If you have a Nokia, it's easy enough to flash the stock (8.0) OS back again using Nokia Care Suite. Probably also true for Samsung WP8 phones, which have a Flashing tool and ROMs have been released at least for some of them. Not sure about HTC or Huawei, but the latter has custom ROMs (so it's almost certainly possible to go back) and the former has *historically* had lots of flashing tools and at least stock ROMs available. Not sure for WP8 though.

I suspect you meant that sarcastically, but if system software (meaning OS kernels, network stacks, device drivers, etc.) were written in better languages, our computer systems could be far safer and more robust, quality of life could be better, and the benefit to productivity and the global economy could be substantial.

For the computing industry, it is one of the great tragedies of our time that C and its derivatives have become so entrenched. There is absolutely no reason we can't have a systems programming language that offers the necessary low-level control without the limited programming model, error-prone syntax and weak safety features of C.

Unfortunately, it is momentum and ubiquity that keep most of the industry using C and its brethren, not technical merit. The vast ecosystem surrounding C is hard to beat for scale. There is promising work being done in some places, Rust for example, but I know of no practical alternative that is ready for production use today.

Of course, OpenSSL itself isn't running at the level of an OS kernel, so it doesn't need the same degree of low-level access anyway. But there is a wider point here about much more than just OpenSSL.

Please read what Raymond actually wrote in The Cathedral and the Bazaar. My criticism applies equally to his more formal definition of Linus's Law, and to his extended argument as a whole.

No-one (sensible) claims that any code review process will find absolutely all bugs. But Raymond's article seems to be arguing that having enough developers and testers on a project will inevitably get you very close.

And yet, we are talking about this in a discussion about a severe bug in one of the most widely used OSS projects on the planet that went undiscovered (or at least unreported and unfixed) for years.

But how many FOSS projects really have diligent review of all their code by anything like that many people? For many projects, getting a change accepted requires only the approval of one or two others. Activities like the current detailed review of TrueCrypt are the exception, not the rule.

If you really want a dramatic improvement in catching these kinds of bugs and you've already got a respectable code review process in place, you'd probably do better by considering complementary strategies instead of pursuing ever diminishing returns from throwing more people into the same informal code review process. Choose safer programming languages that don't admit certain kinds of programmer error in the first place. Employ formal methods to make sure the underlying algorithms are sound. Adopt different testing strategies.

Sadly, using safer programming languages is still swimming against the flow of mainstream programming tools, while using formal methods or many testing strategies outside of having an automated unit test suite sounds like heavyweight design to some people, and this upsets all the newbies who think being "agile" and "moving fast and breaking things" are the way you make good software when quality really matters.

Improving software quality is in significant part a social problem, but the solution is not requiring more people to be reviewers, it's getting more people to understand that just having more reviewers is not enough.

No, it isn't. It's nonsense and it always has been.

There is plenty of evidence for the effectiveness of good code reviews, but most of it shows rapidly diminishing returns with the number of reviewers. You get much of the benefit from having even one or two additional people read over something. By the time you've had more than four or five people take a look, the difference in effectiveness from adding more barely even registers, unless one of the additional reviewers has some sort of unique perspective or expertise that makes them not like the others.

Given that almost every major FOSS system software project has had its share of security bugs, there is really very little evidence to support Raymond's claim at all. It's not like it has ever been taken seriously outside the FOSS fan club, but there are a lot of FOSS fans on Slashdot, and so plenty of comments (and positive moderations) reinforce the groupthink as though it's some inherent truth.

6.1.6 was only released for devices that cannot run iOS 7. If you have a device that can run iOS 7, you had to upgrade to iOS 7 in order to get the important security fix, even if the device had iOS 6.x at the time. There was never an iOS 6.1.6 released for iPad 2 or 3, for example.

If they had released an iOS 6.1.6 for iPad 2/3, it would've allowed downgrading from iOS 7.x to iOS 6.x then jailbreaking, something Apple hates with a passion.

Space launches are tricky! SpaceX has an excellent mission success record so far, but a lot of that is because they're really, really careful around things that could cause a failure (distinct from an abort).

It's disappointing for sure, but it beats having a rocket blow up or lose control in orbit or something. That probably will happen eventually, but with any luck there will be a long-established safety record by then.

A good strong PBKDF2 is probably sufficient, but yeah, 2k rounds is pathetic. iPhones were doing better (admittedly, their passphrases tend to be very short) several years ago, and that's on a mobile CPU. Having a limit of 2k rounds doesn't even make sense, it's not like it's harder to code it for more rounds or something. The only real limit should probably be 0xFFFFFFFF rounds (assuming 32-bit ints) because why have a limit at all?

You are an idiot, several times over.

For one other, not everybody is fanatically partisan. I don't like Eich because he wanted to enshrine religiously motivated discrimination into law. I support gay marriage, and will continue to do so until the law gets out of marriage entirely and makes all the benefits which legally married couples receive instead available to everybody. I use Firefox just as much as I used to (it's not my primary browser, but I keep it installed and use it semi-regularly). The Democratic party receives more of my votes than the Republican party but I do not like Obama, Hillary, or the DNC; I voted for a third-party candidate. I will call anybody acting hypocritically a hyprocrite. For example, you took a non-partisan discussion (equality and corporate politics) and tried to imply that it was partisan (specifically, that Microlith is a blind supporter of the Democratic party) when in fact you just revealed your own partisan bias without refuting a single one of Microlith's points.

Flamebait doesn't have to be off-topic. Off-topic stuff is supposed to get modded off-topic, not flamebait. Flamebait is saying things to get people pissed off, like talking about Congress outing and ostracizing religious people, and linking to a news story about the "gay mafia" (about as idiotic a term as I've ever heard).

The other of the post emself admitted it was flamebait.

You distort facts to imply that they mean something other than what they mean, then act like you expect us to believe your "interpretation". For example, I don't really care what the Democratic party claims - I don't vote any party's line (nor do I support Obama generally speaking, except by comparison to some), and I look at voting records instead of claimed positions - but I doubt you'll find many on either side of the aisle who disagree with the claim that they support the constitution. The constitution explicitly gives the Judicial branch the ability to do what it did to Proposition 8 (overturn it on the basis of higher law). This is to prevent the tyranny of the majority over a disliked minority group, which is one of the obvious failures of a pure democracy. As for "activist judges", you do realize that 5 of the 9 current justices were Republican presidential nominations, right?

Oh, and lots of people who call themselves "orthodox" or "fundamentalist" members of the religions you listed are fine with gay marriage. *Your* view might be that this is inherently contradictory, but their view is that however unrighteous those people are is a matter between them and God but secular law should be fair to all, or that a God of love would not turn His back on somebody on account of who they love, or any of many other arguments. You will probably find many more such people like that than you will find people who believe that the wrathful or gluttonous are nearly so bad, and that (heterosexual) adulterers deserve death. As such, it is quite obvious that religious folk can go about their daily lives without trying to enforce their religious beliefs on others. If you personally cannot, that is a failure of you personally, not of society or even of religion.

Oh, and the bit about tolerance? You really didn't think that part through, did you... it's about creating a tolerant society, not about personally tolerating everything. You present a false dichotomy: tolerate everything including intolerance, or don't be "about tolerance". Try this thought on for size: "we advocate tolerance towards every individual's nature, but oppose those who choose to be intolerant of the nature of others." It may help some people to think of it as advocating tolerance towards the ways in which God created us, and opposing those who are intolerant of some of God's creations. After all, sin is supposed to be about (making the wrong) choice, right? Are we not innocent and pure, until we choose to be otherwise? Well, religious belief is a choice. Sexual orientation is not.

Finally, there's the fact that you cite Fox News, which is just stupid around here. Even assuming that the story was both accurate and unbiased (having read both sides, Fox's account is generally the first but far from the second), that's just asking for trouble. The stories were widely reported; you can find better sources than that.

For the first story, Emmanuel is, to the best of my knowledge (though IANAL), not allowed to deny or revoke business licenses on the grounds of an implied intention to discriminate; an actual act of discrimination or at least a policy requiring it would be required first.

For the second story, that's straightforward: if you run a business open to the public, you are not permitted to discriminate against certain classes of people and refuse them service. This has probably been law since before you were born, in the case of racial discrimination (incidentally, at least one religion in the US held that black skin was the "mark of Cain" and thus they were justified in refusing to interact with them) and for that matter in the case of religion (which, unlike skin color or sexual orientation, is a matter of choice) or several other classifications. Oregon had simply expanded the list of classes against which a public business may not discriminate to include sexual orientation. If "Sweet Cakes by Melissa" had in fact been a Christian bakery - that is, a religious entity only open to Christians - they would probably have won their case. They were not.

For the third story, I'm amused that you chose an article that, aside from using a deliberately inflammatory leading question as a title, really doesn't support your views at all. The conclusion of that article is essentially thus: "he stepped down because of internal opposition to having somebody whose expressed views were contrary to company policy running the company". Or, in a simple answer to the title headline (and usually the right answer, when a headline asks a leading question): "No".

I'd congratulate you on reading something other than Fox News, but it looks like you didn't actually read that article before linking it. Oops.

Offtopic warning
Speaking of Fox News' credibility (off-topic but it was fun doing some research), I'll grant that the popular version of the story of Fox News winning a court case on the right to intentionally spread lies appears to be misleading, but some digging suggests that Fox does not, in fact, believe themselves under any requirement to tell the truth. The Fox News station WVTV was sued after it fired two reporters for threatening to tell the FCC that they were being required to insert untrue material into their news stories. WVTV won the lawsuit (on appeal) on the grounds that the reporters where not whistleblowers (which would have protected them) because “We agree with WTVT that the FCC’s policy against the intentional falsification of the news – which the FCC has called its “news distortion policy” – does not qualify as the required “law, rule, or regulation” under section 448.102.”
http://www.campaignfreedom.org... (see comments as well)
http://www.relfe.com/media_can...
http://www.foxbghsuit.com/sj04...
http://www.spj.org/a-ethics.as... (1998)

Normally I might agree, but Firefox doesn't need to market in the same way that other companies do. Their income comes from very non-traditional sources, and their products are free. That's not to say I *like* the idea of marketing running the place, but I think it's better than it sounds. Mozilla's marketing has been about awareness, much more than about trying to sell something.

Oh, please. OS X / Darwin's implementation of the Unix standard is screwier than half the Linux distros I've used. It's the same from Mac to Mac, sure, but that doesn't mean much; the same applies from SLES machine to SLES machine or from Nokia N900 to Nokia N900. Their filesystem layout is weird, they don't use standard files for some things, or do so bizarrely (some years back, I found their fstab manpage to be wrong and the file itself to be basically useless). Their user system is not entirely conventional.

There is no such singular thing as "the real Unix command line" but I could get a (descendent of) Bourne shell on versions of NT earlier than OS X existed.

The cool feature of Pacemaker is that it checks TLS *clients*, actually. There are other tools for server checks (one of which is included with Pacemaker) but it's actually very important to make sure any clients you have are invulnerable to Heartbleed as well. Software that ships with bundled or integrated OpenSSL libraries - and I've seen quite a few - could be vulnerable to this.

If the server (or client, for that matter) was hit with Heartbleed *during* (or shortly after) the session, the symmetric encryption key may have been retrieved and an attacker who had recorded the whole session could then decrypt it. If the session was ongoing and they were in position to do so, they could MitM it.

Similarly, if the attacker used Heartbleed during the key exchange, they might have leaked the private information (from either endpoint) needed to derive the symmetric key, even if for some reason they didn't get they key directly. Same impact as above.

If the attacker had used Heartbleed to steal the authentication private key prior to your session, they could have hit you with a MitM attack (appearing to be the authentic server) and you wouldn't have known.

If the attacker recorded your session but did not MitM it *or* use Heartbleed on the server while the symmetric key was in memory, you're safe (even if they stole the private key beforehand, much less afterward). That's the beauty of PFS.