ECMAScript ("Javascript") Version 4 - FALSE ALARM

Ian Petersen ispeters-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Tue Oct 30 16:47:29 UTC 2007


On 10/30/07, D. Hugh Redelmeier <hugh-pmF8o41NoarQT0dZR+AlfA at public.gmane.org> wrote:
> See how complexity was my friend?
>
> His theory was sound but the engineering was difficult because of
> complexity.

I think you and Lennart have both raised basically the same point.
You're pointing out that the new language is more complex, right?  And
Lennart is pointing out that an interpreter for a new language is
complex.

I can't argue with either of you.  New code is always buggier than old
code.  I suppose I have to concede the point that adding a new
language interpreter to existing browsers is going to open new bugs,
and perhaps re-open old bugs, merely because adding a new language
requires adding new code.

I think the problem of complexity is different from the "problem" Walt
has raised.  He outlined a three-step plan where first you pretend
there are no problems in a script-enabled web, then you find a problem
in the script-enabled web, then you patch the problem and go back to
pretending there aren't any.  This is a social problem and has nothing
to do with the fact that a new language interpreter will introduce new
bugs (as would any other feature, such as supporting CSS3 or HTML5).
If anything, maybe we'll get some new blood in the development stream
and they'll realize that new code brings new problems, and so they'll
stop pretending that there are no problems.  I'm an optimist, so don't
expect anything.

Walt ended his message with two questions with answers that everyone
can agree on.  His questions have nothing to do with the language
features in the new version.  Running a program that goes out onto the
public web, downloads a random scrap of text, and then executes it is
a dangerous activity.  You're trusting your machine to someone else's
code and the language they've chosen to write it in is pretty
irrelevant.  Frankly, when I explain it that way, it sorta sounds like
downloading the latest release of Ubuntu from some random repository
and running it, only when you run the latest Ubuntu, you're giving
free access to the entire filesystem, rather than the downloaded code
having to steal that access.  Scripts in web pages are different from
open source code--I haven't thought much about the last sentence, so
the analogy probably dies pretty quickly under inspection--but
consider that when an open source app is found to have a security
flaw, the language used to write it is mostly irrelevant.  (Of course,
you sometimes get people saying things like "See! You should ditch
C/C++ because of pointers!!! ZOMFG you can't get buffer overruns in
Java/Python/Ruby/Perl/brainf*ck!", but that's different, I think.)

Anyway, as I write this, Chris Browne has reiterated my point but this
time with eloquence, so, uh, "what he said".

Ian

-- 
Tired of pop-ups, security holes, and spyware?
Try Firefox: http://www.getfirefox.com
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
