Looks like exactly what PostgreSQL's PGStrom project is trying to acheive.

If it was good enough that the market was choosing it as an alternative to Oracle (to the tune of $1billion), I think that's pretty good proof of quality right there (at least as far as the end users' TCO was concerned).

Don't forget the open-source MySQL, which was of such good quality Oracle purchased it for a HUGE amount of money, despite already having a database product (as their primary product no less!).

Yeah, "votes of no confidence" and various fail-safe dissolution rules are two things which I really feel the US government would benefit from. It'd a great way to hold their feet to the fire. That and some other voting system like Instant Runoff. It's weird, because the US Constitution has got pretty much everything else and the kitchen sink thrown in there.

Bitcoin is a rather complex protocol (which I'm not 100% on), so the following is a bit of simplification...

Bitcoin operates as a gigantic transaction ledger (maintained by majority concensus), which tracks the movement of bitcoins between arbitrary psuedonoymous "addresses". To create an address, you generate a ECDSA public/private key pair. The public key is the address, anyone can transfer bitcoins to it. The private key is the control, only someone who has that can move money *out* of that address. The wallet file is essentially just a list of those pairs. If you started using a backup wallet file, you'd have control over all the addresses it has private keys for. If you've emptied any of the them since that backup was made, you'll still have control over the address, there just won't be any money there :)

There's a second (wonderfully useful) wrinkle, though. Due to the nature of ECDSA, you can derive additional public/private pairs from the initial pair, in a deterministic fashion. This allows you to have one master "seed" (e.g. a nice long passphrase) which can be used to generate unlimited public/private keys, without it being obvious that they are even connected to each other. And all you need to take control of any of them is the initial seed value. This means many bitcoin "wallets" are in fact just the seed passphrase... so if you keep it in your head and nowhere else, you have complete control over an unlimited number of addresses, without having to make *any* backups.

I'm sorry, but the entire premise that there is one "best" open source license is completely wrong. Where did this obsession arise to see one license crowned victor over all others, in all situations?

BSD (and MIT and variants) -- I've found they work best for providing backend and reference libraries, which by their nature are trying to provide a standard implementation of something, or at least a standard API. Open and closed sourced projects alike can use and modify it to suit their needs. This means such a library gets the widest adoption over the alternatives (all other factors being equal). This is especially great for server-side programs which want to promote multiple third-party clients - just release a BSD reference client.

LGPL -- A step down, for when you want the adoption level of a BSD license, but your project is complex and high maintenance enough that it needs to keep all the developers focused on a single api and codebase in order to thrive. Graphics libraries like GTK, audio processing libraries like LAME, are a great example of this.

GPL -- Finally, for the same reasons as LGPL, your want everyone contributing back to a single codebase, whether it's because you don't want to give the codebase away to closed source products that then profit from it, prevent brand confusion, or just maximize developer contributions. Mind you, closed source projects *will* choose an LGPL/BSD alternative over this or closed source, so it doesn't make much sense for libraries, etc. Primarily, this is useful for applications, which are vying for user (not developer) eyeballs.

So given they all have different uses that fit better for different project types and target markets, who in their right minds thinks only one of these licenses is correct?

What they need to start doing is sell electric cars with a small, removable, high-efficiency, gas turbine generator for charging.

Build an easy-attach mounting point inside the trunk, with hooks for intake, exhaust, and connection to the battery.

You could leave the thing sitting in your garage 3/4 of the year... and plop in it there when you need to go on a trip. Then you've got the best of both worlds (outside of losing some trunk space).

I suspect (IANA engineer) that you'd have a bunch of weight savings from an engine dedicated to charging the car rather than having the power to push the car directly. Also, the engine could be optimized to always run at it's most efficient RPM, rather than going all over the place during stop-n-go traffic.

I find it kind of odd that all of the analyses linked to in this article go on about SHA512-Crypt, BCrypt, SCrypt, etc, and the slideshow even talks about "Key Derivation Functions"... yet there doesn't seem to be any mention or comparision of PBKDF2-HMAC-SHA512 as a valid password-hashing key derivation function, despite it's widespread use, and that it's one of the core architectural components used in the design of SCrypt.

A developer enters a market and wonders aloud "There are 12 conflict libraries, which one should I target?"

His friend replies: "You know, we should write a single library to abstract away all those differences, so everyone can just target 1 library!"

"That's a great idea!" the developer exclaims.

Now there are 13 conflicting libraries.

it's kinda funny, but webOS comes/came pretty close to what you're describing. Root was accessible by enabling "dev" mode through a special but officially documented code (the konami code for some versions), no cracking needed; the underlying linux os had a number of gnu tools already, and you can use the ipkg framework to install more; then there's Preware, a still thriving open source community / app catalog tool full of free unsigned apps and OS patches which palm and hp both officially sanctioned. The main limitation was that some of the hardware wasn't that well documented.

sigh. My only hope now is that android one day becomes as easy to mod, so getting python and an ssh/http server on my next phone is just as simple.

Relating to webOS phones... I regularly have 8+ browser pages open on my Palm Pre, and I can switch between them quickly with barely a glance and a couple of idly placed swipes with my thumb. I can't think of another ui that would make that work... even on a tablet, the "tabbed browser" interface is clunky. If they'd make a version of Android with 1) that interface, 2) webos's lack of jailbreaking, 3) something akin to Preware and it's offerings... I'd be a lot happier about switching to an Android phone when my Pre breaks.

Actually, the fact that OSX uses SHA512 makes it easy to crack the password (compared to the alternatives).

OSX uses SHA512(salt+password) to generate it's hashes. SHA2 was specifically designed to be highly parallelizable and fast on modern processors, which means brute force attacks are going to proceed very quickly. And as time goes on, and average processor speed increases, that amount of time per cpu (and per $) keeps dropping.

There are four modern password hashing schemes worthy of note: SHA512-Crypt (this is NOT simply SHA512), BCrypt, PBKDF2, and SCrypt.
All of these schemes use a variable number of rounds of their underlying cryptographic operation. This allows the algorithm to stay the same, but the cpu-cost to be increased per hash as computers get faster, or if a user is particularly paranoid and wants to make it take longer to crack.

Many of them (such as PBKDF2) even have properties that make them resistant to preimage attacks on the underlying hash function.

Finally, SCrypt has the unique property of being "memory hard"... it's rounds don't just require a certain amount of time, but a certain amount of memory*time. This makes parallelizing the attack much more costly, as each CPU has to get it's own dedicated amount of memory for the attack.

All of the above are so much tougher to brute force, that the cost of OSX's hash scheme is barely worth notice by comparison. I'm not sure why OSX is using what it is... Linux uses SHA512-Crypt, BSD uses BCrypt, WPA2 and many other things use PBKDF2... all would have been better choices.

Just to provide some links to the "alternative approach" mentioned in the summary:

* The Perspectives Project spearheaded the concept of independant notary servers instead of a chain-of-trust.

* Convergence is another spin on the same concept, by Moxie Marlinspike in fact. (Not sure if it's compatible w/ Perspectives, but I think it is)

I think SCHeckler's point was that $150 - $200 was the right price to sell it at, given what the TouchPad provided. The fact that it cost HP $318 to make something which only had $200 of value to the customer... just shows why selling it at an even higher cost wasn't going to fix anything. They chose the other obvious option, and stopped selling it.

I'd agree that lack of apps was a problem, but only at the $500 price point. Look at how crazily it sold at $99 (and still successfully reselling on ebay for $200)... all of that is happening with the near *promise* of no new apps, and the vaguest homebrew mutterings of "I wonder if we can port Android". I'd argue the lack of apps becomes an increasing concern only when the price starts making the customer think "what else am I getting, besides a ereader / browser?". Which seems to happen around $300.

Not that it's impossible to move tablets without a major app ecosystem. HP had two other choices besides give up: make a cheaper tablet (as you pointed out, that probably wouldn't have worked); or follow the XBox strategy: sell drastically under cost to flood the market, then ramp up the price on the next gen TouchPad2. The gamble is that the initial glut would grow the marketplace to the point that people looking to pay $500 decide the TouchPad2 has enough apps to make it worth it.

For some reason, they tried to start *out* at that point, selling the premium, without any carrot to pull people in. They should have worked their way up to it; but seemed too risk averse to invest the money needed to carve out the mindshare. Not that there's anything wrong with being risk averse, but why did they even try the half-assed way, when the figures should have blatantly showed it was an all or nothing situation?

While I'd like to it not be the case, I'd have to agree with you about the general not-quite-there-yet state of dynamic frameworks. That said, Django's custom ORM leaves much to be desired. Next time you decide to give a python framework a try, pick one which uses SQLAlchemy as it's ORM layer. You'll find it to be a much more sophisticated library (similar to Java's Hibernate). In particular, it has all the features you just mentioned. Not integrating SQLAlchemy is one of the main things that keeps me from using Django... any other ORM layer in Python seems doomed to play catch-up.