Re: Food for thought (resurfacing)

On Mon, Jul 28, 2014 at 5:21 PM, Larry Masinter <masinter@adobe.com> wrote:

> > We're not to a fully auto-updating world yet, but are closer than ever
> > before and the trend lines are good.
>
> I think the issue (about dynamically loading engines) isn't the number of
> players (one, three, or fifty) but the variety.
>
> Reality check please:
> Is that actually the real world, are the trend lines really that way?


Yes it is.


> Or is it only if you are only looking at the auto-updating subset?
>

Nope. Legacy clients are being replaced with auto-updating clients in
general.


> And if it's true the whole world is really trending toward auto-update
> everything, is it unreservedly "good"?
>

Yes. Yes it is. Old code is pwn'd code.


> Software updates tend to target (and are tested against) recent hardware
> and platforms.
> Software updates are disruptive. Updates fix old bugs but can introduce
> new ones.
> Software updates can be impractical in small-memory embedded systems or
> those with special configurations and requirements.
>

Antiquated systems without the ability to auto-update are the root of all
security and developer-pain evil. They should either be forcibly
disconnected from the network for everyone's good (a requirement which
special configuration environments are often aligned with) or upgraded.


> A fully auto-updating world, or one in which engines are dynamically
> loaded, is good for fully auto-updating / dynamically loading browser
> vendors (whether one or many), but not so good for end users of other
> applications.
>

Given the last 10 years of web (in)security, we absolutely, positively,
100% know better. This might have been a reasonable argument in another
age, but not today. The jury is no longer out.

Received on Tuesday, 29 July 2014 05:03:29 UTC