ECMAScript ("Javascript") Version 4 - FALSE ALARM

Ian Petersen ispeters-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Tue Oct 30 07:18:26 UTC 2007


On 10/30/07, Walter Dnes <waltdnes-SLHPyeZ9y/tg9hUCZPvPmw at public.gmane.org> wrote:
> The concept of code from an even more powerful language (I don't care
> whether it's ES4, or Silverlight, or whatever) being downloaded to, and
> executed on, my machine has me very concerned.

The parts that I've snipped raise some very valid concerns regarding
the security hole that is Javascript in the browser.  What I fail to
see is how adding optional static typing and some syntactic sugar to a
Turing-complete language makes this problem any bigger than it already
is.  There are lots of reasons not to allow Javascript to run in your
browser and you've done an excellent job of explaining them to all of
us, but the implication that these language revisions will lead to
more problems, bigger problems, or problems that are harder to solve
seems to me to be nothing more than fear mongering.

Walter, I don't know your background, so sorry if you already know
this, but once a language reaches Turing completeness, the only way to
make it "more powerful" is to make it aesthetically better in some
dimension.  Maybe you make it more expressive so the same algorithm
takes less code.  Maybe you make the interpreter better so the same
code runs faster.  Maybe you make the language easier to read so it
takes less time to get back into the code a month after you first
wrote it.  In the case of Javascript in the browser, the only change
these three things imply is that something will be faster--if the
code is more compact, it'll download faster; if the interpreter is
better, your credit card numbers will be stolen more quickly; if the
code is easier to read, then a computer forensics person will
understand the exploit more quickly after his honey pot gets owned.
Nothing new will happen, old stuff will just happen faster.

I guess what I'm trying to say is that the problem is merely
different.  It's not bigger or smaller, it's different.  For the
people that prefer to experience a script-enabled web, the new
language will make it easier for script writers to provide a rich
experience.  For the people who prefer to run NoScript, they can
continue to run NoScript and still have the script-disabled web.  For
the people, like me, that think Javascript is a nifty language with
uses outside the browser, the new tools in the new language will make
database migration tools and code generators and build scripts easier
to write.

Ian

-- 
Tired of pop-ups, security holes, and spyware?
Try Firefox: http://www.getfirefox.com
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists




