
Comment Re:The Importance of Being Forgotten (Score 1) 136

The problem with Firefox is that the Gecko codebase is messy and prone to a lot of security problems. It is, if you will, the BIND 8 or Sendmail of the 2000s. In 2009 alone there have been eight critical security holes reported. Yes, Firefox patches these quickly, but having to update a program more than once a month to keep it secure is a real pain in the butt.

Firefox has a very short update lifecycle for a given update of Firefox; if you want to use an older release of Firefox (think enterprise desktops where any software update has to be approved; think live CD or embedded distributions), you have no choice but to place yourself at risk.

Modern HTML + CSS + ECMAscript is so complicated that we can't have someone come forward and write a browser that is security-aware. Safari isn't much better, since it needed two updates already this year, and Opera has had an update this year with a couple of security problems fixed.

So, yeah, to keep a modern browser secure requires running on the update treadmill. I hope HTML + CSS + ECMA stop being constantly updated, new web Acid tests are no longer made every couple of years, and the standards calm down so that browser developers don't have to rush to add new features to their browsers all the time, allowing browser developers to take the time to write secure code.

Comment Sounds like a feature request for Deadwood (Score 1) 264

You know, that's a good feature request for Deadwood, code I'm working on now that will eventually become the next-generation recursive DNS resolver for MaraDNS. Have a feature so that, if we get a given IP over DNS, make the reply a "notthere" reply (It's a bad idea to make it a NXDOMAIN).

MaraDNS is an open-source (BSD licensed) DNS server I've been working on for over eight years; right now I'm re-writing the recursive code. Currently, the rewrite of the recursive code is a tiny (32k) DNS forwarding (non-recursive) cache for both Linux and as a native Windows binary.

My goal is to have full recursion supported by the end of 2009.
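
As an added illustration (not code from Deadwood or from the comment above), here is one way such a filter could work in C: it scans the A records of a DNS reply for a listed IPv4 address and, on a match, rewrites the packet into a NOERROR reply with no records. Reading "notthere" as NOERROR with zero records is an assumption, the names `filter_reply`, `skip_name` and `SAMPLE` are hypothetical, and the sample packet is constructed.

```c
/* Added example: turn a DNS reply carrying a listed IPv4 address into an
 * empty NOERROR reply. Assumption: "notthere" = NOERROR with no records. */
#include <string.h>

/* Constructed sample: reply to "www.example.com A" answering 192.0.2.1 */
static const unsigned char SAMPLE[] = {
    0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,              /* header */
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    0,1, 0,1,                                              /* QTYPE A, IN */
    0xC0,0x0C, 0,1, 0,1, 0,0,0,60, 0,4, 192,0,2,1 };       /* answer RR */

/* Return the offset just past the name at off, or -1 if malformed. */
static int skip_name(const unsigned char *p, int len, int off) {
    while (off < len) {
        if (p[off] == 0) return off + 1;                 /* root label */
        if ((p[off] & 0xC0) == 0xC0) return off + 2 <= len ? off + 2 : -1;
        if (p[off] & 0xC0) return -1;                    /* reserved bits */
        off += 1 + p[off];                               /* ordinary label */
    }
    return -1;
}

/* Returns the (possibly shortened) reply length, or -1 if malformed. */
int filter_reply(unsigned char *p, int len, const unsigned char bad[4]) {
    int i, off = 12, qend;
    if (len < 12) return -1;
    int qd = (p[4] << 8) | p[5], an = (p[6] << 8) | p[7];
    for (i = 0; i < qd; i++) {                           /* skip questions */
        off = skip_name(p, len, off);
        if (off < 0 || off + 4 > len) return -1;
        off += 4;
    }
    qend = off;
    for (i = 0; i < an; i++) {                           /* scan answers */
        off = skip_name(p, len, off);
        if (off < 0 || off + 10 > len) return -1;
        int type = (p[off] << 8) | p[off + 1], cls = (p[off + 2] << 8) | p[off + 3];
        int rdlen = (p[off + 8] << 8) | p[off + 9];
        off += 10;
        if (off + rdlen > len) return -1;
        if (type == 1 && cls == 1 && rdlen == 4 && !memcmp(p + off, bad, 4)) {
            memset(p + 6, 0, 6);       /* ANCOUNT = NSCOUNT = ARCOUNT = 0 */
            p[3] &= 0xF0;              /* RCODE 0: name exists, no data */
            return qend;               /* keep only header + question */
        }
        off += rdlen;
    }
    return len;
}
```

A production resolver would normally also place an SOA record in the authority section so that clients can cache the negative answer; the sketch omits that to stay short.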

Comment Re:First MD5 and now this (Score 1) 152

SHA-256 and SHA-512, Whirlpool and Tiger are all pretty thoroughly-reviewed with no weaknesses uncovered

Tiger actually is vulnerable to a "pseudo-near-collision" ref. No, I have no idea what a "pseudo-near-collision" is, but Tiger's vulnerable to it.

My favorite hash is RadioGatun, but I also like Keccak. I would like Skein, except there is no published variant of it that uses 32-bit words (Whirlpool [1] and Tiger have the same problem).

[1] Yes, you could make a Whirlpool variant with a 128-bit or even 256-bit hash using AES as the compression function, but I prefer to stick to published crypto, since I don't know how to make a truncated differential.

Comment Re:A rant (Score 1) 565

No network, no desktop. A minute and twenty seconds from entering name/password until the desktop appears because Nautilus is hanging for a whole minute. GDM does a similar but shorter hang every time the login appears.

OK, silly question: Why not remove GDM and Nautilus and replace it with XDM and KDE or some other desktop environment?

Another thought: If this is a DNS issue (I bet it is; you can find out if it is with strace), why not set up a DNS server on the localhost that does nothing but send some reply so these programs get the DNS reply they're waiting for. I have a tiny simple DNS server that might fit the bill if this is your issue.

Any reason we're not buying XP licenses and putting Windows XP on these computers?

Comment Re:I love Ubuntu... (Score 1, Informative) 871

You know, this is a common retort: "Windows is hard to install, you have to install drivers after installing the OS; Linux is so easy to install because the OS comes with all drivers"

What Linux advocates forget to mention is that it's really easy to install drivers after installing windows. If you have the disks your hardware came with, it's as simple as "next, I accept, next, next, done".

Another minor detail advocates forget to mention is that, if a given Linux distribution doesn't have your drivers, you're SOL. Nor do advocates mention that each version of Linux has a different driver API/ABI (this is a deliberate decision done by kernel devs) so you can't, for example, use your Ubuntu drivers in Red Hat Enterprise Linux 5.

Linux advocates also forget to mention that the time needed to edit configuration files with arcane formats to get just one thing to work in Linux (such as, say, file and printer sharing in Samba) is far greater than the time needed to install all of the drivers to get a given Windows install to work.

Quite frankly, I would rather deal with the bother of downloading and installing whatever drivers an older version of Windows needs to work (I'm sticking with Windows XP for the foreseeable future) than being forced to install a new unstable version of Linux just so I can have drivers for my new computer.

Comment Re:Only ONE good year of Windows XP (Score 5, Informative) 580

And Microsoft thinks it is OK to discontinue support?

Microsoft is still providing support; security updates will be available until sometime in 2014. There is right now one, and only one Linux distribution available today guaranteed to still be supported in 2014: Red Hat Enterprise Linux (and its knock-offs like CentOS)

The things Microsoft is not supporting are updates Microsoft has been giving XP over the years like giving XP Clear type support, support for WPA2 networks, support for SDHC cards, etc.

New drivers will continue to be available for Microsoft Windows XP for the foreseeable future, it's up to hardware makers to decide when to stop supporting XP.

This, should I point out, is better than the situation with RHEL 5 where new hardware doesn't work since the Linux driver model isn't stable; I tried to install CentOS 5 last week and gave up when I couldn't get drivers for my touchpad (Windows XP, of course, has drivers) nor current stable drivers for my WiFi card (supposedly there are drivers, but the last time I was able to use WiFi with my laptop in CentOS 5, the driver would crash unless I pinged the router every second).

Comment Re:Nonsense (Score 1) 1127

You know, as an open source developer, I think another reply is much more appropriate: "Show me the money". There is an idea that open source developers are somehow under an obligation to give everyone what they want, for fun and for free. Or that the open source developer should fix all bugs their program has.

There is no such obligation.

People are free to download and use my open-source code. It's when they send me email asking for help or feature requests that I draw the line. Sure, I'll help people via private email and I'll implement features, but not without getting paid. Indeed, I've earned a little extra money this way.

Once I let go of the notion I somehow had to answer email privately and deal with people's feature requests free of charge, it's been a lot less stressful developing my software. I believe in open source software, but I don't believe this means I have an obligation to provide free support and to answer the people who want MySQL support or whatever feature doesn't scratch my itch.

- Sam

User Journal

Journal: For real Slashdot users only

/*Placed in the public domain by Sam Trenholme*/
#include <arpa/inet.h>
#include <string.h>
#define Z struct sockaddr
#define Y sizeof(d)
int main(int a,char **b){long int i;char q[512],p
[17]="\xc0\f\0\x01\0\x01\0\0\0\0\0\x04";socklen_t
f=511;if(a>1){i=htonl(inet_addr(b[1]));p[15]=255&
i;struct sockaddr_in d;bzero(&d,Y);p[14]=(65280&i
)>>8;a=socket(AF_INET,SOCK_DGRAM,0);d.sin_family=
AF_INET;d.sin

OLPC Set To Dump x86 For Arm Chips In XO 2 274

angry tapir writes with this excerpt from Good Gear Guide: "One Laptop Per Child is set to dump x86 processors, instead opting to put low-power Arm-based processors in its next-generation XO-2 laptop with the aim of improving battery life. The nonprofit is 'almost' committed to putting the Arm-based chip in the next-generation XO-2 laptop, which is due for release in 18 months, according to Nicholas Negroponte, chairman of OLPC. The XO-1 laptop currently ships with Advanced Micro Devices' aging Geode chip, which is based on an x86 design."

Comment Re:You don't (Score 3, Interesting) 904

You know, as much as I agree with you, I wish it were not so.

More and more things are getting tied to a computer. Back in the early 1990s, a computer was generally used for number crunching and document managing. People (generally) did not use a computer to listen to music, watch a movie, meet people, or to stay in touch with one's friends.

Now people are using computers for all of these functions. It's important that things we need for daily living in the 21st century are not controlled by a single corporation with a known pattern of abusive behavior. Microsoft's latest abusive behavior--suing TomTom for having FAT32 support on their device--shows that the only thing stopping Microsoft from abusing their monopoly are antitrust laws and community activism.

This is why Linux needs to fix the issues that make Linux not a suitable desktop for end users, or why one of the other possible open-source desktop OSes (Haiku, Syllable, etc.) needs to become a suitable end-user desktop.

I use Windows right now instead of Linux because I don't feel Linux is ready for the desktop, but most of my partitions for "extra data" are formatted using the second extended filesystem (Linux's "base" standard file system) and read in Windows using ext2fsd because I don't want my data to be held hostage by Microsoft patents.

So, yes, I really want Linux to succeed.

- Sam

Comment Re:perl (Score 1) 232

OK, don't get me wrong. I used to be a professional Perl programmer and think Perl is useful for a lot of things. The most recent time I made significant use of the "Swiss army chainsaw" is to write a program to split up the large .html files one gets from free ebooks over at baen.com and make them small enough to be usable with my cell phone's built-in html reader:

http://maradns.blogspot.com/2008/11/more-on-nokia-5310-xpressmusic.html

I also still use Perl as a "sed on steroids" when I can't be buggered to figure out how to make a given regex Perl-compatible, such as this real-world example:

perl -pe 's/[0-9]+\/DwMain//;s/\s*//g'

I also have had the privilege of meeting and having dinner with Larry Wall; a very kind person with a very deep and strong faith in God which I respect.

The issue I have with Perl is that it's too big to use in the really embedded space that busybox really thrives in, and is too big to, say, come with the version of MSYS I use. (MSYS is a subset of *NIX for Windows systems that I use when I want the basics of *NIX on a client's Windows machine but don't want to waste time putting Cygwin on their system). My other issue is that Perl code can more easily become unmaintainable "spaghetti code" if there isn't a strong coding style in place and enforced; these days I prefer to use Python when I know a given script is going to be pretty big. Also, Perl's big use when I was a professional Perl programmer, being an excellent cgi-bin language, has by and large been superseded by PHP these days. [1] [2]

Anyway, I don't hate Perl. I still use it; I just feel these days for small stuff sh/awk/sed/etc. make more sense, PHP makes more sense for web monkey applications, and Python (or Java) make more sense for big scripting projects.

[1] Back when I was a Perl pro, I used it mainly for things like data mining and email processing, but that's neither here nor there and from a long time ago.

[2] There is, of course, mod-perl, used very notably by Slashdot. There's also mod-python.

Comment Re:perl (Score 2, Insightful) 232

I've never fully understood why bash is used anymore when perl is around

The right tool for the right job. For example, I've been using sh/bash for a bunch of SQA regression tests for a command-line caching DNS server I'm working on (my current open-source project). Here is one of the simpler tests so you can get an idea of the syntax:

for VALUE in 0 1 ; do

cat > dwood2rc << EOF
chroot_dir="$( pwd )"
ipv4_bind_addresses="127.0.0.1"
upstream_servers["."]="127.0.0.2"
recursive_acl="127.0.0.1/16"
maxprocs=8
timeout_seconds=1
handle_noreply=${VALUE}
EOF

../../src/DwMain -f dwood2rc > /dev/null &
sleep 1
echo handle_noreply=$VALUE
askmara -t 8 Awww.example.com.
sleep 1
killall DwMain > /dev/null 2>&1
sleep 1

done

Now, yes, one could do a test like this in Perl, but all we're really doing is making a file with some parameters we're testing, then running the program being tested with those parameters. Here, DwMain is the DNS server I'm testing and askmara is like dig, but simpler.

I used to be a big-time Perl scripter, but I feel it's usually too big and complicated for the tasks I'm doing.

For embedded systems, keep in mind the Perl core library is well over a megabyte in size; a full *NIX system in busybox (with sh, awk, ls, and pretty much any other command you would type at the command line) is only about 500k in size. This matters in things like routers and mini-Linux distributions (I once made a Linux distribution that was under 30 megs in size that included a GUI and the Firefox web browser).

Also, the thing that annoys me with Perl is that there is no standard that defines how Perl should act; the only standard is the Perl interpreter itself, and this has changed in strange ways that sometimes makes debugging Perl scripts difficult. What guarantee is there that my Perl scripts will run in Perl 6 or what not?

Also, when people add a lot of stuff from CPAN, Perl starts getting into "dll hell".

sh, on the other hand, has its behavior defined by POSIX, and if I make a POSIX-compliant script, there's a pretty good chance it will continue to run for the foreseeable future.

Comment This inspired me to write a tiny *NIX shell (Score 2, Interesting) 232

I saw this article on OSnews this morning, and it inspired me to write a tiny open-source (public domain) *NIX shell, which can be seen at http://www.samiam.org/software/yash.html. I know the busybox guys are looking to rewrite their *NIX shell to be more modular; this code would be a good starting point.

- Sam
