with threads or with double-buffers, the problem will still be there. Programming is hard because controlling a computer is hard.
The boomers were wildly successful but this is a new age, the age of massive parallelism and super complex programs. The boomers need to retire and pass the baton to a new generation of computists. Sorry but that's the way I see it.
What the hell? When did this become a generational war?
Qxe4
That is not what I was trying to get across, you sure can use Linux if you don't share the ideology... It's more that just because you don't share the ideology doesn't mean it isn't important over all.
There seems to be an increasing movement, evident sometimes on Ubuntuforums for example to suggest Linux should become less Free (For reasons of convenience or market expansion).
There are more users now who don't care or only care about the free as in beer side of things. Just because they may be the majority doesn't necessarily mean it's right to change the way things were before.
I'm really too tired and exhausted at the moment to make a decent effort of what I'm trying to say... It's along the lines of if you're not happy with the way things are, move to change them yourself or use something else. If you don't care whether your system is half proprietary for example you could always use Mint.
My opinion is that if Linux was not F/OSS, it wouldn't exist. From there I also begin to believe that the less Free it becomes the more likely it is to cease to exist. In the long run the only thing that can also prevent its extinction is openness.
Oh, absolutely Linux wouldn't exist if it wasn't FOSS. Hell, I'd say it wouldn't exist if it wasn't free as in speech. There's a reason Linux is Linux and OpenBSD is OpenBSD, and a lot of the reason has to do with the licensing. That model has worked brilliantly for it.
But from that to claiming that that particular model is the only morally acceptable way to make software is a leap I'm not ready to make.
I learned something about "Group intelligence" from the quiz show Who Wants to be a Millionaire in which contestants are given three lifelines to help them answer difficult questions.
The weakest lifeline by far is to appeal to the wisdom of the crowd and ask the audience. This only works for the simplest question.
Phone a friend works better IF you know the right friend.
However, the most powerful lifeline, the one smart players keep till last, is 50:50 - randomly removing two wrong answers.
So if open source debugging is equivalent to "Ask the Audience" then closed source debugging by the specialised team of developers is "Phone a Friend". Now all we have to do is figure out what is the debugging equivalent of 50:50 and all our problems are solved.
Breaking News! Neat one line slogan not completely accurate! More in our special feature at eleven.
"Hannibal's plans never work right. They just work." Amy/A-Team
An unpaid developer works on stuff that is interesting to him. A paid developer works on stuff that is interesting to his manager.
If I'm working for MS and I notice a certain feature is a bit buggy, I might want to take a look and fix those bugs. But there is a deadline and the marketing department want a certain feature added so they can put another checkbox on their next ad. So the bugs don't get fixed.
But if I'm working on an open source project and I notice a feature is a bit buggy I can go ahead and fix it because my manager isn't breathing down my neck to add some other feature.
I'm working for a company that uses MS products. My manager notices a feature is buggy. I report it to MS and.... nothing happens. So I find workarounds and show the other people at my company how to make the feature work despite the bugginess.
I'm working at a company that uses open source products. My manager notices a feature is buggy. I report it, and if the manager is still breathing down my neck, I find the bad code, fix it, send a patch to the project maintainers.
MS's priority is to add features to make their software more marketable. Open source software's priorities are whatever is important to each developer working on it. That may mean adding more features (like MS) or making the features more robust (unlike MS).
Debugging is not fun work and the eyes go where the fun is.
Mr Graphic Designer Man: "Linux still doesn't do proper color management." Mr FOSS Man: "Writing unfree software is immoral!"
You can have more than decent color management on Linux and/or with FOSS software, actually. I bought cheap calibration hardware that comes in Pro and non-Pro variants. I opted for non-Pro. The difference between the two is software. With ArgyllCMS, you can actually get better results using the non-Pro device than with whatever software comes with the Pro version. And that's without any compiling or patching or any kind of fiddling most 'normal' graphic designers find too difficult to even attempt. Not just that. Should I get a new device (at least one of the well-known brands), it would most likely work with the same software without any need for a change in work flow.
So, while I would maintain that it's not quite right to write software that you cannot share with your friends or modify if you know how, I would also like to point out how many anti-open-source arguments like the one above have been obsoleted by maturing open-source projects.
Every harsh word you utter has the right address. It only sounds harsh because the one on the envelope is the wrong one.
Does the entire imaging chain from RAW in the camera to the final layout sent to the printer handle profiling transparently?
I.e., suppose I want to convert my RAW file to the ProPhoto colorspace and work in 16-bit in that when processing the pictures, then flatten them to Adobe RGB for page layout, then convert the RGB to CMYK for printing, to the device profile supplied by the print shop. Can this be done in a Linux environment? Can it be done without much muss or fuss?
Last I checked, it wasn't even close, but yeah, that was a while ago.
we must point out that freedom is our primary concern
It might be yours, but when it comes to choosing software getting the job done cost effectively is mine. If the closed source commercial software will do the job and the FOSS won't then I'll choose the closed source commercial, thanks. It's not an automatic choice. Some FOSS is better than the closed source commercial, but some is complete rubbish, and in the latter case I couldn't give a monkeys about the "freedom" it gives me.
Quidnam Latine loqui modo coepi?
Like "Quick and Dirty Operating System" from Seattle? Whatever happened to that?
Plan9 is in the Unix family, one security alert in 15 years
There are places where the networks are not touching, and there are places where they are. - Boeing's Lori Gunter
Bugs are an error in the process, not the code. If you find a bug, you need to find the process error that allowed that bug to occur.
Not in the code?
Of course bugs are errors in the code. Duh! And sure, bugs may be errors in the process as well.
But why the false antithesis?
-wb-
Excuse me, but how do you know that OpenBSD has the most secure kernel in the UNIX family?
It's been proved over many years of exposure to the internet. The kernel level exploits that work on most other systems both open and closed source have never worked on the OpenBSD kernel.
OpenBSD has a strong history and strong people behind it.
Open source gets more eyes on source cheaply, but it's not magic that makes everything better.
questioning one of the tenets of open-source...
Well he would, wouldn't he ... how is this news ?
Unicode killed the ASCII-art *
You get what the subsystem maintainers merge into their trees and what Linus in turn merges into his tree so...
You get it exactly and word it perfectly.
Linux IS its freedom, without it, it wouldn't be the same and might not even exist.
One of the most beautiful things I find about GNU/Linux is that I can get a working development AND/OR server environment all from a single package manager. That is because all the software is free, no endless license agreements to click through or setup programs that try to install all kinds of crap or require me to register. Just apt-get/pacman/emerge.
To me windows is the OS that never fails to have a major hiccup. Silly stuff like suddenly deciding I got duplicate ethernet cards or freezing completely on a copy, and don't even get me started on the long work of visiting every website for all the various apps that I use, downloading them manually, then installing them, clicking through all the decisions, organising them efficiently (why does everything go in the main menu?).
OSX is little better; although its setup is easier you still have to go hunting yourself. And don't even get me started on when you want to configure basic things like the END and HOME key to behave as you would expect them. And neither OS has focus under mouse, a basic feature that linux/unix GUIs have gotten right for decades.
But all of that exists because of the vision of a free set of tools Stallman had. Same as there are still whales swimming thanks to the "extreme" views of Greenpeace. Sure sure, you might want to wear fur, but then you can't have whales.
I think it is sad that having principles is today considered extreme. People who say open-source freedom doesn't matter are saying that because they don't vote, democracy does not matter. You might be right; if you've ever been in a place like China (and there are far worse places to be as a westerner) then you might have a hard time figuring out why dictatorship is so bad, everything works and crime is low.
A paradise surely? Yup, right up to the point that it is YOU they are coming after.
We recently have had two stories about software products being bought and their future being in doubt. MySQL is now owned by Oracle, and its future is fairly safe because GPL is hard to kill off. But what about FAST search, now owned by MS? Oops, its unix/linux support is gone just like that and screw anyone who depends on it, no way out for them.
Freedom, it doesn't matter until you no longer have it.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Does the entire imaging chain from RAW in the camera to the final layout sent to the printer handle profiling transparently?
That is in photography arena. I was talking about graphic design man mentioned above. I've never needed to deal with RAW files myself because a photographer would never give me RAWs. I usually get a TIF or JPEG and work with that. For all practical graphic design purposes, my CM work flow is more than satisfactory.
I've heard people complaining about RAW formats before, but I really can't say anything about it other than I know people complain about it.
Every harsh word you utter has the right address. It only sounds harsh because the one on the envelope is the wrong one.
Good for you. Nevertheless, it's probably not good enough for anyone who needs to do color-critical photographic work, which means everybody doing anything for serious print media. Lightweight Web work is a different matter, of course; you don't even need GIMP for that.
Your entire argument can be brought down by the fact the IE is such a lousy browser. Or that Vista blew chunks. Where is this paid for quality?
I will grant you that documentation is hard to get written for free by a developer because devs hate doing that, but if paid devs are any better, then why is the documentation for Windows so piss poor (they got into a bit of trouble with that in the courts when they were ordered to hand over the documentation and it was found out just how bad it was)?
If you knew a bit about human beings you would see how stupid your argument is.
Who produces the best quality, a person only doing their job for the money OR a passionate volunteer who does it for the love of the job? Gosh, that is a hard one. It would be like asking which is better, a Soviet era Yugo or a McLaren F1. And the beauty of opensource is that the Yugo costs a fortune but the F1 is free.
You do remember that software is a unique product? No real production costs. Only the salary of the coder and if he works for free because he WANTS to do it... then the sky is the limit.
It took years for MS to get its webserver even close to performing as well as Apache, despite countless paid devs. Windows security and reliability was a joke, despite years of paid developers.
Where are the results of all those paid developers?
As to why it should be impossible to build a very complex piece of software in open source that is better than (or at least equal in quality to) closed source teams?
Do we even need to give proof to refute this?
BAIN http://www.devslashzero.com
OpenBSD has been exposed much less than, let's say, Linux. Shouldn't you use a metric like: n_vulnerabilities_detected / n_instance_hours_of_exposure?
Wasn't the windows source code leaked or something and when people tried to compile it, it turned out endless compiler errors just on the kernel? What do you mean get my facts out of here? This is a marketing only zone? I protest! I got my freedoms... oh, I don't have any freedoms, all my freedoms are belong to MS? Shoot, knew I should have paid more attention to that Stallman guy. Sure sure, I will bend over for the next windows update license agreement, will there be lube this time?
Good for you. Nevertheless, it's probably not good enough for anyone who needs to do color-critical photographic work, which means everybody doing anything for serious print media. Lightweight Web work is a different matter, of course; you don't even need GIMP for that.
First, your premises are not correct. Not every piece of color-critical print work involves RAW files, and sometimes not even photographs. So, unless you want to keep on talking about some fictional 'everybody', no, it's untrue that it doesn't work for everybody. It works for me and many others out there, some of whom I know in person.
Incidentally, I do graphic work for living, and I don't have to deal with RAW format at work either even though I have all the tools I need. We have photo people here who do that.
Now when I say shit code, I don't just mean code that doesn't do the job, I also mean code that is just ugly. We have all written shit code, even if we didn't know so at the time. We either didn't know something that would have made all the difference, or just weren't on the ball that day. I don't believe anyone who says they have never written shitty code. Sometimes there just isn't a nice way, say when dealing with a shit API. Abstract away the shit API, sure, but then you have much more code, and is that better? I HATE shit APIs because of this knock-on effect. And I'm sure many of us have written "sulk code" when we have perceived ourselves in this no-win situation. Or there is always the ball of quick fixes and prototype. If you won't fess up to ever having written shit code, I wouldn't want to work with you, because it makes it much harder to move on and get to the good code.
OpenBSD has been exposed much less than, let's say, Linux. Shouldn't you use a metric like: n_vulnerabilities_detected / n_instance_hours_of_exposure?
I'd rather not. The number of vulnerabilities found per unit of time decreases after long exposures. Apart from that not all vulnerabilities are equal, you need some kind of points system for them.
OpenBSD is used all over the place though, it's had loads of exposure to the internet running all kinds of things. If it had serious flaws they would have come out by now.
Plan9 is in the Unix family, one security alert in 15 years
I never mentioned it because I have no experience with it. But again it's proof that the argument isn't open source vs closed source. It's people that do a good job vs people that do a bad job.
Linux, BSD, Plan9, and so on believe in doing a good job.
Microsoft believe in promising to fix it at the next upgrade.
RAW files aren't the only, or even the most important problem. The problem is colorspace conversions across programs. Can you do that under Linux with a reasonable effort? Honest question, 'cuz I don't know.
Yeah sure. Only open source developers care about their work. Anyone that gets paid wouldn't care enough to do a good job or do one iota more than they are paid to. All hail the open source saints.
I can't say I've written "shitty code"
We know you can't say, and we know you did
this post contain no useful information, no need to mod it down
You can't just put out the worst argument on the other side and claim that everyone who is on that side thinks that way. Most FOSS people have actual arguments why their software is better in itself, even in no-copyright land.
The error is inherent in the act of programming: you are turning vague descriptions into an exact algorithm. Since the vague description can't specify the correct behaviour in all circumstances (if it did, it would be a complete and runnable program in itself), the programmer must use his imagination to try to find the circumstances where the resulting program might behave in an undesirable manner, and decide what it should do instead. Since it is impossible to guarantee that you've thought of every possible situation, you can't guarantee that the code is bug-free.
Of course there are ways to reduce bugs - checking that your inputs are within expected range, checking that memory allocations succeeded, checking that you aren't trying to stuff more stuff to a buffer than it can hold - but in general, any nontrivial program will have bugs. It's not avoidable, and you should plan your systems with that fact in mind (memory protection, sandboxing, firewalling, making core can't-fail-or-system-crashes components as trivially simple as possible, etc).
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
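The three checks the post lists (inputs within range, allocations that succeeded, never stuffing more into a buffer than it holds) applied to a small growable byte buffer. This is an added example, not code from the thread; the names buf_t, buf_init and buf_append are assumptions, and the sample input is constructed.

```c
/* Added example: the post's defensive checks on a small byte buffer.
 * buf_t / buf_init / buf_append are assumed names, not from the thread. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define BUF_MAX_CAP (1u << 20)   /* hard upper bound on what a caller may request */

typedef struct {
    unsigned char *data;
    size_t len;   /* bytes in use */
    size_t cap;   /* bytes allocated */
} buf_t;

/* Returns 0 on success, -1 if cap is out of range or the allocation fails. */
int buf_init(buf_t *b, size_t cap) {
    if (b == NULL || cap == 0 || cap > BUF_MAX_CAP) return -1;   /* input range check */
    b->data = malloc(cap);
    if (b->data == NULL) return -1;                               /* allocation check */
    b->len = 0;
    b->cap = cap;
    return 0;
}

/* Appends n bytes. Fails, leaving the buffer untouched, if len + n would
 * wrap around size_t or if there is not enough room. The wrap check comes
 * first so that the room check itself cannot be fooled by overflow. */
int buf_append(buf_t *b, const void *src, size_t n) {
    if (b == NULL || b->data == NULL) return -1;
    if (n == 0) return 0;
    if (src == NULL) return -1;
    if (n > SIZE_MAX - b->len) return -1;         /* len + n would wrap */
    if (b->len + n > b->cap) return -1;           /* would overrun the buffer */
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

void buf_free(buf_t *b) {
    if (b == NULL) return;
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Fills a 16-byte buffer with 8-byte chunks and then tries to overfill it.
 * Returns the number of appends that were refused (1: the third one). */
int demo_overfill(void) {
    buf_t b;
    int rejected = 0;
    const char chunk[8] = "ABCDEFGH";   /* constructed sample input */
    if (buf_init(&b, 16) != 0) return -1;
    for (int i = 0; i < 3; i++)          /* 3 * 8 = 24 bytes into 16 bytes of room */
        if (buf_append(&b, chunk, sizeof chunk) != 0) rejected++;
    buf_free(&b);
    return rejected;
}

int main(void) {
    printf("rejected appends: %d\n", demo_overfill());
    return 0;
}
```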
RAW files aren't the only, or even the most important problem. The problem is colorspace conversions across programs. Can you do that under Linux with a reasonable effort? Honest question, 'cuz I don't know.
I won't lie. It's not easy, but it can be done. The reason I use Linux is because of my ideological convictions, and because I also work as a web developer and am fully aware of the benefits of open-source model.
There really are half-arsed tools out there that require considerably more effort to achieve results comparable to commercial software, and sometimes you have to chain three tools (including command-line ones) to get the result that would require on Adobe InDesign otherwise. But I also believe that in the end, at least in graphic design, the skill of the user is far more important than the tools, once you reach the point when things are doable one way or the other.
You provide a much more cogent argument than most. It's a tad unfortunate, but there still exist (after all these years) projects that are well known in the F/OSS community which are being driven by rabid nutcases who are absolutely convinced that their product can do no wrong.
Mr Netbook Man: "The Gnome desktop is still kinda clunky, even after all these years."
Me: "I don't know what you mean by Clunky, but I prefer the functionality of Gnome over Windows or OSX any day of the week. Anyway, I like KDE and XFCE more than I like Gnome."
Gnome Developer: Well, at least it doesn't give you 15 different options, none of which are even remotely intelligible. You must be some sort of idiot.
Mr Graphic Designer Man: "Linux still doesn't do proper color management."
Me: "I don't know what that means. You may be right."
GIMP Developer: Nobody needs those features, for the most part you can fudge what you need with X, Y and Z. You must be some sort of idiot.
Mr. Graphic Designer Man: Well, somebody obviously needs them because this isn't the first time they've been asked for. The fudges you suggest make everything take a little bit longer and they don't really work very well. And you won't win any friends by describing random strangers as idiots.
GIMP Developer: They work for me, now f*ck off back to Photoshop because you're obviously a fanboi.
Mr. Graphic Designer Man: Fine, have it your own way.
Not all software needs to be installed by admin.
DRM? No thanks, I'll just get it somewhere else...
UAC was created to fix a problem that was there before by a design problem. If there was no problem UAC would not have been needed.
I think neither the fact that people get paid, nor that most of those working on the same area are from the same company, will help in making Linus's Law 'more true'.
Yes, in general, the more people look at an issue, the more likely it is that someone will spot a bug, if there is one.
But - I give you the following caveats to this:
* people working closely together might reduce design flaws, but not necessarily implementation flaws - knowing specifically what a piece of code is doing CAN stand in your way of spotting subtle bugs in it (because the code more or less reads like what you expect). So, it helps to have more 'independent' pairs of eyeballs looking at the code.
* people not knowing the subject matter inside out are not on par with people who do. People who know how buffer overruns come about are more likely than others to figure out potential buffer overruns. On the other hand, if, say, these people were to look at encryption code, they may see a potential for a buffer overrun, but not necessarily whether the implementation of the encryption routines has a (not totally obvious) security flaw in the way it handles its keys, or whether any s-boxes may be good or not.
So, the more 'subject-matter-aware' eyeballs, which work independently of each other, look at a given code, the more likely you are getting a better review of the code.
I don't think I'm a bad C developer, but I don't think I could spot the majority of the linux kernel flaws because I do not know enough of the design of the kernel and potential interaction of areas of code.
If you go through the official bug reporting channels and file the bug with a project's bug tracking system, after confirming that it is not a duplicate, it is generally quite easy to file bug reports for open source projects, generally with absolutely no hassle whatsoever. I've done it many times.
When you are 'reporting a bug' by getting on slashdot and enumerating the reasons that you prefer photoshop to the gimp, that is the sort of scenario in which open source projects don't take you seriously.
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
GNU/Linux is the platform that suits me better than any of the competition. How on earth is that possible if I'm not concerned about software freedom?
"Because the software is of higher quality" is the only reason that I and many others need, why should I care about freedom in the creation process if the end result is worse?
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
Not necessarily. If its a quick and dirty hack to get something done in a short period of time on a "temporary" basis, then its quite possible the programmer intentionally wrote "shitty code" - and KNEW it was shitty code.
Shitty code by itself doesn't mean much in terms of quality without the context in which it is written.
A quick and dirty hack that is considered shitty by the creator(s) is not necessarily a terrible piece of crap. When the hack is, then there is nothing more to say beyond saying that the hack is shitty.
That is, what matters is intention, awareness and knowledge. That's what differentiates shitty code that inevitably crops up as required hacks in non-trivial systems (that is, engineering trade-offs with a known risk) from what we truly consider shitty code: shitty code written by shitty code monkeys either due to ignorance/incompetence and/or a lack of professional ethics that'd make one not give a shit about quality.
It might seem like trivial hyperbole, but it is a critical distinction to make.
Today, a pithy aphorism was found to be not literally true. Film at 11.
You're right that not every vulnerability is equally serious. However, the reasoning "If it had serious flaws they would have come out by now." is incorrect. A serious flaw might be present, but it might expose itself only in very specific circumstances...
I tend to apologize in the comments when I throw a hack in some code - along with an explanation of why the ugliness is there, and what it solved.
In a perfect world, that would be documented in unit tests, but in 35,000 lines of ten year old Perl? Comments. Lots of them.
Why can't I mod "-1 Idiot"?
It's not that easy. I've had mixed experiences with bug reporting, from bugs being fixed almost immediately or in a day or two after I reported them on the developers' mailing list, to being a mostly ignored bugzilla ticket that will be eventually purged (firefox). It's always easier when a clear test case can be presented, such as a minimal script that reproduces the problem. However not all bugs can be that easily reproduced.
Of course it's still easier and more effective to report bugs in open source programs than closed source. It's hard to even bother reporting closed source programs' bugs, you won't even get past the first line tech support...
Thinking like this is a sure way to add more and more constraining checks and complicated processes, which very quickly become huge hindrances. All this because you ignore the fact that programmers are humans, and humans make mistakes.
I'd rather acknowledge that bugs are bound to happen, and make their detection as quick as possible, and their fixing as easy as possible.
I have never reported a bug in a proprietary app, but I have reported lots of Linux bugs (mostly distro level, or fixable at distro level) because I can follow what is happening, and I know what the (usually good) reaction to my individual report is.
Thousands and thousands of people report bugs in Windows every day. That little pop-up when something crashes ("Do you wish to send a report...") assists in finding and fixing a lot of bugs, I'm sure. You never clicked "Yes" when that popped up?
You can advertise in this sig from as little as £99.99 a month!
How the Hell is that post insightful? It's totally beside the point.
GP doesn't say anything about what the users should do or not do with free software. He just states that Freedom is and should be an important value of F/OSS. (Indeed, if it wasn't, F/OSS wouldn't be.)
Freedom is also freedom to use it even if you don't share its core value.
(\__/) This is Lapinator
(='.'=) copy it in your sig
(")_(") so it can take over the world
Generally, two philosophies exist:
that open source is more secure because it is more rigorously reviewed;
and, that proprietary software is more secure because access to the source code is limited.
While seemingly contradictory, both schools of thought have validity depending on circumstances. Open source philosophy states that open source software cannot rely on obscurity for security — because the source code is transparent, security must be implemented well at the source code level. Also, open collaboration is thought to result in the earlier discovery and correction of security flaws—an aspect of the thesis that “given enough eyeballs, all bugs are shallow.”
Maybe I am burning some karma here, but perhaps you should look at this as a teachable moment! I have worked with programmers like you, and it wasn't pretty. If you teach someone a better way to code something, everybody wins. If you just want to feel superior in your programming skills then nobody gets ahead. Just telling someone that they write shitty code and then not helping them understand why is just wrong.
None of this is a matter of morality
Did you read the post that that post was a reply to? Because that one said that it was a matter of morality. So, yeah, replying to that is relevant.
Context, people!
Administrative users necessary to run most things (MS software or otherwise).
To be fair to Microsoft this is no longer true. UAC asks the user if they wish to elevate privileges when an app does something unsafe. Vista took a lot of flak when UAC appeared (including from myself) but it did force user land applications to stop abusing the registry (e.g. opening HKLM with read/write permissions), writing random files to random locations on disk and other unnecessary operations. The consequence is apps written / patched in the last 3 years run pretty cleanly and if they don't, you get the UAC popup. In practice it's little different from what happens in Ubuntu or OS X in similar circumstances.
Administrative users necessary to run some things (usually specialized software). There are still a lot of special-case (expensive) software packages that require admin privileges. Sure they've got a much smaller number of users, but unless the software opens up low ports or is intended to access restricted file systems, there's no need to require admin access. Some Windows devs are still living in the Win9x days when there was only one user on a system. And what's up with requiring admin privs to "install" drivers just because I changed which USB port I plugged a device into?
The GP's argument - code quality of closed source code projects vs. code quality of open source projects - was based on a wrong premise. That's a rebuttal.
no system-wide color management...(and color managed)
Can someone tell me what this is even supposed to mean? That you can't adjust the color deltas based on your monitor's color reproduction quality like you can in Windows? Is that the complaint here?
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
Firstly, what do you mean ? Secondly, how is this a security issue ?
A lot of Windows Updates require a reboot because in Windows land you can't overwrite files that are in use. This is a security issue as you are still vulnerable to the flaw it patched after you apply the update but before you reboot.
...another specious argument.
The biggest problems in WinDOS aren't the kernel but the userland. A lot of this userland is inherited from 16-bit Windows either directly or conceptually. Unfortunately, Windows is just a little bit more than a VMS clone.
A Pirate and a Puritan look the same on a balance sheet.
Plan9 is in the Unix family, one security alert in 15 years
I tried to figure out how many bugs per production system that is, but I got "division by zero error".
All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
What's the problem with those?
The Tao of math: The numbers you can count are not the real numbers.
Other people have raised points of practicality wrt humans...i.e., that you're going to make things too cumbersome and the like. I'm sure your rebuttal is that that is simply evidence of an imperfect solution to the process problem. The flaw, of course, is that your contention is really only a truism. Humans are involved, and no quantity of process will eliminate all probability of a bug getting through. The only way to know a program is correct is to prove it, mathematically. Not all programs can be proven, so you're limited to writing programs in a style which lends them to proofs. However...even taking those measures isn't really sufficient. Because imperfect humans are still involved. Humans are involved either in doing the proof, or in writing the software that does the proof for you. No matter how many humans you put in that chain of proof, you can not eliminate entirely the probability they all miss something. Given enough time and enough code, eventually a bug will survive, with any process we can put in place.
> Uhhhh...dude? it is an OS and NOT a religion, okay? Why do you think that MSFT has 90%+ of the market? Hint: it is not a conspiracy
No. It's due to the fact that software purchases trap you. What you bought yesterday determines what you can buy today unless you are willing to suffer an extremely large migration burden. This was all set in stone probably before you ever touched your first computer. This vendor lock-in has been going on since when PCs came with MS-DOS.
Nevermind Linux versus Windows. How about MacOS vs. MS-DOS?
Microsoft sees the effect and tries to exploit it. So does Apple.
If OS were really "not a religion" then it would be trivial enough for any of us to ignore the relevant market leader.
Ah, the warm fuzzy feeling I have knowing that I could color-manage my Mac any time I choose. Once I learn what it means.
I’m old enough to remember 16K of memory being described as “whopping”
Mr. Microsoft Program Manager, here's a piece of advice for you: Windows would be a lot more secure and a lot easier and more pleasant to use if you fixed your shallow bugs first. Trust me, there are so many of them, you'll be busy for years to come. Once you have those under control, then talk to us about deep bugs and program correctness and what Linux can do better, OK?
I don't see people joining Greenpeace and saying "Hey now, Genetic Engineering's alright y'all".
I tried, and was rejected. Only difference is that I didn't say "y'all".
Report an open source bug and you get told why you are wrong, or why they can't be bothered to fix it... But if you provide a patch you have a chance of being taken seriously.
Anyone can complain about anything, but taking action and finding a solution is much better received in any situation. I don't see your point.
or how unreasonable you are for demanding they fix your problems.
Demanding that someone fix a problem is generally not acceptable anywhere.
Does your definition of Freedom extend to me being able to keep my source code to myself?
>>> "Given enough eyeballs, all bugs are shallow."... The open source community uses this argument to assert that open source software is more secure than proprietary software.
Shawn Hernan starts off by making the above premise, then proves his own point by ripping his own premise apart... Furthermore his own premise is guilty of massive overgeneralisation and incompleteness.
He's clearly trying to get readers to subconsciously associate that this is the ONLY reason why Linux is more secure than Windows, which is baloney. Linux starts out with a much better security model. From the get-go, UNIX (which Linux is based quite directly on) was intended to be a multi-user system. Windows has been a continual kludge of disjointed evolutionary decisions rooted ultimately in single-user DOS.
For real proof, let's just consider directly the actual relative security records of the software itself. Consider the number of Windows security holes compared to Linux. Or just about open source projects generally; let's just start with IE and Firefox.
Clearly his own initial premise is so faulty, and is the only basis of his whole article, that his whole article is invalid. Its actual purpose seems clear.... it is (not even very well done) misdirection to promote FUD in those who are not technically savvy, with the side benefit of allowing him to be seen kissing Microsoft butt in public.
And how does your ideology countenance that you're spending your clients'/employer's money on the extra time you spend using a non-optimum toolset?
If someone who was building me a house took an extra five weeks to build it because they had a personal issue with the monopolistic hammer makers, and so were using a selection of not-quite hammers, I'd think them petty and unprofessional.
I'm for open source software ( and against Adobe's monopoly ), and use it where suitable, but it provides far from the best tools for graphic design in general and in most specifics.
Given two graphic designers of identical skill, the one who spends most time having to think about/get tools to work is the one with the least time for design, and therefore produces work of a worse quality.
Bugs are an error in the process, not the code.
Bugs can be an error in the process or the code. An example of a code error (in a BASIC snippet to make it simple)
100 a=b+c
110 d=a+c
120 if d=100 gosub 1000
The error is that it should be comparing a to 100 rather than d to 100. A bug can be a simple typo; the a is one key away from d with only s between them. True that most code won't even run if there is a typo, but if the compiler or interpreter sees nothing wrong with the syntax, or sees no other errors, it will run, but give the wrong result.
Free Martian Whores!
I've met quite a few people who write shitty code, know they write shitty code, don't care that they write shitty code, have no interest at all in improving, and will continue to write shitty code until a dismissal or death finally intervenes.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
But then again, you get what you pay for so... oh wait
Scam artists count on your believing that you get what you pay for. And how much did you pay for the air you're breathing?
The deepest bug of all is the idea that you can write trustworthy code. Look at how long the integer overflow lurked in the merge sort. Until we get rid of the need to trust code with everything, and build systems that only supply the minimum capabilities required to do a job to a given program, we're not going to have secure computing.
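The midpoint overflow the post alludes to, in an added example that is not from the thread: the classic `(lo + hi) / 2` beside the overflow-free `lo + (hi - lo) / 2`, used inside a small merge sort. Function names (mid_naive, mid_safe, merge_sort) are assumptions; the wrap is shown on unsigned arithmetic because signed overflow is undefined in C.

```c
/* Added example: the midpoint overflow that has lurked in merge sort and
 * binary search implementations, and the overflow-free form. All names
 * here are assumptions, not code from the thread. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Classic form: lo + hi can exceed the type's range even though both are
 * valid indices. Shown on unsigned so the wrap-around is well defined:
 * for lo == hi == 0xFFFFFFF0 it yields 0x7FFFFFF0, which is below lo. */
unsigned mid_naive(unsigned lo, unsigned hi) {
    return (lo + hi) / 2;
}

/* Overflow-free form: hi - lo cannot wrap when lo <= hi, and adding half of
 * it back to lo stays within [lo, hi]. */
size_t mid_safe(size_t lo, size_t hi) {
    return lo + (hi - lo) / 2;
}

/* Merge the sorted runs a[lo..mid) and a[mid..hi) via scratch space tmp
 * (at least hi - lo ints). Takes the left element on ties, so it is stable. */
static void merge(int *a, int *tmp, size_t lo, size_t mid, size_t hi) {
    size_t i = lo, j = mid, k = 0;
    while (i < mid && j < hi) tmp[k++] = (a[j] < a[i]) ? a[j++] : a[i++];
    while (i < mid) tmp[k++] = a[i++];
    while (j < hi)  tmp[k++] = a[j++];
    memcpy(a + lo, tmp, k * sizeof *a);
}

static void msort_rec(int *a, int *tmp, size_t lo, size_t hi) {
    if (hi - lo < 2) return;                 /* 0 or 1 elements: already sorted */
    size_t mid = mid_safe(lo, hi);           /* never below lo, never above hi */
    msort_rec(a, tmp, lo, mid);
    msort_rec(a, tmp, mid, hi);
    merge(a, tmp, lo, mid, hi);
}

/* Sorts n ints in place. Returns 0, or -1 if the scratch allocation fails. */
int merge_sort(int *a, size_t n) {
    if (n < 2) return 0;
    int *tmp = malloc(n * sizeof *a);
    if (tmp == NULL) return -1;
    msort_rec(a, tmp, 0, n);
    free(tmp);
    return 0;
}

int is_sorted(const int *a, size_t n) {
    for (size_t i = 1; i < n; i++)
        if (a[i - 1] > a[i]) return 0;
    return 1;
}

int main(void) {
    int v[] = {9, -3, 7, 7, 0, 42, -100, 5};   /* constructed sample input */
    size_t n = sizeof v / sizeof v[0];
    merge_sort(v, n);
    printf("sorted: %d\n", is_sorted(v, n));
    printf("naive mid(0xFFFFFFF0, 0xFFFFFFF0) = %#x, safe = %#zx\n",
           mid_naive(0xFFFFFFF0u, 0xFFFFFFF0u),
           mid_safe(0xFFFFFFF0u, 0xFFFFFFF0u));
    return 0;
}
```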
And that's a key point. While open source programming will never eliminate bugs, it certainly enforces a certain amount of discipline. I've been following the Linux KVM list for a few weeks, and oddball code is called into question constantly. It seems to me that an open, collaborative process where essentially anyone anywhere can pop open your code does encourage better practices than keeping everything behind closed doors, where only a relatively insular community can or is even willing to look at what you're doing.
The world's burning. Moped Jesus spotted on I50. Details at 11.
Mod parent up.
It matters not whether the eventual product is open or closed. More eyes makes Torvalds' statement true: it does make the 'pond' of code more shallow. It does so also because along the code tree, a hierarchy of coders looks at broader and broader parts of the kernel to understand how elements link together. Linux has a modularity of design not difficult to understand. Few people will look deeply across the entire kernel, yet others will look at 'their' subsections, like disks, devices, filing systems, processor ports, lean distributions, and so on, knowing that other parts of the kernel are (hopefully) nice and tight.
---- Teach Peace. It's Cheaper Than War.
Even intelligent people without a direct interest in, or need to learn about, computers find even OSX and modern Windows difficult as soon as they have to do something unfamiliar.
The iPhone/iPad + apps interface has it closer to correct for most people, personal documents aside, they don't need or want access even to the filesystem.
I do, of course, but I feel it's starting to become a minority viewpoint, and maybe the success of Linux will be that in the near future it's the best way to have what we now regard as an OS.
Of course not. It's total BS.
All you need for evidence is the readdir bug that began in BSD and was there for around 25 years.
Bugs are an error in the process, not the code. If you find a bug, you need to find the process error that allowed that bug to occur.
Assuming this were true, then switching to safer programming languages would not affect the security of the output. Of course, switching to safer languages has been shown to improve security, thus your premise that bugs are not a property of code is false.
Higher Logics: where programming meets science.
Absolutely.
Of course if it's GPL licensed you'll keep the binaries to yourself while you're at it.
Or do you mean does his definition of freedom allow you to profit from the work of others without allowing them the freedom they allow you?
Watch this Heartland Institute video
Before GNU there was BSD. Opensource existed before GNU. On the other hand even Linus isn't the kind of extremist as RMS.
Yeah sure. Only open source developers care about their work. Anyone that gets paid wouldn't care enough to do a good job or do one iota more than they are paid to. All hail the open source saints.
But of course paid developers sometimes care about their work. The same goes for any paid job. If one's lucky enough. But it's far from common.
Mr Graphic Designer Man: "Linux still doesn't do proper color management."
Me: "I don't know what that means. You may be right."
Funny that you mention that; I've thoroughly compared several CMS engines, from Adobe, Apple, Esko (formerly Barco), Efi (makers of the Fiery) and LittleCMS (the OS CMS used everywhere Linux needs color management). Believe it or not, LCMS was right there with Efi on quality, a little better than Adobe, and waaay better than Esko (Apple was erratic, it seems to be a modification of Efi's engine). And it ran circles around everything else in terms of performance and resource utilization.
So, quality _can_ be better on OSS, but it won't dispel long held myths.
-Kz-
So if I understand this correctly, Microsoft -- who can't seem to get the bugs shaken out of its products, who can't seem to release anything that doesn't require a security patch in the first few months of its life, who can't seem to stop the buffer overruns and associated "old" problems from crashing their software -- has an opinion of how some other OS is developed, and wants people to believe that the competitors' development model is wrong?
Wow. Just wow. I didn't realize clueless meters could go that high.
Up until recently, Microsoft's code vetting procedures were so bad that in the past, developers snuck WHOLE GAMES into Excel. How the hell do you miss something like that in a code review? I'm of course assuming that this type of behavior would not be condoned at Microsoft; maybe it was, and that's part of the problem.
And how much did you pay for the air you're breathing?
Hey, this is primo stuff!
When you're afraid to download music illegally in your own home, then the terrorists have won!
Actually I was giving criticisms of the literal "NT" kernel.
Having been there when NT was thrown together (in 1991 - it's STILL the same code today), there was no proper development cycle whatsoever. It was and remains a particularly dirty hack. MS haven't had a proper product since its inception. The kernel was unmaintainable from the day it escaped (it wasn't released!), and all MS have done since is polish the same old turd. It still suffers from ALL the flaws it had at first - including some interesting race conditions that were never fixed.
It all stems back to some spectacularly stupid Gates demands. The man was, and remains, a moron (albeit, a rich moron). It has never ceased to scare me that such a large proportion of the world's computers have MS crapware on them....
You're right that not every vulnerability is equally serious. However, the reasoning "If it had serious flaws they would have come out by now." is incorrect. A serious flaw might be present, but it might expose itself only in very specific circumstances...
Of course. But it's safe to assume that it's less likely than finding another serious flaw in something which has a long history of serious flaws.
Want to take a bet? I bet you the next 'remote execution of arbitrary code' won't happen in OpenBSD.
Hi Mr. Troll! Can I call you Trolly? It is actually simple, Trolly: if one is comparing various OS companies, spelling Microsoft out several times is pointless, whereas MSFT allows everyone to know of whom you speak without having to devolve to pathetic name calling like "Windblowz" or "M$", or, like yourself, who can't come up with even a single point you can argue against and instead devolve into using lame insults like the 14 year olds playing Halo.
But hey, I'm sure it isn't very fun to have to look in the mirror and know that nobody wants to play your little reindeer games, that not a single major store in the entire USA will carry your product due to paperweight roulette and what a royal PITA it is to shop for, and that even with a cost of $0 you simply can't compete because a major faction controlling the design and outcome of your product treats it as a religious icon instead of an OS. So I can understand how frustrated and impotent that must make you feel.
So when you can figure out how to string more than a few dirty words together or...ohh what is it called? Oh yeah, actually have a conversation, feel free to come back and try again. Until then please accept this total loser consolation prize of a year's supply of Rice-a Roni, the San Francisco treat!
ACs don't waste your time replying, your posts are never seen by me.
OSS development works. Whatever happens it is adequate, even innovative. So his view doesn't seem to fit what has been working for OSS. You can only attribute that to bias. He's 100% biased and nothing he does or says can possibly matter.
You can lead a man with reason but you can't make him think.
Most of Microsoft's problems when it comes to security are design issues.
Most of Microsoft's problems when it comes to security are the shitty third-party software packages used/installed by end users.
For example, pretty much every single reason that Windows might show the UAC prompt (outside of installing software/hardware, of course) has been bad practice since somewhere around Windows 2000. That, of course, doesn't stop software shops from building bad software and telling users to disable UAC to compensate.
Now, whether the design of Windows is flawed in that it allows this in the first place is open to discussion, but my argument is that a Windows machine COULD be secure if the users didn't have to disable all the security measures to get their crappy software to run.
Karma: Poor (Mostly affected by lame karma-joke sigs)
No. It's due to the fact that software purchases trap you. What you bought yesterday determines what you can buy today unless you are willing to suffer an extremely large migration burden.
I like how you slipped in the "purchases" and "bought", as if free software doesn't have this same effect.
To rephrase your bias into something rational:
It's due to the fact that software traps you. What you used yesterday determines what you can use today unless you are willing to suffer migration pains.
In the end, Linux is not free. It's certainly free as in not spending a dime, but even if I were to wholly embrace Linux and accept the lock-in, the damn thing just isn't as user friendly and the software ecosystem is a lot smaller. The Win7 OEM costs about $100. I make $25 per hour. Over the typical 3 to 4 year lifespan of my main desktop, I will certainly save myself at least 4 hours of my time by choosing Win7.
"His name was James Damore."
Most people know when software is free or not. Or rather, they know when they have to pay for software.
So if you are actually wanting to convert followers to your OS/religion/whatever? hate to be the one to break the news but compromises will have to be made.
Sure, but what about those of us who don't care about increasing market share? My family uses OS X, and every time I try to set something up for them, I have to guess and click on a bunch of largely undocumented buttons and menus. Since the programs are closed and don't cooperate with other programs, I have to learn each program individually (including completely redundant functionality like exporting compressed archives) instead of just learning the new things that program does that I can't do with other tools.
This is perfectly fine for them, but I'm concerned that this rush to market Linux to the masses will do the same thing to Linux. Personally, I don't much care if joe six-pack uses windows or mac os x, I just want to keep being able to type '$ man <whatever>' then write a shell script to do what I want with the tools I know. With free software (that stays free via copyleft), I can be reasonably confident that my operating system will stay open and easy for me.
Yeah sure. Only open source developers care about their work. Anyone that gets paid wouldn't care enough to do a good job or do one iota more than they are paid to. All hail the open source saints.
Someone working for a company cares about what the company pays them to care about. If they spend time on something the company doesn't want them to, it will cause them to get a bad review and/or fired. A company paying someone to make open source software is going to care more about the code being clean than a company paying someone to make proprietary software. This is because with open source software many more people will see the actual code than with proprietary software, and shoddily written code will reflect badly on the company.
None of this reflects on the work ethic, morals or ability of either the open source programmer or the proprietary source programmer. It is possible for these to be the same person and the analysis still applies.
The truth is that all men having power ought to be mistrusted. James Madison
Files being locked instead of writeable by admins is indeed inconvenient... that's why Windows machines need reboots for things that Linux machines don't... but that's hardly a design flaw that causes security issues.
I don't know about Ring 0 not being protected from Ring 1, but that sounds... unlikely... to me. Are you referring to a specific issue, or ...? Either way, I was under the understanding that modern versions of Windows only use Ring 0 and Ring 3.
Not a single software package that I run needs admin rights (er, well, Mass Effect does, I think, but is that MS' fault?) and certainly Microsoft's software doesn't. Would you care to back up your assertion with a single concrete example?
Windows uses the same networking that any other modern OS uses. Even if it might still have NetBIOS running, it's hardly necessary, and it runs over TCP/IP nowadays (and has for a long time).
A lack of testing isn't a design flaw, it's a process flaw. Still a flaw, but we're talking design flaws here. Any number of Linux (or MacOS, or BSD, or ...) kernel bugs "should just never have happened" as well. In a perfect world, none of them would...
Oh, thank you. Now I got it. I don't usually fix other people's bugs, I just nag about them, so this didn't occur to me :)
You don't know what you don't know.
Microsoft has 90% of the market because of what they did in the late 80s and through the 90s that resulted in them becoming a convicted criminal monopolist. Please read up on that era and watch how those things play into how software development is so complex that once you commit to one you will almost never put the resources into any other, even though they may be viable. Software today is not a democracy. It is a dictatorship. OSS is the only free choice you have. That's not an extreme view, that's the reality of developers, developers, developers.
Does a jailed inmate still consider himself free if he is jailed in the US?
You assume the discussion is about freedom for most people. End users and businesses in the end usually only care about cost of software + support.
There's nothing unethical about not being able to change MS software, although I seriously doubt they'd come after anyone that changed it only on their computer. Can you provide an example of where that happened?
There's no inherent reason you should be able to provide MS software to your neighbor anymore than you should be able to provide a photocopy of a book or a copy of an entire CD to them.
There's nothing wrong with not being able to "improve" their software either. Its a limitation, sure, but there's no ethics issues involved.
You can point out freedom all you want, but the points you discuss are irrelevant to most people, and they'd rather have something that works well. Yes, I ran Linux on a server for 10 years, and desktop for two. I CHOOSE to pay for Windows again because it worked better than Linux, and I don't care about your talking points.
That the company which has *never* shipped an exploit-free version of Internet Explorer has something to say about security.
It's hard not to troll. Honestly, providing constructive criticism is difficult to someone so lacking in prudent judgment. But here goes, in the hopes that someone reading this at Microsoft will actually pay attention:
The society for a thought-free internet welcomes you.
If we were talking XP and OSX 10.0, I would agree with you, but I was talking about the latest and greatest from all camps, which means Snow Leopard, Windows 7, and Ubuntu 9.10. While all three on first glance would appear to be equal, in actual usage SL and Win7 are just more intuitive and GUI based than the latest Linux, which IMHO quickly runs back to CLI at the first sign of trouble. Examples: I switched my 67 year old father to Windows 7. Later on he buys a camera but doesn't know how to set it up. He plugs it in, Windows asks him if he wants to have the camera set up, he chooses yes, and it is all done for him. Since giving dad Windows 7 he has not once had to call me with a problem, because Action Center and the Internet based troubleshooter have walked him through the few times he has had a problem. No CLI, no guesswork, all just simple and easy. My MacBook using friends? Same thing, all easy and intuitive GUIs all around.
Now compare to my last experience with Ubuntu 9.10. I install it, which while having a nice live CD was a more complex install than Windows 7 which was two clicks and go make a sandwich. Ubuntu doesn't really give a good explanation of how Linux partitions should be set up and for those without experience in that area I imagine it would be confusing, especially compared to Windows 7 where no less than 3 of my most clueless relatives were able to upgrade themselves from XP to 7 without my help.
Then upon first boot I find I have no sound, so I do what you are always told to do, search the forums even though that would not be obvious to a new user-strike one. Upon reaching the forums, what did I find? Page after page of "fixes" that if you don't understand Linux commands might as well be gibberish and I have found often need to be "tweaked" for your specific hardware. All answers started and ended with "open up bash and type". No GUI help to be found. Strike two. After finally getting sound sorted out (which if I didn't have IT experience and was comfortable using CLI and understood the commands being given would have most likely been impossible) I run updates as I would suggest for any OS. Upon reboot I have nothing but a black screen. It turns out that sometimes there is a "bug" in Ubuntu where if you have an onboard GPU plus a discrete GPU Linux can refuse to use the discrete, but plugged into the onboard I was likewise black screen. The solution? Booting into single user and yet more CLI commands! Strike three and you're out!
As a PC retailer, every new version of Ubuntu I install on a few machines to evaluate with the mindset of "can my customers use this without constantly calling me?" and every single time I am sadly disappointed. If you are a CS grad, have IT experience, or are willing to sit down and read lots of man pages and learn plenty of CLI, well then Linux is for you. That adds up to about 0.00001% of the population at large and exactly 0% of those that walk into my shop. With SL and Win7 it is simply easier for the customer, with lots of hand holding, nice GUIs for everything, and shopping for both is a breeze. Not so with Linux, which at the slightest hint of trouble runs back to CLI and for which shopping is frankly a nightmare with NO way to tell in the store if anything will work or not.
And in the end the customer doesn't care WHY it doesn't work, they just know it doesn't. That is why unless fundamental changes and compromises are made I just don't see Linux getting any more market share than it has, except in places like cellphones and kiosks where the customer is basically locked down into a black box and can't do anything the developer didn't intend. And that is why stores such as mine as well as the big chains like Walmart and Best Buy don't carry your product, because the after sale support would eat away any savings over the cost of a Windows license and more. And without the sales and support network I just don't see Linux gaining any real share, as most normal folks aren't gonna trawl forums or read man pages for hours, they just aren't. Sorry, and I do hope that Linux gets better in the future, but as it is now Linux is just a more expensive proposition than Windows and OSX from a retail standpoint.
Reporting a bug is pretty easy in MS-land: http://connect.microsoft.com/
You get to vote on issues, comment, see responses from engineers, etc. Kinda like you'd expect.
* File Locked rather than writeable by administrator for upgrade purposes.
That's a design CHOICE, not a design flaw. It's also irrelevant, because you still need to bring down the affected services on Linux too for the patch to take effect.
* Ring 1 or higher code being able to write to Ring 0 locations.
Only when done by an administrator... otherwise updates would be difficult, would they not?
* Administrative users necessary to run most things (MS software or otherwise).
Most MS software (all currently sold products?) does not require admin access to run. Third party software which is badly written is much to blame here, and MS has been attempting to force the issue with things like UAC.
* Proprietary networking.
Not a design flaw, and vague too. At any rate, proprietary does not mean bad design.
* Lack of regression testing (LAND should just never have happened).
Wow... need to go back to Win95? Which by the way isn't part of the NT kernel line.
So by my count you're still at zero. Want to try again? Or is there a reason you could only even conceive of five very poor attacks?
Unfortunately, Windows is just a little bit more than a VMS clone.
Man you say this like it is a bad thing. If Windows were a VMS clone, it would be bulletproof, stable, usable, but really expensive.
Wait...
I'm dating myself, but I used to love VMS.
I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
Yes, you should eliminate the part of the process that says "insert bug".
Seriously, it's not helpful to say it's a process problem because we haven't defined a process comprehensive enough to prevent all bugs, and we never will.
The idiot argument isn't played much today in the OSS arena, and to think that the idiot argument is unique to Linux is to prove the idiot argument is sometimes apt. The reality of it is that the number of Windows users called idiots vastly exceeds the number of people being called idiots in OSS. Nowadays, if there are issues, it is the bug report trap hell more so than the idiot accusation. The report trap hell is where you report a bug and it is immediately denied until someone confirms it, then you are entitled to receive emails about that bug that you reported 9 months ago.
And to the graphics designer. Well, 70% of those using Photoshop haven't paid for the $700 program, thus showing why we need free software alternatives.
The accusation of the idiot claim in the OSS world is just an exaggeration of what used to happen long ago, only today it is used as a tool by those who have something to lose as OSS advances. Just as the bias of this blogger demonstrates.
a developer working toward a fixed financial reward is not sufficiently motivated to produce quality code.
Bullshit. A developer working toward a fixed financial reward is NOT NECESSARILY sufficiently motivated, but neither is a developer working toward a non-monetary reward.
We all have our own thresholds of motivation, and some of us doing it for cash also just happen to love it and do it well because of that.
Not true. I reported a bug in AVG when Vista was first RTM'd. Over a couple of dev cycles and several emails to their tech support the bug was ironed out. Closed source on a closed OS, and the bug reporting/fix cycle worked just fine.
You can't win Darth. If you mod me down, I shall become more powerful than you could possibly imagine
Absolutely right. The author seems to be making the argument a lack of pay implies a lack of skill.
But lack of pay can imply lack of time - and resources.
If you are working a full time job - and paying attention to your wife and kids - you are not going to have endless hours free to study and debug someone else's code.
You are not going to have endless hours free to write and debug your own code.
There will be very real limits to the size and complexity of your projects.
There is even a simpler argument: This FOSS fan likes linux for my dev work because it's free, it works, and I like the unix system. There is no morality here - I just use it because it works. I'll use proprietary software without thinking twice (tax season, anyone?).
Sure it can -- if those additional eyes report mostly "non-bugs" (items they think are bugs but that are not in fact bugs, but result from user error/failure to read or understand what the behavior is supposed to be/etc.) then investigating and closing those false positives can take time away from investigating and fixing the actual bugs reported by others.
Actually, yes, I want to take a bet for let's say 100 USD (or EUR if you prefer). Is the amount OK with you? How should we set this up?
More properly, bugs are an error in the execution of the process. They will not certainly be an error in the process itself until we are able to write the software equivalent of the universal constructor, the software that can write all software.
Flaws in process can, however, encourage execution errors.
All the typical user can do is describe the bad behavior. The fact that they have source code (if they downloaded it at all) doesn't help.
You rarely see "moderate versions" of the claim, so he's no more guilty than proponents typically are.
The whole point of color management is that you don't have to do anything. The OS takes care of presenting consistent color across different applications, different monitors, and different printers. All that's required is that the OS has a ColorSync profile for the relevant device, and these are provided by hardware manufacturers (like Apple, Epson, HP, etc.) and installed along with driver software.
There are differences in bugs.
Some bugs are just simple programming mistakes, but some bugs are major design mistakes that can be very hard to drill down to and resolve.
And the major design mistakes aren't always evident until you put a system under stress with multiple users.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Except for a really simple program, we cannot produce "perfect" software and there is provably no way to validate that the software is error free. So, we can't know if something is perfect even if in fact it is. If it is perfect, we will likely have a % of users that will have perceived "bugs" (user error) as well as possibly a few developers who think it can be perfected further to address the complaints of those users (or imaginary ones or themselves) and soil an otherwise perfect program.
Vast numbers of "bugs" that are really just user error and misunderstanding - which one can subjectively blame on interface design - the perfect program would handle everything thrown at it according to specifications. The specifications would be extremely detailed and also would have to be perfect.
There are 3 sides:
human requirements (flawed; vague; not clear on specs)
human interaction (really flawed; larger group)
implementation "bugs" (most are shallow - come on, we all know programming is mostly debugging.)
Democracy Now! - uncensored, anti-establishment news
I'm sort of agnostic about the whole software choice thing - I use Linux, Mac, and Windows for various things. But the linked article is such self-serving bullshit it's hard to take it seriously.
Why do you think that MSFT has 90%+ of the market?
They don't. There's a whole world of computing out there beyond laptops and desktops. When it comes to embedded and server devices, Linux is kicking ass.
The majority of the population want pretty pictures controlling their computers, there's no doubting that. Aside from basic office apps, the PS3 could probably handle most of their needs (web browser, movies, pictures).
But when you want power, a GUI can't cut it. Sometimes you need to see the guts. And that's when Linux shines. It's not for 90% of the population. It's the perfect tool for devs and admins.
If some company wanted to put forth the effort, they could probably put together a decent Linux UI that was easy to use for your average consumer. And they have. People use Linux more often than they know - in their cameras and cell phones and assorted other gadgets. The UI is so prominent that without special tools it's *impossible* to "open up bash and type...".
Last post!
Fail in the first paragraph. The million monkeys argument is speaking of random output. The many eyeballs argument is speaking of skilled actors. By calling them the same he is implicitly insulting each and every person who does any sort of security review on Free software.
Next point, he wants to reduce the problem to number of hours spent. I would argue that independent security review hours are worth a lot more than hours spent by people who "know how it's supposed to work" for the same reason you should always have someone else proof-read your paper. If you've already drunk the kool-aid, you won't see the flaws.
He is correct that Free software does not tend to get a compartmentalized review. That is, there are few if any who ONLY review code. Instead, developer A reviews developer B's code while understanding the changes so that he can continue to do his work. At some point, developer C will review A and B as he gets up to speed to do what he wants to do. A and B will end up reviewing that work should the patch be submitted. It is certainly a less formal process.
The biggest advantage to the Free software method is that there is no company line. Nobody can demand silence on a security problem that would screw up the release cycle with an empty promise to fix it later. Nobody can slip in an update to fix (or paper over) a horrific undetected flaw in a patch to add a printer driver. Anyone who wants to know about it will know about it.
Interestingly, he sort of touches on that at the end. When DHS decided to have Coverity do a 3rd party audit, there was no need to gain special permission or special access to anything. It was all there ready for them. Here we have proof that the ability of anybody at any time to do whatever analysis they want is not merely theoretical. It happens in the real world.
"The boomers need to retire and pass the baton to a new generation of computists."
Perhaps I can pass this along at the next boomer geek meeting.
Seriously, geeks in my age group have a lot of diversity of opinion and we aren't all thread-happy. As far as retirement goes, I'd Dig it as long as you Cats bring me enough Bread.
I much regret that the idiot argument does still take place today. I wish it didn't (it almost invariably makes the person who's making the argument look like a wanker in public) but IMO it's still not dead.
On the positive side, I would say it's hanging over someone's shoulder with a body collector about to go past calling "Bring out your dead!"
There's nothing wrong with my post. I lived through that era. Are you an employee of Microsoft? Are you a paid poster? Do you know you can be fined $10,000 for every infraction if you don't post that you are being paid to astroturf?
My comments are on point and apt. Clearly you might not understand what I'm writing and clearly from your other "troll" posts you are trolling.
Well it's a summary of a rebuttal, it just doesn't contain any substance.
An analysis cannot rely on luck, though luck may be a pleasant surprise. If all developers loved it and could do it well, then by extension, all code could be open sourced and no one would steal it; this entire discussion is moot.
Open Source has a distinct, tangible effect on the developer's motivation, because her product is her code. Closed Source can't affect the developer this way, because her product is "finished software," which is an acknowledged impossibility -- source: The Mythical Man-Month.
You mean you want me to stop. The best way to deal with people's posts that you don't like is to get enough insightful posts that you get mod points and then do some moderation (within the bounds of what the moderation system was designed for). The other alternative is that you just don't read them. My best suggestion though would be to educate yourself on the era that brought us to where we are to day--learn history so you don't repeat it, so to speak. Another alternative is to move to digg.com.
I have been wondering, at least within the scope of this thread, whether there are a number of people that read Microsoft's retort to the NY Times article where they claimed Microsoft had never sufficiently overcome the stigma of the anti-trust case, and are now making a concerted effort on their behalf to assist. This is just a thought, not a conclusion, so do go berserk on it, heh.
The kernel was unmaintainable from the day it escaped
What do you mean by unmaintainable? How can it be unmaintainable, yet still be in use to this day?
It still suffers from ALL the flaws it had at first
Got any details?
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
I just saved my employer roughly $5,000 in licensing costs by using a Samba server as opposed to buying Server 2008 and a whole bunch of CALs. I probably saved my employer at least $5000 by using Linux KVM for virtualization rather than going with VMWare. Yes, in both cases, it takes a bit of set up, it might not be so polished, but at the end of the day, both systems are under reasonably heavy load, have had few problems to speak of (certainly no more than I'd expect from Windows or VMWare servers), so I'm happy.
As to OpenOffice, yes, it isn't as polished as Office 2003, but one thing I've noticed is that I don't have to cook the Office registry keys every few months on my users' profiles because something goes completely braindead and Word starts crashing. What's more, because the licensing is cheaper (as in free), I don't expect quite the polish, but you know what, for about 95% of the documents I create, it works more than adequately.
What's missing out of your type of evangelism, as much as an open source advocate's evangelism is that software is a tool. If Vista is what the customer wants, it does what they need, and they don't mind the price tag, then I install Vista. If they come to me and say "We need a straight file server", why would I try to sell them a copy of Server 2008 and a bunch of CALs, when I can deliver just as reliable a server for considerably less? If you lock yourself into just one single vendor, even if it's mighty Microsoft, you're probably screwing at least some portion of your customer base. And for what? So you don't have to spend 15 minutes editing smb.conf?
The world's burning. Moped Jesus spotted on I50. Details at 11.
In practice, even difficult bugs are usually only second order. Plus disciplined programming using strongly typed languages helps a lot. So one could perhaps claim that "all bugs should be shallow" and that any failure to be shallow is in fact a tools failure.
The other fly in this ointment is that a lot of bugs happen because of incomplete specifications. Before you can find the bug you have to first recognize that the spec is incomplete. For new code, there may be no person who can recognize that. Of course you can quibble the hard ones in this category away by relabelling them "feature requests" but some of them result from building in constraints that are inessential to solving the problem at hand, and those are really bugs.
Squirrel!
I'm a strong proponent of a writer-editor style dichotomy with source code. Namely, there is one person writing the code, and one person whose sole job it is to look at the writing before it goes in. This doesn't catch everything of course... real publishing doesn't catch everything either.
But think about the last time you saw a comma misplaced in a major publication, and you'll start to get the idea behind this method.
WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
What's missing out of your type of evangelism, as much as an open source advocate's evangelism is that software is a tool.
Note to self: Linux zealots imagine evangelism whenever someone questions the logic of choosing something other than Linux from a strictly rational cost/benefit point of view.
If I choose Linux, I spend hours searching for properly supported hardware whenever I want to upgrade or add anything. If I choose Linux, I deal with limited choices in software which often forces more work on me. My time is worth $25 per hour. The cost of OEM Win7 isn't anything at all in comparison to the amount of time I will have to waste running Linux as a desktop OS.
I reported a proprietary bug. To Microsoft no less. It was several years ago. I reported to MS that MS-Money couldn't add correctly. I even walked the tech support guy through the process, where I showed him that if you saved 100k a year, MS-Money would show you as having saved a whopping 80k after 10 years. The tech support acknowledged the problem, and confirmed that it was reproducible on his end.
The result? About 4 weeks later, a message was left on my answering machine saying that since I wasn't home, they were going to close out the bug report. Needless to say, I don't use MS-Money any more. Of course, since MS has now officially given up on that product, no one will be using it much longer.
Note to self: Microsoft evangelists know jack-shit about Linux.
I have had few problems installing the latest versions of Ubuntu on my rather annoyingly difficult HP notebook with its goofy Broadcom drivers. By the same token, I have spent the better part of an hour trying to find appropriate drivers for similar notebooks (and don't get me started on when HP's universal print driver goes kersplonk).
This idea that somehow Windows is this insanely excellent platform, and that all the software for it is easy to use is just a load of crap. What I notice about most Windows-only admins is that they frankly don't know jack-shit about computers beyond this very limited ecosystem. They have no malleability, no adaptability, no capacity to ignore the boot up logo and deal with problems and come up with reasonable solutions.
I'm not any kind of zealot. I'm a guy who has worked with everything from old DOS 3.3 systems running LANTastic and Xenix servers to Server 2008 and VMWare, and the one thing I like to think is that I can learn new systems with relative ease, and can offer my boss or my customers solutions that fit their needs and their budgets. If they have the budget for Microsoft servers and CALs then that's fine, but these days I'm getting people asking me questions like "How can we get away from large licensing budgets".
I charge $50 an hour for my time, minimum. I guess that's what the extra $25 gets you, someone who isn't just a Microsoft drone who can't even use dpkg to install a driver.
Need to agree with you.
I worked for a company that believed that mantra. We spent lots of time and money on developing the perfect process. The only problem was we didn't have the process required to define that perfect process.
Let's see, the guy builds a tool (Sardonix) to help with code review. Nobody wants to use it. Clearly this means that Open Source enthusiasts aren't willing to do code review. It couldn't be something simpler, like, say, the Sardonix model not working or the tool sucking. It's clearly the fault of the users.
Yeesh, that's the kind of game-winning strategy that'll keep bringing in those DARPA grants (again, I only know what I read in the article; it may well be that the Sardonix folks *did* assume that they needed to change their approach and the author of this piece is just blowing smoke).
I use Drupal to build Web sites. I don't understand it well enough to actually submit bug fixes. But if I do experience a problem, I can view the code directly and try to identify where in the code the error originates. And, other people experiencing the same error can see my bug report, and vice versa.
"Typical" is way too vague a term. There's a huge range of capabilities between clueless noob user and expert coder, and an open source model eases collaboration across that full range.
If you go through the official bug reporting channels and file the bug with a project's bug tracking system, after confirming that it is not a duplicate, it is generally quite easy to file bug reports for open source projects, generally with absolutely no hassle whatsoever. I've done it many times.
So have I. More often than not, in fact a LOT more often, the bug then goes un-triaged for 4-6 months. Sometimes the bug never gets looked at *years* later. Occasionally, it'll be looked at and commented on, but still not fixed years later.
Sometimes, like in Notepad++ and MySQL Query Browser, the developer completely misunderstood the bug and replied with an idiot workaround that didn't even come close to addressing it. I call out these guys by name because the experience sucked so much, and the bugs were trivial. (Notepad++'s bug was in menu handling code-- menus have been a solved problem since 1984! MySQL Query Browser was using Control-A for something other than "Select All" on Windows.)
I know a lot of people have trouble reporting bugs to proprietary software companies, but I've done this twice and in both cases it was fixed in the next version. (One was Apple, their Address Book program claimed to support a cell phone model it didn't actually support. One was Microsoft, a bug where SQL Management Studio windows would open off-screen under some circumstances.)
So my proprietary bug-fixing record is 2/2 (I know; not typical), where my open source record is closer to 1/20.
All I'm saying is that while proprietary software can be highly useful its value stops at its usefulness. You can use proprietary software to do things or to learn how to use it to do things, but you need open source software to learn how it works and how to make it better.
Proprietary software is essentially the same thing as open source software, just with protective business process rules restricting its use. It would be like the sciences keeping their source business processes secret by restricting access to research and peer review. Medicines would probably still work, but what would society gain and why would you trust them?
Another problem is the claim that there are vast numbers of eyes on every line of code. A baseless claim. What we need is for people who have done a code review to actually sign off that they did a code review. Then we could start getting a feel for how many modules / projects actually have been reviewed, and by how many people. Also good would be what tools were run against the code, with results.
Systems are either provably correct or not.
A lot of Windows Updates require a reboot because in Windows land you can't overwrite files that are in use. This is a security issue as you are still vulnerable to the flaw it patched after you apply the update but before you reboot.
How is that different than any other OS?
If you patch a security flaw in Linux or OS X, and the file is in-use by some process, the in-use (in-memory) copy doesn't get patched, only the copy on disk. Therefore, your computer is still vulnerable until you reboot.
Now in theory, if you know exactly what processes were using the vulnerable file, and none of them were required for the system to function, you could simply close all of those processes and restart them without rebooting your OS. This wouldn't be possible in Windows, since Windows needs the process closed before it does the patch.
Philosophically, the two systems are different. But from a practical perspective, the end result comes out to be the exact same.
Or am I totally off-base?
GIMP Developer: Nobody needs those features, for the most part you can fudge what you need with X, Y and Z. You must be some sort of idiot.
Mr. Graphic Designer Man: Well, somebody obviously needs them because this isn't the first time they've been asked for. The fudges you suggest make everything take a little bit longer and they don't really work very well. And you won't win any friends by describing random strangers as idiots.
GIMP Developer: They work for me, now f*ck off back to Photoshop because you're obviously a fanboi.
Mr. Graphic Designer Man: Fine, have it your own way.
To be fair to GIMP, there doesn't seem much point to GIMP supporting color management features if the OS itself doesn't. Although I guess they could add it for the OS X and Windows ports, if anybody runs GIMP on OS X or Windows.
That's an OS-wide problem, sadly. (And one of those "wow, you're waaay behind" ones, considering how long Windows and OS X have had good color management support.)
The grandparent is either a subtle troll or an subtle joke. I'm not sure which. There's a third option: he genuinely believes that crap he typed. But that's too terrifying to contemplate.
That's what they do. Before they accept a patch and sent it higher up in the chain (eventually all the way up to Linus) they do check the code and sign off on that.
At some point the patchsets get so large that not all parts might be looked at, and only those parts that are more likely to have problems get checked.
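The poster above asks for reviewers to sign off so that review coverage can be measured, and the reply describes how kernel patches carry exactly such sign-offs up the chain. As an added example (not code from any commenter or project), the script below turns that trailer convention into a number. It assumes kernel-style trailers: Signed-off-by records who handled the patch on its way in, while Reviewed-by, Acked-by and Tested-by record someone other than the author looking at it, so only those three are counted as review evidence. The sample log is constructed, not taken from a real repository; the `git_log` helper runs the real `git log` when a repository path is given.

```python
"""Added example: measure how many commits in a range carry an explicit
review trailer, so "was this reviewed, and by whom" becomes a number
instead of a claim.

Assumptions (labelled): the project uses kernel-style trailers. Signed-off-by
records who handled the patch on its way in; Reviewed-by, Acked-by and
Tested-by are the lines that record someone other than the author looking
at it, so only those are counted as review evidence here.
"""
import re
import subprocess
from collections import Counter, defaultdict

SEP = "==END=="
_TRAILER_RE = re.compile(
    r"^(Signed-off-by|Reviewed-by|Acked-by|Tested-by): (.+)$", re.MULTILINE
)
REVIEW_TRAILERS = ("Reviewed-by", "Acked-by", "Tested-by")


def git_log(repo, revrange="HEAD"):
    """Fetch commit hashes and full messages from a real repo, one record per SEP."""
    out = subprocess.run(
        ["git", "-C", repo, "log", f"--format=%H%n%B{SEP}", revrange],
        check=True, capture_output=True, text=True,
    )
    return out.stdout


def parse_log(text):
    """Turn SEP-delimited log text into [{sha, subject, trailers}]."""
    commits = []
    for chunk in text.split(SEP):
        chunk = chunk.strip()
        if not chunk:
            continue
        sha, _, body = chunk.partition("\n")
        trailers = defaultdict(list)
        for kind, who in _TRAILER_RE.findall(body):
            trailers[kind].append(who.strip())
        lines = body.strip().splitlines()
        commits.append({
            "sha": sha.strip(),
            "subject": lines[0] if lines else "",
            "trailers": dict(trailers),
        })
    return commits


def reviewers(commit):
    """Names from the review trailers only; Signed-off-by is not review."""
    found = []
    for kind in REVIEW_TRAILERS:
        found.extend(commit["trailers"].get(kind, []))
    return found


def review_coverage(commits):
    """Summarise: how many commits have any reviewer, which do not, and
    who is doing the reviewing (one name dominating is its own warning)."""
    unreviewed = [c["sha"] for c in commits if not reviewers(c)]
    counts = Counter(who for c in commits for who in reviewers(c))
    return {
        "total": len(commits),
        "reviewed": len(commits) - len(unreviewed),
        "unreviewed": unreviewed,
        "top_reviewers": counts.most_common(),
    }


# Constructed sample log, not taken from any real repository.
SAMPLE_LOG = f"""\
a1b2c3d
net: fix off-by-one in header length check

Signed-off-by: Alice Example <alice@example.org>
Reviewed-by: Bob Example <bob@example.org>
Signed-off-by: Carol Maintainer <carol@example.org>
{SEP}
d4e5f6a
fs: refactor path walk helper

Signed-off-by: Dave Example <dave@example.org>
Signed-off-by: Carol Maintainer <carol@example.org>
{SEP}
0a9b8c7
crypto: use constant-time compare for MAC verification

Signed-off-by: Erin Example <erin@example.org>
Reviewed-by: Bob Example <bob@example.org>
Acked-by: Frank Example <frank@example.org>
Signed-off-by: Carol Maintainer <carol@example.org>
{SEP}
"""

if __name__ == "__main__":
    import sys
    # usage: python review_coverage.py [repo_path [revrange]]
    text = git_log(*sys.argv[1:3]) if len(sys.argv) > 1 else SAMPLE_LOG
    print(review_coverage(parse_log(text)))
```

On the sample, two of three commits carry a review trailer and the same reviewer appears on both; on a real tree the useful outputs are the `unreviewed` list (what shipped on a maintainer's sign-off alone) and a `top_reviewers` list short enough to show how few eyeballs the "vast numbers" actually are.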
Calling someone a cunt is being on point? Not unless this is an article on Gyno today or a DM on Halo 2 it isn't. And wow, paranoid much? Isn't it funny how anyone who doesn't suck down the "FLOSS is Freedom!" koolaid is suddenly a paid agent of the evil supermegacorp, hiding in the shadows, waiting to stick a knife in your back? Oh wait, I suppose it isn't funny for you, being totally paranoid and delusional and all.
And of course here you are, in your second posting of this thread, which I will give you credit for at least not posting anon this time, yet you still can't have a rational discussion or point out a single flaw in my original post and instead devolve to name calling yet AGAIN. I thought Linux trolls were supposed to be all "leet" and all that? You do know how a discussion works, yes? A person makes a statement, you counter by trying to prove/disprove their argument, followed by making your statement, didn't you ever debate?
But hey, maybe when you take your meds and aren't seeing the shadows move (don't look under the bed....it's Ballmer! Eeek!) you can return and try to actually have an intelligent conversation on the merits and weaknesses of the Operating Systems under discussion here at /. but until then, please accept this total loser consolation prize of a year's supply of Turtle Wax! Turtle Wax, when you just have to have a shiny car!
Bugs are an error in the process, not the code. If you find a bug, you need to find the process error that allowed that bug to occur.
Well, bugs can be created at the code level, such as with typos or indirection mistakes, but otherwise I think your point is sound. I would still reword it to better apply to TFA by saying it this way:
More interested observers ("eyeballs") can make flaws ("bugs") in every part of the development process shallow, not just code.
A more valid point can be made than what is in TFA by talking more about process transparency and documentation, in terms of making all those "eyeballs" more effective than they are now. TFA utterly fails to make any such points. Instead, they go on a diatribe against a hand-picked list of OSS projects, on the false assumption that any flaws in the example competing systems makes their own system better.
I think the counter-point to the "shallow" rule, that better applies to the claims here, is that projects that lack "eyeballs" (i.e. proprietary projects, which automatically lack transparency to the interested consumer base) leave open the existence of "deep bugs" at every process level. If any of the few eyes deigned worthy of access to the project misses those bugs, the ability of nefarious third parties to exploit these bugs after release goes up significantly. Lack of transparency at every process level, including code, means that these bugs will be exploited before helpful interested third parties can discover them (i.e. white hats). This simple fact about disparity in process transparency makes proprietary development inherently flawed, and the "eyeballs rule" is a method of simplifying the reasoning behind this fact.
And how does your ideology countenance that you're spending your clients'/employers' money on the extra time you spend using a non-optimum toolset?
As for my own workflow, there are two reasons I don't cost my clients any more than others do. I don't do book design (which I can only imagine would be a pain doing in Scribus, and I'm sure LaTeX, which I still haven't mastered, would again save a lot of time compared to InDesign), and I know my tools well enough.
Sure, with Inkscape, you sometimes have to export as many as dozens of PNGs along with the original SVG file, and recompose it in Scribus to get a faithful press-ready copy in PDF. You might think that's a lot of time. But in reality all that time is more than made up by Inkscape's responsiveness and the quality of PDFs produced by Scribus. In comparison, I cannot say I've ever been satisfied with performance and stability of Adobe products, and Illustrator doesn't even offer crash recovery, which frequently leads to much hair-pulling.
Given two graphic designers of identical skill, the one who spends most time having to think about/get tools to work is the one with the least time for design, and therefore produces work of a worse quality.
You are, then, talking about one incompetent, and one skilled designer. Tools of the trade are not something you want to fool around with, and I'm sure you'll agree. I've attempted a complete switch to open-source two times before I succeeded, and I've only decided to switch for good when I felt comfortable using the available tools.
Just another note. Just because open-source tools are different, doesn't automatically mean they are inferior. Take LaTeX for example. It actually offers unparalleled typography, yet it's difficult to use for people who are used to Quark or InDesign. In hands of an experienced LaTeX typesetter, this tool will put to shame any fancy designer using proprietary software.
To be fair to Microsoft this is no longer true. UAC asks the user if they wish to elevate privileges when an app does something unsafe.
Even that isn't quite true. UAC doesn't kick in for any random application, definitely not for those which were written before Vista and have no knowledge of UAC. If an application is trying to do something for which the current identity under which the thread is running doesn't have permission, the API call will just fail - no UAC prompts, nothing.
To use UAC, the application needs to be explicitly coded to tell the OS to elevate - using a binary manifest, for example (this can be retrofitted to existing applications). Alternatively, the parent process can spawn the child process, asking the OS to elevate it.
Files being locked instead of writeable by admins is indeed inconvenient...
Note that there is a workaround of sorts for that.
While Windows won't let you directly delete a file that's not opened with FILE_SHARE_DELETE (currently running binaries are not), it will let you rename such a file. After doing that, you can create a new file with the old name. If it is a DLL, any process started at this point will, of course, pick and use the new file.
I don't know why Windows Installer doesn't use this trick, to be honest.
Laurie addresses exactly this point in the entry I linked to. Immediately following the sentence I quoted (and to which you refer):
[Emphasis mine]
And so MD_Update(&m,buf,j); /* purify complains */ was wrongly commented out.
Every non-programmer I know seems to think that all software should be written at the speed of thought and be bug free.
The words 'open up bash and type" will have to DIAF and be the absolute LAST resort, and not the first as it is now.
I have to comment on this.
I agree that resorting to console should be last resort during normal operation. However, when writing a HOWTO for fixing a particular problem, it is actually a convenient tool, often preferable even when a way exists to do the same thing with UI.
Reason? It's much easier to describe and reproduce! With UI solutions, you have to provide cues for locating the necessary UI elements, and the sequence of clicks and/or keyboard input. The resulting algorithm description is non-automatable, and has to be parsed and processed by a human - and they often get it wrong, and then get stuck. Then you have problems such as localized software (where suddenly all your button labels are wrong!), or a new release which decides to change layout of a dialog (case in point: changes in Control Panel layout between 2K/XP/Vista/7).
With bash or equivalent, you just provide the user a script, which he can cut & paste as a single block of text, and it just runs and does its thing. In cases where it needs some input from the user, it can request that input (and only as much as it actually needs), and then proceed to do its magic.
Note that the above is not restricted to Unix by any means; it's just as true in Windows. In fact, for advanced Windows HOWTOs, it's relatively common to just provide a .reg/.cmd/.vbs file that does what needs to be done, rather than describing the process of doing that via UI.
It has to be noted, though, that Connect is mostly for developer products. If you browse the sections available there, you won't find one for Windows or Office, for example.
In fact, I was once challenged by another slashdotter to find the proper channel to report Office bugs (assuming the person reporting is a techie who can actually report the bug properly, and not call support with a question of "my computer doesn't work"). To my chagrin, I couldn't find one. This was duly reported, and I hope we can do better than that in the future.
MS's priority is to add features to make their software more marketable.
It's true, but remember that "bug free" is also a feature.
What do you mean by unmaintainable? How can it be unmaintainable, yet still be in use to this day?
You can use something that's unmaintainable. All "maintenance" is, in this context, is applying the necessary fixes to keep the OS reasonably current and secure. Every product, sooner or later, reaches a point where it's "not economically feasible" to continue making proper repairs-- you just wind-up spending too much money and time doing so.
Maintainability of --anything-- begins with good documentation and an engineering framework that allows for repairs of whatever is broken or functionality upgrades without breaking other things. Since well-documented APIs that say what they do and do what they say are still something I'd assume are lacking in Windows 7 based on complaints of software and drivers not working correctly on it, it would seem that this fundamental flaw in building a foundation for the OS is indeed still present.
Philosophically, the two systems are different. But from a practical perspective, the end result comes out to be the exact same.
Or am I totally off-base?
I wouldn't say the result is exactly the same, as a lot of the time system updates on Linux trigger a restart of the daemons to ensure the new version is loaded in memory. This isn't always the case, which means your point does have some merit.
There is also the chance that the user will finish using a particular affected application as they don't need it at that time, and then come back to it later. A slim chance of loading the patched binaries in this situation isn't bulletproof, but it's better than guaranteeing the files won't be patched until the reboot.
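The two comments above describe the Linux side of the "patched on disk, still vulnerable in memory" window: the on-disk file is replaced but any process that mapped the old copy keeps running it until it is restarted. As an added example (not code from either commenter or from any distribution), the script below checks for exactly that state. It assumes the package manager installed the fix by writing a new file and unlinking or renaming the old one, so the old inode that running processes still map shows up as "<path> (deleted)" in /proc/<pid>/maps; it only sees file-backed mappings (executables and shared libraries), not data a daemon merely read into memory. The maps lines in `SAMPLE_MAPS` are constructed, not captured from a real host.

```python
"""Added example: find processes that still map a file which was replaced
on disk, the Linux counterpart of the "patched but not rebooted" window.

Assumption (labelled): the package manager installed the fix by writing a
new file and renaming/unlinking the old one, so the old inode that running
processes still map shows up as "<path> (deleted)" in /proc/<pid>/maps.
Only file-backed mappings (executables, shared libraries) are visible this
way; data a daemon merely read into memory is not.
"""
import os
import re
from collections import defaultdict

# One /proc/<pid>/maps line: range perms offset dev inode [path [(deleted)]]
_MAPS_RE = re.compile(
    r"^\S+ \S+ \S+ \S+ \S+\s+(?P<path>/\S.*?)(?P<deleted> \(deleted\))?$"
)
# Deleted mappings that are normal and not patch-related (tmpfs, memfd, ...).
_IGNORE_PREFIXES = ("/dev/", "/memfd:", "/tmp/", "/run/", "/var/tmp/")


def stale_mappings(maps_text, ignore_prefixes=_IGNORE_PREFIXES):
    """Return the sorted, de-duplicated paths of file-backed mappings whose
    on-disk file has been replaced or removed since the process mapped it."""
    stale = set()
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if not m or not m.group("deleted"):
            continue
        path = m.group("path")
        if path.startswith(ignore_prefixes):
            continue
        stale.add(path)
    return sorted(stale)


def scan_system(proc_root="/proc"):
    """Live check: map each stale path to the (pid, comm) pairs still using it.
    Reading another user's maps needs root; unreadable or vanished processes
    are skipped rather than reported as clean."""
    hits = defaultdict(list)
    if not os.path.isdir(proc_root):
        return {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "maps")) as fh:
                maps_text = fh.read()
            with open(os.path.join(proc_root, pid, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue
        for path in stale_mappings(maps_text):
            hits[path].append((int(pid), comm))
    return dict(hits)


# Constructed sample, not captured from a real host: a daemon that mapped
# libssl before the package was upgraded, plus mappings that must be ignored.
SAMPLE_MAPS = """\
55d1c2e00000-55d1c2e10000 r-xp 00000000 08:01 1310722                    /usr/sbin/nginx
7f2b3a000000-7f2b3a1b0000 r-xp 00000000 08:01 1835010                    /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f2b3a1b0000-7f2b3a1c0000 rw-p 001b0000 08:01 1835010                    /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f2b3a200000-7f2b3a3c0000 r-xp 00000000 08:01 1835011                    /usr/lib/x86_64-linux-gnu/libc.so.6
7f2b3a400000-7f2b3a401000 rw-s 00000000 00:05 4242                       /dev/shm/sem.nginx (deleted)
7f2b3a500000-7f2b3a501000 rw-p 00000000 00:00 0                          [heap]
7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0                          [stack]
"""

if __name__ == "__main__":
    print("sample:", stale_mappings(SAMPLE_MAPS))
    for path, users in scan_system().items():
        print(path, "still mapped by", users)
```

Run as root after an upgrade and before deciding whether a reboot is needed: an empty result means every process is on the new binaries; a non-empty one lists exactly which daemons still need restarting, which is the "close and restart those processes" step the first comment describes.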
UAC asks the user if they wish to elevate privileges when an app does something unsafe.
...which is nice, but not real helpful when every single game with an auto-updater requires Admin to run.
http://edge.technet.com/Media/Interview-with-Mark-Russinovich-the-future-of-Sysinternals-Security-Windows
http://mschnlnine.vo.llnwd.net/d1/edge/2/9/5/1/MarkRussinovichEdge_edge.wmv
Most of the video is basic market hype. But at 27:10
Why not scrap the entire Windows code base and start over?
Russinovich openly and freely admits that it's simply too much work!
CONCLUSIONS
1. Vista/7/8 = Forever Unsafe.
2. Microsoft don't even want to try making a safe Windows.
http://mschnlnine.vo.llnwd.net/d1/ch9/9/1/1/5/3/4/RussinovichInsideWindows7_ch9.wmv
Most of the video is basic market hype. But at 41:50
Russinovich explains one of the reasons why Vista/7 will always be bloated.
CONCLUSION
Every Windows will be slower and slower and slower and slower.
I know you're just providing information as to what this feature does, but I think you may be missing the (subtle, humorous) point the person you responded to and others are making: the feature is so irrelevant and useless to the average computer user that it's arguably a waste of time to bother implementing it.
I'm just thinking of all the people out there who haven't bought $3500+ monitors capable of color calibration. Great, so you have ColorSync on your computer. That means that everything you see on your sub-$500 monitor or consumer-grade inkjet printer is incorrect by the same margin. And color WILL be off, even if those devices have a profile, simply because their design and manufacture tolerances are sloppy and not adjustable enough. You can't accurately calibrate a monitor with "auto-setup" and basic color-temperature choices. You can't accurately calibrate a printer by only aligning its printheads.
Sure, some applications might benefit from being calibrated to synch with each other, for example, a vector graphics program, a photo manipulation program, and a publication layout program. But what percentage of computer users are doing such advanced levels of prepress?
That said, I've noticed a trend with a subset of Mac users and Photoshop users. They'll deride a competing OS or application for not having some exotic professional feature. When you ask them when they last used it, they typically can't answer, but will point out that "It's there if I need it". Then, if one feels like delivering a little kick to the gut when the Pretentious User is down, one can further observe that tools do not an artisan make, and that a sufficiently talented and resourceful artist can make a masterpiece even with crude implements.
Even GIMP. I don't know how true that really is, I can't say I've ever pushed GIMP to its limits or into anything it can't do well that Photoshop could do. But the point is, most people don't even know what those limitations are or how it would gimp them to use GIMP or Linux instead. Just saying.
Uhhh dude? There is a problem with your logic, hold on I'll find it.....oh yeah, here it is, this part "you just provide the user a script, which he can cut & paste as a single block of text, and it just runs and does its thing." You know what the problem with that is? It does NOT work, that's what!
Sure that works in the enterprise environment where the script was written, where every desktop is a Dell Vostro model xxy with the exact same specs, but in the consumer market? Total can of fail pal. I have opened up three identical Dell latitudes, same make and model, and found different guts in each one. You just don't get that twinkie shit in consumer devices like you do enterprise hardware so you end up needing to "tweak" the Linux "fixes" because they were written for model x with firmware y and two months later the consumers are getting x+1 with y+f firmware. And do you HONESTLY think the average consumer is gonna have the skills to look at a failed "fix" and be able to understand what it was supposed to do, figure out exactly why it failed, be able to understand the Unix commands enough to rewrite them for their hardware, and re-implement said fix?
So I'm sorry, but that is bullshit. Joe consumer has NO desire to learn a list of Unix commands as long as my arm, or how to edit config files, or use single user mode to write scripts to fix borked files, or any of that other bullshit. They just don't want it, and you are honestly deluding yourself if you think you can change that by offering "free as in freedom" to them. They don't care. Windows 7 OEM costs a whole $100 and at my $20 an hour it don't take much "open up bash and type" bullshit to make the OEM license the cheaper alternative. Why do you think Walmart doesn't sell cheap Linux boxes anymore? Because the after sale returns and support tore them a new one, that's why.
As a retailer I can say that with Ubuntu 9.04 I was looking at an average of 400% higher returns, and 8-12 hours of after sale support compared to an average of ZERO for Windows. That is because with a decent AV and no paperweight roulette customers can take care of themselves pretty much with Windows 7. So you can crow ALL you want about the "power of the force" and "CLI is true computing" or any of the other nonsense, because honestly consumers just don't give a wet fart about that. Server admins care about that, not Joe consumer. Joe wants simple, easy, GUI. And sad to say Linux is a total fail when it comes to that. Great for servers, don't get me wrong. For file and especially web servers the savings Linux brings makes it WELL worth the extra hassle. But we aren't talking servers, we are talking consumer desktops. And we aren't talking about CS grads with IT experience, we are talking Joe and Jane normal. And for them Linux just isn't ready, not even close. Sorry.
Like I said, for the average consumer, you just give him a script as a file which he double-clicks and it runs and fixes whatever needs to be fixed. Whether it's a .sh file on Linux or a .cmd or .vbs file on Windows is irrelevant.
Providing a script to cut & paste is less convenient to the user, but it's easier to do in a technical support forum. Note: I'm not talking about official phone support and the likes here. Just someone popping up on some forum asking why "X doesn't work", and you know why and how to fix it, and need to get him to do something, spending as little time as possible on explanations. And I'm definitely not talking about the user doing such things on his own, unless he has problems he can't solve (for whatever reasons - and this shouldn't happen frequently!), and needs outside help. That's why my original post had the sentence to that effect at the very beginning.
As for the rest of your post regarding Linux usability etc, I'm afraid you're preaching to the wrong guy here - as it happens, I actually work for MS...
Ubuntu 9.10 puts my 4 laptops into/out of Suspend/Hibernate perfectly. Has since 9.04. I have 3-D accelerated Desktop with Cube rotation, glassy effect, wobbily windows, snapping windows, etc, etc. Have had all of that for about 2 years now. Wireless (Wifi) works perfectly. VPN works perfectly. Networking works perfectly, also, CDMA Broadband through Verizon with a USB dongle. I can sleep/suspend/hibernate my laptop at work, come home, open it up, it automatically connects to my home Wi-Fi. I click the VPN and I pick up right where I left off without skipping a beat. I can even sleep/suspend/hibernate, go somewhere without Wifi, plug in my USB Dongle for Verizon, click my VPN button, and still pick up where I left off (though slightly slower). I have 64-Bit Firefox. 64-Bit Epiphany/Webkit with HTML5 video support (including h.264), 64-Bit Flash support, 64-Bit Java support (that I use extensively) for both Java 1.5 and Java 6. JBoss, Glassfish, Eclipse, etc, etc. Lots of highly useful programming languages, compilers, scripting environments, etc. Databases (PostgreSQL, FUCK YEAH!). All with a simple click in Synaptic. It beats Windows HANDS FUCKING DOWN! Anyone who can't get Linux to work for them is a Fuck-Tard! I don't even have to try.
When under time constraints, as I mentioned, it won't be documented. I used "temporary" in inverted commas, because as we all know, once the shit code works, marketing/whoever will want to ship it, and it will be forgotten about and end up "permanent".
Didn't you read anything that I wrote at all? It doesn't really matter how easy it is for the tech support guy if it doesn't fucking work! I have yet to see any of that shit work with a currently being sold unit. Not even once. That is because the "fix" was written 3 years ago for a Latitude 100l with a broadcom model xxy, firmware yyz, with a 3com modem and an Intel 945g GPU.
But of course nobody is actually selling latitude 100l models anymore, the new model has a broadcom xy6z with firmware qrs, a robotics modem and either an Nvidia 8600m or an Intel GMA 3100 GPU. See the problem there? Your "easy to use" fix is gonna do exactly jack and shit because the devices it was written for aren't there and there isn't some magic coding fairy just sitting on the forums waiting to write all new scripts for the latest model. Most likely what you will get is pointed to the 3 year old script and be expected to "tweak it", which I pointed out the consumer is not qualified to do nor has any desire to spend weeks figuring that shit out, or will be told "RTFM Noob!".
But go ahead and believe the lie, no skin off of me. Pretend all you want pal that users will be able to embrace the "power of CLI" and fall in love with the blinking cursor. Meanwhile in the real world they will either return it and demand their money back, or bring it to someone like me and say "How much for Windows Home premium again?" and I will shitcan your "superior" OS for something the user can actually...oh what is the word? Oh yeah, use. I personally think all Linux developers should be forced to spend 3 months working in a repair shop dealing with actual customers all day. I bet that the usability of Linux would shoot up by leaps and bounds if they weren't surrounded by fellow CS nerds and had to see how their "more powerful interface" actually worked in the hands of Joe and Sally Normal. Hint? It don't.
I have been working shops since the days of Win3.x, so I know of which I speak. What YOU think is easy and what I think is easy really isn't for them. That is why Windows and Apple will continue to own the market, because Linux is built by CS grads FOR CS grads, with nobody actually bothering or caring about Joe average.
Didn't you read anything that I wrote at all? It doesn't really matter how easy it is for the tech support guy if it doesn't fucking work!
Didn't you read what I wrote?
Yes, things should work out of the box. Really, they should. And when they don't, it shouldn't require shell scripts to fix them. I agree with all of that. I also agree that Linux isn't there yet.
But that was not the point of my post!
In practice, with any OS on the market today - yes, that includes Windows and OS X - there is a possibility for a casual user to run into a problem that he cannot fix himself (or call tech support and have them walk through it without extreme frustration). At this point he will either find a local resident geek who'll fix that for a beer, or, for the lack of one, will head to some forum (for more technically inclined, IRC channel) begging for help.
(... again - since this seems to be kinda not sticking as well as it should - I'm not saying that the above is in any way normal, or that Linux does not have a problem with it being far more frequent than competing OSes ...)
And at that point only, command line / shell / scripts often offer the easiest way to help such a person.
Do I make myself clear now?
But go ahead and believe the lie, no skin off of me. Pretend all you want pal that users will be able to embrace the "power of CLI" and fall in love with the blinking cursor. Meanwhile in the real world they will either return it and demand their money back, or bring it to someone like me and say "How much for Windows Home premium again?" and I will shitcan your "superior" OS for something the user can actually...oh what is the word?
Oh God. Apparently not.
Man... I work for Microsoft! I write proprietary software for a living. For #%@& sake, stop taking me for a Linux/FOSS advocate, because I sure as hell ain't one! It's not "my" OS, mmkay?
However, I am a geek, and I evaluate things based on their technical merits. The Unix shell has certain merits to it, for a certain audience, and/or in specific circumstances. I've very specifically and carefully outlined those!
That's exactly what happens. The patch is sent, in most cases, to a mailing list. People give feedback on the patch and it's rejected. The patch is reworked based on the feedback and then resubmitted.
What this guy is talking about is how static analysis finds more bugs than eyeballs. Big deal, it takes just one guy to do that and attach a patch to correct them in an open source project, and this happens often. People use programs such as valgrind to fix small memory leaks all the time.
The article fails to mention anything beyond security flaws. What about non-security flaws which static analysis can't pick up, such as a dialog box popping up at the wrong time or a spelling mistake? Static analysis isn't the silver bullet that this salesman is trying to push on us. Yes, it should be included in the process of patch review; however, reviewing every change going into the repo is always going to beat proprietary methods of committing junk that barely runs and then just running a tool to find the places you screwed up.
How does using Visual Studio equate to me being an inmate?
Note to self: Linux zealot will continue to use strawmen after the absurdity of his previous strawman was exposed.
"His name was James Damore."
Not my experience at all. Steam, Windows Live and other modern games appear to work just fine for me, despite me not being logged in as administrator. Besides, even if it were, it would be little different from Linux or OS X, where you need to be root (e.g. via sudo) to perform installations or updates.
> Very little software on Windows requires administrative privileges -- Vista forced those necessary fixes years ago.
If it did, it did not do it properly. Spotify, WoW, Firefox, Adobe Reader, Dreamweaver, Foxit ... they all require administrative privileges to perform the (otherwise automatic) updates. Microsoft is doing a lot better: MSE works for regular users, as does the automatic update function.
Actually, yes, I want to take a bet for let's say 100 USD (or EUR if you prefer). Is the amount OK with you? How should we set this up?
You are crazy.
If you have money to give away give it to Haiti, or another charity of your choice.
Very well. The one who loses the bet gives 100 EUR (or more, if you prefer) to a charity. Now, are you ready to put your money where your mouth is?
So I have to state explicitly that an argument based on a wrong premise must be wrong? I thought that's common knowledge on /.
I am NOT talking to you like you are a Linux advocate, I am simply pointing out you are completely and totally wrong, that's all. Normal users don't fix major problems. Sorry, they don't. They take it to the local shop to fix, and we will NOT support Linux! Why? Because it is too big of a royal PITA, that's why! With OSX and Windows it is easy to find out if a device is supported. Go to the manufacturer's website, type in the model #, and tada! Done. Linux? Waste several hours on forums, many of which are out of date, looking to see if the "fix" that worked for model A might possibly work for model B, but more often finding it will need a good hour and a half+ of tweaking to make it work. Yuck.
And I totally agree with you that Unix shells have their place; it is on file and web servers. It does NOT however need to be within 100 yards of a consumer! I would say a good 80% of Windows problems that are not virus related can be fixed with a simple driver reinstall. Add another 5-10% that can be solved through using tools like Dependency Walker and you have the vast majority of problems licked. Due to the locked down hardware environment, OSX problems are usually even quicker to fix.
The problem with your entire theory is you think that a 3 year old shell script written for hardware that isn't even sold anymore will work today, right now, and I can tell you it won't. Not without serious tweaking that a home consumer simply isn't qualified to perform. It is like saying "Linux is ready for grandma" and forgetting to mention "as long as grandma is a coder that knows shell commands". Go to any forum, let's say Ubuntu. Look up something like "network problem" or "wireless problem" or "sound problem" and then look at the dates on the "fixes". I think you'll find the majority are over a year old, and many of the newer ones are merely parroting earlier fixes without updating them. This is fine in enterprise, where the same hardware is in the field for years; it does NOT however work in consumer markets, where the refresh is closer to 3-6 months.
And THAT, sir, is my point. You seem to think CLI "fixes" will work in this case, but unless you hire full time coders to man the forums and constantly come out with new ones and updates to previous ones, I am pointing out that you might as well be hosting "How to get VGA to work in DOS" for all the good it will do the user. Try it with a Broadcom sometime. If you do not have the EXACT model, and I do mean exact, right down to the firmware rev, it will not work. Then the user is told to "tweak it", which of course they can't, so they bring it to me, who shitcans the Linux and installs Windows. The customer is happy, I'm happy, and there is one more person in the world bad mouthing Linux. Because if you don't have a CS degree or IT experience it is simply too big a PITA to use, sorry, but those are the facts.
ACs don't waste your time replying, your posts are never seen by me.
Try actually rebutting using logic, instead of repeating that you are right, everyone else is wrong, don't they all know that?
Remember to cite sources.
You appear to be mentally ill. Given this it's unlikely you have 100USD to give away.
But I'll donate 100USD to the OpenBSD project after payday just for you.
I wouldn't know, I only read slashdot...
At the bottom of the
Again, it's bullshit, and no amount of quoting Brooks or other /. users will make it true. Having worked for more than ten years in the commercial software industry, I can say that there are those who care, and those who don't. People who write open source software don't love it because it's open source, they do it because they love it. I happen to get paid to do it, but that doesn't mean I love it any less than the next guy.
Karma: Poor (Mostly affected by lame karma-joke sigs)
No amount of "no amount of Brooks" or "I've worked more years than you" (both false) will change the plural form of the word "anecdote" into "evidence."
I never claimed to have worked more years than you.
That said, why is my anecdote insufficient, while your assertion is to be taken as fact?
At least I have ONE example to back up my claim.
Karma: Poor (Mostly affected by lame karma-joke sigs)
...A perfect program that is never written isn't very useful.
It is, however, bug-free!
I suspect it would have at least one:
Bug 0: Program does not exist.
These opinions are my own and not necessarily
the opinions of God or any other supreme being.
That's not a bug, that's a feature!