Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Netscape The Internet

Is Netscape's Code Falling Apart At The Seams? 186

bobby writes: "There a commentary on SecurityFocus that has me thinking: they argue that the infamous Brown Orifice holes in Navigator are examples of a new type of security hole that results, not from bad coding practices, but from coders haphazardly interconnecting disparate components without considering how they'll work together. 'The most dangerous, well-concealed, complex, and noteworthy security flaws in the future will be of this sort,' they write, adding that only the Mozilla project can save Netscape. "
This discussion has been archived. No new comments can be posted.

Is Netscape's Code Falling Apart At The Seams?

Comments Filter:
  • by eastMike ( 194827 ) on Friday September 08, 2000 @02:17AM (#795489)
    but doesn't AOL more or less own netscape? I have never heard AOL even *mention* netscape since their "partnership" (or whatever it is) took place. This seems like a pretty good sign that AOL doesn't expect anything worthwhile out of netscape. Or perhaps they're just waiting for mozilla? Either way, netscape is in poor shape, a nd I'm distraught over what seems to be its impending doom. I really *don't* want to have to use IE.

    "It is well that war is so terrible, lest we grow too fond of it."
  • If your classes and objects are organized right, this shouldn't happen and it fact often doesn't with small projects. However, as projects grow, little mistakes and wrong decisions made at the beginning tend to turn into wide cracks.

    The answer to this would be, as some others noted, to write it from the scratch. This, however can not be the general fix - that's why people invented OO and modular programming.

    I think that the time will come when the programming tools (and math behind the whole thing) will be so advanced that it will become easy for a good programmer to start the project right and develop it in any direction, thus reducing risks of this sort to a minimum.

    I say "good programmer" cause we all know that an idiots with power tools just tend to produce rubbish at a greater rate.

    z.
  • by The Pim ( 140414 ) on Friday September 08, 2000 @02:18AM (#795491)
    Alan Cox noted this aptly a few months ago:

    The evidence from the MS world is that buffer overflows are the _least_ of your worries in a component based environment. Complete inability to build a coherent security model combined with people who wave their arms around when asked hard questions about it are most of the problem.

    Nobody in the windows world is much into buffer overflows right now, you dont need them to tear apart a windows system. There's a lesson there for gnome.

    http://www.uwsg.iu.e du/hypermail/linux/kernel/0007.3/1305.html [iu.edu]

  • I'm sorry sir, but you're over the limit with this one, and you'll have to throw some of those fry back into the stream.

    (jfb)
  • I see a small bit of trolling in your post, but the fact is that partly you are right - it is shameful how badly AOL, Oracle and Sun have whored themselves to the government.

    Each of these companies is hugely powerful on their own, dominating their respective markets.

    What it should show people is that corporations could care less about fairness and competition - left to their devices they will work to diminish and eliminate competition at the earliest possible stage (even if it is not in their own long-term interests). This is why the government has anti-trust laws and oversight.

  • fsck it..

    Third chime's a tarm [eiffel.com]

    t_t_b
    --
    I think not; therefore I ain't®

  • Comment removed based on user account deletion
  • I don't know what you're talking about but during the IE5.5 install you can pick exactly what you need. A bare browser minus java is about 6 meg, smaller than netscape. The configuration in IE5.5 is a tree view just like netscape. Maybe you should do some checking before posting. I happen to like IE because it doesn't crash daily and renders about 10x faster.
  • I'm glad you feel that way. But you forgot to post the link to the perfect, freely available web browser that you wrote from scratch in less than 2 years. Oh, what? There isn't one?

    Well, you can always download the mozilla source and compile just the browser component. Or, you could check out a project like Galeon, which has already done the work for you.

    Really, writing any decent sized app from scratch is not the easiest thing in the world, and web browsers are quite complex. Even if mozilla made their browser 100% standards-compliant, people would still complain since most of the web isn't that way, so they have to code for that, too. How long in the making is Internet Explorer? I don't suppose you'd care to remember how much it utterly SUCKED until version 3.0, with version 4.0 being the first that actually rivalled Netscape. And you know, it takes up at least the same amount of space as Mozilla, and it _is_ just a browser.

    Roar. Sorry, but I've been using Mozilla since M9 and I love it.
  • Logo? so in other words, you want Netscape to drop C completely, and re-code the whole thing from scratch. Uh, I've seen the netscape source, and it's FUCKING HUGE. Re-coding all that is quite pointless.
    Another thing which you might want to remember is the fact that those bugs were JAVA-BASED. The java implimentation from sun had bugs.
    I work for netscape, and have friends who are on the browser group. I know what the problem was, apparently you don't.
    What about Microsoft's current problems? should they rewrite the everything in logo too?
    -Just my .02
  • Adding more programmers fragments the knowledge, but not if they're open source programmers, because they have the magic ability to "review each others' code", which is impossible if you have the wrong kind of license. And Brooks' Law doesn't hold because Eric Raymond said so.

    In the first edition of "The Mythical Man-month", Fred Brooks fought against David Parnas' black box modules. Brooks says that he ran the System 360 project with the goal of making all implementation details public. They printed huge spec manuals and printed reams of updates everyday, which would be dropped off at each programmer's office. In the second edition of "The Mythical Man-month", Brooks admits that he was wrong and Parnas was right. Implementation hiding was the right thing. The programmers for System 360 couldn't understand the whole system. These days, open source advocates claim that source code availability solves the "fragmented programmer knowledge" problem. I don't think it solve it (though it admittedly helps in some ways).


  • And how is related to the article?

    Either you didn't read the article, or you didn't understand it.

    Brown Orifice exists because the people who understood the different components did not or could not see how the interaction of these various pieces could cause trouble.

    If you've followed BUGTRAQ lately, you'd know that this malady seriously affects Windows systems, and that examples have included Microsoft-Microsoft, Microsoft-third party, and third party-third party component interactions.

    It it too hard for you to conceive that the particular case (Netscape 4) is but an example of a general theme? If so, you should probably refrain from programming or entering any field that requires abstract thought.

  • Comment removed based on user account deletion
  • And one would hope that the Mozilla authors are responsible enough to remove any feature that does wind up being proven to have such a huge security hole (or at least disable it by default) until its been fixed. I don't know of any right now, but I'm sure some will be found eventually.


    -RickHunter
  • This is the same reason I don't run Microsoft products at home. They're not engineered well. No one spends a couple years developing a solid model (flowchart) of how the software is supposed to work.

    Hmmm, so how many Linux kernel developers "spend a couple years developing flowcharts"? Which commercial software company for that matter? By the time your flowchart is ready, the market has already moved and you haven't even written any code yet..


  • Comment removed based on user account deletion
  • Microsoft makes hundreds of shrinkwrapped products. Are you sure they build all of them like a novice VB project?

    P.S. Netscape v2 was a crashy POS, it just didn't matter that much because you weren't on the web 8 hours a day back then.

    IE 4 was also a crashy POS, but it was generally engineered correctly (full DOM renderer just like Mozilla). On the other hand, Mozilla's XUL themes can't be considered correct engineering, except in the 1959
  • There's a lesson there for gnome.

    So what does this say about GNOME security? Realistically, with all the debate we've been hearing about GNOME vs. KDE, is GNOME going to be as vulnerable to these kind of component based bugs as MS stuff? I mean, we keep hearing Miguel praise MS and the component model idea, but will it just create more problems? And if so, would there be any way to really provide a lot of background security for each component?

    I don't use GNOME, but I happen to like it, and I would really like to see them be a secure desktop and not fall prey to the kind of attacks that we all know and love in Windows ;-)

    "I may not have morals, but I have standards."
  • by locust ( 6639 ) on Friday September 08, 2000 @05:37AM (#795507)
    More and more software is being developed haphazardly without a clear design, coherent engineering or a well defined development roadmap.

    From everything I hear MS puts a lot of emphasis on the software process. This doesn't prevent them from succumbing to the same failures. Complexity is the enemy of security, and paraphrasing Brook's law... The complexity of a piece of software goes up as the square of the number of modules (features?) involved. Examining a product like Netscape, or IE, even good engineering practice cannot prevent such an extremely complex systems from behaving chaotically at some point. Now add to this short deadlines, and insufficient knowledge: of programming, of the off-the-shelf modules being used; and of the design of the system by the programmers writing it and you have holes waiting to happen. It is a credit to the people writing the software that such holes are not discovered more often.

    --locust

  • Comment removed based on user account deletion
  • What about usability? Until version 4.01 SP1, IE was very unstable. I mainly used Netscape, but found occasion to use IE 3.02 for certain web sites. IE 5 and subsequent releases have not caused the major headaches of earlier versions, but still has serious problems. The ftp browser is a nice feature, which allows drag and drop, but often fails or gets hung up. IE itself, gives up too soon on webpages. These are the reasons why I still use Netscape as my primary browser. Netscape generally loads pages faster and waits longer for the server to respond and load pages.
  • by Jerky McNaughty ( 1391 ) on Friday September 08, 2000 @02:19AM (#795510)

    examples of a new type of security hole that results, not from bad coding practices, but from coders haphazardly interconnecting disparate components without considering how they'll work together.

    If you don't consider how components will interact when used together, then that is bad coding practice. If it's easy to use a component incorrectly, to the point of causing security problems, then I would venture a guess that the component in question has a bad interface. When we write code at work, my co-workers and I strive to have classes which are pretty much impossible to use incorrectly. Contrast this with something poorly designed and implemented like MFC which, when functions aren't called in exactly the right order at exactly the right time, it ASSERTs. If anything, it just sounds like the developers should revisit the ways their classes interact with each other and tidy it up a bit.

    It's all just bad coding practices as far as I can see...

  • by Anonymous Coward
    I've seen a lot of computer book titles over the years. But I've never seen one called "Programming for Security". I wonder if colleges offer such courses? I've never heard anyone refer to such a course on /. or anywhere else for that matter.
  • by StarFace ( 13336 ) on Friday September 08, 2000 @02:21AM (#795512) Homepage
    I am not the original poster, but I'll add a point or two against IE. Ever since 4.x they have completely trashed any sense of powerful configuration. To configure IE you are required to select vague tabs, hunting around, wondering what M$ decided to call file associations this time. Then you get to the last config tab and it looks like they just gave up on creating an interface and threw everything into a huge randomly ordered list.

    Thankfully, IE 5 for the Macintosh spurned this 'innovation' and stuck with the hardened method of a config tree with sub-categories. I can install a fresh version of the browser and have it all configured in a few minutes. I still don't have the Windows version of IE configured the way I want it.

    Another thing is that integration between the OS and the WWW is probably one of the creepiest, low-browed things I've heard of. There are just too many security problems associated with the internet to have a major part of your OS interface completely linked with it. This is ironically the problem they are noting with netscape.

    I want to be able to browse in an encapsulated environment on a browser that 'utilizes' as few of the exploitable WWW technologies that exist. For this reason I use Lynx or w3m for 90% of my browsing. I fire up Mozilla for those inept pages who have no other way to use it except for javascript.

    That right there is the largest concern I have with IE, the tight integration with the OS and filesystem. Not to mention mail, news, office documents, and the core scripting languages of the OS itself. Yes, you can turn a lot of that stuff off, but does it come that way by default?

  • As browsers go, NS 4.x is merely OK. The rendering engine is almost first rate but, it still lacks a lot of DOM compliance and don't get me started on CSS issues.

    NS6 PR2 is actually a step backwards from PR1. A lot of things that worked in PR1 were broken with PR2. Sure, all the glitzy toys are fun but, does the damned browser work? NO!!!

    I have a very short, very simple wish list for the folks at Netscape:

    • Real support for CSS
    • Document rendering that resembles the code according to the recognized definitions of HTML
    Anybody from Netscape can feel free to contact me [mailto] for examples.
  • Comment removed based on user account deletion
  • Can anyone say 'deprecated'?

    I knew we could.

    A lot of the legacy code is there so that the newer bastard son of code works with stuff written for the older bastard son of code.

    Hey, I still use "center" instead of the newer spec for centering text.
    "And they said onto the Lord.. How the hell did you do THAT?!"
  • Any programming language that consisted of giving a little turtle command to do stuff is alright by me- and if you didn't like the turtle, you could change him into a dump truck, or a helicoptor.....

    Seriously, a beautiful way to teach programming to grade school kids: I learned it on an Apple ][ in fourth grade, and it was a blast.
  • Comment removed based on user account deletion
  • I know, I know, I shouldn't encourage him... Oh well. :-)

    It always makes you think when you see the words "ego-free" and "Eric Raymond" in consecutive paragraphs.

    Well, let's try this out... ``Eric Raymond has stated that open-source programming is often an ego-free activity.'' Look! They're in the same sentence! By your logic, that sentence is an even larger load of bollocks than the original article. Pity that it's true. And that the sub-clause (``Open-source programming is often an ego-free activity.''), while not proven, certainly seems to be true in practice. (Yes, there are exceptions. See that word often up there?)

    And Brooks' Law doesn't hold because Eric Raymond said so. Better still, he quoted someone else saying so.

    He stated that Brook's Law doesn't hold---as originally stated---for debugging---in an open source project. He then provided a justification that holds up under current information theory (there isn't a direct link to the explanation in CatB, but it's on thi s page [tuxedo.org]. Exercise for the reader, I guess. (Anyone know why the comment system keeps sticking a space in ``this''? I'd look it up, but I'm working on my resume, which is slightly more important to me right now.)). And then, he provided an empirical example (Linux). And then, he tested his theory (fetchmail).

    The outright lie; Mozilla has been coded "from the ground up".

    Agreed. That's a lie. Of course, you're the only person I have ever seen say this. To the best of my knowledge, nobody involved with Mozilla says this. Even the flakiest of news sites never seem to make this mistake. The article this discussion is about doesn't make this mistake.

  • Remember that supposed "AOL for Linux" download we saw a few weeks ago? ("Gamera") (url: http://slashdot.org/articles/00/ 08/13/137233.shtml [slashdot.org]) Gamera makes use of Mozilla for browsing the internet on a platform MSIE, AOL's choice browser for windows, doesn't support.

    As much as we would all love to hate AOL for supposidly "killing" Netscape and Mozilla, I hope Gamera will aid in its increasingly widespread use. In addition to this, AOL will aid in the popularity of everybody's beloved Linux OS.

    To summarize:

    • Gamera uses Mozilla as its integrated web browser
    • Such support of Mozilla in AOL for Linux will aid the effort to improve Mozilla and increase support for Linux.

  • Honestly, the reason that Netscape is so S-L-O-W is that it's actually running on Javascript (which is written on C/C++ of course).

    BTW, you're reading this message with Netscape, aren't you?
    ---
    Every secretary using MSWord wastes enough resources

  • Systems move towards entropy.

    Thats it. Thats the number one rule of long term software development. No matter what you do, no matter how good your coders are, entropy happens.

    People forget, people leave the project. The coyboy coder stays up all night and in an evil cackle resorts to inline assembly. Stuff like this plagues prodcuts, even ones with the best of software enginnering, paradigms, and tools.

    Take netscape for example. There are not that many engineers on it anymore id imagine. Its an OLD codebase. You probably just cant scrap it all and start over. That would take a long time, and people need to get paid for a living...something has to pay the bills.

    There are two basic types of software products...Quality driven, and release driven. Release driven is such as Microsoft Office, products put out to meet customer demand, to compete against other products making headway, and to work towards strategic initiatives...not to mention fix bugs, improve UI, etc. Quality is a variable in this release, but time is the number one factor.

    Quality driven products are ones like Linux (referring to the linux kernel), or Mozilla. "Its done when we feel its done." It hopefully produces better prodcuts, but more than likely, if you fix every bug that comes down the line, you'll never get it out the, and you'll NEVER pay your bills.

    While netscape is sitting and stewing in development, IE can have free reign over features, new functionality, and overall the general market. However, netscape may come out with fewer bugs.

    Its a moral dilemma that i think is at the heart of the open source development paradigm. is it better to keep your source closed, private, and singularly maintained to have a trimmer development process, or do you open source it to help flush out those hard to find bugs.

    What neither paradigm catches are those integration bugs. Just looking at how all of this comes together will not save anyone from the myriad of hassles that integration of engines, algorithms, and interfaces brings. Teams of coders can be hundred of people big, and still not catch all the bugs.

    Systems move toward entropy. I once read somewhere that "NT is so huge no one person understands it all" There will come a time when everything on the planet is like that. Stuff will get bigger, and it will become too difficult to understand all of the code on such a low level that you are going to have to trust the wisdom of coders that came before you.

    My thoughts as a software developer
    --jay
  • Making bugzilla accept milestones greater than 30 would require a COMPLETE code rewrite.

  • [mouth stops]"Oh my god it's farring apart at the seams" [mouth moves]
    [mouth stops] "Only mozzira can save us now" [mouth moves]
    [Cue big green monster]
  • The referenced article speaks of COM being messed up. I don't have enough personal experience, other than seeing security holes fly by on CERT and BUGTRAQ. There are numerous citations of the inadequate security model of ActiveX. Perhaps I err by equating COM with ActiveX, but I thought it was a market-driven renaming, not anything fundamentally technical.
  • Do birds fly?

    This is something that I've been trying to tell the bible thumpers on Slashdot for a long time - ever since I started posting comments on Slashdot. Now my arguments have been proven by a whole story. Netscape is legendary for being a memory hog (in comparison, as I'm typing this, IE5 is using up 8,448K of memory). Furthermore, Netscape will never let you view the source of a webpage with only a few clicks (in the right-click menu in IE, there's an option, "View Source," that opens the HTML/SHTML/PHP3/etc. page in Notepad. Kinda cool, if you ask me, cause you can see what they used to create pages, the javascipt, and so on. Also, sometimes when you want to download something with Netscape, instead of saving the file, it saves the link! That's just not right. I think a total UI rewrite is overdue for Netscape, as well as a total code rewrite.

  • by icezip ( 172472 ) on Friday September 08, 2000 @05:50AM (#795526) Homepage
    The coders over at Netscape work hard, and they are only human. There's going to be bugs in everything. The discovery of these bugs enables us all to learn from these mistakes and not incorporate them in our own programs. Maybe instead of trashing Netscape, we should dedicated some time in helping.

    --Dave
  • We are getting highly off topic here, so I've changed the subject line accordingly.

    One last thing, and on a more personal side, would you mind clarifying some of your personal objections on Microsoft? Do you really honestly equate them to selling hard drugs?

    I do not equate the dealings of MS with that of hard drugs. I was making an analogy, it is a weakness of mine. :)

    On the grand scale of Bad Things You Can Do to people though, I do feel that Microsoft, (indeed, other software companies in their position as well.) has put themselves up there. One can only guess exactly how many billions of corporate dollars have been spent on these software companies. Such high-level losses bring down losses upon us all, in the long run.

    I believe that the practice of closed software development and sale (expecially per-license sale) has gouged the industry. While we look around things appear to be moving along at an incredible clip. Why in just 5 years we've gone from a television to reading www.insert chocolate company.com on candy wrappers and billboards. As fast as its gone, I wonder how much faster it would have gone without the harnass that has been placed on it by the software enterprises.

    I don't target Microsoft alone on this, they are not the only guilty party, they are merely the most obviously guilty party right now, and thus they are being used as a scapegoat for a lot of malpractice going on out there.

    I should say here, I do not have a problem with software that is purchased. As a developer, I know that bread needs to be passed around. What I have a problem with is establishing a closed or protected code base. Since humans, and ultimatly, the corporations they puppeteer are in fact very greedy, inevitably those closed code-bases will be used to lock out other corporations and businesses at the expense of progress.

    Please, take the time to read the court transcripts, there is more than enough evidence placed on this case to show that progress has been slowed, and will remain slowed as long as individuals hold the keys to their code.

    Now, all of the moral stuff said, I still do have gripes with the way Microsoft products work. You have mentioned that you tire of folks berating Microsoft quality. I'm not going to be one who says everything they produce is rotten. I'll go so far as to say it is satisfactory. I cannot with a clear head though, say that the level of quality I experience using Windows is on par with the MacOS or any *NIX that I've used.

    On my computer at home, I use 100% 'free-speach' software. I do this because it makes me feel good to do that. I not only use, but I contribute to these projects, and that makes me feel good too. I feel like I'm a part of a community; a valued member. When I got to work and I have to use NT, or any other 'corporate' software I feel like a 'user' or a 'client' I'm not actively involved with it. I'm just a consumer and I get treated that way by them.

    So, do I feel like I have chosen to use inferior products just to spite the corporations? No, not at all. For me I don't feel like I'm stooping down. Expecially once I got over the psychological barrier of using software designed with a different mentality. I found that much of this stuff is GREAT quality. It may not look as pretty, one program many not do all 62,000 things that MS Word does, but so what? I can accomplish all of my tasks using a variety of specialized tools that are lean and stable. So honestly, for me it isn't a sacrifice.

    If that makes me rare, then so be it, I've never been accused of being normal before. :)

  • 4) The blasted turtle never does what you want.

    The "turtle does whatever the hell it wants" bug is only present in the "our users are dumber than turtles" release of Microsoft Logo.

  • The speed of the NN4 rendering engine sucks. It's very clear when it comes to rendering complex tables. the browser freezes up several to 30 seconds even, while trying to figure out how to dipslay a complex table layout.


    Mozilla kicks ass in this respect. Can't wait.

  • I thinnk a LOGO based OS is what the world needs right now. Windows style OSes are obviously not that great, and we need to break the rest of the world out of the stagnation that UNIX domination has brought.

    If netscape did do a rewrite in Logo, every web page would have a turtle on it. Just think of the glory of those millions of little green turtles scuttling around!!

    Actually, my PhD thesis is going to be rewriting Linux's TCP/IP stack in Logo. Should be fun.

  • by dpilot ( 134227 ) on Friday September 08, 2000 @01:52AM (#795531) Homepage Journal
    And what does it say for the kitchen-sink concept of software definition and development, in general.

    To go one step further, what does it say for the concept of pay-for software?

    Outside of games, developers of pay-for software generally keep buyers coming back year after year for upgrades by adding new features. Somehow it just doesn't cut it just fixing bugs. Those shouldn't have been there in the first place, and admitting that you're just fixing bugs means that you should be giving it away.

    Now we're seeing a claim that in a rather fundamental fashion, feature accretion is not a good thing.

    Now to take a 180, sometimes feature accretion just may be necessary. So how do we do it in a secure, reliable fashion? Is COM the answer? Does MS really have it licked? I say that with tongue in cheek, because I believe MS values speed to market and profits over ALL else. But maybe they have a kernel of a good idea. Of course, I was in the OpenDoc camp, in the old days.
  • dpilot wrote:

    Now we're seeing a claim that in a rather fundamental fashion, feature accretion is not a good thing.

    This is nothing new. A brief scan of the RISKS Digest archives [ncl.ac.uk] shows many, many cases going back years where a working system and a new, working-as-intended component were combined with disastrous results. (It always amazes me how many engineers and developers have never read RISKS Digest or the book that Neumann published; one developer at a major Northern Virginia Internet applications developer asked me "Is that a local list in your area? I never heard of it.")

    If you don't know what RISKS is, check out comp.risks (the USENET feed of the digest); if your ISP doesn't carry it, either get them to, or change ISPs. It's well worth a few bucks a month more if it comes to that.

    I propose a new version of Brooks' Law: "Adding components to a buggy piece of software makes it buggier."

  • And according to The Cathedral and the 'Bizarre' this sort of development model is supposed to lead to better and more secure software.
    Open source yes, bazaar no.
  • Save Netscape, down with AOL

    hey, this should be moderated as "Funny" z.

  • AOL refuses to release the Gecko browser until the Microsoft case is over. They want to be able to whine in court that Netscape was destroyed by Microsoft when, in fact, Netscape is alive and well. Netscape has had a good standards compliant browser for over a year (Gecko). But Sun/AOL won't allow them to release it because they desperately feel a NEED to hurt Microsoft with Anti-trust DOJ goons.

    Sun/AOL/Netscape decided they will never compete on product merits again. From now on Sun/AOL/Netscape will use Government Goons to do their competing for them.
  • I'd like to take this opportunity to recommend you read The Forum on Risks to the Public in Computers and Related Systems, [ncl.ac.uk] also available as comp.risks [comp.risks]

    What's discussed there is quite relevant here; poor engineering or attempting to overextend what may have originally been a good design appropriate to simpler tasks will result in terrible software problems - security holes, safety hazards and the like.

    Also recommended is the book Computer Related Risks [barnesandnoble.com] by Risks Forum moderator Peter Neumann [sri.com] (ISBN 020155805X). It draws on material from the forum but discusses it in greater detail.

  • I think you have misunderstood the point being made. The article is
    saying that Netscape consists of pieces X, Y, Z developed in different
    companies which are independently well written, but because the
    developers on each team to do not have much insight into the work done
    in the other teams, when it comes to stitch them together a hash is
    made of the job. The advantage of an open development model is that
    the political dimension that prevents openness between the teams is
    gone. Rarely are there developer meetings that you just have to
    attend to know what is going on, instead everyone can follow the
    developers lists and follow the work being done on the related pieces.

    The point doesn't have much to do with quality of developers, but
    is to do with the circumstances under which they work.

  • Huh? The local SYSTEM account has access to almost everything in a default installation. It's essentially Local Administrator minus networking.

    Perhaps you can change this, but my guess is that doing so would break a large number of services that depend on system having rights. It would make more sense to have COM run under an admin-controlled user account.
  • It's not the browser. It's the OS. Over 95% of a web browser should be running with essentially the privileges a Java sandboxed applet is supposed to be limited to. But available OSs don't let you lock down a process that hard. That's the problem. Trusting some gonzo app is never going to work. Serious security theorists realized this twenty years ago.

    This constant discovery of huge holes may finally generate a push for serious operating system security. One can hope. Although neither the Linux nor Windows worlds have done anything that really solves the problem, FreeBSD's Jail(2) [freebsd.org] call has real promise. Note that unlike chroot(2) [freebsd.org], which is for root only, user processes can call Jail(2) [freebsd.org], which makes it much more useful.

    So get busy, get something like Jail(2) [freebsd.org] into Linux, and reorganize Mozilla so most of it runs in jail mode. That will kill the problem, instead of just injuring it slightly.

  • 'The most dangerous, well-concealed, complex, and noteworthy security flaws in the future will be of this sort,'

    Only from incompetent non-college educated programmers who don't properly take into account the emergent properties of a system. Seriously, this is inexcusable and clearly the result of blatant incompetence and a hacked-together system with little, if any, formal design other than AOL insisting on icons to go to their shopping site, instant messenger, and a well-planned feature to report to AOL all the websites you visit. They'll get no sympathy from me.

    Yes, I'd have to agree, if the Mozilla team can stop hacking in worthless features instead of concentrating on meeting the basic requirements of a functional web browser, they could save netscape from itself. But my bet is that Microsoft, using its unfair trade practice of producing a superior product, will end up dominating the free browser 'market'.
    ---

  • I'm gonna have to play devils advocate here, because I see lots and lots of references to how awful Windows NT's security is, yet no specific examples. I'm not saying I disagree, but I want to see some examples. I'm not talking about the Loveletter virus. Tell me a reliable way I can hack my way into Administrator-level account with a Windows NT or 2000 default setup. The exploits I've read about all rely on external programs like ASP or SQL Server. Then again, I've read about lots of Sendmail and Bind exploits as well.

    From my(limited) understanding of the situation, getting Administrator access is a very hard thing to do.

  • No, Mozilla does not rule, have you had a look at the size of the thing, IT IS HUGE!!!! I really wish that mozilla did rule, but it is just too big, that is why Galeon [sourceforge.net] was started, now there is a browser that rules. There is no reason that a web browser should deal with mail/news/irc/everything!!! Lets not go down the IE route with Mozilla and make it an OS!!!
  • by DrXym ( 126579 ) on Friday September 08, 2000 @02:38AM (#795551)
    XPCOM/COM is just an object technology and in itself doesn't make a product any more or less secure than if it were written with Corba or with plain-old DLL exported methods.

    What makes IE so insecure is it's application of this technology to equal what Java was touted to do:

    1. It allows 3rd party COM objects to install and run with complete abandon on your PC. Once installed, that control owns your ass.
    2. It's security model is hopeless - any object marked safe for scripting can be created by any HTML. Even if the control isn't malicious it can be made to do malicious things when you visit a website.

    While Mozilla contains a number of XPCOM components it is not possible for standard HTML to instantiate or exploit any of them. Standard HTML can only instantiate the standard set of Javascript objects and everything else is off-limits.

    Only chrome can create arbitrary XPCOM objects and that's the implicitly trusted "application" that your Mozilla engine is running. AFAIK skins are treated as untrusted content.

    Does that mean Mozilla doesn't contain bugs? Of course not, but it is designed to be safer than ActiveX controls in IE from the outset.

  • At the bottom of that article is says that Netscape 6 is due for release soon. We are only on M18 of Mozilla.. and I believe the milestones go right up to 30 or so? So if we have 12 milestones to go before Mozilla is stable, how can Netscape 6 be coming out soon? Or is this soon as in a years time?
  • by streetlawyer ( 169828 ) on Friday September 08, 2000 @02:47AM (#795558) Homepage
    It always makes you think when you see the words "ego-free" and "Eric Raymond" in consecutive paragraphs. And indeed, this article is a complete piece of boosterism, thin on facts and think on rhetoric.

    Doublespeak: Adding more programmers fragments the knowledge, but not if they're open source programmers, because they have the magic ability to "review each others' code", which is impossible if you have the wrong kind of license. And Brooks' Law doesn't hold because Eric Raymond said so. Better still, he quoted someone else saying so.

    The initial premise is dodgy too; to support the thesis that the component model is to blame, he uses the example of Brown Orifice which comes about because of three things: Java, the Java Core and the Netscape JVM. That's one thing, in my book. Why stop at three? The Netscape JVM is coded in C, so that's a fourth "component". And the Brown Orifice hole serves your files via IP, so that's a fifth. Bollocks.

    The outright lie; Mozilla has been coded "from the ground up". Like hell. If this is the case, why does it have anything to do with Netscape at all? Why, indeed, did the OPen Source Community need to wait for Netscape to open the code base, if there were all these people around who could code a browser "from the ground up". Mozilla has been coded, at best, from the scaffolding.

    And then we get told that all problems will be sorted out in 6.0, for that is based on Open Source. Great. If, say, ZDnet put out an article on Microsoft security and concluded it with "But the next piece of vaporware coming out will surely solve all of these problems", they would be castigated to hell and rightly so.

    A serious lack of critical judgement.

  • by Wakko Warner ( 324 ) on Friday September 08, 2000 @02:47AM (#795559) Homepage Journal
    I just want netscape to go an hour without crashi

    Bus error
    --


    "One World, one Web, one Program" - Microsoft promotional ad

  • Yes it does allow controls to run with complete abandon. Once they are installed and on your machine you have no option but to disable ActiveX control support in IE if you want to stop them running. Once they are running they can do anything they like.

    The medium security level (the default) does at least offer you the chance to prevent third party controls from installing themselves, but that doesn't stop safe for scripting controls getting onto your machine in other ways. For example, if you install MS Office, you'll get several controls like the infamous office assistant which was subject to a security alert not long back.

    So why not bump up the security? Well that's great except it stops other features such as Windows Update and Microsoft's internet-based installers from working properly.

    Your comments about W2K are also misleading. The ActiveX controls (and all in-process COM objects) run with the privileges of the host application since a control is contained in DLL. If you use Run As with IE (the host app) to prevent it access to certain folders then the controls will not have access either. Great, except that W2K still doesn't lock things down on installation. Only a knowledgable user will bother to manually lock things down and even then things could be touch and go.

    For the other 99.999% of users, they're still lumbered with a fatally broken security model.

  • How could, "coders haphazardly interconnecting disparate components without considering how they'll work together." not be considered a bad coding practice?
  • ... adding that only the Mozilla project can save Netscape.

    This is the kind of hyperbolic statement I wish would stop. I don't mean to troll, but isn't netscape pretty much dead anyway? Communicator 4.x is based on a years-old code base which has barely even been tweaked since 1998. And I saw some of this code before release (under NDA for a porting project) -- whoo-ee! It was a mess.

    Which is why they switched codebases for the mozilla project. A bunch of netscape hackers couldn't even make the old netscape engine go. So they dumped it. It's gone. Le Netscape est mort; vive le Mozilla!

    I don't want to use IE, either, even though it's been easier to develop for for the last couple of years (face it - DOM is a lot cleaner than the layer model). But let's stop clammoring for a netscape ressurection. In fact, since the Netscape brand is now just another AOL product, I don't think I'll use it at all. Straight up Mozilla for me, thanks, with a side order of hot-swappable skins.

  • The outright lie; Mozilla has been coded "from the ground up". Like hell. If this is the case, why does it have anything to do with Netscape at all? Why, indeed, did the OPen Source Community need to wait for Netscape to open the code base, if there were all these people around who could code a browser "from the ground up".

    None of the current Mozilla/NS6.0 codebase was used in any previous version of Netscape, and the architecture is completely different. That's what he means by "from the ground up."

    2/3 the programming team are full-time coders employed by Netscape; that's why it has to do with Netscape and why the "Open Source Community" had to wait for Netscape before they had the people who could build it "from the ground up".

    Steven E. Ehrbar
  • Whatever the language you are using to develop large software, true scalability can easily be achieved by using either COM/CORBA or another similar component architecture.

    These components offer a great scalability and abstraction. With those technologies you can easily code in whatever language suits your needs and reuse objects/components that were developped in any language. When used adequatly they are terrific tools/development methods.

    Those are IMHO the way to go and will be for many years due to the exstensibility of these technologies...
  • Sure, and hacking root on a closed down Linux box is nearly impossible...

    Unfortunately you need to turn services on with both OSes, thus increasing the chance that you can break into them.

    IMHO, the greatest resource of the security world is thousands of script kiddies... They make sure that any exploit found is so overused that security people can't help but know about it, thus fixing it.

    If it wasn't for script kiddies we'd have a smaller number of black-hats but they'd have twenty years of unpatched exploits available and nobody would be able to stop them.

    The script-kiddy situation is worse for those on IRC (etc) who attract their attention, but at least with the exploits being made public, banks, the military, ISPs, and other organizations that need robust security can have it, provided they have an administrator that keeps up with their job.
  • This is just personal observation on my home computer. I've got a P3 450 w/ 96 MB RAM, and NS Nav 4.7 is visibly faster than IE 5 at loading & rendering pages. It feels like nearly 2x faster.

    I was surprised because the benchmarks I'd seen said IE was faster in general. But NS is clearly faster on my system.

    If someone tells me how to do timed benchmarks, I'd be happy to run a few for some hard numbers.
    -----
    D. Fischer
  • .. here you are, very likely an experienced linux user (based on lynx, w3m, and mozilla) or at least a seemingly adept Mac/Win user. So why is it a big deal to customize IE for you? Or why is it a big deal to remove VBScripting and Windows Scripting Host?

    I don't think you understand where I'm coming from. While I am in fact an experienced Linux user, I also use the MacOS, Windows95, and WindowsNT Server more often than I use Linux. This automatically places me outside of the scope of this rebuttle since I can just as easily turn those features off.

    The point I was making is that for the general population, the combination of a hard to configure interface mixed with insecure defaults is a Bad Thing. For guys and gals who can get in there and adjust things, its okay. It isn't preferable, but it is okay. For the ones who are just learning that Microsoft Word is not the OS, it's bad.

    My biggest problem is when people insist on using Mozilla or Netscape just because its not IE and not MS. They actually go out of their way to use a product that they usually admit is inferior in many ways just not to use MS. It doesnt make sense.

    So then, if a company sells liquid detergant, also has a blackmarket industry of selling hard drugs, and you don't ethically agree with selling hard drugs -- you are telling me you would go ahead and purchase their liquid detergant anyway with the glaze of saying "well I use the best detergant, it doesn't matter WHO makes it."

    I'm sorry, but I, and many others, find that type of comment much more offensive than the amount of offense you seem to take towards somebody stating that they will not support a company with a bad record, even if it means using a slightly inferior product.

  • From a consumer's point of view, Mozilla makes no sense as an open-source project. It was already free.

    Give the people the power they want and they screw it up by giving more emphesis to skins than to archetecture.

    amateur-source rants/news/general kvetching [ridiculopathy.com]

  • As someone who *designs* rather than programs websites (mostly) I have to disagree with you somewhat. Yes, clients are often kinda clueless and insist on exploding buttons and dancing banner ads, but it's (IMHO) the designer's task to gently steer them away from such foolish notions.

    That said, Flash can be useful: it works (and looks!) the same in every corporate browser (most clients don't care if Linux geeks can't see their site) and it allows for their TV commercial on the web to stand out. Finally, if your designer is *good* at Flash and can actually get some tiny programming done with it without having to resort to PHP or ASP, it frees up *valuable* programmer time for other, more complicated tasks such as database management and the like.

    As with most technologies, the person employing them needs to know what he or she is doing, and often this is not the case. But to say that Flash is by its very nature a great evil is absurd.

  • by Anonymous Coward
    > Document rendering that resembles the code according to the recognized definitions of HTML
    > Anybody from Netscape can feel free to contact me for examples.

    There is something called bugzilla. If you search hard enough on the web, you may even find it.

    In that thing, there is a concept called bug reporting.

    You can use it to actually submit a bug report. You could even set up web space somewhere, with you example of bad rendering. And, you know, you could put this URL in the bug report.

    At this time, something incredible occur. Netscape engineers (which a weenies, as everyone knows) and mozicoders, look at the bug report, and check it. They even make a priority. Rendering according to the standard is considered important by some of those people. Strange uh ?

    After that, some magic take place (which involves sacrifying some goats[.cx]) and the things may get fixed.

    Maybe they should set up another way of doing the things, that would involve having engineers lurking on slashdot, sending mail to random guys according that have problems with the 'recognized definitions of HTML' (note the plural). I beleive you could even suggest that to the mentionned bugzilla.

    Cheers,

    --fred

  • Actually there is now a Linux player for Flash, though I'm not sure it does everything it certainly works OK for the usual annoying front page graphics.
  • I can't say I find IE5 anything other than buggy. And I'm using it right here, right now, under Windows 98, to post this.

    Let's use slashdot itself as an example. It cuts off most stories part-way through. If I have mod points, it smears the comboboxes all over the screen when I scroll, misplaces them and then finally gives up rendering them altogether. Still, not very relevant as I can't use them - when it cut off early, it took that 'Moderate' button with it...

    It frequently screws up so badly it won't let me swap windows properly. It will intermittently refuse to follow links. And it eats resources like nothing else you can imagine. It's just horrendous what it can do to your system and it'll fall over with a fraction of the number of windows I can open from Netscape.

    Communicator 4.0x was a lovely, stable, feature-packed browser. 4.5 was atrocious and could reliably crash the machine totally. They've been getting slowly better since and it's now mostly usable again. Unfortunately, IE has been getting steadily worse for some time...

    Roll on Mozilla.
  • I would like to state upfront that this post contains no content; i know nothing on this subject. My reason for posting is that i hope people who do know things will reply.

    Anyway: Isn't this exactly the kind of thing Eiffel [eiffel.org] is meant to solve? I mean, i haven't looked at it closely yet, but Design by Contract was basically designed for the problem of large, poorly organized projects in which the components were written by people who were not totally certain what the other components were doing, right? The have horror stories in which different components make incorrect assumptions about how the other will work and do Bad Things were what lead to eiffel, right?

    Would the concepts behind design by contract/eiffel have helped with the problems facing netscape, in that objects would be constrained to doing only those things they should be allowed to do? And at the least, those interactions would be clearly defined-- i mean, wouldn't being forced to think out the components and classes specifically in terms of interaction lead to those interactions at least being in some low level way documented-- because at least the question of how should this fit into this has been asked?

    Am i just confused? Please help with any knowledge you may have..

  • And there's another interesting problem with that infamous "runas". It's directly related to COM, and it shows that it's not easy to get an intuitive view for the user concerning the security of these "components".
    You can read about it here [securityfocus.com]. Especially interesting is David Leblancs mail and that of Russ.
    Where do you draw the border when _elevating_ rights with runas (for instance installing something from ms which nowadays often automagically involves Internet Explorer _and_ requires Administrator privileges).

  • It's a 6.5 MB download (win32 installer), once installed the programm takes approximately 15 MB of your harddrive (complete install, including 2 skins). The install does not include the optional jre or any plugins (e.g. flash).

    Once running, your mileage may vary, between 20 and 30 MB used memory in win32 is normal.

    Not bad for an alpha product. It is now nearly feature complete. Due to limitations of linux, the linux version still feels a little slow. However, the win32 builds are quite snappy.

    There are still a lot of minor (i.e. non fatal) bugs left. No doubt these bugs will get the full attention for the next few milestones. As far as I can see, mozilla is nearly (like 99%) feature complete. Some features are a bit shaky.

    The nightly builds are quite good, but you should check with mozillazine before downloading one. Occasionally, after bigger changes, there are some regressions. Don't judge the builds by that because this type of error is usually fixed within a few days. Last week for instance there was a problem with skin switching. Yesterdays build was much better.

    People on slashdot don't understand mozilla. They complain it is bloated, takes too much memory and contains too many features. What they don't seem to understand is that mozilla has to replace communicator and compete with internet explorer and outlook express. All this must be done while remaining cross platform and easy to maintain.

    Mozilla is not a browser, it is a platform. The killer app for this platform happens to be a browser. But there are lots of other interesting applications that it supports. Mozilla's architecture is brilliant. It supports all of the above. That by the way includes a small, fast browser as the Galeon browser proves. The Galeon browser would not be possible without gecko and necko. Once finished these components will find their way to PC's, unix workstations, pda's, settopboxes and maybe even mobile phones.

    I must admit that there were times that I have doubted mozilla was such a good idea. But I've seen the nightly builds. I know it is just an alpha build but still I sometimes forget I'm not using IE. As for IE, my biggest fear was that MS would continue to 'innovate' and 'improve' ie. Yet, all they have done since version 4 is bug fixing and standards tweaking. In essence the 5.5 version looks and feels pretty much the same as the 4.0 version.
  • by Carnage4Life ( 106069 ) on Friday September 08, 2000 @03:11AM (#795604) Homepage Journal
    I read the SecurityFocus article and was impressed by how the article pinpointed what I have begun to fear is a major blight on software development. More and more software is being developed haphazardly without a clear design, coherent engineering or a well defined development roadmap. This is will only get worse with the growing number of people who refuse to go to college [slashdot.org] and learn how to engineer software and instead believing hacking code is all there is to software development.

    Unfortunately instead of the article to then discuss ways to attack the cause of the problem (badly engineered software), it describes ways to attack the symptoms (release the source so bugs can be found).

    There is more to creating robust software than simply testing most the bugs out of a system. Proper engineering practices need to be set in place to allow the extensibility and modularity of the code. Releasing source code may catch buffer overflow exploits and the like but it doesn't solve problems like improper interfaces/protocols being chosen and several other bad design decisions.

    Mozilla has already proved this with the fact that it is a complete rewrite of the original Netscape code. After a year wasted hacking at the code, the Mozilla developers realized that all the Open Source in the world could not change the fact that Netscape Navigator was badly engineered software. Mozilla is better than Netscape not simply because it is Open Source and all bugs are shallow but because it is being properly designed and engineered instead of being a series of unmaintainable hacks like Netscape's Navigator.

    As the saying goes you cannot make a silk purse out of pig's ear.



  • I better go update my resume!
  • I agree. I started with a late version of Mosaic and used Netscape Nav through 4.7. I liked it for philosophical and productivity reasons. But with 4.7, I kept having weird crashes that required reboots.

    I got sick of it, switched to IE 5, and after a week of grumbling, found that IE 5 has a better interface, better features, and is far more stable than NS Nav. The one thing still in NS's favor is that it renders much faster than IE 5.

    But I prefer slow stability over fast crashes.

    I played with Opera briefly, but $30 for a program that seems to do less than my MS "freeware" isn't a good deal. When and if Mozilla produces a stable, full featured browser, I'll switch, but for now, I'm sticking with IE.
    -----
    D. Fischer
  • Vernor Vinge suggests something of this sort in his latest Hugo and Prometheus award winning novel A Deepness In The Sky. One of his characters speculates on the power of providing the underlying layers of increasingly componentized software. Furthermore, Ken Thompson, in his classic article Reflections on Trusting Trust [acm.org], discusses a mechanism for hiding a back door in such a way that it will be replicated with each revision of the software, and the source code for it cannot be found.

    The point I am driving at is that currently these security holes are believed to be accidental. We are not far from seeing instances of them that are deliberately created. Open source offers some protection from that, if the source is actively read by numerous competent people. But when the code is linked from many sources, the program becomes vulnerable to the weakest link in the chain, the least well reviewed library.
  • Why don't you like it beside the fact that it is from M$? I have never had IE5x crash on me, but with Net Comun. 4.61 I EXPECT a crash about once an hour. I mean yeah IE does have some bloated features (actually, A LOT..but oh well) but I really haven't had any problems with it. Just curious thats all..this ain't a troll.

  • hehe... my browser died after that. serves me right:)

    seriously though, this type of thing may or may not be the typical security hole of the future. in fact, if all the components (at one level, say, in netscape) are fully encapsulated and none of them have internal security flaws, it's hard to imagine how a combination of these would allow any breaches.

    however, you can assure this only in the components you're writing or at least have the source code to, which means that open source can make quite a difference, but not because of the "way that components work together", but because if anyone can see how a component works, it will be much more probable that someone will find the hole.

    you can not control all the levels, though. even if we (in few years) get to the point where your computer (used for serious stuff by a fairly advanced user) can be run entirely by OS software, there's still the question of hardware... do we REALLY know what those CPUs are doing? maybe what we need is an open source CPU and chipset?

    z.
  • Geez, the subject line of this post says it all, I guess. ;-)

    Seriously, my attitude has come from the fact that every couple of years I decide I'm being childish & stupid, & I make an attempt to give MS products ``just one more try". And usually within a matter of hours of making this resolution I find I want to drive up to Redmond & adjust the attitude of their design teams with a heavy, blunt object. Or just shoot the lot of them.

    My most recent example: IE's incestuous relationship with Windows 2000. Now I'll admit that I rather liked how information was set out in the File Manager that came in Win 3.1: on one side, you had the directories on the drive set out in a tree metaphor, & on the other side, each file was presented on its own line, with the full file name, file size, time & date the file was last written to, & attributes all in a row. Lots of information at a single glance. And if you were scared to see all of this information, well with a few clicks of the mouse you could change it to a window full of icons.

    A simple, intuitive setup. And Microsoft proceded to start hosing it up.

    First MS started deprecating winfile, in favor of ``Windows Explorer". Since I'm not against change, I grumbled a little, wondered about some of the design implimentations, & ended up learning how to work with this program. I could get my winfile interface, I get the information I wanted how I wanted.

    So life went on. Now in Win2k, though, the Windows Explorer has been replaced with IE. Now I'm no longer looking at a list of files & their characteristics, but at an unnecessary HTML page I don't want. Resize one window the wrong way, & instead of seeing all of the columns, I get a help page I don't need & didn't ask for. Every time I go to another directory, I'm back to a window full of meaningless icons -- as far as I can see, there's no way to set & save my preferences globally. And if I'm reading a page on the web when I decide to verify some files on a local drive . . . let's just say I've been warned about my vocabulary at work.

    Huh? What's that? Why don't I RTFM?? I have, boyo. But that M is truly F'ed. Click on help, & you get choices like about the World Wide Web, or ``Microsoft and the Internet." (But I'm just trying to manage files on the drives in my employer's computer, not experience this irrelevant paradigm!) Using ``Search" on their help pages to get useful information is about as useful as trying to meet Ms. Right with a poorly-written personal ad. The answer is probably out there somewhere, buried in a hint mentioned in an aside while talking about something totally unrelated.

    Microsoft must believe every computer user is a moron, because they work hard writing their user interface down to a moron's level. Everyone else gets confused & either (a) believes she/he is an idiot because she/he can't figure this mess out, or (b) gets just that much more resentful at MS, & resolves to work harder at finding & using a competing -- any competing -- product for their needs.

    Too bad MS is a monopoly. That makes it hard to find competing products in many catagories.

    Okay, okay, I'm done ranting. I've got all of that off my chest, & can go back to work now.

    Geoff
  • by An Onerous Coward ( 222037 ) on Friday September 08, 2000 @03:26AM (#795637) Homepage
    As a programmer who spent several years working with Logo (specifically, fourth to ninth grade), I can tell you that Logo suffers from several fundamental issues that must be overcome before it can become the language of the future:

    1) Lack of multithreading/multiprocessing capability.

    2) Memory allocation is very non-intuitive.

    3) Exception handling is almost non-existant.

    4) The blasted turtle never does what you want.

    I would suggest (and I think my views are shared by a large percentage of the computer industry) that a better programming language for large-scale, team based software design must combine the data abstration of COBOL with the versatility of INTERCAL [caltech.edu].

  • As much as I hate to say it, this is the case with most big open source projects. I work on a very large system during the day (400,000+ lines of code), where everyone is in the same building, and team members are constantly breaking things because they didn't full understand why something was the way it was. "It looked like an easy optimization." "I'll just add this special case code in here to make it work." "I didn't realize that I needed to make call X before call Y." "Oh, _that's_ what that field is for." And this is with lots of whiteboard scribbling and explaining. Heaven help us if we couldn't do that.

    One of the tenets of open source has always been that anyone can go in and fix a bug or make an improvement. Yes, having the source code available is a *good* thing, because it makes a program less likely to disappear as a result of the whims of business, but the whole supposed truism about ease of fixing bugs is not true. As an experienced programmer, I would be scared as hell to track down a bug inside of a program the size of The Gimp or an X server. The odds of breaking something are extremely high.
  • [Disclaimer: I don't work for/on Netscape or Mozilla, I just reported a few bugs]

    You got examples? Fantastic! That's useful info for the developers. So why are you crippling yourself by using PR2?

    PR2 is cool, but it's a packaged beta, and it's already old code.

    You can prepare useful reports on reproducible bugs. Get the latest binary [mozilla.org], check if the problem still exists, then report it straight to the developers [mozilla.org].

    Seriously. You don't need to put Some Faceless Corp between you and the coders anymore. You've got a direct line!

    Have fun,
    Dave

    --

  • The outright lie; Mozilla has been coded "from the ground up". Like hell. If this is the case, why does it have anything to do with Netscape at all? Why, indeed, did the OPen Source Community need to wait for Netscape to open the code base, if there were all these people around who could code a browser "from the ground up". Mozilla has been coded, at best, from the scaffolding.

    That's actually wrong, but it's easy to see why you'd think so.

    The fact is, Mozilla was initially intended to start wtih Netscape's code, which is why they waited for the code to be opened. they, like pretty much everyone else at the time, thought it would be a massive waste of time and effort to start from scratch.

    However, as has been mentioned on /. over and over again, they abandoned the Netscape code and rewrote it. Starting, as they say, from the ground up.

    To use your analogy, they didn't so much use the scaffolding as tear it down and reuse some of the same planks when they built new scaffolding

  • Well said, but...

    Isn't the modularity, and therefor the reuse of code at the root of this problem. Well engineered modules may work very well, but a great deal of care must be taken in the engineering of their reuse as well. It's the hidden or unexpected interactions between modules not originally written to work together (although designed to be reused and well documented) wherein lie particularly insidious bugs.
  • by Lxy ( 80823 ) on Friday September 08, 2000 @04:59AM (#795648) Journal
    This is the same reason I don't run Microsoft products at home. They're not engineered well. No one spends a couple years developing a solid model (flowchart) of how the software is supposed to work. It's kinda like first we build the window manager. Then we build some cool widgets to click on. Then we manage it with the registry. Then we make a cool startup screen. Then we add this extra networking feature, etc.

    Netscape 2.0 was a fantastic browser. It blew the crap out of every browser on the market. NS 3.0 threw in some cool enhancements that although buggy, made it far superior once again. Then IE 4 came out (also badly engineered) and added many more features. Both browsers were equally buggy, but IE4 implemented more features. From then on, both browsers became more fascinated with tweaking the previous version just a little bit more. Mozilla started over, and re-engineered the browser from the ground up. When they finally release M22 (the bug fixed version according to their roadmap) in the year 2039, it will be the most stable browser because it followed a solid engineering process.

    "You'll die up there son, just like I did!" - Abe Simpson
  • by Anonymous Coward on Friday September 08, 2000 @01:59AM (#795650)
    Netscape's problems with maintaining a stable and secure codebase are not to do with a haphazard software design methodology. Their problems are more fundamental than that. In my opinion, Netscape's problems stem from the fact that they coded Navigator/Communicator in the wrong language.

    There have been several recent articles in some of the major software engineering journals, which question the feasibilty of using C or C++ for large projects. C/C++ have been demonstrated to be unsuitable for todays huge software projects, and all other software companies who persevere with C/C++ will eventually run into the same problems as Netscape.

    So what is the solution? The academic community's research advocates the use of a new programming language, Logo [mit.edu], in order to solve the problem of scalability. The amazing levels of abstraction provided by Logo [mit.edu] mean that Logo [mit.edu] is certain to become the major programming language of the future.

  • As somebody who works in an interactive agency, my two cents is that Flash animations are there to satisfy the client, not the user. You'd be surprised how many clients don't actually use the web that much themselves, so they're easily wowed by something that looks like a TV commercial (the Flash presentation) as opposed to something that people will use.

    Francis Hwang

  • I hope they fix it soon

    It's fixed in 4.75.

    Chris
  • by nevets ( 39138 ) on Friday September 08, 2000 @02:07AM (#795655) Homepage Journal
    I'm not saying that the article is wrong. In fact I agree with everything the author states. But I want to add the issue of "speed" to get the product out.

    My experience at work also shows that tight schedules also cause problems. We all have access to the code of our peers but when we are forced to ship the product quicker than as-soon-as-possible we don't take into account what the other programmer is doing. There are those that design the tool that are supposed to prevent this, but if the requirements are lacking, then programmers will do things one way that will cause problems when integrating it to a tool another way.

    Another problem comes when requirements change. Just recently I was on a program that changed a few requirements near the end, and this caused a major design change. With the tight schedule it was impossible to completely test the change to what it should be done. But management seems to think things are some when you change a "simple" requirement and doesn't give a proper budget.

    The open source world doesn't worry too much about schedule. It is willing to produce something better than get the PR of a quick product. I believe open source produces code quicker, but for the quality it seems slow, where closed source can produce quicker than the open source because it hides the things that should have been fixed before the shipment. So this is only a perception that the closed source version was produced quicker.

    Steven Rostedt
  • John Doerr told them to. He saw his investment in NSCP going down the tubes, so he asked another KPCB company to buy them thus converting his huge number of NSCP shares into AOL shares.

    Why do you think AtHome bought Excrete?

    Yes folks, huge swaths of this industry are manipulated by a few people. There are many good reads that illustrate the incredible influence a few VCs have over large parts of the industry. Try Perkin's Internet Bubble.

  • Of course, you gotta mention it in context, he goes on to compliment Linus and acknowledge their differences of opinion based on their different abilities and backgrounds. A good read, the interesting part is about 2/3 of the way down that page.
  • A data point: AOL ran _Netscape v.6_ commercials a few weeks ago on cable. Bad timing or a trial baloon? -- you decide.
  • Been there. Done that. The problems with CSS in Netscape continue to be rampant and, get this, I'm not doing anything special, strange, unique, or otherwise abnormal with CSS. (maybe I should though.)

    The fact is, the Netscape 6 implementation of CSS is, in some cases, a step backwards from the marginal CSS support built into NS 4.x. Additionally, valid tags that are fully developed and documented by the HTML 4.0 specification are not implemented. I absolutely do NOT allow any of those proprietary (MS) HTML extensions in any of my documents yet, IE continues to be a superior rendering engine and interpreter.

    These HAVE been reported via BugTraq and have only gotten worse with successive builds.

    Yes, I will continue to use BugTraq.

    No, I will not continue to expect it to do any good.

    Just give me a functional browser that doesn't have its birth certificate filed in Redmond!!!

  • There aren't enough competent Eiffel programmers to bother.

    Of course, a project like this would be a great way to start up interest in a worthy alternative, and it couldn't have slowed down any more than it already is.

    You have to wonder how long C/C++ are going to continue to hold reign. It looks like at least another thirty years (no joke) at this point.

  • The Linux version is out of date and is Flash only -- not Shockwave. Very annoying.
  • This article has nothing interesting to say. Ever since people started trying to modularise their software, we've recognised that interactions between components are a major source of bugs, because that's where the complexity is. Anywhere you have a lot of bugs, you have a lot of security worries. There is nothing especially insightful about pointing this out again.

    Open source software is no different, of course. Over time it may achieve generally better quality because more people can examine the code, but architecturally it is no different to any other kind of software. Mozilla isn't magically going to be free from security problems.

    The sad, boring truth is that there is no easy way to make complex software secure. Avoiding componentization won't make things better, except that it will probably prevent you from building complex software at all, thus dodging the issue :-). You can swear off complexity and use Lynx on Linux 2.0, but most people want features that are fundamentally complex. Print out all the RFCs and W3C Recommendations for everything you need to get an HTML4/CSS1 Web browser working, and you'll see what I mean.

    Intelligent design, elbow grease and lots of eyes are the only weapons we have. We'd better use them well.
  • Comment removed based on user account deletion
  • by grahamsz ( 150076 ) on Friday September 08, 2000 @02:08AM (#795673) Homepage Journal
    "Oh my god it's falling apart at the seams"

    "Only mozzila can save us now"

    [Cue big green monster]

The finest eloquence is that which gets things done.

Working...