RE: Food for thought (resurfacing)

Forget the financial industry, it’s the cost of web access.
Auto update is more expensive than no auto-update, by a great deal.
Devices that auto-update are more expensive than those that don’t.
If web architecture presumes auto-update, if you encourage content authors to create content that presumes auto-update, then there are categories of users you disconnect.

“root of all security evil”: no, auto-update itself admits its own kind of evil
“root of all developer-pain”: no, it eliminates some pains and introduces others

Larry
--
http://larry.masinter.net


From: Marc Fawzi [mailto:marc.fawzi@gmail.com]
Sent: Monday, July 28, 2014 10:39 PM
To: Alex Russell
Cc: Larry Masinter; Noah Mendelsohn; Marcos Caceres; www-tag@w3.org List
Subject: Re: Food for thought (resurfacing)

<<
Antiquated systems without the ability to auto-update are the root of all security and developer-pain evil. They should either be forcibly disconnected from the network for everyone's good (a requirement which special configuration environments are often aligned with) or upgraded.
>>

Tell that to our high-recurring-revenue customers in the financial industry who have just upgraded from IE6 to IE8 and don't feel like upgrading again for as long as Windows 7 lives

The web standards process is too slow and too imperfect for tomorrow's world, which as we know is always approaching. Efforts like NiDIUM prove that innovation cannot be dictated by any one group of people (in this case W3C, TAG and the major vendors who lead them) and disasters like DRM on the Web (EME) are going to countered by a new breed of browser vendors who don't believe in sticking to outdated paradigms like HTM/CSS which were designed for the world of hypertext documents not for serious application development. There will be a time when major browser vendors will have to play catch up with the new emerging paradigms while carrying the burden of supporting the web's legacy technologies Guess who's gonna win that race long term?

The web does. Not the W3C, TAG et al. All these organizations are temporary constructs that have to find a niche place in the complex reality of tomorrow.

Just a verbalized prediction. That's all.






On Mon, Jul 28, 2014 at 10:02 PM, Alex Russell <slightlyoff@google.com<mailto:slightlyoff@google.com>> wrote:
On Mon, Jul 28, 2014 at 5:21 PM, Larry Masinter <masinter@adobe.com<mailto:masinter@adobe.com>> wrote:
> We're not to a fully auto-updating world yet, but are closer than ever before and the trend lines are good.
I think the issue (about dynamically loading engines) isn't the number of players (one, three, or fifty) but the variety.

Reality check please:
Is that actually the real world, are the trend lines really that way?

Yes it is.

Or is it only if you are only looking at the auto-updating subset?

Nope. Legacy clients are being replaced with auto-updating clients in general.

And if it's true the whole world is really trending toward auto-update everything, is it unreservedly "good"?

Yes. Yes it is. Old code is pwn'd code.

Software updates tend to target (and is tested against) recent hardware and platforms.
Software updates are disruptive. Updates fix old bugs but can introduce new ones.
Software updates can be impractical in small-memory embedded systems or those with special configurations and requirements.

Antiquated systems without the ability to auto-update are the root of all security and developer-pain evil. They should either be forcibly disconnected from the network for everyone's good (a requirement which special configuration environments are often aligned with) or upgraded.

A fully auto-updating world, or one in which engines are dynamically loaded, is good for fully auto-updating / dynamically loading browser vendors (whether one or many), but not so good for end users of other applications.

Given the last 10 years of web (in)security, we absolutely, positively, 100% know better. This might have been a reasonable argument in another age, but not today. The jury is no longer out.