We need a fresh package format that, instead of keeping a database of installed packages, uses a./configure/autoconf like script to actually check for what's installed.
The problem with this approach is that you can only check dependencies that are actually installed. You'd need to use metadata to declare what your package provides *anyway*, or tools like apt couldn't work, and then you could still run the risk of "package X claims to provide foo, but doesn't actually" and "feature foo on distribution Q is called oof on distribution P". The only thing this could really do is slightly lessen the pain of badly made third-party packages (which should be fixed anyway), at the expense of drastically complicating the whole system.
I know that support for some sort of signatures has been integrated into the CVS version of apt, and is available in apt 0.6 (in experimental). I don't remember whether this is release signatures, package signatures, or both, and I don't want to open that particular holy war again.
You know, one of the things I find really annoying about our political class [both halves] is the way they dodge uncomfortable questions by changing the topic, usually to some sort of plug for their positions or an attack on their opponents. I call this the "Bait&Switch" school of rhetoric. For instance,
Reporter: "Mr. President, your No-child-left-behind policy has been criticized for having problems X, Y, Z, and W. What is your response?" Chimp-In-Chief: "I just want to say that those children are grateful that a brutal dictator has been removed from power and will no longer terrorize them with weapons of mass destruction." Reporter: "Speaking of which, where are the weapons of mass destruction?" Chimp-In-Chief: "It doesn't matter, because a brutal dictator was removed, which is more than would have happened if we had had a Democratic president, and anyway everything is different after 9/11."
I find this kind of slippery speech incredibly condescending and alienating; unfortunately, it's effective enough that every major candidate does it, so I can't really vote against it. I've even heard that some of their supporters imitate this trick too. Sad.
Or could you maybe give an example what that should be: "But what if so much code has already been written that no programmer wants to go back and make all the changes necessary to make it really work?"
I can give you one. The APT library (the backend to Debian's apt tools) uses a built-in download manager to fetch packages and other files. So far so good.
Now, say I'm in the middle of a long download, and I decide I changed my mind about some packages. For instance, I want to install some packages I hadn't thought of or cancel some downloads. There is no way to do this in any interface without cancelling the whole download and setting it up again, and that's because the backend library does not support this functionality. You can access the list of individual download jobs, but there's no way to cross-reference between jobs and the packages to which they refer (aside from decoding URIs to guess what the package is).
I asked the authors about this, and they said (essentially) that they didn't want to go back and make all the changes. This is probably reasonable -- it's a fairly esoteric feature and could be a pain to get working perfectly -- but it is one example of a place where the backend can limit the frontend.
I do find it amusing, though, that the author of the article just implicitly assumes that the reverse is not true: ie, that designing the frontend first will never result in arbitrary limitations for the backend.
Whereas your entire premise is based on the fallacy of overprecision.
For reference, this is the fallacy of overprecision (I couldn't find it on most of the general lists of fallacies on the Web, but a direct Google search turned it up):
Overprecision: rejecting a concept as unusable because it has borderline cases or because the definition, phrasing, syntax, grammar, or structure of the proposition or argument is not perfect.
Note that the fallacy refers to rejecting entire CONCEPTS, not arguments; for instance, "we can't agree on whether this is theft; therefore, the concept of theft should be discarded."
We all know that it's theft.
On the other hand, this is a classic example of argumentum ad populum, also known as "appeal to popularity". For instance,
"Everyone knows that the Earth is flat, so why do you persist in your outlandish claims?".
You simply don't like the word because you can't hide from what it says about what you are doing, so you sanitize it away until you are comfortable.
Whereas this is the fallacy of ad hominem, or "attacking the person". This particular form is known as "poisoning the well"; for instance,
"Of course you'd argue that positive discrimination is a bad thing. You're white."
So, in order to brute-force a password, you use the list of passwords *known* to generate the hash, and try all of them until you get a match.
I don't see why you'd need more than one -- the only thing the password file stores is the hash, so two passwords with the same hash should be considered "identical". I think.
I generally get annoyed about this too. One thing to remember, though, is that a lot of these devices use specialized chips for which compilers may not be readily available. For instance, the Neuros uses a DSP chip which needs a $4000 development kit (gcc doesn't support it as a target).
Of course, an interpreted language could be used to get around this problem, but then you have the overhead of an interpreter on top of a chip that's already struggling to keep up with its duties.
I think that the usefulness of Ogg is dependent on what you are using it for. As you mention, network effects probably make it useless for file-sharing -- but if you're mainly interested in making compressed audio for your own use it's great. I have a huge stack of CDs that now sits on my hard drive and Neuros as about 3GB of Ogg files.
I'm not sure why printing new chips should come into it -- I got ogg support on my Neuros by upgrading the firmware.
Whether it's because the cracker was sloppy or inexperienced, or because the Gentoo team have good server security, I can't say - but it seems they were pretty lucky compared to Debian.
I'd imagine they were especially on-guard for breakins after the recent Debian incident. I would be if I were running a distribution's server (especially now).
If Mandrake got h4x0r3d, urpmi would still work, as all RPMs supported by Mandrake are signed.
Nice to know, that.
That's particularly helpful when J. Evil Hacker breaks into mandrake.com [or your local mirror] and decides that you don't REALLY need those last 5 security updates...
Just signing the packages isn't enough -- you need to sign the archive as a whole, and then to have some sort of "warn if the signature is too old" criterion to avoid this sort of replay attack. And in fact, the Debian archive database (the Packages file, to be precise) is already signed. Unfortunately, the tools don't check the signature automatically:-(
(in case it isn't clear, I agree with the parent of the post I originally replied to -- the grandparent of my post, and the great-grandparent of this post..)
And here I thought this latest movie-making attempt had hit rock bottom with the second movie. Next thing you know they'll make Faramir turn evil...oh, wait...
How does that do you any more good than having source code to start with? That's assuming you can get the source -- in the case in the article, it appears that the code escrow didn't work the way the customers expected it to.
Slashdot Mirror
We need a fresh package format that, instead of keeping a database of installed packages, uses a ./configure/autoconf like script to actually check for what's installed.
The problem with this approach is that you can only check dependencies that are actually installed. You'd need to use metadata to declare what your package provides *anyway*, or tools like apt couldn't work, and then you could still run the risk of "package X claims to provide foo, but doesn't actually" and "feature foo on distribution Q is called oof on distribution P". The only thing this could really do is slightly lessen the pain of badly made third-party packages (which should be fixed anyway), at the expense of drastically complicating the whole system.
Daniel
I know that support for some sort of signatures has been integrated into the CVS version of apt, and is available in apt 0.6 (in experimental). I don't remember whether this is release signatures, package signatures, or both, and I don't want to open that particular holy war again.
Daniel
You know, one of the things I find really annoying about our political class [both halves] is the way they dodge uncomfortable questions by changing the topic, usually to some sort of plug for their positions or an attack on their opponents. I call this the "Bait&Switch" school of rhetoric. For instance,
Reporter: "Mr. President, your No-child-left-behind policy has been criticized for having problems X, Y, Z, and W. What is your response?"
Chimp-In-Chief: "I just want to say that those children are grateful that a brutal dictator has been removed from power and will no longer terrorize them with weapons of mass destruction."
Reporter: "Speaking of which, where are the weapons of mass destruction?"
Chimp-In-Chief: "It doesn't matter, because a brutal dictator was removed, which is more than would have happened if we had had a Democratic president, and anyway everything is different after 9/11."
I find this kind of slippery speech incredibly condescending and alienating; unfortunately, it's effective enough that every major candidate does it, so I can't really vote against it. I've even heard that some of their supporters imitate this trick too. Sad.
Daniel
experts say the Internet -- with its discussion boards, blogs and self-published articles -- is a treasure trove of bad spelling.
They had to ask experts?
Daniel
Or could you maybe give an example what that should be:
"But what if so much code has already been written that no programmer wants to go back and make all the changes necessary to make it really work?"
I can give you one. The APT library (the backend to Debian's apt tools) uses a built-in download manager to fetch packages and other files. So far so good.
Now, say I'm in the middle of a long download, and I decide I changed my mind about some packages. For instance, I want to install some packages I hadn't thought of or cancel some downloads. There is no way to do this in any interface without cancelling the whole download and setting it up again, and that's because the backend library does not support this functionality. You can access the list of individual download jobs, but there's no way to cross-reference between jobs and the packages to which they refer (aside from decoding URIs to guess what the package is).
I asked the authors about this, and they said (essentially) that they didn't want to go back and make all the changes. This is probably reasonable -- it's a fairly esoteric feature and could be a pain to get working perfectly -- but it is one example of a place where the backend can limit the frontend.
I do find it amusing, though, that the author of the article just implicitly assumes that the reverse is not true: ie, that designing the frontend first will never result in arbitrary limitations for the backend.
Daniel
So what should we use to make presentations then?
LaTeX?
Yes.
Daniel
As interesting as it would be to watch SCO fold up like a house of cards, I think this chart might provide a little more context.
Daniel
Didn't you know that too much Slashdot rots the....uh, what was I saying again?
Daniel
Whereas your entire premise is based on the fallacy of overprecision.
For reference, this is the fallacy of overprecision (I couldn't find it on most of the general lists of fallacies on the Web, but a direct Google search turned it up):
Overprecision: rejecting a concept as unusable because it has borderline cases or because the definition, phrasing, syntax, grammar, or structure of the proposition or argument is not perfect.
Note that the fallacy refers to rejecting entire CONCEPTS, not arguments; for instance, "we can't agree on whether this is theft; therefore, the concept of theft should be discarded."
We all know that it's theft.
On the other hand, this is a classic example of argumentum ad populum , also known as "appeal to popularity". For instance,
"Everyone knows that the Earth is flat, so why do you persist in your outlandish claims?".
You simply don't like the word because you can't hide from what it says about what you are doing, so you sanitize it away until you are comfortable.
Whereas this is the fallacy of ad hominem , or "attacking the person". This particular form is known as "poisoning the well"; for instance,
"Of course you'd argue that positive discrimination is a bad thing. You're white."
-- Daniel "Logic Cop"
I thought there was a patent on elliptic curve cryptography. Did I misremember?
Daniel
So, in order to brute-force a password, you use the list of passwords *known* to generate the hash, and try all of them until you get a match.
I don't see why you'd need more than one -- the only thing the password file stores is the hash, so two passwords with the same hash should be considered "identical". I think.
Daniel
I generally get annoyed about this too. One thing to remember, though, is that a lot of these devices use specialized chips for which compilers may not be readily available. For instance, the Neuros uses a DSP chip which needs a $4000 development kit (gcc doesn't support it as a target).
Of course, an interpreted language could be used to get around this problem, but then you have the overhead of an interpreter on top of a chip that's already struggling to keep up with its duties.
Daniel
I think that the usefulness of Ogg is dependent on what you are using it for. As you mention, network effects probably make it useless for file-sharing -- but if you're mainly interested in making compressed audio for your own use it's great. I have a huge stack of CDs that now sits on my hard drive and Neuros as about 3GB of Ogg files.
I'm not sure why printing new chips should come into it -- I got ogg support on my Neuros by upgrading the firmware.
Daniel
Whether it's because the cracker was sloppy or inexperienced, or because the Gentoo team have good server security, I can't say - but it seems they were pretty lucky compared to Debian.
I'd imagine they were especially on-guard for breakins after the recent Debian incident. I would be if I were running a distribution's server (especially now).
Daniel
Stop whining and move to India then.
Funny you should mention that.
Daniel
I'd feel much better having embedded Linux (or some other proven secure system)
I wasn't aware Linux (or any other non-toy operating system) had been proven secure. Do you have a reference?
Daniel
If Mandrake got h4x0r3d, urpmi would still work, as all RPMs supported by Mandrake are signed.
:-(
Nice to know, that.
That's particularly helpful when J. Evil Hacker breaks into mandrake.com [or your local mirror] and decides that you don't REALLY need those last 5 security updates...
Just signing the packages isn't enough -- you need to sign the archive as a whole, and then to have some sort of "warn if the signature is too old" criterion to avoid this sort of replay attack. And in fact, the Debian archive database (the Packages file, to be precise) is already signed. Unfortunately, the tools don't check the signature automatically
Daniel
We were talking about ordinary businesses, not the Mafia.
Wait, there's a difference?
Daniel
(in case it isn't clear, I agree with the parent of the post I originally replied to -- the grandparent of my post, and the great-grandparent of this post..)
Lot of good that did this guy. I agree with the parent.
Daniel
Yeah, that's an old non-networked annoyance, not a new networked annoyance :-)
Daniel
And here I thought this latest movie-making attempt had hit rock bottom with the second movie. Next thing you know they'll make Faramir turn evil...oh, wait...
Daniel
If the patent stands, we'll have to rewrite every web site that uses plug-ins.
You say that as if it's a bad thing.
Daniel
Even earlier this year when I tried installing debian, again the install kernel was 2.2.
If you look through the help screens in the installer's boot menu, you'll see that you can boot a 2.4 kernel.
Daniel
How does that do you any more good than having source code to start with? That's assuming you can get the source -- in the case in the article, it appears that the code escrow didn't work the way the customers expected it to.
Daniel