Is Netscape's Code Falling Apart At The Seams?
bobby writes: "There's a commentary on SecurityFocus that has me thinking: they argue that the infamous Brown Orifice holes in Navigator are examples of a new type of security hole that results, not from bad coding practices, but from coders haphazardly interconnecting disparate components without considering how they'll work together. 'The most dangerous, well-concealed, complex, and noteworthy security flaws in the future will be of this sort,' they write, adding that only the Mozilla project can save Netscape."
I may be mistaken, (Score:3)
"It is well that war is so terrible, lest we grow too fond of it."
Re:Seriously, though... (Score:1)
The answer to this would be, as some others noted, to write it from the scratch. This, however can not be the general fix - that's why people invented OO and modular programming.
I think that the time will come when the programming tools (and math behind the whole thing) will be so advanced that it will become easy for a good programmer to start the project right and develop it in any direction, thus reducing risks of this sort to a minimum.
I say "good programmer" cause we all know that an idiots with power tools just tend to produce rubbish at a greater rate.
z.
Agreement from Alan Cox (Score:4)
http://www.uwsg.iu.edu/hypermail/linux/kernel/0007.3/1305.html [iu.edu]
Re:That's not the problem (Score:1)
(jfb)
Part troll, part truth (Score:2)
Each of these companies is hugely powerful on their own, dominating their respective markets.
What it should show people is that corporations could care less about fairness and competition - left to their devices they will work to diminish and eliminate competition at the earliest possible stage (even if it is not in their own long-term interests). This is why the government has anti-trust laws and oversight.
Re:Eiffel (flamewar request) (Score:1)
Third chime's a tarm [eiffel.com]
t_t_b
--
I think not; therefore I ain't®
default (Score:1)
Re:mozilla makes open source look bad (Score:2)
Well, you can always download the mozilla source and compile just the browser component. Or, you could check out a project like Galeon, which has already done the work for you.
Really, writing any decent sized app from scratch is not the easiest thing in the world, and web browsers are quite complex. Even if mozilla made their browser 100% standards-compliant, people would still complain since most of the web isn't that way, so they have to code for that, too. How long in the making is Internet Explorer? I don't suppose you'd care to remember how much it utterly SUCKED until version 3.0, with version 4.0 being the first that actually rivalled Netscape. And you know, it takes up at least the same amount of space as Mozilla, and it _is_ just a browser.
Roar. Sorry, but I've been using Mozilla since M9 and I love it.
Re:That's not the problem (Score:1)
Another thing which you might want to remember is the fact that those bugs were JAVA-BASED. The java implementation from sun had bugs.
I work for netscape, and have friends who are on the browser group. I know what the problem was, apparently you don't.
What about Microsoft's current problems? should they rewrite the everything in logo too?
-Just my
Fred Brooks (Score:2)
In the first edition of "The Mythical Man-month", Fred Brooks fought against David Parnas' black box modules. Brooks says that he ran the System 360 project with the goal of making all implementation details public. They printed huge spec manuals and printed reams of updates every day, which would be dropped off at each programmer's office. In the second edition of "The Mythical Man-month", Brooks admits that he was wrong and Parnas was right. Implementation hiding was the right thing. The programmers for System 360 couldn't understand the whole system. These days, open source advocates claim that source code availability solves the "fragmented programmer knowledge" problem. I don't think it solves it (though it admittedly helps in some ways).
Re:Agreement from Alan Cox (Score:1)
Either you didn't read the article, or you didn't understand it.
If you've followed BUGTRAQ lately, you'd know that this malady seriously affects Windows systems, and that examples have included Microsoft-Microsoft, Microsoft-third party, and third party-third party component interactions.
Is it too hard for you to conceive that the particular case (Netscape 4) is but an example of a general theme? If so, you should probably refrain from programming or entering any field that requires abstract thought.
Re:XPCOM/COM doesn't equal security holes (Score:1)
And one would hope that the Mozilla authors are responsible enough to remove any feature that does wind up being proven to have such a huge security hole (or at least disable it by default) until it's been fixed. I don't know of any right now, but I'm sure some will be found eventually.
-RickHunter
Re:Correct Observation, Wrong Solution (Score:1)
Hmmm, so how many Linux kernel developers "spend a couple years developing flowcharts"? Which commercial software company for that matter? By the time your flowchart is ready, the market has already moved and you haven't even written any code yet..
Re:Correct Observation, Wrong Solution (Score:2)
P.S. Netscape v2 was a crashy POS, it just didn't matter that much because you weren't on the web 8 hours a day back then.
IE 4 was also a crashy POS, but it was generally engineered correctly (full DOM renderer just like Mozilla). On the other hand, Mozilla's XUL themes can't be considered correct engineering, except in the 1959
Re:Agreement from Alan Cox (Score:2)
So what does this say about GNOME security? Realistically, with all the debate we've been hearing about GNOME vs. KDE, is GNOME going to be as vulnerable to these kinds of component-based bugs as MS stuff? I mean, we keep hearing Miguel praise MS and the component model idea, but will it just create more problems? And if so, would there be any way to really provide a lot of background security for each component?
I don't use GNOME, but I happen to like it, and I would really like to see them be a secure desktop and not fall prey to the kind of attacks that we all know and love in Windows
"I may not have morals, but I have standards."
Re:Correct Observation, Wrong Solution (Score:5)
From everything I hear MS puts a lot of emphasis on the software process. This doesn't prevent them from succumbing to the same failures. Complexity is the enemy of security, and paraphrasing Brooks' law... The complexity of a piece of software goes up as the square of the number of modules (features?) involved. Examining a product like Netscape, or IE, even good engineering practice cannot prevent such extremely complex systems from behaving chaotically at some point. Now add to this short deadlines, and insufficient knowledge: of programming, of the off-the-shelf modules being used; and of the design of the system by the programmers writing it and you have holes waiting to happen. It is a credit to the people writing the software that such holes are not discovered more often.
--locust
Re:Awe man! I hate IE (Score:1)
Bad coding practices (Score:3)
examples of a new type of security hole that results, not from bad coding practices, but from coders haphazardly interconnecting disparate components without considering how they'll work together.
If you don't consider how components will interact when used together, then that is bad coding practice. If it's easy to use a component incorrectly, to the point of causing security problems, then I would venture a guess that the component in question has a bad interface. When we write code at work, my co-workers and I strive to have classes which are pretty much impossible to use incorrectly. Contrast this with something poorly designed and implemented like MFC, which ASSERTs when functions aren't called in exactly the right order at exactly the right time. If anything, it just sounds like the developers should revisit the ways their classes interact with each other and tidy it up a bit.
It's all just bad coding practices as far as I can see...
Programming for Security (Score:1)
Re:Awe man! I hate IE (Score:3)
Thankfully, IE 5 for the Macintosh spurned this 'innovation' and stuck with the hardened method of a config tree with sub-categories. I can install a fresh version of the browser and have it all configured in a few minutes. I still don't have the Windows version of IE configured the way I want it.
Another thing is that integration between the OS and the WWW is probably one of the creepiest, low-browed things I've heard of. There are just too many security problems associated with the internet to have a major part of your OS interface completely linked with it. This is ironically the problem they are noting with netscape.
I want to be able to browse in an encapsulated environment on a browser that 'utilizes' as few of the exploitable WWW technologies that exist. For this reason I use Lynx or w3m for 90% of my browsing. I fire up Mozilla for those inept pages who have no other way to use it except for javascript.
That right there is the largest concern I have with IE, the tight integration with the OS and filesystem. Not to mention mail, news, office documents, and the core scripting languages of the OS itself. Yes, you can turn a lot of that stuff off, but does it come that way by default?
Couldn't agree more. (Score:1)
NS6 PR2 is actually a step backwards from PR1. A lot of things that worked in PR1 were broken with PR2. Sure, all the glitzy toys are fun but, does the damned browser work? NO!!!
I have a very short, very simple wish list for the folks at Netscape:
Re:So what does this say for Internet Explorer? (Score:1)
I knew we could.
A lot of the legacy code is there so that the newer bastard son of code works with stuff written for the older bastard son of code.
Hey, I still use "center" instead of the newer spec for centering text.
"And they said onto the Lord.. How the hell did you do THAT?!"
That thing with the turtle? (Score:1)
Seriously, a beautiful way to teach programming to grade school kids: I learned it on an Apple ][ in fourth grade, and it was a blast.
Re:Pretty mindless advocacy (Score:1)
I know, I know, I shouldn't encourage him... Oh well. :-)
Well, let's try this out... ``Eric Raymond has stated that open-source programming is often an ego-free activity.'' Look! They're in the same sentence! By your logic, that sentence is an even larger load of bollocks than the original article. Pity that it's true. And that the sub-clause (``Open-source programming is often an ego-free activity.''), while not proven, certainly seems to be true in practice. (Yes, there are exceptions. See that word often up there?)
He stated that Brooks' Law doesn't hold---as originally stated---for debugging---in an open source project. He then provided a justification that holds up under current information theory (there isn't a direct link to the explanation in CatB, but it's on thi s page [tuxedo.org]. Exercise for the reader, I guess. (Anyone know why the comment system keeps sticking a space in ``this''? I'd look it up, but I'm working on my resume, which is slightly more important to me right now.)). And then, he provided an empirical example (Linux). And then, he tested his theory (fetchmail).
Agreed. That's a lie. Of course, you're the only person I have ever seen say this. To the best of my knowledge, nobody involved with Mozilla says this. Even the flakiest of news sites never seem to make this mistake. The article this discussion is about doesn't make this mistake.
Multiplatform AOL (Score:1)
Remember that supposed "AOL for Linux" download we saw a few weeks ago? ("Gamera") (url: http://slashdot.org/articles/00/08/13/137233.shtml [slashdot.org]) Gamera makes use of Mozilla for browsing the internet on a platform MSIE, AOL's choice browser for windows, doesn't support.
As much as we would all love to hate AOL for supposedly "killing" Netscape and Mozilla, I hope Gamera will aid in its increasingly widespread use. In addition to this, AOL will aid in the popularity of everybody's beloved Linux OS.
To summarize:
Javascript, not C/C++ (Score:1)
BTW, you're reading this message with Netscape, aren't you?
---
Every secretary using MSWord wastes enough resources
Entropy (Score:2)
That's it. That's the number one rule of long term software development. No matter what you do, no matter how good your coders are, entropy happens.
People forget, people leave the project. The cowboy coder stays up all night and in an evil cackle resorts to inline assembly. Stuff like this plagues products, even ones with the best of software engineering, paradigms, and tools.
Take netscape for example. There are not that many engineers on it anymore I'd imagine. It's an OLD codebase. You probably just can't scrap it all and start over. That would take a long time, and people need to get paid for a living...something has to pay the bills.
There are two basic types of software products...Quality driven, and release driven. Release driven is such as Microsoft Office, products put out to meet customer demand, to compete against other products making headway, and to work towards strategic initiatives...not to mention fix bugs, improve UI, etc. Quality is a variable in this release, but time is the number one factor.
Quality driven products are ones like Linux (referring to the linux kernel), or Mozilla. "It's done when we feel it's done." It hopefully produces better products, but more than likely, if you fix every bug that comes down the line, you'll never get it out the door, and you'll NEVER pay your bills.
While netscape is sitting and stewing in development, IE can have free rein over features, new functionality, and overall the general market. However, netscape may come out with fewer bugs.
It's a moral dilemma that I think is at the heart of the open source development paradigm. Is it better to keep your source closed, private, and singularly maintained to have a trimmer development process, or do you open source it to help flush out those hard to find bugs?
What neither paradigm catches are those integration bugs. Just looking at how all of this comes together will not save anyone from the myriad of hassles that integration of engines, algorithms, and interfaces brings. Teams of coders can be hundreds of people big, and still not catch all the bugs.
Systems move toward entropy. I once read somewhere that "NT is so huge no one person understands it all" There will come a time when everything on the planet is like that. Stuff will get bigger, and it will become too difficult to understand all of the code on such a low level that you are going to have to trust the wisdom of coders that came before you.
My thoughts as a software developer
--jay
Re:Sounds a bit like a dodgy B film (Score:1)
[mouth stops] "Only mozzira can save us now" [mouth moves]
[Cue big green monster]
Re:So what does this say for Internet Explorer? (Score:1)
Is Netscape's Code Falling Apart At The Seams? (Score:2)
This is something that I've been trying to tell the bible thumpers on Slashdot for a long time - ever since I started posting comments on Slashdot. Now my arguments have been proven by a whole story. Netscape is legendary for being a memory hog (in comparison, as I'm typing this, IE5 is using up 8,448K of memory). Furthermore, Netscape will never let you view the source of a webpage with only a few clicks (in the right-click menu in IE, there's an option, "View Source," that opens the HTML/SHTML/PHP3/etc. page in Notepad. Kinda cool, if you ask me, 'cause you can see what they used to create pages, the javascript, and so on). Also, sometimes when you want to download something with Netscape, instead of saving the file, it saves the link! That's just not right. I think a total UI rewrite is overdue for Netscape, as well as a total code rewrite.
Give 'Em a Break (Score:3)
--Dave
Re:Awe man! I hate IE (OT) (Score:1)
One last thing, and on a more personal side, would you mind clarifying some of your personal objections on Microsoft? Do you really honestly equate them to selling hard drugs?
I do not equate the dealings of MS with that of hard drugs. I was making an analogy, it is a weakness of mine. :)
On the grand scale of Bad Things You Can Do to people though, I do feel that Microsoft, (indeed, other software companies in their position as well.) has put themselves up there. One can only guess exactly how many billions of corporate dollars have been spent on these software companies. Such high-level losses bring down losses upon us all, in the long run.
I believe that the practice of closed software development and sale (especially per-license sale) has gouged the industry. While we look around things appear to be moving along at an incredible clip. Why in just 5 years we've gone from a television to reading www.insert chocolate company.com on candy wrappers and billboards. As fast as it's gone, I wonder how much faster it would have gone without the harness that has been placed on it by the software enterprises.
I don't target Microsoft alone on this, they are not the only guilty party, they are merely the most obviously guilty party right now, and thus they are being used as a scapegoat for a lot of malpractice going on out there.
I should say here, I do not have a problem with software that is purchased. As a developer, I know that bread needs to be passed around. What I have a problem with is establishing a closed or protected code base. Since humans, and ultimately, the corporations they puppeteer are in fact very greedy, inevitably those closed code-bases will be used to lock out other corporations and businesses at the expense of progress.
Please, take the time to read the court transcripts, there is more than enough evidence placed on this case to show that progress has been slowed, and will remain slowed as long as individuals hold the keys to their code.
Now, all of the moral stuff said, I still do have gripes with the way Microsoft products work. You have mentioned that you tire of folks berating Microsoft quality. I'm not going to be one who says everything they produce is rotten. I'll go so far as to say it is satisfactory. I cannot with a clear head though, say that the level of quality I experience using Windows is on par with the MacOS or any *NIX that I've used.
On my computer at home, I use 100% 'free-speech' software. I do this because it makes me feel good to do that. I not only use, but I contribute to these projects, and that makes me feel good too. I feel like I'm a part of a community; a valued member. When I go to work and I have to use NT, or any other 'corporate' software, I feel like a 'user' or a 'client'; I'm not actively involved with it. I'm just a consumer and I get treated that way by them.
So, do I feel like I have chosen to use inferior products just to spite the corporations? No, not at all. For me I don't feel like I'm stooping down. Especially once I got over the psychological barrier of using software designed with a different mentality. I found that much of this stuff is GREAT quality. It may not look as pretty, one program may not do all 62,000 things that MS Word does, but so what? I can accomplish all of my tasks using a variety of specialized tools that are lean and stable. So honestly, for me it isn't a sacrifice.
If that makes me rare, then so be it, I've never been accused of being normal before. :)
Re:That's not the problem (Score:1)
The "turtle does whatever the hell it wants" bug is only present in the "our users are dumber than turtles" release of Microsoft Logo.
Re:Couldn't agree more. (Score:1)
Mozilla kicks ass in this respect. Can't wait.
Re:That's not the problem (Score:1)
If netscape did do a rewrite in Logo, every web page would have a turtle on it. Just think of the glory of those millions of little green turtles scuttling around!!
Actually, my PhD thesis is going to be rewriting Linux's TCP/IP stack in Logo. Should be fun.
So what does this say for Internet Explorer? (Score:3)
To go one step further, what does it say for the concept of pay-for software?
Outside of games, developers of pay-for software generally keep buyers coming back year after year for upgrades by adding new features. Somehow it just doesn't cut it just fixing bugs. Those shouldn't have been there in the first place, and admitting that you're just fixing bugs means that you should be giving it away.
Now we're seeing a claim that in a rather fundamental fashion, feature accretion is not a good thing.
Now to take a 180, sometimes feature accretion just may be necessary. So how do we do it in a secure, reliable fashion? Is COM the answer? Does MS really have it licked? I say that with tongue in cheek, because I believe MS values speed to market and profits over ALL else. But maybe they have a kernel of a good idea. Of course, I was in the OpenDoc camp, in the old days.
Component aggregation trouble is nothing new (Score:2)
Now we're seeing a claim that in a rather fundamental fashion, feature accretion is not a good thing.
This is nothing new. A brief scan of the RISKS Digest archives [ncl.ac.uk] shows many, many cases going back years where a working system and a new, working-as-intended component were combined with disastrous results. (It always amazes me how many engineers and developers have never read RISKS Digest or the book that Neumann published; one developer at a major Northern Virginia Internet applications developer asked me "Is that a local list in your area? I never heard of it.")
If you don't know what RISKS is, check out comp.risks (the USENET feed of the digest); if your ISP doesn't carry it, either get them to, or change ISPs. It's well worth a few bucks a month more if it comes to that.
I propose a new version of Brooks' Law: "Adding components to a buggy piece of software makes it buggier."
Say no more (Score:1)
Open source yes, bazaar no.
Re:Awe man! I hate IE (Score:1)
hey, this should be moderated as "Funny" z.
AOL refuses (Score:1)
Sun/AOL/Netscape decided they will never compete on product merits again. From now on Sun/AOL/Netscape will use Government Goons to do their competing for them.
Read the Risks Forum (on web or news:comp.risks) (Score:2)
What's discussed there is quite relevant here; poor engineering or attempting to overextend what may have originally been a good design appropriate to simpler tasks will result in terrible software problems - security holes, safety hazards and the like.
Also recommended is the book Computer Related Risks [barnesandnoble.com] by Risks Forum moderator Peter Neumann [sri.com] (ISBN 020155805X). It draws on material from the forum but discusses it in greater detail.
Re:Correct Observation, Wrong Solution (Score:2)
saying that Netscape consists of pieces X, Y, Z developed in different companies which are independently well written, but because the developers on each team do not have much insight into the work done in the other teams, when it comes to stitch them together a hash is made of the job. The advantage of an open development model is that the political dimension that prevents openness between the teams is gone. Rarely are there developer meetings that you just have to attend to know what is going on; instead everyone can follow the developers lists and follow the work being done on the related pieces.
The point doesn't have much to do with quality of developers, but is to do with the circumstances under which they work.
Re:XPCOM/COM doesn't equal security holes (Score:2)
Perhaps you can change this, but my guess is that doing so would break a large number of services that depend on system having rights. It would make more sense to have COM run under an admin-controlled user account.
It's the OS, stupid. (Score:2)
This constant discovery of huge holes may finally generate a push for serious operating system security. One can hope. Although neither the Linux nor Windows worlds have done anything that really solves the problem, FreeBSD's Jail(2) [freebsd.org] call has real promise. Note that unlike chroot(2) [freebsd.org], which is for root only, user processes can call Jail(2) [freebsd.org], which makes it much more useful.
So get busy, get something like Jail(2) [freebsd.org] into Linux, and reorganize Mozilla so most of it runs in jail mode. That will kill the problem, instead of just injuring it slightly.
It's just incompetence (Score:2)
Only from incompetent non-college educated programmers who don't properly take into account the emergent properties of a system. Seriously, this is inexcusable and clearly the result of blatant incompetence and a hacked-together system with little, if any, formal design other than AOL insisting on icons to go to their shopping site, instant messenger, and a well-planned feature to report to AOL all the websites you visit. They'll get no sympathy from me.
Yes, I'd have to agree, if the Mozilla team can stop hacking in worthless features instead of concentrating on meeting the basic requirements of a functional web browser, they could save netscape from itself. But my bet is that Microsoft, using its unfair trade practice of producing a superior product, will end up dominating the free browser 'market'.
---
Re:Agreement from Alan Cox (Score:2)
From my (limited) understanding of the situation, getting Administrator access is a very hard thing to do.
Re:Mozilla ? (Score:2)
XPCOM/COM doesn't equal security holes (Score:4)
What makes IE so insecure is its application of this technology to equal what Java was touted to do:
While Mozilla contains a number of XPCOM components it is not possible for standard HTML to instantiate or exploit any of them. Standard HTML can only instantiate the standard set of Javascript objects and everything else is off-limits.
Only chrome can create arbitrary XPCOM objects and that's the implicitly trusted "application" that your Mozilla engine is running. AFAIK skins are treated as untrusted content.
Does that mean Mozilla doesn't contain bugs? Of course not, but it is designed to be safer than ActiveX controls in IE from the outset.
Mozilla release schedule? (Score:2)
Pretty mindless advocacy (Score:4)
Doublespeak: Adding more programmers fragments the knowledge, but not if they're open source programmers, because they have the magic ability to "review each others' code", which is impossible if you have the wrong kind of license. And Brooks' Law doesn't hold because Eric Raymond said so. Better still, he quoted someone else saying so.
The initial premise is dodgy too; to support the thesis that the component model is to blame, he uses the example of Brown Orifice which comes about because of three things: Java, the Java Core and the Netscape JVM. That's one thing, in my book. Why stop at three? The Netscape JVM is coded in C, so that's a fourth "component". And the Brown Orifice hole serves your files via IP, so that's a fifth. Bollocks.
The outright lie; Mozilla has been coded "from the ground up". Like hell. If this is the case, why does it have anything to do with Netscape at all? Why, indeed, did the Open Source Community need to wait for Netscape to open the code base, if there were all these people around who could code a browser "from the ground up". Mozilla has been coded, at best, from the scaffolding.
And then we get told that all problems will be sorted out in 6.0, for that is based on Open Source. Great. If, say, ZDnet put out an article on Microsoft security and concluded it with "But the next piece of vaporware coming out will surely solve all of these problems", they would be castigated to hell and rightly so.
A serious lack of critical judgement.
Who cares if it's secure... (Score:4)
Bus error
--
"One World, one Web, one Program" - Microsoft promotional ad
Re:XPCOM/COM doesn't equal security holes (Score:2)
The medium security level (the default) does at least offer you the chance to prevent third party controls from installing themselves, but that doesn't stop safe for scripting controls getting onto your machine in other ways. For example, if you install MS Office, you'll get several controls like the infamous office assistant which was subject to a security alert not long back.
So why not bump up the security? Well that's great except it stops other features such as Windows Update and Microsoft's internet-based installers from working properly.
Your comments about W2K are also misleading. The ActiveX controls (and all in-process COM objects) run with the privileges of the host application since a control is contained in a DLL. If you use Run As with IE (the host app) to prevent it access to certain folders then the controls will not have access either. Great, except that W2K still doesn't lock things down on installation. Only a knowledgeable user will bother to manually lock things down and even then things could be touch and go.
For the other 99.999% of users, they're still lumbered with a fatally broken security model.
This is not a bad coding practice? (Score:2)
No, I don't think you're mistaken. (Score:2)
... adding that only the Mozilla project can save Netscape.
This is the kind of hyperbolic statement I wish would stop. I don't mean to troll, but isn't netscape pretty much dead anyway? Communicator 4.x is based on a years-old code base which has barely even been tweaked since 1998. And I saw some of this code before release (under NDA for a porting project) -- whoo-ee! It was a mess.
Which is why they switched codebases for the mozilla project. A bunch of netscape hackers couldn't even make the old netscape engine go. So they dumped it. It's gone. Le Netscape est mort; vive le Mozilla!
I don't want to use IE, either, even though it's been easier to develop for, for the last couple of years (face it - DOM is a lot cleaner than the layer model). But let's stop clamoring for a netscape resurrection. In fact, since the Netscape brand is now just another AOL product, I don't think I'll use it at all. Straight up Mozilla for me, thanks, with a side order of hot-swappable skins.
Re:Pretty mindless advocacy (Score:2)
None of the current Mozilla/NS6.0 codebase was used in any previous version of Netscape, and the architecture is completely different. That's what he means by "from the ground up."
2/3 the programming team are full-time coders employed by Netscape; that's why it has to do with Netscape and why the "Open Source Community" had to wait for Netscape before they had the people who could build it "from the ground up".
Steven E. Ehrbar
Re:That's not the problem (Score:2)
These components offer a great scalability and abstraction. With those technologies you can easily code in whatever language suits your needs and reuse objects/components that were developed in any language. When used adequately they are terrific tools/development methods.
Those are IMHO the way to go and will be for many years due to the extensibility of these technologies...
Re:Agreement from Alan Cox (Score:2)
Unfortunately you need to turn services on with both OSes, thus increasing the chance that you can break into them.
IMHO, the greatest resource of the security world is thousands of script kiddies... They make sure that any exploit found is so overused that security people can't help but know about it, thus fixing it.
If it wasn't for script kiddies we'd have a smaller number of black-hats but they'd have twenty years of unpatched exploits available and nobody would be able to stop them.
The script-kiddy situation is worse for those on IRC (etc) who attract their attention, but at least with the exploits being made public, banks, the military, ISPs, and other organizations that need robust security can have it, provided they have an administrator that keeps up with their job.
Rendering speed (Score:2)
I was surprised because the benchmarks I'd seen said IE was faster in general. But NS is clearly faster on my system.
If someone tells me how to do timed benchmarks, I'd be happy to run a few for some hard numbers.
-----
D. Fischer
Re:Awe man! I hate IE (Score:2)
I don't think you understand where I'm coming from. While I am in fact an experienced Linux user, I also use the MacOS, Windows95, and WindowsNT Server more often than I use Linux. This automatically places me outside of the scope of this rebuttal since I can just as easily turn those features off.
The point I was making is that for the general population, the combination of a hard to configure interface mixed with insecure defaults is a Bad Thing. For guys and gals who can get in there and adjust things, it's okay. It isn't preferable, but it is okay. For the ones who are just learning that Microsoft Word is not the OS, it's bad.
My biggest problem is when people insist on using Mozilla or Netscape just because it's not IE and not MS. They actually go out of their way to use a product that they usually admit is inferior in many ways just not to use MS. It doesn't make sense.
So then, if a company sells liquid detergent, also has a black-market industry of selling hard drugs, and you don't ethically agree with selling hard drugs -- you are telling me you would go ahead and purchase their liquid detergent anyway with the glaze of saying "well I use the best detergent, it doesn't matter WHO makes it."
I'm sorry, but I, and many others, find that type of comment much more offensive than the amount of offense you seem to take towards somebody stating that they will not support a company with a bad record, even if it means using a slightly inferior product.
You've gotta love amateur-source (Score:2)
Give the people the power they want and they screw it up by giving more emphasis to skins than to architecture.
amateur-source rants/news/general kvetching [ridiculopathy.com]
Re:Flash animations (OT) (Score:2)
That said, Flash can be useful: it works (and looks!) the same in every corporate browser (most clients don't care if Linux geeks can't see their site) and it allows for their TV commercial on the web to stand out. Finally, if your designer is *good* at Flash and can actually get some tiny programming done with it without having to resort to PHP or ASP, it frees up *valuable* programmer time for other, more complicated tasks such as database management and the like.
As with most technologies, the person employing them needs to know what he or she is doing, and often this is not the case. But to say that Flash is by its very nature a great evil is absurd.
Re:Couldn't agree more. (Score:2)
> Anybody from Netscape can feel free to contact me for examples.
There is something called bugzilla. If you search hard enough on the web, you may even find it.
In that thing, there is a concept called bug reporting.
You can use it to actually submit a bug report. You could even set up web space somewhere, with you example of bad rendering. And, you know, you could put this URL in the bug report.
At this time, something incredible occurs. Netscape engineers (who are weenies, as everyone knows) and mozicoders look at the bug report, and check it. They even make it a priority. Rendering according to the standard is considered important by some of those people. Strange, huh?
After that, some magic takes place (which involves sacrificing some goats[.cx]) and the things may get fixed.
Maybe they should set up another way of doing things, that would involve having engineers lurking on slashdot, sending mail to random guys that have problems with the 'recognized definitions of HTML' (note the plural). I believe you could even suggest that to the mentioned bugzilla.
Cheers,
--fred
Re:Flash animations (OT) (Score:2)
Re:Correct Observation, Wrong Solution (Score:2)
Let's use slashdot itself as an example. It cuts off most stories part-way through. If I have mod points, it smears the comboboxes all over the screen when I scroll, misplaces them and then finally gives up rendering them altogether. Still, not very relevant as I can't use them - when it cut off early, it took that 'Moderate' button with it...
It frequently screws up so badly it won't let me swap windows properly. It will intermittently refuse to follow links. And it eats resources like nothing else you can imagine. It's just horrendous what it can do to your system and it'll fall over with a fraction of the number of windows I can open from Netscape.
Communicator 4.0x was a lovely, stable, feature-packed browser. 4.5 was atrocious and could reliably crash the machine totally. They've been getting slowly better since and it's now mostly usable again. Unfortunately, IE has been getting steadily worse for some time...
Roll on Mozilla.
Eiffel (flamewar request) (Score:2)
Anyway: Isn't this exactly the kind of thing Eiffel [eiffel.org] is meant to solve? I mean, I haven't looked at it closely yet, but Design by Contract was basically designed for the problem of large, poorly organized projects in which the components were written by people who were not totally certain what the other components were doing, right? The horror stories in which different components make incorrect assumptions about how the other will work and do Bad Things were what led to Eiffel, right?
Would the concepts behind design by contract/Eiffel have helped with the problems facing Netscape, in that objects would be constrained to doing only those things they should be allowed to do? And at the least, those interactions would be clearly defined -- I mean, wouldn't being forced to think out the components and classes specifically in terms of interaction lead to those interactions at least being in some low-level way documented -- because at least the question of how should this fit into this has been asked?
Am I just confused? Please help with any knowledge you may have..
Re:XPCOM/COM doesn't equal security holes (Score:2)
You can read about it here [securityfocus.com]. Especially interesting is David LeBlanc's mail and that of Russ.
Where do you draw the border when _elevating_ rights with runas (for instance installing something from ms which nowadays often automagically involves Internet Explorer _and_ requires Administrator privileges).
Re:Mozilla ? (Score:2)
Once running, your mileage may vary, between 20 and 30 MB used memory in win32 is normal.
Not bad for an alpha product. It is now nearly feature complete. Due to limitations of linux, the linux version still feels a little slow. However, the win32 builds are quite snappy.
There are still a lot of minor (i.e. non fatal) bugs left. No doubt these bugs will get the full attention for the next few milestones. As far as I can see, mozilla is nearly (like 99%) feature complete. Some features are a bit shaky.
The nightly builds are quite good, but you should check with mozillazine before downloading one. Occasionally, after bigger changes, there are some regressions. Don't judge the builds by that because this type of error is usually fixed within a few days. Last week for instance there was a problem with skin switching. Yesterday's build was much better.
People on slashdot don't understand mozilla. They complain it is bloated, takes too much memory and contains too many features. What they don't seem to understand is that mozilla has to replace communicator and compete with internet explorer and outlook express. All this must be done while remaining cross platform and easy to maintain.
Mozilla is not a browser, it is a platform. The killer app for this platform happens to be a browser. But there are lots of other interesting applications that it supports. Mozilla's architecture is brilliant. It supports all of the above. That by the way includes a small, fast browser as the Galeon browser proves. The Galeon browser would not be possible without gecko and necko. Once finished these components will find their way to PC's, unix workstations, pda's, settopboxes and maybe even mobile phones.
I must admit that there were times that I have doubted mozilla was such a good idea. But I've seen the nightly builds. I know it is just an alpha build but still I sometimes forget I'm not using IE. As for IE, my biggest fear was that MS would continue to 'innovate' and 'improve' ie. Yet, all they have done since version 4 is bug fixing and standards tweaking. In essence the 5.5 version looks and feels pretty much the same as the 4.0 version.
Correct Observation, Wrong Solution (Score:5)
Unfortunately, instead of the article then discussing ways to attack the cause of the problem (badly engineered software), it describes ways to attack the symptoms (release the source so bugs can be found).
There is more to creating robust software than simply testing most of the bugs out of a system. Proper engineering practices need to be set in place to allow the extensibility and modularity of the code. Releasing source code may catch buffer overflow exploits and the like but it doesn't solve problems like improper interfaces/protocols being chosen and several other bad design decisions.
Mozilla has already proved this with the fact that it is a complete rewrite of the original Netscape code. After a year wasted hacking at the code, the Mozilla developers realized that all the Open Source in the world could not change the fact that Netscape Navigator was badly engineered software. Mozilla is better than Netscape not simply because it is Open Source and all bugs are shallow but because it is being properly designed and engineered instead of being a series of unmaintainable hacks like Netscape's Navigator.
As the saying goes, you cannot make a silk purse out of a pig's ear.
Re:That's not the problem (Score:2)
Re:Awe man! I hate IE (Score:2)
I got sick of it, switched to IE 5, and after a week of grumbling, found that IE 5 has a better interface, better features, and is far more stable than NS Nav. The one thing still in NS's favor is that it renders much faster than IE 5.
But I prefer slow stability over fast crashes.
I played with Opera briefly, but $30 for a program that seems to do less than my MS "freeware" isn't a good deal. When and if Mozilla produces a stable, full featured browser, I'll switch, but for now, I'm sticking with IE.
-----
D. Fischer
The idea isn't entirely new (Score:2)
The point I am driving at is that currently these security holes are believed to be accidental. We are not far from seeing instances of them that are deliberately created. Open source offers some protection from that, if the source is actively read by numerous competent people. But when the code is linked from many sources, the program becomes vulnerable to the weakest link in the chain, the least well reviewed library.
Re:Awe man! I hate IE (Score:2)
Seriously, though... (Score:2)
Seriously though, this type of thing may or may not be the typical security hole of the future. In fact, if all the components (at one level, say, in Netscape) are fully encapsulated and none of them have internal security flaws, it's hard to imagine how a combination of these would allow any breaches.
However, you can assure this only in the components you're writing or at least have the source code to, which means that open source can make quite a difference, but not because of the "way that components work together", but because if anyone can see how a component works, it will be much more probable that someone will find the hole.
You can not control all the levels, though. Even if we (in a few years) get to the point where your computer (used for serious stuff by a fairly advanced user) can be run entirely by OS software, there's still the question of hardware... do we REALLY know what those CPUs are doing? Maybe what we need is an open source CPU and chipset?
z.
Microsoft hates skilled users (Score:2)
Seriously, my attitude has come from the fact that every couple of years I decide I'm being childish & stupid, & I make an attempt to give MS products ``just one more try". And usually within a matter of hours of making this resolution I find I want to drive up to Redmond & adjust the attitude of their design teams with a heavy, blunt object. Or just shoot the lot of them.
My most recent example: IE's incestuous relationship with Windows 2000. Now I'll admit that I rather liked how information was set out in the File Manager that came in Win 3.1: on one side, you had the directories on the drive set out in a tree metaphor, & on the other side, each file was presented on its own line, with the full file name, file size, time & date the file was last written to, & attributes all in a row. Lots of information at a single glance. And if you were scared to see all of this information, well with a few clicks of the mouse you could change it to a window full of icons.
A simple, intuitive setup. And Microsoft proceeded to start hosing it up.
First MS started deprecating winfile, in favor of ``Windows Explorer". Since I'm not against change, I grumbled a little, wondered about some of the design implementations, & ended up learning how to work with this program. I could get my winfile interface; I got the information I wanted how I wanted it.
So life went on. Now in Win2k, though, the Windows Explorer has been replaced with IE. Now I'm no longer looking at a list of files & their characteristics, but at an unnecessary HTML page I don't want. Resize one window the wrong way, & instead of seeing all of the columns, I get a help page I don't need & didn't ask for. Every time I go to another directory, I'm back to a window full of meaningless icons -- as far as I can see, there's no way to set & save my preferences globally. And if I'm reading a page on the web when I decide to verify some files on a local drive . . . let's just say I've been warned about my vocabulary at work.
Huh? What's that? Why don't I RTFM?? I have, boyo. But that M is truly F'ed. Click on help, & you get choices like about the World Wide Web, or ``Microsoft and the Internet." (But I'm just trying to manage files on the drives in my employer's computer, not experience this irrelevant paradigm!) Using ``Search" on their help pages to get useful information is about as useful as trying to meet Ms. Right with a poorly-written personal ad. The answer is probably out there somewhere, buried in a hint mentioned in an aside while talking about something totally unrelated.
Microsoft must believe every computer user is a moron, because they work hard writing their user interface down to a moron's level. Everyone else gets confused & either (a) believes she/he is an idiot because she/he can't figure this mess out, or (b) gets just that much more resentful at MS, & resolves to work harder at finding & using a competing -- any competing -- product for their needs.
Too bad MS is a monopoly. That makes it hard to find competing products in many categories.
Okay, okay, I'm done ranting. I've got all of that off my chest, & can go back to work now.
Geoff
Re:That's not the problem (Score:3)
1) Lack of multithreading/multiprocessing capability.
2) Memory allocation is very non-intuitive.
3) Exception handling is almost non-existent.
4) The blasted turtle never does what you want.
I would suggest (and I think my views are shared by a large percentage of the computer industry) that a better programming language for large-scale, team based software design must combine the data abstraction of COBOL with the versatility of INTERCAL [caltech.edu].
To be expected of large open source projects (Score:2)
One of the tenets of open source has always been that anyone can go in and fix a bug or make an improvement. Yes, having the source code available is a *good* thing, because it makes a program less likely to disappear as a result of the whims of business, but the whole supposed truism about ease of fixing bugs is not true. As an experienced programmer, I would be scared as hell to track down a bug inside of a program the size of The Gimp or an X server. The odds of breaking something are extremely high.
Re:Couldn't agree more. (Score:2)
[Disclaimer: I don't work for/on Netscape or Mozilla, I just reported a few bugs]
You got examples? Fantastic! That's useful info for the developers. So why are you crippling yourself by using PR2?
PR2 is cool, but it's a packaged beta, and it's already old code.
You can prepare useful reports on reproducible bugs. Get the latest binary [mozilla.org], check if the problem still exists, then report it straight to the developers [mozilla.org].
Seriously. You don't need to put Some Faceless Corp between you and the coders anymore. You've got a direct line!
Have fun,
Dave
--
Re:Pretty mindless advocacy (Score:2)
That's actually wrong, but it's easy to see why you'd think so.
The fact is, Mozilla was initially intended to start with Netscape's code, which is why they waited for the code to be opened. They, like pretty much everyone else at the time, thought it would be a massive waste of time and effort to start from scratch.
However, as has been mentioned on /. over and over again, they abandoned the Netscape code and rewrote it. Starting, as they say, from the ground up.
To use your analogy, they didn't so much use the scaffolding as tear it down and reuse some of the same planks when they built new scaffolding.
Re:Correct Observation, Wrong Solution (Score:2)
Isn't the modularity, and therefore the reuse of code, at the root of this problem? Well engineered modules may work very well, but a great deal of care must be taken in the engineering of their reuse as well. It's the hidden or unexpected interactions between modules not originally written to work together (although designed to be reused and well documented) wherein lie particularly insidious bugs.
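The Eiffel question above and this comment on hidden interactions between reused modules both come down to the same point: an assumption one component makes about another is only safe if it is written down and checked at the boundary. The following is an added illustration of Design by Contract, not code from this thread, from Netscape or from Mozilla, and it uses Python rather than Eiffel so that it runs as-is. The component is a hypothetical sandboxed file resolver (constructed for the example); the "naive" implementation, the "checked" one, the `/srv/www` root and the `require`/`ensure` decorators are all assumptions of the example, not a description of any real browser bug. The point it shows is that a postcondition turns a silently violated cross-component assumption ("you only ever hand me paths under the root") into a loud failure at the seam, and a precondition pins down what the caller owes the supplier.

```python
import functools
import posixpath


class ContractViolation(AssertionError):
    """Raised when a precondition or postcondition is broken."""


def require(check, what):
    """Precondition: the caller's obligation, verified before the body runs.
    `check` receives the call's arguments and returns True when satisfied."""
    def decorate(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            if not check(*args, **kwargs):
                raise ContractViolation(f"{fn.__name__}: precondition failed: {what}")
            return fn(*args, **kwargs)
        return wrapper
    return decorate


def ensure(check, what):
    """Postcondition: the supplier's obligation, verified on the return value.
    `check` receives the result followed by the call's arguments."""
    def decorate(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            result = fn(*args, **kwargs)
            if not check(result, *args, **kwargs):
                raise ContractViolation(f"{fn.__name__}: postcondition failed: {what}")
            return result
        return wrapper
    return decorate


def within(root, path):
    """True when the normalised POSIX path lies at or below root (string check,
    no filesystem access, so this runs anywhere)."""
    root = posixpath.normpath(root)
    path = posixpath.normpath(path)
    return path == root or path.startswith(root.rstrip("/") + "/")


def sandboxed(fn):
    """Contract shared by both implementations below (hypothetical component):
    the caller must pass a relative path, and whatever comes back must stay
    inside the sandbox root."""
    fn = ensure(lambda result, root, requested: within(root, result),
                "resolved path must stay inside the sandbox root")(fn)
    fn = require(lambda root, requested: isinstance(requested, str)
                 and not posixpath.isabs(requested),
                 "requested path must be relative")(fn)
    return fn


@sandboxed
def resolve_naive(root, requested):
    """Assumed first implementation: joins without normalising, so '..'
    segments climb out of root. The postcondition turns that silent escape
    into a contract failure at the component boundary instead of a served file."""
    return posixpath.join(root, requested)


@sandboxed
def resolve_checked(root, requested):
    """Hardened implementation: normalise first and refuse escapes itself,
    so the contract is only a backstop rather than the only line of defence."""
    candidate = posixpath.normpath(posixpath.join(root, requested))
    if not within(root, candidate):
        raise ValueError(f"refusing to serve outside {root}: {requested!r}")
    return candidate


if __name__ == "__main__":
    ROOT = "/srv/www"  # constructed sample root for the example, not a real deployment
    print(resolve_checked(ROOT, "docs/index.html"))
    try:
        resolve_naive(ROOT, "../../etc/passwd")
    except ContractViolation as err:
        print("caught at the seam:", err)
```

The contract does not make the naive resolver correct; it makes the mismatch between what the caller assumed and what the supplier actually did visible the first time it happens, which is exactly the class of "I thought the other module handled that" bug the comments above are worried about. Eiffel checks this kind of clause natively; in C, C++ or Python the same discipline has to be bolted on, as here.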
Re:Correct Observation, Wrong Solution (Score:3)
Netscape 2.0 was a fantastic browser. It blew the crap out of every browser on the market. NS 3.0 threw in some cool enhancements that although buggy, made it far superior once again. Then IE 4 came out (also badly engineered) and added many more features. Both browsers were equally buggy, but IE4 implemented more features. From then on, both browsers became more fascinated with tweaking the previous version just a little bit more. Mozilla started over, and re-engineered the browser from the ground up. When they finally release M22 (the bug fixed version according to their roadmap) in the year 2039, it will be the most stable browser because it followed a solid engineering process.
"You'll die up there son, just like I did!" - Abe Simpson
That's not the problem (Score:5)
There have been several recent articles in some of the major software engineering journals, which question the feasibility of using C or C++ for large projects. C/C++ have been demonstrated to be unsuitable for today's huge software projects, and all other software companies who persevere with C/C++ will eventually run into the same problems as Netscape.
So what is the solution? The academic community's research advocates the use of a new programming language, Logo [mit.edu], in order to solve the problem of scalability. The amazing levels of abstraction provided by Logo [mit.edu] mean that Logo [mit.edu] is certain to become the major programming language of the future.
Flash animations (OT) (Score:2)
Francis Hwang
Re:Awe man! I hate IE (Score:2)
It's fixed in 4.75.
Chris
Speed is also an issue. (Score:4)
My experience at work also shows that tight schedules cause problems. We all have access to the code of our peers but when we are forced to ship the product quicker than as-soon-as-possible we don't take into account what the other programmer is doing. There are those that design the tools that are supposed to prevent this, but if the requirements are lacking, then programmers will do things one way that will cause problems when integrating it into a tool another way.
Another problem comes when requirements change. Just recently I was on a program that changed a few requirements near the end, and this caused a major design change. With the tight schedule it was impossible to test the change as completely as it should have been. But management seems to think things are the same when you change a "simple" requirement and doesn't give a proper budget.
The open source world doesn't worry too much about schedule. It is willing to produce something better than get the PR of a quick product. I believe open source produces code quicker, but for the quality it seems slow, where closed source can produce quicker than the open source because it hides the things that should have been fixed before the shipment. So this is only a perception that the closed source version was produced quicker.
Steven Rostedt
Wow, are you naive. Why AOL -REALLY- bought NSCP: (Score:2)
Why do you think AtHome bought Excrete?
Yes folks, huge swaths of this industry are manipulated by a few people. There are many good reads that illustrate the incredible influence a few VCs have over large parts of the industry. Try Perkins' Internet Bubble.
Re:ESR coded the world! (Score:2)
Re:I may be mistaken, (Score:2)
Re:Bugzilla (Score:2)
The fact is, the Netscape 6 implementation of CSS is, in some cases, a step backwards from the marginal CSS support built into NS 4.x. Additionally, valid tags that are fully developed and documented by the HTML 4.0 specification are not implemented. I absolutely do NOT allow any of those proprietary (MS) HTML extensions in any of my documents yet, IE continues to be a superior rendering engine and interpreter.
These HAVE been reported via BugTraq and have only gotten worse with successive builds.
Yes, I will continue to use BugTraq.
No, I will not continue to expect it to do any good.
Just give me a functional browser that doesn't have its birth certificate filed in Redmond!!!
Eiffel mindshare is just too small (Score:2)
Of course, a project like this would be a great way to start up interest in a worthy alternative, and it couldn't have slowed down any more than it already is.
You have to wonder how long C/C++ are going to continue to hold reign. It looks like at least another thirty years (no joke) at this point.
Re:Flash animations (OT) (Score:2)
Nothing new here, move along (Score:2)
Open source software is no different, of course. Over time it may achieve generally better quality because more people can examine the code, but architecturally it is no different to any other kind of software. Mozilla isn't magically going to be free from security problems.
The sad, boring truth is that there is no easy way to make complex software secure. Avoiding componentization won't make things better, except that it will probably prevent you from building complex software at all, thus dodging the issue.
Intelligent design, elbow grease and lots of eyes are the only weapons we have. We'd better use them well.
Re: (Score:2)
Sounds a bit like a dodgy B film (Score:5)
"Only mozzila can save us now"
[Cue big green monster]