I was scanning this, and some of the claims involved deserved some
reaction.


On Sat, 23 Sep 2000, Nasser Dassi wrote:

> > (Anybody ever seen the BNF for the VB language, or a spec on VB/ASP from
> MS???)
>   * Specs?  Yes.  It's a matter of finding it... they don't advertise it,
> but they do have specs published.  It's a matter of actually looking into.
> Research before making outrageous claims.

Yeah, advertising specs is always something you want people to have to
search for, instead of making it easily available.

> > When will the *SOURCE CODE* to ASP or ASP+ MS implementation be available
> anytime soon?
>   * Patience.  As with open-source releases, you cannot have access to
> something if it's not finished yet.  If Linus Torvalds hasn't finished a
> looping process in his code, will you blame him for not releasing what he
> already has completed despite knowing the non-completion of necessary
> code????

Hmm, I'm unaware of MS having any intention of opening or releasing the
source code to a cash cow - that'd be stupid from a business standpoint,
IMHO. They have a distinct reason for making the spec not-so-easy to
find; if you know exactly how it's supposed to do things, it can be
reverse-engineered and the profit goes down from competition from other
sources.

> > What open process is in place so that I, as an ISV, can make
> recommendations to ASP or ASP+?
>   * How can anyone critique something not-yet widely available?  There are
> many comparison charts published in various publication outlets (online, and
> off) that discuss such issues.  LOOK 'EM UP!

You say "not widely available," indicating that it's (ahem) "narrowly
available." Is this the case? If so, MS is a lot more stupid than their
previous record indicates.

>
> > JSP... They have choices and options because its an OPEN architecture.
>   * Again, open-ness is not always a SECURE thing.  It's rather dangerous.

I was willing to ignore this email until I hit this. This is a retarded,
slanted, IGNORANT statement.

Simply put: there's NOTHING that's "always secure." Period. You can point
to OpenBSD and its reputation for FANTASTIC security... and then you'll
find security alerts with it. In fact, those security alerts are
marvelously instructive, some of them covering issues that are amazingly
convoluted, on the order of "On the second Tuesday of February, if it's
the 8th, and someone mallocs exactly 624 bytes while using sbrk()
manually..." - these aren't situations that just come up commonly enough
that people notice them. This is an open process, where lots of concerned
eyes examine the code. Notices are sent out as soon as a bug is found,
rather than as soon as the fix is available; that's also openness.

On the other hand, you have closed systems... where the concerned eyes are
mostly concerned with "can we sell it?" I'm a capitalist, but I'm also a
realist - if it doesn't affect the bottom line, it won't get fixed, with
squeaky wheels getting the grease, etc. The attitude of closed source
(commercial) products, more often than not, is "despite this hole or
bug, will people still buy it?" If the answer is "no," the hole is
plugged. If the answer is "yes," then it might get plugged. (See the
difference?) In fact, how many times have we found out about a bug in a
commercial program only to have the company say, "We knew about that a
while back." My question: WHY THE HECK DIDN'T YOU TELL US ABOUT IT!?! With
open projects, bug reports are more common. That *does* tend to make them
*more* secure on the whole, because it's a "published itch" and you've got
lots of people just itching to get their names in the codebase.

> > Forget the MS stuff... No one wants to be limited by a closed
> architecture. Let's put
> > it this way, if you're pissed with the bugs or performance of your NT based
> > ASP implementation, what alternatives do you have?
>   * Security, security, security.  Does nothing stated make any sense??  If
> no one knows the actual, line-by-line code of a program, that means there
> are less people who can actually break it apart.  However, if the entire
> code base is available, then more people can see how things work........ and
> how to break them down.

Oh, man, this is sad. I know people who can break NT (hack into it) in
about ten minutes... and have been able to exploit the same holes for a
few years. Yeah, security, security, security. At least *NIX makes hackers
learn something new all the time... and published reports of security
failures cause *NIX to improve all the time.

To close: It's okay to like ASP over JSP, especially if you're more
familiar with it or are happier with aspects of it. JSP is necessarily
aimed at a slightly different market. However, security isn't the issue -
not when you're talking about NT. ASP grows because it's simple. ASP sucks
because it's simple. (PHP has the same issue, for example - lots of people
use it because they can be brainless and get by.) JSP grows because the
market needs something distributable that doesn't require the same
platform everywhere to distribute on. (Plus, IMHO, the taglib stuff makes
it rock... and I'm unaware of an alternative in ASP, but I don't know ASP
very well. That's why I didn't waste any time criticising ASP in this.)

-----------------------------------------------------------
Joseph B. Ottinger               [EMAIL PROTECTED]
http://cupid.suninternet.com/~joeo      HOMES.COM Developer
