Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror

Comment Re:Oh boy, another infection vector (Score 2) 230

by His name cannot be s (#48261339) Attached to: Windows 10 Gets a Package Manager For the Command Line

'Approved' isn't the right word.

OneGet has the notion of 'trusted' repositories. We're likely to expand this concept a bit in the future, but for now, that's what it is.

Built-in package sources from reputable sources may be marked as 'trusted' by default, but the majority of sources should be 'untrusted' until the user makes that change.

The real trick is getting package provider plugins to tell OneGet the truth if a repository is trusted or not.

I suspect that we're going to have to introduce a level of trust with the package providers too, and expose this to the user ... somehow.

Comment Re: Oh boy, another infection vector (Score 1) 230

by His name cannot be s (#48261163) Attached to: Windows 10 Gets a Package Manager For the Command Line

You've got a really good point.

We're tossing around some notions about different factors that make a 'package' or 'repository' trustworthy.

I'm sure we can do some stuff with signed repositories and signed packages to detect when things 'change' and/or keep unsigned repositories 'untrusted'.

Really, our first target for this stuff is developers and admins, not my mom...

Comment Re: Oh boy, another infection vector (Score 1) 230

by His name cannot be s (#48260817) Attached to: Windows 10 Gets a Package Manager For the Command Line

Well, considering that the chocolatey provider for OneGet points to the community-controlled repository, I'll have to take that as a win :)

The concept of curated repositories is one that we're really trying to come up without screwing it up.

Regardless, with OneGet, the *user* maintains control. Which repositories they connect to, what software they install.

Comment Re:We can do that thing you like (Score 5, Informative) 230

by His name cannot be s (#48260783) Attached to: Windows 10 Gets a Package Manager For the Command Line

Actually, to be perfectly clear, OneGet isn't really a package manager.

It's a package-manager-manager -- It's a unified way of installing packages of software regardless of the how-it's-implemented-on-the-back-end.

The first real package provider plugin is a Chocolatey one. Why re-invent the wheel when the wheel already works?

The purpose here is to leverage all these different sources of software using a common set of commands and APIs.

Anything that can be represented as a 'source' of software can be plugged in on the back end. I'm aiming for plugins for NPM, Ruby Gems, Python, on top of the expected MSI, Chocolatey, NuGet, etc...

Plugins can be written by anyone, and I'm going to great lengths to make it as simple as possible -- it's about ~15 or so functions to implement and we can plug in virtually any package format or service into OneGet.

Comment Re:Respect (Score 3, Informative) 230

by His name cannot be s (#48260565) Attached to: Windows 10 Gets a Package Manager For the Command Line

[FYI -- I'm @FearTheCowboy everywhere else, my /. id is so old that my name got trimmed from "His Name Cannot Be Spoken" 15ish years ago when they did a database adjustment... ]

I have had thoughts on how to do this; I suspect that while we may not set up a repo to do that, I may hack out the instructions on how that could be done easily if one wanted to maintain their own.

It really boils down to how much time I can throw at that.

Of course, we also want it to plug into WU and WSUS, but that'll be a bit more down the road.
Security

Attacking Game Consoles On Corporate Networks 79

Posted by Soulskill from the waggle-the-wiimote-to-lock-it-down dept.
A pair of security researchers speaking at DefCon demonstrated how video game consoles, which are becoming increasingly common break room or team-building toys, can open vulnerabilities in corporate networks. "[They] found that many companies install Nintendo Wii devices in their work places, even though they don’t let you walk into the company with smartphones or laptops. (Factories and other sensitive work locations don’t allow any devices with cameras). By poisoning the Wii, they could spread a virus over the corporate network. People have a false sense of security about the safety of these game devices, but they can log into computer networks like most other computer devices now. In the demos, the researchers showed they could take compromised code and inject it into the main game file that runs on either a DS or a game console. They could take over the network and pretty much spread malware across it and thereby compromise an entire corporation. The researchers said they can do this with just about any embedded device, from iPhones to internet TVs."

Comment Re:I'll follow them here too. :D (Score 4, Interesting) 293

by His name cannot be s (#31785372) Attached to: Microsoft's CoApp To Help OSS Development, Deployment

I do have one question. Why, exactly, do you think that this sort of approach is likely to be easier than doing what Apple did and simply exposing a Posix API that is actually useful?

Because, even if we could get a great POSIX experience on Windows, it leaves out Windows developers.

One of my goals is to get Windows developers in the OSS game.

On top of that, there is a hell of a lot of non-POSIX open source software on Windows that needs fixing too.

Look at it this way: Would you respect someone who told you the best way to get FireFox running on Linux was to use some sort of Windows emulation layer... Like WINE? no, because FireFox *can* compile for Linux. Same thing with nearly all Open Source I encounter. I want to get the OSS quality and experience on Windows to exceed commercial developers... it needs the most love.

Like I tell people:
Working as an open source software developer at Microsoft is like being a preacher in Vegas. I figure I'm in the single most important place in the universe that I can be.

Comment Re:I'll follow them here too. :D (Score 4, Interesting) 293

by His name cannot be s (#31785036) Attached to: Microsoft's CoApp To Help OSS Development, Deployment

think you had no choice to choose the BSD license instead of the GPL. Had you chosen GPL, it is likely the project would have been immediately rejected by Microsoft.

That's not true actually.

I didn't tell anyone what license I was going to use until a few days ago, by which time they'd already signed the agreement.

In addition to that; as a Microsoft employee for Microsoft, I've contributed code to GPL, LGPL, BSD, PHP and Apache licensed projects.

Comment Re:I'll follow them here too. :D (Score 4, Informative) 293

by His name cannot be s (#31784892) Attached to: Microsoft's CoApp To Help OSS Development, Deployment

As for the first five points, yes I'm aware of all of that, and I'm working to solve all of them. Some of them are not possible (mixing compilers has a lot of bad mojo) and some are solvable with some really good best practices.

1/ Microsoft are stopping using WinSxS assemblies for managing the C/C++ runtimes as it is complex to manage and get right;

Ah, Visual Studio is backing away from WinSxS. I read their justification. I didn't buy into it. I think it's a solvable issue.

2/ With XP, Microsoft were selling WinSxS as being able to deploy different versions of the binaries, but for Vista/Win7 they are now saying that WinSxS is for archival purposes (see the Engineering 7 blog)

Uh, what? I've been talking to the maintainer of the WinSxS system. He's fully supportive of my plans.

3/ It does not really work as intended in practice -- e.g. comctl32 version 6 is different in Vista/Win7 than in XP, yet the applications that reference the XP version use the Vista/7 version

It works just fine, as long as you use it correctly; if they didn't, it's not my fault. Some of the tools I'm building will make it easier not to screw up.

Slashdot Top Deals

Friction is a drag.

Close