The vast majority of the 'complexity' on the financial side (including payroll) of ERP systems are externally imposed. The business has no control over it.
Federal regs, financial best practices, laws, contracts, etc.
Why aren't things hidden more often in the alternate data streams? They are. It's a common rootkit hiding technique, or was for a time. But its very easy to detect, as it would alter the hash of the file, and would stick out like a sore thumb if a system file that never had an ADS all of a sudden did.
Send an E-mail to John Q Igoramus, which he will promply open and attempt to open an attachment in the email telling him that his daughter posted something lewd in her myspace account and to click here to see it, only that what he clicked on was a Trojan Horse, which promptly posts your corporate XP key to freexpwarez.com, which is used by 1,000,000 people to get free XP, which MS detects and promptly locks out all your corporate PC with a "You are a pirate" message. If your John Q Ignoramus users are running their systems as local admins, then you probably deserve some pain. Okay, you dont really deserve it, but you'll get no sympathy.
I realize this is slightly aside from your point, but any corporate IT shops where this would work arent doing their jobs.
I've never used Windows XP very much, but I wouldn't imagine that it would normally allow a user without administrative privileges to load arbitrary code (like drivers) into the kernel, right? Or are normal users allowed to do that if the code is signed or something? Non-admin users canot load drivers, start drivers, etc. However, the plug-n-play behavior that is what people see when they plug in most devices to USB ports doesnt run as the logged in user. It's a system service that handles the hardware plug n play. So when it sees a new device installed, if it recognizes it and has the drivers built into the system (ie, already loaded and trusted), it will load the drivers and mount the device, and make it available to all user sessions.
If it doesnt recognize it and/or doesnt have the drivers, then it does indeed require admin privs to install new drivers.
I never really did understand why Windows doesn't come with all its own drivers installed by default, though. It does. It comes with many tens of thousands of device drivers. One problem you run into though is with craptacular (yes, thats the technical term) consumer peripherals. They must farm out their driver software writing to 10-year old farm laborers in china or something. Most of these drver packs are good for one and only one model, so not reusable, and they're really poorly done.
So often, even if you have Model N1950 of this new digital camera, and windows ships with all drivers up to N1940 of the camera, its probable that you'll have to download drivers. Sometimes you can guess or know which drivers are compatible, but this is often plug n' pray (ie, might work, might not).
Why do you have to install e.g. the USB mass storage driver that comes with Windows the first time you insert a memory stick? You dont. The only Windows OS that doesnt support the vast majority of usb memory sticks (as mass storage) out of the box is win98 and previous.
Some specialized memory sticks, with security features, come with extra software, that can 'auto-run' when you install it, but thats just a security nightmare, and wont work for a non-admin anyway.
Funny, I'm an IT department for many companies, and I'm not cringing in fear or having nightmares over Vista.
For corporate IT, Vista is easy. Roll it out when and only when, its been tested, proven, and your organization is ready for it. Until then, just dont roll it out. Easy as pie. Now, if you've got end-users buying machines and trying to connect them to corporate resources without your control, then thats not corporate IT, thats just a bunch of people doing whatever they want.
And the black hole router detection is useful, and makes a lot of sense. If you're seeing problems with it, then it just may not be fully baked yet, and you need to give it time to settle out.
I mean geez, its not like anyone is forcing anybody to upgrade or anything. Your orgs should probably be at least considering buying vista with all new machines now, or as part of your VM purchasing, and just use the downlevel install options for now, that way you own it when you're ready.
If you're encouraging your clients to install Vista, when you know they're not ready for it, and its not ready for them, then you're a bad consultant.
If you're telling them its not ready, and they're doing it anyway, and then calling you for help, then you deserve every penny and more from those hours, cause you've got bad clients.:)
I dont normally even read, much less respond, to AC posts. However, this is a non-typical/. thread, so I'll change for this.
To answer your questions, I'm in my mid-30's, so figure 20 years of serious music listening.
How many have I listened to? Hard to put exact numbers on, but for Artists its got to be in the few hundreds, if not more, and several thousand songs. Of course, these numbers are just being pulled out of my butt based on a guess.
Sitting on my laptop now I have:
106 artists (many with more than one album) 1871 songs
The reason the ratio isnt higher is that I've got some of those one-hit-wonder songs from otherwise non-artists that I liked when I was in my teens and college.
Not had-in-background-while-coding, not flipped-through-in-traffic, actually sat and listened to and tried to really understand? I dont listen to music the same as you do. Part of it is just this time of my life, trying to turn a small IT business into a big IT business, and having very little free time, and fully focused on my business. But I dont just sit around and listen to music unless I'm doing something else.
Music by itself isnt enough to fully focus on. I just get bored. (Of course, while non-sober this may change.)
On a given weekday, I listen to music probably 12 hours a day.
1 hour from the radio while getting ready for the day. 15-30 minutes from the radio while commuting 0-1 hours while driving from the radio 8-10 hours while working
- usually from my mp3 collection
- sometimes from streaming music services for variety 0-1 hours from home off of XM radio from DirecTV (channel 817, XM Hitlist mostly, though sometimes switch over to 816 or one of the country stations)
This of course goes up and down depending on my love-life, with generally less music when there's a woman in the house.
None of this is just sitting there listening to music doing nothing else. I cant imagine doing that, I would either get bored, fall asleep, or drift off and stop listening to music while thinking about business or programming issues.
There's no reason to be self-righteous about it. Your way of listening to music isnt the 'one correct way for all humanity', its just your way. For me, reading is closer to what you're describing. I have probably several hundred books nowadays, and I read everything interesting I can get my hands on. But I dont go around bashing on people who dont read like I do.
Though I'll admit I do secretly pity them, as I know how much wiser, more knowledgeable, and more open minded person I am because of the books I've read.:)
Proliferation of IIS and ActiveX will force people to IE. This makes no sense.
The ActiveX issue I'll give you, though it's really only an issue for older software, as no one's doing activex stuff nowadays.
But how does use (proliferation) of IIS in any way force anyone to use IE? IIS is a webserver, it just emits what you tell it to emit. What does that have to do with IE?
To my knowledge he apparently has got ABSOLUTELY no updates from Microsoft since wga was turned on by them as he does not has the wga things. Doesnt work that way. Automatic Updates works just fine without WGA.
Only the manual, go-to-the-website-and-patch WindowsUpdate/MicrosoftUpdate is blocked without WGA.
Yeah. When the new threading system came out, I tried it, and it didnt work at all with Opera.
As per the beta testing instructions, I emailed pudge, and got a really jerky response from him about how it would never work because 'opera is broken'.
Strangely enough, even though Opera is still 'broken' according to pudge, the threading system mostly works under Opera. Guess the universe changed or something.
Of course, given the several hundred browser-agnostic ajax libraries and dom manipulation libraries out there, you'd think this wouldnt be too hard of a problem to solve. I just about gave it a try myself, but as usual, my 10-12 hours of IT work a day just about is enough.
The email is pudge and you can guess the rest, starts with @ and ends with dot.org.
Dont have high hopes about pudge fixing it though, at least based on his original response to me. Not sure what changed, whether he had a change of heart, or whether something changed in opera across patch releases.
My memory is that this mostly revolved around J/Direct (replacement of JNI) and adding/modifying classes and methods within the core namespace (ie, rather than adding ms specific namespaces).
Even the article you linked describes the changes to the core class as 'the scariest':
The last Java 1.1 incompatibility problem identified is actually the scariest. It is easy to avoid RMI and JNI if your application permits it: You just don't use them. The sticking point is that Microsoft decided the Core Java class libraries were insufficient for its needs. Now there's nothing wrong with extending things by subclassing and placing the new objects in a package outside of the java.* class hierarchy. But deciding to add about 50 methods and 50 fields into the classes within the java.awt, java.lang, and java.io packages, as Microsoft did, is extremely problematic. "Microsoft deceptively altered key classes and inserted them into their SDK," said Baratz, which results in developers thinking they are writing Java, when actually they are writing something that runs only on Internet Explorer. So in part sounds like we're talking about the same thing. Adding J/Direct for platform native stuff, and not using JNI for platform native stuff. Two sides of the same coin, I guess.
But I cant actually find any references to the specific java spec incompatibilities. It's probably in the original court filing, but I havent found that yet.
Nearly every news article that reporting on it at the time says the lawsuit was over 'Microsoft adding windows specific extensions to their jvm', but that is very vague, and general industry news (as opposed to developer-specific reporting) often gets the details wrong.
If you can find anything conclusive, please post it. Based on my limited research this morning, it looks like we both had a piece of it, and it was about 3 things: no RMI, no JNI - instead J/Direct, and modification of core classes in the namespace.
Geez there is a lot of self righteous nonsense on/. today.
I'll break something real critical to you:
YOU do not get to tell OTHERS what words mean to THEM.
Language is a consensual communication mechanism, not a dictatorial one.
(Dictionaries notwithstanding, they dont own the language, they just make a reference definition of one, and there are even many competing of these.)
Open Source to some people means gratis. To some it means any source they can look at. To some it is of the 'free speech' variety.
Neither you, nor anyone else, gets to put a patent or copyright on those two words.
Now mind you, if someone wants to be well understood, or be successfully persuasive, then it is incumbent on them to use a consensual vocabularly appropriate to their target audience. But its not required, just useful.
The 'Open Source Definition' you're referring to, is one very small group of people out of all humanity, agreeing to what they (ie, just that group) mean when they use that phrase. To top, its a highly technical piece of jargon, that is only relevant or meaningful to those in the industry.
Microsoft is providing view only, and only downloading the source as you step through it. FYI
You can also download the source directly in an MSI (the MSI is so that it forces you to agree the license before installing).
From Scott Guthrie's blog (ie, the guy who owns.NET at microsoft):
http://weblogs.asp.net/scottgu/archive/2007/10/03/releasing-the-source-code-for-the-net-framework-libraries.aspx
You'll be able to download the.NET Framework source libraries via a standalone install (allowing you to use any text editor to browse it locally). We will also provide integrated debugging support of it within VS 2008. Unfortunately, if you only read the whirley guy's blog, you dont get the whole story, as the idiot never links back to the actual announcement by Scott, or the press release.
Did YOU even bother reading the article?
Did you even read the article? You cannot do _anything_ with the code except to look at it. Heck, you can't even download the code for reference. Instead, MS Dev Studio's debugger will fetch the source code section from a Microsoft MSDN server as you step into it. Allow me to quote straight from Scott Guthrie's blog:
MS added various win32 specific things to their build of the JVM.
The result was, since everyone used windows, and the extensions were useful on the common platform, that people used those extensions.
Their software then broken one of Java's fundamental tenets, which is that it'll work (some J2EE stuff excluded) on any platform for which there is a JVM, unchanged.
So Sun sued MS, and eventually won. During and after the lawsuit, there was a period of time when the JVM that shipped with windows was woefully behind the current reference JVM from sun. Thats probably what you're remembering.
But that was because the court ordered them to stop distributing any new versions.
One of the odd twists to the story is that Microsoft's JVM was hugely faster than Sun's JVM, so everyone used it.
A = the original source code. B = source code generated by Reflector f(x) = compiling source code to IL C = IL generated by f(x) r(x) = reflector software
So you do f(A) = C
You then use the reflector, and do:
r(C) = B
But the problem is that A != B.
The only equivalence is that f(A) = f(B).
And more importantly, without the original source code you lose:
The last one is the meta-information you can gain from source code just by looking at how it's structured. The patterns and models that the developers used, etc.
Not to mention with what MS is doing you get symbols so you can step through.net source in the debugger.
The reflector re-generates source code based on the IL. But there's no guarantee that its the SAME source code. It is perfectly possible and reasonable to have two different sources compile to the same IL. Now they're not going to be drastically different, but they can be meaningfully different. But you're always going to lose some information content when compiling down to IL.
In addition, the VS.NET debugger will grab symbols for the source code as well, which allows the debugger to link directly to the exact line in the source code so you can step through it and see meaningful variable names in your locals window and such.
Lastly, with the reverse engineering of the reflector tool, you always lose comments, and you very easily lose the 'intent' of the software, as expressed by its original source code (which will almost certainly be different than the source code the reflector emits).
Not having read the fine article (of course!), do they say somewhere that the code they released is not covered by any patents or other kind of ethereous `IP' and so on? The answer to your question is one link away from the main article. Do your own reading.
Because it would be nearly impossible to do otherwise, and still make it work right in the debugger.
If the symbols dont line up, or the 'current line' in the stack trace clearly isnt what is actually executing, its going to be hugely obvious.
This would be very very difficult to do, and they would have to develop an entire subsystem in the vs.net debugger to deliberately hide stuff from you while still doing effective debugging.
In other words, its really not practical to do what you're suggesting, especially for little to no benefit.
Microsoft will release source code for 'Open'.Net on a schedule that suits them for strategic or monetary purposes. Maybe you'll get monthly updates. Most likely, you'll get quarterly updates. Maybe not even that many updates. Actually, Scott Guthrie's post was quite clear about that.
As.NET patches, service packs, and new releases come out, the source code will be made available as well on msdn. That way, the VS.NET debugger can always grab the exact source for the exact version of the library that you have.
I've got news for you, unless you're a customer or developer on their platform, they dont give a rat's hairy butt about you.
This is in response to direct and heavy requests, for years, by nearly all of their developers on.net. It's something that is genuinely useful to their users.
And as many others have noted, this is not even anything new. MFC and (IIRC) ATL libraries were similarly available back in the '90s.
This has absolutely nothing to do with open source, and they've been quite clear about that in their press release. This is all about giving their users something reasonable that they've been asking for for years.
I'll repeat it so hopefully it sticks in: Not everything that happens in the software world is about you!
There are so many: Object Pascal, Oberon, Cedar/Mesa, Modula-3, and on and on. Well, I guess we'll just be in fundamental disagreement there. Not sure I agree that you're going to be able to effectively write an O/S in object pascal. About the only thing going for it in this space is that you can include raw assembly in with it (IIRC) as part of the language.
In fact, at least in its Delphi/Kylix form, this is much more of a user-space apps development language than a systems development language.
The term "managed language" is some bizarre Microsoft neologism, and I have no idea what it's even supposed to mean. Hardly. Java would qualify as such. The defining characteristic is that its inteded to be run inside a VM.
And even Java has had the occasional (though rare and obscure) buffer overflow in its implementation.
In any case, people have written operating systems in Object Pascal, Cedar/Mesa, Oberon, Modula-3, Lisp, Smalltalk, and other languages. Several of those languages even have garbage collection and dynamic typing. It's not rocket science and it doesn't require new research. You mean like SPIN and Native Oberon? These are hardly real operating systems, they are research experiments done by academics. Those things are 5-10 years of work away from even knowing whether a full operating system can be developed in them (at least based on my reading from their websites).
Mind you, I'm in complete agreement that our development tools and languages are primitive. Things should be that easy, but they certainly are not at the moment, certain academic research projects notwithstanding.
The OP that started this was basically claiming that companies should just 'do it right' as if thats a magic wand you can wave and make it happen. This is a common trap, often completed by stating, 'if they would just use [insert your favorite niche language here]'. Heck, some companies even tried this, most notably NeXT. And they didnt stray far, only to Objective-C. And even with this, it took 12 years and the financial weight of apple to turn into a successful consumer operating system.
Is it possible that writing an O/S using Object Pascal would be safe? Possibly, but I think you'd find that you'd have large sections hand written in assembly or unsafe code, and then you're back at square one again.
Buffer overflows are completely avoidable by using a language with bounds checks. I notice that you dont actually name this language. Can you?
What classes of buffer overflows does it protect against? Do you still have full access to pointers and memory reads/writes/copies? Do you have to give up direct manipulation of the stack?
While I agree that it should (and will, eventually) be possible to write an operating system without the insanities of C-based languages, I'm definitely not aware of one. The only languages I'm aware of that even try to minimize the possibility are languages like Java and.NET, and then the horde of interpreted languages. But these are not appropriate for an operating system, at least not for another 10 years.
Maybe I'm wrong, show me up here. If you can name such a beast, I'd definitely be curious why the BSDs arent using it, or experimental O/S's like Hurd. Microsoft (and I'm sure others) have research projects to try building an O/S kernel in a managed language, but its very much in early research.
"3rd order effects"? Did you learn programming on Star Trek? Yes, thats right. Took lessons from 7of9 on distributed computing between make-out sessions.
Seriously though, what I mean by this is: A coding choice produced an unexpected side effect in another module, which caused an unexpected side-effect, which caused the actual stack overflow in yet a 3rd section. The example I saw (which I'm not able to find a reference for, unfort) looked to me like it would be literally computationally impossible to catch with static analysis. You'd have to drastically restrict the structures allowed in C to catch something like this.
Now its very arguable that the reason this stuff happens is because programmers are being 'tricky' and that is backfiring on them. But its also arguable that such programmers have to be tricky still to get the performance needed in some cases.
Probably the closest thing our race has ever seen to engineering that always 'does it right' the first time is NASA. And plenty of people have DIED on their ships. And they are arguably the most overfunded, overengineering, overly conversative R&D/engineering organization in the history of mankind.
Bottom line is that 'doing it right' perfectly is not possible, at least not for larger-than-tiny systems. At least not in the current state of the art in systems software. If nothing else, as long as we have to use C/C++ for systems software, its nearly impossible to automatically eliminate ALL classes of buffer overflows.
I wish I could pull up some examples quickly, but not all buffer overflows are obvious. Some of them are very much NOT obvious, and involve 3rd order effects. (yes, I realize this implies that the software was too complex, and thats arguable, but the point is still made that its not as simple as 'just do it right'.)
Many millions of dollars per year flow into software/os/systems R&D to find a way to make a system impervious to these types of attacks, while still having an O/S that runs at a useful speed.
But over top of all that, you run into the single most important reason why you cant do everything perfect every time. They're just people. It's not possible for any organization (whether for-profit corp or non-profit org) to hire only people good enough to always 'do it right'. In fact, the people capable of performing close to perfection are very rare. And not all of them are willing to work on boring software. So you always end up with 'mere mortal' developers working on something. And your real gurus/superstars try to oversee the design, but a full consumer operating system is too big for any one person to control all aspects.
What you say sounds great, and does a good job of making you sound appropriately self-righteous to the/. crowd, but it has very little basis in reality. As a perfect validation, try to find a piece of software of non-trivial size/complexity that has no bugs, and never has had a buffer overflow.
Most web browsers run with the full permissions of the user running them, enough to make it very hard for that user to create a botnet node or whatever. There are exceptions to this, but they are rare. Actually, this functionality you're describing has been present in Windows XP for years. Right click on IE, choose RunAs, and just leave the default and hit OK.
You've not spawned an IExplore.exe process with very specific security tokens. Basically restrict it from writing anything at all to the registry, and nothing expect a very few locations on the hard drive (temp & cache space, basically).
Vista makes it more prevalent, but its been there for years.
Vista and Win2008 server also has a limited form of MAC (what you're describing) as part of the services permissions. Basically, its an extra set of limitations you can make to services, and limit file permissions to just the very few that the service needs, regardless of what user account its running.
These are widely available in *nix as well, but they're not much used. I think SELinux includes this (amongst other) functionality, but I'm not an expert here.
... set the OS up with Unix-style permissions. Why would anyone want to do that? Real ACLs are far superior to the old-fashioned (and overly simplistic and limiting) traditional unix permissions system.
About the only downside to full ACLs is that the complexity is slightly higher.
Slashdot Mirror
The vast majority of the 'complexity' on the financial side (including payroll) of ERP systems are externally imposed. The business has no control over it.
Federal regs, financial best practices, laws, contracts, etc.
I realize this is slightly aside from your point, but any corporate IT shops where this would work arent doing their jobs.
If it doesnt recognize it and/or doesnt have the drivers, then it does indeed require admin privs to install new drivers. I never really did understand why Windows doesn't come with all its own drivers installed by default, though. It does. It comes with many tens of thousands of device drivers. One problem you run into though is with craptacular (yes, thats the technical term) consumer peripherals. They must farm out their driver software writing to 10-year old farm laborers in china or something. Most of these drver packs are good for one and only one model, so not reusable, and they're really poorly done.
So often, even if you have Model N1950 of this new digital camera, and windows ships with all drivers up to N1940 of the camera, its probable that you'll have to download drivers. Sometimes you can guess or know which drivers are compatible, but this is often plug n' pray (ie, might work, might not). Why do you have to install e.g. the USB mass storage driver that comes with Windows the first time you insert a memory stick? You dont. The only Windows OS that doesnt support the vast majority of usb memory sticks (as mass storage) out of the box is win98 and previous.
Some specialized memory sticks, with security features, come with extra software, that can 'auto-run' when you install it, but thats just a security nightmare, and wont work for a non-admin anyway.
Funny, I'm an IT department for many companies, and I'm not cringing in fear or having nightmares over Vista.
:)
For corporate IT, Vista is easy. Roll it out when and only when, its been tested, proven, and your organization is ready for it. Until then, just dont roll it out. Easy as pie. Now, if you've got end-users buying machines and trying to connect them to corporate resources without your control, then thats not corporate IT, thats just a bunch of people doing whatever they want.
And the black hole router detection is useful, and makes a lot of sense. If you're seeing problems with it, then it just may not be fully baked yet, and you need to give it time to settle out.
I mean geez, its not like anyone is forcing anybody to upgrade or anything. Your orgs should probably be at least considering buying vista with all new machines now, or as part of your VM purchasing, and just use the downlevel install options for now, that way you own it when you're ready.
If you're encouraging your clients to install Vista, when you know they're not ready for it, and its not ready for them, then you're a bad consultant.
If you're telling them its not ready, and they're doing it anyway, and then calling you for help, then you deserve every penny and more from those hours, cause you've got bad clients.
To answer your questions, I'm in my mid-30's, so figure 20 years of serious music listening.
How many have I listened to? Hard to put exact numbers on, but for Artists its got to be in the few hundreds, if not more, and several thousand songs. Of course, these numbers are just being pulled out of my butt based on a guess.
Sitting on my laptop now I have:
106 artists (many with more than one album)
1871 songs
The reason the ratio isnt higher is that I've got some of those one-hit-wonder songs from otherwise non-artists that I liked when I was in my teens and college. Not had-in-background-while-coding, not flipped-through-in-traffic, actually sat and listened to and tried to really understand? I dont listen to music the same as you do. Part of it is just this time of my life, trying to turn a small IT business into a big IT business, and having very little free time, and fully focused on my business. But I dont just sit around and listen to music unless I'm doing something else.
Music by itself isnt enough to fully focus on. I just get bored. (Of course, while non-sober this may change.)
On a given weekday, I listen to music probably 12 hours a day.
1 hour from the radio while getting ready for the day.
15-30 minutes from the radio while commuting
0-1 hours while driving from the radio
8-10 hours while working
- usually from my mp3 collection
- sometimes from streaming music services for variety
0-1 hours from home off of XM radio from DirecTV (channel 817, XM Hitlist mostly, though sometimes switch over to 816 or one of the country stations)
This of course goes up and down depending on my love-life, with generally less music when there's a woman in the house.
None of this is just sitting there listening to music doing nothing else. I cant imagine doing that, I would either get bored, fall asleep, or drift off and stop listening to music while thinking about business or programming issues.
There's no reason to be self-righteous about it. Your way of listening to music isnt the 'one correct way for all humanity', its just your way. For me, reading is closer to what you're describing. I have probably several hundred books nowadays, and I read everything interesting I can get my hands on. But I dont go around bashing on people who dont read like I do.
Though I'll admit I do secretly pity them, as I know how much wiser, more knowledgeable, and more open minded person I am because of the books I've read.
The ActiveX issue I'll give you, though it's really only an issue for older software, as no one's doing activex stuff nowadays.
But how does use (proliferation) of IIS in any way force anyone to use IE? IIS is a webserver, it just emits what you tell it to emit. What does that have to do with IE?
Only the manual, go-to-the-website-and-patch WindowsUpdate/MicrosoftUpdate is blocked without WGA.
Yeah. When the new threading system came out, I tried it, and it didnt work at all with Opera.
As per the beta testing instructions, I emailed pudge, and got a really jerky response from him about how it would never work because 'opera is broken'.
Strangely enough, even though Opera is still 'broken' according to pudge, the threading system mostly works under Opera. Guess the universe changed or something.
Of course, given the several hundred browser-agnostic ajax libraries and dom manipulation libraries out there, you'd think this wouldnt be too hard of a problem to solve. I just about gave it a try myself, but as usual, my 10-12 hours of IT work a day just about is enough.
The email is pudge and you can guess the rest, starts with @ and ends with dot.org.
Dont have high hopes about pudge fixing it though, at least based on his original response to me. Not sure what changed, whether he had a change of heart, or whether something changed in opera across patch releases.
My memory is that this mostly revolved around J/Direct (replacement of JNI) and adding/modifying classes and methods within the core namespace (ie, rather than adding ms specific namespaces).
Even the article you linked describes the changes to the core class as 'the scariest': The last Java 1.1 incompatibility problem identified is actually the scariest. It is easy to avoid RMI and JNI if your application permits it: You just don't use them. The sticking point is that Microsoft decided the Core Java class libraries were insufficient for its needs. Now there's nothing wrong with extending things by subclassing and placing the new objects in a package outside of the java.* class hierarchy. But deciding to add about 50 methods and 50 fields into the classes within the java.awt, java.lang, and java.io packages, as Microsoft did, is extremely problematic. "Microsoft deceptively altered key classes and inserted them into their SDK," said Baratz, which results in developers thinking they are writing Java, when actually they are writing something that runs only on Internet Explorer. So in part sounds like we're talking about the same thing. Adding J/Direct for platform native stuff, and not using JNI for platform native stuff. Two sides of the same coin, I guess.
But I cant actually find any references to the specific java spec incompatibilities. It's probably in the original court filing, but I havent found that yet.
Nearly every news article that reporting on it at the time says the lawsuit was over 'Microsoft adding windows specific extensions to their jvm', but that is very vague, and general industry news (as opposed to developer-specific reporting) often gets the details wrong.
If you can find anything conclusive, please post it. Based on my limited research this morning, it looks like we both had a piece of it, and it was about 3 things: no RMI, no JNI - instead J/Direct, and modification of core classes in the namespace.
Geez there is a lot of self righteous nonsense on /. today.
I'll break something real critical to you:
YOU do not get to tell OTHERS what words mean to THEM.
Language is a consensual communication mechanism, not a dictatorial one.
(Dictionaries notwithstanding, they dont own the language, they just make a reference definition of one, and there are even many competing of these.)
Open Source to some people means gratis. To some it means any source they can look at. To some it is of the 'free speech' variety.
Neither you, nor anyone else, gets to put a patent or copyright on those two words.
Now mind you, if someone wants to be well understood, or be successfully persuasive, then it is incumbent on them to use a consensual vocabularly appropriate to their target audience. But its not required, just useful.
The 'Open Source Definition' you're referring to, is one very small group of people out of all humanity, agreeing to what they (ie, just that group) mean when they use that phrase. To top, its a highly technical piece of jargon, that is only relevant or meaningful to those in the industry.
Please dismount your tall equine.
You can also download the source directly in an MSI (the MSI is so that it forces you to agree the license before installing).
From Scott Guthrie's blog (ie, the guy who owns
http://weblogs.asp.net/scottgu/archive/2007/10/03/releasing-the-source-code-for-the-net-framework-libraries.aspx You'll be able to download the
Did YOU even bother reading the article? Did you even read the article? You cannot do _anything_ with the code except to look at it. Heck, you can't even download the code for reference. Instead, MS Dev Studio's debugger will fetch the source code section from a Microsoft MSDN server as you step into it. Allow me to quote straight from Scott Guthrie's blog:
http://weblogs.asp.net/scottgu/archive/2007/10/03/releasing-the-source-code-for-the-net-framework-libraries.aspx You'll be able to download the
You've got it backwards.
MS added various win32 specific things to their build of the JVM.
The result was, since everyone used windows, and the extensions were useful on the common platform, that people used those extensions.
Their software then broken one of Java's fundamental tenets, which is that it'll work (some J2EE stuff excluded) on any platform for which there is a JVM, unchanged.
So Sun sued MS, and eventually won. During and after the lawsuit, there was a period of time when the JVM that shipped with windows was woefully behind the current reference JVM from sun. Thats probably what you're remembering.
But that was because the court ordered them to stop distributing any new versions.
One of the odd twists to the story is that Microsoft's JVM was hugely faster than Sun's JVM, so everyone used it.
It's really simple math.
.net source in the debugger.
A = the original source code.
B = source code generated by Reflector
f(x) = compiling source code to IL
C = IL generated by f(x)
r(x) = reflector software
So you do f(A) = C
You then use the reflector, and do:
r(C) = B
But the problem is that A != B.
The only equivalence is that f(A) = f(B).
And more importantly, without the original source code you lose:
- comments
- variable names
- original source structure
- structural 'intent'
The last one is the meta-information you can gain from source code just by looking at how it's structured. The patterns and models that the developers used, etc.
Not to mention with what MS is doing you get symbols so you can step through
Not quite.
The reflector re-generates source code based on the IL. But there's no guarantee that its the SAME source code. It is perfectly possible and reasonable to have two different sources compile to the same IL. Now they're not going to be drastically different, but they can be meaningfully different. But you're always going to lose some information content when compiling down to IL.
In addition, the VS.NET debugger will grab symbols for the source code as well, which allows the debugger to link directly to the exact line in the source code so you can step through it and see meaningful variable names in your locals window and such.
Lastly, with the reverse engineering of the reflector tool, you always lose comments, and you very easily lose the 'intent' of the software, as expressed by its original source code (which will almost certainly be different than the source code the reflector emits).
Because it would be nearly impossible to do otherwise, and still make it work right in the debugger.
If the symbols dont line up, or the 'current line' in the stack trace clearly isnt what is actually executing, its going to be hugely obvious.
This would be very very difficult to do, and they would have to develop an entire subsystem in the vs.net debugger to deliberately hide stuff from you while still doing effective debugging.
In other words, its really not practical to do what you're suggesting, especially for little to no benefit.
As
Wow, look at the arrogance on you.
.net. It's something that is genuinely useful to their users.
I've got news for you, unless you're a customer or developer on their platform, they dont give a rat's hairy butt about you.
This is in response to direct and heavy requests, for years, by nearly all of their developers on
And as many others have noted, this is not even anything new. MFC and (IIRC) ATL libraries were similarly available back in the '90s.
This has absolutely nothing to do with open source, and they've been quite clear about that in their press release. This is all about giving their users something reasonable that they've been asking for for years.
I'll repeat it so hopefully it sticks in: Not everything that happens in the software world is about you!
In fact, at least in its Delphi/Kylix form, this is much more of a user-space apps development language than a systems development language. The term "managed language" is some bizarre Microsoft neologism, and I have no idea what it's even supposed to mean. Hardly. Java would qualify as such. The defining characteristic is that its inteded to be run inside a VM.
And even Java has had the occasional (though rare and obscure) buffer overflow in its implementation. In any case, people have written operating systems in Object Pascal, Cedar/Mesa, Oberon, Modula-3, Lisp, Smalltalk, and other languages. Several of those languages even have garbage collection and dynamic typing. It's not rocket science and it doesn't require new research. You mean like SPIN and Native Oberon? These are hardly real operating systems, they are research experiments done by academics. Those things are 5-10 years of work away from even knowing whether a full operating system can be developed in them (at least based on my reading from their websites).
Mind you, I'm in complete agreement that our development tools and languages are primitive. Things should be that easy, but they certainly are not at the moment, certain academic research projects notwithstanding.
The OP that started this was basically claiming that companies should just 'do it right' as if thats a magic wand you can wave and make it happen. This is a common trap, often completed by stating, 'if they would just use [insert your favorite niche language here]'. Heck, some companies even tried this, most notably NeXT. And they didnt stray far, only to Objective-C. And even with this, it took 12 years and the financial weight of apple to turn into a successful consumer operating system.
Is it possible that writing an O/S using Object Pascal would be safe? Possibly, but I think you'd find that you'd have large sections hand written in assembly or unsafe code, and then you're back at square one again.
What classes of buffer overflows does it protect against? Do you still have full access to pointers and memory reads/writes/copies? Do you have to give up direct manipulation of the stack?
While I agree that it should (and will, eventually) be possible to write an operating system without the insanities of C-based languages, I'm definitely not aware of one. The only languages I'm aware of that even try to minimize the possibility are languages like Java and
Maybe I'm wrong, show me up here. If you can name such a beast, I'd definitely be curious why the BSDs arent using it, or experimental O/S's like Hurd. Microsoft (and I'm sure others) have research projects to try building an O/S kernel in a managed language, but its very much in early research. "3rd order effects"? Did you learn programming on Star Trek? Yes, thats right. Took lessons from 7of9 on distributed computing between make-out sessions.
Seriously though, what I mean by this is: A coding choice produced an unexpected side effect in another module, which caused an unexpected side-effect, which caused the actual stack overflow in yet a 3rd section. The example I saw (which I'm not able to find a reference for, unfort) looked to me like it would be literally computationally impossible to catch with static analysis. You'd have to drastically restrict the structures allowed in C to catch something like this.
Now its very arguable that the reason this stuff happens is because programmers are being 'tricky' and that is backfiring on them. But its also arguable that such programmers have to be tricky still to get the performance needed in some cases.
Are you kidding me?
/. crowd, but it has very little basis in reality. As a perfect validation, try to find a piece of software of non-trivial size/complexity that has no bugs, and never has had a buffer overflow.
Probably the closest thing our race has ever seen to engineering that always 'does it right' the first time is NASA. And plenty of people have DIED on their ships. And they are arguably the most overfunded, overengineering, overly conversative R&D/engineering organization in the history of mankind.
Bottom line is that 'doing it right' perfectly is not possible, at least not for larger-than-tiny systems. At least not in the current state of the art in systems software. If nothing else, as long as we have to use C/C++ for systems software, its nearly impossible to automatically eliminate ALL classes of buffer overflows.
I wish I could pull up some examples quickly, but not all buffer overflows are obvious. Some of them are very much NOT obvious, and involve 3rd order effects. (yes, I realize this implies that the software was too complex, and thats arguable, but the point is still made that its not as simple as 'just do it right'.)
Many millions of dollars per year flow into software/os/systems R&D to find a way to make a system impervious to these types of attacks, while still having an O/S that runs at a useful speed.
But over top of all that, you run into the single most important reason why you cant do everything perfect every time. They're just people. It's not possible for any organization (whether for-profit corp or non-profit org) to hire only people good enough to always 'do it right'. In fact, the people capable of performing close to perfection are very rare. And not all of them are willing to work on boring software. So you always end up with 'mere mortal' developers working on something. And your real gurus/superstars try to oversee the design, but a full consumer operating system is too big for any one person to control all aspects.
What you say sounds great, and does a good job of making you sound appropriately self-righteous to the
You've not spawned an IExplore.exe process with very specific security tokens. Basically restrict it from writing anything at all to the registry, and nothing expect a very few locations on the hard drive (temp & cache space, basically).
Vista makes it more prevalent, but its been there for years.
Vista and Win2008 server also has a limited form of MAC (what you're describing) as part of the services permissions. Basically, its an extra set of limitations you can make to services, and limit file permissions to just the very few that the service needs, regardless of what user account its running.
These are widely available in *nix as well, but they're not much used. I think SELinux includes this (amongst other) functionality, but I'm not an expert here.
... set the OS up with Unix-style permissions. Why would anyone want to do that? Real ACLs are far superior to the old-fashioned (and overly simplistic and limiting) traditional unix permissions system.About the only downside to full ACLs is that the complexity is slightly higher.