W3C home > Mailing lists > Public > www-tag@w3.org > July 2014

Re: Food for thought (resurfacing)

From: Alex Russell <slightlyoff@google.com>
Date: Mon, 28 Jul 2014 22:02:31 -0700
Message-ID: <CANr5HFXzOS+GaFtbsTRGL1+WCicVyA0tiKzGs2SQcsrVmrt7Dg@mail.gmail.com>
To: Larry Masinter <masinter@adobe.com>
Cc: Marc Fawzi <marc.fawzi@gmail.com>, Noah Mendelsohn <nrm@arcanedomain.com>, Marcos Caceres <w3c@marcosc.com>, "www-tag@w3.org List" <www-tag@w3.org>
On Mon, Jul 28, 2014 at 5:21 PM, Larry Masinter <masinter@adobe.com> wrote:

> > We're not to a fully auto-updating world yet, but are closer than ever
> before and the trend lines are good.
>
> I think the issue (about dynamically loading engines) isn't the number of
> players (one, three, or fifty) but the variety.
>
> Reality check please:
> Is that actually the real world, are the trend lines really that way?


Yes it is.


> Or is it only if you are only looking at the auto-updating subset?
>

Nope. Legacy clients are being replaced with auto-updating clients in
general.


> And if it's true the whole world is really trending toward auto-update
> everything, is it unreservedly "good"?
>

Yes. Yes it is. Old code is pwn'd code.


> Software updates tend to target (and is tested against) recent hardware
> and platforms.
> Software updates are disruptive. Updates fix old bugs but can introduce
> new ones.
> Software updates can be impractical in small-memory embedded systems or
> those with special configurations and requirements.
>

Antiquated systems without the ability to auto-update are the root of all
security and developer-pain evil. They should either be forcibly
disconnected from the network for everyone's good (a requirement which
special configuration environments are often aligned with) or upgraded.


> A fully auto-updating world, or one in which engines are dynamically
> loaded, is good for fully auto-updating / dynamically loading browser
> vendors (whether one or many), but not so good for end users of other
> applications.
>

Given the last 10 years of web (in)security, we absolutely, positively,
100% know better. This might have been a reasonable argument in another
age, but not today. The jury is no longer out.
Received on Tuesday, 29 July 2014 05:03:29 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:03 UTC