Um, Sun don't sponsor Ant. There are no active Ant committers from sunw, no direct funding. They do give Apache some server hardware for which everyone is grateful, but so have Apple.
James Duncan Davidson did invent Ant while at Sun, but now he has left them, & he isn't active anyway. The core Ant dev team (myself included) are end users fixing their own personal build problems in a way that other people can reuse.
As to why Sunw still say they are involved in Ant on the sunsource site, I don't know. Maybe cos Ant is so critical in Java projects -right up there with JUnit, maybe because they feel parentage rights gives them credit. But notice the welcome page of Ant 1.6 has a special 'call to inaction' to Sun, which says 'stop moving the entry points in tools.jar around'. Changes Sun make between Java versions often end up causing us to release point releases of Ant just to keep everyone's build going. Sigh.
I don't read Forbes much, I read the Economist. By UK standards it is still fairly right wing, thinks power grid deregulation is a good idea, etc etc.
But they actually seem to have grasped that Linux and Open Source is a good thing. By saving companies money, they free up cash for more interesting stuff. The Economist had a good article on the SCO business recently, and generally tend not to view the GPL/OSS movement as a bunch of subversives. Radicals, maybe, but subversives no.
Maybe Forbes is being briefed by different companies -not just MS, but perhaps, for this article, those poor people at Cisco.
Yes, it is deeply ironic that the sole useful roles of ActiveX are
- (arguably) downloading the Flash runtime to run code and graphics in a sandbox
- downloading the Java runtime to run code in a sandbox
- downloading IE and OS patches using Windows Update
If we kill off ActiveX -which is a good thing, IMO- Windows Update is the true victim. Flash and Java can ship with the browser. But that would give MS an opportunity to do a better update mechanism than Windows/Office update. One that lets you roll back updates. One that doesn't delete IE during a patch (it is very hard to recover from that BTW). The good thing is that by eliminating ActiveX, you eliminate a whole insecurity vector into a PC, so the number of patches needed should fall.
The underlying technology behind AX predates Applets -they are OCXs, OLE Custom Controls, that are descendants of VBXs, Visual Basic Extensions.
Originally they were just DLLs that you would use in form design in your VB (then C++ app); you'd redist the libraries with your app. (The original JavaBeans model is Sun's response to this design). OCXs worked very well for their limited role.
ActiveX was, as you say, a response to applets -and presumably Netscape plugins. They modified IE to host OCXs, then added dynamic download of signed code.
But code signing says 'I am not malicious', not 'I am competent, there are no security holes, if there are I will pay the finder $100,000'. Actually they could; enough of a fiscal penalty would stop buggy AX controls shipping, primarily because nobody would run ActiveX.
The only way to fix that is to run the code in a sandbox. Applets do that; .NET does that. Actually Java Web Start goes back to the ActiveX model -signed code is given total rights to the system, which is dumb. But at least JWS also runs unsigned code in the sandbox :)
No I don't think auth should be broken, be it basic, digest or even NTLM and passport.
But I do think auth-in-the-URL is wrong wrong wrong. How many of those technically ignorant users you cite will have manually coded up URLs like http://fred:pass@hotmail.com/ ? Pretty much zero, I'd expect. If you want a modern browser to store your password, you use its password manager. I think the only time I have ever done it was to get WebDAV access using the XP filesystem, something which took so much effort it wasn't worth it.
So make auth-in-URL support a switch, just like any of those other insecure features, and ship with it turned off for all the zones.
In a way it is extra pressure: if they don't think MS is doing enough then they can bring the site back.
I'd also note that in Win2003 server, IE is locked down a lot more than ever before, to the extent of disabling ActiveX download outside of the trusted zone, cranking back the rights to sites in that zone and then adding *microsoft.com in. That way Windows Update works but most other ActiveX support is gone.
However, they have a lot to do, in ways that may break some things but would make the systems less vulnerable, not just to classic IE hacks but email scams:
- Stop interpreting those spam-friendly http://2343455/ urls
- Stop whining when browsing to a site that has AX disabled. A small icon is ok; a dialog box 'you are getting a worse experience' is not.
- Make it possible and easy to fully uninstall Outlook Express. You cannot even delete this on XP; system recovery brings it back. Ugly manual hacks last until the next critical upgrade gets forced on the machine, at which point it reappears.
- Crank up the security settings for everyone who isn't using win2k3
- Rebuild IE with VS.net 2003 and set the 'check for buffer overflows' flag in the build.
- Stop integrating Windows Scripting Host with IE. Every IE install forcibly adds .js, .vbs and .wsh file extensions to the path and enables their execution. I have to rebind these to notepad on my machines.
- Give us a no-images option for the email zone.
There are probably lots more of these things to do. All I see for the current user base is after-the-fact bug fixes rolled out intermittently, not attempts to address fundamental problems.
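The URL forms these comments want browsers to stop interpreting (a userinfo part in front of the host, and a host typed as a bare number) can be flagged mechanically. The sketch below is an added example, not part of the original comments; the names `rawAuthority` and `inspectUrl` and the finding labels are made up here, and it relies on the standard WHATWG `URL` parser as shipped in Node.js.

```javascript
// Added example, not from the original comments. URLs marked "constructed"
// are made up for illustration; the rest are the ones quoted in the comments.

// Authority exactly as typed, before the URL parser normalises anything.
function rawAuthority(input) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(input);
  return m ? m[1] : '';
}

function inspectUrl(input) {
  let parsed;
  try {
    parsed = new URL(input);
  } catch (err) {
    return { input, host: null, findings: ['unparseable'] };
  }
  const findings = [];
  const authority = rawAuthority(input);
  const at = authority.lastIndexOf('@'); // the last '@' ends the userinfo

  if (at !== -1) {
    findings.push('userinfo');
    // A "username" shaped like a domain is there to be misread as the site.
    const user = authority.slice(0, at).split(':')[0];
    if (/^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(user)) {
      findings.push('userinfo-looks-like-hostname');
    }
  }

  // The parser turns decimal, hex and octal host forms into a dotted quad.
  // If the result is an IPv4 address that was not typed that way, flag it.
  const typedHost = authority.slice(at + 1).replace(/:\d*$/, '').toLowerCase();
  const dottedQuad = /^\d{1,3}(\.\d{1,3}){3}$/.test(parsed.hostname);
  if (dottedQuad && typedHost !== parsed.hostname) {
    findings.push('obfuscated-ipv4');
  }
  return { input, host: parsed.hostname, findings };
}

const samples = [
  'http://2343455/',              // quoted in the comments
  'http://ebay.com:url@123456/',  // quoted in the comments
  'http://fred:pass@hotmail.com/',// quoted in the comments
  'http://0xC0000201/',           // constructed: hex form of 192.0.2.1
  'http://192.0.2.10/',           // constructed: plain dotted quad
  'https://example.org/path',     // constructed: ordinary URL
];

for (const s of samples) {
  const r = inspectUrl(s);
  console.log(`${s} -> host ${r.host} [${r.findings.join(', ') || 'ok'}]`);
}
```

A mail filter or link-preview component can run the same check on every link in a message and show the real destination host next to any link that gets a finding.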
Is this the same legal system that let the Asterix cartoon get an injunction on Mobilix? And something to stop people linking to the .nl site that showed people how to sabotage railway lines?
All legal systems have flaws, they are just in different places :(
Instead of an unknown host error, you get a 302 + text/html redirect that leads to a 200 + text/html page.
This plays havoc with Web Services, that expect 200+text/xml on a successful response. The SOAP Stacks either died on the 302 error code (Apache Axis), or the HTML body (MS .net). Either way, the errors were not at all intuitive.
Yes, that is what irritated me about it. By changing the failure modes of all existing network applications (Unknown Host -> ConnectionTimedOut) && (404 -> 200 + text/html + search), they went and made everyone's support costs worse. It is harder to track down problems, therefore more expensive.
Also they will have lit up the eyes on all the accountants of the big ISPs, who probably think "we should do that" -how long before Earthlink and MSN copy? They would be able to do that -it's their servers- but it would be a major inconsistency across the 'net. That would make support calls significantly harder to deal with...
One thing you can do with OS porting for VMs is fix memory allocation so it is shared. Under VMware, you tell the OS how much space it has, it thinks it owns it and it remains locked for the life of the app. So I have to allocate 700MB to Win2K+Visual Studio to get our project's build to compile in a sensible time, leaving 300MB of RAM for the hosting OS.
Whereas if they could co-operate, so that the OS asks the Xen kernel for memory, and releases it when needed, then they would all cooperate better.
I think it is something they haven't had to deal with yet.
I am running Win2K+visual studio in one vmware vm right now; I can bring up Win2K3 to run office 2003 when I need to go on exchange. But with the block MSDN license *and* a volume 'no activation' key for XP, office, etc. I get to skip activation.
But imagine if I did have to activate stuff every time I rebuilt a new VM? Within a month I'd have the activation police complaining I'd activated onto 5+ systems, and that therefore I was violating some license.
Yet at the same time, a VM image, once activated, can be shared and if VMware makes all the hardware look the same, the system doesn't have to think you need reactivation.
So legitimate users of activated apps under a VM will suffer -we have to go through reactivation grief- yet there is now a new way to bypass activation -ship an image of the OS+apps already activated; you just run it in a window.
I don't know how long it will take the 'activation' police to deal with it.
HP has no interest in giving SCO money. If they had to pay a per-installation fee for Linux, then they couldn't afford to embed Linux in things. When you consider that HP make more embedded things (printers etc) than they do PCs & servers, they really, really don't want SCO to succeed.
Interesting heisenberg effect here: by announcing the indemnification, SCO are weakened. Even fewer people will be daft enough to pay the licensing fees, SCO cash flow will be hit, they can't afford lawyers, etc, etc. A good move all round.
Now, when will IBM follow? Maybe it's because IBM's exposure is more direct (that derivative work bollocks) they cannot afford to.
Those screenshots of explorer crashing with a .NET exception do not prove that explorer.exe is now a .net app -a COM component running in the process could be managed code.
That said, I have no evidence to disagree with any of your statements. The longer they slip, the more PCs will be able to run a deep .NET stack and not have the system appear dog slow.
Yes. By crippling the runtime, all you get are crippled apps.
If you look at the phones in a UK phone vendor, say Virgin Mobile, you will see that java is not sold directly, instead 'downloadable games'. And they list it second, after 'downloadable ringtones'.
So there we have it, the cross platform language intended to replace the windows API is, in its sole 'post-PC' client configuration, used to sell phones, after downloadable ringtones.
Maybe the next iteration will improve, but the 1.0 version was so minimal it was useless for anything 'interesting'. It is only if this happens that java on phones will deliver anything better than shockwave-on-phones could do.
How about a camera tied to the nudge detector of the car alarm? Instead of annoying people at night so much that they hope that burglars get a move on, pop the bonnet/hood and unplug the alarm, the cameras could photo the surroundings then text it to your mobile?
We can't stop people rebuilding the open source code for the SCO platform, not unless gcc stops supporting it. But we can
- stop providing binaries
- stop fielding support calls: forward them to SCO
- add checks in the code to refuse to run on SCO platforms
It'd be nice for the whole community to have a 'no SCO' day in which we withdraw support for all their products on SCO. "We give you the right to use the stuff on any platform you want, but we don't want to encourage you to use SCO products".
Working on the Java side of Apache, it is only with the new Java support in SCOx that people have a chance of running my code on SCO boxes. Maybe this means we have a chance to get our retaliation in early: fix up Ant to refuse to compile on SCO and nobody can build on the box, even if they can run code built on other systems.
That assumes that all the updates take. I had a "critical" IE6 service pack toast IE; my system reboots and explorer won't come back up. Nor does System Restore, since the artwork on that app comes from IE too. Another of my systems refuses to update any more -it'll need a clean build before I can fix things. Sigh.
I wasn't actually expecting SP2 this year, because as a beta tester for the last SP, I'd have heard if they were even thinking of beta-testing a new drop.
One thing nobody has picked up on is why are MS delaying the service pack. Could it, perchance, have anything to do with the judgement requiring them to ship Java with the next Service Pack?
In my experiments with that product line, it is actually worst in class. They must have done it deliberately, though I can't see why.
Also they are network visible by default (useful) and usually unsecured by default (bad).
Funnily enough, I'd just noticed that myself. About time, too :)
- Stop interpreting scam-friendly http://ebay.com:url@123456/ urls
Apple+Sun are a good combo; they have complementary product lines, both bay-area west-coast based, etc, etc.
Sun could move from Sparc to Power, Apple merge OSX w/ Solaris (over time), leaving one true proprietary unix worth having.
Novell? Not a good merger/acquisition track record.
Have you also looked at Alambic?
It is CUPS based, and has SMTP support too...
One issue with fragmentation is that Metcalfe's law works in reverse: exponential loss of value.
If a network is split in two, the value of each network is (.5)^2, or a quarter of the value were the network to be united.
Even though there are now two separate networks, the total value is half what it would otherwise be.
Yes, this could work.
You offer a beer token to a project/individual; those projects/individuals can offer beer tokens to others. These promises would be transitive so with enough infrastructure to detect where people are you could end up redeeming your beer tokens locally, even if the project is remote.
Of course, you do have to worry about the exchange rate between beer tokens and pizza tokens.