ECMAScript ("Javascript") Version 4 - FALSE ALARM

Walter Dnes waltdnes-SLHPyeZ9y/tg9hUCZPvPmw at public.gmane.org
Tue Oct 30 05:11:31 UTC 2007


On Sat, Oct 27, 2007 at 01:04:01PM -0700, Brendan Eich wrote

>>> Many of us are very concerned that the language we love is being
>>> rewritten under our feet."
>
> Love is important, it's what keeps a boat in the air (Serenity).
>
> This sounds all heartfelt -- but it's phony as a three dollar bill! ES4 is 
> a superset of ES3, with optional new facilities. It does nothing to "the 
> language we love" but supplement it where its weaknesses are manifest to 
> anyone who has written large programs in JS. No one is required to use the 
> new features, nothing is lost from the common core language.
>
> I created JS, so I can speak more authentically than whoever was quoted 
> above: I love JS too, quirks and all, but the idea that it should be kept 
> small, like a Toy Poodle, while giant companies such as Microsoft and 
> Yahoo! are purveying and propagating onto the Web proprietary Rottweiler 
> languages -- JS-beating programming languages with ES4-like features -- and 
> even hyping such languages against JS (see the rigged C# chess demo from 
> Mix07 that MS wrote to show up the JScript version of the same program: 
> http://primates.ximian.com/~miguel/pictures/mix-chess.png) -- this is a 
> breathtaking imposture.
>
> Sure, keep JS small in your hearts. But please, don't kid yourselves that 
> it has not reached the big-time, or that it and the open web standards it 
> works with to enable Ajax apps will survive the onslaught of proprietary 
> competitors, unless JS and other open standards evolve significantly.

  Just to let you know where I stand in this battle, my position is
neutrality... i.e. the Pox on both your houses.  Even in the case of
the current ES3, I am uncomfortable with the concept of Joe Random
Webmaster (let alone Comrade Joe "Russian Business Network" Webmaster)
being able to download code to, and execute it on, my machine.  One reason I
left Windows for linux (and why I run Firefox on my Windows machine at
work) is to get away from "Active-Hacks" downloading and
auto-executing hostile code on my machine.

  The concept of code from an even more powerful language (I don't care
whether it's ES4, or Silverlight, or whatever) being downloaded to, and
executed on, my machine has me very concerned.  You wax enthusiastic
about a bigger, better Javascript.  If everybody shared your enthusiasm,
"NoScript" would not be one of the most popular extensions for Firefox.
Java at least acknowledges that powerful code from another machine might
be a security risk, and tries (not always successfully, mind you) to
sandbox it.  Having written the original Livescript, I assume you were
part of the original group that decided that since Livescript had so
little power, it didn't need no steenkin sandbox.  The current version
has a lot more power than Livescript 1.0.  The lack of a sandbox has
resulted in a continuing repetition of...

1) Ignore people who tell you to run with Javascript disabled.  They're
just a bunch of ignorant stick-in-the-mud Luddites.

2) A zero-day Javascript security hole is discovered.  Woop, woop, woop,
alert, alert, alert.  All the security types warn people to turn off
Javascript until the hole is patched.

3) The hole is patched, and the all-clear is sounded.  Go back to step 1.

  Rinse, lather, repeat... and then you wonder why people don't like
Javascript and its kin.  Variants of "Ecmascript" have had their own
security problems.  Adobe/Macrosoft's "Schlockwave-Trash" has
"ActionScript", which has had some security alerts.  There's Microsoft's
VBscript/Jscript which has helped out with "drive-by-downloads".  And
let's not forget Microsoft's (in)famous WSH (Windows Scripting Host).
My last internet-connected Windows machine at home (running Win98SE when
I switched to linux in 2000) had lines in its AUTOEXEC.BAT to delete WSH
(both the Windows and DOS versions) on bootup.

  Let me ask you 2 questions...

1) do you believe the average person browsing the web is competent to
run an ssh server and let anonymous, possibly malicious, users run bash
scripts (or windows batch files, whatever) on their machine?  I assume
your answer will be "NO".

2) do you believe the average person browsing the web is competent to
run a javascript server and let anonymous, possibly malicious, websites
run javascript on their machine?  Why isn't your answer "NO"?

-- 
Walter Dnes <waltdnes-SLHPyeZ9y/tg9hUCZPvPmw at public.gmane.org> In linux /sbin/init is Job #1
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists