- From: Roberto Peon <grmocg@gmail.com>
- Date: Thu, 14 Nov 2013 12:50:58 -0800
- To: Gili <cowwoc@bbs.darktech.org>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAP+FsNfTvKfPbB34X22anVoJOjXaHjSJhjgbrWk-GqkN8Us-bA@mail.gmail.com>
That has to be one of the funniest things I've heard in a long time! No, sorry, I did actually deal with developers and real deployments. Large numbers of them, actually. Let me rephrase this. Developers WILL choose a solution that is 99.99% reliable with a clear and understandable failure mode over a solution that is broken 10-20% of the time in unpredictable and unfixable ways. Or are debating this and saying that developers will choose to deploy something broken that they can't fix? -=R On Nov 14, 2013 10:37 AM, "Gili" <cowwoc@bbs.darktech.org> wrote: > > It sounds to me like you live in some ivory tower. Most developers suck > (the average developer is not as smart as you). I've seen plenty of cases > where debugging code was left in production systems and never taken out. > > As far as I'm concerned, most developers would pick "easy to debug" over > "reliable" any day of the week, and I also think saying TLS is required for > reliability is unfair. There are plenty of "reliable" services out there > with security holes. That doesn't make them any less "reliable". You will > never *ever* reach 100% secure, which is why I view security as a goal > which exists alongside but separate from reliability. > > Gili > > On 14/11/2013 2:58 PM, Roberto Peon wrote: > > Which devs? > > Most developers that I know will choose "reliable" over "easy to debug" > any day of the week. It is not pleasant dealing with heisenbugs. It is > better to not have to debug. > > In locales where one knows that http2 can work effectively in the clear, > e.g. corporate LANs, one will be able to do so. > > -=R > On Nov 14, 2013 8:02 AM, "Zhong Yu" <zhong.j.yu@gmail.com> wrote: > > > > On Thu, Nov 14, 2013 at 1:21 AM, Willy Tarreau <w@1wt.eu> wrote: > > > On Thu, Nov 14, 2013 at 04:07:07PM +0900, "Martin J. Dürst" wrote: > > >> If I Rob this correctly, this may mean that a future version of IE > will > > >> implement HTTP 2.0 without encryption for http: URIs. > > >> > > >> Next let's say that Apache 3.0 implements HTTP 2.0 which can be > > >> configured to run without encryption (after all, Apache is used in > > >> internal contexts, too). > > >> > > >> What's the chance of this *not* leaking out into the open internet and > > >> forcing other browser vendors to also allow HTTP 2.0 for http: URIs > > >> without encryption? After all, experience has shown that users quickly > > >> abandon a browser that doesn't work for some websites, and that > browser > > >> vendors know about this and try to avoid it. > > > > > > And so what ? It's not a problem. Some browsers will likely implement > > > it at least with a config option that's disabled by default, and these > > > browsers will be the ones picked by developers during their tests, > > > because developers pick the browser that makes their life easier. > > > > And web servers also need to have an option to operate HTTP/2.0 on > > plain TCP to make dev's life easier. It's difficult to see why > > browsers/servers would risk to alienate developers. So most browsers > > and servers would end up with the capability of talking HTTP/2.0 over > > TCP. > > > > > > > > > > Willy > > > > > > > > > > >
Received on Thursday, 14 November 2013 20:51:25 UTC