
Re: Novell Does What 10 Years Of Advocacy Has Failed To Do

  • Subject: Re: Novell Does What 10 Years Of Advocacy Has Failed To Do
  • From: Roy Schestowitz <newsgroups@xxxxxxxxxxxxxxx>
  • Date: Sun, 07 Jan 2007 21:37:50 +0000
  • Newsgroups: comp.os.linux.advocacy
  • Organization: schestowitz.com / Netscape
  • References: <b6OdnVRbwIlFaQDYnZ2dnUVZ_sudnZ2d@speakeasy.net> <1168000754.20618.0@proxy00.news.clara.net> <1168197771.816967.78210@v33g2000cwv.googlegroups.com>
  • Reply-to: newsgroups@xxxxxxxxxxxxxxx
  • User-agent: KNode/0.7.2
__/ [ Miguel de Icaza ] on Sunday 07 January 2007 19:22 \__

> Hello,
> 
> A few corrections:
> 
>> That is a great shame, because not only is SLES10 a great product, but the
>> direction of other development areas in Novell (pre-MS agreement) was
>> right not only for Linux but also for the Internet. A lot has been lost
>> since that agreement was signed.
>>
>> The withdrawing support for mono for example. Pre-agreement Novell were
>> all for it, putting in resources and programmers.
>>
>> Why mono? Well we all know of MS's 'Keep Linux out of .NET' policy, but
>> also .NET2 is not that great an implementation of the interactive web site
>> idea.
> 
> There has not been any support withdrawn from Mono.   The entire Mono
> team continues to work on Mono.  Not only that, but we have new
> engineers working on new areas of Mono as well.
> 
> I know a thing or two, because I happen to be the Mono manager at
> Novell.


That said, the general consensus among those who are not Novell customers
(this may, as a matter of fact, include those who used to consider
themselves part of the Opensuse community, me included) does not seem to fancy
this legal minefield. In your deal, for example, the acknowledgement that
patent exchanges are justified only gives credence to prospective
allegations and demands. Also confer:

Red Hat Doesn't Want Mono  

,----[ Quote ]
| There are a lot of great new programs and innovations expected
| in Red Hat Enterprise Linux 5. The Novell-led Mono project isn't
| one of them.
`----

http://www.internetnews.com/dev-news/article.php/3644981

Additionally see these:

"With this agreement, you have turned your back on the rest of the
Linux community by deciding to stop giving back to it. This is visible
in the form of Mono, which now has more of a patent shadow over it than
ever before, and so is unusable by the rest of the community, and in
the form of the closed-source endeavors that you have chosen to pursue
with Microsoft in the future"

http://techp.org/petition/show/1

"Why Mono is Currently An Unacceptable Risk"

http://www.gnome.org/~seth/blog/mono

We have accumulated several more articles that speak of the risks over at
BoycottNovell.com. There is a Mono tag to isolate relevant posts. I don't
say this to anger you (in fact, notice the fact that I used to link to your
blog /before/ the deal), but I wish to make you guys aware of how the
'community' perceives Mono. To me, as well as to many others whose blogs I
read, Novell and Mono have become a 'grey/black area'.


>> The GUI tools they give you for free are very good, but they blind you to
>> what you are actually doing. As mentioned today in this news group for
>> example, .NET2 gives you a nice simple drag-and-drop user login tool, no
>> coding necessary to make it work, but of course that tool if linked to a
>> MSSQL puts user input directly into dynamically created SQL, no validation
>> whatsoever, so your simple .NET2 login tool has made you very
>> susceptible to injection attacks. The same is true for all of the
>> drag-n-drop database links.
> 
> Whoever said that has not used ASP.NET, has not tried it and has no
> idea what he is talking about.  And you are repeating the same false
> statements.
> 
> The whole class of Login tools (creation wizard, remember login, login)
> are compound controls that happen to use the Entry control.   And every
> single entry control (every parameter to query strings, every form
> value passed back) is filtered through a validation routine that
> prevents cross site scripting.
> 
> The actual exception thrown is:
> 
> [HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (CreateUserWizard1$CreateUserStepContainer$UserName="<b>miguel</b>").]
>    System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) +388
>    System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) +158
>    System.Web.HttpRequest.get_Form() +131
>    System.Web.HttpRequest.get_HasForm() +79
>    System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) +63
>    System.Web.UI.Page.DeterminePostBackMode() +134
>    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +5913
>    System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +188
>    System.Web.UI.Page.ProcessRequest() +112
>    System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +37
>    System.Web.UI.Page.ProcessRequest(HttpContext context) +135
>    ASP.default_aspx.ProcessRequest(HttpContext context) in c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\website10\38b6d13a\fecb441b\App_Web_c7vmqs2i.0.cs:0
>    System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +401
>    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +117
> 
>> Every .NET2 application out there that deals with database access of any
>> kind probably used these drag-n-drop database tools. So, it is very likely
>> that the Lion's share of all of those web applications that are currently
>> live are susceptible to Injection attacks.
> 
> Had your wacky theories been remotely right, the above would make
> sense.   Luckily for everyone involved, you were wrong, and the above
> paragraph is also wrong.
> 
> No point replying to the rest of the nonsense.


Your attitude here is somewhat inappropriate, in my humble opinion.

Experience and facts on the surface suggest that many attempts to mimic
behaviour and technologies from Microsoft led to weaknesses. Look no further
than last Friday when WMF led to a vulnerability in OpenOffice. Will the
inclusion of C#/Mono in OpenOffice for macros, for instance, come with an
added 'bonus' such as compatibility for Office viruses? I will continue to
abstain from using this branch (you strictly insist it's not a "fork") of OOo
that comes from Novell---a company that is evidently in bed with a convicted
monopolist.

With kind regards,

Roy

-- 
                        ~~ Best wishes for the new year!

Roy S. Schestowitz, Ph.D. Candidate in Medical Biophysics
http://Schestowitz.com  |  GNU/Linux  |     PGP-Key: 0x74572E8E
http://othellomaster.com >> GPL-licensed 3-D Othello
http://iuron.com >> proposing an Open Source, non-profit search engine
Open Source journalism contributor @ http://newassignment.net
Joint Editor @ http://boycottnovell.com
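
The quoted exchange touches two separate controls: a request filter that rejects markup-like form values, and SQL built by splicing user input into the query text. The following is an added example, not code from either poster or from ASP.NET; the markup check is a simplified stand-in, and the table, function names and sample inputs are constructed for illustration.

```python
import re
import sqlite3

# Simplified stand-in for a markup-oriented request filter (an assumption,
# not ASP.NET's actual ValidateString logic): reject "<" followed by a
# letter, "!", "/" or "?", and the sequence "&#".
_MARKUP = re.compile(r"<[A-Za-z!/?]|&#")

def looks_like_markup(value: str) -> bool:
    return bool(_MARKUP.search(value))

def make_db() -> sqlite3.Connection:
    # Constructed sample data; plaintext password only to keep the demo short.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('miguel', 'correct-horse')")
    return db

def login_concatenated(db, name, password) -> bool:
    # Pattern alleged in the thread: user input spliced into the SQL text.
    sql = ("SELECT 1 FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, name, password) -> bool:
    # Hardened form: values are bound as data and never parsed as SQL.
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    tagged = "<b>miguel</b>"   # the value shown in the exception above
    quoted = "miguel' --"      # constructed input containing SQL metacharacters
    for value in (tagged, quoted):
        print(repr(value), "rejected by markup filter:", looks_like_markup(value))
    print("concatenated query accepts wrong password:",
          login_concatenated(db, quoted, "wrong"))
    print("parameterized query accepts wrong password:",
          login_parameterized(db, quoted, "wrong"))
```

The markup filter stops the tagged value but passes the quoted one, so whether a login form is injectable depends on how the query is built, not on that filter.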
