Re:If everyone has to re-write the fix ... (on Sun Eyes PostgreSQL) · Score: 1
Most BSD-license loving programmers have the (somewhat egotistical) attitude of "I'm releasing this because I hope it gets used." They tend to want the fixes out there.
This is in keeping with the fact that BSD folks toil away on code for which they can't expect to charge any money.
Unnecessary when using languages that solve this p (on Heap Protection Mechanism) · Score: 2, Insightful
Languages like Lisp, Haskell, Scheme and ML allow you to avoid buffer and heap overflows (assuming the language implementation is correct).
It is therefore, in my opinion, less optimal (from a security perspective) to use something like "C" for a complicated app like sendmail, web server or secure shell daemon (sshd) than it is to use a language like "C".
I'm feeling a terrible disruption in the force --- it is as if a million chairs just got thrown out a window.
No, I haven't answered myself. I don't have multiple personalities, and it is not karma whoring night.
Try reading 'flat' and then it will make sense.
I've spent plenty of time in Texas.
UT is a huge system. Upon reflecting on that and their relative lack of released software, I began to wonder if they'd made anything worth using.
I forgot about ACL2, the only software project I've heard of that comes from Texas.
Thanks for reminding me of ACL2 -- I'd forgotten about that!
I mention Kerberos, RISC and RAID because that's what people are using, right now, not because it is the latest and greatest.
Don't look down on the Texans. It has one of the highest ranked computer engineer programs in the country. I've heard of Doug Berger before and we have read his research papers and use his simulators (made between him and Todd Austin of Wisconsin) in our graduate classes at CMU (I'm BS&MS ECE, CS '01).
I didn't ask about how well their program is rated. Has UT produced any programs that people use? E.g.
MIT -- Kerberos
Berkeley - RISC, BSD Unix, RAID, TCP/IP networking as standard OS feature
Stanford -- RISC
Cornell -- Ensemble, Horus, Spinglass -- distributed programming toolkits
Caltech -- Carver Mead (VLSI method, VLSI tools, machine vision)
UT -- a simulator that you've used. What sort of simulator, please?
E.g. Berkeley developed SPICE, a tool used to simulate circuits. Last I heard, it was the standard tool to use for that stuff. Here's the project page: http://bwrc.eecs.berkeley.edu/Classes/IcBook/SPIC
Austin also has a high number of tech companies around - heck, AMD, IBM, Intel, Freescale, just to name a few.
I didn't ask what firms work there. I want to know what software people at UT have made that is worth talking about.
Exactly. What has UT produced that folks use?
MIT -- Kerberos
Berkeley - RISC, BSD Unix, RAID, TCP/IP networking as standard OS feature
Stanford -- RISC
Cornell -- distributed systems research
Caltech -- Carver Mead (VLSI, machine vision)
UT -- ?????????
Does any major piece of software that folks use come from UT?
...
I can think of famous projects from MIT, Berkeley, Stanford, CMU, Caltech, Cornell
But I can't think of a single one from UT. Not a single one. Is there something we all use that comes from UT?
I know they have good petroleum engineering at A&M -- but I'm interested in CS.
Here's something from guys who do lots of transactions in a safe language -- perhaps you've heard of Orbitz? If you'll notice, they manage memory so that they avoid GCs whenever possible.
My original point was more about things like sshd -- there's just not a good reason for that to be written in an unsafe language. It defeats the whole purpose of your "secure" shell if a buffer/heap overflow allows someone to compromise your whole box.
Normally the code that needs optimizing is a small part -- you make that go fast and you can achieve your goals.
You are correct that that is what it stands for.
And I am correct that that is nonsensical.
Did you look at this: http://www.davidflanagan.com/blog/2005_03.html ??
I'm guessing not. He points out how the acronym is a pile of stinking bullshit.
I don't understand how you'll do a language like ML or lisp without automatic storage management.
The problem has to do with returning closures with bound variables -- the nice thing about having a GC is that they will get freed, eventually.
If you do manual memory management, will you manage this yourself (for closures)? Or will you ban closures? If you are banning closures, you've lost one of the key benefits of using Lisp or ML --- you just got rid of lambda (in its most general form), and you'll just have supercombinators (functions without bound variables), like in "C". Or will you rely on some static analysis to find things that can be freed automatically? These are all pretty tough -- just using GC is probably the way to go.
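An added example in C (not the poster's code) of the situation the comment describes: a function that returns a closure whose bound variable must outlive the creating function's stack frame. The names (closure_t, make_adder, call_closure, free_closure) are hypothetical. Without a collector the environment is heap-allocated and whoever holds the last reference has to free it explicitly, which is the manual-management burden the comment asks about.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hand-rolled closure: a function pointer plus a heap-allocated environment
 * that holds the captured ("bound") variable. Hypothetical names; added example. */
typedef struct closure {
    int (*fn)(struct closure *self, int arg);
    int *env;            /* captured variable lives on the heap, not the stack */
} closure_t;

static int adder_body(closure_t *self, int arg) {
    return *self->env + arg;
}

/* Returns a closure that adds n to its argument. The environment must
 * outlive this function's stack frame, so it cannot be a local variable. */
closure_t *make_adder(int n) {
    closure_t *c = malloc(sizeof *c);
    int *env = malloc(sizeof *env);
    if (c == NULL || env == NULL) {
        free(c);
        free(env);
        return NULL;
    }
    *env = n;
    c->fn = adder_body;
    c->env = env;
    return c;
}

int call_closure(closure_t *c, int arg) {
    return c->fn(c, arg);
}

/* The manual-management step a GC would do for you: the last holder of the
 * closure must free both the environment and the closure record.
 * Forgetting it leaks; doing it twice is a double free. */
void free_closure(closure_t *c) {
    if (c == NULL) return;
    free(c->env);
    free(c);
}

int main(void) {
    closure_t *add5 = make_adder(5);
    if (add5 == NULL) return 1;
    printf("add5(10) = %d\n", call_closure(add5, 10));
    free_closure(add5);   /* caller's responsibility, every time */
    return 0;
}
```

The point of the example is the last call: the closure record escapes make_adder, so nothing at the return point can tell whether it is still reachable, and the release has to be done by hand by whoever ends up owning it.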
Although you can blame the programmer for writing a faulty application, I don't think that is relevant.
You are a taxi driver. Your job is to deliver people from point A to point B, safely and quickly.
You can choose from two cars.
Car A is such that if you make an error when driving, it will do something bad -- perhaps even blow up, killing the passengers. Furthermore, a driver can accidentally drive the car into an obstacle, ruining everything.
Car B is the same as the first, except there's nothing the driver can do to make the car blow up. If the driver purposefully tries to drive the car into a wall, it stops before it hits the wall.
It seems like you want to pick car A, and say that anyone who drives car A badly, is at fault.
I'm saying just pick car B, there will be far fewer accidents, and there is no reason to point your finger at the "bad driver".
If a driver is given the choice between the two, and picks car A, and makes a mistake, it would seem that he has been grossly negligent. He could have chosen the safe option, but he chose the unsafe one, and the passengers got killed. So I think we agree the programmer has been terribly irresponsible.
To be consistent, it should really be called JA Office. Ajax is a nonsensical buzzword.
Indeed. It looks like there is no formal specification. So you are fucked. That's what's good about specifications; either the program is bad or the spec is bad, but at least you know where to point.
It seems they provide a syntax checker -- this is a program that supposedly tells if your program is kosher or not.
But then again, given that there isn't a spec, what do you do when there are differences between what the checker accepts and what the interpreter accepts? Hmmmmm. I guess you rip your hair out.
When you use a program like this to define what is allowed, you essentially say, "whatever is good is whatever this program accepts. It is what it is. Have a nice day, biatch!" It is the road to hell.
Here's the checker: http://livedocs.macromedia.com/coldfusion/5.0/Dev
Good luck!
If you work on programming languages, a formal semantics, whether operational, denotational or what have you, is great to have -- you avoid stupid mistakes that folks notice later. E.g. the fact that statements in "C" are not expressions too.
If you work on a parser/lexer, BNF and regular expressions sure are handy -- but their advantage is that they allow you to specify, precisely and concisely, what you are doing.
With distributed systems, having a formal model of communications between asynchronous processes allows you to SPECIFY how they communicate and formally prove that you don't have certain killer issues: deadlock, livelock, etc.
So for some problems, specs sure are handy. Anything involving rocket ships or robots that do surgery -- I'd rather have a spec. It would be nice to have a machine-checked proof that critical systems meet the constraints too.
http://www.wired.com/news/mp3/0,1285,60650,00.html
"Technology giveth and it taketh away, and the industry knows this," Chuck D said. "The horseshoe makers probably got upset at the train manufacturers because (the new industry) took away their transport dominance, just as the train manufacturers probably got mad at the airline industry."
"I think this expands artistry and it's about adjustment," he said.
"As an artist representing an 80-year period of black musicianship, I never felt that my copyrights were protected anyway," Chuck D said. "I've been spending most of my career ducking lawyers, accountants and business executives who have basically been more blasphemous than file sharers and P2P. I trust the consumer more than I trust the people who have been at the helm of these companies.
"The record industry is hypocritical and the domination has to be shared. P2P to me means 'power to the people,'" Chuck D said. "And let's get this to a balance, and that's what we're talking about."
I agree it is silly to expect musicians to make music for free.
I never meant to imply otherwise.
Don't other bands do like these guys? E.g. the Beastie Boys released some free, remixable tracks.
You ever listen to mixtapes? There's a whole illegal music industry, where there's no copyright. E.g. http://www.mixunit.com/ http://mixtapekings.com/
The record labels tolerate this (while busting P2P folks) because it is good for promoting talent and identifying acts worth putting money into.
50 Cent released 5 hit mixtapes before he did a single paid album.
E.g. Landline has all their music available for download -- not just a single album, and there's no DRM or other bullshit.
Is it novel and exciting because they also have a record deal? I thought a lot of industry-hating musicians would just refuse record deals on principle.
Exactly. Think about the enthusiasm at a startup that is doing well, but lacks money. People fucking make sacrifices until it is clear that it is a dead duck. They don't have much to lose but a few months pay and some time. If anything, they improve their marketability as they finish.
I have to figure the guy in charge of managing those folks drove them all out.
I think the scientists could have auctioned off the names of the new objects to pay for further space exploration, better telescopes, etc.
Here's an example: a species named after goldenpalace.com (an online casino):
http://www.msnbc.msn.com/id/7493711/
This is how the system in the USA works. The idea is that local communities can't tax the Feds or impose regulations on them. Otherwise they clearly would, and it would lead to chaos. E.g. the City of Berkeley would tax the hell out of the Feds, until they agreed to make the whole country a nuclear free zone, or cut off all business with Myanmar (Burma). That's how things went after the Revolution and until the formation of the United States -- there were terrible fights like this between states and the feds.
So the feds have property that they control. Then they turn around and provide this to private companies (typically contractors). Theoretically, because the contractors get the services for free, the market price of the rent should be higher. E.g. suppose a contractor has a choice: fed property or a neighboring plot that is otherwise the same, but comes with taxes. The market price of the fed property will be higher by the cost of the crap that the company avoids.
Google theoretically shouldn't save any money by doing its stuff on govt property: the price should be higher than on state-controlled or country-controlled property, all things being equal.
One neat place to see this is the NV/CA border on Lake Tahoe. The same pile on the NV side costs more, because taxes are lower.
So the "problem" is due to the law, not Google. Unless they get that property for below-market costs (perhaps due to corruption), there's nothing awful going on here. Perhaps you think we need to change our constitution to make it possible for states to tax the feds, but that's another issue, and it doesn't involve Google.
One problem at demonstrations is that the cops attempt to seize and destroy images (video/cameras) made by people there attempting to document abuses by the cops.
This would solve that problem -- realtime uploading of the images to a location where the cops can't get them.
This doesn't apply to America, where cops are all lawful and good (/sarc) -- but rather, to countries that have repressive governments and no free exchange of information.
OK, for whatever reason, all your engineers desert one day.
Do you look in the mirror and figure that you really fucked it up big? Are you really going to tell that to the shareholders --- sorry guys, I lost your company.
No -- you reach for your lawyer, claim you got "raided" and try to build the biggest sympathy case you can.
And if it works, when you are over, you tell folks, "I went up against Yahoo!. They got horribly dirty and tried to raid us. They succeeded in raiding 92% of the staff. But I fought back, we settled and the investors were happy. The only reason we didn't lose everything was due to my nerves of steel."
"Nuance said 13 engineers from its Menlo Park and Montreal offices were 75 percent finished with a project ..."
That sounds like they aren't very finished. Who knows if they would have finished in time, if they were at that stage. Even if I thought I was 75% finished, we know I might only be half finished -- that last bit to finish is always a huge effort, and that's typically where you blow your schedule.
You figure the business folks suing Yahoo have an interest in making it sound like they were more finished than less -- e.g. if they were 99% finished, and Yahoo! swooped in to recruit the whole bunch, that would look awful.
So perhaps they were "50% finished" -- however you measure that (sounds like their app is a totally new piece of work, so you can't really estimate it well), and they pump it up to 75% finished.
Also, why did so many of the guys split to go to Yahoo!? It looks to me like people were itching to leave. Considering this happened after a merger/buyout -- and that one camper was pretty unhappy, perhaps the engineers were feeling bad and were looking to move somewhere nicer.