How can an attacker "easily install a Mozilla extension?", exactly. If you are talking about somebody who has rooted your box, then they can already log all your keystrokes regardless of what browser you use. If you are talking about somebody writing browser malware, it's a big problem if a web page can install extensions without your approval. I've never heard of such an exploit for mozilla (lots for IE, though).
You are also asserting that a mozilla extension can access the cleartext typed into a login box by "parsing the DOM before navigation begins". It's not clear to me that this is true. If it is, I think it should be considered a security hole. Mozilla should sandbox that text and use protected memory, etc...
Are these really the best points of the movie? I think you are seeing a bunch of biased people overreacting to Moore's deliberate attempts to stretch the truth.
-21 members of the Bin Laden family were flown out of the country
Since medieval times, the idea that you should pay for the crimes of your family members has been considered evil. In fact, Osama has been very publicly disowned by his family. He was kind of well known before 9/11 and so his relationship with his family members was surely understood by the CIA and FBI.
Prior to being the leader, Karzai was a consultant for one of the companies trying to build the pipeline.
So what? Is there some principle that says people with petroleum consulting experience shouldn't become leaders?
Prior to 9/11, Bush had been on vacation over 40 percent of his time in office.
Deliberate distortion. Bush worked extensively from his ranch in Crawford, Texas instead of the White House and Moore deliberately mis-counted this as "vacation".
weapons of mass destruction
So where did the Anthrax go? They have found Sarin gas in a missile, by the way. Were there others like it? We know Saddam had WMD at one point in the past. We STILL don't know what happened to them.
The UN resolutions placed a burden on Saddam to document the destruction of these weapons. He never did. The result is that we didn't know whether he had them or not. Bill Clinton is on record saying so. Post 9/11 we can't take that risk. You don't quote the pre-9/11 "no WMD" statement. My guess is it is consistent with the "we can't tell because he didn't comply" truth.
definite connection between Iraq and 9/11
"Connection" is vague. The nature of the relationship between Al Qaeda and Saddam's regime remains a topic of intense debate. The 9/11 commission concluded that it is unlikely that Saddam participated in the planning or provided resources for 9/11. The press widely mis-reported this to mean that Iraq and Al Qaeda were not assisting each other in any way, when many examples of such "connection" have been documented.
Java is not more secure than Ruby or Python.
Java is faster than both ruby and python, so what is your point?
In the hands of a skilled C++, as well as C, developer these things are actually not the issue you made them out to be.
That's a tautology.
The real issue is that a developer has to spend some time developing this skill, and it is essentially waste for solving most problems. The same developer could have learned something else with his time that makes him more productive.
C/C++ are languages of choice of the industry
This is flat out wrong.
More people are being employed today to use java than any other language. As of today, monster.com lists 4233 java positions vs 3315 for "C or C++".
Development in java is much faster than either C or C++ because there is a larger base of easily reusable code, and because you don't have to deal with memory management. Unit testing, automated builds, and automated documentation are vastly superior in java, not to mention that portability is guaranteed.
I am continually baffled by people who knock java for its speed. It is faster than perl, python, ruby, and PHP, but nobody ever knocks these languages for their slowness. Most applications sit there with their CPU idle most of the time anyway.
Compared to what?
Java is faster than perl, python, ruby, and PHP. If you want speed, use C or C++. Enjoy debugging the pointers and memory leaks (that is the "slow" part I care about more).
Your whole livelihood revolves around solving other people's problems.
Which is exactly what he gave an architecture to do and you didn't.
Usability is one problem, features or functionality are another. The solutions to these two separate problems should not be coupled, so that each can be changed easily without affecting the other and so that both converge as rapidly as possible to what works best for the customer. This is little more than a restatement of tried and true "separation of concerns" object oriented programming mindset.
The fact that he names the different software roles as "programmer" and "designer" does not mean that one person cannot play both roles if necessary. On the other hand, NOT using this architecture does mean that if two people are available who each have specialized skill (one in usability and the other in business functionality), then you cannot take advantage of it. The coupling forces someone with both skills to do all the work thereby forcing quality to the least common denominator level.
That argument borders on professional misconduct. There is no statement in the GPL that can be remotely construed as placing the work in question into the public domain. I don't think precedent has been very kind to people who, when confronted with an accusation of copyright infringement argued "well, all his copyrighted works are public domain whether the author thinks so or not".
XFDL works for this, but unfortunately there is only one vendor: PureEdge. The US Air Force is using this for online/offline forms capabilities. XFDL was sort of a predecessor to XForms (one of the PureEdge lead technicals is on the XForms WG).
Eventually, XForms should have enough support to category kill this problem. It's just taking a while because it has a lot of dependencies on other XML specs that make it difficult for implementors. I was SO glad to see IBM and Novell step in to provide resources to Mozilla to implement XForms.
Groovy is heavily influenced by ruby - it supports the same kind of closures/iterators and strict "everything is an object, damn it" mentality. If you work in a java environment, groovy has some compelling points that make it superior to jython and jruby. Groovy does not introduce its own class libraries -- it is purely syntax and reuses the java libraries. It is normally interpreted, but can also be compiled. When it compiles, it compiles to pure bytecode which makes it literally indistinguishable from compiled java code.
Finally, it adds one innovative syntax feature that I really like: in addition to syntax support for lists and hashes, it has syntax for representing hierarchical data structures and searching them (using closures). This makes tasks like dealing with XML or HTML effectively trivial.
Is it fair for one commercial site to link to another site's content - producing a leech effect - and not compensating the other site for linking?
Yes, it is. When you place your content so it is accessible by HTTP, you know that this means that people can link to it. If you don't want others to link to it, you have many options. You can password protect it, you can check the referrer page in the HTTP request header, you can check a cookie, or (gasp) you can take it off the web. You are in complete control. By placing something on the web you inherently agree to allow it to be used in web-like ways that you take no technical steps to prevent.
Besides, all a link does is create an HTTP **request**. It seems that every six months or so, somebody new gets confused about the difference between copying somebody else's content and automatically asking for a copy to be made. Courts have already ruled that deep-linking is legal because there is no copying by making a link and because the originator retains full control.
First off, schema changes are pretty rare once you have production data. Sometimes you add fields and tables, but almost never do you refactor the data model because either you can map your existing data, which proves you haven't achieved any benefit, or you can't which proves you've achieved negative benefit.
Despite this, your argument actually proves a benefit for SPs that I had forgotten about -- they provide encapsulation from the data model. So all your client code written in different languages works fine as long as you preserve the API.
As for programming java-to-COM using a socket, I've actually done that, but trying to get another organization to write their side of such an interface is usually a blank-stare generator. They would probably think for a while and suggest using ODBC instead.
I work in a military environment where the fire alarm would probably go off if a port opened up that networking couldn't identify. "Oh, don't worry about that port -- it's the custom socket code I wrote" would probably get me sent to gitmo.
PL/SQL has almost none of the supposed deficiencies discussed here.
Since you can store java objects in the database, I see no reason why you could not simply add something like Jasper Reports to it, for example. When the JSR for standard java IDE plugins gets finalized, you could simply support that and you'd have it all right there.
Why do you say this? It seems like it would compete just fine (and do well) against MySQL. The fact that you CAN embed it doesn't mean you have to. This guy actually has a lot of standard database features that MySQL is deficient in.
I was rather impressed with Cloudscape's features:
- store serializable java objects in table fields
- java stored procedures, functions, triggers
- hash joins in addition to nested loops
- subqueries and views
- transactions, four isolation levels
- row and table level locking (default = row)
- deadlock detection
- custom aggregators
- blob and clob data types
- cost based query plan optimizer
- multicolumn B-tree indexes
- query and lock built-in performance monitoring
To me, this feature set seems superior to MySQL.
The SP may or may not substantially raise load on the central machine. You seem to assume that SQL issued from the middle tier takes less work than SQL issued locally. The reverse is actually true. In addition, SQL from the middle tier has to push the rowset over the centralized machine's network interface, which can be a very slow operation relative to local memory access, and uses a shared resource. You only get a resource savings if the data can be cached in the middle tier and reused enough to eliminate subsequent SQL calls to the server. For data accessed with low frequency and high volume, this is mostly a losing bet.
As for using vendor specific features, you aren't considering the ROI. By coding to least common denominator SQL capabilities, you are wasting your users' time, because the vendor specific features make a big difference. In an enterprise system, nobody gives a crap about theoretical niceties like portability of the RDBMS. They want the thing that helps them do the company's core business process faster and better. And since the latter is what pays your salary, you will lose that debate every time.
SPs are text and can be version controlled as easily as anything else. That's two people who have made this completely moronic argument today.
Why do you call SPs "premature" optimization? What's premature about it? It doesn't take any extra time to code in the SP language (in fact for data-centric operations it's often easier).
You seem to assume that stored procedures cannot do dynamically generated sql. Oracle has very nice features for this, so at best this is a RDBMS specific concern.
Sounds like you are making an argument for why SQL server is bad, not why stored procedures are bad. I don't know a whole lot about sql server, so I can't agree or disagree with your facts or conclusions.
Postgres has OO stored procedure languages, so it isn't only oracle that is reasonable. Does SQL server really not support the .net languages in the database?
It usually comes down to the fact that a database driven system has enormous performance considerations at play. It is very easy to write SQL or an algorithm that uses SQL that requires an incredible amount of resources. Stored procedures allow this data access to be done without having to pipe all the data over the network, and it's often the easiest way to assure that the development work of finding the best performing way is done once and reused.
Having said all that, I do not think there is any way to say "use SPs for everything" or "use SPs for nothing". A well designed middle tier that runs on web servers can be a lot more scalable if it can hold the right data in the middle tier (the "hot" data), and thereby substantially reduce the database load. To have the "hot" data dense on the web server requires leaving data access to the volumes of not-hot data in stored procedures. Also, for things that change data, you typically have greater trust that the stored procedure will abide by all the special data rules. When you have a stored procedure that works, you can use database security to ensure that by god, you can only add one to this column if you subtract one from some row in this other table. Typically DBA's don't trust middle layer programmers as much with data integrity and take the attitude that if the database doesn't guarantee it, it will eventually be violated.
The ultimate answer is that it depends on your data access patterns and data logic rules, and how well your web layer team can assure that it respects the performance and data integrity needs of the database.
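An added illustration, not part of the original comment, of the rule mentioned above ("add one to this column only if you subtract one from some row in this other table") enforced through database security. It is written for PostgreSQL and assumes the script is run by a superuser; the table, role and function names are hypothetical.

```sql
-- Constructed schema: two quantities that must always move together.
CREATE TABLE warehouse_stock (
    item_id integer PRIMARY KEY,
    on_hand integer NOT NULL CHECK (on_hand >= 0)
);
CREATE TABLE shipped_stock (
    item_id integer PRIMARY KEY REFERENCES warehouse_stock (item_id),
    shipped integer NOT NULL DEFAULT 0 CHECK (shipped >= 0)
);

-- Hypothetical roles: sp_owner owns the procedure and cannot log in;
-- app_middle_tier is the account the web layer connects with.
CREATE ROLE sp_owner NOLOGIN;
CREATE ROLE app_middle_tier LOGIN;

-- The middle tier may read both tables but has no direct write access.
REVOKE ALL ON warehouse_stock, shipped_stock FROM PUBLIC;
GRANT SELECT ON warehouse_stock, shipped_stock TO app_middle_tier;
GRANT SELECT, UPDATE ON warehouse_stock, shipped_stock TO sp_owner;

-- The only write path. SECURITY DEFINER makes the body run with the
-- owner's privileges, and the pinned search_path keeps a caller from
-- substituting its own objects for the ones named in the body.
CREATE FUNCTION ship_one(p_item integer) RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, public, pg_temp
AS $$
BEGIN
    -- Subtract one here; the CHECK constraint rejects going below zero.
    UPDATE public.warehouse_stock
       SET on_hand = on_hand - 1
     WHERE item_id = p_item;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'unknown item %', p_item;
    END IF;

    -- Add one there; any error rolls back the subtraction as well.
    UPDATE public.shipped_stock
       SET shipped = shipped + 1
     WHERE item_id = p_item;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'no shipped_stock row for item %', p_item;
    END IF;
END;
$$;

ALTER FUNCTION ship_one(integer) OWNER TO sp_owner;
REVOKE ALL ON FUNCTION ship_one(integer) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION ship_one(integer) TO app_middle_tier;

-- Connected as app_middle_tier:
--   SELECT ship_one(1);                              -- allowed, both rows change together
--   UPDATE shipped_stock SET shipped = shipped + 1;  -- rejected: no UPDATE privilege
```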
You give the best reason to use stored procedures: to insure "data logic" is preserved. This comes in several forms:
- more complex constraints than foreign keys and check constraints
- enforcement of denormalizations
- enforcement of data movement (eg to a decision support system, archive, system interface, etc...)
Your statement that business logic should go in higher layers doesn't rule out SPs, because these are a reasonable choice to BE one of the higher layers.
In some cases, "business logic" can be configured as data in tables. In almost all cases it generally depends on business process state stored in tables. Depending on the amount of data required to make the business logic decision, it is sometimes superior to implement this as a stored procedure. Consider something that loops over all rows in a large data set, and makes a decision about each row. In a stored procedure, you might be rate limited by the speed of memory access and CPU. For the middle layer to implement it, you may have to pipe the large data set over the network, which might be orders of magnitude slower.
My experience is that overall system performance is usually a very strong driver of implementation strategy here. There is no reason SPs can't be just as maintainable as any other middle tier code. The only technical difference is that they run on the most centralized shared resource, but they have much faster data access. So it's a scalability for speed tradeoff.
In fact, often stored procedures are MORE maintainable, because reality in a heterogeneous enterprise environment is that no matter what you pick for your middle layer, somebody you have to integrate with won't be able to deal with it. Your spiffy java API for checking whether a series of transactions is properly ordered isn't callable from their COM object or vice versa. What ends up happening is you end up reimplementing solutions in multiple places, which is fine until the business rules change. Contrast this with the fact that just about every language supports a database connectivity that allows calling stored procedures. So their perl code logs into your database and calls your API -- easy.
Gosh, what a crummy analysis.
1) (not OO) If this is so important, use an OO language to write them. Eg: java SPs and Oracle types are both OO. More importantly, databases themselves are not OO, so this is desired most of the time anyway.
2) (not version controlled) What do you think would happen if you checked your DML into a source control system??? would the world explode? This is a moronic point. Your DBA's shouldn't install anything on your production system other than from source control.
3) (can't organize other than by naming) You refuted your own argument -- use a naming convention. Also, use packages.
4) (No global compilation) I'm not sure what this even means or why it is desirable. If it was desirable, you could write a simple script that would issue the compile statement for an explicit list of packages or all packages in the dictionary. Compile errors like the one you claim is not reported in fact are generally reported.
5) (No unit testing frameworks). If you use a language that has one, then this is false. java SPs can be tested with JUnit, PL/SQL SPs can be tested with utPLSQL. Bzzzt.
6) (mountain of code snippets). Maybe you have this problem, but I don't. Hmmm, I wonder why.
7) (No real debugger. No stepping through the code, no breakpoints, no watches.) Oracle has this. So does postgres. So does MS SQL Server. So does Firebird.
8) (commercial databases charge you per CPU) If you don't like the way they charge you, don't buy it -- that's why it's COMMERCIAL. Oracle has a per named user licence if you don't like the per CPU one. There's always postgres or firebird if you don't want to pay.
9) (couple your middle tier using a high speed interlink) Sure, and I can have my middle tier call my stored procedures if I want.
keep in mind that IE loads on boot
In particular, patching IE requires a reboot, while patching firefox or mozilla does not.
Well, it depends. If the API works as advertised, then, yes -- it is the application's responsibility to assure it is used securely. On the other hand, if the API does not work as documented, then you cannot place the burden on the application to anticipate how it fails to behave correctly.
Although I do not know which is the case here, it is somewhat telling that the API was apparently changed in later versions of windows.
Actually, **Windows** has a hole in its APIs that mozilla relied on. So mozilla patched themselves to eliminate a dependency on insecure MS code. In other words, mozilla is working around a microsoft caused security hole. If you use mozilla on linux (or a fixed version of windows), you aren't vulnerable.
How can an attacker "easily install a Mozilla extension?", exactly. If you are talking about somebody who has rooted your box, then they can already log all your keystrokes regardless of what browser you use. If you are talking about somebody writing browser malware, it's a big problem if a web page can install extensions without your approval. I've never heard of such an exploit for mozilla (lots for IE, though).
You are also asserting that a mozilla extension can access the cleartext typed into a login box by "parsing the DOM before navigation begins". It's not clear to me that this is true. If it is, I think it should be considered a security hole. Mozilla should sandbox that text and use protected memory, etc...
Are these really the best points of the movie? I think you are seeing a bunch of biased people overreacting to Moore's deliberate attempts to stretch the truth.
-21 members of the Bin Laden family were flown out of the country
Since medieval times, the idea that you should pay for the crimes of your family members has been considered evil. In fact, Osama has been very publicly disowned by his family. He was kind of well known before 9/11 and so his relationship with his family members was surely understood by the CIA and FBI.
Prior to being the leader, Karzai was a consultant for one of the companies trying to build the pipeline.
So what? Is there some principle that says people with petroleum consulting experience shouldn't become leaders?
Prior to 9/11, Bush had been on vacation over 40 percent of his time in office.
Deliberate distortion. Bush worked extensively from his ranch in Crawford Texas instead of the White House and Moore deliberately mis-counted this as "vacation".
weapons of mass destruction
So where did the Anthrax go? They have found Sarin gas in a missile, by the way. Were there others like it? We know Saddam had WMD at one point in the past. We STILL don't know what happened to them.
The UN resolutions placed a burden on Saddam to document the destruction of these weapons. He never did. The result is that we didn't know whether he had them or not. Bill Clinton is on record saying so. Post 9/11 we can't take that risk. You don't quote the pre-9/11 "no WMD" statement. My guess is it is consistent with the "we can't tell because he didn't comply" truth.
definite connection between Iraq and 9/11
"Connection" is vague. The nature of the relationship between Al Qaeda and Saddam's regime remains a topic of intense debate. The 9/11 commission concluded that it is unlikely that Saddam participated in the planning or provided resources for 9/11. The press widely mis-reported this to mean that Iraq and Al Qaeda were not assisting each other in any way, when many examples of such "connection" have been documented.