[OS/2 is] technologically behind all the free Unixes, so what possibly could one learn from it, other than what was actually possible 10 years (or more) ago on realtively low-specced machines.
Threading: OS/2 still has the lightest, fastest and most usable threads of and Intel OS that I'm aware of (with the possible exception of BeOS).
Workplace Shell: If WPS was open source and X-compatible (not as hard a port as you might think), GNOME would look clunky and KDE would be considered archaic.
DOS support: Still of interest to more people than you'd believe; if Linux had OS/2's DOS emulation facility, it would be of great interest to people with some "still working" DOS legacy apps.
There may be some other features of OS/2 worth bringing into the future. IBM may open-source them, depending on whether they see future value in keeping the IP proprietary and whether the decision makers on that grok the open source idea.
Every software development life cycle (SDLC) methodology I've ever seen starts with a phase called "requirements analysis." They always will, but what's implicitly understood is that the definition of "requirement" varies radically with the type of project.
One place you won't find the terms "requirements analysis" or "requirements management" used outside of specific examples is in the Project Management Institute Body of Knowledge (PMBOK), which is (get this) an ANSI standard for project management.
The PMBOK dispenses with the concept of a project as a sequence of segmented phases and describes a project as the outcome of several "process groups" that wax and wane in importance during the project. When you talk about "requirements management" you are cutting a broad swath across these process groups and invoking activities such as risk management, scope management, resource management. time management, and so forth.
For example, the first process group is "initiating processes." What drives your organization to authorize a project? If your requirements don't relate directly to that, you're already on the wrong track.
My main exposure to SDLCs was in professional services; limiting the context to "outsourced project" already answers some of the questions I raised above. Some guys I worked with at PwC consulting had the best approach to requirements management (within this context) that I saw. (Yes, I realize that PwC Consulting changed its name to "Monday" and sold iteself to IBM, but despite outward signs of insanity, these guys had the SDLC methodologies down.) Anyway, at the commencement of each project, they would write a custom requirements manager in Microsoft Access. At the end of the project, they'd throw it away, because it was never quite the right one for the next project.
The cliché that comes up in every Java vs. Perl flame session is "use the right tool for the job." Unless your projects need to follow some kind of rigorous methodology (like DOD contracts), you should plan for variation. Put together a suite of tools (there are already some excellent suggestions) and include as part of the planning for a new project "tool selection" and let the project team deploy these tools as best suits each project.
The PMBOK definition of "project" specifies that a project be "unique." If it's not unique, then it's not a project, it's part of some ongoing process. Very insightful: all projects are unique.
It sounds like you have the out of the box thinking to be a next-generation player. You need to skate where the puck is going to be and I have to say, it's going to be harder than nailing Jell-O the the wall.
Above all, you need to maximize synergies to develop a strategic go-forward plan to be first to market in the opportunity space. Focus on synthesizing a world-class, robust, scalable solution using best-of-breed technologies. You need to capture eyeballs if you're going to drive revenue generation; you need to get the public to drink the Kool-Aid.
Develop a leveraged business model and have a fully-realized exit strategy.
PMMail did have an option for selecting POP as the outbound transport protocol, specific from SMTP. I understand what you're saying about the DNS names, but the interface was very clear that you were selected POP for outbound traffic. I also remember a POP server with a SEND command defined (It defined a HELP command that would list available commands, I used it via telnet a couple of times). This must have been a non-standard extension that was cropping up in the mid-90's because I can't find it documented in the RFCs (neither SEND nor HELP).
I guess the reason nobody ever picked up on this idea is that it isn't a standard. Either that or my memory is completely shot. Anyone work with POP servers circa 1995/1996 who would know for sure?
At any rate, your post drove me back to the RFC's and the POP protocol does not officially support outbound mail, hence my idea won't work. Dang.
Many of us use POP to receive our email (typically when we can't use IMAP). A lot of people don't realize the POP can be used to send mail. A mail client I used to use exclusively, PMMail for OS/2, could use POP to send mail. The benefit of this is that POP is authenticated by design. When I took my OS/2 laptop from place to place, I never had to worry about finding an SMTP relay that would take my mail (although at the time, most of them were open) because my ISP's POP server would happily accept mail from me wherever I was.
So what if mail servers accepted SMTP for inbound mail only, and required POP for outbound mail? Mail arriving from points unknown would be accepted via SMTP, but mail heading out would need that initial authentication -- no more forged headers. I think it's a great solution: it's compliant with IETF standards that are in place today. There's one problem.
Since PMMail, and I assume its short-lived Windows version PMMail 95, I haven't seen any mail clients that support POP for outgoing mail. Given the problem with spam and forged headers, I can't believe that no one has seized upon this idea.
Anyway, if the response is positive enough, I may be motivated to crack open some open-source mail client add support for outbound POP...
If I install 1.4 [Cisco's Switch Manager] won't function.
Cisco says, "In order to avoid compatability problems, do not user a version later than 1.3.1." They never said it won't function, and it all likelyhood, it will work just fine. They just haven't tested it, so they don't want to take the support calls if (and this is a big if) there is a problem.
Many of the "Java ain't all that" articles have valid points, but yours is just tripe.
You're soaking in it! If you are using Linux, then you are probably using networking infrastructure developed by Don Becker on NASA's time. They supported his work, and he felt that as a government employee, he had a "patriotic duty" to develop technology that could be used freely by the citizens who paid his salary.
If you don't agree with that, go use Microsoft Windows and don't forget to pay the proper per-connection license for your non-government network stack.
The "this one sucked less" tone of the review sadly reminds me of a lot of Microsoft Windows advocacy from past years. "Windows 95 crashes a lot less than Windows 3.1!" "With Windows 98, it only took me three tries to install the new hardware!"
Is Episode III, as the review suggests, likely to be the "Windows 2000" of Lucas' declining franchise? You know, "pretty good except for a few remaining legacy problems (Jar Jar)." I don't like to see movies that have to have apologetics any more than I like to run software that comes with a list of excuses. Windows Lemmings run Windows and claim it's the best, even if they don't really like it. Star Wars lemmings run out to see Lucas' latest (and then again on a digital screen 2 weeks from now) even though the substance of his films is insultingly weak.
The same market forces that have kept Windows so lousy are also at work setting up Episode III to be complete tripe (with great special effects).
Episode II will probably get nominated for best visual effects and I hope the next LoTR film bests it amongst the Academy voters.
Sun is making sure that Linux API's are available on Solaris. It is certainly possible to do this without having to GPL all or any of the code base.
They are doing this so that Linux applications will port trivially to Solaris. This isn't an admission that Linux is as good as Solaris, but just that it's more popular for developers.
I like this "I wouldn't have bought it anyway and the producer loses nothing" argument.
It's really late and I'm alone on a subway car with your mother. I think she's sexy. Now the law says your mother's sex organs are her property to license as she sees fit. I suppose that with some application of charm, or display of wealth (since it's your mother, a crisp $20 would probably do) I could convince her to grant me access to park my skin yacht in hair harbor, but maybe I don't think she's worth the effort or expense. So, I just rape the shit out of your mom for duration of the subway car.
Now, at the end of the ride, she's lost nothing. She still has her vagina. She didn't lose any time (she had to ride to her stop anyway). All she's lost is the propery rights to her snatch, which -- based on her offspring -- couldn't have been that valueable to her anyway.
I like the way you think. Now, where's your mom live?
You're basically right about Lucas' legal position. (One nitpick: documentaries can use copyrighted material without permission under "fair use" provisions of Title 17.)
Star Wars has made George Lucas a billionaire (or close to it) and you have to ask exactly what he thinks he's got to lose by letting loose of the franchise. Sir Arthur Conan Doyle did this with his Sherlock Holmes character and greatly enriched popular culture. For example, Sherlock Holmes appears in more films than any other recurring character.
Lucas has also been very grandiose over the years with his association with Joseph Campbell. The two have promted Star Wars from "successful pop culture" to "modern-day myth making." You'd think that releasing his tight-fisted grasp on the material would cement Lucas' mythmaker status. Sure, Tolkein never let loose of his canon, but then again, he never claimed to be the new Homer.
Episode I demonstrated that Lucas was pretty much out of new or even good ideas. If Episode II continues this, then we can pretty much bet that Episode III will draw a shameful end to what the original Star Wars started so brilliantly. If Lucas wants to live up to his own hype and ensure that Star Wars has the new ideas to make it a legacy, he should let loose of it.
If he just wants to make a couple more hundred million dollars before he dies, then, yeah, he's doing exactly the right thing.
I think you simply haven't realized quite how useful it is, in real life, for information to be human-readable.
This is particularly true if the humans work for an intelligence agency, law enforcement, or even a corporation that has decided it has a burning need to know what your information is. Encryption is BAD BAD BAD! You think ASN.1 is a bitch to debug? Try figuring out what's wrong with HTML that has even wimpy 40-bit DES slapped on it.
Of course, you never have to deal with that because the SSL stream is already decoded for you. That might not help with a new format, but maybe someone could come up with a special language that's really good for rearranging data and making it presentable. We could call is "Practical Language for Extracting and Reporting." Yeah, PLER. That has kind of a nice ring to it. There are quite a few jobs that need this kind of data munging, but are too small for Java and would take too long to write in C++, so I'd be there'd be a lot of interest in this hypothetical PLER language.
Only the geeks care about the frameworks. This is a point which is often lost on geeks.
This is getting waaay off topic, but I think that geeks are painfully aware that many of the things they care about are only important to them. That's the whole point of Slashdot, fool. It's a forum for exactly the kind of people who are likely to think that frameworks are cool.
JTXA may be a non-event in the greater scheme of things, but clearly this forum serves a community of people who tend to find these things newsworthy. You do know what site this is, right?
Jxta (the reason for this thread) does nothing useful at launch, and it solves a problem for which many people already have good solutions. In short, it's going nowhere.
If you're right (I haven't really looked at JTXA to see either way), then I agree.
It's amazing how a factual observation can actually advance your point of view. "Frameworks are boring" pegged the meter on the idiot-o-meter.
When Apache came out, it... was the first really usable, supported web server.
I suppose that the NCSA web server I'd been running, featuring everything offered by the first Apache release, doesn't count... because, why?
...frameworks are boring.... Show me something USING that framework that can't be done with anything else out there, and I'm interested.
While you are reading this (or, I suspect, having it read to you while you stare at the animated GIFs and drool), you are looking at the net result of a framework dubbed "The World Wide Web." Everyone and their grandmother has invented other frameworks that do the same thing. Why don't you do everyone a huge favor and stop using this "boring" framework and go do something interesting, like sitting in a corner and stroking a peice of felt. That seems about your speed.
What does Jxta let me do that nothing else can do?
I don't know, what does Apache let you do that nothing else can do?
Writing a P2P app isn't rocket science; a freshman CS major can probably do a decent job of it.
Yes, but there are certain disadvantages to having such a "one-off" P2P infrastructure. Working within a framework instead leverages other people's efforts and provides opportunity for cooperation or interoperability between unrelated efforts.
A freshman CS major can write a working web server, but but running Apache, I get a framework which offers me access to mod_perl, mod_php and mod_jserv, so I can employ the power of Perl, PHP or Java, respectively. This flexibility and standardization was not an accident but a specific design goal.
I'm not disagreeing about JTXA -- it might fizzle; it's just not as pointless as you depict it.
Much of this discussion is missing two key points:
The "Desktop" issue is, to some extent, just a popularity contest. If Linux had a larger desktop presence, then Linux Geeks would have more "cocktail-party credibility." Who cares?
Linux is Open Source Software and Open Source Software is written by Geeks to solve the problems that Geeks have, not the problems that Joe Desktop has.
Ideally, there should be roughly three kinds of computers: an engineering (geek) kind (e.g. Linux), a low-admin server kind (e.g. AS/400), and an appliance kind (e.g. Mac). What would really capture some desktop space would be something like a "Linux Install for Business and Interactive Desktop Operations" (LIBIDO?!). Not only would this thing not need a command line, but it would actually be hard to find it, if it had one at all. It would install with an office suite ready to go. Applications would have strict API and install guidelines. The goal would be to produce a machine with very few options so that it had a repeatable, bullet-proof operation across thousands of installations. Geeks would find this intensely dull and I don't know very many who would line up to donate their precious open-source development time to such a project.
Linux is kicking ass in the server market because the people who define what it does (the Geeks) care about the server market. When a critical mass of suitably-motivated Geeks really wants to produce a system that will win the hearts of Corporate Goons and find a home on desktops everywhere, then it will be created.
Until then... well, I'm going to spend the next 10 hours painstakingly customizing the appearance of my titlebars...
...some people assume that if you say something bad about Java, that it means you must be cheering on Microsoft.
I'm not one of those people, but the topic of this thread is Microsoft.
The fact that there are Java work-alikes just highlights the fact that Sun refuses to release the Java source code for free(dom) use.
No, it highlights the fact that some people don't like the rules they have to follow to get Sun's source code. That's fine; some people don't like the rules imposed by the GPL, either (particularly Microsoft). That's why there are other licenses and duplicate efforts. WebMacro and Velocity are both free software, and they do exactly the same thing, but Velocity was created because (at one point) WebMacro's license conflicted with the APL.
Sun's Java license has never stopped me from doing what I need to do, so I don't mind it. It did bother some other people I know, so you know what they did? They wrote their own damn Java implementation. I suppose they should have just wasted their time whining about Sun on Slashdot, instead.
Why else would people have to produce re-implementations that end up forking the language in subtle ways?
Who did that? Oh yeah, Microsoft. No one else, though. Japhar and Kaffe have struggled to keep full compliance with Sun's published specification. In other words: You don't know what you're talking about.
This frothing-at-the-mouth rhetoric about standards bodies is just thinly-veiled Java bashing. Microsoft submitted VBScript to ECMA, which mixed it with JavaScript and created ECMAScript. Has this made JavaScript more compatible, less buggy or more secure? Not that I've noticed.
Meanwhile, what standards body control the Linux Kernal? Perl? PHP? Is mod_perl part of any W3C standard? Sun's strict control of Java's definition is a feature not a hinderance. Sure Java has plenty of weak spots, but there are numerous of options for fixing them, none of which rely on a standards body deliberating.
Microsoft submits their crap to standards bodies to distract feeble-minded tehcnopundits like yourself. The fact is, their stuff is more proprietary than anyone else's and they'll do what they want with it regardless of any standards.
If Java is so "proprietary" how is it that there are several open-source implementations of it? Can you name one open source implementation of C#?
No, they don't. You must be confusing one of two things.
Sometimes a CA will sign the credentials of a subordinate CA. The new CA usually operates within a narrow context. When we have been talking about CA in this discussion, we have been talking about root CA's that are not certified by any other CA.
What I think you are talking about is cross-certification. Let's say that my company trust Verisign and your company trusts Thawte. If we want to work together, we can take the option of using the same CA, which means one of us has to go through the process of forming a new trust relationship. Instead, we can have a cross-certfied CA set up. This CA is endorsed (signed) by both Thawte and Verisign, meaning that my company will trust certs sign by the new CA and so will yours, although neither of us form a new trust relationship.
Even if you were correct, you still haven't solved the problem. Let's say I've got Verisign's root CA certificate signed by Thawte. How do I know it was really signed by Thawte? I need Thawte's root CA cert... and well, we're back at square 0.
If they have *no* CA's, how do they import any other ones? Without a cerver cert, any imposter could (say) dos the CA, and spoof their address.
You need at least one cert in the browser
You have both failed to understand how CA certs work and brilliantly highlighted a little-considered problem with PKI.
The CA certs that are embedded in the browser have absolutely nothing to do with downloading new CA certs. The new CA certs are just that -- new CA certs.
The problem you highlight is this: how do I know that the CA cert that I'm downloading actually contains the public key for the CA I think it does? When your browser quietly loads an SSL page, you have to just assume that the CA certificates that installed in that browser are valid.
The accepted solution to this problem is to publish CA certificates so widely that subverting a single channel would be unlikely to result in a signficant number of people obtaining the fake CA cert. Furthermore, a human can verify the "Certificate FingerPrint" (an MD5 or SHA-1 hash of the cert). This Certificate Fingerprint should be so ubiquitous that a fake CA certificate should be immediately obvious.
Of course, this assumes that you, the recipient of the CA Cert make some effort (or any effort, for that matter), to verify the CA Cert. Have you verify any cert you've ever recieved? I'd be willing to be that most people reading this have never done so.
In summary, the bootstrap issue is a big deal, although you are mistaken that you need a CA cert in the browser to verify subsequent CA certs; they aren't related.
the first time a web page comes up that's signed by CA X, the browser says "Here are the details for CA X. Do you wish to install this key permanently so that you will not be warned about certs signed by this CA in the future?"
Yes, but where does this CA public key come from? All the browser knows, at that point, is that the server certificate has been signed by an unknown CA. The CA's public key is not part of the SSL handshake. How do you redirect the browser to find the CA certificate for that CA without allowing an attacker to steer the browser to a bogus cert?
For example, the browser says,"This certificate has been signed by Verisign. Do you want to accept Verisign's CA certificate (from www.h4x0r.com)?
I'm fairly sure that if you serve your root certificate with an appropriate Content-Type, and Netscape will happily import it after confirming with the user.
You are correct, but the real problem is steering Joe-Sixpack to that CA cert location. Typical end-users just aren't aware of them or used to downloading them. I addressed this in another post.
A CA will just have to convince the open source projects (possibly by donating money and/or servers and/or people contributing to the browser code) to get their cert in the default setup.
This is a Bad Thing(tm). By allowing an open-source project to include the CA's they want, I anticipate a veritable fuckload of weird CA certs embedded in Mozilla. (Maybe the Powers That Be on Mozilla or other OSS browsers will be hyperclued, but I, for one, don't want to take that risk.)
Instead, OSS browsers should contain no CAs. Upon install, the browser may bring up instructions on how to find the most popular CA root certs. Then Joe Six-Pack will have to get them, or find himself constantly nagged on SSL sights. The upshot will be that the browser is not quitely trusting anyone, and Joe Six-Pack now has an awareness of CA certs and how to load them.
Slashdot Mirror
- Threading: OS/2 still has the lightest, fastest and most usable threads of and Intel OS that I'm aware of (with the possible exception of BeOS).
- Workplace Shell: If WPS was open source and X-compatible (not as hard a port as you might think), GNOME would look clunky and KDE would be considered archaic.
- DOS support: Still of interest to more people than you'd believe; if Linux had OS/2's DOS emulation facility, it would be of great interest to people with some "still working" DOS legacy apps.
There may be some other features of OS/2 worth bringing into the future. IBM may open-source them, depending on whether they see future value in keeping the IP proprietary and whether the decision makers on that grok the open source idea.One place you won't find the terms "requirements analysis" or "requirements management" used outside of specific examples is in the Project Management Institute Body of Knowledge (PMBOK), which is (get this) an ANSI standard for project management.
The PMBOK dispenses with the concept of a project as a sequence of segmented phases and describes a project as the outcome of several "process groups" that wax and wane in importance during the project. When you talk about "requirements management" you are cutting a broad swath across these process groups and invoking activities such as risk management, scope management, resource management. time management, and so forth.
For example, the first process group is "initiating processes." What drives your organization to authorize a project? If your requirements don't relate directly to that, you're already on the wrong track.
My main exposure to SDLCs was in professional services; limiting the context to "outsourced project" already answers some of the questions I raised above. Some guys I worked with at PwC consulting had the best approach to requirements management (within this context) that I saw. (Yes, I realize that PwC Consulting changed its name to "Monday" and sold iteself to IBM, but despite outward signs of insanity, these guys had the SDLC methodologies down.) Anyway, at the commencement of each project, they would write a custom requirements manager in Microsoft Access. At the end of the project, they'd throw it away, because it was never quite the right one for the next project.
The cliché that comes up in every Java vs. Perl flame session is "use the right tool for the job." Unless your projects need to follow some kind of rigorous methodology (like DOD contracts), you should plan for variation. Put together a suite of tools (there are already some excellent suggestions) and include as part of the planning for a new project "tool selection" and let the project team deploy these tools as best suits each project.
The PMBOK definition of "project" specifies that a project be "unique." If it's not unique, then it's not a project, it's part of some ongoing process. Very insightful: all projects are unique.
- Freaked
is one of my all-time favorite movies. A must-see if you like screwball comedy with a sharp cynical edge.Above all, you need to maximize synergies to develop a strategic go-forward plan to be first to market in the opportunity space. Focus on synthesizing a world-class, robust, scalable solution using best-of-breed technologies. You need to capture eyeballs if you're going to drive revenue generation; you need to get the public to drink the Kool-Aid.
Develop a leveraged business model and have a fully-realized exit strategy.
PMMail did have an option for selecting POP as the outbound transport protocol, specific from SMTP. I understand what you're saying about the DNS names, but the interface was very clear that you were selected POP for outbound traffic. I also remember a POP server with a SEND command defined (It defined a HELP command that would list available commands, I used it via telnet a couple of times). This must have been a non-standard extension that was cropping up in the mid-90's because I can't find it documented in the RFCs (neither SEND nor HELP).
I guess the reason nobody ever picked up on this idea is that it isn't a standard. Either that or my memory is completely shot. Anyone work with POP servers circa 1995/1996 who would know for sure?
At any rate, your post drove me back to the RFC's and the POP protocol does not officially support outbound mail, hence my idea won't work. Dang.
So what if mail servers accepted SMTP for inbound mail only, and required POP for outbound mail? Mail arriving from points unknown would be accepted via SMTP, but mail heading out would need that initial authentication -- no more forged headers. I think it's a great solution: it's compliant with IETF standards that are in place today. There's one problem.
Since PMMail, and I assume its short-lived Windows version PMMail 95, I haven't seen any mail clients that support POP for outgoing mail. Given the problem with spam and forged headers, I can't believe that no one has seized upon this idea.
Anyway, if the response is positive enough, I may be motivated to crack open some open-source mail client add support for outbound POP...
- If I install 1.4 [Cisco's Switch Manager] won't function.
Cisco says, "In order to avoid compatability problems, do not user a version later than 1.3.1." They never said it won't function, and it all likelyhood, it will work just fine. They just haven't tested it, so they don't want to take the support calls if (and this is a big if) there is a problem.Many of the "Java ain't all that" articles have valid points, but yours is just tripe.
- I don't WANT a government-developed OS.
You're soaking in it! If you are using Linux, then you are probably using networking infrastructure developed by Don Becker on NASA's time. They supported his work, and he felt that as a government employee, he had a "patriotic duty" to develop technology that could be used freely by the citizens who paid his salary.If you don't agree with that, go use Microsoft Windows and don't forget to pay the proper per-connection license for your non-government network stack.
Is Episode III, as the review suggests, likely to be the "Windows 2000" of Lucas' declining franchise? You know, "pretty good except for a few remaining legacy problems (Jar Jar)." I don't like to see movies that have to have apologetics any more than I like to run software that comes with a list of excuses. Windows Lemmings run Windows and claim it's the best, even if they don't really like it. Star Wars lemmings run out to see Lucas' latest (and then again on a digital screen 2 weeks from now) even though the substance of his films is insultingly weak.
The same market forces that have kept Windows so lousy are also at work setting up Episode III to be complete tripe (with great special effects).
Episode II will probably get nominated for best visual effects and I hope the next LoTR film bests it amongst the Academy voters.
They are doing this so that Linux applications will port trivially to Solaris. This isn't an admission that Linux is as good as Solaris, but just that it's more popular for developers.
It's really late and I'm alone on a subway car with your mother. I think she's sexy. Now the law says your mother's sex organs are her property to license as she sees fit. I suppose that with some application of charm, or display of wealth (since it's your mother, a crisp $20 would probably do) I could convince her to grant me access to park my skin yacht in hair harbor, but maybe I don't think she's worth the effort or expense. So, I just rape the shit out of your mom for duration of the subway car.
Now, at the end of the ride, she's lost nothing. She still has her vagina. She didn't lose any time (she had to ride to her stop anyway). All she's lost is the propery rights to her snatch, which -- based on her offspring -- couldn't have been that valueable to her anyway.
I like the way you think. Now, where's your mom live?
Star Wars has made George Lucas a billionaire (or close to it) and you have to ask exactly what he thinks he's got to lose by letting loose of the franchise. Sir Arthur Conan Doyle did this with his Sherlock Holmes character and greatly enriched popular culture. For example, Sherlock Holmes appears in more films than any other recurring character.
Lucas has also been very grandiose over the years with his association with Joseph Campbell. The two have promted Star Wars from "successful pop culture" to "modern-day myth making." You'd think that releasing his tight-fisted grasp on the material would cement Lucas' mythmaker status. Sure, Tolkein never let loose of his canon, but then again, he never claimed to be the new Homer.
Episode I demonstrated that Lucas was pretty much out of new or even good ideas. If Episode II continues this, then we can pretty much bet that Episode III will draw a shameful end to what the original Star Wars started so brilliantly. If Lucas wants to live up to his own hype and ensure that Star Wars has the new ideas to make it a legacy, he should let loose of it.
If he just wants to make a couple more hundred million dollars before he dies, then, yeah, he's doing exactly the right thing.
- I think you simply haven't realized quite how useful it is, in real life, for information to be human-readable.
This is particularly true if the humans work for an intelligence agency, law enforcement, or even a corporation that has decided it has a burning need to know what your information is. Encryption is BAD BAD BAD! You think ASN.1 is a bitch to debug? Try figuring out what's wrong with HTML that has even wimpy 40-bit DES slapped on it.Of course, you never have to deal with that because the SSL stream is already decoded for you. That might not help with a new format, but maybe someone could come up with a special language that's really good for rearranging data and making it presentable. We could call is "Practical Language for Extracting and Reporting." Yeah, PLER. That has kind of a nice ring to it. There are quite a few jobs that need this kind of data munging, but are too small for Java and would take too long to write in C++, so I'd be there'd be a lot of interest in this hypothetical PLER language.
- Only the geeks care about the frameworks. This is a point which is often lost on geeks.
This is getting waaay off topic, but I think that geeks are painfully aware that many of the things they care about are only important to them. That's the whole point of Slashdot, fool. It's a forum for exactly the kind of people who are likely to think that frameworks are cool.JTXA may be a non-event in the greater scheme of things, but clearly this forum serves a community of people who tend to find these things newsworthy. You do know what site this is, right?
- Jxta (the reason for this thread) does nothing useful at launch, and it solves a problem for which many people already have good solutions. In short, it's going nowhere.
If you're right (I haven't really looked at JTXA to see either way), then I agree.It's amazing how a factual observation can actually advance your point of view. "Frameworks are boring" pegged the meter on the idiot-o-meter.
Now go play with your felt.
- When Apache came out, it
... was the first really usable, supported web server.
I suppose that the NCSA web server I'd been running, featuring everything offered by the first Apache release, doesn't count... because, why?- ...frameworks are boring.
... Show me something USING that framework that can't be done with anything else out there, and I'm interested.
While you are reading this (or, I suspect, having it read to you while you stare at the animated GIFs and drool), you are looking at the net result of a framework dubbed "The World Wide Web." Everyone and their grandmother has invented other frameworks that do the same thing. Why don't you do everyone a huge favor and stop using this "boring" framework and go do something interesting, like sitting in a corner and stroking a peice of felt. That seems about your speed.- What does Jxta let me do that nothing else can do?
I don't know, what does Apache let you do that nothing else can do?- Writing a P2P app isn't rocket science; a freshman CS major can probably do a decent job of it.
Yes, but there are certain disadvantages to having such a "one-off" P2P infrastructure. Working within a framework instead leverages other people's efforts and provides opportunity for cooperation or interoperability between unrelated efforts.A freshman CS major can write a working web server, but but running Apache, I get a framework which offers me access to mod_perl, mod_php and mod_jserv, so I can employ the power of Perl, PHP or Java, respectively. This flexibility and standardization was not an accident but a specific design goal.
I'm not disagreeing about JTXA -- it might fizzle; it's just not as pointless as you depict it.
- The "Desktop" issue is, to some extent, just a popularity contest. If Linux had a larger desktop presence, then Linux Geeks would have more "cocktail-party credibility." Who cares?
- Linux is Open Source Software and Open Source Software is written by Geeks to solve the problems that Geeks have, not the problems that Joe Desktop has.
Ideally, there should be roughly three kinds of computers: an engineering (geek) kind (e.g. Linux), a low-admin server kind (e.g. AS/400), and an appliance kind (e.g. Mac). What would really capture some desktop space would be something like a "Linux Install for Business and Interactive Desktop Operations" (LIBIDO?!). Not only would this thing not need a command line, but it would actually be hard to find it, if it had one at all. It would install with an office suite ready to go. Applications would have strict API and install guidelines. The goal would be to produce a machine with very few options so that it had a repeatable, bullet-proof operation across thousands of installations. Geeks would find this intensely dull and I don't know very many who would line up to donate their precious open-source development time to such a project.Linux is kicking ass in the server market because the people who define what it does (the Geeks) care about the server market. When a critical mass of suitably-motivated Geeks really wants to produce a system that will win the hearts of Corporate Goons and find a home on desktops everywhere, then it will be created.
Until then... well, I'm going to spend the next 10 hours painstakingly customizing the appearance of my titlebars...
- ...some people assume that if you say something bad about Java, that it means you must be cheering on Microsoft.
I'm not one of those people, but the topic of this thread is Microsoft.- The fact that there are Java work-alikes just highlights the fact that Sun refuses to release the Java source code for free(dom) use.
No, it highlights the fact that some people don't like the rules they have to follow to get Sun's source code. That's fine; some people don't like the rules imposed by the GPL, either (particularly Microsoft). That's why there are other licenses and duplicate efforts. WebMacro and Velocity are both free software, and they do exactly the same thing, but Velocity was created because (at one point) WebMacro's license conflicted with the APL.Sun's Java license has never stopped me from doing what I need to do, so I don't mind it. It did bother some other people I know, so you know what they did? They wrote their own damn Java implementation. I suppose they should have just wasted their time whining about Sun on Slashdot, instead.
- Why else would people have to produce re-implementations that end up forking the language in subtle ways?
Who did that? Oh yeah, Microsoft. No one else, though. Japhar and Kaffe have struggled to keep full compliance with Sun's published specification. In other words: You don't know what you're talking about.Like I said,"Thinly-veiled Java bashing."
Meanwhile, what standards body control the Linux Kernal? Perl? PHP? Is mod_perl part of any W3C standard? Sun's strict control of Java's definition is a feature not a hinderance. Sure Java has plenty of weak spots, but there are numerous of options for fixing them, none of which rely on a standards body deliberating.
Microsoft submits their crap to standards bodies to distract feeble-minded tehcnopundits like yourself. The fact is, their stuff is more proprietary than anyone else's and they'll do what they want with it regardless of any standards.
If Java is so "proprietary" how is it that there are several open-source implementations of it? Can you name one open source implementation of C#?
- Very often, CA's certify each other.
No, they don't. You must be confusing one of two things.Sometimes a CA will sign the credentials of a subordinate CA. The new CA usually operates within a narrow context. When we have been talking about CA in this discussion, we have been talking about root CA's that are not certified by any other CA.
What I think you are talking about is cross-certification. Let's say that my company trust Verisign and your company trusts Thawte. If we want to work together, we can take the option of using the same CA, which means one of us has to go through the process of forming a new trust relationship. Instead, we can have a cross-certfied CA set up. This CA is endorsed (signed) by both Thawte and Verisign, meaning that my company will trust certs sign by the new CA and so will yours, although neither of us form a new trust relationship.
Even if you were correct, you still haven't solved the problem. Let's say I've got Verisign's root CA certificate signed by Thawte. How do I know it was really signed by Thawte? I need Thawte's root CA cert... and well, we're back at square 0.
- If they have *no* CA's, how do they import any other ones? Without a cerver cert, any imposter could (say) dos the CA, and spoof their address.
You have both failed to understand how CA certs work and brilliantly highlighted a little-considered problem with PKI.You need at least one cert in the browser
The CA certs that are embedded in the browser have absolutely nothing to do with downloading new CA certs. The new CA certs are just that -- new CA certs.
The problem you highlight is this: how do I know that the CA cert that I'm downloading actually contains the public key for the CA I think it does? When your browser quietly loads an SSL page, you have to just assume that the CA certificates that installed in that browser are valid.
The accepted solution to this problem is to publish CA certificates so widely that subverting a single channel would be unlikely to result in a signficant number of people obtaining the fake CA cert. Furthermore, a human can verify the "Certificate FingerPrint" (an MD5 or SHA-1 hash of the cert). This Certificate Fingerprint should be so ubiquitous that a fake CA certificate should be immediately obvious.
Of course, this assumes that you, the recipient of the CA Cert make some effort (or any effort, for that matter), to verify the CA Cert. Have you verify any cert you've ever recieved? I'd be willing to be that most people reading this have never done so.
In summary, the bootstrap issue is a big deal, although you are mistaken that you need a CA cert in the browser to verify subsequent CA certs; they aren't related.
- the first time a web page comes up that's signed by CA X, the browser says "Here are the details for CA X. Do you wish to install this key permanently so that you will not be warned about certs signed by this CA in the future?"
Yes, but where does this CA public key come from? All the browser knows, at that point, is that the server certificate has been signed by an unknown CA. The CA's public key is not part of the SSL handshake. How do you redirect the browser to find the CA certificate for that CA without allowing an attacker to steer the browser to a bogus cert?For example, the browser says,"This certificate has been signed by Verisign. Do you want to accept Verisign's CA certificate (from www.h4x0r.com)?
- I'm fairly sure that if you serve your root certificate with an appropriate Content-Type, and Netscape will happily import it after confirming with the user.
You are correct, but the real problem is steering Joe-Sixpack to that CA cert location. Typical end-users just aren't aware of them or used to downloading them. I addressed this in another post.- A CA will just have to convince the open source projects (possibly by donating money and/or servers and/or people contributing to the browser code) to get their cert in the default setup.
This is a Bad Thing(tm). By allowing an open-source project to include the CA's they want, I anticipate a veritable fuckload of weird CA certs embedded in Mozilla. (Maybe the Powers That Be on Mozilla or other OSS browsers will be hyperclued, but I, for one, don't want to take that risk.)Instead, OSS browsers should contain no CAs. Upon install, the browser may bring up instructions on how to find the most popular CA root certs. Then Joe Six-Pack will have to get them, or find himself constantly nagged on SSL sights. The upshot will be that the browser is not quitely trusting anyone, and Joe Six-Pack now has an awareness of CA certs and how to load them.